ICT Security
January 2010
This section covers the areas that organisations will need to consider in terms of both physical
and data security, and summarises the relevant legislation.
Introduction
Organisations must ensure that they have comprehensive ICT security procedures to protect
their data and their ICT systems. Procedures must cover both physical security, to prevent
damage or unauthorised access to ICT equipment, and data security, to prevent loss or misuse
of data.
This section summarises the main issues that organisations will need to consider in terms of
ICT security, and covers the relevant legislation – principally the Copyright, Designs and
Patents Act 1988, the Computer Misuse Act 1990, the Data Protection Act 1998, and the
Regulation of Investigatory Powers Act 2000 (RIPA). The section also provides an overview of
BS 7799/ISO/IEC 27002, which is a code of practice for information security management.
For other information on security issues, including two data security standards that affect
public sector organisations, the Government Code of Connection (CoCO – It might be worth
adding a few sentences on Government Connect itself and its implications.) and the Payment
Card Industry Data Security Standard (PCI DSS), see Electronic Service Delivery.
Physical Security
Valuable computer equipment can be relatively portable and therefore presents a high level of
risk. Managers should be aware of this risk and bear it in mind when considering the location
of equipment and the adequacy of the physical security in the proposed location. This issue
must be considered when formulating the organisation’s overall security policy.
In addition to ensuring that computer equipment is kept in a secure location, specific
equipment security measures should be considered, such as security marking of equipment or
padlocking equipment to office furniture.
An inventory of all computer equipment will need to be kept for insurance purposes, as well as
for security reasons and for asset management. The detailed requirements of the insurance
policy must be followed; for example, laptops will not be covered if left unattended. For more
information on insurance, see Risk Management and Insurance.
The ICT manager will be responsible for ensuring the physical and access security of
centralised servers. The continued operation of central servers is critical to the day to day
operations of most organisations, and this makes it important to take steps to prevent
disruption. Each organisation should have an overall ICT security policy that addresses issues
such as:
- restriction of physical access to all but properly authorised personnel;
- securing of doors and windows, commensurate with adequate escape routes in case of emergency;
- providing automatic fire detection and extinguishing systems consistent with current environmental requirements;
- secure and safe location of the equipment;
- intruder detection alarms;
- management of software (This doesn’t look right for physical security, but there is a physical access issue which you address under data storage. Perhaps we should remove this item or move it to another part of the section.) – the organisation should preferably only permit ICT staff to install or update software;
- data storage hardware – for example, the permitted and safe use of removable media such as USB memory sticks;
- inventories and insurance.
Advice on these matters is available from suppliers, insurers, the police and fire brigades.
Operational staff should be made aware of their responsibilities in the case of emergency and
their response should be tested with periodic drills.
Despite such precautions, however, the possibility that interruption will occur remains. The
organisation should therefore ensure that it has a business continuity plan and a key element
of this will be a formal disaster recovery plan for all its ICT facilities, from mainframes to PCs,
and this must be regularly tested. Essential elements of such a plan are:
- making of meticulously updated copies of data files, programs, operating systems and manuals, and storing these at a remote site or in fireproof safes;
- reciprocal agreements with other sites with similar hardware, or insurance-type arrangements with an external organisation to allow processing to be switched;
- regular testing to ensure that back-up procedures work and that back-up sites are technically compatible;
- having a priority list of software systems to help ensure business continuity;
- ensuring that power supplies can be maintained or replaced with an alternative power source quickly when power is lost;
- insurance to cover the costs not only of replacement equipment but also of recreating data files and program libraries.
The existence of an ICT disaster recovery plan will not, in itself, ensure the continuity of the
business, and should be part of a wider business recovery plan for the organisation. For further
information see the section on Disaster Recovery.
Data Security
Introduction
Data is a vital commodity for all organisations in that it can be manipulated and organised into
information. Security over data is important to ensure that the data retains its integrity and
therefore its usefulness, as well as for data protection reasons and the prevention and
detection of fraud. Data that is held in electronic form brings with it certain specific risks. The
organisation must have a clearly set out plan in an information systems strategy to ensure it is
protected (see the ICT Strategy section).
In determining the level of security required, consideration should be given to the harm which
may be caused by unauthorised or unlawful processing or loss, destruction or damage to the
data, the nature of the data being secured and the reliability of those members of staff who
have access to the data.
Effective data security has a number of inter-related dimensions as shown in the figure below.
The British standard covering IT security, BS 7799 (see below), addresses information security
and contains a number of security objectives and controls along with considerable guidance
and advice on how the controls could be achieved. It is a document that can be used for
guidance and allows organisations to obtain pointers and information (from a management
point of view) on the different aspects of information security. British organisations can also
obtain accredited certification against this standard if they so wish.
Policy, procedures and culture
Best practice dictates that an organisation should have an information security policy in place
which acts as a high level document, referencing further to other more detailed policies and
procedures. The information security policy acts as a framework to work within and draws
information security aspects, policies and guidelines together across the organisation.
BS 7799/ISO/IEC 27002 recommends that the development of the security policy itself
(normally only a few pages) should be performed after a risk assessment has taken place. The
policy can then be further developed, through the use of workshops and interviews, to enable
it to clearly reflect specific risks and concerns. In all cases, the policy should be signed off by
the board (or equivalent) and then distributed to all members of staff.
An information security policy forms the foundation of an information security programme. It
should contain as a minimum:
- a definition of information security, its overall objectives and scope and its importance as an enabling mechanism for information sharing;
- a statement of management intention, supporting the goals and principles of information security;
- an explanation of specific security policies, principles, standards and compliance requirements.
An example security policy is provided in the Example Policy Documents section.
The information security policy should where possible be supported by an officer with
responsibility for information security who has sufficient status to ensure that policies and
procedures are complied with and not sacrificed to other management and user priorities. This
would include procedures to ensure that all incidents can be reported relatively easily, that all
reported incidents of security violation, whether via direct access to the system or otherwise,
are investigated, and that appropriate action is taken to prevent or minimise the likelihood of
a recurrence.
The organisation should have a mechanism in place which enables the information security
policy to be subject to regular review, updating it to ensure it remains aligned to the business
as the business changes, for example, with the implementation of e-government.
All staff need to be trained on data security; the level of training should be tailored to the staff
duties. The training should consider a number of issues including end user computing security,
information classification, file management, back-up, handling of sensitive or confidential data,
responsible use of the internet including email, data protection legislation, disaster planning
and system continuity.
Passwords
Access to and loss of the data and software contained on machines need to be considered as
security risks. Managers should be aware of the need to keep certain information confidential
and should therefore ensure that an adequate level of password protection is implemented, in
order to prevent unauthorised access. Passwords should be used to secure access to the
system itself, not just the data.
Passwords should be personalised and changed regularly, with access deleted when personnel
leave. Passwords should also contain a mixture of numbers, letters (both lower and upper
case) and symbols. All staff must respect the need to keep passwords confidential, and switch
off computers when they are not in use.
Networking software provides the option for password control, and this should be used with
operators being required to change passwords after a given number of days. In addition, or
instead of this, security packages that control access to computer systems, assist in back-up
procedures, monitor for viruses and encrypt data are available.
Authorisation levels
Most software packages for specific applications (rather than for general office use, such as
word processors) have the ability to tailor access to specific levels and requirements. This
access should reflect the role that the user plays within the organisation. There will also need
to be restrictions on the ability of a single individual to undertake a complete business
process. Examples include:
- Senior managers would need access to management reporting but are unlikely to need to be able to create detail-level transactions such as purchase orders or billing documents.
- The person who sets up the suppliers in an Accounts Payable system should not be able to set up payments as well; otherwise there is a risk they could make payments to themselves.
- A purchase order, particularly one of high value, would need to be authorised by someone other than the person who created it.
- Access to payroll information is restricted on data protection grounds except to those with a genuine need to see it.
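A worked check for the authorisation rules above, as an added example that is not part of the original document: it runs a static segregation-of-duties check over role assignments (can one person complete a whole process?) and a dynamic check over a constructed audit log (did one person actually do so?). The role and action names, the log format and the sample users are assumptions made for this illustration.

```python
"""Segregation-of-duties (SoD) checks for an accounts-payable and purchasing system.

Added example, not part of the original document. Role names, action names, the
audit-log layout and the sample users are assumptions made for this illustration.
"""
from dataclasses import dataclass

# Which actions each role may perform (assumed role model).
ROLE_ACTIONS = {
    "ap_clerk": {"supplier_create"},
    "ap_supervisor": {"payment_create"},
    "buyer": {"po_create"},
    "budget_holder": {"po_authorise"},
    "payroll_clerk": {"payroll_read"},
}

# Action pairs that must never be held by one person: together they let a single
# individual complete a whole business process (set up a supplier and pay it, or
# raise a purchase order and authorise it) with no independent check.
TOXIC_PAIRS = [("supplier_create", "payment_create"), ("po_create", "po_authorise")]


def check_role_design(user_roles):
    """Static SoD check at provisioning time. user_roles maps user -> set of roles;
    returns (user, action_a, action_b) where the combined roles permit a toxic pair."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        allowed = set().union(*(ROLE_ACTIONS.get(r, set()) for r in roles))
        for a, b in TOXIC_PAIRS:
            if a in allowed and b in allowed:
                findings.append((user, a, b))
    return findings


@dataclass(frozen=True)
class Event:
    seq: int
    user: str
    role: str    # role the user acted under
    action: str  # one of the actions in ROLE_ACTIONS
    target: str  # supplier id, PO number or payroll record id


def parse_log(text):
    """Parse 'seq,user,role,action,target' lines (constructed format) into Events."""
    events = []
    for line in text.strip().splitlines():
        seq, user, role, action, target = (f.strip() for f in line.split(","))
        events.append(Event(int(seq), user, role, action, target))
    return events


def check_transactions(events):
    """Dynamic SoD check over an audit log; returns (rule, user, target) for each
    offending event. A role used for an action it does not permit is also flagged,
    which is how the payroll restriction in the text shows up here."""
    supplier_owner = {}  # supplier id -> user who set it up
    po_creator = {}      # PO number -> user who raised it
    violations = []
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.action not in ROLE_ACTIONS.get(ev.role, set()):
            violations.append(("role-lacks-permission", ev.user, ev.target))
            continue
        if ev.action == "supplier_create":
            supplier_owner[ev.target] = ev.user
        elif ev.action == "payment_create" and supplier_owner.get(ev.target) == ev.user:
            violations.append(("supplier-and-payment", ev.user, ev.target))
        elif ev.action == "po_create":
            po_creator[ev.target] = ev.user
        elif ev.action == "po_authorise" and po_creator.get(ev.target) == ev.user:
            violations.append(("self-authorised-po", ev.user, ev.target))
    return violations


# Constructed sample data: alice holds both AP roles and carol both purchasing roles,
# so each can complete a process alone; frank's role has no business reading payroll.
SAMPLE_ROLES = {
    "alice": {"ap_clerk", "ap_supervisor"},
    "bob": {"ap_supervisor"},
    "carol": {"buyer", "budget_holder"},
    "frank": {"buyer"},
    "grace": {"payroll_clerk"},
}

SAMPLE_LOG = """
1, alice, ap_clerk,      supplier_create, S-100
2, bob,   ap_supervisor, payment_create,  S-100
3, alice, ap_supervisor, payment_create,  S-100
4, carol, buyer,         po_create,       PO-7
5, carol, budget_holder, po_authorise,    PO-7
6, frank, buyer,         payroll_read,    PR-2010-01
7, grace, payroll_clerk, payroll_read,    PR-2010-01
"""

if __name__ == "__main__":
    print(check_role_design(SAMPLE_ROLES))
    print(check_transactions(parse_log(SAMPLE_LOG)))
```

The static check belongs in the access-provisioning process; the dynamic check is what an internal audit or the ICT department would run over the application's audit trail, since it also catches cases where the role model was bypassed.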
Back-up procedures
An agreed back-up procedure is essential, as the cost of losing data can be high. Issues to be
considered in determining such a procedure should include responsibility for ensuring regular
back-ups are carried out and that back-up media is securely stored.
Sometimes users are responsible for making back-up copies of data, although this should be
on the basis of guidelines issued by the ICT department. Increasingly, ICT departments are taking
responsibility, with technical solutions providing automatic backing up of network server files,
including ‘mirroring’, which is the exact copying of files and data. Depending on how systems
are accessed, home workers may be responsible for backing up their own data. (I must
confess that I don’t like the idea of home workers storing their own data. I suggest that we
should emphasise that, ideally, data should be stored or backed up by IT staff and only in
exceptional circumstances should backups be made at home. Where such backups are made,
then they should be transferred to a secure IT network as soon as possible. I think there will
be Government Connect issues here, but I am not an expert.) If they access office-based
systems remotely, for example through a virtual private network (VPN), then they will not be
storing any data on their home-based equipment and should not need to make their own
back-ups.
Possible fluctuations in power supply must also be considered. Uninterruptible power supplies
(UPS) are available for individual machines or entire networks; these smooth out fluctuations
in supply and in the event of a total power loss they provide time to continue using the system
and to close down files properly.
Viruses and other threats
Viruses on all computers and laptops have become a serious problem for all managers. A
computer virus is a program usually designed to copy itself onto any machine from an infected
disk or email, and then corrupt or destroy valid data. The damage may be total or partial and
the effect may be immediate or over a long period. The term ‘malware’ is also used, to
encompass viruses, spyware (software that collects information about users) and adware
(software that displays unwanted advertising material).
The introduction of a virus to a network system can be particularly damaging. Viruses are most
commonly introduced into organisations by the use of unofficial software.
The intentional introduction of a virus to a computer system is an offence under Section 3 of
the Computer Misuse Act 1990. Once introduced, a virus will at best be expensive, in terms of
the cost of locating and neutralising the problem. At worst, viruses can be devastating if they
are able to change or delete data held on the system. Managers must therefore be aware of the
potential problems and take precautions against the introduction of such viruses, which should
include the following:
- anti-virus software must be installed on all computers on a network (and laptops that can access a network) to work in the background to scan all disks, incoming emails and attachments before loading onto an operational computer, and to periodically check machines’ hard disk drives for infection;
- regular back-ups must be taken so that in the event of infection data can be restored quickly;
- only authorised software from reputable sources should be loaded onto any computer. Unsolicited disks, software used in educational establishments (I agree with you, but we could be seen as targeting a specific group here. Is it the software or the folk who introduce/use it?) and games software are common sources of viruses;
- users should be given training and advice to make them aware of the forms a virus attack may take and what to do immediately if they suspect infection;
- as viruses can be transmitted from one site to another by maintenance engineers, checks should be made before allowing any of their disks to be used.
As the nature of the use of computers and laptops has changed, so the number of threats has
increased. A general name for these threats is “malware”. Threats include:
- Spyware is virus-like software that runs in the background and transmits personal information to a third party without the user's knowledge or consent. It is often installed as part of “free” software. At its most innocuous, spyware will just pop up unsolicited adverts, but increasingly it steals personal information such as credit card details and passwords to networks and websites.
- Trojans are similar to spyware in that they are installed without the user’s knowledge but don’t activate immediately. They wait until a pre-determined date or signal and then activate on the user’s computer. Sometimes the software will lock out a computer or encrypt data that can only be unlocked by a payment to the criminals who created the Trojan. They can also act like spyware, stealing personal information.
- Compromised websites – some virus software doesn’t only infect an organisation’s computers but can also infect its websites. People who then access that website are at risk of infection. Some websites are deliberately designed to infect visitors.
- Spam is unsolicited email, usually advertising. It is named after the use of the repeated word “spam” in the Viking sketch on Monty Python’s Flying Circus. The links in these emails often take people to compromised websites or to websites that ask for credit card or personal information, which is then used for fraud. Much spam is of a sexual or pornographic nature. Spam makes up an increasing proportion of email, with recent estimates of around 95%.
- Phishing emails are a form of spam. Usually they are emails telling people that they have to re-activate their online banking by entering their details. These can be very closely based on legitimate emails from banks or other trusted companies. There are also emails where a large amount of money is offered to someone in return for a small upfront fee. These trade on people’s greed and gullibility.
- Instant messaging (IM) is increasingly being used to distribute viruses and other malware. IM requires the opening up of access on a computer that a hacker can then use for their own purposes.
As a result of the above threats, anti-virus software is increasingly part of a larger security
package which protects the user from spyware whilst surfing the internet, scans for spam
emails, protects against phishing and provides a firewall. Organisations will need to decide how
much of this protection is done centrally and how much on each individual PC. Laptops that are
used outside the organisation’s premises should have the highest level of protection installed.
Again, these issues should be set out in the organisation’s ICT policies and would normally
require the ICT department to carry out any necessary testing, although good practice would
be to have ICT security guidelines for all users to adhere to.
Home working and remote access
Most of the security issues that are covered above also apply to mobile workers. However,
they assume even greater importance for staff who may be based in any number of locations,
since third party or open-air locations will probably be less secure than an employee’s home.
For example, Wireless Fidelity (WiFi) cafés do not always have secure connections – visitors do
not necessarily need to log on with a password. Consequently, work that involves sensitive or
confidential information should not be undertaken in hotspots, or indeed any location where
other people might be able to look over an employee’s shoulder.
In addition, employees who install and use wireless LANs at home for work purposes also run
security risks. Neighbours could access corporate networks if the connection is not sufficiently
secure, or alternatively ‘steal’ the bandwidth provided by the LAN.
One of the main forms of WiFi security (WEP) is compromised and easily and quickly crackable.
A stronger form of security (for example, WPA) should be used.
Moreover, legal and data protection risks are compounded when staff work from different
locations, because they may need to rely on data that is stored on hardware that they carry
around with them. Effective measures should be in place to ensure that back-up disks and
memory sticks (as well as laptops, mobile phones and PDAs) are stored securely and the data
on them encrypted, particularly if they contain sensitive information.
The security of wireless devices is improving though, and provided sensitive data is stored
centrally and accessed through ‘thin client’ type solutions, the confidentiality issue is reduced.
In addition, a number of devices can be destroyed or rendered useless remotely if they are lost
or stolen.
For more information on remote access, see the Mobile Government and ICT infrastructure
sections.
Legislation
The three main statutes concerning computers are the Computer Misuse Act 1990, the
Copyright, Designs and Patents Act 1988 and the Data Protection Act 1998. The Regulation of
Investigatory Powers Act 2000 (RIPA) is also relevant. These statutes are summarised below.
Some European legislation is also relevant. In addition BS 7799/ISO/IEC 27002 is a code of
practice for information security management and its provisions are also detailed below.
Computer Misuse Act 1990
The Computer Misuse Act 1990 defines specific offences relating to computer hacking. Thus,
even the intent to make unauthorised access to programmes or data in a computer is an
offence if the offender knows access is unauthorised and the computer is made to perform
some action (as small as scrolling the display). Access cannot be authorised by employees who
have authorised access themselves but do not have the authority to confer access rights on
others. It is also an offence to incite anyone to confer unauthorised access. Similarly, it is an
offence to cause unauthorised modification to programmes and data, so that introducing a
virus can be a crime.
The practical effect of this is that if someone circumvents an organisation’s computer security
provisions, they are probably committing a criminal offence. This is different from the case in a
normal office situation – there is no offence if someone reads paper documents that they
should not see but know that access is unauthorised. A screensaver with a banner saying that
unauthorised people should not proceed further may be a good idea (and a similar banner
should also display on boot-up and program load).
Copyright, Designs and Patents Act 1988
The Copyright, Designs and Patents Act 1988 specifies offences relating to the illegal copying
of computer software. All organisations have a legal responsibility to ensure all computer
software is licensed by the vendor who holds the copyright to the product. Organisations are
responsible for maintaining adequate records to prove compliance. It should be the policy of
the organisation to ensure no copyright material is copied without the owner's consent.
Directors of a limited company and officers of organisations may be prosecuted for failure to
comply with the Act. Substantial fines can be imposed on the organisation and
directors/officers may be given prison sentences.
An organisation known as the Federation Against Software Theft (FAST) has been established
with the support of leading vendors such as Microsoft and IBM. FAST has powers to gain entry
to any premises at any time to check for compliance with the Act.
The Act has helped to reduce the incidence of software theft, and many organisations include
the provisions of the Act in security policies. In many organisations staff are subject to
disciplinary action if they do not comply with the security policy (and the Act).
Data Protection Act 1998
The Data Protection Act 1998 came into force in March 2000. It is now a requirement for
anyone processing personal data to comply with eight enforceable principles of good practice.
As stated by the Information Commissioner, data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- secure;
- not transferred to countries without adequate protection.
Further information can be obtained from the Information Commissioner’s Office.
Monitoring of Staff and the Regulation of Investigatory Powers Act 2000 (RIPA)
RIPA covers a wide range of media, including post, e-mail messages, telephone calls, faxes
and Internet usage. It is designed to control how organisations deal with intercepting
communications on networks.
It is illegal to intercept communications on a public network without legal authority. Any
organisation (especially an employer) would be open to civil action if it failed to obtain legal
authority to intercept a communication, or to have a reasonable belief that both the sender and
recipient of the communication have consented to the interception. It is strongly recommended
that organisations take legal advice before deciding to intercept any communications on a
public network.
Interception can be performed in specific circumstances, including:
- when confirming conformance with standards and procedures;
- when national security is threatened;
- preventing or detecting crime.
The interception must be related to the organisation's normal business, and best efforts must
be made to inform employees and callers that such practices do happen on occasion.
The development, agreement and publishing of specific Internet and e-mail usage policies is
required to ensure organisations adhere to RIPA.
Other legislation that applies to the monitoring of staff not mentioned elsewhere includes:
- Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000;
- Human Rights Act 1998.
European legislation
The EU Directive on Privacy and Electronic Communications was implemented in the UK by the
Privacy and Electronic Communications (EC Directive) Regulations 2003, which came into force
in December 2003.
The regulations cover issues relating to privacy in electronic communications. In particular, if a
website uses cookies to store information about the user, the user must be informed about
what information is being stored and the purpose for which it will be used, and must be given
an opportunity to opt out.
The regulations also ban the sending of unsolicited emails for direct marketing purposes (i.e.
spam).
BS 7799 and ISO/IEC 27002
The essence of BS 7799/ISO/IEC 27002 is that a sound information security management
system (ISMS) should be established within organisations. The purpose of this is to ensure
that an organisation’s information is secure and properly managed.
BS 7799 is in three parts. Part one, entitled Code of Practice for Information Security
Management, provides guidance and recommendations on best practice in information security
management, not to be treated as a specification. It became internationalised as ISO/IEC
27002 in December 2000. It was last revised in June 2005 and was renamed from ‘ISO 17799’
in July 2007, to bring it into line with other standards in the ISO 27000 series.
Part two, titled Specification for Information Security Management Systems, is a British
Standard and “forms the basis for an assessment of the information security management
system (ISMS) of the whole, or part, of an organisation. It may be used as the basis for a
formal certification scheme.” It sets out the specification against which an ISMS will be
assessed.
BS 7799 part three was published in 2005, and covers risk analysis and management. It aligns
with ISO 27001.
Information security management has three basic components:
- confidentiality – protecting sensitive information from unauthorised disclosure;
- integrity – safeguarding the accuracy and completeness of information and computer software;
- availability – ensuring that information and vital services are available to users when required.
The Code of Practice for Information Security Management (part one of BS 7799) includes
controls in 11 key areas of information security management, as summarised below.
- Security policy – the organisation should have a policy, supported by senior management, setting out the requirements for information security and the scope of the information security management system.
- Organising information security – a suitable governance structure for information security should be in place, with the responsibilities of each relevant person or committee set out, including responsibilities for procedures and policies.
- Asset management – an information asset register should be created, listing all the organisation’s information assets (databases, personnel records etc.) and showing who is responsible for each asset and any special requirements for confidentiality, integrity or availability.
- Human resources – the organisation should take appropriate security measures when recruiting employees, provide appropriate training in security procedures and manage access rights for staff.
- Physical and environmental security – information and systems should be physically protected from damage, theft and unauthorised access, and equipment should be properly maintained.
- Communications and operations management – this section covers security in the day-to-day operation of ICT systems, including anti-virus software, incident management procedures, back-up procedures, network security, electronic commerce, email and websites.
- Access control – access to systems, networks, information and computer applications must be controlled to prevent unauthorised use, with access rights managed for staff and with passwords strongly enforced.
- Information systems acquisition, development and maintenance – this section covers the process for specifying, building, acquiring, testing and implementing ICT systems.
- Information security incident management – the organisation should have a procedure to ensure that information security events and weaknesses are reported, so that corrective action can be taken.
- Business continuity management – the organisation must have a process for managing business continuity plans, business impact analysis and implementation and testing of plans, to ensure that core processes can keep running following an event.
- Compliance – the organisation must comply with relevant legislation, including health and safety legislation, the Data Protection Act 1998, the Computer Misuse Act 1990 and the Copyright, Designs and Patents Act 1988.
Further information on BS 7799/ISO/IEC 27002 and information security can be found at the
Department for Business, Innovation and Skills (BIS).
Sources of Further Information
- Computer Audit Guidelines – fully revised 6th edition (CIPFA, 2002)
- BIS information security homepage
- BIS information security management publications
- BIS ISO 27002 information
- Information Systems Audit and Control Association (ISACA)
- Federation Against Software Theft (FAST)
- Information Commissioner’s Office