Chapter 11. Best Practices: Building A Security Culture
At a Glance
In Part 3 we have described the security role and functions in the organization, whether that organization is a small or medium-sized business, a non-profit entity, an academic institution, or a government agency. In discussing the responsibility for organizational security, we have emphasized that someone must take the lead role, but we have not assumed that there will be an exclusive staff position of Chief Security Officer, for example, with the exception of larger organizations. In SMEs there are often budget and staffing constraints that make it unlikely to have official Chief Security Officers (CSOs) or other full-time security experts on the payroll. Nevertheless, any enterprise driven by or dependent on technology should have one person, or at most a small group of people, designated with responsibility for security. Uniform procedures, good reporting standards, and vigilant, but friendly, relationships with other employees, outside contractors, vendors, and customers will help this employee or team perform the necessary functions for the organization. This chapter provides detailed suggestions on taking a layered approach to security, including a policy statement on the twelve layers of security. This statement is followed by a selection of checklists that will help employees and members of the management team with day-to-day responsibility for security in the organization.
Best Practices: The 12 Layers of E-Security [85]
Management of e-security risks can be thought of as a twofold process. The first part is risk analysis, which has three major components: identify and inventory assets for a baseline, analyze and assign values to the assets, and establish how critical each asset is, in priority order.
The second part of security is development of an approach to risk management. The major elements of risk management are to develop and implement policies and procedures, educate users (employees and customers), and audit and monitor for quality assurance. A prudent approach might reflect the following thesis: "Expect to be hit – Prepare to survive."
The three general axioms to remember in building a security program are as follows:
• Attacks and losses are inevitable.
• Security buys time.
• The network is only as secure as its weakest link.
Twelve core layers of security are essential for maintaining the integrity of data and mitigating the risks associated with open-architecture environments; in many instances, implementing a specific layer need not entail large capital investments or outlays.
1. Information Security Officer—Creation of the position of Chief Security Officer, who oversees that the other 11 layers are carried out and implemented in accordance with the best practices below (details are available in Glaessner, Kellermann and McNevin, "Electronic Security: Risk Mitigation in Financial Transactions").
2. Risk Management—A broad-based framework, based on CERT's OCTAVE paradigm, for managing assets and the relevant risks to those assets.
3. Access Controls/Authentication—Establish the legitimacy of a node or user before allowing access to requested information. During the process, the user enters a name or account number (identification) and a password (authentication). The first line of defense is access controls; these can be divided into passwords, tokens, biometrics, and public key infrastructure (PKI).
4. Firewalls—Create a system or combination of systems that enforces a boundary between two or more networks.
5. Active content filtering—At the browser level, it is prudent to filter all material that is not appropriate for the workplace or that is contrary to established workplace policies.
6. Intrusion detection system (IDS)—A system dedicated to the detection of break-ins or break-in attempts, either manually or via software expert systems that operate on logs or other information available on the network. Approaches to monitoring vary widely, depending on the types of attacks that the system is expected to defend against, the origins of the attacks, the types of assets, and the level of concern for various types of threats.
7. Virus scanners—Worms, Trojans, and viruses are methods for deploying an attack. A virus is a program that can replicate itself by infecting other programs on the same system with copies of itself. Trojans do not replicate or attach themselves to other files. Virus scanners hunt for malicious code.
8. Encryption—Encryption algorithms protect information while it is in transit or whenever it is exposed to theft of the storage device (e.g., removable backup media or a notebook computer).
9. Vulnerability testing—Vulnerability testing entails obtaining knowledge of vulnerabilities that exist on a computer system or network and using that knowledge to gain access to resources on the computer or network while bypassing normal authentication barriers.
10. Proper systems administration—This should be complete with a list of administrative failures that typically exist within financial institutions and corporations, and a list of best practices.
11. Policy Management Software—A software program should control company policy and procedural guidelines vis-à-vis employee computer usage.
12. Business Continuity/Incident Response Plan (IRP)—The primary document used by a corporation to define how it will identify, respond to, correct, and recover from a computer security incident. The main necessity is to have an IRP and to test it periodically.
[85] Source: Glaessner, Thomas, Kellermann, Tom, and McNevin, "Electronic Security: Risk Mitigation in Financial Transactions - Public Policy Issues," The World Bank, June 2002.
Executive Support Checklist [86]
As we have seen in previous chapters, education and awareness of security issues are key to creating an environment where employees are best able to assist in the protection of their organization. In part, the personnel will take their lead from the management team’s attitude toward security issues and the corresponding investment in training and communication on security and related areas. The checklist is designed for company executives who will lead the security policy effort.
Are executive-level summaries produced regularly?
How often?
Does a clear communication path exist from the top level of management to the line-level workers?
Does everyone know what or where that communication path is?
Does responsibility for security rest with a Vice President, Director of Security, or other member of management?
Has management demonstrated that it is committed to the company’s security program by appropriately presenting and enforcing it?
Has adequate funding for security been allocated and made available?
Do all system administrators understand the importance of reporting and resolving security issues quickly?
Is security awareness training provided as part of the standard orientation for new employees at all levels from line-level to upper management?
Have steps been taken to ensure that all employees from the top down are aware of the company’s information-protection policies?
Were the realities of the company’s culture (in terms of management/worker relationships) considered when the security policies and procedures were developed?
Do employees know whom to call for help when a security breach occurs or when they don’t understand their roles?
Are security audits conducted regularly? Every 6 months? Yearly?
[86] Source: ITS, Chapter 3, Executive Support, p. 50.
Employees' Responsibilities
In order to foster a security culture, managers must:
- Explain what constitutes a good security program.
- Emphasize that security is important at all levels of the organization.
- Encourage people to ask questions on technology and procedures related to security.
- Ask that the entire team be vigilant and report any unusual activity, both in the office and over the network.
- Outline what is being done to protect employees’ privacy and security, but make it clear that allegiance to the organization comes first and intentional security breaches will not be tolerated.
The following checklist is designed to help managers train employees to assist in the security function:
Security Training Checklist [87]
Do all managers, from the top down, voice a corporate commitment to security?
Do they back up that commitment with funding for security training?
Does that training program include details on configuring and supporting security?
Do security training policies exist?
Are they thorough, current, and widely known?
Are all employees, including executive managers, trained on their security responsibilities for the company?
Does a framework exist for developing and continuing security awareness?
Control and Risk Management Framework
In Chapters 2, 3, and 4, we reviewed common threats to security (risk evaluation) and loss analysis. We also developed guidelines for security policies and procedures that would strengthen the organization's resistance to attack and accidental loss. The response plan included a listing of practical security assessments and suggested a range of perimeter defenses.
The following checklists offer further detail on risk assessment and loss prevention.
Review Your Risks Checklist [88]
Was a risk assessment completed recently? How often is it updated?
Have systems been classified by risk level (non-critical, critical, mission critical)?
Are management’s goals tied to security?
Are routine audits conducted to verify risk-assessment conclusions?
Are external auditors used, when appropriate, in assessing and reducing risk?
Are all employees (managers, as well as system administrators) assigned and evaluated based on security goals?
Loss Prevention Checklist [89]
Do you know what you are trying to protect on your network?
Was management involved in risk assessment?
Are policies easy to read and understand?
Does everyone either have a copy of the policies or at least have access to one?
Does someone "own" responsibility for the policies and procedures?
Does the policy owner attend security conferences and keep current on policy issues?
Do you conduct periodic audits to verify that security controls are in place?
Are you sure that all persons installing your systems have been trained on your company's security policies and procedures?
Do you double-check that all known security problems have been addressed before bringing new hardware or software systems online?
Do you configure and review audit logs? How often?
Physical Security: Internal and External Networks
Physical security has been covered in varying degrees of detail in Part 2 (Security for Individuals), Part 3, and Part 5 (Security for Technical Administrators). On the technical side, there are a number of areas to cover from a security standpoint, including internal networks, external networks, and control of access to networks. The following checklists are designed to aid in the effort to protect the physical assets in a networked environment.
[87] Source: ITS, Chapter 5, Security Training, p. 81.
[88] Source: ITS, Chapter 6, Unplanned Security, p. 95.
[89] Source: ITS, Chapter 2, Out-of-the-Box Security, p. 32.
Internal Network Security Checklist [90]
Are there policies and procedures for system configurations?
Do those policies and procedures cover file permissions, passwords, and patches?
Do you disable unnecessary services?
Is there a policy covering physical security?
Do all account users have passwords?
Have any default accounts installed with the systems been changed?
Are default guest accounts banned as a matter of policy?
Are dormant accounts regularly disabled?
Are security patches applied as part of the installation for all new systems?
Do you try to crack the passwords on the systems you support to test for easily guessed passwords?
How often?
Do you look for unauthorized changes to files?
How often?
Do you use caution when exporting file systems?
External Networks and Firewalls Checklist [91]
Are security roles and responsibilities clearly defined?
Has someone been assigned to audit the firewall on a regular basis? How often?
Has someone been assigned to regularly conduct firewall penetration tests?
Has someone been assigned to upgrade the firewall when necessary?
Are firewall administration, upgrades, and routine maintenance adequately funded?
Do managers understand their own security roles and those of the people who report to them?
Are emergency roles and responsibilities clearly, and formally, defined?
Do support personnel have specific preventive procedures to follow?
Is intrusion detection software installed on networks and systems?
Is auditing software installed on mission-critical systems?
Is virus protection installed at every entry point?
Are lessons learned from break-ins shared and used to build better processes?
Network Access Checklist [92]
Is management involved in the external-connection approval process?
Does someone keep track of external connections?
Does management know how many employees and contractors have external connections?
Are unnecessary network services disabled?
Are all outside connections evaluated for true need before approval?
Does your company conduct routine audits to maintain control over external connections?
Are procedures in place to disable connections when employees and contractors resign?
Do policies and procedures exist for installing firewalls?
Do policies and procedures exist for installing customer connections (extranets)?
Are all connection-related policies and procedures enforced?
Security Audits
While an organization may spend a great deal of time and money crafting excellent security policies and procedures, training employees, and listening to its managers and security experts, the effectiveness of these efforts must be tested from time to time. Security audits will find holes in the security plan which may not have been understood, or which may have arisen with growth and change in the lifecycle of the organization. Security audits are also useful in helping to ensure compliance; if would-be violators know that you are on the lookout for them, they may curtail their activities on your systems.
Among the most common mistakes discovered by routine audits:
- Security patches are not installed
- Excessive file permissions have been granted
- Passwords are easy to guess
- Unnecessary network services are enabled
- Firewalls are not on or not enforced
The following checklist is provided to set a baseline for your security audits, whether they are conducted by internal staff or outsourced to security professionals in your area.
[90] Source: ITS, Chapter 8, Internal Network Security, p. 121.
[91] Source: ITS, Chapter 7, Maintaining Security, p. 109.
Audit Procedures Checklist [93]
Does your company have a formal audit policy?
Does your company have written audit procedures for testing security?
Are audits conducted on a regular schedule?
Is auditing software installed on all platforms in use (Windows, Mac, Unix/Linux)?
Is funding provided to buy the required auditing tools?
Does management support security auditing by providing the right training for auditors?
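The Internal Network Security Checklist and the list of common audit findings above (no password on an account, default or guest accounts, dormant accounts, excessive file permissions, unnecessary services, firewall off, missing patches) can be turned into a repeatable baseline check. The script below is an added example, not code from the chapter or from ITS; the host inventory format, the 90-day dormancy cut-off, and the default-name and approved-service lists are assumptions chosen for illustration.

```python
# Added example, not code from the chapter or the ITS checklists: scores a
# constructed host inventory against the audit items above (assumed format).
from dataclasses import dataclass

DORMANT_DAYS = 90                           # assumed cut-off for "dormant"
DEFAULT_NAMES = {"guest", "admin", "test"}  # constructed vendor/default names
BASELINE_SERVICES = {"sshd", "httpd"}       # constructed approved services

@dataclass
class Account:
    name: str
    has_password: bool
    days_since_login: int
    enabled: bool = True

@dataclass
class Host:
    accounts: list
    files: dict             # path -> octal mode string, e.g. "0666"
    services: set
    firewall_enabled: bool
    missing_patches: int

def audit_host(host: Host) -> list:
    """Return (checklist item, detail) pairs, one per failed check."""
    findings = []
    for acct in (a for a in host.accounts if a.enabled):   # disabled accounts are out of scope
        if not acct.has_password:
            findings.append(("password-required", f"{acct.name} has no password"))
        if acct.name in DEFAULT_NAMES:
            findings.append(("default-account", f"{acct.name} is a default/guest account"))
        if acct.days_since_login > DORMANT_DAYS:
            findings.append(("dormant-account", f"{acct.name} idle {acct.days_since_login}d"))
    for path, mode in host.files.items():
        if int(mode, 8) & 0o002:            # world-writable bit set
            findings.append(("excessive-permissions", f"{path} is world-writable ({mode})"))
    for svc in sorted(host.services - BASELINE_SERVICES):
        findings.append(("unnecessary-service", f"{svc} enabled but not in baseline"))
    if not host.firewall_enabled:
        findings.append(("firewall-off", "host firewall disabled"))
    if host.missing_patches:
        findings.append(("missing-patches", f"{host.missing_patches} security patches pending"))
    return findings

SAMPLE = Host(  # constructed sample host that trips every check at least once
    [Account("alice", True, 3), Account("guest", False, 200),
     Account("bob", True, 120), Account("old", True, 400, enabled=False)],
    {"/srv/share": "0777", "/etc/hosts": "0644"},
    {"sshd", "httpd", "telnetd"}, firewall_enabled=False, missing_patches=4)
```

Running `audit_host(SAMPLE)` yields eight findings; feeding the same function an inventory exported from each host gives the auditor a consistent record of which checklist items fail where.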
Outsourcing
Finally, we are aware that the complexity of IT security may prompt some organizations to hire outside specialists to handle their security needs. The chapter on outsourcing provided a detailed discussion of what to look for in outsourcing firms, how to manage their activities, and when to increase your scrutiny of their practices at your location.
The following checklist serves as an additional resource to firms that are considering the use of outside contractors for the security function.
Outsourcing Security Checklist [94]
(Technical considerations)
Are supplier and customer connections (extranets) audited on a regular basis? How often?
Does a formal architecture exist for connecting suppliers and customers to your network via extranets?
Does a formal policy exist to spell out when, why, and how extranet connections will be permitted?
Is management approval required before bringing an extranet connection online?
Is a formal security audit required before bringing an extranet connection online?
[93] Source: ITS, Chapter 9, Outsourcing Security, p. 133.
[94] Source: ITS, Chapter 9, Outsourcing Security, p. 133.