Sunday, May 31, 2015

Computer Policies in Information Security

This group of policies applies to computers and information systems. Authentication policies often form the largest collection of policy statements in a computer environment because authentication systems and variations are so complex and because they tend to have the greatest impact on the average computer users in Software Development Companies. Password policies are often the largest subset of authentication policies.
Account/Password Authentication: A unique account and password combination must authenticate all users of information systems. The account name must be used only by a single individual, and the password must be a secret known only to that individual.
New Account Requests: The manager responsible for a new end user must request access to corporate information systems via a new account. End users may not request their own accounts. The new account request must be recorded and logged for the record. When the account is no longer needed, the account must be disabled.
Account Changes: The manager responsible for the end user must request changes in access privileges for corporate information systems for a system account. End users may not request access-privilege changes to their own accounts. The request must be recorded and logged for the record.
Two-Factor Authentication: All administrators of critical information servers must be authenticated via a token card and PIN code. The individual must be uniquely identified based on possession of the token card and knowledge of a secret PIN code known only to the individual user.
Desktop Command Access: Access to operating system components and system administration commands on end-user workstations or desktop systems is restricted to system support staff only. End users will be granted access only to commands required to perform their job functions.
Generic User Accounts: Generic system accounts for use by people are prohibited in Software Development Companies. Each system account must be traceable to a single specific individual who is responsible and accountable for its use. Passwords may not be shared with any other person.
Inactive Screen Lock: Computer systems that are left unattended must be configured to lock the screen with a password-protected screensaver after a period of inactivity. This screen locking must be configured on each computer system to ensure that unattended computer systems do not become a potential means to gain unauthorized access to the network.
Login Message: All computer systems that connect to the network must display a message before connecting the user to the network. The intent of the login message is to remind users that information stored on the organization’s information systems belongs to the organization and should not be considered private or personal. The message must also direct users to the corporate information system usage policy for more detailed information. The message must state that by logging on, the user agrees to abide by the terms of the usage policy. Continuing to use the system indicates the user’s agreement to adhere to the policy.
Failed Login Account Disabling: After ten successive failed login attempts, a system account must be automatically disabled to reduce the risk of unauthorized access. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation.
Password Construction: Account names must not be used in passwords in any form. Dictionary words and proper names must not be used in passwords in any form. Numbers that are common or unique to the user must not be used in passwords in any form. Passwords shorter than eight characters are not allowed.
Password Expiration: Passwords may only be used for a maximum of 3 months. Upon the expiration of this period, the system must require the user to change their password. The system authentication software must enforce this policy.
Password Privacy: Passwords that are written down must be concealed in a way that hides the fact that the written text is a password. When written, the passwords should appear as part of a meaningless or unimportant phrase or message, or be encoded in a phrase or message that means something to the password owner but to nobody else. Passwords sent via e-mail must use the same concealment and encoding as passwords that are written down, and in addition must be encrypted using strong encryption.
Password Reset: In the event that a new password must be selected to replace an old one outside of the normally scheduled password change period, such as when a user has forgotten their password or when an account has been disabled and is being reactivated, the new password may only be created by the end user, to protect the privacy of the password.
Password Reuse: When the user changes a password, the last six previously used passwords may not be reused. The system authentication software must enforce this policy.
Employee Account Lifetime: Permanent employee system accounts will remain valid for a period of 12 months, unless otherwise requested by the employee’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation.
Contractor Account Lifetime: Contractor system accounts will remain valid for a period of 12 months, unless otherwise requested by the contractor’s manager. The maximum limit on the requested lifetime of the account is 24 months. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation.
Business Partner Account Lifetime: Business partner system accounts will remain valid for a period of 3 months, unless otherwise requested by the manager responsible for the business relationship with the business partner. The maximum limit on the requested lifetime of the account is 12 months in Software Development Companies. After the lifetime of the account has expired, it can be reactivated for the same length of time upon presentation of both proof of identity and management approval for reactivation.
Same Passwords: On separate computer systems, the same password may be used. Any password that is used on more than one system must adhere to the policy on password construction.
Generic Application Accounts: Generic system accounts for use by applications, databases, or operating systems are allowed when there is a business requirement for software to authenticate with other software. Extra precautions must be taken to protect the password for any generic account. Whenever any person no longer needs to know the password, it must be changed immediately. If the software is no longer in use, the account must be disabled.
Inactive Accounts: System accounts that have not been used for a period of 90 days will be automatically disabled to reduce the risk of unused accounts being exploited by unauthorized parties. Any legitimate user whose account has been disabled in this manner may have it reactivated by providing both proof of identity and management approval for reactivation.
Unattended Session Log off: Login sessions that are left unattended must be automatically logged off after a period of inactivity. This automatic log off must be configured on each server system to ensure that idle sessions do not become a potential means to gain unauthorized access to the network.
User-Constructed Passwords: Only the individual owner of each account may create passwords, to help ensure the privacy of each password. No support staff member, colleague, or computer program may generate passwords.
User Separation: Each individual user must be blocked by the system architecture from accessing other users’ data. This separation must be enforced by all systems that store or access electronic information. Each user must have a well-defined set of information that can be located in a private area of the data storage system.
Multiple Simultaneous Logins: More than one login session at a time on any server is prohibited, with the exception of support staff. User accounts must be set up to automatically disallow multiple login sessions by default for all users. When exceptions are made for support staff, the accounts must be manually modified to allow multiple sessions.
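As an added example (not part of the original post), the script below turns several of the statements above into enforceable checks: password construction, reuse of the last six passwords, the 3-month expiry, and disabling after ten failed logins. The word list, account name and user numbers are constructed stand-ins; 3 months is assumed to mean 90 days.

```python
"""Enforcement checks for the account/password policy statements above.

Constructed example: the dictionary, account names and dates are made up.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import hmac
import os

MIN_LENGTH = 8                          # passwords shorter than eight characters are not allowed
MAX_FAILED_LOGINS = 10                  # ten successive failed logins disable the account
MAX_PASSWORD_AGE = timedelta(days=90)   # "maximum of 3 months" (assumed to be 90 days)
HISTORY_DEPTH = 6                       # the last six passwords may not be reused

# Constructed stand-in for a real dictionary / proper-name list.
DICTIONARY = {"password", "welcome", "summer", "london", "smith"}


def _hash(password: str, salt: bytes) -> bytes:
    # Stored passwords are kept as salted PBKDF2 digests, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    # Numbers "common or unique to the user" (birth year, employee id, ...).
    user_numbers: set = field(default_factory=set)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list = field(default_factory=list)   # digests, most recent last
    password_set_on: date = field(default_factory=date.today)
    failed_logins: int = 0
    disabled: bool = False


def construction_violations(account: Account, password: str) -> list:
    """Return the 'Password Construction' rules the candidate password breaks."""
    p = password.lower()
    name = account.name.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    # "in any form": forwards or reversed, ignoring case
    if name in p or name[::-1] in p:
        problems.append("contains the account name")
    if any(word in p for word in DICTIONARY):
        problems.append("contains a dictionary word or proper name")
    if any(num in password for num in account.user_numbers):
        problems.append("contains a number associated with the user")
    return problems


def set_password(account: Account, new_password: str) -> list:
    """Apply construction and reuse rules; on success record the digest and date."""
    problems = construction_violations(account, new_password)
    digest = _hash(new_password, account.salt)
    if any(hmac.compare_digest(digest, old) for old in account.history[-HISTORY_DEPTH:]):
        problems.append("matches one of the last six passwords")
    if problems:
        return problems
    account.history.append(digest)
    account.password_set_on = date.today()
    return []


def password_expired(account: Account, today: date = None) -> bool:
    """'Password Expiration': the system must force a change after the maximum age."""
    today = today or date.today()
    return today - account.password_set_on > MAX_PASSWORD_AGE


def login(account: Account, password: str) -> bool:
    """Verify a login attempt, applying the 'Failed Login Account Disabling' rule."""
    if account.disabled or not account.history:
        return False
    if hmac.compare_digest(_hash(password, account.salt), account.history[-1]):
        account.failed_logins = 0      # a successful login resets the counter
        return True
    account.failed_logins += 1
    if account.failed_logins >= MAX_FAILED_LOGINS:
        account.disabled = True        # reactivation needs identity proof and approval
    return False
```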

Benefits of ISO/IEC 27001: Information Security Management

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. ISO is of equal importance to all Software Development Companies in India and around the globe.
ISO/IEC 27001 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. The ISMS is an overarching management framework through which the organization identifies, analyses and addresses its information security risks. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s flexible risk-driven approach as compared to, say, PCI-DSS.
The standard covers all types of organizations, including Software Development Companies (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defence, healthcare, education and government). This is clearly a very wide brief.
Experience with the standard shows first-hand how managing information security with an ISO/IEC 27001 management system helps you protect valuable information and deliver real benefits:
Information Security Issue #1: With increasing fines for personal data breaches, organizations need to ensure compliance with legislative requirements, such as the Data Protection Act.
How ISO/IEC 27001 helps
  • It provides a framework for the management of information security risks, which ensures you take into account your legal and regulatory requirements 

Benefit:
  • Supports compliance with relevant laws and regulations
  • Reduces likelihood of facing prosecution and fines
  • Can help you gain status as a preferred supplier

Information Security Issue #2: Potential information breach, damaging your reputation
How ISO/IEC 27001 helps
  • It requires you to identify risks to your information and put in place security measures to manage or reduce them
  • It ensures you implement procedures to enable prompt detection of security breaches
  • It is based around continual improvement, and requires you to regularly review the effectiveness of your information security management system (ISMS) and take action to address new and emerging security risks

Benefit:
  • Protects your reputation
  • Provides reassurance to clients that their information is secure
  • Cost savings through reduction in incidents

Information Security Issue #3: Availability of vital information at all times
How ISO/IEC 27001 helps
  • It ensures that authorized users have access to information when they need it
  • It demonstrates that information security is a priority, whilst reassuring stakeholders that a best practice system is in place
  • It makes sure you continually improve your information security provisions

Benefit:
  • Demonstrates credibility and trust
  • Improves your ability to recover your operations and continue business as usual

Information Security Issue #4: Lack of confidence in your organization’s ability to manage information security risks
How ISO/IEC 27001 helps
  • Gives you a framework for identifying risks to information security and implementing appropriate management and technical controls
  • Is risk based – delivering an appropriate and affordable level of information security

Benefit:
  • Confidence in your information security arrangements
  • Improved internal organization
  • Better visibility of risks amongst interested stakeholders

Information Security Issue #5: Difficulty in responding to rising customer expectations in relation to the security of their information
How ISO/IEC 27001 helps
  • It provides a way of ensuring that a common set of policies, procedures and controls are in place to manage risks to information security
  • It gives organizations a straightforward way for responding to tender requirements around information governance

Benefit:
  • Meet customer and tender requirements
  • Reduce third-party scrutiny of your information security requirements
  • Get a competitive advantage

Information Security Issue #6: No awareness of information security within your organization
How ISO/IEC 27001 helps
  • It ensures senior management recognize information security as a priority and that there is a clear tone from the top
  • It requires you to implement a training and awareness programme throughout your organization
  • It requires management to define ISMS roles and responsibilities and ensure individuals are competent to perform their roles

Benefit:
  • Improved information security awareness
  • Shows commitment to information security at all levels throughout your organization
  • Reduces staff-related security breaches

Friday, May 29, 2015

Introduction to ISO 27001

History

ISO/IEC 27001 is derived from BS 7799 Part 2, published in 1999.  BS 7799 Part 2 was revised by BSI in 2002, explicitly incorporating Deming’s Plan-Do-Check-Act cyclic process concept, and was adopted by ISO/IEC as ISO/IEC 27001 in 2005.  It was extensively revised in 2013, bringing it into line with the other ISO certified management systems standards and dropping the PDCA concept.

What is ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organization’s information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

Benefits of ISO/IEC 27001 Information Security Management
  • Identify risks and put controls in place to manage or reduce them
  • Flexibility to adapt controls to all or selected areas of your business
  • Gain stakeholder and customer trust that their data is protected
  • Demonstrate compliance and gain status as preferred supplier
  • Meet more tender expectations by demonstrating compliance 

ISO 27001 uses a top-down, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organization.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.

ISO 27002 contains 12 main sections:
  1. Risk assessment
  2. Security policy
  3. Organization of information security
  4. Asset management
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

Organizations including software development companies are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.

Tuesday, May 19, 2015

Characteristics of Information Security

In Software Development Companies, many technologies are used for the benefit of the people of the present era. While information technology has many advantages, it also has disadvantages that reflect badly on technological devices and processes. However, the major advantage of information technology is that it provides information security for the data used in data transmission or in producing new technical products. Information security is defined as the technology designed to protect information from different types of hackers and from identity theft, and to protect your information from unauthorized use.

Due to the importance of information security, it has many important features that are really helpful for protecting confidential data from leaking and also help to protect against hacking. Some important characteristics of information security are described in the blog below:
  • Availability
  • Accuracy
  • Integrity
  • Confidentiality
  • Authenticity
  • Utility
  • Possession

1. Availability
  • Availability enables users who need to access information to do so without interference or obstruction, and to receive it in the required format. 
    • Is accessible to any user. 
    • Requires the verification of the user as one with authorized access to the information.  
  • Availability of information: the information is said to be available to an authorized user when and where needed and in the correct format.
Example:- Consider the contents of a library
  • Research libraries that require identification before entrance.
  • Librarians protect the contents of the library, so that it is available only to authorized patrons.  
  • The librarian must see and accept a patron’s proof of identification before that patron has free and easy access to the contents available in the bookroom. 
2. Accuracy
  • Information is accurate in Software Development Companies
    • when it is free from mistakes or errors, and
    • when it has the value that the end user expects.
  • When information contains a value different from the user’s expectations due to the intentional or unintentional modification of its content, it is no longer accurate.

Example:- Consider the checking account
  • Inaccuracy of the information in your checking account can be caused by external or internal means. 
  • If a bank teller, for instance, mistakenly adds or subtracts too much from your account, the value of the information has changed. 

In turn, as the user of your bank account, you can also accidentally enter an incorrect amount into your account register. This also changes the value of the information. 

3. Integrity
  • The quality or state of being whole, complete, and uncorrupted is the integrity of information. 
  • The integrity of information is threatened when the information is exposed to
    • Corruption,
    • Damage,
    • Destruction, or
    • Other disruption of its authentic state.
  • The threat of corruption can occur while information is being stored or transmitted. 
  • Many computer viruses and worms have been created with the specific purpose of corrupting data.  

For this reason, two key methods are used in Software Development Companies to detect the corruption caused by a virus or worm:
  1. The first key method is to look for changes in file integrity as shown by the size of the file.
  2. Another key method for assuring information integrity is file hashing.
    • With file hashing, a file is read by a special algorithm that uses the value of the bits in the file to compute a single large number called a hash value.
    • The hash value for any combination of bits is different for each combination.
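As an added example (not part of the original post), the script below implements both integrity checks described above, a size check and a SHA-256 file hash, and runs them over constructed files in a temporary directory to show that a modification which keeps the file size unchanged is missed by the size check but caught by the hash.

```python
"""Two file-integrity checks from the text: file size and a SHA-256 file hash.

Added example, not from the original post; the files are constructed in a temp dir.
"""
import hashlib
import os
import tempfile


def sha256_hex(data: bytes) -> str:
    """Hash value of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def file_hash(path: str, chunk_size: int = 65536) -> str:
    """Read the file in chunks and compute one SHA-256 digest over all of its bits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record size and hash for each file; this is the 'known good' reference."""
    return {p: {"size": os.path.getsize(p), "sha256": file_hash(p)} for p in paths}


def check_integrity(baseline):
    """Compare the current state of each file against the baseline.

    Returns {path: reason}: 'size' if the size check alone would have flagged
    the file, 'hash' if only the hash check caught it, 'missing' if it is gone.
    """
    findings = {}
    for path, ref in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
        elif os.path.getsize(path) != ref["size"]:
            findings[path] = "size"
        elif file_hash(path) != ref["sha256"]:
            findings[path] = "hash"
    return findings


def demo():
    """Constructed scenario: one file grows, one is altered without changing size."""
    d = tempfile.mkdtemp()
    grown = os.path.join(d, "config.ini")
    swapped = os.path.join(d, "payroll.csv")
    untouched = os.path.join(d, "readme.txt")
    for p in (grown, swapped, untouched):
        with open(p, "wb") as f:
            f.write(b"amount=100\n")
    baseline = build_baseline([grown, swapped, untouched])
    # Tamper: append to one file, flip a single byte in another (same length).
    with open(grown, "ab") as f:
        f.write(b"extra=1\n")
    with open(swapped, "r+b") as f:
        f.seek(7)
        f.write(b"9")   # "amount=100" becomes "amount=900"
    return {os.path.basename(p): why for p, why in check_integrity(baseline).items()}


if __name__ == "__main__":
    print(demo())   # {'config.ini': 'size', 'payroll.csv': 'hash'}
```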
4. Confidentiality
  • The confidentiality of information is the quality or state of preventing disclosure or exposure to unauthorized individuals or systems. 
  • Confidentiality of information is ensuring that only those with the rights and privileges to access a particular set of information are able to do so, and that those who are not authorized are prevented from obtaining access.
  • When unauthorized individuals or systems can view information, confidentiality is breached.
  • To protect the confidentiality of information, you can use a number of measures:
    • Information classification
    • Secure document storage
    • Application of general security policies
    • Education of information custodians and end users

Example:-

Ex: 1 A security breach is an employee throwing away a document containing critical information without shredding it.
Ex: 2 A hacker who successfully breaks into an internal database of a Web-based organization and steals sensitive information about the clients such as
  • Names
  • Addresses and
  • Credit card numbers
5. Authenticity

Authenticity of information is the quality or state of being genuine or original, rather than a reproduction or fabrication. 
Information is authentic when it is the information that was originally
  • Created,
  • Placed,
  • Stored, or
  • Transferred

Example:- Consider for a moment some of the assumptions made about e-mail. 
  • When you receive e-mail, you assume that a specific individual or group of individuals created and transmitted the e-mail: you assume you know the origin of the e-mail. This is not always the case.
  • E-Mail spoofing, the process of sending an e-mail message with a modified field, is a problem for many individuals today, because many times the field modified is the address of the originator. 
  • Spoofing the address of origin can fool the e-mail recipient into thinking that the message is legitimate traffic. 
  • In this way, the spoofer can induce the e-mail readers into opening e-mail they otherwise might not have opened.
  • The attack known as spoofing can also be applied to the transmission of data across a network, as in the case of User Datagram Protocol (UDP) packet spoofing, which can enable unauthorized access to data stored on computing systems.
6. Utility

  • The utility of information is the quality or state of having value for some purpose or end.
  • Information has value when it serves a particular purpose.  This means that if information is available, but not in a format meaningful to the end user, it is not useful.  

7. Possession
  • The possession of information in Software Development Companies is the quality or state of having ownership or control of some object or item.
  • Information is said to be in possession if one obtains it, independent of format or other characteristic.
  • A breach of confidentiality always results in a breach of possession, but a breach of possession does not always result in a breach of confidentiality.

Example:-
  • Assume a company stores its critical customer data using an encrypted file system. 
  • An employee, who has quit, decides to take a copy of the tape backups to sell the customer records to the competition.
  • The removal of the tapes from their secure environment is a breach of possession. Because the data is encrypted, neither the employee nor anyone else can read it without the proper decryption methods; therefore there is no breach of confidentiality.


Wednesday, May 13, 2015

Security Policy Development Process

In a Software Development Company, a security policy is the essential foundation for an effective and comprehensive security program. A good security policy should be a high-level, brief, formalized statement of the security practices that management expects employees and other stakeholders to follow. A security policy should be concise and easy to understand so that everyone can follow the guidance set forth in it.

In its basic form, a security policy is a document that describes an organization’s security requirements. A security policy specifies what should be done, not how; nor does it specify technologies or specific solutions. The security policy defines a specific set of intentions and conditions that will help protect an organization’s assets and its ability to conduct business. It is important to plan an approach to policy development that is consistent, repeatable, and straightforward.
A top-down approach to security policy development provides the security practitioner with a roadmap for successful, consistent policy production. The policy developer must take the time to understand the organization’s regulatory landscape, business objectives, and risk management concerns, including the corporation’s general policy statements. As a precursor to policy development, a requirements mapping effort may be required in order to incorporate industry-specific regulation. Chapter 3 covered several of the various regulations as well as best practice frameworks that security policy developers may need to incorporate into their policies.
A security policy lays down specific expectations for management, technical staff, and employees in IT Companies. A clear and well-documented security policy will determine what action an organization takes when a security violation is encountered. In the absence of clear policy, organizations put themselves at risk and often flounder in responding to a violation.
For Managers, a security policy identifies the expectations of senior management about roles, responsibilities, and actions that should be taken by management with regard to security controls.
For Technical Staff, a security policy clarifies which security controls should be used on the network, in the physical facilities, and on computer systems.
For All Employees, a security policy describes how they should conduct themselves when using the computer systems, e-mail, phones, and voice mail.
A security policy is effectively a contract between the business and the users of its information systems. A common approach to ensuring that all parties are aware of the organization’s security policy is to require employees to sign an acknowledgement document. Human Resources should keep a copy of the security policy documentation on file in a place where every employee can easily find it.
Security Policy Development
When developing a security policy for the first time, one useful approach is to focus on the why, who, where, and what during the policy development process:
1. Why should the policy address these particular concerns? (Purpose)
2. Who should the policy address? (Responsibilities)
3. Where should the policy be applied? (Scope)
4. What should the policy contain? (Content)

Phased Approach

If you approach security policy development in the following phases, depicted in Figure 5-1, the work will be more manageable:
1. Requirements gathering
  • Regulatory requirements (industry specific)
  • Advisory requirements (best practices)
  • Informative requirements (organization specific)
2. Project definition and proposal based on requirements
3. Policy development
4. Review and approval
5. Publication and distribution
6. Ongoing maintenance (and revision)

After the security policy is approved, standards and procedures must be developed in order to ensure a smooth implementation in Software Development Companies. This will require the policy developer to work closely with the technical staff to develop standards and procedures relating to computers, applications, and networks. 

Tuesday, May 12, 2015

Information Security Professionals: Roles & Responsibilities

In the Software Development Industry, information security is best initiated from the top down.

Security Professionals and the Organization

It takes a wide range of professionals to support a diverse information security program. This article describes the typical information security responsibilities of various professional roles in an organization.

The senior technology officer is typically the Chief Information Officer (CIO), although other titles such as vice president of information, VP of information technology, and VP of systems may be used. The CIO is mainly responsible for advising the chief executive officer, president, or company owner on the strategic planning that affects the management of information in the organization. The CIO translates the strategic plans of the organization as a whole into a strategic information strategy for the information systems or data processing division of the organization. Once this is accomplished, CIOs work with junior managers to develop tactical and operational plans for the different departments and to enable planning and management of the systems that support the organization.

The Chief Information Security Officer (CISO) has primary responsibility for the assessment, management, and implementation of information security in the organization. The CISO may also be referred to as the manager for IT security, the security administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations it is not uncommon for one or more layers of management to exist between the two. However, the recommendations of the CISO to the CIO must be given priority equal to, if not greater than, other technology and information-related proposals. The placement of the CISO and supporting security staff in organizational hierarchies is the subject of current debate across the industry.

Information Security Project Team

The information security project team should consist of a number of individuals who are experienced in one or more facets of the required technical and nontechnical areas in the Software Development Industry. Many of the same skills needed to manage and implement security are also needed to design it. Members of the security project team fill the following roles:

Champion: A senior executive who promotes the project and ensures its support, both financially and administratively, at the highest levels of the organization.
Team Leader: A project manager, who may be a departmental line manager or staff unit manager, who understands project management, personnel management, and information security technical requirements.
Security Policy Developers: People who understand the organizational culture, existing policies, and requirements for developing and implementing successful policies.
Risk Assessment Specialists: People who understand financial risk assessment techniques, the value of organizational assets, and the security methods to be used.
Security Professionals: Dedicated, trained, and well-educated specialists in all aspects of information security from both a technical and nontechnical standpoint.
Systems Administrators: People with the primary responsibility for administering the systems that house the information used by the organization.
End Users: Those whom the new system will most directly affect. Ideally, a selection of users from various departments, levels, and degrees of technical knowledge assists the team in focusing on realistic controls, applied in ways that do not disrupt the essential business activities they seek to safeguard.

Data Responsibilities

The three types of data ownership and their respective responsibilities are outlined below:

1. Data Owners: Those responsible for the security and use of a particular set of information. They are usually members of senior management and could be CIOs. The data owners usually determine the level of data classification (discussed later), as well as the changes to that classification required by organizational change. The data owners work with subordinate managers to oversee the day-to-day administration of the data.

2. Data Custodians: Working directly with data owners, data custodians are responsible for the storage, maintenance, and protection of the information. Depending on the size of the organization, this may be a dedicated position, such as the CISO, or it may be an additional responsibility of a systems administrator or other technology manager. The duties of a data custodian often include overseeing data storage and backups, implementing the specific procedures and policies laid out in the security policies and plans, and reporting to the data owner.

3. Data Users: End users who work with the information to perform their assigned roles supporting the mission of the organization. Everyone in the organization is responsible for the security of data, so data users are included here as individuals with an information security role.

Conclusion: As information security is best initiated from the top down, senior management is the key component and the vital force for a successful implementation of an information security program. But administrative support is also essential to developing and executing specific security policies and procedures, and technical expertise is of course essential to implementing the details of the information security program.