Tuesday, June 2, 2015

Data Integrity Policies in Information Security

This group of policies applies to computers and information systems. Data integrity policies focus on keeping valuable information intact, that is, on protecting stored data from unauthorized or accidental modification and loss. It is important to start with definitions of how data integrity may be compromised, for example by viruses and other malware, by uncontrolled changes to production systems, and by backup failure; the policies below are grouped as controls against each of those causes.
Workstation Antivirus Software: All workstations and servers require antivirus software.
Virus-Signature Updating: Virus signatures must be updated immediately when they are made available from the vendor.
Central Virus-Signature Management: All virus signatures must be updated (pushed) centrally.
E-Mail Virus Blocking: All known e-mail virus payloads and executable attachments must be removed automatically at the mail server.
E-Mail Subject Blocking: Known e-mail subjects related to viruses must be screened at the mail server, and messages with these subjects must be blocked at the mail server.
Virus Communications: Virus warnings, news, and instructions must be sent periodically to all users to raise end-user awareness of current virus information and to debunk hoaxes.
Virus Detection, Monitoring, and Blocking: All critical servers and end-user systems must be periodically scanned for viruses. The virus scan must identify the following:
• E-mail-based viruses arriving on servers and end-user systems
• Web-based viruses arriving on servers and end-user systems
• E-mail attachments containing suspected virus payloads
Notification must be provided to system administration staff and the intended recipient when a virus is detected.
All critical servers and end-user systems must be continuously monitored for virus activity. This monitoring must cover at least the following categories:
• E-mail-based viruses passing through mail servers
• Web-based viruses passing through web proxy servers
• Viruses successfully installed or executed on individual systems
Notification must be provided to system administration staff and the intended recipient when a virus is detected. Viruses passing through web proxy servers and e-mail gateways must be blocked in the following manner:
• E-mail-based viruses passing through mail servers must have the attachment removed
• Web-based viruses passing through web proxy servers must have the infected download blocked
• Messages with subject lines known to be associated with viruses must not be passed through mail servers, and must instead be discarded
Notification must be provided to system administration staff and the intended recipient when a message or web page containing a suspected virus is blocked.
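The attachment-removal and subject-blocking rules above can be implemented as a small gateway filter. The following is an added example, written for this page and not code from the original post or from any particular mail product; the extension list, the executable magic bytes, the blocked-subject list, the sample message and the X-Attachment-Removed header used to notify the recipient are all assumptions made for the example. It strips attachments that are executable either by name or by content (a renamed executable is still caught by its MZ or ELF header), discards messages with a blocked subject line, and returns the list of removed attachments so administrators can be notified.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment types the policy says must never reach the user (assumed list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".vbs", ".js", ".jar", ".msi", ".hta", ".ps1"}
# Magic bytes of Windows PE and ELF executables, checked regardless of the file name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")
# Subject lines known to be used by virus mailings (constructed list for the example).
BLOCKED_SUBJECTS = {"iloveyou", "important message from"}


def is_executable(filename: str, data: bytes) -> bool:
    """Executable by extension or by content; a renamed .exe is still caught."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS or data.startswith(EXECUTABLE_MAGIC)


def filter_message(raw: bytes):
    """Return (message, removed, reason). message is None when the whole message is
    discarded; removed lists the attachment names stripped from a delivered message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = (msg["Subject"] or "").strip().lower()
    if subject in BLOCKED_SUBJECTS:
        return None, [], f"blocked subject: {subject!r}"

    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Date", "Subject", "Message-ID"):
        if msg[name]:
            clean[name] = msg[name]
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")

    removed = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "unnamed"
        data = part.get_payload(decode=True) or b""
        if is_executable(filename, data):
            removed.append(filename)
            continue
        maintype, subtype = part.get_content_type().split("/", 1)
        clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    if removed:
        # Assumed header used to tell the recipient what was stripped.
        clean["X-Attachment-Removed"] = ", ".join(removed)
    return clean, removed, None


def build_sample(subject: str = "Q2 report") -> bytes:
    """Constructed test message: one benign PDF plus two executables, one of
    them disguised with a harmless-looking name."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("Please find the report attached.")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="report.pdf")
    m.add_attachment(b"MZ\x90\x00fake PE header", maintype="application",
                     subtype="octet-stream", filename="report.pdf.exe")
    m.add_attachment(b"\x7fELF\x02\x01\x01 fake ELF header", maintype="application",
                     subtype="octet-stream", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    delivered, stripped, _ = filter_message(build_sample())
    print("removed:", stripped)
    print("kept:", [p.get_filename() for p in delivered.iter_attachments()])
    print("discarded:", filter_message(build_sample("ILOVEYOU"))[2])
```

The content check matters more than the extension list: "notes.txt" is removed because its bytes start with an ELF header, which an extension-only filter would pass through. In a real gateway the removed-attachment list is what drives the notification to administrators and to the intended recipient.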
Back-out Plan: A back-out plan is required for all production changes.
Software Testing: All software must be tested in a suitable test environment before installation on production systems.
Division of Environments: The division of environments into Development, Test, Staging, and Production is required for critical systems.
Version Zero Software: Version zero software, meaning dot-zero releases (1.0, 2.0, and so on), must be avoided on production systems whenever possible, because a first major release typically still carries undiscovered bugs.
Backup Testing: Backups must be tested periodically, by actually restoring them, to ensure their viability.
Online Backups: For critical servers with unique data, online (disk) backups are required, along with offline (tape) backups.
Onsite Backup Storage: Backups are to be stored onsite for one month before being sent to an offsite facility.
Fireproof Backup Storage: Onsite storage of backups must be fireproof.
Offsite Backup Storage: Backups older than one month must be sent offsite for permanent storage.
Quarter-End and Year-End Backups: Quarter-end and year-end backups must be done separately from the normal schedule, for accounting purposes.
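A backup that has never been restored is an assumption, not a control. The following is an added example, written for this page and not code from the original post or from any backup product, of what "backups must be periodically tested" looks like in practice: each backup is written together with a SHA-256 manifest, and the test restores the archive into a scratch directory and compares every file against that manifest. The sample data set, the manifest file name and the corruption scenarios are constructed for the example; the restore step also refuses archive members that would write outside the restore directory, since a backup pulled back from offsite storage should be treated as untrusted input.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src: Path, archive: Path) -> dict:
    """Archive every file under src and write a SHA-256 manifest next to the
    archive (assumed name: <archive>.manifest.json). A later restore test is
    checked against this manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = file.relative_to(src).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    archive.with_name(archive.name + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def _safe_members(tar: tarfile.TarFile, dest: Path):
    """Yield only regular-file members that extract inside dest, so a tampered
    archive cannot write elsewhere via '..' or absolute member names."""
    root = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if not member.isfile() or root not in target.parents:
            raise tarfile.TarError(f"unsafe or unsupported member: {member.name}")
        yield member


def verify_backup(archive: Path, manifest: dict) -> list:
    """Restore the archive into a scratch directory and compare every file
    against the manifest. Returns a list of problems; empty means viable."""
    problems = []
    with tempfile.TemporaryDirectory() as tmp:
        restore = Path(tmp)
        try:
            with tarfile.open(archive, "r:gz") as tar:
                tar.extractall(restore, members=_safe_members(tar, restore))
        except Exception as exc:  # truncated, corrupt or tampered archive
            return [f"restore failed: {type(exc).__name__}: {exc}"]
        for rel, expected in manifest.items():
            restored = restore / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems


def build_sample_source(root: Path) -> Path:
    """Constructed sample data set standing in for a server's unique data."""
    src = root / "data"
    (src / "db").mkdir(parents=True)
    (src / "config.ini").write_text("[app]\nmode=prod\n")
    (src / "db" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
    (src / "db" / "journal.log").write_bytes(b"\x00\x01\x02\x03" * 256)
    return src


def demo() -> dict:
    """Run the backup test against a good archive, against an archive whose
    content drifted from the recorded manifest, and against a truncated file
    such as an interrupted copy to offsite storage would leave behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = build_sample_source(root)
        archive = root / "data.tar.gz"
        manifest = make_backup(src, archive)
        good = verify_backup(archive, manifest)
        (src / "config.ini").write_text("[app]\nmode=test\n")
        make_backup(src, archive)  # fresh archive, but the older manifest is kept
        drifted = verify_backup(archive, manifest)
        data = archive.read_bytes()
        archive.write_bytes(data[: len(data) // 2])
        truncated = verify_backup(archive, manifest)
    return {"files": len(manifest), "good": good, "drifted": drifted, "truncated": truncated}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The two failure cases are the ones a periodic test is meant to find: an archive that restores cleanly but no longer matches the data the manifest was recorded for, and an archive that cannot be restored at all. Neither is visible from the existence or size of the backup file.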
Change Control Board: A corporate Change Control Board must be established for the purpose of approving all production changes before they take place.
Minor Changes: Support staff may make minor changes without review if there is no risk of service outage.
Major Changes: The Change Control Board must approve major changes to production systems in advance, because they may carry a risk of service outage.
Vendor-Supplied Application Patches: Vendor-supplied patches for applications must be tested and then installed promptly after they are made available.
Vendor-Supplied Operating System Patches: Vendor-supplied patches for operating systems must be tested and then installed promptly after they are made available.
Disaster Recovery: A comprehensive disaster-recovery plan must be used to ensure continuity of the corporate business in the event of an outage.
