IS Security Policy ISMT 350 week #4 IS Security: The Challenge Presented by Computers Practicum: Recognizing Fraud – The Anonymous Caller Instructor: Professor J. Christopher Westland, PhD, CPA Time: Tue & Thur 10:30am-11:50am Venue: Rm. 2463 Duration: 5 Sep – 7 Dec Text: Champlain, Auditing Information Systems (2nd ed.), Wiley, 2003 Contact: Office: 852 2358 7643 Fax: 852 2358 2421 Email: [email protected] URL: http://teaching.ust.hk/~ismt350/
IS Security Policy ISMT 350
week #4
IS Security: The Challenge Presented by Computers
Practicum: Recognizing Fraud – The Anonymous Caller
Instructor: Professor J. Christopher Westland, PhD, CPA
What is the problem?
Who (which individual in the case) is responsible for solving the problem and making a decision?
Where is the money? (The value generated by the solution)
When does the problem need to be solved?
How will you measure success?
Why did you have this problem, and what will you do to prevent it in the future?
The “Why”
You may not always want to include a description of why something is necessary in a policy. But if your reader is an end-user, it may be helpful to incorporate a description of why a particular security control is necessary, because this will not only aid their understanding, but will also make them more likely to comply with the policy.
Establishing the Company’s Risk Profile (It’s Surprisingly Similar to the Auditor’s Risk Assessment Database)

Asset columns (Ex 2.1): Primary OS | Owner | Application | Asset Value ($000,000 to Owner)* | Transaction Flow Description | Total Annual Transaction Value Flow managed by Asset ($000,000)*
Risk Assessment columns (Ex. 2.2 with improvements): Risk Description | Probability of Occurrence (# per Year) | Cost of single occurrence ($) | Expected Loss

Primary OS | Owner | Application | Asset Value ($000,000)* | Transaction Flow | Annual Flow ($000,000)* | Risk Description | Probability (# per Year) | Cost per occurrence ($) | Expected Loss
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Theft | 100 | 100 | 10000
Win XP | Receiving Dock | A/P | 0.002 | RM Received from Vendor | 23 | Obsolescence and spoilage | 35 | 350 | 12250
Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc | Etc

*Whether you list depends on Audit Materiality
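The register above as runnable data, an added example that is not part of the slides: Expected Loss is probability per year times cost per occurrence (which reproduces the slide's 10000 and 12250), and a materiality threshold (the asterisk footnote) decides which rows are listed. The third row and the way materiality is applied to expected annual loss are assumptions.

```python
# Added example (not from the slides): the Ex. 2.1 / Ex. 2.2 register as data,
# with Expected Loss = probability per year x cost per occurrence, and an audit
# materiality threshold deciding which rows get listed (the table's footnote).
from dataclasses import dataclass

@dataclass(frozen=True)
class RiskEntry:
    asset: str               # primary OS / owner / application from Ex. 2.1
    asset_value_musd: float  # asset value to owner, in $ millions
    flow: str                # transaction flow the asset manages
    annual_flow_musd: float  # annual transaction value managed, in $ millions
    risk: str                # risk description from Ex. 2.2
    probability: float       # expected occurrences per year
    cost: float              # cost of a single occurrence, in $

    @property
    def expected_loss(self) -> float:
        """The 'Expected Loss' column: occurrences per year times cost each."""
        return self.probability * self.cost

# Constructed rows: the slide's two worked lines plus one hypothetical row
# small enough to fall below materiality.
REGISTER = [
    RiskEntry("Win XP / Receiving Dock / A/P", 0.002, "RM received from vendor",
              23, "Theft", 100, 100),
    RiskEntry("Win XP / Receiving Dock / A/P", 0.002, "RM received from vendor",
              23, "Obsolescence and spoilage", 35, 350),
    RiskEntry("Win XP / Receiving Dock / A/P", 0.002, "RM received from vendor",
              23, "Mis-keyed receiving quantity (hypothetical)", 5, 40),
]

def expected_losses(register):
    """Map risk description -> expected annual loss in $."""
    return {e.risk: e.expected_loss for e in register}

def material_risks(register, materiality_usd):
    """Rows worth listing, largest expected loss first. Assumption: materiality
    is applied to expected annual loss, so immaterial rows are left out."""
    return sorted((e for e in register if e.expected_loss >= materiality_usd),
                  key=lambda e: e.expected_loss, reverse=True)

def loss_share_of_flow(entry):
    """Expected loss as a fraction of the annual transaction value the asset
    manages (both in $): a quick check of exposure against value at risk."""
    return entry.expected_loss / (entry.annual_flow_musd * 1_000_000)
```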
Why are auditors interested in IS Security Policy?
[Figure: diagram linking the physical world, the parallel (logical) world of accounting, and auditing. The Physical World: external real-world entities and events that create and destroy value; internal operations of the firm; transactions. The Parallel (Logical) World of Accounting: journal entries; ledgers (databases); 'owned' assets and liabilities; reports (statistics); accounting systems. Auditing: audit program; tests of transactions; substantive tests; analytical tests; attestation; audit report / opinion; corporate law.]
Practicum: Recognizing Fraud
The Anonymous Caller
Recognizing It's a Fraud and Evaluating What to Do
How to Write An IS Security Policy
The Three Elements of Policy Implementation
Standards – Standards specify the use of specific technologies in a uniform way. The example the book gives is the standardization of operating procedures.
Guidelines – Similar to standards, but are recommended rather than mandatory actions.
Procedures – These are the detailed steps that must be performed for each task.
Steps to Creation of IS Security Policy: Policy Development Lifecycle
1. Senior management buy-in
2. Determine a compliance grace period
3. Determine resource involvement
4. Review existing policy
5. Determine research materials (Internet, SANS, white papers, books…)
6. Interview parties {Responsible, Accountable, Controlling} assets
   1. Define your objectives
   2. Control the interview
   3. Sum up and confirm
   4. Post-interview review
7. Review with additional stakeholders
8. Ensure policy is reflected in “awareness” strategies
9. Review and update
10. Gap Analysis
11. Develop communication strategy
12. Publish
What’s in a Policy Document
Governing Policy
Should cover: address information security policy at a general level, define significant concepts, describe why they are important, and detail what your company’s stand is on them.
Governing policy will be read by managers and by technical custodians
Level of detail: governing policy should address the “what” in terms of security policy.
Governing Policy Outline might typically include:
1. Authentication
2. Access Control
3. Authorization
4. Auditing
5. Cryptography
6. System and Network Controls
7. Business Continuity/Disaster Recovery
8. Compliance Measurement
Technical Policies
Used by technical custodians as they carry out their security responsibilities for the system they work with.
Are more detailed than the governing policy and will be system or issue specific, e.g., AS-400 or physical security.
User Policies
Cover all the IS security policy that end-users should ever have to know about, comply with, and implement. Most of these will address the management of transaction flows and databases associated with applications.
Some of these policy statements may overlap with the technical policy
Grouping all end-user policy together means that users will only have to go to one place and read one document in order to learn everything they need to do to ensure compliance with company security
User Policy Outline might typically include:
1. User Access
2. User Identification and Accountability
3. Passwords
4. Software
5. System Configuration and Settings
6. Physical
7. Business Continuity Planning
8. Data Classification
9. Encryption
10. Remote Access
11. Wireless Devices/PDAs
12. Email
13. Instant Messaging
14. Web Conferencing
15. Voice Communications
16. Imaging/Output
Special Topics
New IS Security Threats that have arisen or grown in importance over the Last Decade
Social Engineering
Tricking firm personnel into:
- Revealing passwords
- Relinquishing control of sensitive or valuable information
- Allowing entry to intruders
- Or other activity destructive or detrimental to the firm
Only ‘Awareness’ programs can control for social engineering.
Recent News: Email Fraud and HSBC
Policy on Information Sharing: Identify Assets, Threats, and Countermeasures
Information which needs to be protected:
- Information created by, intended solely for, or in the sole possession of a single user.
- Information considered personal or private to a single user.
- Information relating to employee health or social security number, Non-Disclosure Agreement protected information, publicly identifiable research subject or customer data, classified information, and information protected by the greater organization’s program policy.
To help determine which protective countermeasures will be employed, the threats to the protected information need to be determined:
- Breach of user confidentiality or privacy due to unauthorized access of protected information.
- Breach of information integrity, ownership, or accountability due to unauthorized modification of protected information.
- Breach of information availability due to unauthorized deletion, movement, or other suppression of protected information.
The focus of the information sharing policy is to mitigate the threat from other users within the organizational unit.
Related technical policies such as policy for router configuration, firewall configuration, or anti-virus protection must also be designed to help mitigate those threats.
Managing Internet Use: Big Brother or Due Diligence?
Internet access has become an established business tool, taken for granted along with email, telephone and facsimile.
Like these other media, giving staff access to the Internet has risks:
- Will they spend all day downloading porn or swapping chat messages with their friends?
- Will they infect the network with viruses or publish company secrets?
Responsibility Accounting
Each bubble is associated with a person or entity that is responsible for that process. The same individuals with:
- Managerial Control
- Accountability
- Responsibility for the process
should all be responsible for the same bubble.
Example (next slide) of Traditional Flowchart: often, traditional accounting flowcharts place responsibility centers across the top of the chart, and the sequence of processes from top (first) to bottom (last).
Risk (rating) | Vulnerability (rating) | Impact (rating) | Score | Countermeasures
Excessive Internet Use (H) | Inadequate reporting of use (H) | Wasted time (M) | 18 | Acceptable Use Policy. Usage monitoring and reporting
Excessive Internet Use (H) | Connection not authenticated (H) | Lack of accountability (H) | 27 | Require all connections to be authenticated
Inappropriate Internet Use (M) | Staff able to access such sites (M) | Can be sued for hostile workplace (M) | 8 | Acceptable Use Policy. Implement blocking capability. Disciplinary Process.
Unauthorised software (M) | Staff able to install software (L) | Local PC destabilised (L) | 2 | Policy. Lock Down PC. Audit
Unauthorised software (M) | Non-compliance with licenses (M) | Sued by vendor (H) | 12 | Policy. Lock Down PC. Audit. Approved purchase route
Unauthorised software (M) | Virus/Trojan introduced (L) | Loss or disclosure of data (H) | 6 | Policy. Lock Down PC. Anti-virus software
Users don’t speak English (M) | System messages in English (M) | Policy not followed because not understood (M) | 8 | Translate Policy. Login banners in local language. Error pages in local language
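Scoring the Internet-use risk table, as an added example that is not part of the slides: the assumption that H/M/L map to 3/2/1 and that the score is the product of the risk, vulnerability and impact ratings reproduces all seven scores on the slide, and the same function then shows how a countermeasure lowers a residual score.

```python
# Added example (not from the slides): scoring the Internet-use risk table.
# Assumption: H/M/L map to 3/2/1 and the score column is the product of the
# risk, vulnerability and impact ratings; this reproduces all seven scores on
# the slide (H x H x H = 27 down to M x L x L = 2).
RATING = {"H": 3, "M": 2, "L": 1}

def score(risk, vulnerability, impact):
    """Product of the three ratings; a KeyError flags an unknown rating letter."""
    return RATING[risk] * RATING[vulnerability] * RATING[impact]

# The slide's rows: (risk, rating, vulnerability, rating, impact, rating, countermeasures).
INTERNET_USE_RISKS = [
    ("Excessive Internet use", "H", "Inadequate reporting of use", "H",
     "Wasted time", "M", "AUP; usage monitoring and reporting"),
    ("Excessive Internet use", "H", "Connection not authenticated", "H",
     "Lack of accountability", "H", "Require all connections to be authenticated"),
    ("Inappropriate Internet use", "M", "Staff able to access such sites", "M",
     "Sued for hostile workplace", "M", "AUP; blocking; disciplinary process"),
    ("Unauthorised software", "M", "Staff able to install software", "L",
     "Local PC destabilised", "L", "Policy; lock down PC; audit"),
    ("Unauthorised software", "M", "Non-compliance with licenses", "M",
     "Sued by vendor", "H", "Policy; lock down PC; audit; approved purchase route"),
    ("Unauthorised software", "M", "Virus/Trojan introduced", "L",
     "Loss or disclosure of data", "H", "Policy; lock down PC; anti-virus software"),
    ("Users don't speak English", "M", "System messages in English", "M",
     "Policy not followed", "M", "Translate policy; local-language banners and error pages"),
]

def scores(risks):
    """Score of each row, in slide order."""
    return [score(r, v, i) for _, r, _, v, _, i, _ in risks]

def ranked(risks):
    """(score, risk, vulnerability, countermeasures), highest score first, so
    the countermeasures for the largest exposures are implemented first."""
    rows = [(score(r, v, i), name, vuln, cm) for name, r, vuln, v, _, i, cm in risks]
    return sorted(rows, key=lambda row: row[0], reverse=True)

def residual(row, new_vulnerability):
    """Score after a countermeasure lowers the vulnerability rating, e.g. making
    authentication mandatory takes 'connection not authenticated' from H to L."""
    _, r, _, _, _, i, _ = row
    return score(r, new_vulnerability, i)
```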
Excessive non-business related Internet use
Risk both in terms of lost productivity and in competition for infrastructure resources for legitimate business use.
Surveys have estimated the time spent on non-business browsing by US and UK workers to average 30 to 60 minutes a day.
Lost productivity of a pharmaceutical industry worker who spends one hour a day on non-business use is estimated at $43,000 a year (est. Surfcontrol, Inc.).
News, chat and email represent the greatest problems.
Where Internet Use Occurs
Unauthorized Software
Employees with Internet access are able to download software.
This could be commercial software or shareware that is not part of the standard desktop, but could also be Trojans and viruses.
There is also the risk of non-compliance with licensing terms, for example commercial use of a product that is only free for personal use (though these problems are decreasing).
The impact of unauthorised software will vary depending on the sensitivity of the system on which it is installed.
Installation of unauthorised software on strictly controlled PCs that are part of formally defined and validated systems compromises the entire system.
Policy implementation alternatives
Authentication: Having the client authenticate with the Internet gateway ensures that usage is assigned to individual user IDs. It also provides the opportunity to display an acceptable use banner.
Logging: Usage logs may be created by firewall and proxy servers. These will contain User ID, Client IP, URL requested and time stamp. Logs should be regularly reviewed to detect inappropriate use.
URL Blocking: Given the low cost of blocking software, typically $10 a seat, it would be difficult for a company to defend a hostile workplace action unless it had implemented blocking.
Reporting: Usage reporting should be automated using the capabilities of the blocking software, with reporting tools such as WebTrends or with custom scripts. Care should be taken when reporting individuals’ usage as this risks infringing their privacy.
Investigation of Inappropriate Use: IT Security should avoid becoming the moral guardians of the company. Inappropriate use is primarily a line management issue, so any investigation should be managed by Human Resources departments, with IT security staff providing technical assistance. Policy should describe an escalation process by which incidents can be handed off from IT to HR and on to corporate security or even the police if necessary.
Data Retention: Companies should define a process to archive or dispose of log files. HR should retain any data that has been used as part of a disciplinary process, with other records relating to the case.
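A review of gateway usage logs of the kind described above (user ID, client IP, URL requested, time stamp), as an added example that is not part of the slides: it flags unauthenticated requests (the "connection not authenticated" risk) and produces the per-user non-business counts a usage report needs without exposing URLs to the reviewer. The log line format, the category list, the sample lines and the threshold are all constructed assumptions, not any particular product's.

```python
# Added example (not from the slides): review of constructed proxy/gateway log
# lines in an assumed "timestamp user client_ip url" format. Category list,
# sample data and threshold are assumptions for illustration.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<ip>\S+) (?P<url>\S+)$")

# Hypothetical category list an acceptable use policy might report on.
CATEGORY = {"news.example": "news", "chat.example": "chat",
            "webmail.example": "email", "erp.internal": "business"}

# Constructed sample log; "-" as user means the request was not authenticated.
SAMPLE_LOG = """\
2003-10-02T09:01:10 alice 10.0.0.5 http://erp.internal/orders
2003-10-02T09:05:42 alice 10.0.0.5 http://news.example/world
2003-10-02T09:06:01 - 10.0.0.9 http://chat.example/room/1
2003-10-02T09:07:15 bob 10.0.0.7 http://chat.example/room/2
2003-10-02T09:08:00 bob 10.0.0.7 http://chat.example/room/2
2003-10-02T09:09:30 bob 10.0.0.7 http://webmail.example/inbox
"""

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped so a
    single bad record cannot abort the review."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["category"] = CATEGORY.get(urlsplit(rec["url"]).hostname, "uncategorised")
        yield rec

def unauthenticated(log_text):
    """Requests carrying no user ID: usage that cannot be attributed to anyone."""
    return [(r["ip"], r["url"]) for r in parse(log_text) if r["user"] == "-"]

def non_business_counts(log_text):
    """Per-user count of requests outside the 'business' category. The report
    carries counts rather than URLs, limiting the privacy exposure of reporting."""
    counts = defaultdict(int)
    for r in parse(log_text):
        if r["user"] != "-" and r["category"] != "business":
            counts[r["user"]] += 1
    return dict(counts)

def over_threshold(log_text, max_requests=2):
    """Users whose non-business request count exceeds the assumed threshold."""
    return sorted(u for u, n in non_business_counts(log_text).items() if n > max_requests)
```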
There is little legal foundation in the US or Asia to protect individuals’ privacy.
Since the employer owns the computer network and the terminals, he or she is free to use them to monitor employees.
The main requirement of the Electronic Communications Privacy Act is that employees must give their consent to monitoring and employers must notify staff of their monitoring policy on hiring and annually thereafter.
"If an employer electronically monitors an employee without giving the required notice, an employee may sue for civil damages. Compensatory damages are capped at $5000, and total damages are capped at $20,000 . In a case where many employees are affected, per incident damages are capped at $500,000,"
Scant Privacy Protection
Conversely, there is a requirement on employers to take steps to protect their staff from a hostile workplace.
"[The Supreme Court requires that] companies must take reasonable steps to prevent as well as quickly correct any hostile environment or sexual harassment behaviors as they occur. It can be interpreted that if there are reasonable technologies able to prevent this from ever happening, companies must take those steps."
The conclusion is that US law requires companies to implement processes, such as monitoring and blocking, to protect their staff and staff should have no expectation of privacy providing they have been informed of the monitoring.