This research report aims to establish a baseline for a security policy program that a company should implement in order to protect its physical and environmental resources against unauthorized system penetration attacks as well as internal threats. The report also includes a brief background on security standards, describing how ISO/IEC 17799:2005 was developed and became ISO/IEC 27002:2005. This is followed by an explanation of the main components of the core standard: security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, development and maintenance, incident management, business continuity management and compliance.
The report shows that the fundamental issue is that information which can be accessed remotely is exposed to unauthorized access attempts by attackers. This is demonstrated with three case studies. The first shows how a system was penetrated and the personal data of 6 million customers was stolen through SQL injection. The second shows how malware attempted to get into the system running on the personal computer of one of Bank X's clients. The last shows that insiders (employees) are a threat to companies just as external attackers are: Intel experienced the theft of top secret data by an employee from a well encrypted system.
After the case studies have been analyzed, the principles of a security policy program are examined. The importance of the confidentiality, integrity and availability of data is underlined in the planning section. A detailed account then follows of computer security policies under the headings of physical access controls, network security policies (for example, e-mail and Internet policies), data security policies, contingency and disaster recovery plans, and security awareness and training.
Finally, it is highlighted that the purpose of creating a standard for an acceptable security policy is to reduce the risks that may cause internal or external harm to company resources. The report then concludes by recommending the implementation of a security policy program for all companies that deal with massive numbers of transactions, possess huge databases and work with more than a hundred employees.
Table of Contents
1 Introduction.......................................................................................................................3
2 Background.......................................................................................................................4
3 Case Studies......................................................................................................................6
4 Security Policy Program...................................................................................................8
5 Recommendation............................................................................................................16
6 Conclusion......................................................................................................................16
1 Introduction
Since organizational data, intellectual property, customer data and confidential information have come to be stored in and accessed through electronic environments, security has become one of the vital concerns of industry. It has become important even for small-scale companies to protect themselves and to maintain their reputation in the public eye. The term covers a wide range of complicated issues under a single umbrella, such as the interconnection between databases, applications, servers, workstations, the Internet and intranet networks. In order to provide a secure environment and network against a wide variety of threats that are growing in sophistication and scope, companies should prepare, document and implement appropriate security policy programs and policy projects. Otherwise, organizations may face problems including loss of reputation in the business area and liability in the eyes of their clients; there is also a very high possibility that breaches of pre-specified policies will bring issues to the courts. However, defining the required policies, documenting them in a suitable format and deploying them properly throughout the company is a further struggle for organizations. This is where standards come into use. Specifically for information technology, the ISO/IEC 27002 standard has been developed and enhanced in order to identify the boundaries of the required security aspects, policies for controlling information and human resources, the characteristics of an efficient security framework and constant monitoring for system vulnerabilities (Stallings, 2007).
2 Background
Standards were developed to create organizational regulation so that governance can be performed within predefined boundaries. The purpose of creating a standard on information technology security, however, is to provide an internationally accepted certification, so that companies all over the world can demonstrate their security measures against a well documented standard (Danchev, 2003). The most recently developed standard, ISO/IEC 27002:2005, formerly known as ISO/IEC 17799:2005, is an internationally accredited technical guideline developed specifically to address security concerns in IT. It consists of a comprehensive set of policies, controls and best practices (ISO, 2008). Essentially, the standard comprises controls and functions for a code of best practice in the following areas (ISO27001Security, 2010):
• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.
3 Case Studies
The concept of confidential data covers a great deal in terms of its content. Customer information, intellectual property, company assets, database contents and removable disks all hold valuable information which should be protected with security devices as well as with security policies and programs. Intercepted confidential data can be used to gain unauthorized access to a customer's account or to steal massive amounts of customer information by hacking a database (Trend Micro, 2010).
Another reported incident concerned chipset giant Intel, where 13 top secret files consisting of designs and documents for Intel's newest chips were captured by an employee of the company (Gaudin, 2008). The issue was discovered when another employee heard a rumor that Pani, the employee concerned, was working for AMD while still working for Intel. An investigation was then conducted to report on Pani's activities, showing his access and download history on the system. Pani, Intel's former employee, later admitted that he had downloaded the documents from an encrypted system at Intel.
The problem at Intel arose from two different weaknesses. The first was weak monitoring of access to critical confidential data, and the second was the employee's recruitment by another company while he was still employed by the current one.
Top secret documents, like Intel's chipset designs, should be stored in a separate encrypted system to ensure that protection is always at the highest level. However, there will always be a group of people who have been granted proper authorization to access the documents. To address this, a proper and separate monitoring mechanism should be implemented by companies like Intel so that they know who wants to access the documents, when and why. The company should have implemented a special defense system that allows senior management to screen download activities and that also sends a notification to the security service (Perimetrix, n.d.).
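One way to implement the download screening and notification described above, as an added example that is not part of the report and not Intel's or Perimetrix's system: the audit log lines, the field names, the one-hour sliding window and the threshold of three downloads are all constructed assumptions for this example. The rule counts downloads (not views) of documents carrying a given classification per user inside the window and produces a notification record for the security service once a user exceeds the threshold.

```python
"""Monitoring of downloads from a classified-document store (added example).

Constructed log lines, field names, the window and the threshold are all
assumptions made for this example; they are not Intel's or Perimetrix's.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, user, action, document, classification.
SAMPLE_LOG = """\
2008-09-01T09:00:00 user=alice action=download doc=roadmap.pdf class=internal
2008-09-01T09:05:00 user=bob action=download doc=chip_design_01.doc class=top_secret
2008-09-01T09:06:00 user=bob action=download doc=chip_design_02.doc class=top_secret
2008-09-01T09:07:00 user=bob action=download doc=chip_design_03.doc class=top_secret
2008-09-01T09:08:00 user=bob action=view doc=chip_design_04.doc class=top_secret
2008-09-01T09:09:00 user=bob action=download doc=chip_design_04.doc class=top_secret
2008-09-01T14:00:00 user=alice action=download doc=chip_design_05.doc class=top_secret
"""

WINDOW = timedelta(hours=1)   # assumed sliding window
THRESHOLD = 3                 # assumed: more than this many downloads per window is notable


@dataclass
class Notification:
    """Record handed to the security service (and to management) for review."""
    user: str
    count: int
    window_start: datetime
    window_end: datetime
    documents: list = field(default_factory=list)


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' log line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    record = dict(f.split("=", 1) for f in fields)
    record["ts"] = datetime.fromisoformat(ts_str)
    return record


def monitor_downloads(log_text: str, window: timedelta = WINDOW,
                      threshold: int = THRESHOLD,
                      classification: str = "top_secret") -> list:
    """Return one Notification per user whose downloads of documents with the
    given classification exceed `threshold` inside any sliding `window`.

    'view' actions are ignored: the rule is about copies leaving the store.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, doc) inside the window
    notified = set()              # one notification per user per run
    notifications = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] != "download" or rec["class"] != classification:
            continue
        q = recent[rec["user"]]
        q.append((rec["ts"], rec["doc"]))
        while q and rec["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        if len(q) > threshold and rec["user"] not in notified:
            notified.add(rec["user"])
            notifications.append(Notification(
                user=rec["user"], count=len(q),
                window_start=q[0][0], window_end=rec["ts"],
                documents=[doc for _, doc in q]))
    return notifications


if __name__ == "__main__":
    for n in monitor_downloads(SAMPLE_LOG):
        print(f"NOTIFY security service: {n.user} downloaded {n.count} classified "
              f"documents between {n.window_start} and {n.window_end}: {n.documents}")
```

The threshold is deliberately a count within a window rather than a single-download trigger, because authorized engineers legitimately open these files; what management needs to see is the pattern of many copies leaving the store in a short time.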
Issue Identified 3: Bank X customer accounts under Zeus malware threat
Bank X (which wishes to remain anonymous) experienced a malware attack that transferred millions of dollars from its clients' bank accounts, especially those of small-scale business customers, to another country (Litan, 2010). The vulnerability identified arose on a computer belonging to a client of Bank X. The Zeus malware was set up to wake up automatically when a URL was entered or the browser navigated to a bank website. After the user entered their account identification and password, the new URL stream (which carries a token specific to that session) was copied by the malware and transmitted to the malware's control server. However, due to naive programming, the replicated session URL was transmitted a second time to the bank by the control server. Bank X's network administrators caught the attack straight after their authenticator application received the requester URL a second time.
Bank X had deployed an intrusion detection system specifically against fraud in 2006. According to the plan, the IT security team and the LOB team (responsible for online banking) came together, worked on the malware's behavior and replicated its working mechanism in order to thwart the attacker. After all the malware's activities had been examined, a new rule was deployed to the existing fraud detection system. By doing so, the bank prevented over $1 million in losses from customer accounts and stopped several further malware interception attempts.
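The detection the bank's authenticator performed, reduced to a rule over log lines, as an added example that is not from the report and not Bank X's system: the log format, the `token` parameter name and the `/login/complete` path are assumptions, and the log lines are constructed. The rule raises an alert when a post-login URL carrying an already accepted session token is presented a second time, and rates it higher when the second presentation comes from a different address, which is how a replay from a control server differs from a user refreshing the page.

```python
"""Detection of a replayed authenticated-session URL (added example).

Log format, field names, the token parameter name and the authentication
path are assumptions for this example; they are not Bank X's.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Constructed authenticator log lines: timestamp, source address, requested URL.
SAMPLE_LOG = """\
2010-05-05T10:00:01Z src=203.0.113.10 url=https://bank.example/login/complete?token=abc123
2010-05-05T10:00:05Z src=203.0.113.10 url=https://bank.example/accounts?token=abc123
2010-05-05T10:00:09Z src=198.51.100.7 url=https://bank.example/login/complete?token=abc123
2010-05-05T10:01:00Z src=203.0.113.22 url=https://bank.example/login/complete?token=def456
2010-05-05T10:01:03Z src=203.0.113.22 url=https://bank.example/login/complete?token=def456
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) url=(?P<url>\S+)$")
AUTH_PATH = "/login/complete"   # assumed: the URL the authenticator issues after login
TOKEN_PARAM = "token"           # assumed name of the session token parameter


@dataclass
class ReplayAlert:
    token: str
    first_src: str
    first_ts: str
    replay_src: str
    replay_ts: str
    severity: str   # "high" when the replay comes from a different address


def detect_replays(log_text: str) -> list:
    """Flag every second (and later) presentation of an authentication-completion
    URL carrying a session token that the authenticator has already accepted.

    Ordinary browsing with the same token on other paths is not an alert;
    only the one-time post-login URL is expected to be seen once.
    """
    seen = {}       # token -> (src, ts) of the first accepted presentation
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip malformed lines rather than fail the whole run
        url = urlparse(m["url"])
        if url.path != AUTH_PATH:
            continue
        token = parse_qs(url.query).get(TOKEN_PARAM, [None])[0]
        if token is None:
            continue
        if token in seen:
            first_src, first_ts = seen[token]
            alerts.append(ReplayAlert(
                token=token, first_src=first_src, first_ts=first_ts,
                replay_src=m["src"], replay_ts=m["ts"],
                severity="high" if m["src"] != first_src else "low"))
        else:
            seen[token] = (m["src"], m["ts"])
    return alerts


if __name__ == "__main__":
    for a in detect_replays(SAMPLE_LOG):
        print(f"[{a.severity}] token {a.token} first seen from {a.first_src} at {a.first_ts}, "
              f"replayed from {a.replay_src} at {a.replay_ts}")
```

Keying on the token rather than on the whole URL keeps the rule useful even if the control server rewrites other parameters, and keeping the first source address lets the fraud team distinguish the cross-address replay that matters from a same-address duplicate that is usually a browser refresh.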
administrators and employees for the company's current and future use. In other words, building and implementing a program is a cooperative task among stakeholders, although many users think that it is not their job or responsibility.
Planning
Security is defined as 'the state of being free from unacceptable risk'. To keep the company away from potential harm, a plan should first be prepared. Basically, planning means defining the scope of the security policy program, identifying the threats, the possible risks and their countermeasures, and training employees on what they can and cannot do with the company's resources.
The threats and risks concern the protection of the well-known three aspects of data, as follows (UTS, 2008):
• Confidentiality refers to the protection of confidential company data, intellectual property and customers' data against unauthorized interception; for example, against SQL injection based database attacks.
• Integrity refers to the precision and completeness of data, which should be protected against deliberate corruption and modification; for instance, changing the figures in an important report or destroying electronic evidence by deleting it.
• Availability ensures that the system operates on a timely basis in order to provide the required service and avoid considerable losses; for example, online banking websites should be available 24/7.
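The SQL injection attack named under Confidentiality, as an added example that is not from the report: a customer lookup built by string concatenation beside the parameterised form, run against a constructed in-memory SQLite table. The table, its rows and the function names are assumptions made for this example.

```python
"""String-built query beside its parameterised form (added example, sqlite3).

The customers table and its rows are constructed for this example; they
are not the breached database mentioned in the report.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory customer table with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL text from user input: the input can change the query's
    structure, so a crafted value widens the WHERE clause and leaks every row."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """Binds the input as a parameter: it is compared as data and can only ever
    match a literal username, however it is crafted."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"      # tautology: the classic textbook injection string
    print("vulnerable, normal input:    ", lookup_vulnerable(db, "alice"))
    print("vulnerable, crafted input:   ", lookup_vulnerable(db, crafted))
    print("parameterised, crafted input:", lookup_parameterised(db, crafted))
```

With the crafted input the vulnerable lookup returns the whole table, which is exactly the confidentiality loss the bullet describes; the parameterised lookup returns nothing because no customer is literally named `x' OR '1'='1`.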
doing so, the boundaries of information protection and people's responsibilities can be seen clearly.
2-Equipment Security
All organizational devices should be housed in a secure environment to thwart unauthorized access. In particular, the company's portable devices, including laptops, PDAs and mobile computing devices, should be well configured and should not be left switched on without proper lock settings. Devices should not be taken out of the company without permission.
prevent illegal attempts. The screen and keypad of a device should be positioned carefully so that unauthorized users or guests are not able to read them.
2-Internet Security
All users should be informed about the acceptable Internet use policy. Internet access should be set up through a gateway for each office. Internet traffic should be monitored and logged in order to detect illegal user activity. Downloaded materials should be scanned and verified by antivirus software before installation.
3-Email Security
Each department should announce an acceptable e-mail usage policy to its users. A systematic process should be established and maintained by the administrators for the recording, retention and destruction of e-mail messages. Sent and received e-mail should be scanned for malicious code. Entries containing the company's e-mail addresses should be protected against unauthorized infiltration and alteration. E-mails with attachments that have a .com or .exe extension should not be opened or forwarded.
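One way a mail gateway could enforce the attachment rule above, as an added example not taken from the report: the sample message, the function names and the handling of mixed case and double extensions (for example `invoice.pdf.EXE`) are assumptions for this example; the blocked list itself is the report's.

```python
"""Attachment policy check for the e-mail rule in this section (added example).

The sample message is constructed here; the rule (block .com and .exe) is the
report's, the handling of case and double extensions is an assumption.
"""
import email
import email.policy
import os
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".com", ".exe"}   # from the report's e-mail policy


def build_sample_message() -> str:
    """Constructed multipart message with one benign and two blocked attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 ...", maintype="application", subtype="pdf",
                       filename="report.pdf")
    # A double extension and mixed case are common ways to disguise an executable.
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.EXE")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream",
                       filename="SETUP.COM")
    return msg.as_string()


def blocked_attachments(raw_message: str) -> list:
    """Return the filenames of attachments whose final extension is on the
    blocked list, compared case-insensitively so 'X.EXE' and 'a.pdf.exe'
    are caught as well as 'x.exe'."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue   # unnamed parts are not covered by the extension rule
        ext = os.path.splitext(name.strip().lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            flagged.append(name)
    return flagged


def quarantine_decision(raw_message: str) -> str:
    """Policy verdict for the gateway: hold the whole message if any attachment
    is blocked, otherwise deliver it."""
    return "quarantine" if blocked_attachments(raw_message) else "deliver"


if __name__ == "__main__":
    raw = build_sample_message()
    print(blocked_attachments(raw))
    print(quarantine_decision(raw))
```

The check looks only at the last extension after lower-casing, which is what the report's rule names; a gateway would normally combine it with the antivirus scan the same section calls for, since a renamed executable passes an extension test.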
to the corporate resources, and should not deliberately get involved in any malicious code distribution.
predefined groups. It must also be controlled and updated periodically to support the standards mentioned above.
1-Risk Assessment
Basically, the risk assessment can be examined under three main categories: natural disasters (floods and fire), intentional external malicious attackers, and unintentional user mistakes or intentional user harm (Microsoft[2], 2010). This information can then be broken down into sub-categories in detail:
• Identify the assets you want to protect and the value of these assets.
• Identify the risks to each asset.
• Determine the category of the cause of the risk (natural disaster risk, intentional risk, or unintentional risk).
• Identify the methods, tools, or techniques the threats use.
2-Contingency Plan
• Which persons must do what, when and where to maintain business continuity.
• An up-to-date staff list that identifies the persons responsible for acting in a disaster situation.
• Instructions for accessing the latest backup data.
• Instructions for updating the software.
• Instructions for moving production to another location.
3-Incident Management
• Roles and responsibilities should be documented individually and signed by each employee, as evidence that the person has read, understood and accepted their role in the company.
• General roles and responsibilities should be kept as hard copy and soft copy.
• The updated soft copy should be published on the company's intranet so that all users can easily reach and read it.
• A survey should be conducted to ensure that all users have seen the new updates on the intranet. Survey results should be reviewed to confirm that all employees have read and understood the new changes and additions.
• Weekly company magazines can be used to let employees know about new in-company regulations and changes.
• Organizational portable resources are a security issue while travelling.
• Users are not allowed to install software (which might contain infectious code) without proper authorization.
• Visitors should be received at the company entrance and escorted to the department they need to visit.
• Employees should report any unusual activity or stranger to the responsible person.
5 Recommendation
After the identified issues have been analyzed and the background of information technology standards examined, implementing a security policy program is strongly recommended. It is a compulsory process for organizations of all sizes and for companies working with hundreds of people and processing thousands of online transactions. Depending on the needs of each company, the required rules and policies should be specified by the company's professional managers. A suitable standard program can then be documented and deployed to the system. However, organizations are busy workplaces and struggle to structure their businesses on a proper framework by themselves. Therefore, they outsource this complicated process to specialist companies whose profession is assisting organizations to establish a security baseline with well designed templates and professional training. In this way, companies are able to improve their existing structure with specialized assistance.
6 Conclusion
In conclusion, security policies are the basis of an organizational security strategy and are considered “best practices” for the IT departments of all organizations. They are the foundation for the security plan, its structural design, implementation and practice. While implementing a standard framework is accepted as a de facto obligation for certain companies, such as banks and hospitals, organizations of all sizes that deal with confidential data should conduct their businesses on a trustworthy platform. Maintaining their reputation in the public eye and keeping their clients satisfied are directly related to the platform on which they operate their businesses. Also, stakeholders' participation is evidently as essential as the company's firewalls in protecting the company and its assets properly. Therefore, a security policy program consists of detailed policies and procedures, from human resources training to equipment updates.
References
CIO Magazine (2009). The Global State of Information Security. Viewed on 13.05.2010 from http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_cio_reprint.pdf
FERF (2003). "What is COSO? Defining the Alliance that Defined Internal Control". http://www.financialexecutives.org/eweb/DynamicPage.aspx?site=_fei&webcode=ferf_pub_detail&prd_key=3de00f4b-a538-4c0d-9b5f-9e43467309d5
Gaudin, S. (2008). Former Intel engineer charged with stealing trade secrets. Viewed on 19.05.2010 from http://www.computerworld.com/s/article/9114592/Former_Intel_engineer_charged_with_stealing_trade_secrets?source=rss_topic17
HIPAA (2010). The Health Insurance Portability And Accountability Act. Viewed on 15.05.2010 from http://www.hipaa.org/
Litan, A. (2010). Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts. Viewed on 05.05.2010 from http://download.entrust.com/resources/download.cfm/24050/entrust3342.pdf/?start
NIST (2003). Computer Security. Viewed on 18.05.2010 from csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
SEC (n.d.). The Laws that Govern the Securities Industry. Viewed on 29.04.2010 from http://www.sec.gov/about/laws.shtml
Trend Micro (2010). Data Loss Prevention. Viewed on 11.05.2010 from http://apac.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf