
Executive Summary

This research report aims to establish a baseline security policy program that a company
should implement in order to protect its physical and environmental resources against
unauthorized system penetration attacks as well as internal threats. The report also gives a
brief background on the evolution of security standards, describing how ISO/IEC 17799:2005
was developed and became ISO/IEC 27002:2005. This is followed by an explanation of the
main components of the core standard: security policy, organization of information
security, asset management, human resources security, physical and environmental security,
communications and operations management, access control, development and maintenance,
incident management, business continuity management and compliance.

The report shows that the central issue is that information which can be accessed
remotely is exposed to unauthorized access attempts by attackers. This is illustrated with
three case studies. The first shows how a system was penetrated and the personal data of
6 million customers was stolen through SQL injection. The second shows how malware
attempted to get into the system through a personal computer belonging to one of Bank X's
clients. The last shows that insiders (employees) are as much a threat to companies as
external attackers: Intel experienced the theft of top secret data by an employee from a
well encrypted system.

After the case studies are analyzed, the principles of a security policy program are
examined. The importance of confidentiality, integrity and availability of data is
underlined in the planning section. A detailed treatment follows, covering computer
security policies under the headings of physical access controls, network security
policies (for example, e-mail and Internet policies), data security policies, contingency
and disaster recovery plans, and security awareness and training.

Finally, it is highlighted that a standard for an acceptable security policy is needed to
reduce the risks that may cause internal or external harm to company resources. The
report then concludes with a recommendation that a security policy program be implemented
by all companies which deal with massive transaction volumes, possess large databases and
employ more than a hundred people.

Table of Contents

1 Introduction
2 Background
3 Case Studies
4 Security Policy Program
5 Recommendation
6 Conclusion

1 Introduction
Since organizational data, intellectual property, customer data and confidential
information began to be stored and accessed electronically, security has become one of
the vital concerns of industry. It has become important even for small companies to
protect themselves and to maintain their reputation in the public eye. The term covers a
variety of complicated issues under a single umbrella, such as the interconnections
between databases, applications, servers, workstations, the Internet and intranet
networks. To provide a secure environment and network against a wide variety of threats
which are growing in sophistication and scope, companies should prepare, document and
implement appropriate security policy programs and policy projects. Otherwise,
organizations may face problems including loss of reputation in the market and liability
towards their clients. There is also a very high possibility that breaches of
pre-specified policies will bring matters to court. However, defining the required
policies, documenting them in a suitable format and deploying them properly throughout the
company is itself a struggle for organizations. This is where standards come into use.
Specifically for information technology, the ISO/IEC 27002 standard has been developed and
refined in order to identify the required security boundaries, the policies for
controlling information and human resources, the characteristics of an efficient security
framework and the constant monitoring of system vulnerabilities (Stallings, 2007).

2 Background
Standards were developed to create organizational regulation so that governance is
performed within predefined boundaries. The purpose of creating a standard for
information technology security, however, is to provide an internationally accepted
certification, so that companies all over the world can demonstrate their security
measures against a well documented standard (Danchev, 2003). The latest such standard,
ISO/IEC 27002:2005, formerly known as ISO/IEC 17799:2005, is an internationally
accredited technical guideline developed specifically to address security concerns in IT.
It consists of a comprehensive set of policies, controls and best practices (ISO, 2008).
Essentially the standard comprises controls and functions for a code of best practice in
the following areas (ISO27001Security, 2010):

• security policy;
• organization of information security;
• asset management;
• human resources security;
• physical and environmental security;
• communications and operations management;
• access control;
• information systems acquisition, development and maintenance;
• information security incident management;
• business continuity management;
• compliance.

As illustrated in Figure 1, the standard is designed as a set of core security functions,
and each function branches into detailed business activities. It starts with informing
the company's employees of their responsibilities under the security policies prepared
within the company. By doing so, insecure or improper use of the Internet and prohibited
activities are prevented.

Figure 1: ISO 27002 Security Standards.

3 Case Studies
The concept of confidential data has a broad meaning in terms of its content. Customer
information, intellectual property, company assets, database contents and removable disks
hold valuable information which should be protected with security devices as well as
security policies and programs. Intercepted confidential data can be used for
unauthorized access to a customer's account or to steal massive amounts of customer
information by hacking a database (Trend Micro, 2010).

Issue Identified 1: Database infiltrated - 6 million customer records stolen

An incident reported in September 2007 (Wilson, 2009) states that one of the databases of
an online trading company, Ameritrade, had been infiltrated by an intrusion. As a result,
the personal and corporate trading information of approximately 6 million retail and
institutional clients was stolen and used to send spam to those clients. After the
incident, the company hired a special team to perform a penetration test to prevent
further attacks.
As can be seen from Figure 2 (CIO Magazine, 2009), statistics on data theft can be
divided into two parts. Databases and file-sharing applications are the resources that
attackers can reach through the Internet. This is an external threat and has the highest
percentages, 57% and 46% respectively. Laptops, removable media and back-up tapes, on the
other hand, are devices located on company premises and under the employees'
responsibility. This is an internal threat and has a lower share of data loss, 39%, 23%
and 16% respectively.

Figure 2: Confidential Data Theft Statistics (CIO Magazine, 2009)

Issue Identified 2: Intel's top secret files stolen by an employee

Another reported incident concerns the chipset giant Intel: 13 top secret files
containing designs and documents for Intel's newest chips were taken by an employee of
the company, Pani (Gaudin, 2008). The issue was discovered when another employee heard a
rumor that Pani was working for AMD while still employed by Intel. An investigation was
then conducted into Pani's activities, showing his access and download history on the
system. Pani, the former Intel employee, later admitted that he had downloaded the
documents from an encrypted system at Intel.

The problem at Intel arose from two different weaknesses. The first was weak monitoring
of critical confidential data; the second was the employee's recruitment by another
company without leaving his current employer.

Top secret documents, like Intel's chipset designs, should be stored in a separate
encrypted system to ensure that protection is always at the highest level. However, there
will always be a group of people who have been granted proper authorization to access the
documents. To address this, companies like Intel should implement a proper and separate
monitoring mechanism that records who wants to access the documents, when and why. The
company should have deployed a dedicated defense system that allows senior management to
screen download activity and also sends a notification to the security service
(Perimetrix, n.d.).
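As an added illustration of the separate monitoring mechanism described above (this is not Intel's system or data, and not code from Perimetrix): a review pass over a constructed document-access audit log that produces a notification for the security service when a classified download comes from someone outside the authorized group, carries no stated reason, or is part of an unusually large batch. The log format, user names, document ids, threshold and authorization list are all assumptions made up for the example.

```python
"""
Review of a classified-document download log: who, when and why, with
notifications for the security service. All names, ids and the log format
are constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed audit log: timestamp | user | action | document id | classification | stated reason
SAMPLE_AUDIT = """\
2010-06-08T10:02:11Z|alice|VIEW|DOC-1041|TOP_SECRET|design review
2010-06-08T10:05:40Z|bob|DOWNLOAD|DOC-2210|INTERNAL|weekly status
2010-06-08T22:14:05Z|alice|DOWNLOAD|DOC-1041|TOP_SECRET|
2010-06-08T22:15:30Z|alice|DOWNLOAD|DOC-1042|TOP_SECRET|
2010-06-08T22:17:02Z|alice|DOWNLOAD|DOC-1043|TOP_SECRET|
2010-06-09T09:00:00Z|carol|DOWNLOAD|DOC-1044|TOP_SECRET|tape-out prep
"""

# Assumed: the group currently authorized to download TOP_SECRET designs
# (in practice fed from HR / identity management, kept up to date on role changes).
AUTHORIZED_TOP_SECRET = {"carol"}

# Assumed: more than this many TOP_SECRET downloads by one user in the
# review window is unusual enough to notify on.
BULK_DOWNLOAD_THRESHOLD = 2


@dataclass
class AuditEvent:
    ts: str
    user: str
    action: str
    doc: str
    classification: str
    reason: str


def parse_audit(text: str) -> List[AuditEvent]:
    """Parse the pipe-separated audit log; malformed lines are skipped, not guessed."""
    events = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 6:
            continue
        events.append(AuditEvent(*parts))
    return events


def review_downloads(events: List[AuditEvent]) -> List[str]:
    """Return security-service notifications for classified download activity.

    Three conditions fire, matching the lessons of the case study: a download
    by a user outside the authorized group, a download with no stated reason,
    and one user pulling an unusual number of classified documents.
    """
    notes: List[str] = []
    per_user: Counter = Counter()
    for e in events:
        if e.action != "DOWNLOAD" or e.classification != "TOP_SECRET":
            continue  # viewing, and non-classified material, are outside this review
        per_user[e.user] += 1
        if e.user not in AUTHORIZED_TOP_SECRET:
            notes.append(f"{e.ts} UNAUTHORIZED: {e.user} downloaded {e.doc}")
        if not e.reason.strip():
            notes.append(f"{e.ts} NO_REASON: {e.user} downloaded {e.doc} without a stated purpose")
    for user, n in sorted(per_user.items()):
        if n > BULK_DOWNLOAD_THRESHOLD:
            notes.append(f"BULK: {user} downloaded {n} TOP_SECRET documents in the review window")
    return notes


if __name__ == "__main__":
    for note in review_downloads(parse_audit(SAMPLE_AUDIT)):
        print(note)
```

The authorization set is the piece that must track HR events: an employee who has accepted an offer elsewhere but has not left should be removed from it, which is exactly the gap the case study describes.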

Issue Identified 3: Bank X customer accounts under Zeus malware threat
Bank X (which wishes to remain anonymous) experienced a malware attack which transferred
millions of dollars from its clients' bank accounts, especially those of small business
customers, to another country (Litan, 2010). The vulnerability identified arose from a
computer belonging to one of Bank X's clients. The Zeus malware was set up to wake up
automatically when a URL was entered or the browser navigated to a bank website. After the
user entered the account identifier and password, the new URL stream (which carried a
token specific to that session) was copied by the malware and transmitted to the
malware's control server. However, due to naive programming, the replicated session URL
was transmitted a second time to the bank by the control server. Bank X's network
administrators caught the attack straight away, as soon as their authenticator
application received the requested URL a second time.

Bank X had deployed an intrusion detection system aimed specifically at fraud in 2006.
Following the plan, the IT security team and the LOB team (responsible for online
banking) worked together on the malware's behavior and replicated its working mechanism
in order to thwart the attacker. After all activities of the malware had been examined, a
new rule was deployed to the existing fraud detection system. By doing so, the bank
prevented over $1 million in losses from customer accounts and stopped several malware
interception attempts.
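As an added example (not the bank's actual fraud rule and not code from Litan, 2010): the detection described in this case study reduced to a rule over a constructed web-server log, flagging any session token that is presented from a second client address, which is what the bank's authenticator observed when the control server re-submitted the copied URL. The log format, field names and addresses are assumptions for the example.

```python
"""
Replayed-session detection over a constructed access log. A session token
that shows up from more than one client address is reported for the fraud
queue. Log format, field names and sample records are made up for this example.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log: timestamp, client IP, method, request path carrying the session token.
SAMPLE_LOG = """\
2010-03-01T09:15:02Z 203.0.113.10 GET /online/account?sid=AB12CD34EF56
2010-03-01T09:15:09Z 203.0.113.10 GET /online/balance?sid=AB12CD34EF56
2010-03-01T09:15:41Z 198.51.100.77 GET /online/account?sid=AB12CD34EF56
2010-03-01T09:16:03Z 203.0.113.55 GET /online/account?sid=9988FFEEDDCC
2010-03-01T09:16:15Z 203.0.113.55 GET /online/transfer?sid=9988FFEEDDCC
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(?P<path>\S+)$"
)
SID_RE = re.compile(r"[?&]sid=(?P<sid>[A-Za-z0-9]+)")


def parse_log(text: str) -> List[dict]:
    """Turn raw log lines into records with ts, ip and session id (sid)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the detector
        sid = SID_RE.search(m.group("path"))
        if not sid:
            continue  # requests without a session token are not of interest here
        records.append({"ts": m.group("ts"), "ip": m.group("ip"), "sid": sid.group("sid")})
    return records


def find_replayed_sessions(records: List[dict]) -> Dict[str, List[str]]:
    """Return {sid: [ip, ...]} for every session token seen from more than one IP.

    The first IP in the list is the address that established the session; any
    later, different address is the second presentation the case study describes.
    """
    seen: Dict[str, List[str]] = defaultdict(list)
    for rec in records:
        ips = seen[rec["sid"]]
        if rec["ip"] not in ips:
            ips.append(rec["ip"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def alerts_for(text: str) -> List[str]:
    """One human-readable alert per flagged session, suitable for the fraud queue."""
    flagged = find_replayed_sessions(parse_log(text))
    return [
        f"session {sid} first seen from {ips[0]}, replayed from {', '.join(ips[1:])}"
        for sid, ips in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LOG):
        print(alert)
```

A legitimate client whose address changes mid-session (mobile networks, proxy pools) will also trigger this rule, so in practice it feeds a fraud-review step rather than blocking on its own.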

4 Security Policy Program

The purpose of this section is to clarify the key points of creating an efficient and
effective policy awareness program in order to protect all company assets. Every company
has a distinctive management approach and style. However, certain issue-specific aspects
are exactly the same for all companies, such as (Microsoft [1], 2010):

• Physical computer security policies such as physical access controls.
• Network security policies (for example, e-mail and Internet policies).
• Data security policies (access control and integrity controls).
• Contingency and disaster recovery plans and tests.
• Computer security awareness and training.
• Computer security management and coordination policies.

Complete protection can only be achieved by implementing a formal policy program covering
the aspects listed above. This is not just a plan for using and disseminating knowledge
but also guidance that defines roles and responsibilities for managers, administrators
and employees, for the company's current and future use. In other words, building and
implementing a program is a cooperative task among stakeholders, although many users
think it is not their job or responsibility.

Planning
Security is defined as 'the state of being free from unacceptable risk'. To keep the
company away from potential harm, a plan should first be prepared. Basically, planning
means defining the scope of the security policy program, identifying the threats, the
possible risks and their countermeasures, and training employees on what they can and
cannot do with the company's resources.

The threat/risk concerns the protection of the well-known three aspects of data (UTS,
2008):
• Confidentiality refers to the protection of confidential company data, intellectual
property and customers' data against unauthorized interception, for example SQL
injection based database attacks.
• Integrity refers to the precision and completeness of data, which should be protected
against deliberate corruption and modification, for instance changing the figures in an
important report or destroying electronic evidence by deleting it.
• Availability ensures that the system operates on a timely basis in order to provide the
required service and avoid considerable losses. For example, online banking websites
should be available 24/7.

Policy and programs

In this section, policies and programs are divided into main areas, and each area is
broken down into its sub-areas of interest. By doing so, the boundaries of information
protection and people's responsibilities can be seen clearly.

Physical Security Policies

1-Environment
Before preparing the office plan, the most secure rooms should be designated for housing
confidential data. Required equipment such as surveillance cameras and swipe card readers
should be installed and tested in advance to eliminate possible threats. Backup devices
containing critical confidential customer and organizational data should be placed at a
safe distance from the main site, so that a disaster at the main site does not harm the
backup media. A procedure should be prepared, and guards informed, on how to escort
individuals who visit the company.

2-Equipment Security
All organizational devices should be housed in a secure environment to thwart
unauthorized access. In particular, the company's portable devices, including laptops,
PDAs and mobile computing devices, should be well configured and should not be left
switched on without proper lock settings. Devices should not be taken out of the company
without permission.

3-Physical Access Control

The list of employees authorized for and responsible for critical facilities, including
server rooms and backup rooms, should be kept up to date and checked periodically. All
security keys, passwords and swipe cards which allow users access to the system or to
secure rooms should be physically secured. All rooms and data centers visited by
legitimate users or guests should be monitored and logged 24/7. A device left unattended
for a while should be locked by its user, and turned off if not in use, to prevent
illegitimate attempts. The screen and keypad of a device should be positioned carefully
so that unauthorized users or guests cannot read them.

Network Security Policies

1-General Network Protection
All internal networks should be configured properly with sufficient security measures
against unauthorized access and infiltration. Company workers should not be allowed to
use any other communication device, including broadband links, dial-up modems or wireless
interfaces, without the permission of the responsible department. The deployed
configuration and the management of information systems should be reviewed periodically.
All confidential data should be transmitted with sufficient encryption.

2-Internet Security
All users should be informed about the acceptable Internet use policy. Internet access
should be set up through a gateway for each office. Internet traffic should be monitored
and logged to detect illegal user activities. Downloaded materials should be scanned and
verified by antivirus software before installation.

3-Email Security
Each department should announce an acceptable email usage policy to its users. A
systematic process for recording, retaining and destroying e-mail messages should be
established and maintained by the administrators. Sent and received email should be
scanned for malicious code. The entries in the company's email address directory should
be protected against unauthorized infiltration and alteration. E-mails that include
attachments with .com or .exe extensions should not be opened or forwarded.

4-Protection against Malicious Software

Company computers should have antivirus software that is always switched on. All hardware
and software should be kept up to date to ensure the resources are protected from malware
attacks. Portable storage media that are regularly taken out of and brought back into the
company should be scanned properly each time to ensure they do not contain any infected
file or folder. Employees should not plug any personal media into corporate resources and
should not deliberately take part in any malicious code distribution.

5-Software and Patch Management

Software that needs to be installed should not be loaded before the responsible manager's
approval has been obtained. Network administrators should ensure that software patches
are obtained from the software vendors' sites. Untrusted hotfixes, patches and updates
should not be installed. All patches should be examined in a test environment for side
effects before distribution.

Data Security Policies

The data security policy comprises overall data security and information backup to
maintain the confidentiality of resources. To maintain data security throughout the
company, all users should first of all work within the boundaries of the pre-defined and
published security policy program. The most important policy, for which all users are
responsible, concerns the disclosure of confidential information. They must avoid actions
(deliberate or unintentional) that might harm organizational resources. Backup operations
and recovery procedures must be well documented, properly implemented and tested
regularly. A periodic calendar should be defined and operations conducted according to
this timetable. Backed-up data should be stored at a remote distance from the system and
be accessible only to authorized persons.

Access Control Security

Access control security consists of (mandatory) standards such as data access rights,
authentication, privacy, user identification, user privileges and password management.
These standards should be implemented by organizations to ensure that sufficient security
exists for corporate assets. Different data (depending on its sensitivity) is reached
with different levels of authentication. Therefore, data access rights should be granted
to users or groups based on need. User privileges should be assigned to a unique user or
to predefined groups, and must be checked and updated periodically to support the
standards mentioned above.

Protection: Risk Assessment, Contingency Plans and Incident Management

Essentially, companies protect themselves against possible outside attacks. However,
further countermeasures should be prepared in advance in case the company is penetrated
despite all precautions (encrypted data transfers, passwords, firewalls and so on). An
organization which performs hundreds or thousands of online transactions a day should
promise its clients continuity of business. First of all, a risk assessment should be
conducted to determine the possible risks.

1-Risk Assessment

Basically, the risk assessment can be examined under three main categories: natural
disasters (floods and fire), intentional external malicious attackers, and unintentional
user mistakes or intentional user harm (Microsoft [2], 2010). This information can then
be broken down into sub-categories in detail:

• Identify the assets you want to protect and the value of these assets.
• Identify the risks to each asset.
• Determine the category of the cause of the risk (natural disaster risk, intentional
risk, or unintentional risk).
• Identify the methods, tools, or techniques the threats use.

2-Contingency Plan

The risk assessment is then followed by preparing, documenting and testing a detailed
contingency and disaster recovery plan. The ultimate goal is to maintain the
confidentiality, integrity and availability of the data and so maintain the protection of
corporate assets. The contingency plan sheet should contain the information needed in a
disaster situation, such as (Microsoft, 2010):

• Who must do what, when and where, to maintain business continuity.
• An up-to-date staff list showing the persons responsible for acting in a disaster
situation.
• Instructions for accessing the latest backup data.
• Instructions for updating the software.
• Instructions for moving production to another location.

3-Incident Management

To perform complete incident management, online business activities should be monitored,
and the collected data (screening logs) should be stored as evidence for later needs. The
gathered data is then reviewed by administrators to determine the pattern of incoming and
outgoing traffic. Suspicious attempts, system breakdowns and IDS alerts should be
reported to the authorized person straight away, according to the incident management
procedures (SCU, 2004).

People and Projects: Computer Security Consciousness and Training

Defining roles and responsibilities for all stakeholders, including managers,
administrators, employees and contractors, is one of the most essential factors in
thwarting undesired incidents. This can be achieved by training people in the policies
and procedures. The biggest mistake among employees is to assume that the system is fully
protected once technical equipment has been deployed. Research reveals that the majority
of organizational problems are cultural, not technological. Reading, understanding and
complying with the documented security policy program should be compulsory in every
company. Particular roles and responsibilities are listed in general as follows (SANS,
n.d.):

• Roles and responsibilities should be documented individually and signed by each
employee, as evidence that the person has read, understood and accepted their role in the
company.
• General roles and responsibilities should be kept as hardcopy and softcopy.
• The updated softcopy should be published on the company's intranet so that all users
can easily reach and read it.
• A survey should be conducted to ensure that all users see new updates on the intranet.
Survey results should be reviewed to ensure that all employees have read and understood
new changes and additions.
• Weekly company magazines can be used to let employees know about new in-company
regulations and changes.

To improve the security consciousness of all employees, particular training material
should be documented and distributed to all parts of the company. Particular rules are
listed as follows (NIST, 2003):

• Password management should be defined, including creation (a password should contain
numbers, letters and special characters), frequency of change (monthly) and protection
(do not leave your password lying around or tell it to anyone else).
• Protection from malicious code should be explained: do not open unknown emails and
attachments.
• Allowed and restricted activities on the company's network should be defined and
announced; some personal research can be done, but a Facebook account should not be used
through the company's Internet connection.
• Personal media devices may not be plugged into the company's resources.
• Each user is responsible for their own actions; therefore, users should be careful
about shoulder surfing to protect their password.
• An incident response team guideline is part of user training. The team members should
be trained for incidents that might occur at any time.
• Organizational portable resources are a security issue while travelling.
• Users are not allowed to install software (which might include infectious code)
without proper authorization.
• Visitors should be received at the entrance of the company and escorted to the
department they need to visit.
• Employees should report any unusual activity or stranger to the responsible person.

5 Recommendation
After analyzing the issues identified and examining the background of information
technology standards, implementing a security policy program is strongly recommended. It
is a compulsory process for organizations of all sizes and for companies working with
hundreds of people and processing thousands of online transactions. Depending on the
company's needs, the required rules and policies should be specified by the company's
professional managers. A suitable standard program can then be documented and deployed
to the system. However, organizations are busy workplaces and cannot always structure
their businesses on a proper framework by themselves. Therefore, they outsource this
complicated process to companies whose profession is to help organizations establish a
security baseline with well designed templates and professional training. In this way,
companies can improve their existing structure with specialized assistance.

6 Conclusion
In conclusion, security policies are the basis of an organization's security strategy
and are considered "best practices" for the IT departments of all organizations. They are
the foundation of the security plan, structural design, implementation and practices.
While implementing a standard framework is accepted as a de facto obligation for certain
companies such as banks and hospitals, organizations of all sizes that deal with
confidential data should conduct their business on a trustworthy platform. Maintaining
their reputation in the public eye and keeping their clients satisfied are directly
related to the platform on which they operate their business. Also, stakeholders'
participation is evidently as essential as the company's firewalls in protecting the
company and its assets properly. Therefore, a security policy program consists of
detailed policies and procedures ranging from human resources training to equipment
updates.

References

CIO Magazine (2009). The Global State of Information Security, viewed on 13.05.2010 from http://www.pwc.com/en_GX/gx/information-security-survey/pdf/pwcsurvey2010_cio_reprint.pdf

Danchev, D. (2003). Building and Implementing a Successful Information Security Policy, viewed on 28.04.2010 from www.windowsecurity.com/pages/security-policy.pdf

FERF (2003). "What is COSO? Defining the Alliance that Defined Internal Control", http://www.financialexecutives.org/eweb/DynamicPage.aspx?site=_fei&webcode=ferf_pub_detail&prd_key=3de00f4b-a538-4c0d-9b5f-9e43467309d5

Gaudin, S. (2008). Former Intel engineer charged with stealing trade secrets, viewed on 19.05.2010 from http://www.computerworld.com/s/article/9114592/Former_Intel_engineer_charged_with_stealing_trade_secrets?source=rss_topic17

HIPAA (2010). The Health Insurance Portability And Accountability Act, viewed on 15.05.2010 from http://www.hipaa.org/

ISO27001Security (2010). Code of Practice for Information Security Management, viewed on 28.04.2010 from http://www.iso27001security.com/html/27002.html#ContentOfISO17799-2000

ISO (2008). ISO/IEC 27002:2005 Code of Practice for Information Security Management, viewed on 25.04.2010 from http://www.iso.org/iso/catalogue_detail?csnumber=50297

Litan, A. (2010). Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts, viewed on 05.05.2010 from http://download.entrust.com/resources/download.cfm/24050/entrust3342.pdf/?start

Microsoft [1] (2010). Security Strategies, viewed on 15.05.2010 from http://technet.microsoft.com/en-us/library/cc723506.aspx

Microsoft [2] (2010). Security Planning, viewed on 19.05.2010 from http://technet.microsoft.com/en-us/library/cc723503.asp

NIST (2003). Computer Security, viewed on 18.05.2010 from csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf

Perimetrix (n.d.). Secret Documents Lifecycle, viewed on 15.05.2010 from http://perimetrix.com/downloads/wp/WP_Perimetrix_SDL_eng.pdf

SANS (n.d.). Security Policy Research Project, viewed on 20.05.2010 from http://www.sans.org/security-resources/sec_policy.php

SCU (2004). Security Incident Management Policy, viewed on 18.05.2010 from www.scu.edu.au/it/download.php?doc_id=583&site_id=36

SEC (n.d.). The Laws that Govern the Securities Industry, viewed on 29.04.2010 from http://www.sec.gov/about/laws.shtml

Stallings, W. (2007). Computer Security: Principles and Practices, 'Security Standards', viewed on 02.05.2010 from http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_10-4/104_standards.html

Trend Micro (2010). Data Loss Prevention, viewed on 11.05.2010 from http://apac.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf

UTS (2008). Information Technology Security Policy, viewed on 07.05.2010 from http://www.gsu.uts.edu.au/policies/itsecurity.html

Wilson, T. (2009). ESO – Security Trends Report, viewed on 13.05.2010 from http://www.oregon.gov/DAS/EISPD/ESO/Pub/Trends/Trends_2009_11.pdf
