Security of third party access:
Third-party access to an organisation's information processing facilities should be governed by a formal agreement. The agreement contains all requirements for complying with the organisation's security policies and standards, and it should ensure that there is no misunderstanding between the organisation and the third party. The methods we maintain to protect the information are:
- The general information security policy requiring the protection of official information, equipment and software
- Whether information or data has been compromised
- Controls to ensure that information and equipment are returned or destroyed at a specified time or on completion of the contract
- Integrity and availability, with restrictions on copying or destroying the data
Data should be transferred between staff only as appropriate. Legal responsibilities for data protection must be observed, especially with regard to the national legal system when foreign organisations are involved. Agreements controlling access to information should cover the following:
- Permitted access methods, with the system controlled through unique identifiers such as user IDs and passwords
- An authorisation process for user access
- An ongoing and accurate list of authorised users specifying their rights
- Clearly defined performance and monitoring criteria, and the conditions under which user access is revoked
- The contractual responsibilities of the third parties
- A defined process for problem resolution, and responsibilities for installing and maintaining hardware and software
- A clear reporting structure and report formats, and change management
- Physical protection controls, mechanisms to enforce those controls, and controls against malicious software
People working for the organisation have a duty of confidentiality; that duty should be clearly communicated in agreements or contracts.
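The authorised-user list, the rights it specifies and the return-or-destroy-at-contract-end control above can be reviewed mechanically. The following Python example is added here and is not part of the original report; the account records, organisation names and right names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class ThirdPartyAccess:
    user_id: str        # unique identifier issued to the third-party user
    organisation: str   # the third party the user works for
    rights: set         # rights actually configured on the system
    contract_end: str   # end of the access agreement, ISO date
    active: bool        # account still enabled on the system


# The agreement's authorised-user list: user ID -> rights the agreement grants.
# Constructed sample data, not taken from any real organisation.
AUTHORISED = {
    "vendor-alice": {"read-tickets"},
    "vendor-bob": {"read-tickets", "write-tickets"},
}

# Constructed snapshot of what is actually configured on the system.
SAMPLE_ACCOUNTS = [
    ThirdPartyAccess("vendor-alice", "AcmeSupport", {"read-tickets"},
                     "2025-12-31", True),
    ThirdPartyAccess("vendor-bob", "AcmeSupport",
                     {"read-tickets", "write-tickets", "admin"}, "2025-12-31", True),
    ThirdPartyAccess("vendor-carol", "AcmeSupport", {"read-tickets"},
                     "2024-06-30", True),
]


def review_third_party_access(accounts, authorised, today_iso):
    """Compare configured accounts with the agreement's authorised-user list.

    Returns a list of (user_id, finding) pairs: accounts not on the list,
    rights beyond those the agreement specifies, and access still active
    after the contract has ended (when information must be returned or destroyed).
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acc in accounts:
        if acc.user_id not in authorised:
            findings.append((acc.user_id, "not on the authorised user list"))
        else:
            extra = acc.rights - authorised[acc.user_id]
            if extra:
                findings.append((acc.user_id,
                                 "rights exceed agreement: " + ", ".join(sorted(extra))))
        if acc.active and today > date.fromisoformat(acc.contract_end):
            findings.append((acc.user_id,
                             "contract ended; revoke access and confirm "
                             "information returned or destroyed"))
    return findings


if __name__ == "__main__":
    for user, finding in review_third_party_access(SAMPLE_ACCOUNTS, AUTHORISED, "2025-03-01"):
        print(f"{user}: {finding}")
```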
Asset classification and control:
Asset classification is the process of assigning value to data in order to organise it according to its sensitivity to loss or disclosure. Asset identification matters because we cannot protect an aspect of information security without knowing what the assets are: we have to know the assets, their locations and their values. We then decide how much time, effort or money to spend on securing them. The methods required for asset classification and control are:
- Identification of assets
- Accountability of assets
- Preparing information for asset classification
- Implementing the asset classification
1. Identification of Assets:
If our corporate office is gutted in a major fire, we need a prior backup of the information, held at a remote location, to protect it. And if an unauthorised person hacks our database, we need redundant copies of the information so that the database can be protected and recovered; we should keep an extra copy or be able to connect to another server to retrieve the asset information. Assets can be classified into several categories:
• Information Assets:
All information belonging to an organisation comes into this category. It is classified as:
- Databases: personnel information, production, sales, marketing, finances.
- Data files: transactional data giving up-to-date information about each event.
- Archived information: old information that may be required by law to be retained.
• Software Assets:
Software assets fall into two categories:
- Application software: this implements the business rules of the organisation, and creating application software is a time-consuming task.
- System software: an organisation invests in various packaged software programs such as operating systems, DBMSs, development tools and utilities, software packages and office productivity suites.
Other assets (physical assets and services) are classified into several categories:
- Computer equipment: mainframe computers, servers, desktops, notebook computers
- Communication equipment: modems, routers, EPABXs and fax machines
- Storage media: magnetic tapes and disks, CDs and DATs
- Technical equipment: power supply and air conditioners
- Furniture and fixtures
- Computing services that the organisation has outsourced
- Communication services like voice communication, data communication, value added services, wide area network etc.
- Environmental conditioning services like heating, lighting, air conditioning and power.
2. Accountability of Assets:
Usually the organisation will have a fixed-assets register, maintained for the purpose of calculating depreciation, and there will be a number of users for these assets. But the prime responsibility for accuracy lies with the asset owner. Any addition or modification is done with the asset owner's agreement; information technology staff will probably make the changes physically. Using these criteria, we have to identify the owner of each information asset.
The owner of the assets is responsible for maintaining the system software, including protecting the organisation against software piracy.
3. Preparing Information for Assets Classification:
The criteria for classification are:
- Confidentiality: how the information is distributed
- Value: how its value varies; is it a high-value or a low-value item?
- Time: how time-sensitive is the information, and how does its confidentiality change over time?
- Access rights: who will have access to the assets?
- Destruction: how long the information will be stored, when it will be destroyed and, if necessary, how.
Confidentiality can be defined in terms of:
- Confidential: access is restricted to a specified list of people. Examples are company plans, secret manufacturing processes and formulas.
- Company only: access is restricted to internal employees. Examples are customer databases and procedures.
- Shared: the resources are shared within groups.
- Unclassified: the resources are publicly accessible.
4. Implementing the Assets Classification:
The real test of a classification scheme comes when it is implemented. Information is a real resource, and uniform protection can be implemented only once the information requiring it has been identified. A company's business plan is a confidential document. In the corporate world the plan is discussed behind closed doors and known to a few senior members. The final plan is stored on the MD's computer and that of the MD's secretary. A soft copy is sent by email to the executives who need to refer to it. The hard disk of every computer on which the plan is stored will also have a backup copy on CD or other media. Each member will print and keep a hard copy for reference, and an extra copy may be made on the copying machine. If email is not available, the plan is sent by fax or post.
So the confidential plan is now distributed across the organisation. The practical implementation of the classification scheme is thus very important. The classification markings themselves should not give an easy way of identifying the valuable assets. We should provide proper protection.
It may be desirable to avoid transmitting confidential documents in soft-copy format, for example as an email attachment, and to circulate only a restricted number of hard copies. If soft copies must be carried, everyone should be instructed to encrypt the information for transmission and storage, and to memorise their passwords and keep them secret.
Asset classification is thus the key to various security controls that need to be implemented for asset protection.
This classification is to be used when inventorying critical information. The sensitivity information classes give guidance to the community on how information is to be shared or restricted from access. The criticality information classes give guidance on implementing safeguards and controls to ensure that information is available when required.
Information is classified on two axes, sensitivity and criticality. Classifying the sensitivity of information uses the following information classes:
- Private: personal information about an individual which the individual can reasonably expect will not be made available to the public. This includes personally identifying information as well as other non-public personal information that would adversely impact an individual if disclosed. Mishandling of private information may lead to financial loss, loss of public confidence and damage to reputation. Examples of private information include social security numbers, bank account information, healthcare records and educational records.
- Restricted: non-public information that may cause harm to individuals if disclosed. Examples are inventories identifying the location of hazardous material, research data with commercial value, individual works of intellectual property, and risk assessments that highlight weaknesses in the service infrastructure.
- Public: information to which the general public could be granted access.
The following classes are used for information criticality:
- Safety: information supporting safety must be available at all times. The loss of safety information could be catastrophic in terms of operations or exposure. Systems that store or process such information are highly redundant and are the first systems to be covered by disaster recovery.
- Essential: information essential to the mission of the business unit, which must be restored as quickly as possible. The loss of essential information would affect operations. The acceptable loss of essential information is expressed in hours.
- Non-essential: information not essential to the mission of the business unit, which can be restored after all essential information is available. The acceptable loss of non-essential information is expressed in days.
- Derived: information derived from source ("mother") systems and recoverable from those systems. The loss of derived information would be an irritant but would not impact operations.
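The sensitivity and criticality classes above can be turned into a checked asset register: each entry is validated against the rules the classes imply (safety information on redundant systems, derived information naming its source system, acceptable loss stated in hours or days) and the valid entries are ordered for restoration. This Python example is added here and is not the report's own material; the asset names, owners and acceptable-loss figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Sensitivity classes from the text and the sharing rule each one implies.
SENSITIVITY = {
    "private": "access restricted to named individuals; mishandling harms the individual",
    "restricted": "non-public; may cause harm to individuals if disclosed",
    "public": "may be made available to the general public",
}

# Criticality classes: restoration priority (lower restores first) and the
# unit in which acceptable loss is expressed (None: must be available at all times).
CRITICALITY = {
    "safety": (0, None),
    "essential": (1, "hours"),
    "non-essential": (2, "days"),
    "derived": (3, "recoverable from the source system"),
}


@dataclass
class InformationAsset:
    name: str
    owner: str                              # accountable asset owner
    sensitivity: str
    criticality: str
    acceptable_loss: Optional[int] = None   # in the unit of the criticality class
    redundant: bool = False                 # held on highly redundant systems
    source_system: Optional[str] = None     # where derived information is recovered from


def validate_asset(asset):
    """Check one register entry against the classification scheme; return the problems found."""
    problems = []
    if asset.sensitivity not in SENSITIVITY:
        problems.append(f"unknown sensitivity class '{asset.sensitivity}'")
    if asset.criticality not in CRITICALITY:
        problems.append(f"unknown criticality class '{asset.criticality}'")
        return problems
    if asset.criticality == "safety" and not asset.redundant:
        problems.append("safety information must be held on highly redundant systems")
    if asset.criticality == "derived" and not asset.source_system:
        problems.append("derived information must name the source system it is recovered from")
    if asset.criticality in ("essential", "non-essential") and asset.acceptable_loss is None:
        problems.append(f"acceptable loss must be stated in {CRITICALITY[asset.criticality][1]}")
    return problems


def recovery_order(assets):
    """Names of the valid assets in restoration order: safety first, then essential
    (shortest acceptable loss first), then non-essential, then derived."""
    valid = [a for a in assets if not validate_asset(a)]
    valid.sort(key=lambda a: (CRITICALITY[a.criticality][0], a.acceptable_loss or 0))
    return [a.name for a in valid]


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    InformationAsset("payroll database", "HR manager", "private", "essential", acceptable_loss=4),
    InformationAsset("press releases", "Comms lead", "public", "non-essential", acceptable_loss=5),
    InformationAsset("plant alarm thresholds", "Safety officer", "restricted", "safety", redundant=True),
    InformationAsset("sales dashboard", "Sales director", "restricted", "derived"),  # no source named
    InformationAsset("customer orders", "Ops manager", "private", "essential", acceptable_loss=2),
]
```

Entries that fail validation are left out of the recovery order so that the problem is fixed in the register rather than silently ranked.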
RESPONDING TO SECURITY INCIDENTS AND MALFUNCTIONS:
All employees should be taken through the responsibilities and risks outlined, and should be aware of their requirement to report all security incidents and malfunctions. The procedure for responding to security incidents is:
- Reporting staff member: immediately take appropriate action to minimise the problem. Immediately, or as soon as practicable, verbally inform management or a senior staff member. Ensure a full written account of the incident is recorded, including dates, timings and all actions taken, in any required documents. Keep a copy in case you subsequently need to refer to it.
- Department manager or senior staff member: initiate immediate and appropriate action to minimise the breach. Check the details of the reported incident and clarify any queries with the reporting officer. Add details of any action taken or outcome achieved. As soon as practicable, verbally inform the service manager or divisional manager. Immediately after the event, complete an incident report with as much detail as possible. Complete a management report ensuring a full written account of the incident is documented, including timings and actions taken, in the appropriate logs or records. Fax a completed report on any serious incident.
- Information security manager: ensure the head of informatics is informed as soon as possible. Prepare a report of the incident and send it to the Chief Executive, Director and Head of Informatics or senior officer. This enables any urgent changes to be implemented and communication with relevant external organisations.
The procedure for responding to malfunctions is as follows.
Malfunctions may manifest in many different ways. If, after thoroughly double-checking our procedures, we are convinced that data output to screen, file or printer is either corrupt or not what was expected, it must be reported: users of information services are required to note and report any observed or suspected software malfunctions. They should report these problems using the following procedure:
- Reporting staff member: note the symptoms of the problem and any messages appearing on the screen. Isolate the suspected computer and immediately inform the line manager. Ensure a full written account is recorded, including dates, timings and all actions taken at the time, and keep a copy for reference.
- Department manager: check the details of the reported malfunction and clarify any queries with the reporting officer. Inform the service provider or IT support helpdesk as required. Add details of any action taken or outcome achieved. If the malfunction is suspected to be a security incident, inform the chief executive officer or director.
- Director: check the details of the incident and inform the external organisation so that the malfunction can be resolved.
PHYSICAL AND ENVIRONMENTAL SECURITY:
Risk management allows flexibility through various levels of protection against unauthorised access to classified material. It may control:
- Physical space
Physical security addresses the threat posed by the ill-intentioned person who already has authority to enter the site, building or secure zone, rather than the intruder from outside. In a government organisation holding much classified material, further precautions may be needed to guard against human error. The precautions are:
- Security keys and containers to protect classified information
- Access control measures
- Security alarm systems to detect unauthorised access and alert a response
- Physical barriers to deter, detect and delay unauthorised entry
Physical measures may be complemented by personnel measures. Good security must include the cooperation of staff who know their responsibilities. Managers and staff should receive security education to meet their individual responsibilities.
Physical security can come from establishing several security perimeters around facilities storing classified material. A security perimeter is any barrier, such as a wall, card-controlled entry or staffed reception desk. A risk assessment will help decide the location and strength of each barrier. This security may be enhanced by:
- Perimeter intrusion detection systems
- Security lighting
- Closed circuit television
- Security guards
- Warning signs and notices.
This standard establishes requirements regarding access to university resources as well as responsibilities for stewardship of those resources. In universities, physical and logical controls are used to protect material and other university belongings. The level of control depends on the level of risk associated with loss of the university resources. Violations of this standard should be reported to the individual authorised to grant access to the university resources.
Access control is classified as:
- Physical access control: physical access control for any area that houses university resources must be commensurate with the level of risk associated with their loss. All devices on which confidential university data are stored must be kept, and mobile users must store their devices, in a physically secure location when the user is not present.
- Logical access control: university information should be used only for appropriate university purposes. University information may not be accessed by anyone who does not need it to perform the activities and fulfil the responsibilities associated with their university position or affiliation. Those authorised to access university information are responsible for properly securing it from unauthorised access, and for securing and protecting data, passwords, keys and other forms of access control. Those authorised to grant access to university resources or information must:
- Document procedures to ensure that access is appropriately assigned, modified as needed and cancelled as individuals transfer to other positions or leave the university, and that access privileges and their implementation are reviewed periodically.
- Ensure that university resources under their responsibility have adequate features and controls to support the proper management of user access.
Those accepting university resources must ensure that the requirements related to the acceptance of that information are met.
Objective: to protect the confidentiality, authenticity and integrity of information by means of cryptographic controls.
Cryptographic systems and techniques should be used for the protection of information that is considered at risk and for which other controls do not provide adequate protection.
Key management: a management system must be in place to protect an organisation's cryptographic keys from creation to destruction.
COMPLIANCE, SYSTEM AUDIT CONTROLS:
Objective: to ensure compliance of systems with organisational security policies and standards. The security of information systems should be regularly reviewed.
All areas within the organisation should be considered for regular review to ensure compliance with security policies and standards. Information systems should be regularly checked for compliance with security implementation standards. Turning to audit controls:
These are used to maximise the effectiveness of, and minimise interference with, the information system audit process. There should be controls to safeguard operational systems and audit tools during system audits. Audits of operational systems should be planned and agreed. To protect information system audit tools, access to them should be controlled.
EVALUATION AND CONCLUSION:
Evaluating the security policies in this framework, every organisation's security is under attack by hackers and unauthorised persons, and organisations have had their systems damaged by unauthorised persons. We conclude that, to protect against this, third-party access to the organisation must be controlled in order to protect the organisation's information and database.
Coming to asset classification, in severe cases such as fires or hacking we have to follow particular steps that involve the organisation's members. As an organisation employee, everyone has the responsibility of protecting the database and information. We conclude that every employee should have the responsibility to take immediate action to protect the database.
Not all information should be accessible to all people. Attackers can take the information into their own hands. So only the people who have been granted access to the information should access it. We should therefore maintain logins, IDs, passwords or other criteria so that the information is accessible only to authorised people.
Finally, we conclude that only the organisation owner should maintain the final database and information. The owner has the responsibility for the information, and nobody else may access the information that maintains the whole organisation. Everyone should have responsibility for security in the organisation. Only authorised persons can access the information, and every authorised person should have a password or login. To maintain the security of the information, the owner should keep a copy of all the information that the whole organisation maintains.
USERS TRAINING STRUCTURE:
Every year organisations take on new employees. As freshers they do not know how to follow the organisation's policies or how to secure the organisation's database and information. We need to tell them what the organisation requires, what applications are running in the organisation and how these work in a secure manner.
Newcomers do not know what security policies we apply in the organisation, so we have to make them aware of the security policies we use, teach them how to log in and log out under those policies, and tell them what drawbacks arise when the policies are misused in the organisation.
We have to tell them what software we use, and how to install and maintain the software for the organisation's growth. They have to know which operating systems the software involves, how hackers could destroy the information, and what steps to follow to manage the risk.
We have to teach them the main functions used in the organisation, how to follow those functions, and how to comply with the policies the organisation implements.
We have to explain to them how to improve the organisation and what their responsibilities are when the organisation gives them management of their own work.