The ISFS is an information security framework that is easy to understand and implement, designed to bridge the gap between the user and information security. It provides SMEs with a centralised repository of security policies and technical controls for information. Hence, the ISFS allows SMEs with only a basic infrastructure to communicate security policies and controls effectively throughout the company, ensuring business continuity and the confidentiality, integrity and availability of information.
The ISFS is the implementation of a suitable set of controls, including policies, processes, procedures, organisational structures, and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and updated to ensure that the specific security and business objectives of the organisation are met.
The main objectives of the ISFS are:
- Ensuring consistency of organisational security objectives throughout the SMEs sector
- Allowing business strategies and goals to drive information security
- Providing a comprehensive set of security guidelines
- Allowing the SMEs sector to manage risks
- Providing methods to effectively and efficiently implement security objectives at a technical level
Properties of the Information Security Framework for SMEs (ISFS)
The ISFS is tailored to the needs of SMEs and covers the following control areas:
- physical security: secure the areas by appropriate entry controls to ensure that only authorised personnel are allowed access.
- personnel security: ensure that all employees and third-party users understand their roles and responsibilities, to reduce the risk of theft, fraud or misuse of facilities.
- data protection and privacy of personal information: establish safeguards to protect the data of employees from theft, abuse, misuse and any form of damage.
- protection of organisational records: establish safeguards to protect the data of the organisation from theft, abuse, misuse and any form of damage.
- intellectual property rights: protect any material that may be considered intellectual property.
- access controls: the controls required to prevent unauthorised user access and the compromise or theft of information held in application systems.
- security technology: implement appropriate controls and software to prevent, detect and remove malicious code.
- security response and recovery: ensure the confidentiality, integrity and availability of critical business information and systems.
- security audits: controls to minimise the risk of disruption to business processes.
Development of the Information Security Framework for SMEs (ISFS)
The ISFS is built on a security framework designed to provide flexibility in managing information. Its key elements, referred to as the three pillars of the ISFS, are people, technology and process.
Together, these three elements form a security framework that monitors, measures and reports on controls. The following diagram represents the key elements of a security system.
People, the employees of the SME, are the greatest asset and element of the security system. This pillar comprises the people and the various roles and responsibilities within the organisation. In other words, the roles and responsibilities of the people are to execute and support the process. Examples of key roles are senior management, security administrators, system and IT administrators, end users and auditors.
A good security culture is developed in the following three ways:
- Identity and access management: the roles for the different users within the SME (from administrative staff to the CEO) are defined, and the physical and logical access privileges for all employees are specified. Once these roles are defined, the appropriate access is granted to each employee.
- Information security organisation: all employees are responsible for security.
- Training and awareness: an ongoing effort to raise awareness of the benefits of working in a secure environment. The process includes executives, management, administrators and end users.
Technology is integral to the protection of information systems; it is one of the fastest-growing segments of the field and is available in many forms and flavours. It includes the tools, methods and mechanisms that support the process. The earliest information security technologies were antivirus tools to protect desktop computers and firewalls to protect organisational boundaries. Today, security technologies are available to protect individual users, enterprises, intranets, the Internet, home users and small businesses.
Information security relies on layering technologies throughout an organisation to provide an umbrella that mitigates risk and thereby reduces threat. According to Forrester Research, security technology is divided into seven domains:
- Application infrastructure
- Messaging and content
- Data encryption
Process is the glue that binds people and technology. It comprises the security vision statement, the security policy and standards, and the control documentation. It is said to be the bible to which the security process refers for direction and guidance. The documented security areas are:
- Information risk management
- Policy and compliance framework
- Information asset management
- Business continuity and disaster recovery
- Incident and threat management
- Physical and environmental security
- System development and operations management
Within the three pillars of the ISFS, the following phases are included:
The determining factors of the business drivers of security are:
- technology strategy
- business initiatives and processes
- threats, vulnerabilities and risk
These are combined to derive the security policies and technical controls.
This is the design of the security environment for the SME. At this stage, the SME clearly defines its security policy and technical control information. These processes allow it to identify the risks to, and the value of, its information assets and to manage risk appropriately.
This is the documentation of the guidelines and procedures of the ISFS. The guidelines are updated as the environment changes.
The fundamental ISFS life cycle consists of five interrelated processes:
- Manage and Support
These five elements allow the ISFS to grow and respond to changing needs and conditions.
This analyses the current state of security by identifying the assets to be protected (software, hardware, data and people), prioritising the information, identifying the required services and anticipating the threats.
This is the process whereby an information security framework is designed to the needs of the SME. At the end of this stage, the security framework is a complete document accompanied by a deployment plan.
This is the process of implementing the information security framework created in the design phase.
Manage and Support
This measures the performance of the company against the goals stated in the framework. Based on the metrics, the framework is re-evaluated and updated to improve its effectiveness.
This is a critical element for the successful deployment of the ISFS. It is an ongoing process that raises awareness of roles and responsibilities at the executive, management, administrator and end-user levels, and of the technical and financial benefits to the company. It ensures that staff are familiar with the procedures and with the benefits of working in a secure environment.
Elements in the ISFS
Information Security Risk Assessment
This section helps SMEs assess their information security needs; after completing the checklist, they will be able to implement the actions of the ISFS.
Evaluation of the security
This helps to evaluate the information security concerns of the SME. It guides the SME through the steps needed to review the security of its systems and networks so that the business is not disrupted.
Risk key parameters (Yes/No)
- Do you store important company or personal information (on employees, customers and third parties) on computers?
- What types of information (credit card details, accounting details, supplier information) are accessed over the network?
- Does the company have a website?
- Do employees use computers, and are they connected to the Internet?
- Do employees use email at work?
- Would the company be affected if it fell victim to viruses or phishing?
Identification of critical information assets
After evaluating the level of security in the company, it is vital to identify and prioritise the critical information assets in order to protect the business.
Risk key parameters (Yes/No)
- Have you identified the information that is critical to the business?
- Are you aware of the necessary steps to take when creating, processing, storing, using and transmitting critical information?
- If the confidentiality, integrity or availability of critical information were compromised during processing or transmission, do you know what would happen to the business?
- Do you regularly perform an inventory of the company's assets?
- Do you know which assets of the company are critical?
Managing the access to critical information
It is essential to know who accesses the critical information, and how and why they access it, in order to ensure the confidentiality, integrity and availability of the assets. This can be assessed through the following set of questions:
Risk key parameters (Yes/No)
- Do you have an approval process for granting access to key information in your organisation?
- Do you have procedures and policies in place to control who has access to key information?
- Can the users of the system be identified by unique usernames?
- Do you have a procedure to ensure that access is removed when an employee leaves the organisation?
- Do you regularly review access rights to the system?
- Do you take steps to prevent unauthorised physical access to the premises (server room, secretariat, filing cabinets)?
- Do you physically secure laptops when they are unattended?
- Do you keep passwords confidential?
- Do you change passwords regularly?
- Are passwords at least 8 characters long?
- Do passwords contain both numeric and alphabetic characters?
Managing critical information
Security practices shall be strongly upheld within the SME environment to ensure that systems and data are appropriately protected against threats. The following points help SMEs identify best practices for protecting their assets.
Risk key parameters (Yes/No)
- Do you regularly back up data, and how frequently?
- Do you test the backups regularly?
- Where do you store the backups?
- Are antivirus and antispyware software installed on the computers?
- Are the definitions updated at least once a week?
- Do you include security responsibilities in job descriptions?
- Do you provide security training for your employees?
Understanding the legal obligation
It is important to know and understand the legal responsibilities under the different laws prevailing in the ICT sector:
- Data Protection Act 2004
- Computer Misuse and Cybercrime Act 2003
- Electronic Transaction Act 2000
The following questions guide SMEs in assessing their obligations regarding the assets of the company.
Risk key parameters (Yes/No)
- Are you familiar with legal requirements related to securing certain types of information (personal, sensitive or confidential information)?
- Are you familiar with the rights of employees in the workplace?
- Are you aware of your role regarding the security of others?
- Do your employees understand what is appropriate behaviour on the Internet?
Information Security Framework for SMEs (ISFS)
Below is the set of controls that make up the ISFS framework and that will help SMEs build a trustworthy and secure enterprise.
The mandatory elements of the framework are:
Access control
Appropriate access control policies should be applied to ensure that only authorised personnel can access critical information. Access rights should be granted on a need-to-know basis only; for instance, staff in the communications department cannot access payroll information.
- Access rights to the system should be granted based on a person's role rather than on a person-by-person basis, and they should be reviewed regularly.
- Each user should be assigned a unique identifier on the system.
- Users should be trained in security best practices and educated about the importance of information security.
- When an employee leaves the company or changes role, the user's account should be disabled or the privileges reviewed.
- A password should be required to log on to any computer or system. It should be difficult to guess and contain a mix of upper-case and lower-case letters, numbers and symbols.
- The password should be at least eight characters long, e.g. Msi5Yold! (My son is 5 years old).
- Passwords should be changed regularly.
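The access-control rules above, as an added worked example that is not part of the ISFS document: a small Python access register in which permissions attach to roles rather than to people, user identifiers must be unique, passwords are checked against the stated policy at enrolment, leavers are disabled rather than deleted, and accounts whose rights have not been reviewed recently are listed. The roles, permissions and users are constructed sample data, and the 90-day review interval is an assumption rather than a figure from the framework.

```python
import re
from dataclasses import dataclass
from datetime import date

# Constructed example roles. Permissions are attached to roles, never to
# individual people, so a change of job is a change of role.
ROLE_PERMISSIONS = {
    "hr":             {"payroll:read", "payroll:write", "personnel:read"},
    "finance":        {"payroll:read", "accounts:read", "accounts:write"},
    "communications": {"website:write", "marketing:read"},
    "it_admin":       {"server:admin", "backup:restore"},
}

PASSWORD_MIN_LENGTH = 8    # the framework's stated minimum
REVIEW_INTERVAL_DAYS = 90  # assumption: how often access rights are re-certified


def password_policy_violations(password: str) -> list:
    """Return the rules a password fails (empty list = compliant). The rules
    are those the framework states: at least eight characters and a mix of
    upper-case, lower-case, digits and symbols."""
    checks = [
        (len(password) >= PASSWORD_MIN_LENGTH, "shorter than 8 characters"),
        (re.search(r"[A-Z]", password), "no upper-case letter"),
        (re.search(r"[a-z]", password), "no lower-case letter"),
        (re.search(r"[0-9]", password), "no digit"),
        (re.search(r"[^A-Za-z0-9]", password), "no symbol"),
    ]
    return [reason for ok, reason in checks if not ok]


@dataclass
class User:
    user_id: str       # unique identifier on the system
    roles: set
    reviewed_on: date  # when the account's rights were last reviewed
    active: bool = True


def _check_roles(roles):
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown roles: {sorted(unknown)}")
    return set(roles)


class AccessRegister:
    """Register of accounts with role-based permissions."""

    def __init__(self):
        self._users = {}

    def add_user(self, user_id, roles, password, reviewed_on):
        """Enrol a user (reviewed_on as an ISO date); rejects duplicate ids,
        unknown roles and passwords that fail the policy."""
        if user_id in self._users:
            raise ValueError(f"user id {user_id!r} already exists; ids must be unique")
        roles = _check_roles(roles)
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("password rejected: " + "; ".join(violations))
        # A real system would salt-and-hash the password here; this register
        # only checks the policy and never stores the password.
        self._users[user_id] = User(user_id, roles, date.fromisoformat(reviewed_on))

    def permitted(self, user_id, permission) -> bool:
        """Access decision: unknown or disabled accounts get nothing."""
        user = self._users.get(user_id)
        if user is None or not user.active:
            return False
        return any(permission in ROLE_PERMISSIONS[r] for r in user.roles)

    def change_roles(self, user_id, roles, reviewed_on):
        """Role change: replace the old roles rather than accumulate them."""
        user = self._users[user_id]
        user.roles = _check_roles(roles)
        user.reviewed_on = date.fromisoformat(reviewed_on)

    def offboard(self, user_id):
        """Leaver: disable the account rather than delete it, so audit logs
        still resolve the identifier; strip all roles at the same time."""
        user = self._users[user_id]
        user.active = False
        user.roles = set()

    def due_for_review(self, today) -> list:
        """Active accounts whose rights were last reviewed more than
        REVIEW_INTERVAL_DAYS before *today* (ISO date)."""
        cutoff = date.fromisoformat(today)
        return sorted(u.user_id for u in self._users.values()
                      if u.active and (cutoff - u.reviewed_on).days > REVIEW_INTERVAL_DAYS)
```

The register deliberately keeps disabled accounts: deleting a leaver's account would leave audit-log entries that no longer resolve to a person, which is the opposite of what an investigation needs.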
Physical security
Physical control of the equipment in an enterprise is vital, as equipment is a valuable asset like any other.
- Access to sensitive areas (e.g. filing cabinets, server room and PCs) should be restricted and controlled, either by physical locks or by two-factor authentication.
- Laptops should be physically secured when unattended.
- All service utilities (air conditioning equipment, fire prevention and detection systems, and UPS) should be tested every three months.
- Visitors should be escorted and should not be allowed to enter the premises without prior management approval.
- Backup media should be stored in a secure and safe location, especially media containing sensitive or critical information.
- The serial numbers of servers and PCs should be recorded so that they can be identified if stolen.
- All removable media (hard disks, USB drives, CDs, DVDs, floppy disks) shall be appropriately secured and controlled, and the information on them should be completely destroyed before disposal.
- An audit log recording user access to secure areas shall be securely kept, as it may be required for an investigation.
Data protection and privacy of personal information
A policy should be developed to establish safeguards that protect the data of the employer and employees from theft, abuse, misuse or any form of damage.
- The organisation should be registered with the Data Protection Office: any person or organisation that holds personal data on its employees, suppliers, customers or clients is considered a data controller and is obliged to comply with the Data Protection Act 2004.
- All employees should be aware of the data protection principles.
- Handling of personal information of employees and organisation should comply with the Act.
Protect Desktops and Laptops
Three basic security measures help safeguard computers from security threats and productivity loss, providing a powerful first line of defence.
- Update software:
  - Criminal hackers exploit bugs and loopholes in software products, and this can have a great impact on the business. Hence, security updates for Windows and other software should be downloaded and installed at least once a week; enabling automatic updates ensures this happens without depending on a manual routine.
- Antivirus software:
  - Antivirus software should be installed on the computers and the server, and its definitions should be updated regularly.
  - The antivirus software should be configured to scan the contents of incoming e-mail messages and the files on the computer.
- Set up firewalls:
  - PCs connected to the Internet should have a firewall installed. This blocks unsolicited inbound connections that could be used to compromise the confidentiality, integrity and availability of information and the network.
Backup
A regular backup procedure is a simple way to protect critical business data.
- Back up data by copying the sensitive data to a DVD-ROM, an external hard disk or a shared folder on the network.
- Test the backups by restoring the data, to ensure that the media are readable and the backup data has not been tampered with.
- Encrypt the data when it is stored or transferred to a different location, to protect its confidentiality; encryption alone does not detect tampering, so also keep an integrity check (a keyed hash or signature) of the backup.
- A copy of the backup should be stored in a fire-proof safe, at an offsite location or in a bank.
Internet and Email
Unscrupulous websites and unsolicited emails can be dangerous. The set of controls below will help SMEs protect the business and its employees.
- Work computers should not be used for idle browsing.
- Only trusted sites should be visited.
- Employees should not allow websites to install programs while browsing.
- Web addresses should be filtered using a firewall or router, blocking Internet traffic to and from dangerous sites to protect against viruses and spyware.
- Employees should not respond to unsolicited emails, for instance: 'You are the lucky winner of the National Lottery and you have won $50,000,000. Please provide your account details'.
- Attachments with extensions such as .exe, .com and .bat should not be opened unless they come from a trusted source.
- Do not subscribe unnecessarily to mailing lists.
- Do not provide banking details on the Internet unless the site is trusted.
- Do not download games or screensavers, as they are common sources of malware such as Trojans and viruses.
- Internet bandwidth usage should be checked at least once a week to detect spyware consuming network resources.
- The daily transaction logs should be checked for suspicious activity.
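The attachment rule above, as an added worked example that is not part of the ISFS document: a Python filter that parses a raw email with the standard library, walks its attachments and flags the executable types the framework names, including the common trick of a double extension such as invoice.pdf.exe. The sample message is constructed inline; the extensions beyond .exe, .com and .bat are an assumption added here.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# The framework names .exe, .com and .bat; the other directly executable
# types are added here as an assumption and can be tuned per site.
DANGEROUS_EXTENSIONS = {".exe", ".com", ".bat", ".scr", ".cmd", ".vbs", ".js", ".msi"}


def attachment_risk(filename: str):
    """Return a reason string if the attachment name is dangerous, else None."""
    if not filename:
        return "attachment without a filename"
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes:
        return None
    last = suffixes[-1]
    if last in DANGEROUS_EXTENSIONS:
        if len(suffixes) > 1:
            # e.g. invoice.pdf.exe: the document-looking inner extension is bait
            return f"executable disguised with a double extension ({''.join(suffixes)})"
        return f"executable attachment type {last}"
    return None


def risky_attachments(raw_message: bytes) -> list:
    """Parse a raw RFC 822 message and list (filename, reason) for every
    attachment the framework says must not be opened from an untrusted sender."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reason = attachment_risk(name)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one harmless and two dangerous attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "accounts@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4 sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ...", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"@echo off\r\ndel /q *.*", maintype="application",
                       subtype="octet-stream", filename="setup.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in risky_attachments(build_sample_message()):
        print(f"BLOCK {name}: {reason}")
```

Checking the name alone is the framework's rule, not a complete defence: a mail gateway should also inspect the content type and, ideally, the file's magic bytes, since an attacker controls the filename.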
Intellectual Property Rights
The following controls help SMEs protect any material that may be considered intellectual property.
- Appropriate procedures defining the legal use of software and information products should be implemented and communicated to employees.
- Only authorised software should be installed on the PCs, and regular audits shall be performed.
- No pirated software should be installed, as it carries a risk of malware infection.
- Maintain proof and evidence of ownership of licences.
- Intellectual content should be protected; web content such as product images, for example, may be stolen by others.
Security Response and Recovery
An information security incident is an adverse event that compromises the availability, integrity or confidentiality of critical business information and systems. Examples of adverse events are:
- Theft and burglary
- Natural disasters, e.g. cyclones, flooding
- Data line failure
- System crashes
- Packet flooding
- Unauthorised access or use of system resources
- Unauthorised use of another user's account
- Unauthorised use of system privileges
- Web Defacement
- System penetration / intrusion
- Massive virus attacks
Thus, an information security incident plan is a set of controls that detects, corrects and prevents security problems.
Security controls (in case of an incident):
- A committee should be set up to handle security incidents, and its roles and responsibilities should be well defined and communicated.
- Staff should be trained in the emergency procedure and told whom to contact to report an incident.
- Any abnormal event detected should be reported, for instance viruses or a sudden slowdown of applications.
- The type of problem and the impact of the incident should be determined.
- The details of the incident should be properly recorded and classified, for instance date, time, what happened and how it happened.
- The incident should be reported to management or to CERT-MU to seek advice.
- An impact assessment of the incident should be conducted on the data and information to determine whether the system has been compromised and what the damage is.
- If the system has been compromised, a full backup should be taken and stored securely before any clean-up, so that evidence is preserved for investigation.
- The cause of the incident should be eliminated or mitigated.
- The information system should be restored to normal operation.
- After the evaluation of the incident, the existing procedures should be strengthened, and all actions taken during the incident should be recorded.
- After the incident, a post-mortem analysis should be carried out.
Network
If the business has a small network, the following guidelines are recommended.
- A firewall should be implemented to control access to and from the network or computers, in order to block intruders from gaining access to the network.
- Strong passwords should be used to authenticate users to the network and systems.
- All unnecessary network ports should be closed to strengthen network security.
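The "close unnecessary ports" guideline above, as an added worked example that is not part of the ISFS document: a Python audit that parses the output of `ss -tlnp` (the Linux listing of listening TCP sockets with their owning process) and reports every listener that is not on an allow-list of expected port-to-process pairs. The `ss` output and the allow-list are constructed sample data for a hypothetical small-office server.

```python
import re

# Constructed sample of `ss -tlnp` output from a hypothetical server.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=1102,fd=21))
LISTEN  0       128     0.0.0.0:445          0.0.0.0:*          users:(("smbd",pid=1330,fd=35))
LISTEN  0       128     0.0.0.0:8080         0.0.0.0:*          users:(("python3",pid=2105,fd=5))
LISTEN  0       100     0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2291,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Assumed allow-list: which process may listen on which port. Anything
# else is an "unnecessary" port under the framework's rule.
ALLOWED_LISTENERS = {22: "sshd", 445: "smbd", 3306: "mysqld"}

_PROCESS_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output: str) -> list:
    """Turn `ss -tlnp` lines into (address, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines()[1:]:   # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # rsplit so "[::]:22" parses too
        match = _PROCESS_RE.search(line)
        listeners.append((addr, int(port), match.group(1) if match else "?"))
    return listeners


def audit_listeners(ss_output: str, allowed=ALLOWED_LISTENERS) -> list:
    """Report listeners that are not on the allow-list or are run by an
    unexpected process. Returns sorted (port, process, finding) tuples."""
    findings = set()
    for addr, port, proc in parse_listeners(ss_output):
        expected = allowed.get(port)
        if expected is None:
            findings.add((port, proc, "port not in allow-list: close it or add it to the list"))
        elif proc != expected:
            findings.add((port, proc, f"expected {expected} on this port"))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, finding in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} ({proc}): {finding}")
```

On a real host, run `ss -tlnp` as root (unprivileged users cannot see other users' process names) and pass its output to `audit_listeners`; an unexplained listener such as the `nc` on port 4444 in the sample is exactly the kind of thing the weekly check in the framework is meant to catch.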
Server
The server is the network's command centre: if it is compromised, the entire network is at risk.
- The server should be locked in a well-ventilated room.
- Only authorised employees should have access to the server room.
- The principle of least privilege should be implemented, giving each user only the permissions needed to perform the assigned tasks.
- The security options of the server should be well understood and implemented.
Implementation and Testing of ISFS
This section illustrates the application of the ISFS in an SME. The company, selected at random from the pool of respondents, is Compagnie d'Exploitation Agricole Lte (CEAL).
CEAL is involved in equipment rental, excavation, sugar-cane harvesting and sea dredging.
The main objectives are to:
- assess the current state of security in the company,
- determine the information security culture among the employees and the company,
- classify the assets to be protected as well as sensitive information,
- identify the security controls to be implemented,
- create a plan for implementation of the ISFS,
- execute the plan,
- monitor the implementation of the ISFS.
The project team includes:
- Mr. -Managing Director
- Mr. -IT Officer
- Mr. -Supervisor
- Mrs Parweezia Moossa- Implementer
The framework was circulated to the project team, and each member read the security guidelines carefully.
The current state of the company: