IS Information Security Management Strategies and Policies


The implementation of strong IS security management ensures the protection of information assets (processing resources and data) through effective policy, controls, standardized procedures, and control testing. As stated earlier, security management applies risk-management principles and techniques to assess IT assets, mitigate the risk to these assets, and monitor residual risks. These are the three tenets of information security:

  • Confidentiality

    • Ability to ensure that the necessary level of secrecy is enforced throughout each junction of data processing, to prevent unauthorized disclosure

  • Integrity

    • Assurance of accuracy and reliability of data

    • Prevention of unauthorized data modification

    • Prevention of unintentional modification by authorized users

  • Availability

    • Reliable and timely access to data and resources for individuals

These tenets are collectively known as the CIA triad. Security management should apply these tenets in the implementation and review of controls within the IT environment. In Chapter 1, you learned about a variety of risk types. Security management implements controls to reduce (mitigate) risk. The following is a list of control categories that reduce risk and help control the IT function:

  • Security

  • Input

  • Processing

  • Output

  • Databases

  • Backup and recovery

Developing and implementing a function dedicated to security in the organization ensures that the risks associated with the business and information systems are mitigated through the use of risk-assessment techniques, policies and procedures, and an overall security strategy. The combination of these security controls ensures that the IT infrastructure is protected against both internal and external threats.

The security function must protect the IT infrastructure through the use of physical and logical controls. Physical security controls access to facilities, computers, and telecommunications equipment and other assets of the infrastructure. These controls ensure that only authorized users have access to facilities and that policies are in place so that visitors are logged and accompanied by authorized personnel. The physical facility should be configured so that during the normal course of business, visitors such as vending machine suppliers, workmen, and janitorial and repair personnel are monitored and have access only to the areas required to perform their function. Access to the facility can be controlled through the use of security guards, biometric devices (retina scanners, hand geometry, fingerprint scanners), keys and locks, and electronic card readers. All access points to the facility, including doors, windows, and access vents, should contain physical controls to monitor, detect, and control entry. In the case of windows and vents, the organization might deploy cameras, motion detectors, glass-break detectors, and alarms.

A monitoring system should be in place for the facility. This could include cameras, visitor logs, card entry logs, roving guards, and penetration alarms. It is important to remember that having these controls in place should include defining responsibility for regular review and monitoring. As an example, the visitor logs should be regularly reviewed to ensure that visitors are signing in and out of the facility. The logs associated with key cards should be reviewed to ensure that only authorized individuals have access to the facility and to look for anomalies associated with access (authorized individuals coming in during time frames that are not concurrent with their work hours or attempting to access areas of the facility for which they do not have access).
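
The key-card log review described above can be automated. The following is an added example, not code from the book: it assumes a constructed comma-separated badge log (timestamp, card holder, area, result), a constructed access profile per user (authorized areas and normal working hours), and flags the three anomalies the text calls out: cards not mapped to an authorized user, access outside working hours, and attempts on areas the holder is not authorized for.

```python
"""Review badge (key-card) access logs for anomalies.

Added example for illustration, not part of the book. The log format,
the access profiles and the sample records are constructed assumptions.
"""
from datetime import datetime, time

# Constructed: each card holder's authorized areas and normal working hours.
ACCESS_PROFILE = {
    "jsmith": {"areas": {"lobby", "floor2"}, "hours": (time(8, 0), time(18, 0))},
    "mlee": {"areas": {"lobby", "floor2", "datacenter"}, "hours": (time(7, 0), time(19, 0))},
}

# Constructed sample log: timestamp,user,area,result (first-come order).
SAMPLE_LOG = """\
2024-03-04T08:15:00,jsmith,lobby,granted
2024-03-04T08:16:30,jsmith,floor2,granted
2024-03-04T12:40:10,jsmith,datacenter,denied
2024-03-04T23:05:00,mlee,datacenter,granted
2024-03-05T09:00:00,unknown01,lobby,granted
"""


def parse_log(text):
    """Turn the constructed CSV-style log into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, user, area, result = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "area": area, "result": result})
    return records


def review_badge_log(text, profiles=ACCESS_PROFILE):
    """Return (user, timestamp, finding) tuples that a reviewer should look at."""
    findings = []
    for rec in parse_log(text):
        profile = profiles.get(rec["user"])
        if profile is None:
            # A card that the access list does not know about should never work.
            findings.append((rec["user"], rec["ts"], "card not mapped to an authorized user"))
            continue
        start, end = profile["hours"]
        if not (start <= rec["ts"].time() <= end):
            findings.append((rec["user"], rec["ts"], "access outside normal working hours"))
        if rec["area"] not in profile["areas"]:
            if rec["result"] == "granted":
                # Granted entry to an area outside the profile points at a
                # misconfigured card, which is worse than a refused attempt.
                findings.append((rec["user"], rec["ts"],
                                 f"granted entry to unauthorized area {rec['area']} (check card configuration)"))
            else:
                findings.append((rec["user"], rec["ts"],
                                 f"attempted entry to unauthorized area {rec['area']}"))
    return findings


if __name__ == "__main__":
    for user, ts, finding in review_badge_log(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user:10}  {finding}")
```

Denied attempts are reported as well as granted ones: a refused swipe at the data center door is exactly the kind of anomaly the review is meant to surface, even though the control held.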

Physical security controls are most often defeated through social engineering, whereby unauthorized persons gain access to the facility by posing as someone they are not (a repairman, an authorized vendor, and so on). Social engineering is the use of psychological manipulation of authorized users to gain access to the facility or system. Unauthorized persons might use techniques such as "shoulder surfing" (looking over the shoulder of authorized users to observe the key codes used to enter the building), claiming to have "lost" a badge or key card and persuading an authorized user to help them gain access, or "piggybacking" (following an authorized user through a door opened with a valid key card).

The IS auditor should regularly perform penetration tests of the facility. These tests might include attempting entry at access points through persuasion or by force, or gaining admission as a visitor and then trying to reach areas for which visitors are not authorized. The combination of regular review, monitoring, and testing of physical security controls identifies weaknesses and areas for improvement.

As a rule, logical security controls are more complex to implement and maintain, but they are an integral part of maintaining the confidentiality, availability, and integrity of the IT infrastructure. Logical access controls entail access to the information systems (workstations, servers, telecommunications, and data) of the organization. The most common form for logical access to the information systems is through a terminal or workstation. Logical controls ensure that authorized users have a login (ID) and password, and should apply the control of least privilege: Authorized users should have access to only the applications and data they need to perform their job function.

It is important that the security function in the organization not only implement these controls, but also have regular logging and monitoring of logical access to the systems and data. These policies and procedures should include segregation of duties, logging of access (both successful and unsuccessful), and transaction logs monitoring what systems or applications were accessed by whom and when. Proper segregation of duties ensures that those charged with the review of system and transaction logs do not have the ability to change those logs and that there are clear procedures for reporting any anomalies or incidents found in the logs. A variety of controls are included in logical controls; these are some of the controls that the IS auditor should look for:

  • Proper segregation of duties with regard to the input and authorization of data

  • Proper password procedures and complex passwords (the use of alphanumeric characters and symbols, and correct password length)

  • Regular password changes (30, 60, 90 days). Note that more recent guidance, for example NIST SP 800-63B, favors changing passwords when there is evidence of compromise rather than on a fixed schedule, so the auditor should check which standard the organization's policy follows.

  • Proper procedures for new account creation and termination of accounts

  • Proper systems logging for successful and unsuccessful access attempts

  • Proper transaction logging for access to applications and data (transaction performed, by whom, and at what time)

  • Where possible, time periods for which users can log into the system (9 a.m. to 5 p.m.)

  • Training in place to ensure that users do not provide passwords to unauthorized parties (for example, by phone or with sticky notes at desk)

  • Clear job descriptions and definitions of application and data access

  • Regular review of all user accounts, to ensure that only authorized users have access and that access is correct per job function (job description)

  • Clear process for reporting and investigating incidents and anomalies
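
The account review in the list above (access correct per job function, no access for terminated users, no segregation-of-duties conflicts) can be reduced to a reconciliation of three lists. The following is an added example and not code from the book: it assumes a constructed role-to-entitlement map derived from job descriptions, a constructed HR roster, and a constructed snapshot of the entitlements actually present on the systems, and reports every account whose access does not match what the job description allows.

```python
"""Reconcile user accounts against job-function access profiles.

Added example for illustration, not part of the book. Role definitions,
the HR roster, the entitlement snapshot and the conflict pairs are all
constructed assumptions.
"""

# Constructed: entitlements each job function should hold, per job description.
ROLE_ACCESS = {
    "ar_clerk": {"erp:ar_entry"},
    "ar_manager": {"erp:ar_approve", "reports:finance"},
    "dba": {"db:admin", "reports:finance"},
}

# Constructed HR roster: user -> (job function, employment status).
HR_ROSTER = {
    "alice": ("ar_clerk", "active"),
    "bob": ("ar_manager", "active"),
    "carol": ("dba", "terminated"),
}

# Constructed snapshot of what the systems actually grant today.
ACCOUNT_ACCESS = {
    "alice": {"erp:ar_entry", "erp:ar_approve"},  # can both enter and approve
    "bob": {"erp:ar_approve", "reports:finance"},
    "carol": {"db:admin", "reports:finance"},  # left the company, still enabled
    "svc_old": {"db:admin"},  # no HR record at all
}

# Constructed: entitlement pairs that one person must never hold together.
SOD_CONFLICTS = [
    ({"erp:ar_entry", "erp:ar_approve"}, "enter and approve AR transactions"),
]


def review_accounts(accounts, roster, roles, conflicts):
    """Return (user, finding) tuples for every account that fails the review."""
    findings = []
    for user, granted in sorted(accounts.items()):
        hr = roster.get(user)
        if hr is None:
            # An account with no owner in HR is orphaned and must be investigated.
            findings.append((user, "no HR record (orphaned account)"))
            continue
        role, status = hr
        if status != "active":
            # Termination procedures should have disabled this account.
            findings.append((user, f"account still enabled for {status} user"))
            continue
        excess = granted - roles[role]
        if excess:
            findings.append((user, f"access beyond job function {role}: {sorted(excess)}"))
        for pair, description in conflicts:
            if pair <= granted:
                findings.append((user, f"segregation-of-duties conflict: {description}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNT_ACCESS, HR_ROSTER, ROLE_ACCESS, SOD_CONFLICTS):
        print(f"{user:8} {finding}")
```

The conflict check runs against the entitlements actually granted, not against the role definition, so a clerk who accumulated approval rights through a ticket that bypassed the role model is still caught.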

In addition to internal user accounts, unauthorized users might gain access to applications and data from outside the organization. The source could be existing vendors or suppliers who have access to internal systems, authorized internal users who connect from remote locations, or unauthorized users (hackers) gaining access through the Internet. In most cases, organizations have firewalls in place to control external access from the Internet. The firewall settings (rules) should be as restrictive as possible and should deny all access except that explicitly required by external users to perform their function. Firewall logs and access should be regularly reviewed, and a system should be in place to notify administrators in the event of unauthorized access. The security function should define incident response and reporting procedures for removing access to critical applications and data in the event of external unauthorized access. These procedures can be as extreme as disconnecting the organization from the Internet or can simply involve removing critical applications from Internet connectivity.
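
The rule "deny all access except that explicitly required" is something an auditor can check mechanically against an exported rule set. The following is an added example, not code from the book or from any firewall vendor: it assumes a constructed rule representation (action, source, destination, port, comment) evaluated first-match from top to bottom, and it flags a rule set that does not end in an explicit deny-all, any allow rule broad enough to defeat the default deny, and rules left unreachable below the deny-all.

```python
"""Check a firewall rule set for a default-deny posture.

Added example for illustration, not part of the book. The rule layout and
the sample rules are constructed; real firewalls have their own syntax and
matching semantics (first match is assumed here).
"""
ANY = "any"

# Constructed rule set, evaluated first-match, top to bottom.
SAMPLE_RULES = [
    {"action": "allow", "src": "203.0.113.0/24", "dst": "10.0.1.10", "port": "443", "comment": "partner EDI"},
    {"action": "allow", "src": ANY, "dst": "10.0.1.20", "port": "443", "comment": "public web"},
    {"action": "allow", "src": ANY, "dst": ANY, "port": ANY, "comment": "temporary, added during outage"},
    {"action": "deny", "src": ANY, "dst": ANY, "port": ANY, "comment": "default deny"},
    {"action": "allow", "src": "198.51.100.5", "dst": "10.0.1.30", "port": "22", "comment": "vendor ssh"},
]


def is_catch_all(rule):
    """True when the rule matches every source, destination and port."""
    return rule["src"] == ANY and rule["dst"] == ANY and rule["port"] == ANY


def review_ruleset(rules):
    """Return (rule number, finding) tuples; rule numbers start at 1."""
    findings = []
    if not rules or not (rules[-1]["action"] == "deny" and is_catch_all(rules[-1])):
        # Without a closing deny-all the firewall's built-in default decides,
        # which is not "deny everything not explicitly required".
        findings.append((len(rules), "rule set does not end with an explicit deny-all"))
    deny_all_seen = False
    for idx, rule in enumerate(rules, start=1):
        if deny_all_seen:
            # First-match evaluation never reaches anything below deny-all.
            findings.append((idx, f"unreachable: follows deny-all ({rule['comment']})"))
            continue
        if rule["action"] == "deny" and is_catch_all(rule):
            deny_all_seen = True
            continue
        if rule["action"] == "allow" and is_catch_all(rule):
            findings.append((idx, f"allow-all rule defeats default deny ({rule['comment']})"))
        elif rule["action"] == "allow" and rule["port"] == ANY:
            findings.append((idx, f"allow on all ports ({rule['comment']})"))
    return findings


if __name__ == "__main__":
    for number, finding in review_ruleset(SAMPLE_RULES):
        print(f"rule {number}: {finding}")
```

Rule 2 (any source to one host on port 443) is deliberately not flagged: a public web server is the kind of explicitly required access the text allows, and the check is aimed at rules that are broader than any stated business need.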

The IS auditor should perform regular review and scanning for known vulnerabilities, followed by attempts to exploit the vulnerabilities that are discovered. Penetration testing verifies that the controls in place mitigate risk in accordance with the system's value or function: a scan only reports that a vulnerability appears to be present, whereas a penetration test attempts to exploit one or more of those vulnerabilities to show what an attacker could actually achieve. The combination of regular monitoring, incident reporting, scanning, and penetration testing enables the organization to identify and correct weaknesses within the current security infrastructure.

An information system converts data into information through its collection and processing. Information systems should produce accurate, complete, timely, and reliable information, so the organization must control the risks associated with the collection and processing of this data. The integrity of data in the organization is important because all data, with few exceptions, should be considered influential data: data used throughout the organization for decision making at all levels. One of the greatest concerns with regard to data is unauthorized access to it. This might take place at the point of entry into the information system or through unauthorized manipulation or viewing of the data once it is in the information system. These threats are both internal and external, and they can compromise the confidentiality and privacy of data. Organizations today store and use a large amount of data in their information systems, and they often do not have proper controls in place to protect data access or to detect such access.

Table 2.5 lists some common examples of risks associated with data integrity.

Table 2.5. Risks Associated with Data Integrity

Scenario 1

Data-entry operators have full access to create, update, and delete data in a customer relationship system. The data-entry operators use a variety of data sources to enter data into the system (existing paper lists, external customer lists, and emails from the sales staff). There are no controls with regard to duplicate records, restriction of access to certain data, or the manipulation of data.

Risk type

  • Business risk

    • Data corruption can occur (inaccurate data).

    • Duplicate data

  • Security risk

    • Operators can delete data.

    • Operators can view all customers.

Control

  • Business risk

    • Operators should have access to only the functions they need (such as updates). In applying proper segregation of duties, individual transactions might require higher-level approval.

    • The quality-assurance process should include data validation throughout the entry process.

    • Processes should validate the completeness, accuracy, and timeliness of data entered (double key entry, verification of data entered against the source, and validation through application and database constraints).

  • Security risk

    • Operators should have the least amount of privilege necessary to perform their job.

    • Operators' actions should be logged and reviewed.

    • Quality-assurance measures should be in place to measure operators' accuracy and timeliness.

    • The systems used for data entry should not have local or removable storage attached (such as hard drives, floppy drives, USB ports, or external storage).

Scenario 2

A construction company uses a system to create pricing as part of its bidding process. The pricing information for materials is provided through electronic data interchange (EDI) with suppliers, as well as manual data entry by suppliers and internal data-entry staff.

Risk type

  • Business risk

    • Data corruption could occur (incorrect pricing in bids).

  • Security risk

    • Operators and suppliers have access to internal pricing information.

Control

  • Business risk

    • Operators should have access to only the functions they need (such as updates). Enforcing a second level of transaction approval ensures proper segregation of duties.

    • Specific EDI policies, procedures, and standards should be in place to govern the transfer of information.

    • Quality assurance can be accomplished through validation and error checking throughout the entry process and regular review of database transaction logs.

    • Processes to validate the completeness, accuracy, and timeliness of data entered include double key entry, verification of data entered against the source, and validation through application and database constraints.

  • Security risk

    • Access control should ensure that only authorized users can view proprietary company information (pricing).


We have just looked at unauthorized access and manipulation of data and its effect on data integrity. Another threat to data integrity is the introduction of errors into the data. These errors might be introduced through improper system design, lack of procedures or training, or inadvertent misuse of data.

Proper procedures with regard to system development and testing reduce the introduction of errors in the data. During the system development life cycle, the IT organization should ensure that the requirements for the systems are complete, that the system requirements meet the business requirements of the organization, and that application-development procedures continually test against the requirements. The development of the system should include proper controls at the application level (access, validation, and so on) and the database level (proper data element design, validation, constraints, and error handling). Applications and their associated databases should have regular error-handling routines that ensure that the data entered in the systems meets the business rules as well as external guidelines (compliance). The normal process should include the input of data, a validation process, the creation of a suspense file for transactions that do not meet the validation criteria, and a review of the suspense file by authorized parties before making it part of the production data. This process should include proper segregation of duties, ensuring that those entering data have no part in authorizing, reviewing, or approving data.
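
The input, validation, suspense-file, and segregated-review process described above can be demonstrated end to end. The following is an added example, not code from the book: it assumes a constructed customer-order record layout with three business rules (numeric customer ID, positive amount below an approval threshold, supported currency), a constructed role table in which no user holds both the entry and the review role, and a constructed batch. Records that fail validation go to a suspense file with their errors, and only a reviewer who is not the person who entered the record may release a corrected item into production.

```python
"""Input validation with a suspense file and segregated review.

Added example for illustration, not part of the book. The record layout,
business rules, role assignments and sample batch are constructed.
"""
from decimal import Decimal, InvalidOperation

# Constructed: who may do what. Nobody holds both roles.
ROLES = {"dana": {"entry"}, "evan": {"review"}}

# Constructed business rules for a customer order record.
VALID_CURRENCIES = {"USD", "EUR"}
MAX_ORDER = Decimal("50000.00")


def validate(record):
    """Return a list of rule violations; an empty list means the record passes."""
    errors = []
    if not record.get("customer_id", "").isdigit():
        errors.append("customer_id must be numeric")
    try:
        amount = Decimal(record.get("amount", ""))
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount > MAX_ORDER:
            errors.append(f"amount exceeds {MAX_ORDER} and needs approval")
    except InvalidOperation:
        errors.append("amount is not a valid decimal")
    if record.get("currency") not in VALID_CURRENCIES:
        errors.append("unsupported currency")
    return errors


def process_batch(records, entered_by, roles=ROLES):
    """Split a batch into production-ready records and a suspense file."""
    if "entry" not in roles.get(entered_by, set()):
        raise PermissionError(f"{entered_by} is not authorized for data entry")
    production, suspense = [], []
    for rec in records:
        errors = validate(rec)
        if errors:
            # Failed records are held with their errors and the entering user,
            # so the reviewer knows what to fix and whose work it was.
            suspense.append({"record": rec, "errors": errors, "entered_by": entered_by})
        else:
            production.append(rec)
    return production, suspense


def release_from_suspense(item, reviewer, roles=ROLES):
    """Release a corrected suspense item; the reviewer must not be the enterer."""
    if "review" not in roles.get(reviewer, set()):
        raise PermissionError(f"{reviewer} is not authorized to review")
    if reviewer == item["entered_by"]:
        raise PermissionError("reviewer must differ from the person who entered the record")
    remaining = validate(item["record"])
    if remaining:
        # Re-validate on release: a correction must actually satisfy the rules.
        raise ValueError(f"record still fails validation: {remaining}")
    return item["record"]


# Constructed sample batch: one clean record and three that should be held.
SAMPLE_BATCH = [
    {"customer_id": "1001", "amount": "250.00", "currency": "USD"},
    {"customer_id": "10A1", "amount": "99.00", "currency": "USD"},
    {"customer_id": "1002", "amount": "75000.00", "currency": "EUR"},
    {"customer_id": "1003", "amount": "abc", "currency": "GBP"},
]

if __name__ == "__main__":
    production, suspense = process_batch(SAMPLE_BATCH, "dana")
    print(f"{len(production)} record(s) to production, {len(suspense)} held in suspense")
    for item in suspense:
        print(item["record"], "->", item["errors"])
```

The amount check is written with Decimal rather than float so that a bid price is not silently rounded, and the release step re-runs validation instead of trusting the reviewer's judgement, which keeps the application-level rule and the reviewer's approval as two separate controls.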

The security function in the organization should be involved in all aspects of the system development life cycle, to ensure that proper controls are implemented. The security function should provide specific controls for the confidentiality, availability, and integrity of information systems, to mitigate risk in the organization.



Source: CISA Exam Cram 2
ISBN: B001EEFNHG
Year: 2005
Pages: 146
