Our dependence on various media and devices for communication and information exchange with the outside world is increasing. So we need to take adequate steps to protect our infrastructure from the security hazards posed by such media and devices.
by Avinash Kadam
Security of Information Systems depends on the flawless execution of multiple interdependent functions. Managing communications and operations is one such area, requiring meticulous technical and managerial planning. You also need to create and maintain well-documented procedures and ensure that everybody involved in the process scrupulously follows them.
The main control objectives to be fulfilled for this domain are:
- Operational procedures and responsibilities
- System planning and acceptance
- Protection against malicious software
- Housekeeping
- Network management
- Media handling and security
- Exchange of information and software
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Merely documenting the operating procedures, and clearly defining who is responsible for maintaining and updating these documents, goes a long way towards ensuring correct and repeatable operation. Usually, there are a number of procedures in an organization pertaining to computer job scheduling and execution, handling of special categories of information such as confidential information, handling of errors, operating instructions for certain equipment, restart and recovery procedures, computer backup, maintenance procedures, etc. These procedures would be partly documented, partly provided by suppliers of systems and equipment; sometimes they may exist in internal memos.
Over a period of time, most of the procedures become routine and the documentation is hardly ever referred to. The danger is that if a new person joins the department or an old hand is on leave, the proper procedure may not be available or known, leading to errors and chaos.
Operational change control: Most organizations that have a Quality Management System (QMS) like ISO 9001 in place would have their procedures well documented and indexed. A QMS also requires a proper change-control procedure to be in place, which means that all changes to any procedure are appropriately controlled. Organizations that do not have ISO 9001 will have to make this extra effort, which will be well rewarded, as errors and rework will definitely be reduced.
A few additional procedures may need to be documented to meet the security requirements. These are:
Incident management procedure: This is required to ensure quick identification of a security incident. It must include the correct response for each type of incident; quick communication to all those affected by the incident; audit trails to trace the origin of the incident; an action plan to recover from the incident; and the lessons learnt from each incident, which help the organization develop and implement preventive measures to avoid a repetition of such incidents.
Segregation of duties: To ensure that the same person is not responsible for initiating or executing an action as well as approving or authorizing that same action. This is to prevent fraud, which could be committed by collusion.
Separation of development and operational facilities: To ensure that no software which is in live use is modified without proper permission, and that no software which is still under development or testing is ever used for live operations.
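The two controls above (segregation of duties, and separation of development from operations) are the kind of rules an operations group can enforce mechanically before a change is executed. The following is an added illustration, not code from the article: the role directory and the change records are constructed for the example, and the environment and status labels are assumptions.

```python
from dataclasses import dataclass

# Constructed role directory (assumption: in practice this comes from the access-control list)
ROLES = {
    "asha": {"operator"},
    "bikram": {"operator", "change-approver"},
    "chitra": {"developer"},
    "dinesh": {"developer", "change-approver"},
}

@dataclass
class ChangeRequest:
    change_id: str
    initiator: str
    executor: str
    approver: str
    environment: str      # "development", "test" or "production"
    software_status: str  # "in-development", "under-test" or "accepted"

def control_violations(cr, roles=ROLES):
    """Return the operational-control rules a change record breaks (empty list = may proceed)."""
    found = []
    # Segregation of duties: nobody approves an action they initiated or executed
    if cr.approver in (cr.initiator, cr.executor):
        found.append("approver is also the initiator or executor")
    if "change-approver" not in roles.get(cr.approver, set()):
        found.append("approver is not an authorised change approver")
    if cr.environment == "production":
        # Separation of development and operations: developers do not touch live systems
        for person in dict.fromkeys((cr.initiator, cr.executor, cr.approver)):
            if "developer" in roles.get(person, set()):
                found.append(f"{person} holds a developer role but acts on production")
        # Nothing still under development or test is used for live operations
        if cr.software_status != "accepted":
            found.append(f"software status '{cr.software_status}' is not 'accepted'")
    return found

def audit(changes):
    """Map change_id -> violations for every change that fails at least one rule."""
    return {c.change_id: v for c in changes if (v := control_violations(c))}

SAMPLE_CHANGES = [  # constructed records for illustration
    ChangeRequest("CR-1", "asha", "asha", "bikram", "production", "accepted"),
    ChangeRequest("CR-2", "asha", "asha", "asha", "production", "accepted"),
    ChangeRequest("CR-3", "chitra", "chitra", "dinesh", "production", "under-test"),
    ChangeRequest("CR-4", "chitra", "chitra", "dinesh", "development", "in-development"),
]

if __name__ == "__main__":
    for cid, problems in audit(SAMPLE_CHANGES).items():
        print(cid, "blocked:", "; ".join(problems))
```

Only CR-1 and CR-4 pass; CR-2 fails segregation of duties and CR-3 fails both the development/operations separation and the acceptance requirement.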
External facilities management: If the processing is
outsourced, the outsourcing contractor's facilities
should be subjected to the same level of security as
you expect for your organization. In fact, the decision
to use external facilities itself should be based on
assessing the security risk to the organization due
to outsourcing. It may be advisable to retain sensitive
applications in-house. In case it is necessary to outsource
some applications, the procedure should ensure compliance
by the contractor with the same level of security standards
as well as business continuity plans, which are defined
for the organization. Even the security incident handling
procedures should follow the organizational standards.
SYSTEM PLANNING AND ACCEPTANCE
Capacity Planning: Moore's law predicts a doubling of computing power every 18 months. However, even this geometric progression of computing power does not keep pace with the exponential growth in demand for computing power, storage capacity and communication bandwidth in a growing company. Unless a careful planning process is followed, one that fully considers future capacity requirements for growing business needs, there is a danger of services being denied due to capacity bottlenecks. This could also lead to some security measures being curtailed, which in turn leads to security threats.
System Acceptance: Acceptance of a new system by the operations group means accepting total responsibility for the accuracy and security of the system. The development group may 'wash their hands of it' once the system is accepted. Well-documented acceptance criteria are extremely important to avoid any misunderstanding. Such an acceptance document should consider the performance and capacity requirements, all error recovery and restart procedures, testing of all routine procedures, testing of all security controls, alternative manual procedures and business continuity arrangements. The testing procedure should also check for any adverse effects the new system has on the performance, operation or security of the current systems. The operations department should become a tough and demanding customer, as the 'buck will stop with them' once the system is accepted.
PROTECTION AGAINST MALICIOUS SOFTWARE
We need to identify all the entry points for malicious software, and we need documented procedures to protect the organization by applying controls at these entry points. By entry points we mean the routes by which unauthorized or unlicensed software can get in: media like floppy disks or CDs, or files downloaded from the Internet or any other external source; the first control is to prevent the use of such software.
Next in the list of preventive measures is the installation of detection software at the various entry points, servers and end users' workstations. This could be anti-virus software and content-monitoring software. Finally, if malicious software destroys some part of the information, we need recovery procedures as well as business continuity plans. Each of these steps needs to be properly planned, documented and implemented. The most important aspect is training each user about their responsibilities, and about the effect on organizational security if they are lax in following these procedures.
HOUSEKEEPING
There are a number of routine activities to be done. Proper performance of these activities usually goes unnoticed, but improper performance will be immediately noticed and can affect information integrity and availability.
Information backup is one such routine but absolutely essential activity. Every organization must have a well-documented procedure for backup. The design of the procedure should essentially answer various 'what ifs'. For example, what if the backup is not taken regularly? What if the backup is not restorable? What if the backup is not adequately protected? The procedure should ensure that the risks arising from a failure to back up are adequately addressed.
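The three 'what ifs' above can be answered routinely rather than only on paper. As an added example (not from the article), this Python check takes a tar backup and reports whether it is fresh, protected from other accounts, and restorable by performing a trial restore and comparing checksums; the 24-hour freshness limit and the sample file it archives are assumptions.

```python
import hashlib, os, stat, tarfile, tempfile, time
from pathlib import Path

MAX_AGE_HOURS = 24  # assumption: the backup procedure mandates a daily backup
EXTRACT_KW = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # safe extraction where supported

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_backup(archive, expected, now=None):
    """expected maps member name -> sha256 of the live file at backup time; returns (ok, problems)."""
    now = time.time() if now is None else now
    problems = []
    st = os.stat(archive)
    age_h = (now - st.st_mtime) / 3600
    if age_h > MAX_AGE_HOURS:  # what if the backup is not taken regularly?
        problems.append("not taken regularly: archive is %.1f h old" % age_h)
    if stat.S_IMODE(st.st_mode) & 0o077:  # what if it is not protected? (group/others can read it)
        problems.append("not protected: mode %o" % stat.S_IMODE(st.st_mode))
    with tempfile.TemporaryDirectory() as tmp:  # what if it is not restorable? do a trial restore
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(tmp, **EXTRACT_KW)
        except (tarfile.TarError, OSError) as exc:
            return False, problems + ["not restorable: %s" % exc]
        for name, digest in expected.items():
            restored = Path(tmp, name)
            if not restored.is_file() or sha256_file(restored) != digest:
                problems.append("not restorable: %s missing or altered" % name)
    return not problems, problems

def run_demo():
    """Constructed sample: one small file archived to backup.tar, then three checks."""
    with tempfile.TemporaryDirectory() as root:
        data = Path(root, "data")
        data.mkdir()
        (data / "ledger.csv").write_text("id,amount\n1,100\n")  # constructed content
        expected = {f.name: sha256_file(f) for f in data.iterdir()}
        archive = os.path.join(root, "backup.tar")
        with tarfile.open(archive, "w") as tar:
            for f in data.iterdir():
                tar.add(str(f), arcname=f.name)
        os.chmod(archive, 0o600)  # only the backup account may read it
        return (verify_backup(archive, expected)[0],                               # fresh and restorable
                verify_backup(archive, expected, now=time.time() + 3 * 86400)[0],  # three days later: stale
                verify_backup(archive, {**expected, "ledger.csv": "0" * 64})[0])   # checksum mismatch
```

The `problems` list returned by `verify_backup` is what an operator or an independent reviewer would log and act on; `run_demo` returns `(True, False, False)` for the three scenarios.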
Operator logs could provide a lot of information for proper restoration of the system. Since the logs keep a record of all operator actions, any procedure to check the logs against the operating procedures will not be very welcome with the operators. An independent person should regularly perform this unpopular but necessary task.
Fault logging is a measure to ensure that every fault noticed by users in information processing or communication is recorded. This record should be regularly reviewed to ensure that all faults have been satisfactorily corrected and that security has not been compromised.
NETWORK MANAGEMENT
We are heavily dependent on networks. These could be
local area networks, wide area networks, or the Internet.
A network frees an organization from physical boundaries,
and may extend its reach across the globe. Each network
entails the deployment of huge infrastructure, beginning
with various physical media like cables, wireless or
optical fiber, and other networking equipment. These
may be managed by other organizations over which the
company may have no control.
An organization's network managers need to ensure maintenance
of integrity and confidentiality of the data passing
over public networks, as well as any other connected
network, and the availability of network services consistent
with business needs. To achieve this, responsibilities
for maintenance and security of various segments and
devices will have to be documented.
MEDIA HANDLING AND SECURITY
Data stored on various media will have the same level
of asset classification as assigned to the original
data items, and should be protected against damage or
loss.
We need to have well-documented procedures on how media should be stored, handled, secured and disposed of (when no longer required).
Management of removable computer media requires that
an audit-trail be maintained to trace the movement of
such media as well as its storage. While stored, it
should be provided security as per the asset classification.
A color code will be useful to immediately identify
the media requiring higher level of protection.
If the media is reusable (like a tape or disk), all
the previous data should be erased (wiped off) before
the media is reissued for use.
Disposal of media may involve understanding the original
classification of media given for disposal. The disposal
methods should be commensurate with the classification.
This may involve incineration, shredding or a similar
irrevocable destruction process to be carried out.
Information handling procedures need to be explicitly documented as per the classification levels decided by the organization. Classified information should be handled with the utmost precaution, not only when being processed or stored, but also when communicated by e-mail, fax or phone, especially mobile phones.
The procedure for information handling should specify
the distribution mechanism as well as review of distribution
lists, restrictions of storage as well as access.
Most of the data is retained for long periods due to
the fear of losing something of importance. This may
result in a huge amount of stagnating data. The classification
scheme should have specific mention of the expiry date
for a particular data item. The data must be destroyed
after that expiry date.
Security of system documentation: Finally, all the system
documentation, which consists of all the processes,
procedures, and data structures itself, should also
be securely stored and the access-list for such documentation
should be well-controlled and authorized by the application
owners.
EXCHANGE OF INFORMATION AND SOFTWARE
Exchange of information in a secure mode is the basic
requirement for conducting business. This requires that
there are appropriate information exchange agreements
in place; the media is well protected while in transit;
and all the business uses of information are designed
to ensure confidentiality, availability and integrity
of information.
Information and software exchange agreements may be
necessary to clearly understand the roles and responsibilities,
and liabilities of various agencies involved in handling
the information. All the technical standards for packaging,
transmission, recording, reading and cryptography may
be required to be documented and accepted.
Security of media in transit: When media are physically
transported, we may need to define the procedures for
tamper-proof/tamper-evident packaging or other secure
ways of delivering the media through a reliable transporter
or courier.
Electronic-commerce security is an area of major concern, more so because of the fear of the unknown. The wide publicity given to hacking activities and the vulnerability of the Internet to attacks has made electronic-commerce security an area of great importance. All the measures for normal business security have to be implemented in this faceless, contact-less world of the Internet. We have to ensure the following measures:
- Use of the right technology for authentication of customers and traders.
- Authorization for the permitted actions.
- Presence of mechanisms for non-repudiation.
- Confidentiality and integrity.
- A clear statement about who carries the liability for fraudulent transactions.
These measures usually depend on cryptography. We have
to ensure that we are following appropriate cryptography
legislation, and also create an appropriate infrastructure
to manage the keys being issued, verified and revoked
for the electronic-commerce transaction.
Security of electronic mail: The biggest impact the Internet has made on our personal lives and business transactions is perhaps electronic mail. The insecure nature of electronic mail has not yet sunk into our consciousness. It is necessary to establish a clear policy on the use of electronic mail for business transactions. This policy should be based on the various security risks an organization may face because of unauthorized access to or modification of e-mail. E-mail may also be a carrier of viruses and Trojans. The policy should define the responsibility of users for their actions, as well as the responsibility and authority of management for inspecting, storing and reviewing employee e-mail. The policy should also clarify the organization's standards for the use of cryptography for the confidentiality and integrity of electronic mail messages.
Security of electronic office systems: Apart from electronic
mails, we use a number of devices, which help us in
faster dissemination of information. These are phone
systems with recording facilities, voice mail boxes,
conference call facilities, fax machines that store
faxes, electronic bulletin boards, multimedia communication
facilities, mobile communication and computing which
can easily interface with our office systems. We need
to document all the vulnerabilities of information in
office systems and frame appropriate policies, which
will help manage this explosion of information.
Publicly available systems: Similarly, we need to protect
the integrity of information, which is publicly available,
for example information available on a company's website.
A misrepresentation of facts could damage the credibility
of the company. A procedure to ensure the access, update,
and integrity checking should be in place to avoid such
incidents.
Other forms of information exchange: The all-pervasive
nature of information makes it necessary to enforce
a policy on exchange of information by voice, facsimile
and video conferencing. Even restriction on use of mobile
phones in public places for exchanging confidential
information needs to be specified in policy.
So define the security policy for clearly identified risks. If people accept the definition of confidential information, they will not only follow the policy and procedures but may also help you detect security loopholes that you might have overlooked.
Avinash Kadam is Chief Executive - Assurance and Training at Miel e-Security, Pvt. Ltd. He can be reached at awkadam@mielesecurity.com