dependence on various media and devices for communication
and information exchange with the outside world is increasing.
So we need to take adequate steps to protect our infrastructure
from the security hazards posed by such media and devices.
by Avinash Kadam
of Information Systems depends on the flawless execution
of multiple interdependent functions. Managing communications
and operations is one such area requiring meticulous
technical and managerial planning. You also need to
create and maintain well-documented procedures and ensure
that everybody involved in the process scrupulously
The main control objectives to be fulfilled for this
Operational procedures and responsibilities
System planning and acceptance
Protection against malicious software
Media handling and security
Exchange of information and software
OPERATIONAL PROCEDURES AND RESPONSIBILITIES
Documenting the operating procedures, and clearly defining
the responsibility for maintaining and updating these
documents alone, could ensure correct and repeatable
operation. Usually, there are a number of procedures
in an organization pertaining to computer job-scheduling
and execution, handling of special categories of information
like confidential information, handling of errors, operating
instructions for certain equipment, restart and recovery
procedures, computer backup, maintenance procedures
etc. These procedures would be partly documented, partly
provided by suppliers of systems and equipmentsometimes
these may exist in internal memos.
Over a period, most of the procedures become routine
and the documentation is hardly referred to. The danger
is, if a new person joins the department or an old-hand
is on leave, the proper procedure may not be available
or known, leading to errors and chaos.
Operational change control: Most organizations that
have a Quality Management System (QMS) like ISO 9001
in place would have the procedures well documented and
indexed. QMS also requires a proper change-control procedure
to be in place. This means that all the changes to any
procedure will be appropriately controlled.
that do not have ISO 9001 will have to make these extra
efforts, which will be well rewarded as the errors and
rework will definitely reduce.
Few additional procedures may be required for documentation,
to meet the security requirements. These are:
Incident management procedure: This is required to ensure
quick identification of a security incident. It must
include correct response for each type of incident;
quick communication to all those affected by the incident;
audit trails to trace the origin of incident; action
plan to recover from the incident, and lessons learnt
from each incidentwhich help prepare the organization
to develop and implement preventive measures to avoid
future repetition of such incidents.
Segregation of duties: To ensure that, the same person
is not responsible for initiation or execution of an
action as well as approving or authorizing the same
action. This is to prevent frauds, which could be committed
Separation of developmental and operational facilities:
To ensure that no software, which is in live use, is
modified without proper permissions and no software,
which is still under development or testing, is ever
used for live operations.
External facilities management: If the processing is
outsourced, the outsourcing contractor's facilities
should be subjected to the same level of security as
you expect for your organization. In fact, the decision
to use external facilities itself should be based on
assessing the security risk to the organization due
to outsourcing. It may be advisable to retain sensitive
applications in-house. In case it is necessary to outsource
some applications, the procedure should ensure compliance
by the contractor with the same level of security standards
as well as business continuity plans, which are defined
for the organization. Even the security incident handling
procedures should follow the organizational standards.
SYSTEM PLANNING AND ACCEPTANCE
Capacity Planning: Moore's law predicts doubling of
computing power every 18 months. However, this geometric
progression of computing power does not keep pace with
the exponential growth of the demand for computing power,
storage capacity and communication bandwidth for a growing
company. Unless a careful planning process is followed,
which considers future capacity requirements fully catering
for growing business needs, there is a danger of denying
services due to capacity bottlenecks. This could also
lead to curtailing some security measures, leading to
System Acceptance: Acceptance of a new system by the
operations group is accepting the total responsibility
for accuracy and security of the system. The development
group may, 'wash their hands off' once the system is
accepted. A well-documented acceptance criterion is
extremely important to avoid any misunderstanding. Such
an acceptance document should consider the performance
and capacity requirements, all error recovery and restart
procedures, testing of all routine procedures, testing
of all security controls, alternative manual procedures
and business continuity arrangements. The testing procedure
should also check any adverse effects the new system
has on the performance, operation or security of the
current systems. Operations department should become
a tough and demanding customer, as the 'buck will stop
with them' once the system is accepted.
PROTECTION AGAINST MALICIOUS SOFTWARE
We need to identify all the entry points for malicious
software and we need to have documented procedures to
protect the organization by applying controls at these
entry points. By entry points we mean preventing the
use of unauthorized or unlicensed software, obtained
through media like floppy or CD, or a file downloaded
from Internet or any external source.
Next in the list of preventive measures is installation
of detection software at various entry-points, servers
and end users' workstations. These could be anti-virus
software and content-monitoring software. Finally, if
the malicious software destroys some part of information,
we need recovery procedures as well as business continuity
plans. Each of these steps needs to be properly planned,
documented and implemented. The most important aspect
is training each user about their responsibilities,
and the effect on organizational security if they are
lax in following these procedures.
There are a number of routine activities to be done.
Proper performance of these activities usually goes
un-noticed. But improper performance will be immediately
noticed and can affect information integrity and availability.
Information backup is one such routine but absolutely
essential activity. Every organization must have a well-documented
procedure for backup. Design concern should essentially
answer various 'what ifs?' For example, what if the
back up is not taken regularly? What if the backup is
not restorable? What if the backup is not adequately
protected? The procedure should ensure that the risks
on account of failure to back up are adequately addressed.
Operator-logs could provide a lot of information for
proper restoration of the system. Since the logs are
keeping records of all the operator actions, any procedure
to check the logs against operating procedures will
not be very welcome with the operators. An independent
person should regularly perform this unpopular but necessary
Fault logging is a measure to ensure that every fault
noticed by users in the information processing or communication
should be recorded. This record should be regularly
reviewed to ensure that all faults have been satisfactorily
corrected and security has not been compromised.
We are heavily dependent on networks. These could be
local area networks, wide area networks, or the Internet.
A network frees an organization from physical boundaries,
and may extend its reach across the globe. Each network
entails the deployment of huge infrastructure, beginning
with various physical media like cables, wireless or
optical fiber, and other networking equipment. These
may be managed by other organizations over which the
company may have no control.
An organization's network managers need to ensure maintenance
of integrity and confidentiality of the data passing
over public networks, as well as any other connected
network, and the availability of network services consistent
with business needs. To achieve this, responsibilities
for maintenance and security of various segments and
devices will have to be documented.
MEDIA HANDLING AND SECURITY
Data stored on various media will have the same level
of asset classification as assigned to the original
data items, and should be protected against damage or
We need to have well documented procedures on how the
media should be stored, handled, secured and disposed
off (when no longer required).
Management of removable computer media requires that
an audit-trail be maintained to trace the movement of
such media as well as its storage. While stored, it
should be provided security as per the asset classification.
A color code will be useful to immediately identify
the media requiring higher level of protection.
If the media is reusable (like a tape or disk), all
the previous data should be erased (wiped off) before
the media is reissued for use.
Disposal of media may involve understanding the original
classification of media given for disposal. The disposal
methods should be commensurate with the classification.
This may involve incineration, shredding or a similar
irrevocable destruction process to be carried out.
Information handling procedure needs to be explicitly
documented as per the classification levels decided
by the organization. Classified information should be
handled with the utmost precaution, not only when being
processed or stored, but also when communicated by e-mail,
fax or phoneespecially through mobile phones.
The procedure for information handling should specify
the distribution mechanism as well as review of distribution
lists, restrictions of storage as well as access.
Most of the data is retained for long periods due to
the fear of losing something of importance. This may
result in a huge amount of stagnating data. The classification
scheme should have specific mention of the expiry date
for a particular data item. The data must be destroyed
after that expiry date.
Security of system documentation: Finally, all the system
documentation, which consists of all the processes,
procedures, and data structures itself, should also
be securely stored and the access-list for such documentation
should be well-controlled and authorized by the application
EXCHANGE OF INFORMATION AND SOFTWARE
Exchange of information in a secure mode is the basic
requirement for conducting business. This requires that
there are appropriate information exchange agreements
in place; the media is well protected while in transit;
and all the business uses of information are designed
to ensure confidentiality, availability and integrity
Information and software exchange agreements may be
necessary to clearly understand the roles and responsibilities,
and liabilities of various agencies involved in handling
the information. All the technical standards for packaging,
transmission, recording, reading and cryptography may
be required to be documented and accepted.
Security of media in transit: When media are physically
transported, we may need to define the procedures for
tamper-proof/tamper-evident packaging or other secure
ways of delivering the media through a reliable transporter
Electronic-commerce security is an area of major concern,
more because of the fear of the unknown. Wide publicity
given to hacking activities and vulnerability of the
Internet to attacks has made electronic-commerce security
an area of great importance. All the measures for a
normal business security have to be implemented in this
faceless and physical contact-less world of the Internet.
We have to ensure the following measures:
Use of right technology for authentication of customers
Authorization for the permitted actions.
Presence of mechanisms for non-repudiation.
Confidentiality and integrity.
Clear statement about who carries the liability for
These measures usually depend on cryptography. We have
to ensure that we are following appropriate cryptography
legislation, and also create an appropriate infrastructure
to manage the keys being issued, verified and revoked
for the electronic-commerce transaction.
Security of electronic mail: The biggest impact the
Internet has made on our personal lives and business
transactions is perhaps electronic mail. The insecure
nature of electronic mail has not yet sunk in our consciousness.
It is necessary to establish a clear policy on the use
of electronic mail for business transactions. This policy
should be based on various security risks an organization
may face because of unauthorized access or modification
of e-mail. E-mail may also be a carrier of viruses and
Trojans. The policy should define the responsibility
of users for their actions, as well as responsibility
and authority of management for inspecting, storing
and reviewing employee e-mail. The policy should also
clarify the organization's standards for use of cryptography
for confidentiality and integrity of electronic mail
Security of electronic office systems: Apart from electronic
mails, we use a number of devices, which help us in
faster dissemination of information. These are phone
systems with recording facilities, voice mail boxes,
conference call facilities, fax machines that store
faxes, electronic bulletin boards, multimedia communication
facilities, mobile communication and computing which
can easily interface with our office systems. We need
to document all the vulnerabilities of information in
office systems and frame appropriate policies, which
will help manage this explosion of information.
Publicly available systems: Similarly, we need to protect
the integrity of information, which is publicly available,
for example information available on a company's website.
A misrepresentation of facts could damage the credibility
of the company. A procedure to ensure the access, update,
and integrity checking should be in place to avoid such
Other forms of information exchange: The all-pervasive
nature of information makes it necessary to enforce
a policy on exchange of information by voice, facsimile
and video conferencing. Even restriction on use of mobile
phones in public places for exchanging confidential
information needs to be specified in policy.
So define the security policy for clearly identified
risks. If people accept the definition of confidential
information, they will, not only follow the policy and
procedures, but also may help you to detect any security-loopholes
that you might have overlooked.
Kadam is Chief Executive - Assurance and Training at
Miel e-Security, Pvt. Ltd. He can be reached at firstname.lastname@example.org