Posted: September 5th, 2010 | Author: admin | Filed under: Issues
Welcome to the second edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to 17799 and related information security issues. The newsletter comprises a combination of inclusive articles and the identification of useful and topical sources on the web.
This edition covers:
- BSI Offer Discounted Standard
- Computer Security Begins at Home
- How the Standard Fits Together
- Majority of Cyber Crimes are Not Reported
- ISO17799 Resources
- Downloading Information from the Internet
- ISO17799 Positioning or Certification?
- Less than 1% Reject Cookies
- Disaster Recovery Focus Post Sept 11 (ISO17799 Section 11)
- The ISO17799 Newsletter
BSI OFFER DISCOUNTED STANDARD
BSI have bundled both parts of the standard (see below) at a special discounted rate. The bundled Part 1 (which is now ISO17799) and Part 2 (BS7799-2:1999) can be obtained online from the BSI Electronic Shop
COMPUTER SECURITY BEGINS AT HOME
Whilst everyone is aware of the importance of good information security measures in the office, these are often overlooked when an employee works from home, whether on a permanent or occasional basis. Dangers range from inadequate virus protection on a laptop or home computer, to the risk of confidential data being exposed to unauthorized users, or even a breach of the company’s computer network if accessed remotely.
To counter these risks, there are a number of security measures which should be taken when working from home or off-site. For example:
- Treat company property and/or data as you would in the office, according to company information security procedures
- Do not allow a laptop issued for business purposes to be used by family or friends
- Ensure that laptops are kept secure at all times, and protect access with a strong authentication mechanism
- Do not use the same computer for both business and personal use; or, where this is not possible, store company data on a separate disk with secure access and protection
- Valid licenses must be obtained for any software used at home to avoid a breach of Software Licensing laws
- Ensure that adequate virus protection software is installed on any computers used at home
- Specifically protect all sensitive business documents stored on laptops or home computers
- When connecting remotely to an office network, consider the use of a dial-back facility for added security, and always investigate the reason for failed access (your username may already be in use by an unauthorized person)
This guidance is brought to you courtesy of the RUSecure Interactive Security Manual
HOW THE STANDARD FITS TOGETHER
The standard effectively comprises two parts:
a) Part 1: ISO/IEC 17799:2000 – this is the set of security controls, i.e. the measures and safeguards for potential implementation. It is the main body of the standard itself.
b) Part 2: BS7799-2:1999 – this is a standard ‘specification’ for an Information Security Management System (an ISMS). It is the means managers use to measure, monitor and control their security from a top-down perspective. It essentially explains how to apply ISO17799, and it is this part that can currently be certified against.
Part 2 defines a six part process, broadly as follows:
- Define a security policy
- Define the scope of the ISMS
- Undertake a risk assessment
- Manage the risk
- Select control objectives and controls to be implemented
- Prepare a statement of applicability
This perhaps indicates to a degree why web sites and this newsletter focus so heavily upon risk analysis and security policies – they are absolutely central to ISO17799.
SECURITY POLICIES: Policies are of course ‘the bottom line’ – the rules which define the baseline requirements for your organization. It is therefore critical that they are top quality (see www.information-security-policies-and-standards.com for more information on security policies).
RISK ANALYSIS: You do not have to implement every control covered by ISO17799 – only those that are applicable and appropriate, the latter largely being determined via risk analysis.
MAJORITY OF CYBER CRIMES NOT REPORTED
A survey of the leading companies in 12 countries, undertaken by accounting firm KPMG, concluded that almost 10% had experienced a cyber-security breach during the past twelve months, but that the majority of these companies did not take any legal action against the offenders. A representative of KPMG was quoted as saying: “What we see in the cases that are reported to us is that companies are far more concerned in recovery of assets and keeping their names out of the newspapers than they would be about prosecutions. If they report their losses to regulators or law enforcers, then the focus of any investigation generally becomes the prosecution of offenders.” He also added: “The majority of frauds are committed by people inside the company. If someone has broad knowledge, they are more capable of bypassing any procedures they might have.” (From an article published on www.zdnetasia.com)
An Information Security incident must be reported to outside authorities whenever this is a requirement for compliance with legal requirements or regulations. By not reporting such an incident where it is legally required that you do so, your organization may be unwittingly aiding or abetting an offence. If you believe a crime has been committed, the following actions are strongly recommended:
- Contact the relevant regulatory body and / or law enforcement agency, as appropriate
- You may wish to take legal advice about the severity of the offence
- Gather evidence to prove malicious intent, especially if the suspects are members of staff; but consider carefully the validity of such evidence before reporting it to a third party
- Consider how best to support the investigative process with the minimum breach to your Information Security. You may wish to use a specialist Information Security organization if you lack in-house expertise.
ISO17799 RESOURCES
The first edition of ISO17799 News prompted a number of questions related to resources to help achieve compliance or certification. The following have therefore been identified as leading players for the various topics:
SECURITY POLICIES (ISO17799 Section 3)
The quality of security policies is of fundamental importance, as is their scope and relationship with ISO17799. The RUsecure Information Security Policies are one of several sets of ‘off the shelf’ policies that can be obtained commercially.
However, they are distinctive not only because of their quality, but because they fully embrace ISO17799. In fact, they optionally cross reference the standard, creating assurance for anyone who seriously wishes to demonstrate compliance.
The policy set is shipped in MS-Word format, enabling full editing to meet individual corporate demands. More information on these policies can be obtained from: RUsecure Information Security Policies
RISK ANALYSIS (ISO17799 – throughout!)
There is little doubt about the most ISO17799 aligned, and indeed, the most well known risk analysis product – COBRA. COBRA provides a fully comprehensive risk analysis capability (“risk analysis made easy”) as well as providing a front line ISO17799 compliance management function.
Information on risk analysis itself, and COBRA in particular, can be obtained from www.riskworld.net
DISASTER RECOVERY PLANNING (ISO17799 Section 11)
Disaster recovery planning (or business continuity planning) is sometimes not fully embraced because it is seen as difficult or resource intensive. However, the recent trend is towards simplicity – to enable continuity planning to be grasped and implemented readily and easily.
The leading player in this trend is the BCP-Generator. This comprises two components: a template for a plan and an interactive guide to help you populate it. Both are MS-Word driven, enabling full control and flexibility. If you already have a plan, and perhaps wish to audit it or audit your contingency arrangements, The Disaster Recovery Toolkit is of similar ilk.
Both these products are described at: The Disaster Recovery Shop
DOWNLOADING INFORMATION FROM THE INTERNET
There is a wealth of information available today on the Internet, and the powerful search engines at our disposal enable us to access numerous web sites extremely quickly. The fact that this information is so readily available in the familiar environment of home or office often lulls us into a false sense of security when it comes to downloading files or data. Before doing so, we should consider the risks involved, such as a potentially destructive virus or other malicious code infecting our system, or the risk of system overload and subsequent failure.
The following guidelines are recommended when downloading information from the Internet:
- Ensure that you are in compliance with your company’s Information Security Policy before downloading any information
- Always choose the option to “Save this program to disk”, saving it to a temporary folder away from your main network; then run an up-to-date virus and malicious code scan; if clean, re-file in the desired location on your system.
- Be particularly careful with shareware or freeware programs – these are particularly suited to introducing “Trojan horses” and other malicious code to your computer system.
- Do not introduce software via the “back door” of the Internet. Only acquire and install software according to an agreed company procedure.
- Be aware that information on the Internet may not be reliable, and may have even been released with intent to cause damage or to defraud; try to validate the source of any information you wish to use, and check its date – information on the Internet can be several years old and still claim to be “new”.
- Be aware of the risk of overloading your computer system and its subsequent failure by downloading too many large files… this is easier to do than is sometimes realised.
ISO17799 POSITIONING OR CERTIFICATION?
This is still the most agonized question for organizations approaching ISO17799. It is a very individual question for each – how far to go along the ISO17799 path. For some, nothing less than full certification will do, for a variety of possible reasons. For many, however, a positioning brief is adequate: reaching a position of compliance and then monitoring the market and industry carefully.
For most, the correct posture will be self evident. However, for those unsure of how far to proceed, the online presentation at The ISO17799 Directory may be helpful. This presents ISO17799 in the context of past, present and possible future.
+—————————————————–+
SPONSORS:
If you are interested in sponsoring this newsletter
please contact us at the email address below.
+—————————————————–+
LESS THAN 1% OF WEB USERS REJECT COOKIES
The results of a recent survey of one billion pages from high-volume Web sites concluded that cookies were rejected only 0.68% of the time. Chief Privacy Officer at WebSideStory, the U.S. company which carried out the survey, said: “Although some Web surfers may not know how to disable cookies in their browsers, such a minute percentage indicates that cookies are simply not a big concern among most Internet users”. However, the use of cookies has also raised concerns over consumer privacy. For example, a recent lawsuit against the Internet advertising company DoubleClick accused the company of illegal “cookie-frenzy”. Also, Amazon has admitted to using cookies to determine product pricing, and may give first time visitors to their Web site (or those who disable their cookies) larger discounts than regular visitors. (From an article published on www.theregister.co.uk)
What is a Cookie?
For the unaware, a cookie is a small text file placed on a user’s computer by a Web site which can log information about the user and the number of visits they make to the site. Web site owners claim that cookies are beneficial to the user, allowing faster access and ‘personalization’ of the site for that user. However, the use of cookies also raises a number of security issues.
The following guidelines are appropriate:
- You should be aware that confidential data may be stored by means of a cookie saved on your PC and accessed by a Web site whilst you are browsing – most likely without your knowledge.
- To turn off automatic cookies, select the security function from your browser toolbar and set “receive cookies” to “off”.
- Alternatively, cookies may be monitored by the use of cookie management software.
- Ensure that you disable cookies from sites which might potentially share your details with third parties.
- Where possible, avoid entering confidential data on Web sites or other Internet resources.
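As an added illustration of the kind of filtering the guidance above describes (turning "receive cookies" off, or using cookie management software to reject cookies from sites that may share your details with third parties), the following Node.js script is example code written for this newsletter page; it is not part of the original article, nor the code of any product the newsletter mentions. It parses Set-Cookie headers as a browser would receive them and applies a simple user policy. All host names, header values, policy field names and function names are constructed for the example.

```javascript
// Cookie-management filter (added example, not from the newsletter).
// Policy fields (assumed names for this example):
//   receiveCookies  - false means "receive cookies" is switched off: reject all
//   blockThirdParty - reject cookies whose domain is not the page's own domain
//   blockedDomains  - sites whose cookies are never stored (constructed list)

// Parse one Set-Cookie header value into name, value and attributes.
// Flag attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(), attributes: {} };
  for (const attr of parts.slice(1)) {
    const [key, ...val] = attr.split('=');
    cookie.attributes[key.trim().toLowerCase()] = val.length ? val.join('=').trim() : true;
  }
  return cookie;
}

// True when `host` is `domain` itself or a subdomain of it (leading dots ignored).
function isWithinDomain(host, domain) {
  const h = host.replace(/^\./, '').toLowerCase();
  const d = domain.replace(/^\./, '').toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Decide whether a cookie sent by `settingHost` while the user views a page
// on `pageHost` should be stored, and record the reason for the decision.
function evaluateCookie(header, settingHost, pageHost, policy) {
  const cookie = parseSetCookie(header);
  // Without an explicit Domain attribute the cookie belongs to the host that set it.
  const domain = (cookie.attributes.domain || settingHost).replace(/^\./, '').toLowerCase();
  const verdict = (accepted, reason) => ({ name: cookie.name, domain, accepted, reason });

  if (!policy.receiveCookies) return verdict(false, 'receive cookies is off');
  if (policy.blockedDomains.some((blocked) => isWithinDomain(domain, blocked))) {
    return verdict(false, 'domain is on the block list');
  }
  // First-party: the cookie domain is the page's host, a parent of it, or one of its subdomains.
  const firstParty = isWithinDomain(pageHost, domain) || isWithinDomain(domain, pageHost);
  if (policy.blockThirdParty && !firstParty) return verdict(false, 'third-party cookie');
  return verdict(true, 'accepted');
}

// Apply the policy to every Set-Cookie header received during a page visit.
function applyPolicy(received, pageHost, policy) {
  return received.map(({ from, header }) => evaluateCookie(header, from, pageHost, policy));
}

// One line of human-readable output per cookie.
function describeResults(results) {
  return results.map((r) => `${r.accepted ? 'STORE ' : 'REJECT'} ${r.name}@${r.domain}: ${r.reason}`);
}

// Constructed sample: headers a browser might receive while viewing shop.example.
const sampleHeaders = [
  { from: 'shop.example', header: 'visits=3; Path=/; Secure; HttpOnly' },
  { from: 'ads.tracker.example', header: 'uid=abc123; Domain=.tracker.example; Path=/' },
  { from: 'cdn.shop.example', header: 'session=xyz; Domain=shop.example; Secure' },
  { from: 'widgets.social.example', header: 'sid=42; Path=/' },
];

// Constructed user policy: cookies on, third-party cookies off, one blocked site.
const userPolicy = { receiveCookies: true, blockThirdParty: true, blockedDomains: ['tracker.example'] };

console.log(describeResults(applyPolicy(sampleHeaders, 'shop.example', userPolicy)).join('\n'));
```

With the sample policy the two first-party cookies from shop.example are stored, the tracker cookie is rejected because its domain is on the block list, and the social widget cookie is rejected as third-party; setting receiveCookies to false rejects all four, which is the effect of the "receive cookies off" browser setting described above.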
MORE FOCUS ON BCP (ISO17799 Section 11) FOLLOWING SEPT 11
“To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters” – ISO17799 SECTION 11 OBJECTIVE
“A business continuity management process should be implemented to reduce the disruption caused by disaster and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.” – ISO17799
The tragic events of the 11 September have resulted in a reappraisal of disaster recovery arrangements by many companies. Firms who supply products which assist with contingency planning and crisis management are reporting a significant increase in numbers seeking advice and guidance.
Terence Hewett, of Glendale Systems, developers of the BCP Generator product, comments, “Companies are recognizing that they need to give greater importance and urgency to preparing for unexpected events that can affect their ability to stay in business. If your disaster recovery plan is in place then you have a reasonable chance of staying afloat if disaster strikes your business. This is obviously in your shareholders’, your customers’ and your employees’ best interests.”
Posted: September 1st, 2010 | Author: admin | Filed under: Issues
ISO17799 News – Issue 6
Welcome to this, the sixth edition of the ISO17799 newsletter, designed to keep you abreast of news and developments with respect to the ISO 17799 information security standard.
The information contained is free to our subscribers and provides guidance on a range of practical issues, plus commentary on recent Information Security incidents.
1) Obtaining ISO17799 Itself
2) Information Classification Criteria
3) ISO17799 – a World Wide Phenomenon
4) Third Party Cyber Crime Attacks
5) ISO17799 and Software
6) Employee Internet Abuse
7) More Frequently Asked Questions
8) My Favorite Web Sites
9) Continuity Backup and Recovery Strategy (Section 11)
10) More on SLAs (Section 4)
11) Employee Confidentiality Undertakings
12) BSI Certifications
13) It Couldn’t Happen Here…. Could It?
OBTAINING ISO 17799
The standard itself is available from:
http://www.iso17799-made-easy.com
This is the home page for the ISO17799 Toolkit. This package was put together to help those taking the first steps towards addressing ISO17799. It includes both parts of the standard, audit checklists, a roadmap, ISO17799 compliant security policies, and a range of other items.
http://www.iso17799.net
This is the ISO17799/BS7799 Electronic Shop. Essentially it is an online vending site for downloadable copies of the standard.
INFORMATION CLASSIFICATION CRITERIA
An important task for the Information Security Manager (or the person who is assigned these duties) is to establish a system to classify the organization’s information with respect to its level of confidentiality/importance.
It is advisable to restrict the number of classification levels in your organization to a manageable number, as having too many makes maintenance and compliance difficult. For those currently without a structure, we suggest a five point system:
- Top Secret: Highly sensitive internal documents. For example: impending mergers or acquisitions; investment strategies; plans or designs that could seriously damage the organization if lost or made public. Information classified as Top Secret has very restricted distribution and must be protected at all times. Security at this level is the highest possible.
- Highly Confidential: Information that is considered critical to the organization’s on-going operations and could seriously impede them if made public or shared internally. Such information includes business plans, accounting information, the sensitive information of customers of banks, solicitors, or accountants etc.; patients’ medical records, and similar very sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security should be very high.
- Proprietary: Procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for use by authorized personnel only. Security at this level is high.
- Internal Use Only: Information not approved for general circulation outside the organization where its disclosure would inconvenience the organization or management, but is unlikely to result in financial loss or serious damage to credibility. Examples include: internal memos, minutes of meetings, internal project reports. Security at this level is controlled but normal.
- Public Documents: Information in the public domain: annual reports, press statements etc. which have been approved for public use. Security at this level is minimal.
Care should always be applied regarding a user’s tendency to over-classify their own work. It can sometimes be erroneously surmised that the classification level assigned to a user’s work reflects directly on the individual’s own level of importance within the organization.
ISO17799 – A WORLD WIDE PHENOMENON
Our source list for purchases of ISO17799 has proved a popular talking point in previous editions of ISO17799 News, so here is the most recent version:
Argentina 1
Argentina 2
Australia 7
Austria 7
Barbados 2
Belgium 9
Bermuda 1
Bosnia and Herzegovina 1
Brazil 6
Brunei 1
Canada 68
Cayman Islands 1
Chile 4
China 3
Colombia 6
Costa Rica 1
Croatia 1
Cyprus 1
Denmark 11
Egypt 4
France 6
Germany 31
Gibraltar 1
Greece 4
Guatemala 1
Hong Kong 9
Hungary 2
India 6
Indonesia 4
Ireland 14
Isle of Man 1
Israel 1
Italy 26
Japan 6
Malaysia 5
Mexico 12
Netherlands 18
New Zealand 3
Norway 12
Panama 1
Portugal 2
Russia 4
Saudi Arabia 2
Singapore 10
Slovak Republic 1
Slovenia 2
South Africa 6
Spain 17
Sultanate of Oman 1
Sweden 8
Switzerland 24
Taiwan 3
Thailand 2
Tunisia 1
Turkey 2
UAE 4
UK 298
USA 326
Venezuela 2
The same health warnings apply as did last time: these are online credit card sales. As a consequence, those cultures that are less familiar with this form of commerce will be under represented in the figures.
THIRD PARTY CYBER CRIME ATTACKS
This critical topic is covered in ISO/IEC 17799 under Section 9.4 “Network Access Controls”.
There is, of course, a high risk of external security breach where network security is inadequate. It is extremely important to have an effective policy statement covering this risk area… for the following reasons:
· Criminals may target your organization’s information systems, resulting in serious financial loss and damage to your business operations and reputation.
· Cyber crime is an ever-increasing area of concern, and suitable training must be given to those persons responsible for network security to minimize such risks.
A suitable high level policy statement covering this could be as follows:
“Security on the network is to be maintained at the highest level. Those responsible for the network and external communications are to receive proper training in risk assessment and how to build secure systems which minimize the threats from cyber crime.”
It is necessary to build adequate defences against such attacks. The following areas are among those that should be considered:
· Verify that the primary safeguards of your network and those of your individual systems are in place.
· Identify the access points of your network layout, and verify that the current safeguards are operational.
· Consider the following network protection facilities, some of which offer multiple features:
- Intrusion detection software that records attempted and successful access to your systems.
- Pattern (usage) analysis, which identifies changes in on-line activity that may indicate a criminal attack.
- Access control lists and facilities, which record certain activities for specific files, such as: read, write, execute, delete.
- System based accounting records.
- Network usage analysis, which identifies application access and reports on user authorization levels.
- Network packet sniffing software to detect attack origins.
- URL blockers (e.g. your firewall) that can prevent connection from specific, untrustworthy web sites and / or other computers.
- Word pattern usage analysis that can help e-mail system administrators track down breaches in e-mail policies.
Further advice on this risk area and all others covered within ISO/IEC 17799 can be obtained from the RUSecure Security On-line System at: http://www.yourwindow.to/security-policies/
ISO17799 AND SOFTWARE
We are sometimes asked about the role of software/products with respect to ISO17799, particularly the two most well known offerings, COBRA and The ISO17799 Toolkit. Where do they fit in? Are they competitor products or do they complement each other? How do they help?
The truth is that they fulfill completely different needs:
A) The ISO17799 Toolkit comprises the basic building blocks: the standard itself (both parts), 17799 cross referenced security policies, and so on. It is intended to ‘get you going’ on the right path straight away, by providing some basics, as well as guidance and explanations by way of presentations, a glossary, a roadmap, etc. It can basically be seen as an introduction and starting pack for compliance with the standard.
B) COBRA, on the other hand, is designed to help you manage that compliance. It takes you through the standard and ultimately measures your compliance level, pointing out where you fall short. Quite apart from this, it is one of the most widely used (possibly THE most widely used) risk analysis systems in the world. Bear in mind that risk analysis is integral to the requirements of the standard: references to ‘as determined by risk assessment’ are woven throughout it.
In essence therefore, one product gets you started, the other helps you manage.
SOURCES
For further information on the ISO17799 Toolkit, and to obtain a copy, see: http://www.iso17799-made-easy.com
For COBRA, see: http://www.security-risk-analysis.com
EMPLOYEE INTERNET ABUSE
Although employers are placing increased emphasis on setting up policies covering internet and email abuse, the message is not always getting across to the employees. According to Eric Jacksch, who is president of a leading Canadian IT security firm, employees are continuing to put their employers at risk and also wasting significant levels of corporate resources. These abuses include inappropriate email use, loss of productivity through slow web access, and downloading of music, games and pornography.
It is suggested that the first steps to address this are as follows:
- The first step is to ensure that your organization has a clear policy on the acceptable use of the organization’s information resources
- Secondly, ensure that this (and other information security policies) is delivered effectively to the employee either through the PC or workstation/desktop, or through the organization’s intranet. Also, ensure that the employee is made fully aware of the consequences of non-compliance.
- Thirdly, ensure that the employee is made aware of the organization’s right to monitor all email and internet traffic in and out of the organization.
These steps alone should reduce the scale of the problem, but equally importantly, they lay a solid foundation should further action be required. For more policies see the address above.
ISO17799 – MORE FREQUENTLY ASKED QUESTIONS
1) Where can I find back issues of the ISO17799 Newsletter?
All back issues are posted to: http://www.iso17799-web.com
2) Who published ISO 17799? BSI or ISO?
Both… sort of. ISO 17799 is an ISO standard of course. However, there is a Part 2 to cover security management systems. This is published by BSI as BS7799 Part 2.
3) Where can I find a consultant specifically for ISO 17799?
Email iso17799@7safe.com or see The ISO17799 Consultants Directory at: http://www.iso17799world.com
4) Can I discuss ISO17799 with people online?
A new forum has recently been created at: http://groups.yahoo.com/group/iso17799security/.
5) Can I re-publish parts or all of ISO17799 News on our company intranet or via internal communication?
Subject to reference to the source web site (see Question 1) permission is almost always granted.
6) What is the difference between accreditation and certification?
Essentially an accreditation body is an organization (usually national) that grants third parties the authority to issue certificates (to certify). It is the latter, therefore, that issues certificates (certifies) against standards/etc. The former confers the right to do this on the certification company.
7) What are the 10 sections of ISO17799?
- Security Policy
- Security Organization
- Asset Classification and Control
- Personnel Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Systems Development and Maintenance
- Business Continuity Management
- Compliance
MY FAVORITE WEB SITES
From time to time we will invite a well known information security figure to nominate their favorite IS related web sites. For this issue we present the favorites of Jenni Harrison of the ISO17799 Directory.
a) Your Window To…
This is a little known portal with a wealth of free to access resources. (www.yourwindow.to)
b) BBC…
Not just news, almost an encyclopedia of resources. (www.bbc.com)
c) CCCure…
A rich source of information for CISSP. (www.cccure.org)
SECTION 11: CONTINUITY BACK-UP / RECOVERY STRATEGY
One of the most important aspects of Business Continuity Planning for the majority of organizations is choosing an appropriate strategy for the back-up and recovery of the IT based systems.
In this section of the planning process, the key business processes are normally matched against the IT systems and an appropriate speed of recovery strategy is chosen. This may require some in-depth research to determine the relevant costs of each strategy. It may also be necessary to prepare a detailed Request for Proposal for vendors to establish the viability and cost of the preferred strategic approach and related support.
Consideration should also be given to the impact of potential severe damage to both premises and communication systems which could have a significant impact on the organization’s IT services and systems.
There are a number of strategic options to be investigated when considering IT systems back up and recovery processes. The two most important factors to be considered are the criticality of the IT systems to the business process itself (the speed of recovery needed), and the amount of money available for IT back up and recovery strategies. The options, in order of cost, are as follows:
Fully mirrored recovery site
This strategy entails the maintenance of a fully mirrored duplicate site which would enable instantaneous switching between the live site and the back up site. This is normally the most expensive option.
Switchable hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain an identical site with communications to enable you to switch your IT operations to his site within an agreed time period, usually less than one to two hours.
Hot site
This strategy involves the establishment of a commercial arrangement with a vendor who will guarantee to maintain a compatible site to enable you to switch your IT operations to his site within an agreed time period, usually less than six to twelve hours.
Cold site
This strategy involves setting up an emergency site once the crisis has occurred, with a standby arrangement with a vendor to deliver the minimum configuration urgently. This option usually enables the organization to be operational within two to three days.
Relocate and restore
This strategy involves the identification of a suitable location, hardware and peripherals and re-installing the systems and backed up software and data after an emergency has occurred. This strategy is often considered to be inadequate for the needs of today’s business.
No effective back-up strategy
This at first glance appears to be the cheapest strategy but it also carries the highest risk as it will often involve no effective off-site back up of systems or data. As you would expect, this strategic option usually ends up with the organization eventually going out of business as they are not prepared for any unexpected emergencies occurring. You would be surprised at the number of businesses that adopt this approach to Business Continuity and Disaster Recovery. It often ends up being the most expensive strategy of all.
Finally, if you do decide to outsource some or all of these IT disaster recovery back-up processes don’t forget to insist that your supplier also has adequate business continuity planning processes in place that are up-to-date and fully tested!
Additional advice and guidance on Business Continuity and Disaster Recovery Planning can be found at: http://www.disaster-recovery-guide.com
MORE ON SERVICE LEVEL AGREEMENTS
Service Level Agreements (SLAs) are covered in Section 4 of ISO/IEC 17799 and it is important that both the Supplier and the Purchaser/User of IT and other services fully understand the implications and responsibilities inherent in such agreements.
An SLA is effectively a proxy contract that the two parties have negotiated and signed, specifying the terms and conditions under which the service delivery is to be effected.
Both parties must clearly understand their respective roles and responsibilities in respect of the delivery of these services, and this information is usually included in the SLA. The Supplier and the Purchaser/User are identified together with a statement of expectations and abilities. The Purchaser/User should also fully understand the cost of receiving these services and the basis for the calculation of those costs. The Supplier is accountable for the quality and performance levels of the services and the service availability.
A comprehensive and interactive electronic guide to simplify the preparation and understanding of SLAs is now available. Further information can be found at: http://www.service-level-agreement.net
EMPLOYEE CONFIDENTIALITY UNDERTAKINGS
It is increasingly important that employees are required to sign confidentiality undertakings to their employers. The following guidance is given for consideration, although organizations are recommended to seek further expert opinion on the suitability of such statements to their own contracts of employment:
‘Confidential Information’ normally means any information which is not generally known in the relevant trade or industry, and belongs to the Organization, or is learned, discovered, developed, conceived, originated or prepared during, as a result of, or in connection with, the Employee’s work, or relates to the Organization’s customers or clients, including but not limited to:
- Information which is unique to the Organization
- Information relating to the existing or contemplated products, services, technology, designs, processes, formulae, computer systems, computer software, algorithms, research or development of the organization;
- Information relating to the business plans, sales or marketing methods, methods of doing business, customer lists, customer requirements or supplier information of the Organization;
- Information relating to proprietary products or services;
- Any proprietary information not generally known to the public;
- Any information which the Organization or their clients or customers may wish to protect by patent or copyright, or by keeping it secret or confidential; and
- Information which may affect the value of the shares in the Organization and (where relevant) any price sensitive information
The Employees should be asked to acknowledge that the Organization:
- Is (inter alia) in the business of providing
- Has and will invest significantly in terms of money and time in developing their business and products;
- Has and will expect to develop confidential proprietary information relating to their business; and
- Operates in a highly competitive commercial arena.
The Employees should acknowledge that during their employment they may have access to, gain knowledge of, be entrusted with and be involved in the creation of Confidential Information, improper disclosure of which could:
- Result in the Organization losing its competitive edge;
- Cause the Organization to suffer financial loss; and
- Be otherwise detrimental to the Organization.
The Employees should undertake that both during employment or thereafter, they will:
- Not disclose, divulge or communicate to any person any Confidential Information, save to those officials of the Organization whose proper province it is to know such information or with the written consent of the Board;
- Do everything reasonably within his/her power to protect the confidentiality of all Confidential Information;
- Not use any Confidential Information for his/her own benefit or for the benefit of any third party or in a manner which could be detrimental to the Organization;
The Employees should also undertake that on leaving the company they will:
- Deliver up to the Organization all copies and originals of documents, computer disks, tapes, accounts, data, records, papers, designs, specifications, price lists, lists of customers and all other information, whether written or electronically stored, which belongs to the Organization or relates in any way to their business or affairs or the business or affairs of any of their suppliers, agents, distributors or customers, or contains any Confidential Information, and is in the Employee’s possession or under his/her control.
- Upon request supply the Organization with a signed statement confirming that the Employee has complied with this undertaking.
Again, further guidance on this and similar topics is included in the RUSecure Security On-line Support system (http://www.yourwindow.to/security-policies/).
BSI CERTIFICATIONS
We are pleased to add the following to the list produced in Issues 4 and 5, of those who have been certified by BSI with respect to BS7799 Part 2 for at least one system in at least one location:
MetroMail Ltd, NTT Communications Corporation, Systems Software Solutions, Solution Business Division (Japan), Miles Smith, Global Security Experts Inc, Marine Systems Associates Co. Ltd (Japan), Broadfern, NEXOR, e-Solutions Create Corporation, IT Frontier Corporation.
A number of organizations are now re-registering their original certificates (which are valid for 3 years). Successful organizations include: Cadweb Limited, Camelot Group Plc and DBI Consulting.
Congratulations to all these organizations.
In the next issue, we will also produce some sample scopes of registration from existing certificates.
IT COULDN’T HAPPEN HERE... COULD IT?
Every issue of The ISO17799 Newsletter features at least one TRUE story of an information security breach and its consequences:
1) The Long Goodbye
After a series of serious disagreements with his fellow directors, a director left the UK branch of an international network services company. As the service was used by a number of international banking groups, he decided to exact revenge.
Some time after his departure, he was still able to access the system… because the company’s termination/departure procedures did not immediately revoke access rights.
The banking groups found to their horror that extremely rude messages began to appear on their terminal links with other banks for no apparent reason. Transfers were delayed and some messages had parts missing.
It took some time to identify the cause. Although the cost was impossible to quantify, there was certainly serious damage in terms of the company’s goodwill and reputation.
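The control that failed in this story is the prompt revocation of leavers' access, and the breach went unnoticed for some time. The following added example (not part of the newsletter) shows two routine checks a security team can run: reconciling an HR leavers list against the directory to find accounts that should have been disabled, and scanning authentication records for successful logins after a leaving date. All names, dates and the log format are constructed for illustration.

```python
from datetime import date

# Constructed HR leavers list: username -> last day of employment.
LEAVERS = {
    "j.smith": date(2010, 6, 30),
    "a.jones": date(2010, 8, 15),
}

# Constructed snapshot of directory accounts and their enabled state.
ACCOUNTS = {
    "j.smith": {"enabled": True},   # leaver, never disabled: the failure in the story
    "a.jones": {"enabled": False},  # leaver, correctly disabled
    "m.brown": {"enabled": True},   # current employee
}

# Constructed authentication log, one event per line: "YYYY-MM-DD user RESULT".
AUTH_LOG = """2010-06-29 j.smith LOGIN_OK
2010-07-02 j.smith LOGIN_OK
2010-07-03 m.brown LOGIN_OK
2010-08-20 a.jones LOGIN_FAIL"""


def unrevoked_accounts(leavers, accounts, today):
    """Return leavers whose leaving date has passed but whose account is still enabled."""
    return sorted(
        user for user, last_day in leavers.items()
        if last_day <= today and accounts.get(user, {}).get("enabled", False)
    )


def post_departure_logins(leavers, auth_log):
    """Return (user, day) pairs for successful logins that occurred after the user's leaving date."""
    hits = []
    for line in auth_log.splitlines():
        day, user, result = line.split()
        when = date.fromisoformat(day)
        if result == "LOGIN_OK" and user in leavers and when > leavers[user]:
            hits.append((user, day))
    return hits


if __name__ == "__main__":
    print("Still enabled:", unrevoked_accounts(LEAVERS, ACCOUNTS, date(2010, 9, 5)))
    print("Logins after departure:", post_departure_logins(LEAVERS, AUTH_LOG))
```

Run against real HR and directory exports, the first check belongs in the leaver process itself and the second in the periodic review of access logs, so that a missed revocation is caught in days rather than months.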
2) Don’t Forget The Obvious
Dial-in or remote access can be a real Achilles heel if not properly controlled.
In a recent case, a young hacker gained access to a major corporation’s computer system by using the default password of a system engineer. It had never been changed from installation. This actually gave him considerable scope and powers of access.
To cover for himself, he changed a number of user passwords, semi-disabled the machine log, created several fictitious privileged users and tampered with the dial back system code. Getting more ambitious he established a communication link with another computer and ended up making it crash. All this took place over just two evenings.
Despite the fact that the hacker was not maliciously causing damage or attempting to make financial gain, his actions caused havoc. The installation ultimately had to close down its prime computer and restore from the previous week’s back-up, at considerable cost.