This article is going to focus on an overall information security management system. This is in line with industry best practices like ISO27001, COBIT, SSE-CMM and legislative requirements like HIPAA, SAS70 etc. To help organizations in kick-starting their information security practices, I have developed the following checklist.
POLICY: I would love to work in this area, if I am given a chance. This is the place where you define the practices. A policy reflects the management's intention towards achieving information security, and every policy has to be approved by an authority in an approving capacity. Policies shall include an Information Security Policy and an Acceptable Use Policy. In addition to policies you should develop the standards and operating procedures. Finally, you need to have the roles and responsibilities defined to ensure that the policies and procedures are enforced by the responsible users.
USER ACKNOWLEDGEMENT: Now you have policies and procedures. These need to be understood by the employees; this can be achieved by training, and you need to keep proof of the same. A written, nowadays electronic, acknowledgement of their understanding and acceptance of the infosec policies needs to be obtained. If you have third parties (contractors, vendors etc.) accessing your information, the acknowledgement is applicable to them also.
CONFIDENTIALITY AGREEMENTS: OK, now it's time to add legal clauses to your business in securing the information. Execute signed confidentiality agreements before disclosing any sensitive or proprietary information to outside users. It is a good practice to have an NDA with the employees as well (recent surveys show that internal threats materialize faster than outside threats).
PHYSICAL SECURITY: Protect your physical infrastructure. Identify the physical entry points to the organization and ensure that only authorised users are entering the premises. Protect the paper documents that are spread across your desk and printer, and close your shelves before you leave the place. Lock/logoff your computers when unattended.
PROTECTION AGAINST MALICIOUS SOFTWARE: Deploy antivirus software across the enterprise. Hmmm. OK, I would say plan a process/system to protect your information systems from malicious software attacks. The reason why I said the word 'process' is that you have to regularly update the virus definition files to keep your defence sharp against newly released viruses.
SOFTWARE PATCHES: Plan for a Patch Management system by which you can ensure that all the systems are patched with the latest security updates (please test the patches before deploying).
NETWORK SECURITY: Document your network perimeter (just like you have done with the physical perimeter). All connections to external networks should be documented, authorized by the management (Network Manager or above), and protected by firewalls and IDS. (Think about the desktops with modems connected.) Establish VPNs for extranet communication. Define an incident response plan and TEST it.
REMOTE ACCESS: Develop best practices for establishing remote access connectivity. Again, think about modems.
PASSWORDS: Very, very key in establishing a security framework. More on passwords in my next blog; please wait till then.
DATA SECURITY: Ensure that only authenticated and authorized users have access to the data.
AUDITS: Audit everything related to Information Security. Do vulnerability assessments on your computers and network devices. Audit the process and policy flows. Audit for illegal software. Yes, you have to do the auditing regularly, so the best approach is to prepare an audit plan and allocate an audit committee.
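As an added example (not code from the original post), the following Python script automates three checks from this checklist: the patch baseline from SOFTWARE PATCHES, the register of authorized external connections from NETWORK SECURITY, and the check for unapproved software from AUDITS. The host names, addresses and product names are constructed sample data. The patch check compares build numbers numerically, because a plain string comparison would accept "…998" as newer than "…1234".

```python
"""Audit helpers for a periodic infosec audit: patch levels against a baseline,
external connections against the authorized register, and installed software
against the approved list. All inventories are constructed sample data."""
from typing import Dict, Iterable, List, Tuple

# --- constructed sample inventories -------------------------------------------
# host -> installed OS build (constructed)
PATCH_INVENTORY: Dict[str, str] = {
    "fs01": "10.0.19041.1234",
    "db01": "10.0.19041.998",    # lexically "greater", numerically older
    "web01": "10.0.19041.1288",
}
PATCH_BASELINE = "10.0.19041.1234"

# external peers seen at the perimeter (constructed, documentation-range addresses)
OBSERVED_CONNECTIONS: List[str] = ["203.0.113.10", "198.51.100.7", "192.0.2.44"]
# connections documented and signed off by the Network Manager (constructed)
AUTHORIZED_CONNECTIONS: Dict[str, str] = {
    "203.0.113.10": "Primary ISP uplink",
    "198.51.100.7": "Partner extranet VPN",
}

# software found on one workstation vs. the approved list (constructed)
INSTALLED_SOFTWARE: List[str] = ["Office Suite 2003", "Antivirus Agent", "P2P Client"]
APPROVED_SOFTWARE: List[str] = ["Office Suite 2003", "Antivirus Agent"]


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19041.1234' into (10, 0, 19041, 1234) so comparison is numeric."""
    return tuple(int(part) for part in version.split("."))


def unpatched_hosts(inventory: Dict[str, str], baseline: str) -> List[str]:
    """Hosts whose installed build is older than the required baseline."""
    required = version_tuple(baseline)
    return sorted(host for host, build in inventory.items()
                  if version_tuple(build) < required)


def unauthorized_items(observed: Iterable[str], approved: Iterable[str]) -> List[str]:
    """Observed items with no entry in the approved/authorized register."""
    return sorted(set(observed) - set(approved))


def run_audit() -> Dict[str, List[str]]:
    """Collect findings for the three checks; empty lists mean compliant."""
    return {
        "unpatched_hosts": unpatched_hosts(PATCH_INVENTORY, PATCH_BASELINE),
        "undocumented_connections": unauthorized_items(OBSERVED_CONNECTIONS,
                                                       AUTHORIZED_CONNECTIONS),
        "unapproved_software": unauthorized_items(INSTALLED_SOFTWARE,
                                                  APPROVED_SOFTWARE),
    }


if __name__ == "__main__":
    for check, findings in run_audit().items():
        status = "OK" if not findings else "FINDING: " + ", ".join(findings)
        print(f"{check}: {status}")
```

In a real audit the inventories would come from your patch management console, firewall configuration and software inventory tool; the point is that each check reconciles what is observed against what the management has documented and approved.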
BUSINESS CONTINUITY PLAN: Ensure that you have business continuity. Identify key business objects (people, process, material, place, etc.). Document a plan for continuing business operations in case of an emergency. That shall include data backup and restore procedures, alternate facilities, replacement resources, etc.
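A backup procedure is only proven when the restore has been tested. As an added example (not from the original post), this Python drill backs up a directory of constructed sample files to a tar archive, records a SHA-256 manifest, restores into a fresh location and verifies every file against the manifest; it then damages one restored file to show that the verification catches it. Everything runs inside a temporary directory.

```python
"""Backup-and-restore drill: archive, restore, and verify by SHA-256 manifest.
Sample files are constructed inside a temporary directory."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source into a gzip tar and save the manifest beside the archive."""
    manifest = manifest_for(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, using the 'data' filter where the
    interpreter supports it so archive entries cannot escape the target dir."""
    target.mkdir(parents=True, exist_ok=True)
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extra)


def verify(manifest: Dict[str, str], restored: Path) -> List[str]:
    """Files that are missing from the restore or whose hash differs."""
    problems = []
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file() or sha256_of(path) != expected:
            problems.append(rel)
    return problems


def run_drill() -> Tuple[List[str], List[str]]:
    """Return (mismatches after a clean restore, mismatches after damaging a file)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "live"
        (source / "reports").mkdir(parents=True)
        # constructed sample business data
        (source / "reports" / "q3.txt").write_text("quarterly figures (constructed)\n")
        (source / "contacts.csv").write_text("name,phone\nops desk,555-0100\n")

        archive = base / "nightly.tar.gz"
        manifest = backup(source, archive)

        restored = base / "restored"
        restore(archive, restored)
        clean = verify(manifest, restored)

        # Simulate a damaged restore: truncate one file, verification must notice.
        (restored / "reports" / "q3.txt").write_text("")
        damaged = verify(manifest, restored)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = run_drill()
    print("clean restore mismatches:", clean)
    print("damaged restore mismatches:", damaged)
```

Keep the manifest with the backup media (or better, in a separate location) so the restore drill can prove integrity even when the original systems are gone, which is exactly the situation the continuity plan is written for.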