
Selecting control objectives and controls, Part II

Malaysia, Mon October 13 2003 By Alan See, CEO of e-Cop.net Surveillance Sdn Bhd

In this month's installment, we continue our discussion on selecting control objectives and controls to be implemented in an organisation. Previously, we identified the first five of the 10 broad categories of BS 7799-2:1999 Information security management - Part 2: Specification for information security management systems. It should be noted that some controls are mandatory for compliance or certification, while others are optional.

Communications and operations management

This category is further divided into seven parts: operational procedures and responsibilities, system planning and acceptance, protecting against malicious software, housekeeping, network management, media handling and security and, last but not least, exchange of information and software.

The objective of operational procedures and responsibilities is to achieve correct and secure operation of information processing facilities. The operating procedures identified in the security policy have to be documented and maintained, and any changes to information processing facilities and systems should be controlled. Incident management responsibilities and procedures should be established to ensure a quick, effective and orderly response to security incidents. Duties and areas of responsibility should be segregated in order to reduce opportunities for unauthorised modification or misuse of information or services. Prior to using external facilities management services, the risks must be identified and appropriate controls agreed with the contractor before being incorporated into the contract.

The objective of system planning and acceptance is to minimise the risk of systems failure. Capacity demands should be monitored and projections of future capacity requirements made to ensure that adequate processing power and storage are available.
Acceptance criteria for new information systems, upgrades and new versions should be established, and suitable tests carried out prior to acceptance.

The aim of protecting against malicious software is to protect the integrity of software and information. Organisations should implement detection and prevention controls to protect against malicious software and establish appropriate user awareness procedures.

The idea of housekeeping is to maintain the integrity and availability of information processing and communication services. It is advised that back-up copies of essential business information and software should be made regularly, while operational staff should maintain a log of their activities.

As for network management, the objective is to ensure the safeguarding of information in networks and the protection of the supporting infrastructure. A range of controls should be implemented to achieve and maintain security in networks.

The objective of media handling and security is to prevent damage to assets and interruptions to business activities. The management of removable computer media such as tapes, disks, cassettes and printed reports should be controlled, and such media disposed of securely and safely when no longer required. Procedures for the handling and storage of information need to be established in order to protect that information from unauthorised disclosure or misuse. System documentation should also be protected from unauthorised access.

Exchange of information and software aims to prevent loss, modification or misuse of information exchanged between organisations. Amongst the guidelines is the development of a policy for the use of e-mail, with controls put in place to reduce the accompanying security risks. Policies or guidelines must also be implemented to control the business and security risks associated with electronic office systems, and to protect the exchange of information through voice, facsimile and video communications facilities.

Access control

The next category is access control. It has eight parts: business requirements for access control, user access management, user responsibilities, network access control, operating system access control, application access control, monitoring system access and use, and finally mobile computing and teleworking.

The objective of business requirements for access control is to control access to information by defining and documenting those requirements; access should be restricted to what is defined in the access control policy.
User access management aims to prevent unauthorised access to information systems. There should be a formal user registration and deregistration procedure for granting access to all multi-user information systems and services, and the allocation of passwords must be controlled through a formal management process. It is advisable that a formal process is conducted at regular intervals to review users' access rights. The idea of user responsibilities is to prevent unauthorised user access: users are required to follow good security practices in the selection and use of passwords, and any unattended equipment must have appropriate protection.

The objective of network access control is the protection of networked services. Users should only have access to the services that they have been specifically authorised to use, and the path from the user terminal to the computer must be controlled. Any access by remote users or connections to remote computer systems must be authenticated. Controls should be introduced in networks to segregate groups of information services, users and information systems; shared networks should have routing controls to ensure that computer connections and information flows do not breach the access control policy of business applications.

Operating system access control's objective is to prevent unauthorised computer access. Amongst the requirements are automatic terminal identification and terminal log-on procedures. All users must have a unique identifier (user ID) for their personal and sole use so that activities can be traced to the responsible individual.

Application access control aims at preventing unauthorised access to information held in information systems, where there should be information access restriction. In addition, sensitive systems should have a dedicated and isolated computing environment.

The objective of monitoring system access and use is to detect unauthorised activities. Audit logs recording exceptions and other security-related events should be produced and kept for an agreed period to assist in future investigations and access control monitoring.

The goal of mobile computing and teleworking controls is to ensure information security when using mobile computing and teleworking facilities. It provides that there should be policies and procedures for such facilities.

In the next installment, we will continue with systems development and maintenance, business continuity management and compliance.
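An added example, not from the article or the standard, showing how the user access management and operating system access control points above (formal deregistration of leavers, review of access rights at regular intervals, and a unique, personal user ID for every account) can be checked in working code. It assumes a 90-day review interval as the policy value and uses a constructed staff register and account list.

```python
# Added example: an access-rights review in the spirit of BS 7799-2's user access
# management control. Each finding maps to a requirement named in the article.
from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_INTERVAL = timedelta(days=90)   # assumed policy value; the article only says "regular intervals"
AS_OF = date(2003, 10, 13)             # constructed review date (the article's publication date)

@dataclass
class Account:
    user_id: str         # unique identifier for personal and sole use
    owner: str           # person the account is registered to ("" if shared/unowned)
    last_reviewed: date  # date the account's access rights were last formally reviewed

# Constructed sample data: HR's register of current staff and a system's account list.
CURRENT_STAFF = {"aisha", "ben", "chen"}
ACCOUNTS = [
    Account("aisha", "aisha", date(2003, 9, 1)),
    Account("ben", "ben", date(2003, 5, 1)),        # rights not reviewed within the interval
    Account("dave", "dave", date(2003, 8, 1)),      # owner has left: should be deregistered
    Account("ops-shared", "", date(2003, 9, 1)),    # shared ID: activity not traceable to one person
    Account("chen", "chen", date(2003, 9, 15)),
    Account("chen", "chen", date(2003, 9, 15)),     # duplicate user ID
]

def review_access(accounts, staff, today, interval=REVIEW_INTERVAL):
    """Return findings keyed by control failure, each a sorted list of user IDs."""
    findings = {"deregister": [], "review_overdue": [], "not_personal": [], "duplicate_id": []}
    seen = set()
    for acct in accounts:
        if acct.user_id in seen:                    # unique identifier requirement
            findings["duplicate_id"].append(acct.user_id)
        seen.add(acct.user_id)
        if not acct.owner:                          # personal and sole use requirement
            findings["not_personal"].append(acct.user_id)
        elif acct.owner not in staff:               # formal deregistration of leavers
            findings["deregister"].append(acct.user_id)
        if today - acct.last_reviewed > interval:   # periodic review of access rights
            findings["review_overdue"].append(acct.user_id)
    return {k: sorted(set(v)) for k, v in findings.items()}

if __name__ == "__main__":
    for control, ids in review_access(ACCOUNTS, CURRENT_STAFF, AS_OF).items():
        print(f"{control}: {', '.join(ids) or 'none'}")
```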
