Review ICS Guidelines
500-1045 Howe Street
V6Z 2A9 Vancouver, B.C.
Ph. 604-314-4485
Fx: 604-6845909
foboni@riskope.com
Mr. xxxxxxxx
xxxxxxxxxx
xxxxxxxxxx
xxxxxxxxxxx
xxxx xxxx xxxx, 2011
Review of the document entitled xxxx Security Guidelines
Dear xxxx,
….. we have undertaken the review of the XXXX Security Guidelines
document ….......... information security (including industrial controls).
As a general introductory remark, we note that, despite the statements in Section 1, Introduction, of the received document, we know neither the intended audience of the received document (skilled staff, employees, company guests, vendors?), nor its precise scope, nor the limitations that have been given to the author(s). We believe it would be very useful for XXXX if those were clearly stated, as it would help calibrate the pertinent amount and level of technical information included in the Security Guidelines for each intended audience. We do understand that guidelines are generally purposely vague (see for example ISO 27000, ISO 31000, ON 49000, just to quote some in the area of Information Risk Management and Security), but we also know that it is usually in the details that security (of all kinds) gets compromised.
It is essential that all employees clearly understand the value of the Company's Information and their individual and collective responsibility to protect it. Awareness will constitute the first line of defense (see Human Factors below) in mitigating the chances of inappropriate malicious usage and other nefarious cyber activities. The document's last statement (Section 6, Personnel Security) rightly quotes ISA-99:
"Personnel security measures are meant to reduce the possibility and risk of human error, theft, fraud, or other intentional or unintentional misuse of informational assets."
© Oboni Riskope Associates Inc. Page 1 of 5 09/26/11
But it then states that this aspect of security is not covered within the proposed Security Guideline, since it references corporate policies and procedures, including hiring and employment conditions. It also states that "designers should keep in mind that inappropriate access by corporate staff and other approved people is as much an issue as hackers". We are in total agreement with the author(s) of the document and encourage XXXX to "break up the silos", as Information Security should cover the selection, hiring, etc. of personnel, subcontractors and suppliers. Personnel are one of the most likely sources of leaks or file alteration, capable of annihilating any technical effort described in the Guidelines.
Thus, we would also encourage the compilation of several versions of the guidelines, tailored to the needs of the various layers of users (see the "need to know" remark below). As a matter of fact, for example, the present glossary is well written and professional, but ….......
We understand these Security Guidelines should determine the minimum level of security to be achieved and establish the criteria against which results are measured. So, coming back to information/competence silos, we find it odd that there is no formal and well-structured reference to any protection from physical man-made or natural hazards, business continuity plans, resumption plans, backup capabilities, etc. Again, we do not know if …....., but we would encourage XXXX to include these considerations in a broader view of IS.
You will find below a point-by-point analysis of the received document, in the form of a list of themes that are either missing from the present document or should, in our opinion, be developed/expanded:
• Compliance with Information Security Policies (ISP) must be mandatory. Exceptions must be contemplated, but approved by the Company CIO. ISP apply to all information assets and processes.
• We have not seen a section on Separation of Duties and Functions, Individual Accountability or Maintenance of Trust (Security Principles and Strategies).
• There should be a section on client and supplier involvement in Information Security.
• Strategies, Information Security Management xxx...
• We believe the document would be stronger if it were based on what users "Need to know", "Need to do", "Separation of Functions" and "Individual Accountability" (note xxx).
• We have seen neither a chapter regarding Users' Work Space (for instance securing …..... in a locked desk or file cabinet, etc.; cleaners, janitors and other third-party workers can be hackers, agents, criminals), nor one on Secure Work Habits: users must develop and implement security-conscious work habits in order to keep their workplace safe.
• The Network Access Controls section (see note yy) should be significantly expanded by defining, for example:
o Policy on network services use
o ….
o ….
o Network routing address control
• We think that Operating System Access Controls should be expanded upon: the log-on process must indeed be configured to minimize the opportunity for unauthorized access, for example:
o Unsuccessful log-on attempts (record unsuccessful log-ons, etc.)
o …..
o …...
o Mobile computing and teleworking
o Smartphones
• We have seen only a minor section of the document dedicated to Human Factors. Security Awareness Training must be provided to users to ensure they are:
o Aware of the additional risks and responsibilities inherent to mobile computing, smartphones and company personal computers and workstations
o A Security Threat and Risk Assessment must consider threats to information and information technology assets, such as: physical theft, data interception, credential theft, device destruction, information destruction, malicious and mobile code
• Minimum Information Protection safeguards, such as encryption of stored data, should be described.
• A section on Information Systems Acquisition, Development and Maintenance is missing from the reviewed document. Such a section should establish requirements for ….........:
o Security requirements of information systems
o System security plan
o …..
o …..
o Security of development and support processes, changes to software ….
• Technical Vulnerability Management, including:
o Monitoring of external sources of vulnerability information
o Risk assessment of published vulnerabilities
• Communication and Operations Management. This chapter must establish the requirements to support the integration of information security in the services provided by XXXX information processing facilities. Examples are: …....
• The reviewed document seems to focus only very briefly on protection against malicious and mobile code.... The existence of malicious code and related attacks must indeed be considered a fact by a company operating an ICT infrastructure connected to the outside world. Malicious code …..
Among possible prevention and detection controls:
o Installing, updating and consistently using approved software designed to scan for, detect, repair and provide protection.
o ….
o …...
o Restriction on mobile code (scanning mobile code before execution, etc.)
• In the reviewed document we did not find any reference to Back-Up. Information and information systems must be yyyyy. The back-up and recovery strategy must comply with, for example:
o Business continuity plans
o ….
o …..
o Recovery point objectives, the point in time to which data must be restored to resume processing transactions …
• We stress the importance of testing back-up and recovery processes (at least once per month). We stress as well the importance of network control and management (…...) to maintain the integrity of networks and of changes to network device configuration information (such as ....).
• Wireless Local Area Networking should also receive attention, for example:
o Strong link layer encryption
o …..
o …..
o Instructions on how to use telephones and smartphones if some exchange of information occurs during a telephone conversation, etc.
• We have not found any chapter regarding e-mail management in the document. We underline the importance of setting up clear rules for ….
• The reviewed document does not include requirements for reporting a possible breach of information security, …..... reporting and mitigating security events.
• A section on Business Continuity Management is also apparently missing. That section should provide guidance for planning the resumption of business or services in the aftermath of a man-made or natural disaster. Of course, the events or sequences of events that can cause interruption to the Company's day-to-day business processes (e.g. natural, third party, criminal, military, man-made) must be identified. A Risk Assessment must then be undertaken to determine the impact of those interruptions, in both damage scale and recovery period. A Business Continuity Strategy must be developed using the results of the risk assessment, which will determine the overall approach to business continuity.
Š Oboni Riskope Associates Inc. Page 4 of 5 09/26/11
• A section on Compliance should describe the requirements for verifying that information systems comply with …..... (for example: suppliers are forbidden to …. etc.). Compliance policies identify how to ensure that the Company is in compliance with applicable laws and policies (...).