Credit Union IT Governance

Credit Union IT Governance

Information Systems Security Policy

We’re an IT solutions provider, empowering people through technology.

meeting
Credit Union IT Governance

Credit Union IT Governance

Information Systems Security Policy

As computers and other digital devices have become essential to business and commerce, they have also increasingly become a target for attacks. In order for a company or an individual to use a computing device with confidence, they must first be assured that the device is not compromised in any way and that all communications will be secure.

Information systems are combinations of hardware, software, and telecommunications networks that people build and use to collect, create, and distribute useful data, typically in organisational settings. An effective information security policy should specify a hierarchy of risk categories for the types of information being protected. These might be ranked according to the magnitude of the impact to the organisation. Such categories should be neither numerous nor complex. High-, medium-, and low-impact designations with accompanying criteria would suffice.

The Information Security Triad: Confidentiality, Integrity, Availability.

Information Systems Security Policy Credit Unions

Confidentiality

When protecting information, we want to be able to restrict access to those who are allowed to see it; everyone else should be disallowed from learning anything about its contents.

Integrity

Integrity is the assurance that the information being accessed has not been altered and truly represents what is intended. Just as a person with integrity means what he or she says and can be trusted to consistently represent the truth, information integrity means information truly represents its intended meaning.

Availability

Information can be accessed and modified by anyone authorised to do so in an appropriate timeframe. Companies such as Amazon.com will require their servers to be available twenty-four hours a day, seven days a week. Other companies may not suffer if their web servers are down for a few minutes once in a while.

Security Policy Settings

Authentication

The most common way to identify someone is through their physical appearance. The most common form of authentication today is the user ID and password. In this case, the authentication is done by confirming something that the user knows (their ID and password). But this form of authentication is easy to compromise and stronger forms of authentication are sometimes needed.

Access Control

Once a user has been authenticated, the next step is to ensure that they can only access the information resources that are appropriate. This is done through the use of access control. Access control determines which users are authorised to read, modify, add, and/or delete information.

Passwords

It turns out that this single-factor authentication is extremely easy to compromise. Good password policies must be put in place in order to ensure that passwords cannot be compromised. Below are some of the more common policies that organisations should put in place.

Backups

Another essential tool for information security is a comprehensive backup plan. Not only should the data on the corporate servers be backed up, but individual computers used throughout the organisation should also be backed up. A good backup plan should consist of several components.

  • A full understanding of the organisational information resources. What information does the organisation actually have?
  • Regular backups of all data. The frequency of backups should be based on how important the data is to the company, combined with the ability of the company to replace any data that is lost.
  • Offsite storage of backup data sets. It is essential that part of the backup plan is to store the data in an offsite location.

Firewalls

This is a method that organisations uses to increase security on their network, typically from external ingress into the systems. A firewall can exist as hardware or software (or both). A firewall protects all company servers and computers by stopping data travelling from outside the organisation’s network that do not meet a strict set of criteria. A hardware firewall is a device that is connected to the network and filters the packets based on a set of rules. A software firewall runs on the operating system and intercepts packets as they arrive to a computer.

Intrusion Detection Systems

An IDS does not add any additional security to a network, but it adds layers – provides the functionality to identify if the network is being attacked, the log may illustrate the various types of traffic on the network for analysis later.

Virtual Private Networks

A VPN allows a user who is outside of a corporate network to take a detour around the firewall and access the internal network from the outside. Through a combination of software and security measures, this lets an organisation allow limited access to its networks while at the same time ensuring overall security.

Physical Security

Physical security is the protection of the actual hardware and networking components that store and transmit information resources. To implement physical security, an organisation must identify all of the vulnerable resources and take measures to ensure that these resources cannot be physically tampered with or stolen.

  • Locked doors
  • Physical intrusion detection
  • Secured equipment
  • Environmental monitoring
  • Employee training

Mobile Security

As the use of mobile devices such as smartphones and tablets proliferates, organisations must be ready to address the unique security concerns that the use of these devices bring. Creating a BYOD (“Bring Your Own Device”) policy allows employees to integrate themselves more fully into their job and can bring higher employee satisfaction and productivity.

When an employee does have permission to access and save company data on his or her device, a different security threat emerges: that device now becomes a target for thieves. Theft of mobile devices (in this case, including laptops) is one of the primary methods that data thieves use.

Should we allow employees to bring their own devices and use them as part of their employment activities? Or should we provide the devices to our employees?

Personal Information Security

There is no way to have 100% security, but there are several simple steps we, as individuals, can take to make ourselves more secure.

  • Keep your software up to date
  • Install antivirus software and keep it up to date
  • Be smart about your connections
  • Back up your data
  • Secure your accounts with two-factor authentication
  • Make your passwords long, strong, and unique
  • Be suspicious of strange links and attachments

Security Policies

Besides the technical controls listed above, organisations also need to implement security policies as a form of administrative control. In fact, these policies should really be a starting point in developing an overall security plan. A good information-security policy lays out the guidelines for employee use of the information resources of the company and provides the company recourse in the case that an employee violates a policy.

According to the SANS Institute, a good policy is “a formal, brief, and high-level statement or plan that embraces an organisation’s general beliefs, goals, objectives, and acceptable procedures for a specified subject area.” Policies require compliance; failure to comply with a policy will result in disciplinary action. A policy does not lay out the specific technical details, instead it focuses on the desired results. A security policy should be based on the guiding principles of confidentiality, integrity, and availability

Creating an Information Systems Security Policy

Executive Summary

The first paragraph in the policy should be an “Executive Summary” of the policy. In this paragraph state the objective(s) of the policy in a general overview fashion. It should state why the policy was written. What the policy covers, and equally, what the policy does not cover. It should say, by whose authority this policy been written.

Scope and Applicability

The scope of the policy should state, who (employees, vendors, contractors, etc.) are covered by this policy, what types of operating systems, communications systems, network systems, etc. are covered. This paragraph should detail who (employees, departments, etc.) must adhere to this policy. And again, what is not covered in the scope of this policy,

Roles and Responsibilities

This section could also be used to create functional roles for various individuals within an organisation and to designate an IS Officer / IT Department and their roles and responsibilities.

Compliance

What happens to the department or individual that violates this policy? After having explained everyone’s roles in the preceding paragraphs, now explain what happens if the policy is not followed.

Risk Assessment

There should be a risk assessment, countermeasures, applied and tested, as required, and a contingency plan for every individual piece of IS equipment the corporation owns or operates, whether it be a mainframe, a workstation, a printer, a copier, a telephone system, etc.

Risk Management

This will probably be the largest section of the IS Security Policy as it has many elements to cover. Risk management looks at an organization’s IS assets exposure to environmental risks. Risk management is continuous and must be reevaluated whenever changes occur to the IS assets’  environment. These paragraphs should include such elements as those that affect the IS Security environment. Elements like the following must be included under this section:

access controls – usually descriptions of logon warning screens on a computer and access lists for dedicated computer rooms, non-disclosure agreements.

system backups – by whom, how often and where stored (offsite is best).

incident handling – what should be reported, to whom, what will be the response, by whom.

virus protection – mandatory installation of, how often updated (automatic or manual), virus incident handling.

unauthorised access – who is allowed to access the company’s computer assets and LAN

monitoring – stating who will monitor the network for internal and external intrusions, and users for violations of security policies, who has access to intrusion detection devices, who will review and/or disseminate the logs.

encryption – what is the company standard encryption methodology, when will encryption be used and by whom.

digital signatures – what is the company standard, when will digital signatures be used and by whom.

web presence – what is and is not allowed to be placed on a public web server and who is allowed to publish

disposing of resources – how to, by whom

passwords – duration, number of and what type of characters, who must use passwords, for what and when, how to create.

use of personal resources within the company – allowed or not allowed, if so, under what conditions

inspections and reviews – of what resources, how often, conducted by whom

entertainment software, games, etc. – allowed or not allowed, if allowed when can be used.

removal media – USB or other removal devices for personal or company use and usage marked

software copyrights – software copyright laws are very stringent, who will be liable if a copyright is violated, who is responsible to ensure copyrights are not violated.

personnel/physical security – what happens if a system containing sensitive information is moved out from a locked door.

vendor responsibilities – what rules will a vendor follow when using a company IS asset or when using its own assets on company premises.

public disclosure – who can release information to the public and under what restrictions. And what about non-disclosure agreements for employees as well as vendors.

computer room facilities/areas – IS Security personnel should be involved in the design stage of new computer room facilities in order in insure safeguards to protect company IS assets.

system configuration change – changes that alter the security profile (risk) of a company. IS asset should not be instituted without consulting IS Security personnel first.

audit of IS Security compliance – who will audit for compliance? (the Audit Department), how will the audit be conducted. An excellent source for auditing criteria is the Information Systems Audit and Control Association (ISACA™).

security awareness and training – mandates an IS Security awareness training program, indicates who should attend this training, how often training will be conducted and what will be included in the training.

inventory of IS assets –who should keep an inventory of all the company’s IS assets, who should have access to that inventory, is it available to the risk management/audit teams

documentation – to support risk management what support documentation should be maintained, by whom and how (electronically, etc.), i.e. risk assessment, countermeasures, test results documentation, standard operating procedures (SOPs), disaster recovery/contingency plans.