Why do most public and private sector organizations still maintain separate security organizations for their physical and cybersecurity functions?
Physical and environmental security
Control category A.11 deals with physical and environmental security. It deals with what might be called geographic or area security, with equipment security and with general controls to protect physical assets. Large or multi-site organizations might, as discussed in Chapters 5 and 6, need to break themselves down into a number of physical domains (giving due consideration to any communication links between them) and then consider each domain on its merits.
Secure areas
Control objective A.11.1 deals with secure areas. Its objective is to prevent unauthorized physical access, damage or interference to business premises and information. It has six sub-clauses. Critical or sensitive information and information processing facilities should be housed in secure areas protected by a defined secure perimeter, with appropriate security barriers (eg walls, fixed floors and ceilings, card-controlled entry gates) and controls (eg staffed reception desks) that provide protection against unauthorized access or damage to papers, media or information processing facilities. The protection implemented should be commensurate with the assessed risks and the classification of the information, and should take into account out-of-hours working and similar issues.
Physical security perimeter
Control 11.1.1 of ISO27002 says the organization should use a security perimeter to protect areas that contain information processing facilities. It may be appropriate, depending on the risk assessment and the classification of the information being protected, for an organization to use more than one physical barrier, as each additional barrier may increase the total protection provided.
The first step is to use a site or floor plan to identify the area that needs to be secured. A copy of this document should be found with the property title deeds. The plan that is with the deeds is there to show clearly the premises that the organization owns or leases, and it is the most appropriate base document to use for defining the secure perimeter as it identifies clearly the property over which the organization has control.
A continuous line should be drawn around the premises on the site plan, including all the information and information processing facilities that need to be protected. This line should follow the existing physical perimeter (and a perimeter in this context is something that provides a physical barrier to entrance) between the organization and the outside world: walls, doors, windows, gates, floors, fixed ceilings (false ceilings hide a multitude of threats), skylights, etc. Special attention should also be given to lifts and lift shafts, risers, maintenance and access shafts, etc. This site plan, showing the defined physical perimeter, should form part of the ISMS records. The ISO27001 auditor will almost certainly want to see it and then to test the effectiveness of the perimeter.
A comprehensive risk assessment should be carried out to identify the weaknesses, vulnerabilities or gaps in this perimeter, and from this assessment the appropriate physical controls – the additional physical barriers, such as doors, card-controlled gates, staffed reception desk, etc – can begin to be identified. While not all organizations will have information as valuable as that obtained by Tom Cruise’s character, Ethan Hunt, in the first Mission Impossible, the way in which he gained access to the room within which it was kept indicated that the guarding organization’s risk assessment had not been sufficiently thorough. There was a vulnerability in the physical perimeter that Ethan Hunt identified and then exploited in a way that demonstrates that ‘difficult to imagine someone coming in through those ducts’ was an inadequate approach to securing the physical perimeter. The ISO27001 auditor should want to see the documented risk assessment and will analyse its thoroughness and effectiveness, initially by challenging the person responsible for defining it and then, after inspecting likely vulnerable areas, by probing to see how secure it actually is.
The following controls should form part of the implemented security perimeter:
●● The perimeter itself is defined (and the secure environment within it is an asset that should have been the subject of a risk assessment) in a document and, if possible, by means of appropriate signage, and staff are aware of what and where it is.
●● The perimeter (particularly of a building containing information processing facilities) should be physically sound. There should be no gaps in the perimeter (risers, lift shafts, air-conditioning vents, etc should all be assessed) or areas where a break-in could easily occur. The external walls should be of solid construction and all external doors should be protected against unauthorized access using appropriate control mechanisms, one-way bars, alarms, locks, etc.
●● There should be a staffed reception area or other means to control physical access to the site or building. Access to secured premises should be restricted to authorized personnel only.
●● Physical barriers should be extended from real floor to real ceiling (ie below and above any false floor or false ceiling, particularly those installed to provide effective ducting for cabling) to prevent unauthorized entry or environmental contamination such as that caused by fire or flood.
●● All fire doors on a security perimeter should open outwards only, should slam shut (because they have working door-closing mechanisms fitted to them) and should be alarmed (and this fact should be advertised on the doors to try to prevent inadvertent false alarms). Some organizations site CCTV cameras to cover these doors to watch for deliberate false alarms that might be designed to distract security staff attention from a planned point of real break-in elsewhere or to enable a perimeter breach before security staff can attend.
●● Appropriate intruder detection systems (which are manufactured to relevant standards) should be professionally installed and maintained. All external doors and accessible windows (particularly on the ground floor) should be covered, and unoccupied areas should probably be alarmed. The alarm cover should be specifically extended to include computer and communications rooms. Copies of test certificates, schedules of key holders and alarm response procedures (who is to do what when an alarm goes, including out of hours) should be retained as part of the ISMS records. Key holders should receive training in how to respond to alarms, what to do to secure the site after a break-in or other incident, and what the escalation procedure is. The alarm response procedure should be reviewed after every alarm incident, and where a police response service is part of the security set-up, every effort has to be made to avoid false alarms, as these can lead the police to withdraw their cover. This is particularly important where the organization includes a manual alarm trigger at, for instance, the reception desk to help deal with unwanted intruders during opening hours; these alarms can easily be triggered accidentally. However, making them awkward to trigger detracts from their effectiveness in addressing the reason for having them in the first place.
There are particular problems where two or more organizations share physical premises. In these circumstances, more than one secure perimeter may be necessary. For instance, there may be a staffed reception desk that lets employees of both organizations on to the property according to jointly agreed procedures. Each organization might then restrict access to its own floors, either through key cards or through its own reception desk. Where this type of additional perimeter is not possible, there may need to be individual security perimeters around individual information assets or information processing facilities in order to ensure that the organization’s information processing facilities are physically separated from those managed by any third parties.
Physical entry controls
Control 11.1.2 of ISO27002 says that secure areas (see A.11.1.3, which is discussed below) should be protected by appropriate entry controls to ensure that only authorized personnel are allowed access to the premises. ISO27002 recommends specific controls, some of which are more difficult for smaller companies, but which are nevertheless worth considering and, wherever possible, implementing:
●● Visitors to secure areas – whether the site itself or specific areas within the site – should be supervised, or cleared in advance, and their date and time of arrival and departure recorded. Access should only be granted for specific, authorized purposes and all such visitors should be issued with instructions on the security requirements of the area and on emergency evacuation procedures. These instructions are usually recorded on a standard visitor’s pass, which itself records the date and time of arrival into a ledger on which the departure details can be recorded when the visitor leaves. Good practice would usually require the security staff issuing the visitor’s pass to confirm by telephone that the visitor is expected and the purpose of the visit. A more secure set-up would be for the visitor’s details to be notified to the reception desk in advance and for a telephone check to take place when the visitor arrives. In high-security areas, these visitor lists might have to be approved by a senior line manager before they are forwarded to the security desk. Visitors should be accompanied everywhere by a member of staff, and where necessary their identity should be reconfirmed prior to access to other sections of the secure area being granted. Visitors’ passes should use some slightly complex and visible system of demonstrating whether or not they are still valid; for instance, all passes issued on a Monday might have a black dot, those issued on Tuesdays a red square, etc.
●● The selection of security services is itself a security risk. Not all such companies take appropriate steps to vet and train their operatives, and it is therefore essential that appropriate controls in respect of external parties are fully implemented. No matter what their prior training or experience, security guards should also receive training in the internal security procedures of the organization for which they are providing security services.
●● Where access for unauthorized people to the site or building is controlled remotely from the reception desk, there should be an effective communication tool that enables the receptionist to identify (both verbally and visually) the visitor before allowing access.
●● Access to sensitive information, and information processing facilities, should be controlled and restricted to specifically authorized persons only. This is particularly important for the computer server room(s), access to which needs to be severely limited. Authentication controls, such as a swipe card and/or individual PIN codes, should be used to authorize and validate access to secure areas, and to secure areas within the security perimeter. If possible (and if required by the risk assessment), the swipe card entry system should also provide an auditable trail of access. The record of visitor passes issued should be maintained in a secure location, as it might, at some point in the future, be required to identify an intruder.
●● All personnel should be required to wear some form of visible identification (which could be incorporated with an access card – which might work through swiping, physical proximity or biometric accuracy) and should be encouraged to challenge or report unescorted strangers or anyone not wearing visible identification. A visible identification badge is a control far more important in a large organization than in a small one, but in any size of organization, unidentified and unaccompanied visitors should always be challenged. There are many organizations for which this, on its own, will require a significant culture change, and this could significantly contribute to improved security. Of course, even in a small organization the fact that visitors have to wear badges acts as a deterrent to opportunist trespassers or intruders, as they will realize that they are obviously out of place without the appropriate visual ‘stamp’ of approval (assuming this control is implemented effectively and passes are retrieved from visitors and staff leavers who no longer have need for them).
●● All staff who might encounter visitors should be trained so that it is difficult for a social engineer to bypass physical security controls.
●● Access rights to secure areas should regularly be reviewed, updated and, where necessary, revoked. This is particularly important for access rights to computer server rooms. The record should be reviewed on a regular basis by the information security management forum, and a record of the forum’s review should form part of the ISMS documentation.
●● Third-party support personnel should have access rights that are, to the greatest extent possible, restricted to those secure areas or information processing facilities they need to access for specific times, and these access rights should be monitored, reviewed and, where necessary, revoked.
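Several of these entry controls are records-based: an auditable swipe-card trail, a visitor ledger that records both arrival and departure, time-limited rights for third-party support staff, and periodic review and revocation of access rights. The script below is an added example, not from the book or from ISO27002, showing how such a trail can be checked against an access-rights register at review time; the register, card ids, areas and log lines are all constructed for illustration.

```python
"""Review a badge-access trail against an access-rights register.

Added example (not from the book or ISO27002). The register and the log
lines below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Right:
    """Access right held by one card: who holds it, which secure areas it
    opens, an optional permitted time window (time-limited third-party or
    visitor access), and whether it has been revoked at review."""
    holder: str
    areas: FrozenSet[str]
    window: Optional[Tuple[time, time]] = None
    revoked: bool = False


# Constructed access-rights register (card id -> right).
REGISTER: Dict[str, Right] = {
    "C001": Right("a.smith", frozenset({"office", "server-room"})),
    "C002": Right("b.jones", frozenset({"office"})),
    # Leaver whose card was revoked at the last review but never retrieved.
    "C003": Right("leaver", frozenset({"office", "server-room"}), revoked=True),
    # Third-party support engineer: server room only, 09:00 to 12:00.
    "V101": Right("vendor-tech", frozenset({"server-room"}),
                  (time(9, 0), time(12, 0))),
}

# Constructed swipe-card log: timestamp, card, area, event.
ACCESS_LOG = """\
2024-03-04T08:55:12 C001 server-room ENTER
2024-03-04T09:10:40 V101 server-room ENTER
2024-03-04T11:45:03 V101 server-room EXIT
2024-03-04T13:02:19 V101 server-room ENTER
2024-03-04T18:30:00 C002 server-room ENTER
2024-03-04T22:14:55 C003 office ENTER
2024-03-04T22:16:01 C999 office ENTER
"""

Finding = Tuple[datetime, str, str]


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, card, area, event)."""
    ts, card, area, event = line.split()
    return datetime.fromisoformat(ts), card, area, event


def audit(log_text: str = ACCESS_LOG,
          register: Dict[str, Right] = REGISTER) -> List[Finding]:
    """Return the exceptions a reviewer of the access trail should see."""
    findings: List[Finding] = []
    inside: Dict[str, datetime] = {}  # card -> last ENTER with no matching EXIT
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, card, area, event = parse_line(raw)
        right = register.get(card)
        if right is None:
            findings.append((ts, card, "unknown card"))
            continue
        if right.revoked:
            findings.append((ts, card, "revoked card used"))
        if area not in right.areas:
            findings.append((ts, card, f"not authorized for {area}"))
        if right.window is not None:
            start, end = right.window
            if not start <= ts.time() <= end:
                findings.append((ts, card, "outside permitted hours"))
        if event == "ENTER":
            inside[card] = ts
        elif event == "EXIT":
            inside.pop(card, None)
    # A time-limited card still shown inside at the end of the trail has no
    # recorded departure, which the visitor ledger control requires.
    for card, ts in inside.items():
        if register[card].window is not None:
            findings.append((ts, card, "no departure recorded"))
    return findings


if __name__ == "__main__":
    for ts, card, what in audit():
        print(f"{ts.isoformat()} {card}: {what}")
```

Run against the constructed log, the review reports five exceptions: the third-party engineer re-entering after the permitted window and never signing out, a staff member entering the server room without that right, a revoked leaver's card still opening a door, and an unknown card.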
Securing offices, rooms and facilities
Control A.11.1.3 requires the organization to create secure areas within the security perimeter to protect offices, rooms and facilities that have additional, special security requirements. A secure room may contain lockable cabinets or safes. Secure rooms could be any rooms within the premises but will certainly include server rooms, telecommunications rooms and plant (power and air-conditioning) rooms. Some other areas (such as accounts or HR, or directors’ offices) might also need to be secured. Many CEOs’ offices should also be treated as secure rooms.
There could be a clash, within organizations that are strongly committed to open-plan working, between the desire for openness and the need for security. This will have to be addressed and solutions found that can be consistently and coherently applied across the whole organization. Part of the solution will lie in what sort of meeting rooms or available secured areas can be used by employees, and part will depend on how information is classified and what facilities are made available for its storage.
ISO27002 provides very common-sense advice on the selection and design of a secure area, and this section should be read in conjunction with the next sub-section, ‘Protecting against external and environmental threats’. Secure area design should take account of the possibility of damage from fire, flood, explosion, civil unrest and other forms of natural or human-created disaster. The risks posed by neighbouring premises should be considered, such as potential leakage of water from outside the secure area. Secure storage facilities, such as safes and high-security document stores, also need to be sited in such a way that they can be located on a site map within the business continuity documentation and quickly and easily recovered after a disaster. This will require consideration to be given to issues such as the fire-resistance period of surrounding doors and floors; the organization wants to avoid scenarios where, for example, after an explosion in the building, a safe containing all the organization’s insurance documents falls from its location on the first floor right through into the basement of the building and has to be recovered (when it can be found) from among the debris of fire and flood.
The controls that ISO27002 recommends should be considered and, if appropriate, implemented include the following:
●● Key storage areas and keyed entrance areas should be sited to avoid access by unauthorized persons and by the public.
●● Buildings that contain information processing facilities should be unobtrusive and give as little indication as possible of their presence or purpose.
●● Office machinery, such as printers and photocopiers, should be sited within the secure perimeter in such a way that access to more secure rooms is not required. In other words, do not put the scanner or printer machine in the same room as the computer servers, nor in a public area where unauthorized individuals may access the output.
●● Doors and windows should be locked when the building or room is unattended. External protection, such as burglar bars, should be considered in the context of the risk assessment for ground-floor and any other accessible windows. This is particularly important for the computer server and communications rooms, which should be accessible only to a small number of authorized personnel, each of whom has individual access codes so that a record of access and egress can be maintained at an individual level. No one should be allowed into one of these rooms unless accompanied at all times by an authorized person. Externally, any special precautions taken for specific rooms (eg whitewashed windows or bars) should not stand out in comparison to other rooms, as this would clearly indicate to a potential intruder where the most valuable assets might be stored. There should be no obvious signs outside the building to indicate how valuable or important a room is.
●● As discussed earlier, information processing facilities managed by the organization should be physically separate from those managed by third parties, even if this means erecting a cage or some other form of physical security within a shared secure area.
●● Internal directories or telephone books or other guides that identify the location or telephone numbers of secure, sensitive areas should not be accessible by the public or unauthorized persons.
●● Hazardous or combustible material, particularly office stationery, should not be bulk-stored within a secure area. There should be a separate area, some distance away, where such material is stored. Regular inspections of secure rooms, by someone other than those responsible for their day-to-day management, are usually necessary to ensure that this requirement is observed.
●● Back-up equipment and media should not be stored with the equipment that they will back up, in order to ensure that the organization can actually restore operations if it loses or otherwise has compromised its front-line facilities (through, for example, fire in the server room or terrorist activity affecting the whole of the premises).
Finally, a word about keys: keys should not be left in locks, irrespective of whether or not the access route has an automatic door closer. If the lock has not been engaged, it is possible for the key to be used by someone (whether accidentally or maliciously) to activate the lock, thus restricting planned access or egress at a later time.
Protecting against external and environmental threats
Control 11.1.4 of ISO27002 encourages organizations to protect themselves from damage due to fire, flood, earthquake, explosion, civil unrest and other forms of natural or human-created disaster. The discussion, above, about external threats to secure areas should be applied to the organization’s general physical locations. In a sense, this control is asking the organization to ensure that it has complied with health and safety and fire regulations and that it has carried out all the relevant risk assessments required by these regulations, while the comments, above, about controls against threats to secure areas apply more generally. In particular, there should be an appropriate site-level risk assessment covering the possibility of all these natural or human-created disasters; premises in a known earthquake area, for instance, face a greater threat than those elsewhere, and the organization’s business continuity plan will need to take appropriate account of the threat. Similarly, likely local activity (including that of neighbours) should be considered, as should the risks of particularly high-profile locations – for instance, there might be protest marches, terrorist atrocities or police activity near government offices. In particular, choice of fall-back locations should be driven by consideration of likely repercussions of particular events: the diameter of the area likely to be affected by a bomb explosion, the likely effect of a police cordon, etc.
The auditor will want to see, and the board will want to know, that an appropriate risk assessment has taken place and that appropriate controls against such disasters have been implemented. Of course, these controls must be consistent with the corporate risk treatment plan.
Working in secure areas
Control 11.1.5 of ISO27002 says the organization should implement controls and guidelines for working in secure areas, to enhance the security provided by being within a secure perimeter and/or a secure area. These additional controls are largely common-sense extensions of the controls discussed earlier. ISO27002 suggests that the organization consider the following additional controls:
●● Only allow employees (or contractors or third parties) to know about the existence of, or activities within, a secure area on a ‘need-to-know’ basis.
●● Avoid unsupervised working within secure areas so as to avoid the opportunity for malicious activities. The extent to which this control is worth implementing does depend on the risk assessment and the size of the organization. At the very least, staff who are being disciplined, or who are on notice, should not be allowed into secure areas unsupervised. This also reduces the health and safety risk for a lone worker, who might have an accident or become ill in an area to which first-aiders may not have access without one of a restricted number of authorized staff being available to open secure doors.
●● Vacant areas should be kept locked and periodically checked. This activity should form part of the schedule of activities of a security guarding company or individual guard.
●● Personnel of contracted third-party service providers should be given only restricted access to secure rooms, and this should always be under supervision.
●● Recording equipment (mobile phones, cameras, videos, photocopiers, etc) of any sort should not be allowed within secure areas; the records could (accidentally or deliberately) come into the hands of someone who wants to gain unauthorized access to the organization’s sensitive information.
●● Additional security restrictions may become necessary when the organization is working, in a specific area of its site, to develop something that needs to be kept confidential for a period of time.
●● Finally, specific controls might be necessary to ensure that personal mobile devices (eg smartphones) or other recording devices (digital cameras, handheld video cameras, USB flash sticks, smart spectacles, etc) do not collect information from secure areas.
Delivery and loading areas
Control 11.1.6 of ISO27002 says the organization should control delivery and loading areas as well as any other areas to which unauthorized persons (such as members of the public) might have access and, if possible, to keep them isolated from information processing facilities in order to limit the danger of unauthorized access to those facilities. This control will have a different importance for different types of organization. A manufacturing or retailing organization is, for instance, likely to have more significant public access, loading and delivery issues than a straightforward office-based organization. The risks range from unauthorized personnel (customers, delivery drivers, etc) to dangerous deliveries (eg bombs, anthrax), any of which might compromise the organization’s information security. A risk assessment should, as with every other area to be controlled, be used to determine the security requirements.
The measures that ISO27002 wants to be considered are as follows:
●● Access to a holding area from outside the secure perimeter should be restricted to identified and authorized delivery staff or other personnel.
●● The delivery and holding area should be designed so that delivery staff cannot gain access from it to other parts of the building.
●● The external doors of a delivery or holding area should be closed when the internal one is open.
●● Incoming material should be inspected for potential hazards or threats before it is moved elsewhere or to the point of use.
●● Incoming material should, if appropriate, be registered on arrival.
●● Incoming and outgoing shipments should, where possible, be physically segregated.
Implementation of these measures can require significant reorganization of existing delivery facilities and procedures with potentially a significant capital expenditure on the physical set-up. The risk assessment should reflect the fact that as security controls are improved in other parts of the organization, so remaining vulnerabilities become more significant because they provide the few remaining ways in which unauthorized access to information can be gained. In other words, once an organization has started down the road to ISO27001, it should be thorough and complete the journey.
16 Equipment security
Control A.11.2 deals with equipment security. It says the organization should take steps to prevent loss, damage, theft or compromise of its assets and the consequential interruption to its activities. It is broken down into nine sub-clauses, each of which deals with aspects of equipment security and disposal.
Equipment siting and protection
Control A.11.2.1 requires equipment to be sited, or protected, in such a way that risks from environmental threats and hazards, or unauthorized access, are reduced. ISO27002 identifies a number of measures to be considered, including the following:
●● Equipment should be sited so as to minimize unnecessary, unauthorized access into work areas. For example, refreshment units or office machinery designed for use by visitors to premises should be sited within a designated and supervised public area; unauthorized personnel should not have to access secure offices in order to use these facilities. How visitors access toilets will need consideration. Clearly, if the only toilets are within a secure area, visitors will either have to be denied the use of them or will have to be escorted at all times! Doors to computer rooms should have, depending on the risk assessment, mechanisms for ensuring that they are kept shut and locked at all times, with any deviations notified on an alarm system.
●● Information processing and storage facilities handling sensitive data should be positioned so as to reduce the risk of being seen by members of the public while in use. This applies, for instance, to workstation monitors in a ground-floor office, where passers-by could look through a window and see what is on the screen. (Alternatively, windows could be screened.) This may not be relevant if the information that is likely to appear on the computer screen is not sensitive, but if it is, a simple solution might be the installation of window blinds. This would also apply to a wall or floor safe, in retail premises, which has been located so that it could be seen by a member of the public on the premises – it should be hidden in another room. Entrances to computer server rooms, and the security locks that protect them, should not be visible from the street, or through a window that would enable someone with a telescope potentially to see a code being input into a door lock. It all depends on the risk assessment; one should be carried out for each circumstance in which this control might need to be implemented and action then taken in the light of that assessment and in proportion to the risk identified. Decisions should, as usual, be documented.
●● Items requiring special protection should be isolated so as to reduce the general level of protection required. Only a risk assessment will establish what type of equipment falls into this category; it is clearly sensible that, for instance, the fuse board that controls the power into the computer server room should be sited away from public places and away from places that even authorized staff access on a regular basis. An opportunist thief passing an office containing a notebook that is docked at a workstation but not otherwise secured might find it difficult to resist the temptation to add the notebook to his or her own briefcase.
●● ISO27002 suggests that measures should also be adopted to minimize the risk of potential threats including fire, theft, explosives, smoke, water (or supply) failure, dust, vibration, chemical effects, electrical supply interference or failure, and electromagnetic radiation! The only way this can be complied with is to consider, in respect of each of the major systems and components of systems (see Chapter 6), what the risk of compromise will be for each of the risks identified in this section and, in the light of that assessment, to implement appropriate controls. Many of the controls that will be adopted will be simple common sense. Certainly, in any office environment consideration should be given to how workstations and, in particular, notebooks can be locked down so that they are not easily removed. Notebooks should, at the very least, be attached to the desk by notebook security cables, which have individual pass codes. There is a range of security products available, from a number of different suppliers (their advertisements can be found in most information security magazines), that are designed to secure equipment. These range from night safes for notebooks through security ties for workstations to safes of one sort or another. There are sufficient security products available for any piece of important equipment to be adequately secured such that there is little real risk of its being stolen, other than by properly equipped criminals who are ready, able and determined to overcome the controls that are in place.
●● ISO27002 recommends that an organization should consider its policy towards eating and drinking in proximity to information processing facilities. Most IT specialists will probably say that eating and drinking should not be allowed anywhere near IT equipment. Somehow, sometimes, this does not also apply to them! Direct experience suggests that very little of any real significance ever happens in the general office as a result of people eating or drinking at their desks. Sometimes, paper-based information is damaged, but computers rarely are. The debris left by people eating in the office can attract rodents and often leaves unattractive odours, but these tend to be the limits of their impacts. The one place where eating and drinking should certainly be banned (apart, obviously, from clean facilities or anywhere that is specifically designated as a clean area) is the server room. Eating and drinking inevitably leaves debris, which, because the server room is not (or should not be) accessible to the cleaners, accumulates and can have a negative impact on stored data or the machinery. Eating and drinking are obviously never allowed in clean rooms or similar facilities.
●● Environmental conditions should be monitored for conditions that adversely affect the performance of information processing equipment. The organization should be particularly concerned here with heat and cold, smoke, dust and rain. IT equipment should not be exposed to any of these; server rooms should be equipped with detectors of heat, condensation or moisture, fire and smoke that have alarms that contact duty personnel (wherever they are – that is, the alarms must be able to trigger pagers or similar long-distance communications tools) who know what action to take to deal with the threat. Fire suppression equipment could also be installed.
●● Lightning protection should be installed in all buildings that operate information systems and there should be lightning protection filters on incoming power and communications lines.
●● Special protection methods, such as protective keyboard membranes, might be necessary for equipment in industrial environments.
●● The impact of a disaster in nearby premises or sites (such as the street) should be considered.
●● The danger of information leakage due to electromagnetic emanation should be considered. This includes the possible disclosure of information through unintentional radio or electrical signals, sounds or vibrations. ‘Emission security’ or EMSEC deals with this specific area.
Supporting utilities
Control A.11.2.2 of ISO27002 says the organization should protect its equipment from power failures, failures in supporting utilities and other electrical anomalies. This is obvious common sense, as all information processing equipment is electrically powered and is dependent on one or more of water supply, sewage, heating or ventilation and air-conditioning, but most organizations make inadequate contingency plans to deal with power failure. All support utilities should have a rota of regular inspection by an appropriately qualified engineer to ensure that they are still operating as required and are likely to continue doing so. For a start, every item of equipment should have a power supply that conforms to its maker’s recommendations.
An uninterruptible power supply (UPS) is essential to support equipment running critical business applications.
The UPS should enable continuous running or, under specific circumstances, orderly shutdown. The UPS will need to be of adequate power to support the equipment that relies on it for as long as necessary to allow orderly shutdown or the provision (if possible and appropriate) of alternative power, and if necessary the manufacturers of both should be consulted. There should be contingency plans for a failure of the UPS. These might include provision of a back-up UPS. UPS equipment should be regularly tested in line with the manufacturer’s recommendations and it should certainly be stress-tested in a simulation of the worst possible combination of power and service interruption circumstances that can be dreamed up, to ensure that the continuous running or system shutdown plans work effectively.
UPSs must also be considered for workers in home offices. Appropriate equipment needs to be provided to home office users to ensure that data are not lost. This might include USB sticks or other external memory devices, supported by a standard procedure requiring home office users to take at least daily back-ups of data. Users (both in the home office and mobile users with notebooks) should be trained to save the document on which they are working manually at predefined intervals or, alternatively, to have an autosave facility that does this; this will reduce the amount of work lost in the event of a sudden power outage, battery failure or finger error.
EQUIPMENT SECURITY 221
Home office UPSs also need to be tested on a regular basis, and a procedure for doing this will need to be designed and implemented.
A back-up generator should be considered if processing has to continue through a prolonged power failure. Just like the UPS, back-up generators should be regularly tested and stress-tested. Adequate petrol or diesel supplies should be immediately available and stored in accordance both with applicable health and safety legislation and with the outcome of a specific risk assessment.
While we deal later, and at length, with business continuity planning, this is an appropriate point at which to suggest that consideration might also be given to the impact a power outage could have on the working environment. In winter, a building will rapidly become too cold for staff to continue working unless alternative sources of heat are easily accessible and ready for use when needed; a visit to the local camping or plant hire shop should offer some ideas for solutions.
In addition, emergency power switches should be located near emergency exits in equipment rooms to facilitate rapid power-down in the event of an emergency. Emergency (non-electric) lighting should be available in the case of mains power failure at night or in winter. This may be no more than will be sufficient to enable the computer room to be secured and other secure areas or rooms also to be secured. Torches, issued to identified personnel and maintained in a state of constant readiness, may be sufficient; it will all depend on the risk assessment. Gas-operated lamps may also be required.
Lightning protection should be supplied for all buildings, and lightning protection filters should be fitted to all external communication lines. This can be particularly challenging for external communication lines that are outside the control of the organization, and due consideration will have to be given to appropriate contingency plans for circumstances where there is a power interruption as a result of a lightning strike to a utility company’s unprotected lines.
Finally, consideration needs to be given to all the other supporting services; critically, air-conditioning, humidification and fire suppression equipment needs to be regularly tested and have appropriate alarms fitted to alert staff when it has become inoperative. Telecommunications services should have two different methods of connection to the service provider, to ensure that there is no single point of failure for a critical service, and there should usually be an analogue telephone service available as well to deal with emergencies where the digital service is unavailable.
Cabling security
Control 11.2.3 of ISO27002 looks to protect any cables that carry data or that support information services from interception or damage. With a bit of luck, some of the measures recommended by ISO27002 will have been implemented at the time your building was put up, because if they weren’t, it is going to be difficult to implement them now. The measures ISO27002 wants to be considered are as follows:
●● Power and telecommunications/broadband lines into information processing facilities should, wherever possible, be underground or subject to alternative adequate protection. If they are not already underground, it is probably too late. However, it may still be possible to ensure that cables are adequately protected. Specialist information from the utility company concerned will be necessary to help identify a way to protect them. Seriously, where highly sensitive data are being handled, the way in which the utility company handles its telecommunications cables may be critical. Where the risk assessment highlights this issue, there should be a discussion with the utility company about what extra protection it could provide. This protection is important; facilities that are otherwise protected could be penetrated simply because it is possible to tap into the telecommunications cable or cut the power cable. The sheer difficulty in implementing appropriate controls means that this becomes a particularly vulnerable area as everywhere else becomes more secure.
●● Cabling in work areas should be appropriately organized and protected. The tangle of cable that often hangs out of the back of workstations and lies around on the floor is vulnerable to breakage and can, of course, be a health and safety risk. Cables should be tied away with cable tidies, power splitter boxes should be sensibly sited and, where possible, desks with cable handling systems should be used.
●● Network cable should be protected by using conduit or avoiding routes through public areas. This is a lot simpler to bring about; the network cabling contractor can be instructed to install new cabling – or to strip out and reinstall old cabling – in such a way that it will be protected from unauthorized interception or from damage.
●● Power cables should be separated from communications cables to prevent interference. While the risk of electric interference is self-evident, keeping the two services clearly separate ensures that the risk of losing both power and telecommunications simultaneously is reduced.
●● There are additional measures that should be implemented for particularly sensitive data: armoured conduits, locked rooms or boxes at cable inspection and termination points, fibre optic cabling, electromagnetic shielding, sweeps for unauthorized devices attached to cables, and controlled access to patch panels and cable rooms. Risk assessments should be carried out and expert advice taken, and measures that are identified as necessary through this process should be implemented.
Equipment maintenance
Control 11.2.4 of ISO27002 says the organization should maintain all its information processing equipment in accordance with the manufacturer’s instructions and/or documented organizational procedures to ensure that it remains available and in working order. This clearly means that the organization should retain copies of all the manufacturer’s instructions and should identify the recommended service intervals and specifications; to enable a quick call-out for corrective action in the event of a breakdown, these should be displayed together with the supplier’s contact details on the equipment. Only authorized and trained personnel should carry out repairs or services; records of all work done should be retained (in an old-fashioned book attached to the machine) and there should be appropriate procedures (dealing with the saving, deleting or erasing of data, particularly sensitive or confidential data) for controlling equipment sent off-site for repair. Any insurance requirements should be identified and complied with.
There is a more important issue with older or legacy equipment. Equipment that works faultlessly for long periods can suddenly fail. It is important, at that point, that there are detailed records of qualified maintenance and repair organizations. More sensibly, a documented record of the service history of equipment should be maintained so that as it becomes older, properly informed decisions can be taken about the right time for it to be replaced.
Removal of assets
Control A.11.2.5 requires the organization to ensure that no assets – equipment, information or software – are removed from its premises without authorization. This is clearly a basic control that is useful in deterring theft of assets. The procedure for obtaining authorization (and the identity of those who are empowered to provide authorization) should be clearly laid out in the ISMS, and the steps that are required should be proportionate to the sensitivity or value of the asset. Valuable assets should be logged out of the premises and logged back in again; staff who are regularly carrying valuable assets in and out (such as notebook computers) should perhaps have written authority to do so, which they should carry with them at all times and be able to produce on challenge. Of course, the proliferation of mobile devices may mean that a number of individuals are issued with them as part of their basic employment contract and, therefore, some more sophisticated method of tagging might be required. It has to be recognized that, in detail, the guidance of ISO27002 is difficult to apply in an environment where mobile devices are ubiquitous; smart organizations will want to consider options for tagging mobile devices to the holder’s identity card. Spot checks should take place to detect unauthorized removals, and all staff and contractors should be made aware of this policy and that breach of it may be considered a disciplinary matter, perhaps involving the police. Remote workers who have company assets at home should be required annually to endorse an inventory of items in their possession, commenting on their current state of repair.
Security of equipment and assets off-premises
Not surprisingly, control A.11.2.6 requires the organization to apply security procedures and measures to secure equipment used outside an organization’s premises. In particular, use off-site of any equipment should be formally approved (particularly notebooks, and smartphones, together with any other information processing equipment that will be used away from the office) by line managers. The process for this approval should be standardized and can be determined in the light of a risk assessment that considers the possible risks to the organization of its equipment when used off-site. Some of the measures that ISO27002 says should be considered are as follows:
●● Notebook computers, USB sticks and smartphones should be encrypted, particularly if they contain sensitive information or personal data. Equipment (and media) taken off premises should never be left unattended. Notebooks should always be carried as hand luggage and, wherever possible, disguised. Notebook computers or USB sticks should not be left in cabs, on planes or anywhere else – but they often are, and the organization needs to think through the consequent risks. Possible controls include placing a limit on the data that can be carried on the C: drive of a notebook, requiring back-ups to a USB stick to be carried out at regular intervals, signing up for a web-based incremental back-up service, and limiting the period of time that confidential information can be stored on the notebook. At a minimum, password protection (including screen savers) should be standard, and confidential information should be encrypted. Mobile devices should be backed up regularly, and access to smartphones and other mobile devices should be restricted by means of access codes.
●● Staff should be trained in how to protect equipment from risks identified by the manufacturer, such as electromagnetic fields, and these requirements should be built into the user authorization requirements. While the idea of creating rules for handoffs between staff in relation to custody of mobile devices seems intellectually interesting, the reality is that devices will be lost or mislaid and, therefore, building remote wipe into the mobile device policy may be a more pragmatic solution to this issue than an exchanges log.
●● A risk assessment in respect of home working should lead to designation of standard – and, where necessary, special – measures, such as lockable filing cabinets.
●● Certainly, adequate insurance should be taken out to protect equipment off-site and this should be from an insurer that properly understands the market and offers cover adequate for the risks identified in the risk assessment.
Secure disposal or reuse of equipment
Control A.11.2.7 requires information and licensed software to be erased from equipment prior to its disposal or reuse. The standard ‘Delete’ function in software packages is inadequate; when equipment is to be disposed of, it should be completely wiped of all data. Even then, a data image may still be recoverable from the disk. As disk drives are so inexpensive now, it may be better to destroy disk drives completely before selling PCs. Storage devices (USB sticks, tapes, CD-ROMs, smartphones) should, for preference, be destroyed rather than reused. Workstations, servers and laptops should have their hard disks comprehensively overwritten prior to their disposal, and all software should be removed. Organizations that offer to destroy hard drives prior to disposing of PCs should be able to provide hard evidence that they do actually do this. Software may be copied and sold; the original licence holder for the software could thus be open to a charge of illegal software copying. Destroy any software before disposing of the hard media. Ensure that compliance with any Waste Electrical and Electronic Equipment (WEEE) regulations also provides for secure disposal of information assets.
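The difference between deleting and wiping, shown as an added example that is not from the book or from ISO27002: a temporary file stands in for the drive, and a toy layout of one directory block followed by data blocks (an assumption of this example, not any real filesystem) stands in for the file table. Clearing the directory entry, which is all ‘Delete’ does, leaves the file’s bytes recoverable from the raw image; overwriting every block and then reading the media back is what makes the data unrecoverable, and the read-back is the ‘hard evidence’ the book asks for.

```python
"""Why 'Delete' is not disposal: on a simulated disk image a deleted file's
bytes remain until every block is overwritten, and a wipe is only complete
once the media has been read back and checked.

Added example, not from the book. The image is a temporary file standing in
for a drive; the directory-block-plus-data-blocks layout is an assumed toy
format used only to make the point.
"""
import os
import secrets
import tempfile

BLOCK = 512
BLOCKS = 64          # a 32 KiB "drive"
DIR_BLOCK = 0        # block 0 holds the file table


def new_disk() -> str:
    """Create a zero-filled image file standing in for a disk."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * (BLOCK * BLOCKS))
    return path


def write_file(path: str, name: bytes, data: bytes, first_block: int) -> None:
    """Store data at first_block and record (name, block, length) in the directory."""
    entry = (name.ljust(32, b"\x00")
             + first_block.to_bytes(4, "little")
             + len(data).to_bytes(4, "little"))
    with open(path, "r+b") as f:
        f.seek(DIR_BLOCK * BLOCK)
        f.write(entry)
        f.seek(first_block * BLOCK)
        f.write(data)


def delete_file(path: str) -> None:
    """What 'Delete' does: clear the directory entry; the data blocks are untouched."""
    with open(path, "r+b") as f:
        f.seek(DIR_BLOCK * BLOCK)
        f.write(b"\x00" * BLOCK)


def carve(path: str, needle: bytes) -> bool:
    """Forensic-style scan of the raw image, ignoring the directory entirely."""
    with open(path, "rb") as f:
        return needle in f.read()


def wipe(path: str, passes: int = 2) -> None:
    """Overwrite every block: random bytes on early passes, zeros on the last,
    flushing to the device after each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size) if p < passes - 1 else b"\x00" * size)
            f.flush()
            os.fsync(f.fileno())


def verify_wiped(path: str) -> bool:
    """Read the media back: the wipe counts only if every byte is the final pattern."""
    with open(path, "rb") as f:
        return f.read() == b"\x00" * os.path.getsize(path)


def demo() -> dict:
    """Write a constructed 'ledger' record, delete it, carve, wipe, verify."""
    disk = new_disk()
    secret = b"ACCOUNT 40-12-77 BALANCE 1,204,511.08"   # constructed sample data
    write_file(disk, b"ledger.txt", secret, first_block=5)
    delete_file(disk)
    after_delete = carve(disk, secret)   # True: the bytes survived deletion
    wipe(disk)
    after_wipe = carve(disk, secret)     # False: overwritten
    ok = verify_wiped(disk)
    os.remove(disk)
    return {"recoverable_after_delete": after_delete,
            "recoverable_after_wipe": after_wipe,
            "wipe_verified": ok}


if __name__ == "__main__":
    print(demo())
```

The overwrite-and-verify approach is sound for magnetic disks. On SSDs, wear levelling means a block that was overwritten at the logical level can survive in spare flash areas, so there the right tools are the drive’s own secure-erase or cryptographic-erase command, or physical destruction, which is what the book already recommends for removable media.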
There also need to be specific procedures for ensuring that portable equipment is recovered from staff who leave. The best way to do this is to withhold final salary payment until all company property is returned. The only way to set this up properly is to have this specific right written into employment contracts initially. Indeed, subject to the value an organization puts on the data accessed by an employee during day-to-day activities, it may be sensible to alter a person’s duties at the point of resignation. Removing the right, as well as the need, for a departing salesperson to access sensitive client data has obvious benefits. The early retrieval of company assets from such staff will also assist both the organization and the individual concerned – and will prevent any untoward suspicion if an asset is stolen, damaged or corrupted during the notice period.
Unattended user equipment
Control A.11.2.8 requires users to ensure that unattended equipment has appropriate protection. The primary focus of this control is workstations or servers that are logged on and then left unattended, usually temporarily, by the user. This offers an unauthorized user the opportunity to access resources or assets using someone else’s user name, resources or assets that he or she may, in fact, not be authorized to access in the first place.
The need for server rooms to remain locked when unattended has already been discussed. All workstations, notebooks and servers should, however, have password-protected screen savers. These are set up by the user (or, better, enforced centrally through group policy or its equivalent) and should be set so that the screen saver fires up after a short period – three to five minutes might be the maximum period. Otherwise, users should be trained to trigger the password-protected screen saver when leaving their workstation for any period of time, to log off when they have finished working on a particular application and to ensure that the log-off procedure has completed before any machine is switched off or left unattended. A regular audit of machines to ensure that they have been logged off, and not simply had the screen switched off, is a key part of maintaining this control.
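The audit the paragraph above calls for, as an added example that is not from the book or from ISO27002: the inputs are two constructed samples in the formats the real tools produce, a `reg export` of the `HKEY_CURRENT_USER\Control Panel\Desktop` key on Windows and `gsettings list-recursively` output from a GNOME desktop. The registry value names and gsettings keys are the real ones; the sample values and the 300-second limit (the book’s five-minute maximum) are assumptions of the example.

```python
"""Audit workstation screen-lock settings against a five-minute maximum.

Added example, not from the book or ISO27002. The two inputs are constructed
samples in the formats the real tools emit: a Windows `reg export` of
HKEY_CURRENT_USER\\Control Panel\\Desktop, and `gsettings list-recursively`
output from a GNOME session. Key names are real; values are made up.
"""
import re

MAX_IDLE_SECONDS = 300  # the book's suggested maximum, five minutes

# Constructed sample: screen saver on, but no password on resume and a
# 15-minute timeout, so this profile should fail the audit twice.
WINDOWS_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveActive"="1"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="900"
"""

# Constructed sample: GNOME locks after four minutes idle, so it should pass.
GNOME_GSETTINGS = """org.gnome.desktop.session idle-delay uint32 240
org.gnome.desktop.screensaver lock-enabled true
org.gnome.desktop.screensaver lock-delay uint32 0
"""


def parse_reg(text: str) -> dict:
    """Return the "name"="value" pairs of a .reg export (string values only)."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^"([^"]+)"="([^"]*)"$', text, re.M)}


def parse_gsettings(text: str) -> dict:
    """Map 'schema key' -> value text from gsettings list-recursively output."""
    values = {}
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3:
            values[f"{parts[0]} {parts[1]}"] = parts[2]
    return values


def _uint32(value: str) -> int:
    """gsettings prints unsigned ints as 'uint32 240'; take the number."""
    return int(value.split()[-1])


def audit_windows(reg_text: str) -> list:
    """Every way the Windows profile misses the policy; an empty list is compliant."""
    v = parse_reg(reg_text)
    findings = []
    if v.get("ScreenSaveActive") != "1":
        findings.append("screen saver is not active")
    if v.get("ScreenSaverIsSecure") != "1":
        findings.append("no password required on resume")
    timeout = int(v.get("ScreenSaveTimeOut", "0") or 0)
    if timeout == 0 or timeout > MAX_IDLE_SECONDS:
        findings.append(f"idle timeout {timeout}s exceeds {MAX_IDLE_SECONDS}s")
    return findings


def audit_gnome(gsettings_text: str) -> list:
    """Same check for GNOME: lock enabled, and idle-delay plus lock-delay within limit."""
    v = parse_gsettings(gsettings_text)
    findings = []
    if v.get("org.gnome.desktop.screensaver lock-enabled") != "true":
        findings.append("lock-enabled is false")
    idle = _uint32(v.get("org.gnome.desktop.session idle-delay", "uint32 0"))
    lock_delay = _uint32(v.get("org.gnome.desktop.screensaver lock-delay", "uint32 0"))
    if idle == 0:
        findings.append("idle-delay is 0 (never locks)")
    elif idle + lock_delay > MAX_IDLE_SECONDS:
        findings.append(f"locks after {idle + lock_delay}s, limit {MAX_IDLE_SECONDS}s")
    return findings


if __name__ == "__main__":
    for host, result in (("windows-sample", audit_windows(WINDOWS_REG)),
                         ("gnome-sample", audit_gnome(GNOME_GSETTINGS))):
        print(host, "COMPLIANT" if not result else result)
```

On a real estate the same two functions run over exports collected by the management tooling; a machine whose user can change these values back is the reason the paragraph prefers central enforcement to user set-up.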
Clear desk and clear screen policy
Control 11.2.9 of ISO27002 says the organization should implement a clear desk and clear screen policy to reduce the risks of unauthorized access to, or loss of, or damage to, information. This requirement should be contained in the user access authorization document.
A clear desk policy is one of the easiest to adopt. The first step is to ensure that appropriate facilities are available in the office in which, depending on their security classification (see Chapter 8), computer media (disks, tapes, CD-ROMs) and paper and paper files can be stored and locked away, including in lockable pedestals, filing cabinets and cupboards. Sensitive information should be locked away in a fireproof safe (and the security adviser will have to assess the fire resistance of the safe in terms of the sensitivity of the information inside it and its location in order to ensure its survival for long enough to be rescued). Once the facilities are available, senior managers simply adopt a ‘black bag policy’. The way this works is that after 24 hours’ due notice that the clear desk policy will be implemented, senior managers simply go around the office after closing time and put everything that has been left out on desks into a series of black plastic bags. The bags are then left with the rubbish that the cleaners will remove for pulping the next morning (or, for anything sensitive, with the confidential waste). The first time this happens, the bags might be left briefly in the morning for people to recover the papers that they need. The second night, there is unlikely to be anything left out on desks to put into the black bags.
Personal computers, computer terminals and printers should be switched off when not in use and should be protected by locks, passwords and the like when they are in use. Everyone should be required to use a password-protected screen saver that automatically fires up after only a few minutes (between three and five is reasonable) of inactivity; this ensures that sensitive information is not easily available to the casual observer. While everyone in the office should be trained to switch machines off, the last one out of the office each day should be required to double-check and switch off anything still on.
Incoming and outgoing mail collection points should be protected or supervised so that letters cannot be stolen or lost, and fax machines (where they’re still deployed) should be protected when not in use. Photocopiers should be switched off and locked outside working hours; this makes it difficult for unauthorized copying of sensitive information to occur. All printers, fax machines and scanners should be cleared of papers as soon as they are printed or scanned; this helps ensure that sensitive documents are not left in printer trays or on the scanner bed for the wrong person to collect.
17
Operations security
Control category A.12 has a number of major sub-clauses. The first of them is control A.12.1, which deals with operational procedures and responsi- bilities. Its aim is to ensure the correct and secure use of information processing facilities.
Documented operating procedures
Control 12.1.1 of ISO27002 says the organization should document the operating procedures that were identified as necessary in the security policy and which are being discussed at length through the pages of this book. As discussed in Chapter 3 (management system integration), the document control principles of ISO9000 are applicable to ISO27001, and all the operating procedures that are part of the organization’s ISMS should be treated in accordance with these requirements, including appropriate management approval.
Again as discussed elsewhere, the best way to make the entire ISMS available to staff is through SharePoint and the best way to make it available to third-party contractors is through an extranet, or secure access to part of SharePoint. The key benefits of such an approach are that documentation can easily be kept completely up to date and users can be sure that they are seeing the most recent version of ISMS requirements.
While the organization will adopt those procedures that it finds most useful in implementing its information security policy, ISO27002 recommends that there should be detailed procedures and operations (or work) instructions (and the level of detail should be appropriate to the size of the organization, with more detail required for larger and more complex ones), which should be worked out between the information security adviser and the responsible operational staff, for:
●● Processing and handling information – which covers, in particular, confidentiality requirements and information classification.
●● Back-up, which is dealt with in more detail in control A.12.3.1.
●● Work scheduling requirements, explaining where necessary interdependencies with other systems (so that no one has to find these out the hard way) and earliest job start and latest job completion times (for instance, for back-up procedures).
●● Instructions for handling errors or other exceptional conditions, including restricting use of system utilities, although the organization should have due regard for the comments in Chapter 4 and elsewhere about the need to recruit and retain an information security specialist who has sufficient skill and experience to respond flexibly to new and unusual circumstances. These instructions might, therefore, set out reporting requirements and general guidance, with more specific instructions for junior operatives and inexperienced staff to follow.
●● Contact details for accessing appropriate support in the event of unexpected operational or technical difficulties, and what records should be kept.
●● Instructions for handling special outputs, such as special stationery, or what to do with failed output for special jobs. Uncontrolled versions of these instructions should be posted near the machines to which they relate.
●● Detailed system restart and recovery procedures to follow in the event of system failure. These procedures should be in the ISMS, and controlled copies should be visibly posted near the equipment to which they relate, to enable them to be easily used when required.
There should also be detailed procedures (based on manufacturers’ instructions or user manuals) for all the basic housekeeping functions, including computer start-up and power-down, back-ups, equipment maintenance, mail handling, computer room usage, etc. These procedures should, wherever possible, be reflected in visible reminders as to requirements, posted in the vicinity of where they are relevant. Staff should be trained in their use. Consideration should be given to the possibility that unauthorized staff could see these procedures, and therefore their classification level would be relevant to how they are posted.
Remember that overly detailed or infrequently used procedures are as likely to lead to problems as no systems at all. Organizations that outsource their IT services – bearing in mind the distinction that outsourced processes would be within the scope of the ISMS although the organization delivering them would not – should specify the requirement for proper and appropriate system documentation, to ISO9000 and ISO27001 standards, in the outsourcing contract. It might be appropriate to require suppliers of outsourced IT services to be certified to ISO20000 and, arguably, ISO22301 as well as ISO27001.
Change management
Control 12.1.2 of ISO27002 says an organization should control changes to its business processes, information processing facilities, operational systems and application software. These changes usually cause major disruption to the business even when they go well. Inadequate control of these sorts of changes is a common cause of system failures or vulnerabilities. As some banks can testify, the transition from test to production can occasion major, costly and embarrassing system outages. It is also a common cause of unnecessary expenditure. Formal, documented change control procedures need to be in place, which could be adopted from or be the same as existing project management or change control procedures within the organization. What is important is that for all changes to information processing equipment, software or security procedures, there should be a formal method of control, preferably within an appropriate project governance structure.
Procedural or process change is easy to control, particularly if the ISMS was set up with the information security management forum as the body that steers implementation of the ISMS. It will have to approve all procedural changes, which should be issued under formal document control and supported, where appropriate, by additional staff training.
Changes to operational programs and applications can have an impact on one another, and the change control process should ensure that this risk is considered. The specialist input of the IT manager, or vendor-certificated experts, should if necessary be considered as part of the change management process. There needs to be a clearly formulated policy dealing with updates, patches and fixes to major operational and application software; there may not always be a valid business or information security reason for making the upgrade, and therefore the organization’s policy needs to set out the criteria for upgrade decisions and their timings.
In general, the change control procedure for operating programs and applications could be on a standard single-page document that includes:
1 an identification of significant changes, and the business reasons (including, if necessary, a cost–benefit assessment) together with a change log;
2 the planning process for testing changes and gaining user acceptance of the changed system;
3 an assessment of their potential (security and other) impacts, including their impacts on other operational or application software and any hardware changes that might be required;
4 formal approval for the changes to be made, and verification that information security requirements have been met;
5 communication to all relevant people of the changes, perhaps by means of copying, or e-mailing, to them uncontrolled versions of the change control form;
6 procedures for aborting, for rollback, and for recovering from planned changes that go wrong;
7 emergency procedures for recovering from incidents or errors.
On a more substantial level, any significant change to the network would necessitate a review of the main information security risk assessment in advance of the change. Provision should be made in the change control procedure to ensure that this possibility is considered. Any dependent records would need to be amended.
Organizations that have already adopted ITIL or COBIT should integrate the detailed aspects of this control into their existing change management process; it makes sense to have a single, coherent, secure process for managing the whole range of changes that might need to occur.
Capacity management
Control 12.1.3 of ISO27002 says the organization should monitor its capacity demands and make projections of future capacity requirements so that it can ensure that it has adequate power, bandwidth and data storage facilities available. The utilization of key system resources (file servers, domain servers, e-mail servers, printers and other output devices) should be monitored so that additional capacity can be brought on-stream when it is needed or capacity-hungry activities scheduled for other times. The projections should obviously take account of predictions of levels of business activity, and there should therefore be an overt link between this activity and the annual business planning cycle. The trends that should be considered are the increase in business activity, and therefore in transaction processing; and the increase in the number of staff, and therefore in the number of workstations and other facilities. E-commerce businesses should also consider the expected increase in website activity and plan sufficient capacity to ensure that the site remains operational, particularly at times of peak activity.
All of this should enable network managers and webmasters to identify and, through their capacity management plans – including deleting obsolete files and data, decommissioning devices that are no longer required, scheduling bandwidth availability, etc – avoid potential bottlenecks that could threaten system security or the availability of network or system resources or data.
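Turning monitoring data into a projection, as an added example that is not from the book or from ISO27002: the utilization samples are constructed (day, GB used) pairs for hypothetical servers, the 80 per cent planning threshold and the 60-day procurement lead time are assumptions, and the straight-line fit is deliberately simple, since the point is to convert a series of readings into the date by which extra capacity must be ordered rather than to model seasonality.

```python
"""Project when monitored resources cross a capacity threshold.

Added example, not from the book. The samples are constructed (day, GB used)
pairs for hypothetical servers; the 80% threshold and 60-day lead time are
assumed planning parameters. A least-squares straight line is enough to turn
a monitoring series into a date by which capacity must be ordered.
"""
from typing import List, Optional, Tuple

Sample = Tuple[float, float]   # (days since first sample, units used)


def linear_fit(points: List[Sample]) -> Tuple[float, float]:
    """Least-squares slope and intercept of used = slope * day + intercept."""
    n = len(points)
    if n < 2:
        raise ValueError("need at least two samples to fit a trend")
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in points)
    if sxx == 0:
        raise ValueError("samples must span more than one day")
    slope = sum((x - mean_x) * (y - mean_y) for x, y in points) / sxx
    return slope, mean_y - slope * mean_x


def days_until_threshold(points: List[Sample], capacity: float,
                         threshold: float = 0.8) -> Optional[float]:
    """Days from the last sample until usage reaches threshold * capacity.

    Returns 0.0 if the threshold is already crossed and None if the trend is
    flat or falling (no projected date).
    """
    target = capacity * threshold
    last_day, last_used = points[-1]
    if last_used >= target:
        return 0.0
    slope, intercept = linear_fit(points)
    if slope <= 0:
        return None
    return (target - intercept) / slope - last_day


def capacity_report(resources: dict, threshold: float = 0.8,
                    lead_time_days: float = 60) -> dict:
    """Per resource: days to the threshold, and whether that is inside the
    procurement lead time (meaning the order must be placed now)."""
    report = {}
    for name, (capacity, points) in resources.items():
        days = days_until_threshold(points, capacity, threshold)
        report[name] = {
            "days_to_threshold": days,
            "order_now": days is not None and days <= lead_time_days,
        }
    return report


# Constructed monitoring data: capacity in GB and readings every 30 days.
RESOURCES = {
    "file-server": (1000.0, [(0, 400.0), (30, 430.0), (60, 460.0), (90, 490.0)]),
    "mail-store":  (2000.0, [(0, 1300.0), (30, 1360.0), (60, 1420.0), (90, 1480.0)]),
    "archive":     (500.0,  [(0, 200.0), (30, 200.0), (60, 200.0)]),
}

if __name__ == "__main__":
    for name, row in capacity_report(RESOURCES).items():
        print(name, row)
```

In the constructed data the file server grows 1 GB a day and reaches 80 per cent in 310 days, the mail store grows 2 GB a day and reaches it in exactly the 60-day lead time, so it is flagged for ordering now, and the flat archive gets no date. The business-planning inputs the paragraph mentions (headcount, transaction growth) enter as adjustments to the slope rather than as something the fit can discover on its own.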
Separation of development, testing and operational environments
Control 12.1.4 of ISO27002 says the organization should separate development and testing environments (recognizing that virtualization enables multiple environments to reside on a single box) from its operational (production) ones in order to reduce the risk of accidental change or unauthorized access to operational software and business data. This clause will be relevant primarily to software development companies and secondarily to any organization that is having bespoke software developed in-house for use, rather than buying a commercial off-the-shelf (COTS) package, in its own operations.
This is a key segregation of activities; the rules for the transfer of software from development to operational status should be defined and documented. ISO27002 sets out very clearly the ways in which software development should be separated from operations; any organization that is involved in developing software should refer explicitly to clause 12.1.4 of ISO27002 for guidance on best practice in how to do this.
Many companies that are not software companies are likely to be doing some limited development work even if it is limited only to process automation or website scripts. The controls of this clause of ISO27001 are also relevant in these circumstances. In essence, the requirement is that development and testing activities should be separated from operational ones to the greatest extent possible, preferably running them on different computers or on different domains, and certainly running them in different directories. Access methods and passwords should be different between development, test and operational environments. The test environment should be a known, stable one, which emulates as closely as possible the live, operational (production) one and in which meaningful testing can take place and any attempt by a developer or webmaster to introduce malicious code or Trojans or build in vulnerabilities can be detected. Users should have different user profiles for testing and production environments, and developers should never have access to the live site or production environment.
There are also specific data management issues to be considered in regard to the use of personal data for testing; all personal data, even those used for testing purposes, are subject to the DPA 2018 or other privacy regulations.
Back-up
Control A.12.5 requires the organization to take regular copies of essential business information and software. This is one of the most basic and most important of all controls. It is important not just because it enables an organization to recover from a disaster or media failure, but because it can also enable individual users to recover from unforced errors. Where back-ups have not been taken, it can be impossible to recover from disaster. This is as true for a cloud-based business as it is for one that runs its own server room or data centres; cloud back-ups that are stored behind the same dashboard as the core configuration and other data are just as exposed – and as potentially useless – as back-up media stored alongside their servers in a physical location.
An essential first step in making a back-up policy work in most offices is to ensure that most information is filed on the organization’s servers, or network drives (whether onsite or off) and not on individuals’ C: drives. While servers can be backed up automatically and centrally, C: drives can only be backed up if the back-up service is specifically configured to do so. This is difficult to do with tape back-up services, and is particularly difficult with notebook users, who often work on the move and who need immediate access to their files. The requirement for regular back-ups from portable devices to network file servers or the Cloud (or the provision of a notebook-level back-up service) and for the use of the Cloud or a file server rather than the fixed C: drive should be part of the initial staff training on data security. One step that might be considered in order to illustrate the importance of this particular control might be to make unbacked-up storage of digital data on a desktop a disciplinary offence.
A second essential step is ensuring that the back-up policy is comprehensive. Mobile users have information stored in notebooks and on smartphones. Office-based users use a range of software products, sometimes on single machines only, which might be outside the normal range of Microsoft products. Organizations have websites, intranets and extranets. They use accounting systems, ERP systems and project management systems. They have voicemail systems, which also carry data, particularly in all those voicemail boxes that substitute more and more for real people. Increasingly, organizations use the services of application service providers (ASPs) and SaaS (with the use of applications like Salesforce.com (archived at https://perma.cc/4QKH-A6YZ) and Office365 becoming widespread), and this leads to data being stored outside the organization’s secure perimeter in situations where the organization has no direct control over the security of its information. It is critical, in these relationships, that the controls for security in third-party relationships discussed elsewhere in this book are carefully considered. All digital data storage needs to be considered – and so do paper files.
The fact that data are stored in paper files or in other books does not make them any less important to the organization than data in digital form. A fire, a flood, an explosion or even simple straightforward theft can deprive an organization of its paper files. They need to be taken into account, and those that are assessed as important to the organization need to be backed up in some manner; the great fire of Alexandria destroyed many original manuscripts of which there were no copies anywhere else in the world.
Once the organization has identified all the data assets that need to be backed up, it can decide on a method, and frequency, for carrying out the back-up. This exercise should be comprehensive and should link back to the list of assets that was put together as part of the initial asset inventory. Each of these methods of backing up and storing data should be risk-assessed in the light of the highest security classification that is likely to be given to data stored in this medium or a particular file or device. There is an early decision to make, for electronic data, between dual-writing (making the copy at the same time as the original) and once-per-day copying. Once a decision has been made as to what data are to be protected, and the necessary level of back-up information has been defined, the controls that ISO27002 would like to see considered are as follows:
●● The minimum level of back-up information, together with accurate and complete records of what has been backed up and a copy of the documented recovery procedure, should be stored at a remote location. Accurate records of what has been backed up are necessary to facilitate finding what is required for a restore operation. The minimum information would be details of precisely which servers have been backed up and the date and time of back-up. It does need to be sufficiently remote that if, for instance, the base city ceased to exist, the remote site could take up the burden. The remote location should be sufficiently remote to avoid any disaster that takes place at the main site (or that affects the environs of the main site) but not so remote that it cannot be easily accessed. Back-up tapes might also be stored with a storage company, which collects one tape (or set of tapes) every day and leaves behind the next tape (or tapes) in the cycle. The contract with such an organization would, of course, be subject to the organization’s standard controls for third-party contracts. At least three cycles of back-up information should be retained for important applications. A typical back-up cycle, of digital media to a digital audiotape (DAT), is called ‘grandfather, father, son’. These three generations refer to monthly, weekly and daily back-ups, with the ‘son’, an incremental back-up, running every day (one tape for each day of the week) and being overwritten on the same day the following week. The ‘father’ back-ups are full back-ups done every week (one tape for each week of the month) and then overwritten in the same week of the next month. The ‘grandfather’ back-ups are done every month (one tape for each month of the year) and overwritten in the same month of the next year. Autochangers and additional software might be necessary to ensure that back-ups are done fully and effectively.
●● Back-up information should be given the same level of physical and environmental security as the original data; it is just as important, and therefore standard physical and environmental controls must also apply to the back-up data. Where necessary, back-ups should be protected by encryption.
●● Back-up media (eg the tape unit) should be regularly tested to ensure that they are working. The back-up should be set to happen at a regular time each 24 hours, or whatever shorter or longer cycle the organization chooses in the light of its assessment of its risks of data loss. It should take place at a time of limited or zero network usage, as the network will run slowly while the back-up takes place and those sections being backed up are unlikely to be available to users while the back-up is taking place. It should be demonstrated that the equipment and media used have the actual capacity to complete the required back-up within the allotted time. If they do not, the back-up may be flawed and critical data may be lost. Details of these tests should be retained with the ISMS documents and are critical evidence that the back-up system will be able to help when it needs to.
●● Recovery and restoration procedures, which should be documented in the ISMS, should be regularly tested. The testing should involve those staff who will be responsible for carrying out the restoration, as it is critical that restoration can actually be completed within the time allotted. Tests should be carried out to restore data from every single one of the servers and for every single one of the applications that are supported, and restoration should be to vanilla boxes; it is only through such exhaustive testing that the organization can be sure that it will have what it needs when it needs it. Deficiencies should be put right either through training or through reassessing the software, hardware or back-up procedure itself. The wrong time to discover the deficiencies in this procedure is in the middle of an attempt to restore either an important document or an entire system. The records of these tests, and their outcomes, should form part of the ISMS business continuity documentation. Like all critical tests, they should be reviewed by the information security management forum on a regular basis. Restoration of files from historic records will become increasingly difficult as organizations update or change their software; they will need to remember to retain the ability to access old electronic records for as long as their data retention policy requires, and that this might necessitate retention in a working state in a secure environment of software that has otherwise been superseded.
●● Critical paper files should also be backed up, with complete photocopies stored at a remote location. The comments about physical security for back-up documents, and controls over copying paper documents should also be applied.
●● RAID (Redundant Array of Independent Disks) should be considered for all servers running critical applications. This will provide a level of protection if one of the server drives fails. There are seven (0–6) basic RAID levels, providing different levels of data protection and performance improvement. A risk assessment should be the basis on which selection and implementation of a RAID solution takes place. RAID 5 is the usual level of RAID array implemented, and this combines a good level of protection and performance. Expert advice should be taken on the implementation of a RAID array.
●● The retention period for business information should be defined and applied to the backed-up data. It is particularly important to recognize that legal requirements now increasingly require that e-mails are retained as business records. Data vaults and single-instance e-mail storage may be appropriate solutions to this requirement.
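The ‘grandfather, father, son’ rotation described in the list above, simulated as an added example (this is not code from the book). The run days (monthly full on the last day of the month, weekly full on Sunday, incremental on every other day) and the tape label format are assumptions the text does not fix; the simulation shows which tape each run overwrites and which restore points remain:

```python
# Added example, not from the book: simulate a grandfather/father/son
# tape rotation so the overwrite cycle and surviving restore points can
# be checked before the scheme is adopted.
# Assumptions (the text fixes none of them): the monthly full runs on the
# last calendar day of the month, the weekly full runs on Sundays, every
# other day is an incremental; a tape label names the slot being reused.
from datetime import date, timedelta

DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def gfs_slot(d: date) -> tuple[str, str]:
    """Return (generation, tape_label) for the back-up run on day d."""
    if (d + timedelta(days=1)).month != d.month:
        # Last day of the month: grandfather tape, reused next year.
        return "grandfather", f"month-{d.month:02d}"
    if d.weekday() == 6:
        # Sunday: father tape for this week of the month, reused next month
        # (months with five Sundays need a fifth weekly tape).
        return "father", f"week-{(d.day - 1) // 7 + 1}"
    # Any other day: son tape, reused on the same weekday next week.
    return "son", f"day-{DAY_NAMES[d.weekday()]}"


def rotation_schedule(start: date, days: int) -> dict[str, date]:
    """Simulate consecutive daily runs; each label maps to the date of the
    data it holds at the end (earlier contents of that tape are overwritten)."""
    tapes: dict[str, date] = {}
    for i in range(days):
        d = start + timedelta(days=i)
        tapes[gfs_slot(d)[1]] = d
    return tapes


def restore_points(tapes: dict[str, date]) -> list[date]:
    """Dates a restore is still possible to, oldest first; a restoration
    test plan should be exercised against exactly these points."""
    return sorted(tapes.values())


if __name__ == "__main__":
    sched = rotation_schedule(date(2024, 1, 1), 366)  # one full year of runs
    print(len(sched), "tapes in the pool")
    for label, held in sorted(sched.items()):
        print(f"{label:10} holds data of {held}")
    print("oldest restore point:", restore_points(sched)[0])
```

Running the simulation over a year shows a pool of 23 tapes (six daily, five weekly, twelve monthly) and that the oldest surviving restore point is the first month-end, which is the ‘three cycles retained’ question made concrete.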
Mobile device back-up is increasingly critical to organizations and decisions made about how this is to be effected should be part of the mobile device policy and procedures. As the fundamental controls that protect an organization against compromise of critical or sensitive data on laptops or mobile devices should now include some mix of boot-level whole disk encryption for laptops and remote wipe for smartphones and similar mobile devices, it is essential that organizations implement some form of ongoing, incremental background data and system synchronization to some easily accessible – but significantly secure – central repository.
Chapter 24 deals with A.12.4, logging and monitoring, alongside information security incident management.