Kudler Fine Foods IT Security Report and Presentation
Security Considerations
CMGT/400

According to Whitman and Mattord (2010), the ISO 27000 series is one of the most widely referenced security models.
Referencing ISO/IEC 27002 (17799:2005), the major process steps include: risk assessment and treatment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development, and maintenance, information security incident management, business continuity management, and compliance (Chapter 10, Security Management Models).

1. Risk assessment and treatment
2. Security policy: Focuses mainly on information security policy
3. Organization of information security: For both the internal organization and external parties
4. Asset management: Includes responsibility for assets and information classification
5. Human resources security: Ranges from controls prior to employment and during employment to termination or change of employment
6. Physical and environmental security: Includes secure areas and equipment security
7. Communications and operations management: Incorporates operational procedures and responsibilities, third-party service delivery management, systems planning and acceptance, protection against malicious and mobile code, backup, network security management, media handling, exchange of information, electronic commerce services and monitoring
8. Access control: Focuses on business requirements for access control, user access management, user responsibilities, network access control, operating system access control, application and information access control, and mobile computing and teleworking
9. Information systems acquisition, development, and maintenance: Includes security requirements of information systems, correct processing in applications, cryptographic controls, security of system files, security in development and support processes, and technical vulnerability management
10. Information security incident management: Addresses reporting of information security events and weaknesses and management of information security incidents and improvements
11. Business continuity management: Information security aspects of business continuity management
12. Compliance: Includes compliance with legal requirements, compliance with security policies and standards, and technical compliance and information systems audit considerations

The “SANS: SCORE” (2012) website provides a free audit checklist for organizations to verify whether they comply with ISO 27002. The following table represents the SANS audit checklist as it relates to Kudler Fine Foods’ frequent buyer program.

Security policy: Focuses mainly on information security policy

| Section | Audit Question | Security Considerations | Security concern if removed | Mitigation |
| --- | --- | --- | --- | --- |
| Information security policy document | Whether there exists an information security policy, which is approved by the management, published and communicated as appropriate to all employees. Whether the policy states management commitment and sets out the organizational approach to managing information security. | A security policy is necessary to guide all access or to block access to information. | Without a security policy in place the restriction of information would be lost. Uncontrolled access will result in the loss of company information. | Define what needs to be protected in order to develop a security policy. The importance of the information should determine the severity of the security. |
| Review of Information Security Policy | Whether the Information Security Policy is reviewed at planned intervals, or if significant changes occur, to ensure its continuing suitability, adequacy and effectiveness. Whether the Information Security Policy has an owner, who has approved management responsibility for development, review and evaluation of the security policy. Whether any defined Information Security Policy review procedures exist and whether they include requirements for the management review. Whether the results of the management review are taken into account. Whether management approval is obtained for the revised policy. | The security policy should be reviewed as business practices, hardware, software, and the way in which information is shared change. Each part of the policy should have an owner who is responsible for keeping it up to date. A review procedure should be in place; each change made should be reviewed by management. | Without the review of security policies they will most likely become outdated and lose usefulness. Without giving each section of the policy an owner, the policy will have no one responsible for its maintenance. A policy to review new policies or changes made to current policies should be in place to discourage unauthorized changes. | Each policy should be reviewed periodically to ensure its effectiveness. Each policy owner will be responsible for the review of the policy. Each change will be brought before management before being brought into action. |
Organization of Information Security

| Section | Audit Question | Security Considerations | Security concern if removed | Mitigation |
| --- | --- | --- | --- | --- |
| Management commitment to information security | Whether management demonstrates active support for security measures within the organization. This can be done via clear direction, demonstrated commitment, explicit assignment and acknowledgement of information security responsibilities. | An active role by management is needed to ensure the effectiveness of the security policy. | Without the active support of management the security policy will lose its effectiveness. | A definition of the role management should play in the commitment to the security policy should be stated in the security policy. |
| Information security coordination | Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities. | Security activities need to be coordinated by representatives that carry pertinent roles and responsibilities. | Information security activities need to be organized by employees with higher roles and responsibilities. The security policies protect the information, and all activities associated with the security policy should be made by responsible parties. | Ensure that the owner of each policy is responsible for all activities associated with the policies. |
| Allocation of information security responsibilities | Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, were clearly identified and defined. | The business will suffer a great many losses due to unclear definitions of procedures. | Without a clear set of rules governing the protection of individual assets and security processes the business will surely suffer a loss. | A clear set of instructions will be provided to ensure that each individual asset and each security process is clearly defined. |
| Authorization process for information processing facilities | Whether a management authorization process is defined and implemented for any new information processing facility within the organization. | Authorization processes need to be clearly stated in the security policy. Any new information | Without the use of an authorization system a new information processing facility would be left vulnerable to attack. | Any and all information processing facilities need to be given ownership by a member of management. This member needs to ensure the security policy is followed. |
Physical and environmental security

| Section | Audit Question | Security Considerations | Security concern if removed | Mitigation |
| --- | --- | --- | --- | --- |
| | | | | Sophistication of restraint would be dependent upon importance of information and budget. |
| Securing offices, rooms, and facilities | Whether the rooms which have the information processing service are locked or have lockable cabinets or safes. | | | |
| Protecting against external and environmental threats | Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest and other forms of natural or man-made disaster has been designed and applied. Whether there is any potential threat from neighboring premises. | Corruption and/or loss of information due to environmental conditions. | Loss of critical data. | Data and system redundancy, off-site storage and/or multiple servers at different locations. |
| Working in secure areas | Whether physical protection and guidelines for working in secure areas are designed and implemented. | | | |
| Public access, delivery and loading areas | Whether the delivery, loading, and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated, to avoid unauthorized access. | | | |
| Equipment siting protection | Whether the equipment is protected to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access. | | | |
| Supporting utilities | Whether the equipment is protected from power failures and other disruptions caused by failures in supporting utilities. Whether permanence of power supplies, such as a multiple feed, an Uninterruptible Power Supply (UPS), a backup generator, etc., is being utilized. | | | |
| Cabling security | Whether the power and telecommunications cabling, carrying data or supporting information services, is protected from interception or damage. Whether there are any additional security controls in place for sensitive or critical information. | | | |
| Equipment maintenance | Whether the equipment is correctly maintained to ensure its continued availability and integrity. Whether the equipment is maintained as per the supplier’s recommended service intervals and specifications. Whether the maintenance is carried out only by authorized personnel. Whether logs are maintained of all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented while sending equipment off premises. Whether the equipment is covered by insurance and the insurance requirements are satisfied. | | | |
| Securing of equipment off-premises | Whether risks were assessed with regard to any equipment usage outside the organization’s premises, and mitigation controls implemented. Whether the usage of an information processing facility outside the organization has been authorized by the management. | Off-site data storage centers provide a level of redundancy to maintain integrity in the event of a local breach. | Off-site data may be compromised or otherwise corrupted due to insufficient security measures. | Proper security measures in place to ensure integrity of data. |
| Secure disposal or re-use of equipment | Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed, or securely overwritten, prior to disposal or reuse. | | | |
| Removal of property | Whether any controls are in place so that equipment, information and software are not taken off-site without prior authorization. | | | |

Communications and Operations Management

| Section | Audit Question | Security Considerations | Security concern if removed | Mitigation |
| --- | --- | --- | --- | --- |
| Documented operating procedures | Whether the operating procedure is documented, maintained and available to all users who need it. Whether such procedures are treated as formal documents, and therefore any changes made need management authorization. | Management should set guidelines about how each function should operate in the company. | Without direction, employees would not know what to do throughout the day. | To establish how the company is to operate on a daily basis. |
| Change management | Whether all changes to information processing facilities and systems are controlled. | | | |
| Segregation of duties | Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services. | Management is responsible for assigning areas of responsibility. | No one would be responsible for ensuring tasks are completed. | To establish accountability for tasks performed in each area. |
| Separation of development, test, and operational facilities | Whether the development and testing facilities are isolated from operational facilities. For example, development and production software should be run on different computers. Where necessary, development and production networks should be kept separate from each other. | Management needs to establish a separate network. | Incorrect information could cause a delay in production or development. | To prevent incorrect information from being given to the wrong personnel. |
| Service delivery | Whether measures are taken to ensure that the security controls, service definitions and delivery levels included in the third party service delivery agreement are implemented, operated and maintained by the third party. | Define what measures are needed and establish who is to monitor. | Goods and services will not be delivered in a timely manner. | To ensure that the service level is established and maintained. |
| Monitoring and review of third party services | Whether the services, reports and records provided by the third party are regularly monitored and reviewed. Whether audits are conducted on the above third party services, reports and records at regular intervals. | Define what measures are needed and establish who is to monitor. | Goods and services will not be delivered in a timely manner. | To ensure that the service level is established and maintained. |
| Managing changes to third party services | Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures and controls, are managed. Does this take into account criticality of business systems, processes involved and re-assessment of risks? | Define what measures are needed and establish who is to monitor. | Goods and services will not be delivered in a timely manner. | To ensure that the service level is established and maintained. |
| Capacity management | Whether the capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available. Example: Monitoring hard disk space, RAM and CPU on critical servers. | Management must decide if a third party will be needed to assist with their IT needs. | Systems will not be able to process information needed in a timely manner. | To establish who will monitor computer systems. |
| System acceptance | Whether system acceptance criteria are established for new information systems, upgrades and new versions. Whether suitable tests were carried out prior to acceptance. | Management must decide if a third party will be needed to assist with their IT needs. | Systems will not be able to process information needed in a timely manner. | To establish who will monitor computer systems. |
| Controls against malicious code | Whether detection, prevention and recovery controls to protect against malicious code, and appropriate user awareness procedures, were developed and implemented. | IT personnel must ensure proper measures are in place. | Unauthorized access could lead to system shutdown. | Establish measures to protect from viruses and malware. |
| Controls against mobile code | Whether only authorized mobile code is used. Whether the configuration ensures that authorized mobile code operates according to security policy. Whether execution of unauthorized mobile code is prevented. (Mobile code is software code that transfers from one computer to another computer and then executes automatically. It performs a specific function with little or no user intervention. Mobile code is associated with a number of middleware services.) | | | |
| Information backup | Whether back-ups of information and software are taken and tested regularly in accordance with the agreed backup policy. Whether all essential information and software can be recovered following a disaster or media failure. | IT personnel will ensure that the system is properly working. | If not properly managed, could result in loss of data. | To establish backup and recovery of data procedures. |
| Network controls | Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications using the network, including the information in transit. Whether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats, such as unauthorized access. | IT personnel must ensure proper measures are in place. | Unauthorized access could lead to system shutdown. | Establish measures to protect from viruses and malware. |
| Security of network services | Whether security features, service levels and management requirements of all network services are identified and included in any network services agreement. Whether the ability of the network service | IT/third party will advise management of the necessary requirements needed for the network. | The company may not be aware of what is needed to secure the network, and the system is broken into, compromising information. | To establish what security features are needed to maintain the network. |