The Mission of the Firm is to provide relevant practical knowledge and skills for planning and performing various types of assurance or consulting assignments in the areas of Governance, Risk management, Security, Controls and Compliance in the domain of Information Systems and in an Information Technology environment, by using relevant standards, frameworks, guidelines and best practices.
The Firm aims to demonstrate and provide the ability to:
- Provide IS assurance or IT Enabled services and perform effective audits in a computerised environment by using relevant standards, guidelines, frameworks and best practices.
- Evaluate structures, policies, procedures, practices, accountability mechanisms and performance measures for ensuring Governance and management of Information Technology, risk management and compliance as per internal and external stakeholder requirements.
- Provide assurance, consulting or compliance services to confirm that enterprise has appropriate security and controls to mitigate risks at different layers of technology as per risk management strategy.
- Provide assurance or consulting services that the management practices relating to systems development, acquisition, maintenance and implementation are appropriate to meet enterprise strategy and requirements.
- Provide assurance or consulting services to validate whether required controls have been designed, configured and implemented in the application software as per enterprise and regulatory requirements and provide recommendations for mitigating control weaknesses as required.
- Provide assurance or consulting services to confirm whether the Business continuity management strategy, processes and practices meet enterprise requirements to ensure timely resumption of IT enabled business operations and minimise the business impact of a disaster.
- Plan and perform IS assurance or consulting assignments by applying the knowledge learnt, and present a project assignment relating to the allotted case study to confirm understanding.
To consult on Risk Management
RISK RESPONSE POLICY
1. Avoid: Organization may consider this response by deciding not to use technology for select business operation.
2. Transfer: The organization tries to pass the risk on to another entity, for example (a) by insuring against financial losses, or (b) by using an outsourcing option.
3. Accept: If the risk assessed is within the risk appetite, management may decide not to implement control and accept the risk.
4. Mitigate: The organization decides to implement controls, sometimes by incurring additional cost (such as delay in a process, acquiring a tool, adding manpower etc.), so as to reduce the assessed impact and bring it within acceptable limits. The organisation may choose to accept the remaining (residual) risk.
The Costs of Data Loss: Data is a critical resource of an organization for its present and future processes and for its ability to adapt and survive in a changing environment.
Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigation and correction of out-of-control processes. These high-level decisions require accurate data to make quality decision rules.
Costs of Computer Abuse: Unauthorized access to computer systems, computer viruses, unauthorized physical access to computer facilities and unauthorized copies of sensitive data can lead to destruction of assets (hardware, software, documentation etc.).
High Costs of Computer Error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or processing can cause great damage.
Maintenance of Privacy: Today the data collected in a business process contains details about an individual's medical history, education, employment, residence etc. Such data was also collected before computers, but now there is a fear that privacy has eroded beyond acceptable levels.
Controlled Evolution of Computer Use: The reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.
Information Systems auditing is the process of attesting objectives that focus on asset safeguarding and data integrity, together with management objectives (those of the internal auditor) that include not only attest objectives but also effectiveness and efficiency objectives.
Asset Safeguarding Objectives: The information system assets (hardware, software, data files etc.) must be protected by a system of internal controls from unauthorised access.
Data Integrity Objectives: Data integrity is a fundamental attribute of IS auditing. The importance of maintaining the integrity of an organisation's data depends on the value of the information, the extent of access to the information and the value of the data to the business from the perspective of the decision maker, the competition and the market environment.
System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet substantial user requirements.
System Efficiency Objectives: To optimize the use of various information system resources (machine time, peripherals, system software and labour) along with the impact on its computing environment.
CONTROL
The objective of controls is to reduce or, if possible, eradicate the causes of exposure to probable loss. All exposures have causes and are potential losses due to threats materialising. Some categories of exposure are:
- Errors or omissions in data, procedures, processing, judgment and comparison.
- Improper authorisations and improper accountability with regard to procedures, processing, judgment and comparison.
- Inefficient activity in procedures, processing and comparison.
Some of the critical control considerations in a computerised environment are:
- Lack of management understanding of IS risks and of the necessary IS and related controls.
- Absence of, or an inadequate, IS control framework.
- Absence of, or weak, general and IS controls.
- Lack of awareness and knowledge of IS risks and controls amongst business users and even IT staff.
- Complexity of implementing controls in distributed computing environments and extended enterprises.
- Lack of control features, or of their implementation, in highly technology-driven environments.
- Inappropriate technology implementations or inadequate security functionality in the technologies implemented.
REVIEW & MONITORING
Periodic review and monitoring of risk and controls: after implementation of the risk responses and management techniques, managers need to monitor the actual activities to ensure that the identified risk stays within an acceptable threshold. To ensure that risks are reviewed and updated, organizations must have a process that ensures the review of risks. The best processes are:
1. Periodic review: the risk assessment exercise may be conducted after a predefined period, say annually.
2. All incidents and lessons learned must be used to review the identified risks.
3. Change management processes proactively review possible risks and ensure they are part of the organization's risk register.
4. New initiatives and projects must be considered only after a risk assessment.
INFORMATION SECURITY
The key elements of information security management include:
- Senior management commitment and support
- Policies and procedures
- Organization structure and roles and responsibilities
- Security awareness and education
- Monitoring
- Compliance
- Incident handling and response
Information Security can be a business enabler if the following five suggested actions are adopted by Information Security Management:
a) Alignment with business objectives: Management views Information Security as another support function and not a primary business function, although an important one. Management needs to establish a security policy in line with business objectives, to ensure that all Information Security elements are strategically aligned.
b) Organizational culture: Ensure that the framework followed to implement, maintain, monitor and improve Information Security is consistent with the organisational culture.
c) Establish and enforce an Information Security Programme: An Information Security programme focuses on protecting the information present in business processes. Establish a programme to improve Information Security management enterprise-wide and enforce it.
d) Adoption of a standard: Adopting an internationally recognised reference framework to establish an Information Security framework is useful in providing assurance that all required aspects of information security are covered. It also helps in benchmarking security levels. Adopting an information security standard demonstrates to staff, customers and trading partners that their data is safe, and that there is independent verification of this fact. The rules formulated under the IT (Amendment) Act, 2008 define reasonable security as the implementation of ISO 27001 or an equivalent certifiable standard, so as to establish that reasonable security practices are being followed.
e) Spend resources wisely and transparently: Prioritise expenditure to mitigate risks, and avoid spending more resources on assessing risks than would be spent if the problems really occurred.
DATA CLASSIFICATION & PRIVACY POLICY
It is the policy of the Organization to protect against the unauthorized access, use, corruption, disclosure, and distribution of non-public personal information in its possession, and to comply with all applicable laws and regulations regarding such information. It generally covers:
- The organization shall hold non-public personal information in strict confidence and shall not release or disclose such information to any person except as required or authorized by law, and only to such persons who are authorized to receive it.
- The organization shall adopt procedures for the administrative, technical and physical safeguarding of all non-public personal information.
- The organization shall ensure that an entity controlled by it, or any other entity that utilizes information provided by the organization to carry out its responsibilities, shall have signed and agreed to abide by the terms of the data privacy and security policy, or shall have adopted a data privacy and security policy that is substantially similar to the organization's policy.
ACCEPTABLE USE OF IT FAIR USE POLICY
An acceptable use policy (AUP) is a set of rules applied by the owner or manager of a network, website or large computer system that restricts the ways in which the network, website or system may be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems.
For this reason, an AUP must be concise and clear, while at the same time covering the most important points about what users are, and are not, allowed to do with the IT systems of an organization. It should specifically cover acceptable use of the Internet.
For example, it may state that no user of the company's Internet facility will connect to pornographic, child abuse or racial discrimination sites, and so on.
PHYSICAL ACCESS & SECURITY POLICY
Physical security describes security measures that are designed to restrict unauthorized access to facilities, equipment and resources, and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems, which include CCTV surveillance, security guards, biometric access, RFID cards, access cards, protective barriers, locks, access control protocols, and many other techniques.
Asset Management Policy: This policy defines the requirements for the protection of information assets. It includes assets like servers, desktops, handhelds, software, network devices etc., and covers all assets used by the organisation, whether owned or leased.
Business Continuity Management Policy: This policy defines the requirements to ensure continuity of business-critical operations. It is designed to minimise the impact of an unforeseen event (or disaster) and to facilitate the return of business to normal levels.
NETWORK SECURITY POLICY
A network security policy defines the overall rules for an organisation's network access, determines how the policies are enforced, and lays down some of the basic architecture of the company's security and network security environment.
PASSWORD POLICY
This policy defines the high-level configuration of passwords to be used within the organisation to access information assets. For example:
- Password length must be more than 8 characters
- Password must be complex, containing upper case, lower case, numeric and special characters
- Password must be changed regularly
- Password should not be used again for a minimum period
- Password should not be changed in consecutive sequence
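The five rules above, as a policy checker written for this page (an added example, not the organisation's code). The page fixes only the length rule; the 90-day maximum age, the 365-day reuse period, and the reading of "consecutive sequence" as a bumped trailing counter or a one-character change are assumptions, and the sample account is constructed.

```python
import re
import string
from dataclasses import dataclass, field
from datetime import date


MIN_LENGTH_EXCLUSIVE = 8   # page: "must be more than 8 characters"
MAX_AGE_DAYS = 90          # assumed threshold for "changed regularly"
MIN_REUSE_DAYS = 365       # assumed threshold for "not used again for a minimum period"


@dataclass
class PasswordRecord:
    """One password-history entry (constructed sample data; a real system
    would keep salted hashes, not plaintext)."""
    password: str
    set_on: date


@dataclass
class Account:
    history: list = field(default_factory=list)   # oldest first, current last


def complexity_errors(pw: str) -> list:
    """Rule 2: upper case, lower case, numeric and special characters are all required."""
    classes = {
        "upper case": str.isupper,
        "lower case": str.islower,
        "numeric": str.isdigit,
        "special": lambda ch: ch in string.punctuation,
    }
    return [f"complexity: missing {name} character"
            for name, test in classes.items() if not any(test(ch) for ch in pw)]


# Splits a password into <prefix><last run of digits><non-digit suffix>.
_COUNTER = re.compile(r"^(.*?)(\d+)(\D*)$")


def is_consecutive(old: str, new: str) -> bool:
    """Rule 5 (assumed reading): a 'consecutive sequence' change is one where only a
    trailing counter was bumped (Summer2024! -> Summer2025!) or exactly one character differs."""
    if old == new:
        return False                      # exact reuse is rule 4's job
    mo, mn = _COUNTER.match(old), _COUNTER.match(new)
    if mo and mn and mo.group(1) == mn.group(1) and mo.group(3) == mn.group(3):
        if abs(int(mo.group(2)) - int(mn.group(2))) == 1:
            return True
    return len(old) == len(new) and sum(a != b for a, b in zip(old, new)) == 1


def needs_change(account: Account, today: date) -> bool:
    """Rule 3: the current password has aged past MAX_AGE_DAYS."""
    if not account.history:
        return True
    return (today - account.history[-1].set_on).days > MAX_AGE_DAYS


def check_new_password(account: Account, candidate: str, today: date) -> list:
    """Returns the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if len(candidate) <= MIN_LENGTH_EXCLUSIVE:                       # rule 1
        problems.append("length: must be more than 8 characters")
    problems.extend(complexity_errors(candidate))                    # rule 2
    # Rule 4: the same password may not return within MIN_REUSE_DAYS of when it was set.
    for rec in account.history:
        if rec.password == candidate and (today - rec.set_on).days < MIN_REUSE_DAYS:
            problems.append("reuse: password used within the minimum reuse period")
            break
    if account.history and is_consecutive(account.history[-1].password, candidate):
        problems.append("sequence: new password is a consecutive change of the old one")
    return problems


# Constructed sample account: two previous passwords, the latest now 92 days old.
SAMPLE_ACCOUNT = Account(history=[PasswordRecord("Summer2023!", date(2023, 9, 1)),
                                  PasswordRecord("Summer2024!", date(2024, 3, 1))])
SAMPLE_TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print("change due:", needs_change(SAMPLE_ACCOUNT, SAMPLE_TODAY))
    for cand in ("Summer2025!", "Summer2023!", "short1A!", "Tr0ub4dor&3x9"):
        print(cand, "->", check_new_password(SAMPLE_ACCOUNT, cand, SAMPLE_TODAY) or "compliant")
```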
SECURITY POLICY
The first fundamental security rule is that each individual should be aware of what the organisation expects from them. These expectations are communicated through various important documents such as company policies and individual job descriptions (duties, responsibilities and the level of authority they have). It is difficult (and unjust) for an organization to accuse an individual of carrying out activities or tasks which they have no right to do, if the individual's job was not clearly possible for an organisation to put into place other personnel security procedures including the following:
- Segregation of duties
- Four eyes (the two-person principle)
- Rotation of duties
- Key man policies
OWNERSHIP POLICY
However, for security and control, ownership is delegated to an employee or group of employees who need to use these assets. In other words, users have the right not only to use the assets but are also responsible for the safe-keeping of the assets. This fundamental rule of organizational control also applies to corporate security, where ownership must be defined in order for control to be applied. Thus every corporate asset, building, item of equipment, bank account and item of information should have a clearly defined 'owner'. The owner should then have a defined set of responsibilities, such as:
- Ensuring that computer rooms are kept clean and tidy
- Ensuring that equipment is well maintained and kept operational
- Ensuring that an item of data used by the organization is accurate and up to date
Owners of a particular asset generally have authority over it, thus an owner may have t
RISKS AND MITIGATION POLICY
DATA BREACH
What if there is a data breach in your office: ransomware attack, digital signatures, loss of reputation and repercussions after a data breach.
STORAGE SECURITY
(1) Drive Lock (2) Folder Lock (3) File Lock (4) Attribute (5) Backup
NETWORK SECURITY
Email Security: (1) Confidential Mode (2) App Permission (3) Safe-note (4) Separate Mail (5) Temporary Mail (6) Separate Mobile Number
Productivity Tools: (1) Google Drive Sync (2) Android Air (3) Snapdrop.net (4) Notepad (5) Multiple Inboxes at one place (6) Google Docs Voice Typing (7) Best Performance/Battery Saver (8) Getnotify.com
Online Security: (1) Cookies (2) Password Saving Tool (3) Unfurl Short URL (4) Windows 7 EO (5) Bot Removal Tool https://www.csk.gov.in/security-tools.html
INFORMATION SAFETY POLICY
There are several different types of computer crime, many of which overlap. Some of the most commonly reported computer crimes are:
a. Denial of Service (DoS): A Denial-of-Service attack (DoS) is an attempt to make a machine or network unavailable to its intended users. This causes legitimate users to be unable to get on the network and may even cause the network to crash.
b. Network Intrusions: Network intrusion refers to unauthorized access to an organization's internal network.
c. Software Piracy: The illegal copying of software.
d. Spoofing of IP Addresses: IP address spoofing, or IP spoofing, is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.
e. Eavesdropping: Eavesdropping is the unauthorized real-time interception of a private communication, such as a phone call, instant message, video conference or fax transmission.
f. Phishing: Phishing is the act of trying to obtain information like user IDs and passwords for bank accounts, credit card PINs etc., using electronic communication means like emails, fake websites etc.
g. Social Engineering: It is the act of obtaining or attempting to obtain otherwise secure data by conning an individual into revealing secure information. Social engineering is successful because its victims innately want to trust other people and are naturally helpful. The victims of social engineering are tricked into releasing information that they do not realize will be used to attack a computer network.
h. Hacking: Hacking is the process of exploiting vulnerabilities of a system to gain unauthorized access to systems or resources like a website, bank accounts etc.
i. Dumpster diving: Dumpster diving is looking for treasure in someone else's trash; a technique used to retrieve information that could be used to carry out an attack on an organization.
j. Data Diddling: Data diddling is the changing of data before or during entry into the computer system. Examples include forging or counterfeiting documents used for data entry, and exchanging valid disks and tapes with modified replacements.
k. Targeted attacks: The new trend in cyber (computer-related) crime is targeted attacks. These are attacks that are specifically targeted at a selected organization. They combine attacks like malware (a virus or programme written with a specific objective, e.g. Stuxnet), social engineering to introduce the malware into the system, data diddling and scavenging (the malware, once activated, initiates these attacks and sends information outside in small proportions so as not to be detected).
l. Advanced Persistent Threat (APT): This is a type of targeted attack that continues for a sustained period of about a year or more. The malware launched starts sending confidential information out, masking it and sending it in small proportions so as not to cross monitoring thresholds.
m. Botnets: Acronym for robotic network. An underground network established by hackers by sending malware. This malware goes undetected since it is part of a targeted attack. Hackers build a virtual network of such compromised computers and use it as and when required to launch attacks.
INCIDENT HANDLING POLICY
Incident handling should address:
a. What constitutes an incident
b. How an incident should be reported
c. To whom an incident should be reported
d. What action should be taken if an incident occurs
e. Who should handle the response to the incident
f. Whether recovery procedures are required
g. What type of follow-up or review is required
h. Whether additional safeguards should be implemented
i. How to minimise damage from security incidents, and to recover and learn from such incidents
INCIDENT RESPONSE CAPABILITY POLICY
A formal incident response capability should be established, and it should include the following phases:
- Planning and preparation
- Detection
- Initiation
- Recording
- Evaluation
- Containment
- Eradication
- Escalation
- Response
- Recovery
- Closure
- Reporting
- Post-incident review
- Lessons learned
The organisation and management of an incident response capability should be co-ordinated or centralised, with the establishment of key roles and responsibilities. This should include:
- A coordinator who acts as the liaison to business process owners
- A director who oversees the incident response capability
- Managers who manage individual incidents
- Security specialists who detect, investigate, contain and recover from incidents
- Non-security technical specialists who provide assistance based on subject-matter expertise
- Business unit leader liaisons (legal, human resources, public relations, etc.)
Incidents occur because of weaknesses or vulnerabilities that are not addressed properly. A post-incident review phase should determine which vulnerabilities were exploited and why.
INFORMATION ASSET CONTROL POLICY
Effective control requires a detailed inventory of information assets. Such a list is the first step in classifying the assets and determining the level of protection to be provided to each asset. The inventory record of each information asset should include:
- Specific identification of the asset: server, printer, network device etc.
- Relative value to the organisation (based on the impact on the business in case of compromise; many times this value is determined by the class of information processed or stored by the asset)
- Location: where is the asset located? Depending on the class of information, location and protection might be decided
- Security/risk classification
- Asset group (where the asset forms part of a larger information system)
- Owner
- Designated custodian of the media which may contain or comprise information/data, such as:
  - Databases
  - Data files
  - Back-up media
  - On-line magnetic media
  - Off-line magnetic media
  - Paper
  - System documentation
  - User manuals
  - Training material
  - Operational or support procedures
  - Continuity plans
  - Fall-back arrangements
Information classification can provide organisations with a systematic approach to protecting information consistently across all parts of the organisation and for all versions of the information (original, copies, discarded, outdated etc.). Information follows a life cycle consisting of one or more stages such as: origination, draft, approved/signed, received, stored, processed, transmitted, archived, discarded, destroyed etc. The organisation is expected to protect information during each stage of its life cycle in a consistent manner. The state in which information exists can also influence how a piece of information should be protected.
DATA PRIVACY POLICY
Data privacy, also called information privacy, generally refers to personal information. This personal information can relate to any person or stakeholder who needs to provide this information to the organisation. For example, banks may have to collect identification proofs, PAN card details, addresses and telephone numbers from customers, and generate information like credit card details and bank account numbers for customers; retail stores may collect credit card information from customers. If such information is leaked, it may result in identity theft or impersonation by another person with malicious intent. Organisations must take care to protect such information. Many countries have enacted laws to fix accountability, and organisations must comply with these laws. These laws specifically mandate that the organisation must secure personally identifiable information (PII) while processing it and while sharing it with third parties, business associates, users etc.
DATA PROTECTION POLICY
In order to ensure that appropriate protection is provided to information assets, the organisation must first identify and classify all information assets. Classification of information assets must take place at all the levels described below:
- For paper documents, including output from systems, classification will apply to each individual document;
- For server-based systems, classification will be done at the file or data level;
- For information in a database, the classification will normally apply to the entire database;
- For critical databases, classification may apply at column level, at the discretion of the information owner;
- For distributed systems, classification will normally apply to all information supported by the system; in this case the classification is determined by the highest category of information supported;
- CDs, DVDs, diskettes, tapes, memory cards, USB sticks and any other information carriers should be classified at the highest category of information carried.
DATA PROTECTION LEVEL POLICY
The protection policy must be defined based on the class of information and the type of information described above. The protection level for each class of information shall be determined based on the risk to the organization from a breach of such information. While formulating data protection levels, organizations need to consider these key points:
1. Physical security for all assets involved in the information life cycle:
   a. Desktops/laptops
   b. Servers/storage area networks (SAN)
   c. USB sticks, tapes, DVDs and other portable storage
   d. Documents
2. Physical security of back-up media during transit, depending upon the criticality of the contents.
3. Strong room/safe, lock and key, and fireproof cupboards for paper documents and other portable storage, based on the class of information.
4. Strong access controls based on the principle of "need to know and need to do". The information asset owner/custodian may consider defining an access control matrix for approving and granting access to information based on its class.
5. Encryption of information during transmission, processing and storage.
6. A content management process for data being published (printed, advertisement, website), transmitted, communicated or mailed.
7. Information communication policies and an approval process, if required, before accessing, processing or transmitting classified information.
8. Consider automating the data protection process based on a cost-benefit analysis.
9. Monitoring of outgoing traffic, particularly for classified information.
Classification of other Information Assets: Classification of information assets helps an organisation address its most significant risks by affording them the appropriate level of security. As not all information has the same value or use, nor is subject to the same risks, the protection mechanisms, recovery processes, etc. differ, with differing costs associated with them.
PHYSICAL IT ASSETS POLICY
Information assets other than data can be categorized into the following types:
1. Servers: Servers are the most physically secure class of systems, due to the common practice of placing them in a location that has better access and environmental control. Although this class may be the most physically secure, their overall security is dependent on the physical security of the workstations and portable devices that access them.
2. Workstations: Usually located in more open or accessible areas of a facility. Because of their availability within the workplace, workstations can be prone to physical security problems if used carelessly.
3. Portable devices: Can be an organization's security nightmare. Although issuing laptops and PDAs to employees facilitates flexibility and productivity in an organization, it poses several serious risks with regard to physical security. Besides, more and more organizations are adopting a Bring Your Own Device (BYOD) policy, which further makes the portable device and the corporate network vulnerable. With users accessing the company's internal information systems from anywhere, a breach in physical security on one of these devices could undermine an organization's information security. Extreme care must be taken with this class.
4. Printers: Although data is stored electronically, reports, letters, communications etc. have to be printed, so organizations deploy printers. In order to optimize printer use, most organizations deploy network-based printers shared among a group of users. In such a situation it is necessary to control the number of copies printed, particularly if the information is classified: if the owner is not attending the printer, there is a possibility that unauthorized users may access such reports.
5. Network devices: Devices deployed for establishing communication, which include routers, switches, firewalls, cables, wireless devices and other network monitoring tools.
6. Unattended equipment: Special care must be taken to protect unattended devices. For example, telecom companies may install towers to facilitate mobile communication that are not attended, or a bank may install an ATM without security guards.