

Quality Management Articles - Quality Matters Blog

Quality Matters is an independent Management Consultancy based in Maldon, Essex. Here we discuss the latest in Quality and Information Security News.

It isn't rocket science!

I visit a fair number of businesses each year and I am often surprised by the real lack of security for computer systems. Many businesses either don't know about security or think that a security incident won't affect them.

Here are 10 basic security precautions for Windows machines :
  1. Always set the option to force a user to press CTRL-ALT-DEL before logging on
  2. Passwords should be at least six characters long and contain letters and numbers
  3. Don't use your name, your partner's name or the name of a pet as a password
  4. Don't write the password on a post-it note and stick it to the screen or under the keyboard
  5. Passwords should be changed regularly
  6. Don't share your password with anyone
  7. Use anti-virus software and keep it up to date
  8. Use an anti-spyware programme regularly
  9. Turn on the inbuilt firewall (Windows XP and later machines)
  10. When leaving the desktop or laptop unattended, lock the system by pressing the Windows key and L
Simple steps can save real problems



Posted: Tuesday, 17 March 2009



Security of Passwords ISO27001

Each year, just before INFOSEC (the Information Security Exhibition), a test is carried out to assess the level of security placed upon workplace passwords.

This year your password could be exchanged for a chocolate bar. It is still shocking that some 64% of people challenged outside Liverpool Street railway station in Central London, were prepared to give their passwords away for a paltry chocolate bar. The findings were further segmented when the split of sexes was added into the equation; more of those giving away their passwords were women.

Where the questions were extended to ask for telephone numbers, place of work and dates of birth in exchange for the chance to win a holiday, the numbers were lower, but still more women than men gave their details, if only just.

The only crumb of consolation is that the total numbers prepared to compromise their personal or work security is down on last year by about 20%.

Government and big business continue to exhibit a less than satisfactory level of care with our security; in another case, a problem with email attachments resulted in a disc being sent by normal post. The disc contained important information but was protected only by a basic password which, the company admitted, could be broken in a matter of minutes. The disc did not arrive.

It is not known how many of the security details given away at Liverpool Street Station were genuine and how many were simply wrong, but working on the 70:30 principle a good number were genuine. It is fortunate that the details obtained were not used for any unauthorised purpose... but they could have been.

Vigilance is required to ensure security of all our systems



Posted: Monday, 2 June 2008



ISO27001 Information Security

Data security, or the lack of it, is in the news almost daily and the news is pretty alarming. Report after report reveals shortfalls in the care of our data, often caused by sheer casualness.

Every cloud has a silver lining however; we have seen a huge increase in enquiries for consultancy in setting up ISO27001 systems. It seems that industry and commerce are taking data security very seriously, unlike the Revenue.

ISO27001 sets out a number of steps that protect data and other information from unauthorised access and release. It also ensures compliance with the Data Protection Act and helps protect companies from litigation concerning data.

Surely it cannot be long before the Information Commissioner takes action or, failing that, litigation is brought against those who lose or act in a cavalier manner with data under their care.

Every organisation employing ISO27001 can claim that they have used best practice and have taken all reasonable steps to ensure that the elements of Data Security have been employed. This is a valid defence in a Court of Law (if it should go that far).

The main requirements are the three known as C.I.A.:

Confidentiality
  • To ensure that data is not compromised or released

Integrity
  • To ensure that data is protected from unauthorised alteration

Availability
  • To ensure that data is available when and where required


If we all carry this out then there is hope for us yet.

At the moment, I for one, am unwilling to trust my valuable data to any organisation not complying fully with ISO27001.



Posted: Monday, 25 February 2008



Business Continuity Planning

Business continuity planning is one subject that is often left to the last minute but is one of great importance.

If you wait until 'something' happens, it could be too late. I have seen people wading in calf-deep water looking for the stopcock, and others reading the instructions on a fire extinguisher in the middle of a fire.

In reality we should all know what to do in an emergency well before the emergency happens and be prepared for most eventualities.

We have read about the terrorist attack, the dirty bomb and other major catastrophes but it is often the 'soft' disasters which can cause irreparable damage to a company.

One such problem occurred recently; the company uses a card entry system to gain access to the building. The server housing the operating system failed and prevented anyone entering the building. It was apparent that there was no manual override; people milled around outside the building, not really knowing what to do. Eventually someone broke a window to gain entry. Of course the alarm went off and before it could be turned off the police were on site; embarrassment all round.

The company has now put a system in place to override the card system if it fails in the future.

The winter season also means that illness will increase; how many companies have prepared for a flu epidemic? Sadly very few.

Companies that have incorporated ISO27001 (Information Security Management System) will have an emergency plan in place, regularly tested and validated. This, together with an IT Disaster Recovery Plan, will be able to deal with most eventualities. The old saying 'hope for the best but prepare for the worst' is a good mantra to use.

Companies that have suffered a major disaster, such as being in the vicinity of the Buncefield fuel depot fire, and did not have any business continuity plan have disappeared without trace. Insurance cover just didn't mitigate all the problems. Those companies that did have a plan in place had difficulties but managed to survive.

It is a pity that, as of December 2007, there are only 363 companies in the UK certified to ISO27001. It is a very big standard to achieve but the benefits are huge.



Posted: Thursday, 17 January 2008

2 Comments:

Anonymous Ed. said...

There seems to be an ongoing confusion here between ISO Standards requirements and conformance and the possible REGISTRATION activity. It is perfectly possible to argue the case for compliance/conformance with the requirements of the various Standards, but other than on the dubious grounds of Publicity I have yet to hear a case for the necessary investment in the registration process.

7 April 2008 18:43  
Anonymous Anonymous said...

Although I agree in principle, formal certification does mean that someone else is confirming your compliance to a standard and this must carry more weight than a self declaration

12 April 2008 11:53  



A Happy New Year (and a more secure one!)

We should all hope that 2008 is going to be a more secure year for our data. It seems that every day brings fresh news that our data has been compromised in one way or another. The chief culprits appear to be government departments, which are being forced to own up to past data breaches rather than being found out by the Information Commissioner.

In addition to lost disks, there are paper records discarded in public dustbins and lost laptops by the boat-load. Security which was trumpeted by ministers as being paramount seems to have been very low on their priority list in their own domains. It is also lamentable that there has been a deliberate policy of hiding the facts from those people most at risk.

We must be vigilant as these data breaches might not affect us until some date in the future. Criminals will wait until the furore has died down before using the data illegally.

Let us make sure that 2008 is a year of data security, here is a recap of precautions:

  • Always shred confidential documents or documents having identifiable data;

  • Never give passwords or log on information to email enquiries, telephone callers or visitors;

  • Be wary of emails directing you to a bank or other secure site which ask for personal information;

  • Do be aware that information put into social sites such as Facebook may be visible to people other than the intended audience. Dates of birth, names and addresses, telephone numbers and details of family can be used to steal identities.

  • Never dispose of old computers until the hard drives have been removed or destroyed; remember deleting or re-formatting the disk does not actually delete the data;

  • Never leave confidential documents on desks overnight or when unattended (clear desk policies);

  • Laptops should be secured with a multistrand cable to an immovable object like a radiator when unattended;

  • Laptops should be password protected;

  • Laptops should be encrypted if data is sensitive;

  • Never share passwords, and use complex passwords to prevent others gaining access to desktops and laptops;

  • Never leave desktops and laptops logged in and unattended;

The list goes on and on but use common sense - assume that the worst may happen and take precautions to stop or at least reduce it.

Let us all have a Happy and safe New Year



Posted: Thursday, 3 January 2008



ISO27001 and Hard Disks

We all tend to take our hard disk drives very much for granted; they start each day and provide sterling service, needing only a little care and a bit of housekeeping such as defragmentation and cleanup.

A disk drive consists of disks of magnetic material spinning at relatively high speeds with a read head flying less than the breadth of a human hair above them. The smallest deviation will result in the head crashing into the magnetic disk with disastrous results. Add to this the mechanics and electronics of the thing and it is not surprising that ALL disk drives will fail; yes, 100% of them.

If you have been sensible, taken good backups of your data and verified that the backups are good, then you will have only a moderately bad time reinstalling the programs and settings etc. If you have been super efficient and have used a mirrored RAID system, where the information on one disk is mirrored onto another, then you will have very little down-time.

The sad thing is that very few organisations have a full mirror set-up, not all organisations have a verified back-up and some organisations have no back-up at all. Irretrievable loss of all data can be very damaging, if not fatal, to an organisation.

The ISO27001 Information Security Management Standard specifies the level of backup required, the protection to be given to backup media and, finally, how redundant media are decommissioned and disposed of.

Don't let short term gains result in data loss.
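The post's point is that a backup only counts once it has been verified. As an added example (not code from the Quality Matters blog), the following Python script records a SHA-256 manifest of a backup tree at the time the copy is made and later checks the tree against that manifest, reporting files that have gone missing and files whose contents no longer match. The directory layout and file contents in `demo()` are constructed purely for the demonstration.

```python
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (as a relative POSIX path) to its SHA-256.

    Store the returned manifest somewhere other than the backup media itself,
    otherwise a failed disk takes the evidence with it."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict[str, str], backup_root: Path) -> dict[str, list[str]]:
    """Compare a backup tree against the manifest taken when it was made.

    Returns the relative paths missing from the backup and those whose content
    no longer matches (bad sectors, a truncated copy, or tampering)."""
    missing: list[str] = []
    corrupted: list[str] = []
    for rel, expected in manifest.items():
        target = backup_root / rel
        if not target.is_file():
            missing.append(rel)
        elif file_sha256(target) != expected:
            corrupted.append(rel)
    return {"missing": missing, "corrupted": corrupted}


def demo(damage: bool = True) -> dict[str, list[str]]:
    """Constructed scenario: copy a small tree, record a manifest, optionally
    damage the copy the way a failing disk would, then verify it."""
    work = Path(tempfile.mkdtemp())
    try:
        source = work / "source"
        (source / "accounts").mkdir(parents=True)
        (source / "accounts" / "ledger.csv").write_bytes(b"date,amount\n2007-03-15,100\n")
        (source / "contracts.txt").write_bytes(b"Client A: signed\n")
        (source / "notes.txt").write_bytes(b"call supplier\n")

        backup = work / "backup"
        shutil.copytree(source, backup)
        manifest = build_manifest(backup)  # taken immediately after the copy

        if damage:
            # Simulate damage found months later: one file partly overwritten
            # with zeros (bad sectors), one file gone altogether.
            (backup / "accounts" / "ledger.csv").write_bytes(b"date,amount\n\x00\x00\x00\x00")
            (backup / "notes.txt").unlink()

        return verify_backup(manifest, backup)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
    # {'missing': ['notes.txt'], 'corrupted': ['accounts/ledger.csv']}
```

Run the verification on a schedule rather than only at restore time; a backup that silently rotted a year ago is exactly the "no back-up at all" case the post warns about, just discovered later.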



Posted: Thursday, 15 March 2007


Basic Computer Security

Many businesses are considering the introduction of ISO27001 - Information Security Management - as part of their strategic plan to protect computer and other records from unwanted disclosure or misuse.

Other organisations should at least consider basic security on their computer systems; however, it is surprising how often really basic security measures on desktops and laptops are not being used.

Here are 10 basic security precautions:

  1. Always set the option to force a user to press CTRL-ALT-DEL before logging on

  2. Passwords should be at least six characters long and contain letters and numbers

  3. Don't use your name, your partner's name or the name of a pet as a password

  4. Don't write the password on a post-it note and stick it to the screen or under the keyboard

  5. Passwords should be changed regularly

  6. Don't share your password with anyone

  7. Use antivirus software and keep it up to date

  8. Use an anti spyware programme regularly

  9. Turn on the inbuilt firewall (Windows XP and later machines)

  10. When leaving the desktop or laptop unattended, lock the system by pressing the Windows key and L.

Better safe than sorry
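Items 2 and 3 of this list (and of the identical list in the 17 March 2009 post) are rules an administrator can enforce at the point a password is chosen. As an added example (not code from the Quality Matters blog), here is a small Python checker that applies them: at least six characters, letters and numbers, and no personal name (the user's own, a partner's or a pet's) hidden inside the password. The six-character threshold is the page's own and is a parameter; the substitution table, the name list in the example and the three-character minimum for name matching are assumptions made for illustration.

```python
from __future__ import annotations

import re

# Threshold from the blog's precaution list; raise it for a stricter policy.
MIN_LENGTH = 6

# Common digit/symbol substitutions people use to "disguise" a name.
# Assumption: a small illustrative table, not an exhaustive list.
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(text: str) -> str:
    """Lower-case and undo common substitutions so that 'R0v3r' is compared
    against the pet name 'rover' rather than slipping past it."""
    return text.lower().translate(_SUBSTITUTIONS)


def check_password(password: str, personal_names: list[str],
                   min_length: int = MIN_LENGTH) -> list[str]:
    """Return the policy violations found (an empty list means the password passes).

    personal_names holds the names the post says must not be used: the user's
    own name, a partner's name, a pet's name. Fragments shorter than three
    characters are ignored so that a name like 'Al' does not reject everything.
    """
    problems: list[str] = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"[0-9]", password):
        problems.append("contains no numbers")

    norm_pw = normalise(password)
    for name in personal_names:
        norm_name = normalise(name.strip())
        if len(norm_name) >= 3 and norm_name in norm_pw:
            problems.append(f"contains the personal name '{name}'")
    return problems


if __name__ == "__main__":
    # Constructed sample: a user called Alice, partner Bob, dog Rover.
    names = ["Alice", "Bob", "Rover"]
    for candidate in ["abc", "R0ver99", "Tr4ffic-L1ght"]:
        print(candidate, "->", check_password(candidate, names) or "OK")
```

Run it where passwords are set or reset, with the user's own details supplied from the directory record, so the names rule is checked automatically instead of relying on each person remembering it.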



Posted: Saturday, 27 January 2007



Information Security Management: All you need to Know

Information is the lifeblood of all organisations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation.


In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.


Threats

There is a need to establish a comprehensive Information Security Policy within all organisations. You need to ensure the confidentiality, integrity and availability of both vital corporate information and customer information. The standard for an Information Security Management System (ISMS), ISO27001, has fast become one of the world's best-selling standards.


What is an Information Security Management System?


An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. BSI has published a code of practice for these systems, ISO/IEC 17799, which is now being adopted internationally.


Where do I Start?

Develop an information security policy and identify your organisation's key information assets. Purchase the standards, ISO/IEC 17799 and ISO27001, to help you do this.


  1. Carry out a risk assessment and build your ISMS. Training of key staff will help to ensure its successful implementation.

  2. Once your management system is fully implemented you can register to ISO27001 with one of the accredited certification bodies.

What is ISO27001?

ISO27001 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimise the range of threats to which information is regularly subjected.


Annex A of BS 7799 identifies 10 controls:

  • Security policy - This provides management direction and support for information security

  • Organisation of assets and resources - To help you manage information security within the organisation

  • Asset classification and control - To help you identify your assets and appropriately protect them

  • Personnel security - To reduce the risks of human error, theft, fraud or misuse of facilities

  • Physical and environmental security - To prevent unauthorised access, damage and interference to business premises and information

  • Communications and operations management - To ensure the correct and secure operation of information processing facilities

  • Access control - To control access to information

  • Systems development and maintenance - To ensure that security is built into information systems

  • Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters

  • Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements.



Posted: Saturday, 2 December 2006


