Saturday, March 9, 2019
Kudler Security Report
Kudler Fine Foods IT Security Report and Presentation: Security Considerations
CMGT/400

According to Whitman and Mattord (2010), the ISO 27000 series is one of the most widely referenced security models. Referencing ISO/IEC 27002 (formerly ISO/IEC 17799:2005), the major process steps include risk assessment and treatment, security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, information systems acquisition, development, and maintenance, information security incident management, business continuity management, and compliance (Chapter 10, Security Management Models).

1. Risk assessment and treatment
2. Security policy: focuses mainly on the information security policy
3. Organization of information security: covers both the internal organization and external parties
4. Asset management: includes responsibility for assets and information classification
5. Human resources security: ranges from controls prior to employment, through employment, to termination or change of employment
6. Physical and environmental security: includes secure areas and equipment security
7. Communications and operations management: incorporates operational procedures and responsibilities, third-party service delivery management, system planning and acceptance, protection against malicious and mobile code, backup, network security management, media handling, exchange of information, electronic commerce services, and monitoring
8. Access control: focuses on the business requirement for access control, user access management, user responsibilities, network access control, operating system access control, application and information access control, and mobile computing and teleworking
9. Information systems acquisition, development, and maintenance: includes security requirements of information systems, correct processing in applications, cryptographic controls, security of system files, security in development and support processes, and technical vulnerability management
10. Information security incident management: addresses reporting of information security events and weaknesses, and management of information security incidents and improvements
11. Business continuity management: information security aspects of business continuity management
12. Compliance: includes compliance with legal requirements, compliance with security policies and standards, and technical compliance and information systems audit considerations

The SANS SCORE (2012) website provides a free audit checklist that organizations can use to determine whether they comply with ISO 27002. The tables below apply the SANS audit checklist to the Kudler Fine Foods frequent buyer program. Each row gives the audit question, the security consideration for Kudler, the concern if the control is absent, and the mitigation.

SECURITY POLICY

Information security policy
Audit question: Whether an information security policy exists that is approved by management, published, and communicated as appropriate to all employees. Whether the policy states management's commitment and sets out the organizational approach to managing information security.
Security considerations: A security policy is necessary to guide all access to information, and to block access where it is not authorized. The importance of the information should determine the strength of the controls.
Security concern if removed: Without a security policy in place, control over the information would be lost. Uncontrolled access will result in the loss of information.
Mitigation: Define what needs to be protected in order to develop the security policy.

Review of the information security policy
Audit question: Whether the information security policy is reviewed at planned intervals, or when significant changes occur, to ensure its continuing suitability, adequacy, and effectiveness. Whether the policy has an owner with approved management responsibility for its development, review, and evaluation. Whether defined review procedures exist and include requirements for management review. Whether the results of the management review are taken into account, and whether management approval is obtained for the revised policy.
Security considerations: The security policy should be reviewed as business practices, hardware, software, and the way information is shared change. Each part of the policy should have an owner who is responsible for keeping it up to date. A review procedure should be in place, and each change should be reviewed by management.
Security concern if removed: Without review, security policies will most likely become outdated and lose their usefulness. Without an owner for each division of the policy, no one is responsible for its maintenance. Without a procedure to review new policies and changes to current policies, unauthorized changes are not discouraged.
Mitigation: Each policy should be reviewed periodically to ensure its effectiveness. Each policy owner is responsible for the review of that policy. Each change will be brought before management before being put into action.

ORGANIZATION OF INFORMATION SECURITY

Management commitment to information security
Audit question: Whether management demonstrates active support for security measures within the organization, through clear direction, demonstrated commitment, and explicit assignment and acknowledgement of information security responsibilities.
Security considerations: An active role by management is required to ensure the effectiveness of the security policy.
Security concern if removed: Without the active support of management, the security policy will lose its effectiveness.
Mitigation: The role management plays in supporting the security policy should be stated in the policy itself.

Information security coordination
Audit question: Whether information security activities are coordinated by representatives from diverse parts of the organization, with pertinent roles and responsibilities.
Security considerations: Security activities need to be coordinated by representatives who hold the pertinent roles and responsibilities.
Security concern if removed: Information security activities need to be organized by employees with the appropriate authority. The security policies protect the information, and every activity associated with the policy should be carried out by responsible parties.
Mitigation: Ensure that the owner of each policy is responsible for all activities associated with that policy.

Allocation of information security responsibilities
Audit question: Whether responsibilities for the protection of individual assets, and for carrying out specific security processes, are clearly identified and defined.
Security considerations: The business will suffer losses if procedures are not clearly defined.
Security concern if removed: Without a clear set of rules governing the protection of assets and the security processes, the business will surely suffer a loss.
Mitigation: A clear set of instructions will be provided so that each individual asset and each security process is clearly defined, with a named responsible party.

Authorization process for information processing facilities
Audit question: Whether a management authorization process is defined and enforced for all new information processing facilities within the organization.
Security considerations: The authorization process needs to be clearly stated in the security policy. Any new information processing facility needs to go through that process before it is brought into use.
Security concern if removed: Without an authorization process, a new information processing facility would be left vulnerable to attack. Using the correct authorization process is essential to securing the information it contains.
Mitigation: Every information processing facility must be assigned to a member of management as its owner, who is responsible for ensuring the security policy is followed.

Confidentiality agreements
Audit question: Whether the organization's need for confidentiality or non-disclosure agreements (NDAs) for the protection of information is clearly defined and regularly reviewed, and whether this addresses the requirement to protect confidential information using legally enforceable terms.
Security considerations: The NDA should be clearly defined. This will help ensure the information is not compromised.
Security concern if removed: Without an NDA the legal remedies available to the business are greatly lessened. A business needs to protect its data to the fullest extent of the law.
Mitigation: The NDA needs to be reviewed periodically to ensure that any changes in the business are reflected in it.

Contact with authorities
Audit question: Whether there is a procedure that describes when, and by whom, applicable authorities such as law enforcement and the fire department should be contacted, and how the incident should be reported.
Security considerations: This is important to the physical security of the business and the employees within it.
Security concern if removed: The time it takes to act in an emergency is crucial to keeping employees and the business safe. A plan must be in place to avert potential losses due to unforeseen events.
Mitigation: A plan must be in place for each type of emergency involving outside authorities. This helps to prevent injury to employees and harm to the business.

Contact with special interest groups
Audit question: Whether appropriate contacts with special interest groups, other specialist security forums, and professional associations are maintained.
Security considerations: Contacts with third-party groups need to be approved by management.
Security concern if removed: Allowing a third-party group access to any information can be a risk to the business. All third-party associations should be approved in advance by management.
Mitigation: A policy needs to define the steps required to join special interest groups and how the relationship is maintained.

Independent review of information security
Audit question: Whether the organization's approach to managing information security, and its implementation, is reviewed independently at planned intervals, or when major changes to the security implementation occur.
Security considerations: Security management should be reviewed at planned intervals and when major changes occur.
Security concern if removed: The security of information can weaken over time (through an accumulation of small changes) or when a major change has taken place.
Mitigation: To ensure the highest level of security, a review should be carried out periodically and whenever a major change takes place.

Identification of risks related to external parties
Audit question: Whether risks to the organization's information and information processing facilities from processes involving external party access are identified, and appropriate controls implemented, before granting access.
Security considerations: Allowing third parties access to the network poses serious risks to the integrity of the system.
Security concern if removed: Allowing third parties access to the business network and the contents of the business systems poses a serious threat to the integrity of the information.
Mitigation: Strict rules and an access policy must be implemented before a third party is allowed access to any information in the business.

Addressing security when dealing with customers
Audit question: Whether all identified security requirements are fulfilled before granting customers access to the organization's information or assets.
Security considerations: Giving customers access to certain information can help to increase the customer base and customer awareness.
Security concern if removed: Allowing customers access to information in the business system poses a threat. Customers should only be allowed access to minimal information, through a separate website or informational address.
Mitigation: Access to information by customers should be stated in the security policy.

Addressing security in third-party agreements
Audit question: Whether agreements with third parties that involve accessing, processing, communicating, or managing the organization's information or information processing facilities, or introducing products or services to an information processing facility, comply with all appropriate security requirements.
Security considerations: All third-party agreements should be reviewed before implementation.
Security concern if removed: Entering into a third-party contract can carry legal ramifications.
Mitigation: Any third-party contract should be reviewed by the legal department to ensure the contract meets all of the business's security requirements.

ASSET MANAGEMENT

Inventory of assets
Audit question: Whether all assets are identified and an inventory or register of all important assets is maintained.
Security considerations: The business's assets need to be registered to ensure their safety.
Security concern if removed: Without a clear definition of assets, the business could suffer loss or theft of assets.
Mitigation: Each new asset will be registered and assigned an owner.

Ownership of assets
Audit question: Whether each identified asset has an owner, a defined and agreed-upon security classification, and access restrictions that are periodically reviewed.
Security considerations: The security policy must include clearly defined parameters for registering assets.
Security concern if removed: The business could suffer a loss without giving the asset an owner and defining access restrictions.
Mitigation: Each new asset should have an owner and restrictions on its access.

Acceptable use of assets
Audit question: Whether rules for acceptable use of information and assets associated with an information processing facility are identified, documented, and implemented.
Security considerations: Legal issues and profit losses could occur from the misuse of assets.
Security concern if removed: Without rules on the use of assets, the company could suffer losses and legal issues.
Mitigation: Defining all acceptable uses of business assets is crucial.

Classification guidelines
Audit question: Whether information is classified in terms of its value, legal requirements, sensitivity, and criticality to the organization.
Security considerations: Classification of information is crucial to the business. It determines who has access to the information.
Security concern if removed: Without classification it is harder to determine who should have access to a given piece of information.
Mitigation: All information should be classified in terms of its value, legal requirements, and sensitivity to ensure it is only accessible to authorized users.

Information labeling and handling
Audit question: Whether an appropriate set of procedures is defined for information labeling and handling, in accordance with the classification scheme adopted by the organization.
Security considerations: A set of organizational parameters should be devised to form the classification scheme.
Security concern if removed: Unorganized information can result in the loss of that information.
Mitigation: All information should be organized within the parameters defined in the classification scheme.

HUMAN RESOURCES SECURITY

Roles and responsibilities
Audit question: Whether the security roles and responsibilities of employees, contractors, and third-party users are defined and documented in accordance with the organization's information security policy, and whether they are clearly communicated to job candidates during the pre-employment process.
Security considerations: All personnel authorized to access confidential information need to be identified by the management team.
Security concern if removed: Unauthorized access to this information could result in identity theft.
Mitigation: All confidential information should be handled by authorized personnel only.

Screening
Audit question: Whether background verification checks for all candidates for employment, contractors, and third-party users are carried out in accordance with the relevant regulations, and whether the check includes character references, confirmation of claimed academic and professional qualifications, and independent identity checks.
Security considerations: All applicants considered for employment have to undergo a criminal background check before a job offer is made.
Security concern if removed: If not performed, persons with a history of theft could be hired.
Mitigation: All employees should be free of any criminal history that would cause concern to the company.

Terms and conditions of employment
Audit question: Whether employees, contractors, and third-party users are asked to sign a confidentiality or non-disclosure agreement as part of the initial terms and conditions of their employment contract, and whether this agreement covers the information security responsibilities of the organization, the employee, third-party users, and contractors.
Security considerations: Management must define what information is confidential, in accordance with existing laws and company policy.
Security concern if removed: Confidential information could be accessed and used for personal purposes.
Mitigation: Prevent confidential information from being disclosed to unauthorized persons.

Management responsibilities
Audit question: Whether management requires employees, contractors, and third-party users to apply security in accordance with the established policies and procedures of the organization.
Security considerations: Management must define which users need a given level of access.
Security concern if removed: Unauthorized access could be used for personal gain.
Mitigation: Prevent confidential information from being disclosed to unauthorized persons.

Information security awareness, education, and training
Audit question: Whether all employees in the organization, and where relevant contractors and third-party users, receive appropriate security awareness training and regular updates on organizational policies and procedures as they pertain to their job function.
Security considerations: Management and Loss Prevention must develop a training program and establish how often it needs to be administered.
Security concern if removed: Private information could be disclosed to unauthorized persons for personal use.
Mitigation: Educate all personnel on the privacy policy.

Disciplinary process
Audit question: Whether there is a formal disciplinary process for employees who have committed a security breach.
Security considerations: Management must establish corrective action measures to apply when there is a security breach.
Security concern if removed: Private information could be disclosed to unauthorized persons for personal use.
Mitigation: Advise employees of the consequences their actions will have.

Termination responsibilities
Audit question: Whether responsibilities for performing employment termination, or change of employment, are clearly defined and assigned.
Security considerations: Management must state which actions will result in termination of employment and what procedures are involved in the termination process.
Security concern if removed: An employee who is not properly terminated could bring a lawsuit against the company.
Mitigation: Define the procedures for terminating employment.

Return of assets
Audit question: Whether there is a process in place that ensures all employees, contractors, and third-party users surrender all of the organization's assets in their possession upon termination of their employment, contract, or agreement.
Security considerations: Management must define what materials employees must return when their employment ends.
Security concern if removed: If not returned, company items could be used for personal purposes.
Mitigation: Ensure that all company materials are returned.

Removal of access rights
Audit question: Whether the access rights of all employees, contractors, and third-party users to information and information processing facilities are removed upon termination of their employment, contract, or agreement, or adjusted upon change.
Security considerations: Management will define a timeframe within which a terminated employee's access is removed.
Security concern if removed: If no timeframe is defined, a terminated employee could still access company information.
Mitigation: Prevent unauthorized personnel from accessing company information. Check the defined timeframe against the directory: an account that is still enabled past the deadline, or that shows a login after the termination date, is an audit finding.

PHYSICAL AND ENVIRONMENTAL SECURITY

Physical security perimeter
Audit question: Whether a physical security perimeter has been implemented to protect the information processing facilities. Examples of such controls are card-controlled entry gates, walls, and a manned reception.

Physical entry controls
Audit question: Whether entry controls are in place to allow only authorized personnel into the various areas within the organization.
Security considerations: Physical access to the server room should be locked, with access restricted to authorized personnel.
Security concern if removed: Potential for a security breach through unauthorized access to physical equipment.
Mitigation: Lock the server room and restrict entry to authorized personnel. The sophistication of the control depends on the importance of the information and the budget.

Securing offices, rooms, and facilities
Audit question: Whether the rooms that house information processing facilities are locked, or have lockable cabinets or safes.

Protecting against external and environmental threats
Audit question: Whether physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster is designed and applied. Whether there is any potential threat from neighboring premises.
Security considerations: Corruption and/or loss of information due to environmental conditions.
Security concern if removed: Loss of critical data.
Mitigation: Data and system redundancy, off-site storage, and/or multiple servers at different locations.

Working in secure areas
Audit question: Whether physical protection and guidelines for working in secure areas are designed and implemented.

Public access, delivery, and loading areas
Audit question: Whether delivery, loading, and other areas where unauthorized persons may enter the premises are controlled, and information processing facilities are isolated from them, to avoid unauthorized access.

Equipment siting and protection
Audit question: Whether equipment is sited and protected to reduce the risks from environmental threats and hazards, and the opportunities for unauthorized access.

Supporting utilities
Audit question: Whether equipment is protected from power failures and other disruptions caused by failures in supporting utilities. Whether continuity of power supply, such as multiple feeds, an uninterruptible power supply (UPS), or a backup generator, is provided.

Cabling security
Audit question: Whether power and telecommunications cabling carrying data or supporting information services is protected from interception or damage. Whether any additional security controls are in place for sensitive or critical information.

Equipment maintenance
Audit question: Whether equipment is correctly maintained to ensure its continued availability and integrity. Whether equipment is maintained according to the supplier's recommended service intervals and specifications. Whether maintenance is carried out only by authorized personnel. Whether logs are kept of all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are applied when sending equipment off premises. Whether the equipment is covered by insurance and the insurance requirements are satisfied.

Securing of equipment off-premises
Audit question: Whether risks are assessed for any equipment used outside the organization's premises, and mitigating controls implemented. Whether the use of an information processing facility outside the organization has been authorized by management.
Security considerations: Off-site data storage centers provide a level of redundancy that maintains integrity in the event of a local breach.
Security concern if removed: Off-site data may be compromised or otherwise corrupted due to insufficient security measures.
Mitigation: Proper security measures in place to ensure the integrity of the data.

Secure disposal or re-use of equipment
Audit question: Whether all equipment containing storage media is checked to ensure that any sensitive information or licensed software is physically destroyed or securely overwritten prior to disposal or reuse.

Removal of property
Audit question: Whether controls are in place so that equipment, information, and software are not taken off-site without prior authorization.

COMMUNICATIONS AND OPERATIONS MANAGEMENT

Documented operating procedures
Audit question: Whether operating procedures are documented, maintained, and available to all users who need them. Whether such procedures are treated as formal documents, so that any changes require management authorization.
Security considerations: Management should set guidelines for how each function should operate in the company.
Security concern if removed: Without direction, employees would not know what to do throughout the day.
Mitigation: Establish how the company is to operate on a daily basis.

Change management
Audit question: Whether all changes to information processing facilities and systems are controlled.

Segregation of duties
Audit question: Whether duties and areas of responsibility are separated, in order to reduce opportunities for unauthorized modification or misuse of information or services.
Security considerations: Management is responsible for delegating each area of responsibility.
Security concern if removed: No one would be accountable for ensuring tasks are completed, and a single person could both make a change and approve it.
Mitigation: Establish accountability for the tasks performed in each area, and do not give one person both the ability to make a change and the authority to approve it.

Separation of development, test, and operational facilities
Audit question: Whether development and test facilities are isolated from operational facilities. For example, development and production software should run on different computers, and where necessary the development and production networks should be kept separate.
Security considerations: Management needs to establish a separate network.
Security concern if removed: Incorrect information could cause a delay in production or development.
Mitigation: Prevent incorrect information from being given to the wrong personnel.

Service delivery
Audit question: Whether measures are taken to ensure that the security controls, service definitions, and delivery levels included in the third-party service delivery agreement are implemented, operated, and maintained by the third party.
Security considerations: Define what measures are necessary and establish who is to monitor them.
Security concern if removed: Goods and services will not be delivered in a timely manner.
Mitigation: Ensure that the service level is established and maintained.

Monitoring and review of third-party services
Audit question: Whether the services, reports, and records provided by the third party are regularly monitored and reviewed, and whether audits of those services, reports, and records are conducted at regular intervals.
Security considerations, concern, and mitigation: as for service delivery.

Managing changes to third-party services
Audit question: Whether changes to the provision of services, including maintaining and improving existing information security policies, procedures, and controls, are managed, taking into account the criticality of the business systems and processes involved and a re-assessment of risks.
Security considerations, concern, and mitigation: as for service delivery.

Capacity management
Audit question: Whether capacity demands are monitored and projections of future capacity requirements are made, to ensure that adequate processing power and storage are available. Example: monitoring hard disk space, RAM, and CPU on critical servers.
Security considerations: Management must decide whether a third party will be needed to assist with their IT needs.
Security concern if removed: Systems will not be able to process the information needed in a timely manner.
Mitigation: Establish who will monitor the computer systems.

System acceptance
Audit question: Whether acceptance criteria are established for new information systems, upgrades, and new versions, and whether suitable tests are carried out prior to acceptance.
Security considerations, concern, and mitigation: as for capacity management.

Controls against malicious code
Audit question: Whether detection, prevention, and recovery controls to protect against malicious code, and appropriate user awareness procedures, are developed and implemented.
Security considerations: IT personnel must ensure proper measures are in place.
Security concern if removed: Malicious code could lead to unauthorized access or a system shutdown.
Mitigation: Establish measures to protect against viruses and malware.

Controls against mobile code
Audit question: Whether only authorized mobile code is used, whether the configuration ensures that authorized mobile code operates according to the security policy, and whether execution of unauthorized mobile code is prevented. (Mobile code is software that transfers from one computer to another and then executes automatically. It performs a specific function with little or no user intervention, and is associated with a number of middleware services.)

Information backup
Audit question: Whether backups of information and software are taken and tested regularly in accordance with the agreed backup policy. Whether all essential information and software can be recovered following a disaster or media failure.
Security considerations: IT personnel will ensure that the backup system is working properly. A backup that has never been restored has not been tested.
Security concern if removed: If backups are not properly managed, data could be lost.
Mitigation: Establish backup and data recovery procedures.

Network controls
Audit question: Whether the network is adequately managed and controlled, to protect it from threats and to maintain security for the systems and applications using the network, including information in transit. Whether controls are implemented to ensure the security of information in networks and the protection of connected services from threats such as unauthorized access.
Security considerations: IT personnel must ensure proper measures are in place.
Security concern if removed: Unauthorized access could lead to a system shutdown.
Mitigation: Establish measures to protect against viruses and malware, and against unauthorized network access.

Security of network services
Audit question: Whether the security features, service levels, and management requirements of all network services are identified and included in any network services agreement. Whether the ability of the network service
Security considerations: IT or the third party will advise management of the requirements needed for the network.
Security concern if removed: The company may not be aware of what is needed to secure the network, and the system could be broken into, compromising information.
Mitigation: Establish what security features are needed to maintain the network.
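The "Removal of access rights" row in the Human Resources Security section and the "Segregation of duties" row in Communications and Operations Management both describe checks that can be run mechanically against a directory export rather than asserted in a policy document. The script below is an added example, not code from the original report or from Kudler Fine Foods. The HR termination feed, the directory export format, the 24-hour removal window and the role names (rewards_adjust, rewards_approve, audit_log_admin) are constructed assumptions; a real review would pull the same fields from the HR system and from LDAP or Active Directory.

```python
# Access-rights review for a terminated-user list and a directory export.
# Added example, not part of the original report. The feed formats, the
# 24-hour removal window and the role names are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed: the timeframe management defined for removing a leaver's access.
REMOVAL_WINDOW = timedelta(hours=24)

# Assumed toxic role pairs for the frequent buyer program: whoever can adjust a
# customer's reward balance must not also approve adjustments or edit audit logs.
TOXIC_ROLE_PAIRS = {
    frozenset({"rewards_adjust", "rewards_approve"}),
    frozenset({"rewards_adjust", "audit_log_admin"}),
}


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    roles: frozenset
    last_login: "datetime | None"


def _rows(csv_text):
    """Yield the stripped fields of every line after the header."""
    for line in csv_text.strip().splitlines()[1:]:
        yield [field.strip() for field in line.split(",")]


def parse_terminations(csv_text):
    """HR feed 'user,terminated_at' (ISO 8601 with offset) -> {user: datetime}."""
    return {user: datetime.fromisoformat(when) for user, when in _rows(csv_text)}


def parse_directory(csv_text):
    """Directory export 'user,enabled,roles,last_login' -> {user: Account}.
    Roles are ';'-separated; last_login is empty for never-used accounts."""
    accounts = {}
    for user, enabled, roles, last_login in _rows(csv_text):
        accounts[user] = Account(
            user=user,
            enabled=enabled.lower() == "true",
            roles=frozenset(r for r in roles.split(";") if r),
            last_login=datetime.fromisoformat(last_login) if last_login else None,
        )
    return accounts


def overdue_terminations(terminations, accounts, now):
    """[(user, hours past the window)] for leavers whose account is still enabled.
    Leavers still inside the window are not flagged: they are not yet a violation."""
    found = []
    for user, when in sorted(terminations.items()):
        acct = accounts.get(user)
        if acct is None or not acct.enabled:
            continue
        overdue = now - when - REMOVAL_WINDOW
        if overdue > timedelta(0):
            found.append((user, int(overdue.total_seconds() // 3600)))
    return found


def post_termination_logins(terminations, accounts):
    """Leavers whose last login is later than their termination time: direct
    evidence that the concern in the 'Removal of access rights' row occurred."""
    return sorted(
        user for user, when in terminations.items()
        if user in accounts
        and accounts[user].last_login is not None
        and accounts[user].last_login > when
    )


def segregation_violations(accounts):
    """[(user, (role, role))] for enabled accounts holding a toxic role pair."""
    found = []
    for user, acct in sorted(accounts.items()):
        if not acct.enabled:
            continue
        for pair in sorted(TOXIC_ROLE_PAIRS, key=lambda p: tuple(sorted(p))):
            if pair <= acct.roles:
                found.append((user, tuple(sorted(pair))))
    return found


def review(hr_csv, directory_csv, now_iso):
    """Run all three checks as of `now_iso` and return the findings."""
    now = datetime.fromisoformat(now_iso)
    terminations = parse_terminations(hr_csv)
    accounts = parse_directory(directory_csv)
    return {
        "overdue": overdue_terminations(terminations, accounts, now),
        "post_termination_logins": post_termination_logins(terminations, accounts),
        "segregation": segregation_violations(accounts),
    }


# Constructed sample exports; not real Kudler data.
HR_FEED = """user,terminated_at
jsmith,2019-03-01T17:00:00+00:00
mlee,2019-03-08T12:00:00+00:00
"""

DIRECTORY = """user,enabled,roles,last_login
jsmith,true,rewards_adjust;pos_clerk,2019-03-04T08:15:00+00:00
mlee,false,pos_clerk,2019-03-07T09:00:00+00:00
kbrown,true,rewards_adjust;rewards_approve,2019-03-08T10:00:00+00:00
acho,true,rewards_approve,2019-03-08T11:30:00+00:00
"""

if __name__ == "__main__":
    print(review(HR_FEED, DIRECTORY, "2019-03-09T09:00:00+00:00"))
```

Run as of the report date, the sample data yields three findings: jsmith's account is still enabled 160 hours past the removal deadline, jsmith logged in after termination (the post-termination access the row warns about), and kbrown holds both rewards_adjust and rewards_approve. mlee was disabled and is not flagged, and a leaver whose deadline has not yet passed is deliberately left out of the overdue list so the report only shows policy violations.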
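The "Information backup" row asks whether backups are tested and whether data can be recovered after a media failure. The Python example below is added here and is not part of the original report: it builds a small backup with a SHA-256 manifest kept outside the archive, simulates bit-rot by flipping one byte of one file inside the archive, and runs a restore test that reports which files came back intact, which are corrupt and which are missing. The directory layout, file names, archive name and manifest format are constructed assumptions.

```python
# Backup restore test: does every file come back bit-for-bit intact?
# Added example, not from the original report. File names, the manifest
# format and the simulated media fault are constructed assumptions.
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive):
    # Kept beside the archive, not inside it, so a damaged archive cannot
    # carry a matching damaged manifest.
    return archive.with_name(archive.name + ".manifest.json")


def make_backup(source, archive):
    """Write an uncompressed tar of every file under `source` plus a manifest
    mapping each relative path to the SHA-256 of the live data."""
    manifest = {}
    with tarfile.open(archive, "w") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(str(p), arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return manifest


def corrupt_member(archive, rel):
    """Simulate bit-rot on the backup media: flip one byte inside `rel`'s data
    block. The tar stays readable, so only a content check will notice."""
    with tarfile.open(archive, "r") as tar:
        offset = tar.getmember(rel).offset_data
    with open(archive, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))


def restore_test(archive):
    """Restore into scratch space and compare each manifest entry with what
    came back. Returns {"ok": [...], "corrupt": [...], "missing": [...]}."""
    manifest = json.loads(manifest_path(archive).read_text())
    result = {"ok": [], "corrupt": [], "missing": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r") as tar:
            for m in tar.getmembers():  # refuse traversal and link tricks
                unsafe = m.name.startswith("/") or ".." in Path(m.name).parts
                if unsafe or m.issym() or m.islnk():
                    raise ValueError(f"unsafe member in archive: {m.name}")
            # Use the hardened extraction filter where this Python provides it.
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(dest, **extra)
        for rel, expected in manifest.items():
            restored = dest / rel
            if not restored.is_file():
                result["missing"].append(rel)
            elif sha256_of(restored) != expected:
                result["corrupt"].append(rel)
            else:
                result["ok"].append(rel)
    return result


def run_demo(corrupt=True):
    """Build a constructed backup, optionally damage one file, run the test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "frequent_buyer"
        (src / "db").mkdir(parents=True)
        (src / "config.ini").write_text("[pos]\nstore=1\n")
        (src / "db" / "members.csv").write_text("id,name,points\n1,A. Customer,120\n")
        archive = Path(work) / "fbp-backup.tar"
        make_backup(src, archive)
        if corrupt:
            corrupt_member(archive, "db/members.csv")
        return restore_test(archive)


if __name__ == "__main__":
    print(run_demo())
```

The point of the test is that the archive still opens and extracts without error after the simulated fault; only the per-file hash comparison against the separately stored manifest reveals that members.csv is no longer recoverable. A backup procedure that only confirms the archive exists, or that the restore ran, would have passed.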