Security Policies and Disaster Recovery
Security Policies
Many businesses could not survive a widespread loss of data and, therefore, a security policy is extremely important. Some threats to security and integrity of data are:
Human error (e.g. mistakes in programming, mistakes in data entry, operator errors)
Computer crime (e.g. hacking, viruses)
Natural Disasters (floods, fire, etc)
Malicious Attacks (e.g. bombs, arson)
Hardware failures (e.g. power failure, HDD crash, network failure)
Consequences of Disaster
You need to understand that information is the most important asset that any organisation has and access to that information is very often dependant on computer networks. Any period of down-time would result in:
· Financial loss
· Legal consequences
Risk Analysis
The purpose of risk analysis is to make sure that everyone in the organisation is aware of the security threats to the hardware, software and data held. Everyone needs to understand the consequences of data loss including the financial loss and the long-term effect caused by loss of consumer confidence, which would result by the inability of the organisation to provide a full service.
A value will be placed on data, people, communications channels and hardware. Risks to all these will be identified, including the likelihood of their occurrence.
Layers of Security
1. Building Security (guards, IDs, visitor passes)
2. Terminal use controls (locks, swipe cards, biometric identification)
3. Authorisation Software (e.g. access levels)
4. Communications Software (automatic callback, encryption, handshaking)
5. Operational Security (audit trails, virus checks, backup)
6. Personnel Screening (hiring policies, separation of duties, training)
Building Security involves physical measures to secure the premises e.g. a signing in system, smoke alarms, fire extinguishers, biometric recognition.
Passwords pose problems because they are easily circumvented. Many people use their name as a password, or even the word "password". Many people use the same password for everything so they don't forget it. The most secure passwords have a mixture of upper and lower case and a mixture of numbers and letters. A pass phrase is more secure than a password. Passwords need to be changed regularly. Passwords should be encrypted on the network so that even the system administrator doesn't know what a user's password is. Passwords can be used to grant different access levels (see IT01).
Hackers can be tackled by using callback security. This is where a computer calls back to verify the location of the caller. A "handshake" system can also be employed where a recognised signal is sent from one computer to another and a connection is established if the computer recognises the computer that is calling.
Anti virus software should be installed on all computers and it might be thought to be a sensible policy to forbid employees from bringing in disks from home, or from installing their own software on the network.
There is a good link on encryption at: http://www.open2.net/ictportal/ (java applet)
Audit Controls
See the next topic (Implementation of Legislation) for information about this.
Personnel Safeguards
17% of computer crime is committed by external hackers but 82% is committed by employees who plant viruses, damage data or steal money or information from their employer.
Separation of duties can ensure that no single person should perform all the steps in one transaction.
Corporate IT Security Policy
There is a conflict between wanting to make the system widely accessible and wanting to make it secure. For instance schools and colleges, who want to encourage computer-use among students, have relatively insecure networks. Financial institutions and businesses are more likely to want to restrict use.
Employees should be made aware of the policy. It will include disciplinary procedures, backup procedures, control of access, protection of the power supply and different access levels.
--- Top of Page ---
Good News Article:
BBC News - Disaster Planning Saves Wall Street
Negligence
90% of businesses that suffer a significant loss of data go out of business within 2 years. The impact of a significant loss is not immediately felt. The day after the disaster, a company operates at 96% capacity. Ten days later, this has fallen to 10%.
Businesses may be prosecuted under health and safety legislation if a loss of data has a negative effect on the public or the environment. If the data was lost because of negligence, fines or litigation could result.
Stages in Disaster Planning
Disaster planning involves identifying the most critical business functions and ensuring that, in the event of a disaster, that they can be up and running again as quickly as possible.
The Security Plan
A security officer may be appointed to implement a security plan. This plan includes:
Listing the most critical business functions
Methods for securing access to all necessary resources and to key personnel
A step-by-step course of action
Education, training and disaster drills
Disaster Recovery Plan
The plan should identify the equipment, data, staff and business functions that are critical.
The plan should be integrated with other policies e.g. the computer security policy.
A recovery method should be identified. This should be ACHIEVABLE, DOCUMENTED and TESTED. Staff should be trained how to react.A business should have two "controls of last resort" i.e. adequate insurance and a disaster plan. Insurance premiums may be reduced if a business has an adequate disaster recovery plan.
Backup facilities are important to disaster recovery. These can include:
A "cold standby" site i.e. a backup facility distant from the main site.
A reciprocal agreement with another company which has a compatible system
Subscribing to a disaster recovery service (see case study p.255)
Distributed Support – Large organisations can spread the computing facilities over several sites, thus decreasing the dependence on one site. In the event of disaster, work can be transferred to other sites.
Choice of Contingency Plan
Timing - the nature of the organisation makes a difference e.g. an online booking system needs to be up and running again within a few hours but a postal billing service might be able to wait a couple of days.
Likelihood of disaster e.g. A business in San Francisco would invest more in disaster recovery than a business elsewhere.
Cost - some disaster recover plans are expensive e.g. if you want to maintain a cold storage site.
The size and scale of the organisation makes a difference.