Other Human Resources Policies and Practices Include:

Hiring practices � to ensure that the most effective and efficient staff is chosen and that the

company is in compliance with legal requirements. Practices include:

- Background checks

- Confidentiality agreements

- Employee bonding to protect against losses due to theft

- Conflict of interest agreements

- Non-compete agreements

Employee handbook � distributed to all employees upon being hired, should explain items such as

- Security policies and procedures

- Company expectations

- Employee benefits

- Disciplinary actions

- Performance evaluations etc.

Promotion policies � should be fair and understood by employees. Based on objective

criteria considering performance, education, experience and level of responsibility.

Training � should be provided on a fair and regular basis Scheduling and time reporting � proper

scheduling provides for a more efficient operation and use of computing resources

Employee performance evaluations � employee assessment must be a standard and

regular feature for all IS staff Required vacations � ensures that once a year, at a minimum,

someone other than the regular employee will perform a job function. This reduces the opportunity

to commit improper or illegal acts.

Job rotation � provides an additional control (to reduce the risk of fraudulent or malicious

acts), since the same individual does not perform the same tasks all the time.

Termination policies � policies should be structured to provide adequate protection for the

organisation�s computer assets and data. Should address:

- Voluntary termination

- Immediate termination

- Return of all access keys, ID cards and badges to prevent easy physical access

- Deletion of assigned logon-ID and passwords to prohibit system access

- Notification to other staff and facilities security to increase awareness of the terminated

employee�s status.

- Arrangement of the final pay routines to remove the employee from active payroll files

- Performance of a termination interview to gather insight on the employee�s perception of

management

- Return of all company property

- Escort from the premises.

Network Security

Communication networks (Wide Area or Local Area Networks) generally include devices connected

to the network, and programmes and files supporting the network operations. Control is

accomplished through a network control terminal and specialised communications software.

The following are controls over the communication network:

- Network control functions should be performed by technically qualified operators.

- Network control functions should be separated and duties rotated on a regular basis where

possible.

- Network control software must restrict operator access from performing certain functions

such as ability to amend or delete operator activity logs.

- Network control software should maintain an audit trail of all operator activities.

- Audit trails should be reviewed periodically by operations management to detect any

unauthorised network operation activities.

- Network operation standards and protocols should be documented and made available to the

operators and should be reviewed periodically to ensure compliance.

- Network access by system engineers should be closely monitored and reviewed to direct

unauthorised access to the network.

- Analysis should be performed to ensure workload balance, fast response time and system

efficiency.

- A terminal identification file should be maintained by the communication software to check

the authentication of a terminal when it tries to send or receive messages.

- Data encryption should be used where appropriate to protect messages from disclosure during

transmission.

Some common network management and control software include Novell NetWare, Windows NT,

UNIX, NetView and NetPass.

Local Area Network (LAN) Security

Local area networks (LANs) facilitate the storage and retrieval of programs and data used by

a group of people. LAN software and practices also need to provide for the security of these

programs and data. Risks associated with use of LANs include:

� Loss of data and programme integrity through unauthorised changes

� Lack of current data protection through inability to maintain version control

� Exposure to external activity through limited user verification and potential public network

access from dial-up connections

� Virus infection

� Improper disclosure of data because of general access rather than need-to-know access

provisions

� Violating software licenses by using unlicensed or excessive number of software copies

� Illegal access by impersonating or masquerading as a legitimate LAN user

� Internal user�s sniffing (obtaining seemingly unimportant information from the network that

can be used to launch an attack, such as network address information)

� Internal user�s spoofing (reconfiguring a network address to pretend to be a different address)

� Destruction of the logging and auditing data

The LAN security provisions available depend on the software product, product version and

implementation. Commonly available network security administrative capabilities include:

� Declaring ownership of programmes, files and storage

� Limiting access to read only

� Implementing record and file locking to prevent simultaneous update to the same record

� Enforcing user ID/password sign-on procedures, including the rules relating to password

length, format and change frequency

Dial-Up Access Controls

It is possible to break LAN security through the dial-in route. Without dial-up access controls,

a caller can dial in and try passwords until they gain access. Once in, they can hide pieces of

software anywhere, pass through Wide Area Network (WAN) links to other systems and generally

cause as much or as little havoc as they like.

� To minimise the risk of unauthorized dial-in access, remote users should never store their

passwords in plain text login scripts on notebooks and laptops. Furthermore, portable PCs

should be protected by physical keys and/or basic input output system (BIOS) based

passwords to limit access to data if stolen.

� In order to prevent access by the guessing of passwords, a dial-back modem should be used.

When a call is answered by the modem, the caller must enter a code. The modem then hangs

up the connection and looks up a corresponding phone number that has been authorised for

dial-in access and calls the number back if it is authenticated.

Client/Server Security

A client/server system typically contains numerous access points. Client/server systems utilise

distributed techniques, creating increased risk of access to data and processing. To effectively

secure the client/server environment, all access points should be identified. In mainframe-based

applications, centralised processing techniques require the user to go through one pre-defined

route to access all resources. In a client/server environment, several access points exist, as

application data may exist on the client or the server. Each of these routes must, therefore,

be examined individually and in relation to each other to determine that no exposures are left

unchecked.

In order to increase the security in a client/server environment, the following control techniques

should be in place:

� Securing access to the data or application on the client/server may be performed by disabling

the floppy disk drive, much like a keyless workstation that has access to a mainframe.

Diskless workstations prevent access control software from being by- passed and rendering

the workstation vulnerable to unauthorised access. By securing the automatic boot or start up

batch files, unauthorised users may be prevented from overriding login scripts and access.

� Network monitoring devices may be used to inspect activity from known or unknown users.

� Data encryption techniques can help protect sensitive or proprietary data from unauthorized

access.

� Authentication systems may provide environment-wide, logical facilities that can differentiate

among users. Another method, system smart cards, uses intelligent handheld devices and

encryption techniques to decipher random codes provided by client/ server systems. A smart

card displays a temporary password that is provided by an algorithm (step-by-step calculation

instructions) on the system and must be re-entered by the user during the login session for

access into the client/server system.

� The use of application level access control programmes and the organisation of users into

functional groups is a management control that restricts access by limiting users to only those

functions needed to perform their duties.

Client/Server Risks and Issues

Since the early 1990s, client/server technology has become one of the predominant ways many

organisations have processed production data and developed and delivered mission critical

products and services.

The areas of risk and concern in a client/server environment are:

� Access controls may be inherently weak in a client/server environment if network

administration does not properly set up password change controls or access rules.

� Change control and change management procedures, whether automated or manual may be

inherently weak. The primary reason for this weakness is due to the relatively high level of

sophistication of client/server change control tools together with inexperienced staff who are

reluctant to introduce such tools for fear of introducing limitations on their capability.

� The loss of network availability may have a serious impact on the business or service

� Obsolescence of the network components, including hardware, software and communications.

� Unauthorised and indiscriminate use of synchronous and asynchronous modems to connect

the network to other networks.

� Connection of the network to public switched telephone networks.

� Inaccurate, unauthorised and unapproved changes to systems or data.

� Unauthorised access to confidential data, the unauthorized modification of data,business

interruption and incomplete and inaccurate data.

� Application code and data may not be located on a single machine enclosed in a secure

computer room as with mainframe computing.

Internet Threats

The very nature of the Internet makes it vulnerable to attack. It was originally designed to allow

for the freest possible exchange of information, data and files. However, today the freedom

carries a price. Hackers and virus-writers try to attack the Internet and computers connected

to the Internet and those who want to invade other�s privacy attempt to crack into databases of

sensitive information or snoop on information as it travels across Internet routes.

It is, therefore, important in this situation to understand the risks and security factors that are

needed to ensure proper controls are in place when a company connects to the Internet. There

are several areas of control risks that must be evaluated to determine the adequacy of Internet

security controls:

� Corporate Internet policies and procedures

� Firewall standards

� Firewall security

� Data security controls

Internet threats include:

a) Disclosure

It is relatively simple for someone to eavesdrop on a �conversation� taking place over the Internet.

Messages and data traversing the Internet can be seen by other machines including e-mail files,

passwords and in some cases key-strokes as they are being entered in real time.

b) Masquerade

A common attack is a user pretending to be someone else to gain additional privileges or access

to otherwise forbidden data or systems. This can involve a machine being reprogrammed to

masquerade as another machine (such as changing its Internet Protocol � IP address). This is

referred to as spoofing.

c) Unauthorised access

Many Internet software packages contain vulnerabilities that render systems subject to attack.

Additionally, many of these systems are large and difficult to configure, resulting in a large

percentage of unauthorized access incidents.

d) Loss of integrity

Just as it is relatively simple to eavesdrop a conversation, so it is also relatively easy to intercept

the conversation and change some of the contents or to repeat a message. This could have

disastrous effects if, for example, the message was an instruction to a bank to pay money.

e) Denial of service

Denial of service attacks occur when a computer connected to the Internet is inundated (flooded)

with data and/or requests that must be serviced. The machine becomes so tied up with dealing with

these messages that it becomes useless for any other purpose.

f) Threat of service and resources

Where the Internet is being used as a channel for delivery of a service, unauthorised access to

the service is effectively theft. For example, hacking into a subscription-based news service is

effectively theft.

It is difficult to assess the impact of the threats described above, but in general terms the following

types of impact could occur:

� Loss of income

� Increased cost of recovery (correcting information and re-establishing services)

� Increased cost of retrospectively securing systems

� Loss of information (critical data, proprietary information, contracts)

� Loss of trade secrets

� Damage to reputation

� Legal and regulatory non-compliance

� Failure to meet contractual commitments

Encryption

Encryption is the process of converting a plaintext message into a secure coded form of text

called cipher text that cannot be understood without converting back via decryption (the reverse

process) to plaintext again. This is done via a mathematical function and a special encryption/

decryption password called the key.

Encryption is generally used to:

� Protect data in transit over networks from unauthorised interception and manipulation

� Protect information stored on computers from unauthorised viewing and manipulation

� Deter and detect accidental or intentional alterations of data

� Verify authenticity of a transaction or document

The limitations of encryption are that it can�t prevent loss of data and encryption programs can

be compromised. Therefore encryption should be regarded as an essential but incomplete form

of access control that should be incorporated into an organization�s overall computer security

program.

Key elements of encryption systems are:

(vi) Encryption algorithm � a mathematically based function or calculation which encrypts/

decrypts data

(vii) Encryption keys � a piece of information that is used within an encryption algorithm

(calculation) to make the encryption or decryption process unique/ similar to passwords, a

user needs to use the correct key to access or decipher a message. The wrong key will

decipher the message into an unreadable form.

(viii) Key length � a predetermined length for the key. The longer the key, the more difficult it

is to compromise in a brute-force attack where all possible key combinations are tried.

Effective encryption systems depend upon the secrecy and the difficulty of compromising

a key, the existence of back doors by which an encrypted file can be decrypted without

knowing the key, the ability to decrypt an entire cipher text message if you know the

way that a portion of it decrypts (called a known text attack), and the properties of the

plaintext known by a perpetrator.

There are two common encryption or cryptographic systems:

a) Symmetric or private key system

Symmetric cryptosystem use a secret key to encrypt the plaintext to the cipher text. The

same key is also used to decrypt the cipher text to the corresponding plaintext. In this

case the key is symmetric because the encryption key is the same as the decryption

key. The most common private key cryptography system is data encryption standard (DES).

b) Asymmetric or public key system

Asymmetric encryption systems use two keys, which work together as a pair. One key

is used to encrypt data, the other is used to decrypt data. Either key can be used to

encrypt or decrypt, but once one key has been used to encrypt data, only its partner

can be used to decrypt the data (even the key that was used to encrypt the data cannot

be used to decrypt it). Generally, with asymmetric encryption, one key is known only to one person

� the secret or private key � the other key is known by many people � the public key. A common

form of asymmetric encryption is RSA (named after its inventors Rivest, Shamir and Adelman).

Firewall Security

A firewall is a set of hardware and software equipment placed between an organisation�s internal

network and an external network to prevent outsiders from invading private networks. Companies

should build firewalls to protect their networks from attacks. In order to be effective, firewalls

should allow individuals on the corporate network to access the Internet and at the same time stop

hackers or others on the Internet from gaining access to the corporate network to cause damage.

Firewalls are hardware and software combinations that are built using routers, servers and a

variety of software. They should sit in the most vulnerable point between a corporate network and

the Internet and they can be as simple or complex as system administrators want to build them.

There are many different types of firewalls, but many enable organisations to:

� Block access to particular sites on the Internet

� Prevent certain users from accessing certain servers or services

� Monitor communications between an internal and external networks

� Eavesdrop and record all communications between an internal network and the outside world

to investigate network penetrations or detect internal subversions.

� Encrypt packets that are sent between different physical locations within an organization by

creating a virtual private network over the Internet.

Problems faced by organisations that have implemented firewalls are:

� A false sense of security exists where management feels that no further security checks and

controls are needed on the internal network.

� Firewalls are circumvented through the use of modems connecting users to Internet Service

Providers.

� Mis-configured firewalls, allowing unknown and dangerous services to pass through freely.

� Misunderstanding of what constitutes a firewall e.g. companies claiming to have a firewall

merely having a screening router.

� Monitoring activities do not occur on a regular basis i.e. log settings not appropriately applied

and reviewed.

Intrusion Detection Systems (IDS)

Intrusion or intruder detection is the identification of and response to ill-minded activities. An

IDS is a tool aiding in the detection of such attacks. An IDS detects patterns and issues an alert.

There are two types of IDSs, network-based and host-based.

Network-based IDSs identify attacks within the network that they are monitoring and issue a

warning to the operator. If a network-based IDS is placed between the Internet and the firewall, it

will detect all the attack attempts, whether they do or do not enter the firewall. If the IDS is placed

between a firewall and the corporate network it will detect those attacks that could not enter the

firewall ( intruders). The IDS is not a substitute for a firewall, but complements the function of a

firewall.

Host-based IDSs are configured for a specific environment and will monitor various internal

resources of the operating system to warn of a possible attack. They can detect the modification of

executable programmes, the deletion of files and issue a warning when an attempt is made to use a

privileged command.

Environmental Exposures and Controls

Environmental exposures are primarily due to naturally occurring events. However, with proper

controls, exposure to these elements can be reduced. Common exposures are:

- Fire

- Natural disasters � earthquake, volcano, hurricane, tornado

- Power failure

- Power spike

- Air conditioning failure

- Electrical shock

- Equipment failure

- Water damage/flooding � even with facilities located on upper floors of high-rise buildings,

water damage is a risk, typically occurring from broken water pipes

-Bomb threat/attack

Other environmental issues and exposures include the following:

- Is the power supply to the computer equipment properly controlled to ensure that it remains

within the manufacturer�s specifications?

- Are the air conditioning, humidity and ventilation control systems for the computer

equipment adequate to maintain temperatures within manufacturers� specifications?

- Is the computer equipment protected from the effects of static electricity, using an antistatic

rug or anti-static spray?

- Is the computer equipment kept free of dust, smoke and other particulate matter, such as

food?

- Is consumption of food, beverage and tobacco products prohibited, by policy, around

computer equipment?

- Are backup media protected from damage due to temperature extremes, the effects of

magnetic fields and water damage?

Controls for Environmental Exposures

a) Water detectors � in the computer room, water detectors should be placed under the raised

floor and near drain holes, even if the computer room is on a high floor (remember water

leaks). When activated, the detectors should produce an audible alarm that can be heard by

security and control personnel.

b) Hand-held fire extinguishers � fire extinguishers should be in strategic locations throughout

the information system facility. They should be tagged for inspection and inspected at least

annually.

c) Manual fire alarms � hand-pull fire alarms should be strategically placed throughout the

facility. The resulting audible alarm should be linked to a monitored guard station.

d) Smoke detectors � they supplement not replace fire suppression systems. Smoke detectors

should be above and below the ceiling tiles throughout the facility and below the raised

computer room floor. They should produce an audible alarm when activated and be linked to

a monitored station (preferably by the fire department).

e) Fire suppression system � these systems are designed to activate immediately after detection

of high heat typically generated by fire. It should produce an audible alarm when activated.

Ideally, the system should automatically trigger other mechanisms to localise the fire. This

includes closing fire doors, notifying the fire department, closing off ventilation ducts and

shutting down nonessential electrical equipment. Therefore, fire suppression varies but is

usually one of the following:

� Water based systems (sprinkler systems) � effective but unpopular because they

damage equipment

� Dry-pipe sprinkling � sprinkler systems that do not have water in the pipes until an

electronic fire alarm activates the water pumps to send water to the dry pipe system.

� Halon systems � release pressurised halon gases that remove oxygen from the air, thus

starving the fire. Halon is popular because it is an inert gas and does not damage

equipment.

� Carbon dioxide systems � release pressurised carbon dioxide gas into the area

protected to replace the oxygen required for combustion. Unlike halon, however,

carbon dioxide is unable to sustain human life and can, therefore, not be set to

automatic release.

f) Strategically locating the computer room � to reduce the risk of flooding, the computer room

should not be located in the basement. If located in a multi-storey building, studiesshow that

the best location for the computer room to reduce the risk of fire, smoke and water damage is

between 3rd, and 6th floor.

g) Regular inspection by fire department � to ensure that all fire detection systems comply with

building codes, the fire department should inspect the system and facilities annually.

h) Fireproof walls, floors and ceilings surrounding the computer room � walls surrounding the

information processing facility should contain or block fire from spreading. The surrounding

walls would have at least a two-hour fire resistance rating.

i) Electrical surge protectors � these electrical devices reduce the risk of damage to equipment

due to power spikes. Voltage regulators measure the incoming electrical current and either

increase or decrease the charge to ensure a consistent current. Such protectors are typically

built into the uninterruptible power supply (UPS) system.

j) Uninterruptible power supply system (UPS)/generator � a UPS system consists of a battery or

petrol powered generator that interfaces between the electrical power entering the facility and

the electrical power entering the computer. The system typically cleanses the power to ensure

wattage into the computer is consistent. Should a power failure occur, the UPS continues

providing electrical power from the generator to the computer for a certain length of time. A

UPS system can be built into a computer or can be an external piece of equipment.

k) Emergency power-off switch � there may be a need to shut off power to the computer and

peripheral devices, such as during a computer room fire or emergency evacuation. Two

emergency power-off switches should serve this purpose, one in the computer room, the other

near, but outside, the computer room. They should be clearly labelled, easily accessible for

this purpose and yet still secured from unauthorised people. The switches should be shielded

to prevent accidental activation.

l) Power leads from two substations � electrical power lines that feed into the facility are

exposed to many environmental hazards - water, fire, lightning, cutting to due careless

digging etc. To reduce the risk of a power failure due to these events that, for the most part,

are beyond the control of the organisation, redundant power lines should feed into the facility.

In this way, interruption of one power line does not adversely affect electrical supply.

m) Wiring placed in electrical panels and conduit � electrical fires are always a risk. To reduce

the risk of such a fire occurring and spreading, wiring should be placed in fire resistant panels

and conduit. This conduit generally lies under the fire-resistant raised computer room floor.

n) Prohibitions against eating, drinking and smoking within the information processing facility �

food, drink and tobacco use can cause fires, build-up of contaminants or damage to sensitive

equipment especially in case of liquids. They should be prohibited from the information

processing facility. This prohibition should be overt, for example, a sign on the entry door.

o) Fire resistant office materials � wastebaskets, curtains, desks, cabinets and other general

office materials in the information processing facility should be fire resistant. Cleaning fluids

for desktops, console screens and other office furniture/fixtures should not be flammable.

p) Documented and tested emergency evacuation plans � evacuation plans should emphasise

human safety, but should not leave information processing facilities physically unsecured.

Procedures should exist for a controlled shutdown of the computer in an emergency situation,

if time permits.