Other Human Resources Policies and Practices Include:
Hiring practices: to ensure that the most effective and efficient staff are chosen and that the
company is in compliance with legal requirements. Practices include:
- Background checks
- Confidentiality agreements
- Employee bonding to protect against losses due to theft
- Conflict of interest agreements
- Non-compete agreements
Employee handbook: distributed to all employees upon hiring, it should explain items such as
- Security policies and procedures
- Company expectations
- Employee benefits
- Disciplinary actions
- Performance evaluations etc.
Promotion policies: should be fair and understood by employees, and based on objective
criteria considering performance, education, experience and level of responsibility.
Training: should be provided on a fair and regular basis.
Scheduling and time reporting: proper scheduling provides for a more efficient operation and
use of computing resources.
Employee performance evaluations: employee assessment must be a standard and regular
feature for all IS staff.
Required vacations: ensure that at least once a year someone other than the regular employee
performs each job function. This reduces the opportunity to commit improper or illegal acts
and increases the likelihood that such acts are discovered.
Job rotation: provides an additional control (to reduce the risk of fraudulent or malicious
acts), since the same individual does not perform the same tasks all the time.
Termination policies: policies should be structured to provide adequate protection for the
organisation's computer assets and data. They should address:
- Voluntary termination
- Immediate termination
- Return of all access keys, ID cards and badges to prevent easy physical access
- Deletion of assigned logon IDs and passwords to prohibit system access (disabling the ID
first and deleting it later preserves the audit trail and file ownership until they have been
reviewed)
- Notification to other staff and facilities security to increase awareness of the terminated
employee's status
- Arrangement of the final pay routines to remove the employee from active payroll files
- Performance of a termination interview to gather insight on the employee's perception of
management
- Return of all company property
- Escort from the premises.
Network Security
Communication networks (wide area or local area networks) generally include the devices
connected to the network and the programs and files supporting network operations. Control is
accomplished through a network control terminal and specialised communications software.
The following are controls over the communication network:
- Network control functions should be performed by technically qualified operators.
- Network control functions should be separated and duties rotated on a regular basis where
possible.
- Network control software must restrict operators from performing certain functions, such
as amending or deleting operator activity logs.
- Network control software should maintain an audit trail of all operator activities.
- Audit trails should be reviewed periodically by operations management to detect any
unauthorised network operation activities.
- Network operation standards and protocols should be documented and made available to the
operators and should be reviewed periodically to ensure compliance.
- Network access by system engineers should be closely monitored and reviewed to detect
unauthorised access to the network.
- Analysis should be performed to ensure workload balance, fast response time and system
efficiency.
- A terminal identification file should be maintained by the communication software to
authenticate a terminal when it tries to send or receive messages.
- Data encryption should be used where appropriate to protect messages from disclosure during
transmission.
Examples of network operating systems and network management software cited in this material
include Novell NetWare, Windows NT, UNIX, NetView and NetPass; the products are dated, but the
controls above apply equally to their modern equivalents.
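The periodic audit-trail review described above is easiest to see as code. The following is an added example, not code from the original material: it assumes a constructed pipe-separated operator log (timestamp|operator|role|function|target), an assumed set of restricted function names and an assumed privileged role, and it flags the two conditions the controls call out, a non-privileged operator touching the activity log and system-engineer access outside working hours.

```python
"""Review of a network-operator audit trail (added example, not from the
original text).  The log format is an assumption for illustration:
one record per line, fields separated by '|':
    timestamp|operator|role|function|target
"""
from collections import Counter
from datetime import datetime

# Functions the network control software should never let an ordinary
# operator perform (the text's example is amending or deleting the
# operator activity log).  The names are assumed.
RESTRICTED_FUNCTIONS = {"LOG_DELETE", "LOG_EDIT", "AUDIT_DISABLE"}

# Only this role may touch the audit trail (assumed policy value), and
# system-engineer access outside these hours is reviewed.
PRIVILEGED_ROLE = "audit_admin"
WORK_HOURS = range(7, 19)   # 07:00 to 18:59 local time

# Constructed sample records, not real log data.
SAMPLE_LOG = """\
2024-03-04T08:15:00|opsmith|operator|LINK_RESET|wan-router-2
2024-03-04T08:20:00|opsmith|operator|LOG_DELETE|audit.log
2024-03-04T23:40:00|eng_jdoe|sysengineer|CONFIG_WRITE|core-switch-1
2024-03-04T09:05:00|audadm|audit_admin|LOG_EDIT|audit.log
2024-03-05T02:10:00|eng_jdoe|sysengineer|CONFIG_WRITE|core-switch-1
2024-03-05T10:00:00|opjones|operator|LINK_RESET|wan-router-1
"""


def parse(line):
    """Split one record into a dict; the timestamp becomes a datetime."""
    ts, operator, role, function, target = line.rstrip("\n").split("|")
    return {"time": datetime.fromisoformat(ts), "operator": operator,
            "role": role, "function": function, "target": target}


def review(log_text):
    """Return a list of (record, reason) findings for management review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        # 1. A restricted function performed by a non-privileged role.  The
        #    control software should have refused it; if it appears in the
        #    trail, the restriction is not being enforced.
        if rec["function"] in RESTRICTED_FUNCTIONS and rec["role"] != PRIVILEGED_ROLE:
            findings.append((rec, "restricted function by non-privileged role"))
        # 2. System-engineer access outside working hours, which the text
        #    says should be closely monitored and reviewed.
        if rec["role"] == "sysengineer" and rec["time"].hour not in WORK_HOURS:
            findings.append((rec, "engineer access outside work hours"))
    return findings


def activity_by_operator(log_text):
    """Actions per operator: a starting point for the duty-rotation check."""
    return Counter(parse(l)["operator"] for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    for rec, reason in review(SAMPLE_LOG):
        print(f"{rec['time'].isoformat()} {rec['operator']:10} {rec['function']:12} {reason}")
    print(dict(activity_by_operator(SAMPLE_LOG)))
```

The fourth record (an audit administrator editing the log during working hours) is not flagged, which is the point of separating the privileged role: the review looks for policy violations, not for every sensitive action. In a real review the log itself must be written somewhere the operators cannot alter, otherwise the first check has nothing reliable to read.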
Local Area Network (LAN) Security
Local area networks (LANs) facilitate the storage and retrieval of programs and data used by
a group of people. LAN software and practices also need to provide for the security of these
programs and data. Risks associated with the use of LANs include:
- Loss of data and program integrity through unauthorised changes
- Lack of current data protection through inability to maintain version control
- Exposure to external activity through limited user verification and potential public network
access from dial-up connections
- Virus infection
- Improper disclosure of data because of general access rather than need-to-know access
provisions
- Violating software licenses by using unlicensed or an excessive number of software copies
- Illegal access by impersonating or masquerading as a legitimate LAN user
- Internal users sniffing (obtaining seemingly unimportant information from the network that
can be used to launch an attack, such as network address information)
- Internal users spoofing (reconfiguring a network address to pretend to be a different address)
- Destruction of the logging and auditing data
The LAN security provisions available depend on the software product, product version and
implementation. Commonly available network security administrative capabilities include:
- Declaring ownership of programs, files and storage
- Limiting access to read only
- Implementing record and file locking to prevent simultaneous updates to the same record
- Enforcing user ID/password sign-on procedures, including the rules relating to password
length, format and change frequency
Dial-Up Access Controls
It is possible to break LAN security through the dial-in route. Without dial-up access controls,
a caller can dial in and try passwords until they gain access. Once in, they can hide pieces of
software anywhere, pass through wide area network (WAN) links to other systems and generally
cause as much or as little havoc as they like.
- To minimise the risk of unauthorised dial-in access, remote users should never store their
passwords in plain-text login scripts on notebooks and laptops. Furthermore, portable PCs
should be protected by physical keys and/or basic input output system (BIOS) passwords to
limit access to data if stolen.
- To prevent access by the guessing of passwords, a dial-back modem should be used. When a
call is answered by the modem, the caller must enter a code. The modem then hangs up the
connection, looks up the telephone number that has been authorised for that code and calls
that number back. Dial-back authenticates the telephone line rather than the person, and the
callback can be redirected if the authorised number has been call-forwarded, so it should be
combined with user authentication and a limit on failed code attempts rather than used alone.
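The dial-back exchange, as an added example that is not part of the original material: the code-to-number table, the lockout threshold and the message strings are assumptions for illustration, and the simulation is of the control logic only, not of a real modem. The two points it makes are that the callback number must come from the stored table and never from anything the caller supplies, and that repeated wrong codes must lock the line so that the guessing attack described above is cut off.

```python
"""Simulated dial-back modem exchange (added example, not from the original
text).  The authorised-number table, lockout threshold and message strings
are assumptions; real dial-back modems differ in detail."""

# Assumed table: access code -> telephone number authorised for dial-in.
# The callback number is taken from this table only, never from the caller.
AUTHORISED = {
    "4417-ALPHA": "+44-20-7946-0101",   # constructed entries
    "9920-BRAVO": "+44-20-7946-0202",
}
MAX_FAILURES = 3   # assumed lockout threshold for consecutive wrong codes


class DialBackModem:
    def __init__(self, table=AUTHORISED, max_failures=MAX_FAILURES):
        self.table = dict(table)
        self.max_failures = max_failures
        self.failures = 0          # consecutive wrong codes on this line
        self.locked = False
        self.transcript = []       # both sides of the exchange, for review

    def _say(self, side, msg):
        self.transcript.append((side, msg))

    def answer_call(self, claimed_caller_number, code):
        """Handle one inbound call.  Returns the number the modem dials back,
        or None when the call is rejected.  The number the caller claims to
        be calling from is recorded but deliberately ignored: it cannot be
        trusted, so it plays no part in the callback decision."""
        self._say("caller", f"RING (claims to be {claimed_caller_number})")
        if self.locked:
            self._say("modem", "LINE LOCKED, hanging up")
            return None
        self._say("modem", "ENTER CODE")
        self._say("caller", f"CODE {code}")
        self._say("modem", "HANGING UP")            # always drop the inbound call
        number = self.table.get(code)
        if number is None:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.locked = True
                self._say("modem", "too many failed codes, line locked for operator reset")
            return None
        self.failures = 0
        self._say("modem", f"DIALLING BACK {number}")
        return number

    def operator_reset(self):
        """Only an operator at the console clears a lockout (assumed procedure)."""
        self.failures, self.locked = 0, False


if __name__ == "__main__":
    modem = DialBackModem()
    print(modem.answer_call("+1-555-0199", "4417-ALPHA"))   # callback goes to stored number
    for guess in ("0000-ZULU", "1111-ZULU", "2222-ZULU"):
        print(modem.answer_call("+1-555-0199", guess))      # guessing is cut off
    for side, msg in modem.transcript:
        print(f"{side:>6}: {msg}")
```

Note that the first call returns the stored number even though the caller claimed a different one; a modem that called back the claimed number would be no control at all. The lockout requires an operator reset, which is the audit hook: every lockout should appear in the operator activity log discussed under Network Security.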
Client/Server Security
A client/server system typically contains numerous access points. Client/server systems utilise
distributed techniques, creating increased risk of access to data and processing. To effectively
secure the client/server environment, all access points should be identified. In mainframe-based
applications, centralised processing techniques require the user to go through one pre-defined
route to access all resources. In a client/server environment several access points exist, as
application data may reside on the client or the server. Each of these routes must, therefore,
be examined individually and in relation to each other to determine that no exposures are left
unchecked.
To increase the security of a client/server environment, the following control techniques
should be in place:
- Securing access to the data or application on the client/server may be performed by disabling
the floppy disk drive, much like a keyless workstation that has access to a mainframe.
Diskless workstations prevent access control software from being bypassed, which would
otherwise leave the workstation vulnerable to unauthorised access. By securing the automatic
boot or start-up batch files, unauthorised users may be prevented from overriding login
scripts and access controls.
- Network monitoring devices may be used to inspect activity from known or unknown users.
- Data encryption techniques can help protect sensitive or proprietary data from unauthorised
access.
- Authentication systems may provide environment-wide, logical facilities that can differentiate
among users. Another method, smart cards, uses intelligent handheld devices and encryption
techniques to decipher random challenge codes provided by client/server systems. The smart
card displays a temporary password computed by an algorithm (step-by-step calculation
instructions) from the challenge, which the user must enter during the login session for
access to the client/server system.
- The use of application-level access control programs and the organisation of users into
functional groups is a management control that restricts access by limiting users to only those
functions needed to perform their duties.
Client/Server Risks and Issues
Since the early 1990s, client/server technology has become one of the predominant ways many
organisations process production data and develop and deliver mission-critical products and
services.
The areas of risk and concern in a client/server environment are:
- Access controls may be inherently weak in a client/server environment if network
administration does not properly set up password change controls or access rules.
- Change control and change management procedures, whether automated or manual, may be
inherently weak. The primary reason is that client/server change control tools are relatively
sophisticated, while inexperienced staff are reluctant to introduce them for fear of the
limitations they would place on their own freedom of action.
- The loss of network availability may have a serious impact on the business or service.
- Obsolescence of the network components, including hardware, software and communications.
- Unauthorised and indiscriminate use of synchronous and asynchronous modems to connect
the network to other networks.
- Connection of the network to public switched telephone networks.
- Inaccurate, unauthorised and unapproved changes to systems or data.
- Unauthorised access to confidential data, unauthorised modification of data, business
interruption and incomplete or inaccurate data.
- Application code and data may not be located on a single machine enclosed in a secure
computer room, as with mainframe computing.
Internet Threats
The very nature of the Internet makes it vulnerable to attack. It was originally designed to allow
for the freest possible exchange of information, data and files. Today, however, that freedom
carries a price. Hackers and virus writers attack the Internet and the computers connected to
it, and those who want to invade others' privacy attempt to crack into databases of sensitive
information or snoop on information as it travels across Internet routes.
It is, therefore, important to understand the risks and security factors that must be
addressed to ensure proper controls are in place when a company connects to the Internet. There
are several areas of control risk that must be evaluated to determine the adequacy of Internet
security controls:
- Corporate Internet policies and procedures
- Firewall standards
- Firewall security
- Data security controls
Internet threats include:
a) Disclosure
It is relatively simple for someone to eavesdrop on a "conversation" taking place over the Internet.
Messages and data traversing the Internet can be seen by other machines, including e-mail files,
passwords and in some cases keystrokes as they are being entered in real time.
b) Masquerade
A common attack is a user pretending to be someone else to gain additional privileges or access
to otherwise forbidden data or systems. This can involve a machine being reprogrammed to
masquerade as another machine (for example by changing its Internet Protocol (IP) address). This is
referred to as spoofing.
c) Unauthorised access
Many Internet software packages contain vulnerabilities that render systems subject to attack.
Additionally, many of these systems are large and difficult to configure, resulting in a large
percentage of unauthorised access incidents.
d) Loss of integrity
Just as it is relatively simple to eavesdrop on a conversation, it is also relatively easy to intercept
the conversation and change some of its contents, or to repeat (replay) a message. This could have
disastrous effects if, for example, the message was an instruction to a bank to pay money.
Encryption on its own does not prevent this: a message authentication code or digital signature
is needed to detect alteration, and a sequence number or timestamp to detect replay.
e) Denial of service
Denial of service attacks occur when a computer connected to the Internet is inundated (flooded)
with data and/or requests that must be serviced. The machine becomes so tied up with dealing with
these messages that it becomes useless for any other purpose.
f) Theft of service and resources
Where the Internet is being used as a channel for delivery of a service, unauthorised access to
the service is effectively theft; hacking into a subscription-based news service, for example.
It is difficult to assess the impact of the threats described above, but in general terms the following
types of impact could occur:
- Loss of income
- Increased cost of recovery (correcting information and re-establishing services)
- Increased cost of retrospectively securing systems
- Loss of information (critical data, proprietary information, contracts)
- Loss of trade secrets
- Damage to reputation
- Legal and regulatory non-compliance
- Failure to meet contractual commitments
Encryption
Encryption is the process of converting a plaintext message into a secure coded form of text
called ciphertext that cannot be understood without converting it back to plaintext via
decryption (the reverse process). This is done via a mathematical function and a special
encryption/decryption secret called the key.
Encryption is generally used to:
- Protect data in transit over networks from unauthorised interception and manipulation
- Protect information stored on computers from unauthorised viewing and manipulation
- Deter and detect accidental or intentional alterations of data (in combination with a message
authentication code or digital signature; encryption alone does not detect alteration)
- Verify the authenticity of a transaction or document
The limitations of encryption are that it cannot prevent loss of data and that encryption programs
and their keys can be compromised. Encryption should therefore be regarded as an essential but
incomplete form of access control that is incorporated into an organisation's overall computer
security programme.
Key elements of encryption systems are:
a) Encryption algorithm: a mathematically based function or calculation which encrypts or
decrypts data.
b) Encryption keys: a piece of information that is used within an encryption algorithm
(calculation) to make the encryption or decryption process unique. Similar to passwords, a
user needs the correct key to access or decipher a message; the wrong key turns the message
into an unreadable form.
c) Key length: a predetermined length for the key. The longer the key, the more difficult it
is to compromise in a brute-force attack, where all possible keys are tried.
The strength of an encryption system depends upon the secrecy of the key and the difficulty
of compromising it, the absence of back doors by which an encrypted file can be decrypted
without knowing the key, resistance to recovering the key or the rest of a message when the
plaintext for part of it is known (a known-plaintext attack), and how much of the structure
of the plaintext is known to an attacker.
There are two common encryption or cryptographic systems:
a) Symmetric or private key system
Symmetric cryptosystems use a secret key to encrypt the plaintext into ciphertext. The
same key is also used to decrypt the ciphertext into the corresponding plaintext. The
key is called symmetric because the encryption key is the same as the decryption key.
The most common private key system when this material was written was the Data Encryption
Standard (DES); its 56-bit key can now be found by brute force, and it has been superseded by
the Advanced Encryption Standard (AES).
b) Asymmetric or public key system
Asymmetric encryption systems use two keys, which work together as a pair. One key
is used to encrypt data, the other is used to decrypt data. Either key can be used to
encrypt or decrypt, but once one key has been used to encrypt data, only its partner
can be used to decrypt the data (even the key that was used to encrypt the data cannot
be used to decrypt it). Generally, with asymmetric encryption, one key is known only to one
person (the secret or private key) and the other is known by many people (the public key). A common
form of asymmetric encryption is RSA (named after its inventors Rivest, Shamir and Adleman).
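The following added example (not code from the original material) ties together the loss-of-integrity threat described under Internet Threats and the three key elements listed above: a symmetric cipher, the fact that encryption on its own does not detect alteration or replay, and the effect of key length under a known-plaintext brute-force attack. The stream cipher is a toy built from SHA-256 so that the block runs with the Python standard library alone; it is not a recommended cipher, and the bank-instruction message and keys are constructed.

```python
"""Symmetric encryption, the integrity gap and key length (added example; not
code from the original text).  The stream cipher below is a toy built from
SHA-256 purely for illustration: use a vetted authenticated cipher (for
example AES-GCM from a maintained library) in real systems."""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter), repeated."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Symmetric: XOR the plaintext with the keystream derived from the key."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


decrypt = encrypt  # the same key and the same operation reverse the process


def tamper(ciphertext: bytes, position: int, old: bytes, new: bytes) -> bytes:
    """Loss of integrity without the key: XOR (old ^ new) into the ciphertext so
    the bytes at `position` decrypt to `new` instead of `old`."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[position + i] ^= o ^ n
    return bytes(ct)


def seal(enc_key: bytes, mac_key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  The sequence number doubles as the nonce and is
    covered by the MAC, so both alteration and replay become detectable."""
    nonce = seq.to_bytes(8, "big")
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_message(enc_key: bytes, mac_key: bytes, expected_seq: int, blob: bytes) -> bytes:
    """Verify the MAC first (constant-time compare), then the sequence number,
    then decrypt.  Raises ValueError on alteration or replay."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected_tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise ValueError("integrity check failed: message altered")
    if int.from_bytes(nonce, "big") != expected_seq:
        raise ValueError("replayed or out-of-order message")
    return decrypt(enc_key, nonce, ct)


def brute_force(nonce: bytes, plaintext: bytes, ciphertext: bytes, key_bits: int = 16):
    """Known-plaintext brute force: try every key of `key_bits` bits until one
    reproduces the observed ciphertext.  Feasible at 16 bits, not at 128."""
    nbytes = (key_bits + 7) // 8
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        if encrypt(key, nonce, plaintext) == ciphertext:
            return key
    return None


if __name__ == "__main__":
    enc_key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)
    nonce = (1).to_bytes(8, "big")
    order = b"PAY 0100 TO ACCT 42"            # constructed bank instruction
    ct = encrypt(enc_key, nonce, order)
    forged = tamper(ct, 4, b"0", b"9")        # the attacker never sees the key
    print("encryption only :", decrypt(enc_key, nonce, forged))   # PAY 9100 ...
    blob = seal(enc_key, mac_key, 1, order)
    print("sealed, opened  :", open_message(enc_key, mac_key, 1, blob))
    for bad in (tamper(blob, 12, b"0", b"9"), blob):   # altered, then replayed
        try:
            open_message(enc_key, mac_key, 2, bad)
        except ValueError as err:
            print("rejected        :", err)
    weak = (0x1234).to_bytes(2, "big")
    print("16-bit key found:", brute_force(nonce, order, encrypt(weak, nonce, order)).hex())
```

The forgery changes one digit of the payment amount without the attacker knowing the key, which is exactly the loss-of-integrity case above; only the MAC catches it. The brute-force function is the "known text attack" in concrete form: with one plaintext/ciphertext pair a 16-bit key falls in a fraction of a second, and every added bit doubles the work, which is why key length is listed as a key element.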
Firewall Security
A firewall is a set of hardware and software placed between an organisation's internal
network and an external network to prevent outsiders from invading private networks. Companies
should build firewalls to protect their networks from attacks. To be effective, firewalls
should allow individuals on the corporate network to access the Internet and at the same time stop
hackers or others on the Internet from gaining access to the corporate network to cause damage.
Firewalls are hardware and software combinations built using routers, servers and a
variety of software. They should sit at the most vulnerable point between a corporate network and
the Internet, and they can be as simple or as complex as system administrators want to build them.
There are many different types of firewall, but most enable organisations to:
- Block access to particular sites on the Internet
- Prevent certain users from accessing certain servers or services
- Monitor communications between internal and external networks
- Eavesdrop on and record all communications between an internal network and the outside world
to investigate network penetrations or detect internal subversion
- Encrypt packets that are sent between different physical locations within an organisation by
creating a virtual private network over the Internet
Problems faced by organisations that have implemented firewalls are:
- A false sense of security, where management feels that no further security checks and
controls are needed on the internal network.
- Firewalls are circumvented through the use of modems connecting users directly to Internet
service providers.
- Mis-configured firewalls, allowing unknown and dangerous services to pass through freely;
the safe default is to deny everything that is not explicitly permitted.
- Misunderstanding of what constitutes a firewall, e.g. companies claiming to have a firewall
when they merely have a screening router.
- Monitoring activities do not occur on a regular basis, i.e. log settings are not appropriately
applied and reviewed.
Intrusion Detection Systems (IDS)
Intrusion or intruder detection is the identification of, and response to, malicious activity. An
IDS is a tool aiding in the detection of such attacks: it detects patterns and issues an alert.
There are two types of IDS, network-based and host-based.
Network-based IDSs identify attacks within the network they are monitoring and issue a
warning to the operator. If a network-based IDS is placed between the Internet and the firewall, it
will detect all attack attempts, whether or not the firewall blocks them. If the IDS is placed
between the firewall and the corporate network, it will detect only those attacks that got past
the firewall, that is, the actual intruders. The IDS is not a substitute for a firewall but
complements its function.
Host-based IDSs are configured for a specific environment and monitor various internal
resources of the operating system to warn of a possible attack. They can detect the modification of
executable programs and the deletion of files, and issue a warning when an attempt is made to use a
privileged command.
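The mis-configured firewall problem from the Firewall Security section and the sensor-placement point made just above can be shown together in one small simulation. This is an added example, not code from the original material: the packet fields, the two rule sets, the traffic and the attack signatures are all constructed, and the "IDS" is a substring match standing in for real signature matching.

```python
"""Screening firewall rules and IDS sensor placement (added example, not from
the original text).  Packet fields, rules, traffic and attack signatures are
constructed for illustration; real firewalls and IDSs match far more."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str = ""


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    dport: Optional[int] = None     # None matches any destination port
    src_prefix: str = ""            # "" matches any source address

    def matches(self, p: Packet) -> bool:
        return (self.dport is None or self.dport == p.dport) and p.src.startswith(self.src_prefix)


def filter_packets(rules: List[Rule], default_action: str, packets: List[Packet]) -> List[Packet]:
    """First-match packet filter; returns the packets that are let through."""
    passed = []
    for p in packets:
        action = default_action
        for r in rules:
            if r.matches(p):
                action = r.action
                break
        if action == "allow":
            passed.append(p)
    return passed


# Constructed signatures: (alert name, payload substring that triggers it).
SIGNATURES = [("telnet-login-bruteforce", "LOGIN FAILED"), ("cmd-injection", "; rm -rf")]


def nids(packets: List[Packet]) -> List[Tuple[str, str, int]]:
    """Network-based IDS: pattern-match payloads, return (alert, src, dport)."""
    return [(name, p.src, p.dport) for p in packets for name, pat in SIGNATURES if pat in p.payload]


# Constructed traffic mixing legitimate requests with attack attempts.
TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.10", 80, "GET /index.html"),
    Packet("203.0.113.7", "192.0.2.10", 23, "LOGIN FAILED LOGIN FAILED"),
    Packet("198.51.100.9", "192.0.2.10", 80, "GET /cgi-bin/x?cmd=; rm -rf /"),
    Packet("203.0.113.8", "192.0.2.25", 25, "MAIL FROM:<a@example.com>"),
]

# The misconfiguration the text warns about: a screening router that blocks
# only what someone remembered to block and lets every other service through.
MISCONFIGURED = ([Rule("deny", dport=135)], "allow")

# Corrected: default deny, with explicit allows only for the services offered.
HARDENED = ([Rule("allow", dport=80), Rule("allow", dport=25)], "deny")


def sensor_report(ruleset):
    """Alerts from a sensor outside the firewall versus one inside it."""
    rules, default = ruleset
    outside = nids(TRAFFIC)                                 # every attempt, blocked or not
    inside = nids(filter_packets(rules, default, TRAFFIC))  # only what the firewall passed
    return outside, inside


if __name__ == "__main__":
    for label, ruleset in (("misconfigured", MISCONFIGURED), ("hardened", HARDENED)):
        outside, inside = sensor_report(ruleset)
        print(f"{label}: outside sensor {len(outside)} alerts, inside sensor {len(inside)}")
        for alert in inside:
            print("   got past the firewall:", alert)
```

With the default-allow rule set both sensors see both attacks, because nothing is stopped. With the default-deny rule set the telnet attempt disappears from the inside sensor, but the command injection still arrives there: it rides on port 80, which the firewall must permit for the web service to work. That is the false sense of security the Firewall Security section warns about, and it is why the inside sensor complements rather than duplicates the firewall.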
Environmental Exposures and Controls
Environmental exposures are primarily due to naturally occurring events, although some (such
as bomb threats) are man-made. With proper controls, exposure to these elements can be
reduced. Common exposures are:
- Fire
- Natural disasters: earthquake, volcano, hurricane, tornado
- Power failure
- Power spike
- Air conditioning failure
- Electrical shock
- Equipment failure
- Water damage/flooding: even with facilities located on upper floors of high-rise buildings,
water damage is a risk, typically occurring from broken water pipes
- Bomb threat/attack
Other environmental issues and exposures include the following:
- Is the power supply to the computer equipment properly controlled to ensure that it remains
within the manufacturer's specifications?
- Are the air conditioning, humidity and ventilation control systems for the computer
equipment adequate to maintain temperatures within manufacturers' specifications?
- Is the computer equipment protected from the effects of static electricity, using an anti-static
rug or anti-static spray?
- Is the computer equipment kept free of dust, smoke and other particulate matter, such as
food?
- Is consumption of food, beverage and tobacco products prohibited, by policy, around
computer equipment?
- Are backup media protected from damage due to temperature extremes, the effects of
magnetic fields and water damage?
Controls for Environmental Exposures
a) Water detectors: in the computer room, water detectors should be placed under the raised
floor and near drain holes, even if the computer room is on a high floor (remember water
leaks). When activated, the detectors should produce an audible alarm that can be heard by
security and control personnel.
b) Hand-held fire extinguishers: fire extinguishers should be in strategic locations throughout
the information system facility. They should be tagged for inspection and inspected at least
annually.
c) Manual fire alarms: hand-pull fire alarms should be strategically placed throughout the
facility. The resulting audible alarm should be linked to a monitored guard station.
d) Smoke detectors: they supplement, not replace, fire suppression systems. Smoke detectors
should be above and below the ceiling tiles throughout the facility and below the raised
computer room floor. They should produce an audible alarm when activated and be linked to
a monitored station (preferably by the fire department).
e) Fire suppression system: these systems are designed to activate immediately after detection
of the high heat typically generated by fire. The system should produce an audible alarm when
activated. Ideally, it should automatically trigger other mechanisms to localise the fire,
including closing fire doors, notifying the fire department, closing off ventilation ducts and
shutting down non-essential electrical equipment. Fire suppression systems vary but are
usually one of the following:
- Water-based systems (sprinkler systems): effective but unpopular because they damage
equipment
- Dry-pipe sprinkler systems: sprinkler systems whose pipes hold pressurised air rather than
water; water enters the pipes only when a fire alarm or an opened sprinkler head releases the
valve, which reduces the risk of leaks and accidental discharge
- Halon systems: release pressurised halon gas, which chemically interrupts the combustion
reaction rather than removing oxygen. Halon was popular because it does not damage
equipment, but it depletes the ozone layer, its production has been phased out under the
Montreal Protocol, and new installations use substitute clean agents
- Carbon dioxide systems: release pressurised carbon dioxide gas into the protected area
to displace the oxygen required for combustion. Unlike halon, however, carbon dioxide at
extinguishing concentrations cannot sustain human life and, therefore, cannot be set to
automatic release in occupied areas
f) Strategically locating the computer room: to reduce the risk of flooding, the computer room
should not be located in the basement. If located in a multi-storey building, studies show that
the best location for the computer room to reduce the risk of fire, smoke and water damage is
between the 3rd and 6th floors.
g) Regular inspection by the fire department: to ensure that all fire detection systems comply
with building codes, the fire department should inspect the system and facilities annually.
h) Fireproof walls, floors and ceilings surrounding the computer room: walls surrounding the
information processing facility should contain or block fire from spreading. The surrounding
walls should have at least a two-hour fire resistance rating.
i) Electrical surge protectors: these electrical devices reduce the risk of damage to equipment
due to power spikes. Voltage regulators measure the incoming voltage and either raise or
lower it to deliver a consistent voltage to the equipment. Such protectors are typically
built into the uninterruptible power supply (UPS) system.
j) Uninterruptible power supply (UPS)/generator: a UPS is a battery-backed unit that sits
between the electrical power entering the facility and the electrical power entering the
computer; it typically cleanses the power to ensure that the voltage delivered to the computer
is consistent. Should a power failure occur, the UPS continues providing electrical power from
its batteries for a certain length of time, which should be long enough for a petrol- or
diesel-powered standby generator to start or for an orderly shutdown. A UPS can be built into a
computer or can be an external piece of equipment.
k) Emergency power-off switch: there may be a need to shut off power to the computer and
peripheral devices, such as during a computer room fire or emergency evacuation. Two
emergency power-off switches should serve this purpose, one in the computer room, the other
near, but outside, the computer room. They should be clearly labelled, easily accessible for
this purpose and yet still secured from unauthorised people. The switches should be shielded
to prevent accidental activation.
l) Power leads from two substations: electrical power lines that feed into the facility are
exposed to many environmental hazards: water, fire, lightning, cutting due to careless
digging etc. To reduce the risk of a power failure due to these events, which for the most part
are beyond the control of the organisation, redundant power lines should feed into the facility.
In this way, interruption of one power line does not adversely affect the electrical supply.
m) Wiring placed in electrical panels and conduit: electrical fires are always a risk. To reduce
the risk of such a fire occurring and spreading, wiring should be placed in fire-resistant panels
and conduit. This conduit generally lies under the fire-resistant raised computer room floor.
n) Prohibitions against eating, drinking and smoking within the information processing facility:
food, drink and tobacco use can cause fires, build-up of contaminants or damage to sensitive
equipment, especially in the case of liquids. They should be prohibited from the information
processing facility. This prohibition should be overt, for example a sign on the entry door.
o) Fire-resistant office materials: wastebaskets, curtains, desks, cabinets and other general
office materials in the information processing facility should be fire resistant. Cleaning fluids
for desktops, console screens and other office furniture/fixtures should not be flammable.
p) Documented and tested emergency evacuation plans: evacuation plans should emphasise
human safety, but should not leave information processing facilities physically unsecured.
Procedures should exist for a controlled shutdown of the computer in an emergency situation,
if time permits.