This Security Audit is not a comprehensive audit of the security requirements of a particular organization. It is a checklist which will give an indication of the kinds of steps that an organization should take in securing its computer and information systems. It should always be borne in mind that security of information systems is not a static solution that can be fixed once. Constant attention has to be paid to the issue, as the risks, the threats, and the things that have to be protected are always changing.
Each of the following items should be considered, and appropriate action taken to protect your information.
1. Backups.
Backups are a vital and far too often overlooked part of any information security system. If anything goes wrong with your systems, you must be able to get back to where you started as quickly as possible, and that means restoring your data.
Factors which you should consider in arranging your back-ups are:
- What information or data do I have that has to be backed up?
- How often should I back my information up?
- What is an efficient and cost-effective medium to back up onto?
- Have I got the ability to restore my information in the event of a loss of the computer(s), the backup machine, or the backup software?
- Have I tried restoring data to ensure that my backup processes actually work?
- Where will I store my backups?
There are any number of solutions which will meet the requirements of any user, from a periodic (weekly or monthly) copying of some information onto a CD or other external media, to a fully replicated server system where two parallel systems are operated in separate parts of the world. With the advent of always-on access to the internet, one backup solution which is becoming more widespread is to use a managed service to back up your data onto a remotely located server over a broadband connection.
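The restore question in the list above is the one most often skipped. The following is an added example (not part of the original checklist) of what a scripted restore test looks like: it backs a directory up into a compressed tar archive, records a SHA-256 manifest of every file at backup time, then restores the archive into a scratch directory and compares every restored file against that manifest. The sample directory, file names and the deliberately mismatched manifest entry in `run_demo` are constructed for the example; the archive layout and manifest format are choices made here, not those of any particular backup product.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(tree: Path) -> dict:
    """Map every file under tree (POSIX-style relative path) to its SHA-256 digest."""
    return {
        p.relative_to(tree).as_posix(): sha256_of(p)
        for p in sorted(tree.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    """The manifest lives beside the archive, e.g. backup.tar.gz -> backup.tar.manifest.json."""
    return archive.with_suffix(".manifest.json")


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of source plus a manifest of the expected digests."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_restore(archive: Path) -> dict:
    """Restore the archive into a scratch directory and compare it with the manifest.

    This is the 'have you tried to restore?' check: a backup only counts once it
    has been read back and every file matches the digest recorded at backup time.
    """
    expected = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where the interpreter provides it
            # (Python 3.12+, backported to recent 3.8 to 3.11 releases).
            if hasattr(tarfile, "data_filter"):
                tar.extractall(dest, filter="data")
            else:
                tar.extractall(dest)
        actual = build_manifest(dest)
    missing = sorted(f for f in expected if f not in actual)
    corrupt = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    extra = sorted(f for f in actual if f not in expected)
    return {
        "ok": not (missing or corrupt or extra),
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
    }


def run_demo() -> dict:
    """Constructed end-to-end run: back up a small sample tree, verify it, then
    alter the manifest to show that a mismatching file is reported as corrupt."""
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        source = root / "data"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "notes.txt").write_text("quarterly figures\n")
        (source / "config.ini").write_text("[server]\nport=8080\n")
        archive = root / "backup.tar.gz"
        make_backup(source, archive)
        clean = verify_restore(archive)
        # Simulate a backup that no longer matches what was recorded at backup time.
        manifest = json.loads(manifest_path(archive).read_text())
        manifest["docs/notes.txt"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(manifest))
        tampered = verify_restore(archive)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it on a schedule against the real archive rather than only once: the point of the exercise is that the restore path (media, software and manifest) is exercised every time, so a broken backup is found before the day it is needed.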
2. Anti-Virus Software.
Making sure that you do not get infected with a virus may not seem like a security issue; however, in maintaining the integrity of your information, anti-virus software is vital. Viruses can destroy your data (e.g. the I Love You virus) and can crash your systems (e.g. the Melissa virus). Viruses are not good for the security of your information systems.
Numerous software vendors sell anti-virus software, and all the major vendors offer a reasonable degree of protection against viruses. Whichever product you use, there are two important things to bear in mind:
- Ensure that your anti-virus software has the most recent updates with details of the latest viruses.
- Ensure that your anti-virus software is configured to scan every route by which viruses can reach your computer (e-mail, web browsing, floppy disks, CDs, archives, etc.).
NB: With the recent Code Red and Nimda viruses, it is of vital importance that you keep up to date with ALL the security patches for web servers that are susceptible.
3. Firewalls.
Even if you have a single stand-alone computer, given the number of port scans that are being carried out, it is important to have suitable firewall protection.
For personal use, there are simple software personal firewalls which will offer a reasonable degree of protection. However, it is important to configure these correctly to meet your requirements. If you leave communication channels open through your firewall, these can be exploited by a hacker to gain access to your information.
Accurate information on the configuration of whatever firewall you use should be available from the manufacturer of your particular firewall.
If you have an always-on connection, you should realize that instant messaging and chat facilities offer an excellent opportunity for a hacker to gain access to your systems, and are also a route by which spam can be propagated.
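The advice above is to configure the firewall to your requirements and not leave communication channels open. The following is an added example, not part of the original page or any firewall vendor's tooling, of how a rule set can be reviewed against a written policy: it walks a list of rules, flags inbound allow rules from outside the trusted LAN that either open every port or open a service the organisation has not approved, and checks that the inbound rules end with a deny-all. The `Rule` record, the approved-service set, the trusted LAN and the sample rules are all constructed for the example; a real review would load the rules from the firewall's own export format and this example assumes IPv4 addresses only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for the example: which inbound services the organisation
# has decided may be reachable from outside, and which network it trusts.
APPROVED_INBOUND = {("tcp", 443), ("tcp", 80)}
TRUSTED_LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass
class Rule:
    name: str
    direction: str  # "in" (toward the protected network) or "out"
    action: str     # "allow" or "deny"
    proto: str      # "tcp", "udp" or "any"
    src: str        # source network in CIDR notation (IPv4 in this example)
    dport: str      # destination port number or "any"


def is_external(src: str) -> bool:
    """True if the rule's source is not wholly inside the trusted LAN."""
    net = ipaddress.ip_network(src, strict=False)
    return not net.subnet_of(TRUSTED_LAN)


def audit_rules(rules) -> list:
    """Return (severity, rule name, message) for each finding.

    Only inbound allow rules from external sources are examined, and the last
    inbound rule must be a deny-all; otherwise anything not explicitly blocked
    reaches the network.
    """
    findings = []
    inbound = [r for r in rules if r.direction == "in"]
    for r in inbound:
        if r.action != "allow" or not is_external(r.src):
            continue
        if r.dport == "any":
            findings.append(("high", r.name,
                             f"allows every port from {r.src}; restrict to the services actually needed"))
        elif (r.proto, int(r.dport)) not in APPROVED_INBOUND:
            # A proto of "any" never matches an approved (proto, port) pair, so it is flagged too.
            findings.append(("medium", r.name,
                             f"exposes {r.proto}/{r.dport} to {r.src}, which is not on the approved service list"))
    last = inbound[-1] if inbound else None
    if last is None or not (last.action == "deny" and last.dport == "any"
                            and last.proto == "any" and last.src == "0.0.0.0/0"):
        findings.append(("high", "(policy)", "inbound rule set does not end with a deny-all rule"))
    return findings


# Constructed sample rule set; 203.0.113.0/24 is a documentation address range.
SAMPLE_RULES = [
    Rule("web-https", "in", "allow", "tcp", "0.0.0.0/0", "443"),
    Rule("remote-desktop", "in", "allow", "tcp", "0.0.0.0/0", "3389"),
    Rule("lan-file-sharing", "in", "allow", "tcp", "192.168.1.0/24", "445"),
    Rule("partner-anything", "in", "allow", "any", "203.0.113.0/24", "any"),
    Rule("workstations-out", "out", "allow", "any", "192.168.1.0/24", "any"),
    Rule("default-deny", "in", "deny", "any", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for severity, name, message in audit_rules(SAMPLE_RULES):
        print(f"[{severity}] {name}: {message}")
```

The useful habit this encodes is that the approved-service list is written down first and the rule set is checked against it, rather than the rule set being read and rationalised after the fact.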
4. Blocking and Filtering.
If you have a PC at home or have a network at home, consider whether any children have access to the PC and through the PC to the Internet.
It is easy to access information of an explicit and adult nature on the internet, and accordingly, it would be advisable to consider some blocking or filtering facility to protect children from this adult material. There are some such utilities available which offer a degree of protection to children.
5. Access Control.
If you are not the only person who has access to a PC, it may be worthwhile considering implementing a log-on system. This is more suited to the business network environment than the stand-alone PC environment, though it may be appropriate for a stand-alone machine.
This can be achieved through specialized user authentication systems; however, simple use of the username and password facilities in Windows 2000, NT and XP is adequate.
For larger networks and companies there are some additional considerations which must be taken into account to maintain information security.
Consider what information should be accessed by which people within your organization. Ensure that people do not unnecessarily have full access to the systems.
- What information is it most important to maintain the confidentiality of?
- Do you have an Acceptable Use Policy explaining what everyone in your organization should and should not do with the information systems?
- Are you aware of all the machines on your network, and are you aware of the configuration of them?
- Are you aware of all the software that is installed on your network?
- Have you ensured that all the passwords that are used in your IT systems have been changed from the default?
- Do you have a requirement that log-on passwords are maintained as confidential, that they are modified regularly and that they are in a format that cannot easily be guessed?
- Do you have any workers who take laptops and other portable devices off the network and outside the standard security procedures?
- Do you have any employees who work remotely who will need to connect to the network?
- Do you have a process to evaluate your security requirements on an ongoing basis?
- Do you have someone who is responsible for network and information security? Does that person have the authority to take action to respond to security breaches and vulnerabilities?
- Are you able to identify abnormal activity on your network?
- How do you dispose of your material waste? It is surprising how much information can be gleaned from the rubbish bins of a company.
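Two of the questions above, changing passwords from the default and requiring passwords that are confidential, changed regularly and hard to guess, can be turned into a concrete check. The following is an added example (not from the original checklist) of a password policy check of the kind a password-change hook or a periodic account review would run: it rejects a small list of vendor-default and common passwords, enforces a minimum length and character mix, refuses passwords containing the user name, repeated characters or simple alphabet, digit and keyboard-row sequences, and flags accounts whose password is older than the policy limit. The limits, the default-password list, the sample accounts and the audit date are all constructed assumptions for the example.

```python
import re
from datetime import date

# Constructed policy values and a small sample of vendor-default / common
# passwords; a real check would load a much larger list.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "123456", "letmein", "welcome"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def has_sequence(password: str, length: int = 4) -> bool:
    """True if the password contains a run of `length` consecutive alphabet,
    digit or keyboard-row characters, forwards or backwards (e.g. 1234, dcba)."""
    low = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - length + 1):
            chunk = seq[i:i + length]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(username: str, password: str, last_changed: date, today: date) -> list:
    """Return the list of policy problems for one account (an empty list means it passes)."""
    problems = []
    low = password.lower()
    if low in DEFAULT_PASSWORDS:
        problems.append("matches a known default or common password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("uses fewer than three character classes")
    if username.lower() in low:
        problems.append("contains the user name")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times")
    if has_sequence(password):
        problems.append("contains an alphabet, digit or keyboard sequence")
    age = (today - last_changed).days
    if age > MAX_AGE_DAYS:
        problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
    return problems


def audit_accounts(accounts, today: date) -> dict:
    """Run check_password over (username, candidate password, last_changed) records."""
    return {user: check_password(user, pw, changed, today) for user, pw, changed in accounts}


# Constructed sample records as a password-change hook would see them:
# the account name, the password being set, and when it was last changed.
SAMPLE_ACCOUNTS = [
    ("admin", "admin", date(2024, 1, 5)),
    ("jsmith", "Jsmith2024!!", date(2024, 5, 1)),
    ("backup", "Tr7#wqLp9!Zm", date(2024, 5, 20)),
]
AUDIT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for user, problems in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(user, "OK" if not problems else "; ".join(problems))
```

The age check is deliberately kept with the other rules: an account that passes every strength test but has not been changed since the system was installed is exactly the one the "changed from the default" question is asking about.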
Business computer networks that are on-line will always be exposed to a degree of risk. The function of information and network security is to minimize that risk.
It must also be borne in mind that the reason why you have computer systems in business, and the reason why you put them on-line, is to further the business. Therefore the most secure network might not be in the best interests of the firm.
In each business, decisions have to be taken in implementing IT security to ensure that there is an appropriate balance between freedom of access, which increases business activity, and safety, which prevents loss of data and resources.
If you are serious about the security of your business information and computer systems, then it is advisable to consider the implementation of the Quality Standard, ISO17799 (BS7799). ISO17799 is a standard that is a code of practice for information security management, and is organized into ten sections:
- Business Continuity Planning
- Systems Access Control
- System Development and Maintenance
- Physical and Environmental Security
- Compliance
- Personnel Security
- Security Organisation
- Computer and Operations Management
- Asset Classification and Control
- Security Policy.