500-1045 Howe Street
                                                            V6Z 2A9 Vancouver, B.C.
                                                                   Ph.604-314’4485
                                                                    Fx:604-6845909
                                                               foboni@riskope.com




                                                          Mr. xxxxxxxx
                                                          xxxxxxxxxx
                                                          xxxxxxxxxx
                                                          xxxxxxxxxxx


xxxx xxxx xxxx,2011


Review of the document entitled xxxx Security Guidelines

Dear xxxx,

….. we have undertaken the review of the XXXX Security Guidelines
document ….......... information security (including industrial controls).

As a general introductory remark we note that, despite the statements in
Section 1, Introduction, of the received document, we know neither the
intended audience of the received document (skilled staff, employees,
company guests, vendors?), nor its precise scope, nor the limitations that
have been given to the author(s). We believe it would be very useful for
XXXX if those were clearly stated, as it would help calibrate the
pertinent amount and level of technical information included in the Security
Guidelines for each intended audience. We do understand that guidelines are
generally purposely vague (see for example ISO 27000, ISO 31000, ON
49000, just to quote some in the area of Information Risk Management and
Security), but we do know that it is usually in the details that security (of all kinds)
gets compromised.

It is essential that all employees clearly understand the value of the
Company's Information and their individual and collective responsibility to
protect it. Awareness will constitute the first line of defense (see below,
Human Factors) in mitigating the chances of inappropriate malicious usage
and other nefarious cyber activities. The document's last statement (6,
Personnel Security) rightly quotes ISA-99:

       “Personnel security measures are meant to reduce the possibility
       and risk of human error, theft, fraud, or other intentional or unintentional
       misuse of informational assets.”

© Oboni Riskope Associates Inc.       Page 1 of 5                            09/26/11

But it then states that this aspect of security is not covered within the
proposed Security Guideline, since it references corporate policies and
procedures including hiring and employment conditions. It also states that
“designers should keep in mind that inappropriate access by corporate staff
and other approved people is as much an issue as hackers”. We are in total
agreement with the author(s) of the document and encourage XXXX to
“break up the silos”, as Information Security should cover selection, hiring,
etc. of personnel, subcontractors and suppliers. Personnel are one of the
most likely sources of leaks or file alteration, capable of annihilating any
technical effort described in the Guidelines.

Thus, we would also encourage the compilation of several versions of the
guidelines tailored towards the needs of various layers of users (see
below the “need to know” remark). As a matter of fact, for example, the
present glossary is well written and professional, but ….......

We understand these Security Guidelines should determine the minimum
level of security to be achieved and establish the criteria against which results
are measured. So, coming back to information/competence silos, we find it odd
that there is no formal and well-structured reference to any protection
from physical man-made or natural hazards, business continuity plans,
resumption plans, backup capabilities, etc. Again, we do not know if ….....,
but we would encourage XXXX to include these considerations in a broader
view of IS.

You will find below a point-by-point analysis of the received document in
the form of a list of themes that are either missing in the present document
or should be, in our opinion, developed/expanded:

   •   Compliance with Information Security Policies (ISP) must be
       mandatory. Exceptions must be contemplated, but approved by the
       Company CIO. ISPs apply to all information assets and processes.
   •   We have not seen a section on the Separation of Duties and
       Functions or Individual Accountability or Maintenance of Trust
       (Security Principles and Strategies)
   •   There should be a section on client and supplier involvement in
       Information Security.
   •   Strategies, Information Security Management xxx...
   •   We believe the document would be stronger if it was based on what
       users “Need to know”, “Need to do”, “Separation of Functions”
       and “Individual Accountability” (note xxx )
   •   We have neither seen a chapter regarding Users' Work Space (like for
       instance securing …..... in a locked desk or file cabinet, etc.) (cleaners,
       janitors and other third party workers can be hackers, agents,
       criminals), nor Secure Work Habits: users must develop and
       implement security-conscious work habits in order to keep their
       workplace safe.
   •   The Network Access Controls section (see note yy) should be significantly
       expanded by defining, for example:
           o Policy on network services use
           o ….
           o ….
           o Network routing address control
   •   We think that Operating System Access Controls should be
       expanded upon: the log-on process must indeed be configured to minimize
       the opportunity for unauthorized access, etc.:
           o Unsuccessful log-on attempts (record unsuccessful log-on, etc.)
           o …..
           o …...
           o Mobile computing and teleworking
           o Smartphones
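As an added example (not part of the original letter), the following Python check applies the recommendation above on recording unsuccessful log-on attempts: it reads constructed authentication log lines, flags an account once it accumulates a threshold of failures inside a time window (the point at which a configured lockout should have engaged), and separately flags any successful log-on that follows such a burst, since that indicates the lockout did not hold. The log format, the threshold of 5 and the 10-minute window are assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the reviewed document). The format is an
# assumption modelled on syslog-style authentication records.
SAMPLE_LOG = """\
2011-09-26T08:00:01 host1 login: FAILED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:00:07 host1 login: FAILED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:00:12 host1 login: FAILED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:00:15 host1 login: FAILED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:00:19 host1 login: FAILED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:00:25 host1 login: ACCEPTED LOGIN user=jdoe src=10.0.0.5
2011-09-26T08:30:00 host1 login: FAILED LOGIN user=asmith src=10.0.0.9
2011-09-26T09:30:00 host1 login: FAILED LOGIN user=asmith src=10.0.0.9
2011-09-26T09:31:00 host1 login: ACCEPTED LOGIN user=asmith src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|ACCEPTED) LOGIN "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one record into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def evaluate_logons(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return (lockouts, suspicious_successes).

    lockouts: accounts that reached max_failures failed attempts within `window`
              (the point at which a configured lockout should engage).
    suspicious_successes: successful log-ons for an account after it was flagged,
              which means the lockout was absent or was bypassed."""
    failures = defaultdict(deque)   # user -> timestamps of recent failed attempts
    locked = {}                     # user -> time the threshold was reached
    lockouts, suspicious_successes = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue                # skip records this parser does not understand
        user, ts = rec["user"], rec["ts"]
        if rec["result"] == "FAILED":
            recent = failures[user]
            recent.append(ts)
            # Drop failures that fell out of the sliding window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_failures and user not in locked:
                locked[user] = ts
                lockouts.append({"user": user, "src": rec["src"],
                                 "at": ts, "failures": len(recent)})
        else:
            if user in locked:
                suspicious_successes.append({"user": user, "src": rec["src"], "at": ts})
            failures[user].clear()  # a success resets the failure streak
    return lockouts, suspicious_successes


if __name__ == "__main__":
    found, successes = evaluate_logons(SAMPLE_LOG)
    for event in found:
        print(f"lockout threshold reached: {event}")
    for event in successes:
        print(f"success after threshold (lockout did not hold): {event}")
```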
   •   We have seen a minor section of the document dedicated to Human
       Factors. Security Awareness Training must be provided to users to
       ensure they are:
           o Aware of additional risks and responsibilities inherent to mobile
                computing, smartphones and company personal computers and
                workstations
           o A Security Threat and Risk Assessment must consider threats
                to information and information technology assets, such as:
                physical theft, data interception, credential theft, device
                destruction, information destruction, malicious and mobile codes
   •   Minimum Information Protection safeguards such as encryption of
       stored data should be described.
   •   A section on Information Systems Acquisition, Development and
       Maintenance is missing in the reviewed document. Such a section
       should establish requirements for ….........:
           o Security requirements of information system
           o System security plan
           o …..
           o …..
           o Security of development and support processes, changes to
                software ….
   •   Technical Vulnerability Management including:
           o Monitoring of external sources of vulnerability information,
           o Risk assessment of published vulnerabilities
   •   Communication and Operations Management. This chapter must
       establish the requirements to support the integration of information
       security in the services provided by XXXX information processing
       facilities.
       Examples are: ….....
   •   The reviewed document seems to focus only very briefly on protection
       against malicious and mobile code.... The existence of malicious
       code and related attacks must indeed be considered a fact by a
       company operating an ICT infrastructure connected to the outside
       world. Malicious code …..
       Among possible prevention and detection controls:
           o Installing, updating and consistently using approved software
               designed to scan for, detect, repair and provide protection.
           o ….
           o …...
           o Restriction on mobile code (scanning mobile code before
               execution, etc...)
   •   In the reviewed document we did not find any reference to Back-Up.
       Information and information systems must be yyyyy. The back-up and
       recovery strategy must comply with, for example:
           o Business continuity plans
           o ….
           o …..
           o Recovery point objectives, the point in time to which data must
               be restored to resume processing transactions …
   •   We stress the importance of testing back-up and recovery
       processes (at least once per month). We stress as well the
       importance of network control and management (…...) to maintain
       the integrity of networks, and of changes to network device configuration
       information (such as ....).
   •   Wireless Local Area Networking should also receive attention, for
       example:
           o Strong link layer encryption
           o …..
           o …..
           o Instructions on how to use telephone and smartphone if some
               exchange of information occurs during a telephone
               conversation, etc.
   •   We have not found any chapter regarding e-mail management in the
       document. We underline the importance of setting up clear rules for ….
   •   The reviewed document does not include requirements for reporting
       a possible breach of information security, …..... reporting and
       mitigating security events.
   •   A section on Business Continuity Management is also apparently
       missing. That section should provide guidance for planning the
       resumption of business or services in the aftermath of a man-made or
       natural disaster. Of course the events or sequences of events that can
       cause interruption to the Company's day-to-day business processes
       (e.g. natural, third party, criminal, military, man-made) must be
       identified. A Risk Assessment must then be undertaken to determine
       the impact of those interruptions, both in damage scale and
       recovery period. A Business Continuity Strategy must be developed
       using the results from the risk assessment, which will determine the
       overall approach to business continuity.
   •   A section on Compliance should describe the requirements for
       verifying that information systems comply with ….... (for example:
       suppliers are forbidden to …. etc.). Compliance policies identify how
       to ensure that the Company is in compliance with applicable laws
       and policies (...).


  • 3. workplace safe. • Network Access Controls(see note yy) section should be significantly expanded by defining, for example: o Policy on network services use o …. o …. o Network routing address control • We think that Operating System Access Controls should be expanded upon: log-on process must indeed be configured to minimize the opportunity for unauthorized access, etc.: o Unsuccessful log-on attempts (record unsuccessful log-on, etc.) o ….. o …... o Mobile computing and teleworking o Smartphones • We have seen a minor section of the document dedicated to Human Factors. Security Awareness Training must be provided to users to ensure they are: o Aware of additional risks and responsibilities inherent to mobile computing, smartphones and company personal computers and workstations o A Security Threat and Risk Assessment must consider threats to information and information technology assets, such as: physical theft, data interception, credential theft, device destruction, information destruction, malicious and mobile codes • Minimum Information Protection safeguards such as encryption of stored data should be described. • A section on Information Systems Acquisition, Development and Maintenance is missing in the reviewed document. Such a section should establish requirements for ….........: o Security requirements of information system o System security plan o ….. o ….. o Security of development and support processes, changes to software …. • Technical Vulnerability Management including: o Vulnerabilities information external sources monitoring, o Risk assessment of published vulnerabilities • Communication and Operations Management. This chapter must establish the requirements to support the integration of information security in the services provided by XXXX information processing facilities. Examples are: …..... • The reviewed document seems to focus only very briefly on protection against malicious and mobile code.... 
The existence of malicious © Oboni Riskope Associates Inc. Page 3 of 5 09/26/11
  • 4. code and related attacks must indeed be considered a fact by a company operating an ICT infrastructure connected to the outside world. Malicious code ….. Among possible prevention and detection controls: o Installing, updating and consistently using approved software designed to scan for detect, repair and provide protection. o …. o …... o Restriction on mobile code (scanning mobile code before execution, etc...) • In the reviewed document we did not find any reference to Back-Up. Information and information systems must be yyyyy. The back-up and recovery strategy must comply with, for example: o Business continuity plans o …. o ….. o Recovery point objectives, the point in time to which data must be restored to resume processing transactions … • We stress the importance of testing back-up and recovery processes (at least once per month). We stress as well the importance of network control and management (…...) to maintain the integrity of networks, changes to network devices configuration information (such as ....). • Wireless Local Area Networking should also receive attention, for example: o Strong link layer encryption o ….. o ….. o Instructions on how to use telephone and smartphone if some exchange of information occurs during a telephone conversation, etc. • We have not found any chapter regarding e-mail management in the document. We underline the importance of setting up clear rules for …. • The reviewed document does not include requirements for reporting a possible breach of information security, …..... reporting and mitigating security events. • A section on Business Continuity Management is also apparently missing. That section should provide guidance for planning the resumption of business or services in the aftermath of a man-made or natural disaster. Of course the events or sequence of events that can cause interruption to the Company day to day business process (e.g. natural, third party, criminal, military, man-made) must be identified. 
A Risk Assessment must then be undertaken to determine the impact of those interruptions, both in the damage scale and recovery period. A Business Continuity Strategy must be developed using the results from the risk assessment, which will determine the overall approach to business continuity. © Oboni Riskope Associates Inc. Page 4 of 5 09/26/11
  • 5. A section on Compliance should describe the requirements for verifying that information systems comply with ….... (for example: suppliers are forbidden to …. etc.). Compliance policies identify how to ensure that the Company is in compliance with applicable laws and policies (...). © Oboni Riskope Associates Inc. Page 5 of 5 09/26/11