CASES.LU

Glossary

Control

In brief

Securing information is far from being a purely technical issue for an organisation. Technical operations are just one aspect of a process which, to succeed, must encompass all of the company's activities as a whole.

Before implementing technical procedures and measures aimed at improving an organisation’s security, it is important to first conduct a risk analysis (risk management) and to write up a security policy.

The security policy formalises and coordinates all of the organisation’s security techniques and organisational procedures.

Writing up a security policy is a lengthy task, and we don't advise that small companies tackle it all in one go. It is better to progress gradually through continuous improvement: start with a document that is both short and concise, then progressively develop the procedures and sector-specific policies that are most needed.

The governing principle when drafting a security policy consists on the one hand of a set of best practices (ISO/IEC 27001 and ISO/IEC 27002), and, on the other hand, of risk analysis and assessment. All organisations should ensure they implement behavioural, organisational and technical measures where they can be quickly and truly effective.

In any case, you should choose the approach best suited to the organisation's size, its maturity and, above all, the criticality of its assets.

Security charter

The definition and application of a security charter is the first step towards security management. To guarantee its success, it must meet the specific security requirements for the organisation. A risk analysis, even a brief one, must precede this process. Without this analysis, management will not be in a position to determine which assets should be protected as a priority. In order to be able to predict the worst possible outcome, management must identify the most likely threats and the vulnerabilities which are the easiest to exploit.

The introduction of a charter must be accompanied by a presentation to the employees who will have to implement the measures it prescribes on a daily basis. Without this training, there is a risk that the charter will be ignored and will therefore become useless.

Security policy

Once the major risks for the organisation have been identified (risk management), management will, with a view to continuous improvement, be able to go beyond a simple security charter. They will introduce an actual policy, as well as specific procedures.

With the introduction of even a rudimentary security policy, management will be able to begin organising security. The security policy formally defines the procedures, the obligations and responsibilities of each individual, and the processes related to information security.

At this stage, there is no point in compiling an exhaustive security policy. Making an organisation secure is an ongoing process (Design, Implementation, Assessment/Checks and Improvement) in which security measures are selected and assessed according to the worst possible outcomes, the most likely threats and the largest vulnerabilities.

Design

This first step aims to correctly determine the scope and context of the future system. It must also identify and assess the risks in order to develop a management plan. (It cannot, however, replace the risk analysis, which must be carried out in advance.)

Implementation

The implementation stage primarily consists of applying the security policy created in the previous stage. Organisational and technical measures are implemented and behavioural measures are applied by the staff.

Assessment and checks

The assessment systems must have been set out in the security manual. The aim is to ensure that the procedures put in place work as intended.

These assessments can take several different forms:

  • regular inspections carried out as part of the everyday tasks;
  • automatic checks performed using software tools which can generate reports;
  • comparison with other organisations;
  • planned formal audits (risk assessment);
  • management review.

If the assessments and checks uncover inadequacies in certain procedures, measures must then be taken to correct them.

Improvement

The actions that were decided upon in the previous step will have to be implemented, either:

  • at the security system level itself, by appointing a (new) manager for all or part of the system, for example;
  • at the level of the operational procedures that have been defined, such as the implementation of a different (and obviously better suited) data backup procedure;
  • at tool level, with the purchase of an antivirus, for example.

Contents of the security policy

The security policy should contain the following documents:

Section 1. Security policy

  1. Management commitment
  2. Review and assessment

Section 2. Organisation of security

  1. Attribution of responsibilities
  2. Authorisation procedure for adding information processing tools
  3. Expert advice
  4. Independent review of information security
  5. Third party access and outsourcing

Section 3. Classification and monitoring of resources

  1. Classification of and responsibility for resources

Section 4. Human factors

  1. Security as a mission
  2. Training and information
  3. Response to incidents and security malfunctions

Section 5. Physical and environmental security

  1. Physical security perimeter
  2. Rules within the perimeter
  3. Electrical equipment safety
  4. Maintenance
  5. Off-site equipment security
  6. Disposal or reuse of the equipment
  7. Clean desk

Section 6. Operational and communications aspects

  1. Documented procedures
  2. Separation of development and production environments
  3. External management of resources
  4. Protection against malware
  5. Data backups
  6. Device security during transport
  7. Email

Section 7. Access control

  1. Access control policy
  2. Access rights management
  3. Password management
  4. Use of external networks
  5. External connections
  6. Separation of networks
  7. Login procedure

Section 8. Development and maintenance of systems

  1. Use of encryption
  2. Electronic signatures

Section 9. Management of security incidents

  1. Reporting information security events
  2. Information security incident management and improvements
  3. Analysis of non-fulfillment of obligations

Section 10. Managing business continuity

  1. Operational continuity

Section 11. Compliance

  1. Identification of applicable legislation
  2. Intellectual property
  3. Protection of operational data
  4. Personal data protection