Control

In brief

Securing information is far from being a technical issue for an organisation. In fact, technical operations are just one aspect of a process which, to be successful, must include all of the company’s activities as a whole.

Before implementing technical procedures and measures aimed at improving an organisation’s security, it is important to first conduct a risk analysis (risk management) and to write up a security policy.

The security policy formalises and coordinates all of the organisation’s security techniques and organisational procedures.

Writing up a security policy is a lengthy task. We don’t advise that small companies tackle it all in one go. It’s better to make gradual progress through continuous improvement, creating a document that is both short and concise, to progressively develop the procedures and sectoral policies that are most needed.

The governing principle when drafting a security policy consists on the one hand of a set of best practices (ISO/IEC 27001 and ISO/IEC 27002), and, on the other hand, of risk analysis and assessment. All organisations should ensure they implement behavioural, organisational and technical measures where they can be quickly and truly effective.

In any case, you should choose an approach that is best suited to the size, and especially the criticality of assets and the maturity of the organisation.

Security charter

The definition and application of a security charter is the first step towards security management. To guarantee its success, it must meet the specific security requirements for the organisation. A risk analysis, even a brief one, must precede this process. Without this analysis, management will not be in a position to determine which assets should be protected as a priority. In order to be able to predict the worst possible outcome, management must identify the most likely threats and the vulnerabilities which are the easiest to exploit.

The introduction of a charter must imperatively be accompanied by a presentation to the employees who will have to implement the suggested measures on a daily basis. Without this training, there is a risk that the charter will be ignored and will therefore become useless.

Security policy

Once the major risks for the organisation have been identified (risk management), management will, with a view to continuous improvement, be able to go beyond a simple security charter. They will introduce an actual policy, as well as specific procedures.

With the introduction of even a rudimentary security policy, management will be able to begin organising security. The security policy will define in the formal procedures, the obligations and responsibilities of each individual, as well as the processes related to the security of information.

At this stage, there is no point in compiling an exhaustive security policy. Making an organisation secure is an ongoing process (Design, Implementation, Assessment/Checks and Improvement), and it is implemented according to security measures, assessed based on the worst possible outcomes, the most likely threats and the largest vulnerabilities.

Design

This first step aims to correctly determine the scope and context of the future system. It must also be able to identify and assess the risks, in order to develop a management plan. (It cannot, however, replace the risk analysis which must be carried out in advance.)

Implementation

The implementation stage primarily consists of applying the security policy created in the previous stage. Organisational and technical measures are implemented and behavioural measures are applied by the staff.

Assessment and checks

The assessment systems must have been set out in the security manual. The aim is to ensure that the procedures put in place work as intended.

These assessments can take several different forms:

regular inspections carried out as part of the everyday tasks;
automatic checks performed using software tools which can generate reports;
comparison with other organisations;
performance of planned formal audits (risk assessment);
management review.

If the assessments and checks uncover inadequacies in certain procedures, measures must then be taken to correct them.

Improvement

The actions that were decided upon in the previous step will have to be implemented, either:

at the security system level itself, by appointing a (new) manager for all or part of the system, for example;
at operational procedure level which will have been determined, such as the implementation of a different (and obviously better suited) data backup procedure;
at tool level, with the purchase of an antivirus, for example.

Contents of the security policy

The security policy should contain the following documents:

Section 1. Security policy

Management commitment
Review and assessment

Section 2. Organisation of security

Attribution of responsibilities
Authorisation procedure for adding information processing tools
Expert advice
Independent review of information security
Third party access and outsourcing

Section 3. Classification and monitoring of resources

Classification of and responsibility for resources

Section 4. Human factors

Security as a mission
Training and information
Response to incidents and security malfunctions

Section 5. Physical and environmental security

Physical security perimeter
Rules within the perimeter
Electrical equipment safety
Maintenance
Off-site equipment security
Disposal or reuse of the equipment
Clean desk

Section 6. Operational and communications aspects

Documented procedures
Separation of development and production environments
External management of resources
Protection against malware
Data backups
Device security during transport
Email

Section 7. Access control

Access control policy
Access rights management
Password management
Use of external networks
External connections
Separation of networks
Login procedure

Section 8. Development and maintenance of systems

Use of encryption
Electronic signatures

Section 9. Management of security incidents

Reporting information security events
Incident management and improvements information security
Analysis of non-fulfillment of obligations

Section 10. Managing business continuity

Operational continuity

Section 11. Compliance

Identification of applicable legislation
Intellectual property
Protection of operational data
Personal data protection

Glossary

▹ Antivirus

▹ Actifs

▹ Authentification

▹ Disponibilité

▹ Critères de base pour l'analyse des risques

▹ Attaque informatique

▹ Confidentialité

▹ Control

▹ Cryptographie

▹ Cybercriminalité

▹ Cybercriminel

▹ DRP – Disaster Recovery Plan

▹ Sauvegarde de données

▹ Perte de données

▹ Défiguration

▹ Désinfectez la machine avec un live CD

▹ Mise au rebut

▹ Email

▹ Firewall

▹ Erreurs humaines

▹ IDS/IPS

▹ Droit à l'image

▹ Impact

▹ Intégrité

▹ Internet et droits d'auteurs

▹ Aspects légaux

▹ LuxTrust

▹ Logiciels malveillants

▹ Sites Web malicieux

▹ Segmentation réseau

▹ Password

▹ Correctifs - patch

▹ Phishing

▹ Pannes physiques

▹ Sécurité physique

▹ Vol Physique

▹ Recommandations pour sécuriser un serveur de fichiers

▹ Recommandations pour sécuriser un serveur connecté à Internet

▹ Recommandations pour sécuriser un serveur Web

▹ Supports amovibles

▹ Gestion des risques

▹ Spam - les courriers indésirables

▹ SSL/TLS - les technologies de chiffrement sur la toile

▹ Mettre à jour les logiciels sur son ordinateur à l'aide de Secunia PISA

▹ Charte de sécurité

▹ Ingénierie sociale

▹ Menaces

▹ VPN : Les réseaux privés virtuels

▹ Vulnérabilités

▹ Web of Trust - WOT

▹ Filtre web - Proxy

▹ Pourquoi est-il important de protéger son ordinateur?