Tuesday, April 3, 2007

Data Security - Departmental Information Security Policy

For most companies, drafting a single central Information Security policy is enough.

Some companies, however, require individual business units or departments to produce their own departmental policies.

Where that is the case, it makes sense to provide one standard template for all departments to follow.

This post discusses what the format of such a template should be and what it should look like.

First of all, in my opinion the structure of the policy should be as follows:

Index

1. Central Policy

2. Departmental IT Policy

3. IT Emergency Procedure for the Department



The following IT policies are valid for the department(s) __________.

The department heads are responsible for the planning, implementation and control of measures for data protection and information security in the department. All employees of the department should know the rules and are responsible within the scope of their duties for the proper and secure handling of confidential information.

Other categories include:

Permissible hardware in the department.
Permissible software in the department.
Departmental data classification and authorisation lists.
Office security.
Backup strategy and archiving strategy.
Emergency procedures for the department.

I have created sample departmental policies; if you are interested, do drop me an email at certboy@gmail.com. I just need a small donation from you for my effort, that's all.


Sunday, April 1, 2007

Data Security - Information Security Policies

Data Security – IS regulations

Although there should be company-wide IT security regulations, each business unit should also adapt its own version of the security regulations to its business needs.


I will send you a copy of the IT regulations if you email me at certboy@gmail.com to request one.



Data Security - Information Security Documents

After the organizational network is established, it is important to decide what documentation to keep in each business unit.

I would say that each business unit should keep documentation of the IT regulations pertaining to its department, followed by IT documentation such as hardware/software asset lists and authorization documents recording who can access which systems/folders in the department and with what kind of access.

Other important documents include emergency documentation such as proxies for key appointment holders, spare systems for critical functions, and virus outbreak escalation procedures.

I will go deeper into the individual documents in my next posts.

Meanwhile, please leave your comments if you have any.



Tuesday, March 20, 2007

Data Security - Establish a network of data security personnel

To be successful in information security management, the initiatives need to be implemented from top management down to executives.

Ideally, a data security partner (DSP) needs to be appointed from every department so that the DSPs can be trained on all aspects of information security policies, procedures and standards.

The DSPs will then implement all policies, procedures and standards according to their business environment.

Data Security - Traceability

Traceability simply means being able to track logs and events so as to detect who penetrated a compromised system, why, and how.

By reviewing logs and events one can also check for unauthorised attempts to log in to a system.

However, there is a real challenge today in retaining massive log files and yet making meaningful associations across them every now and then.

Log management is a field in itself. In fact, deciding what to log and what not to log becomes a science learnt through experience.
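As an added example (not code from the original post), the kind of log review the post describes, in Go: it parses constructed OpenSSH-style authentication lines, counts failed logins per source address, flags sources that reach a threshold, and flags a successful login that follows earlier failures from the same source. The log lines, host name, addresses, user names and the threshold of 3 are all constructed for the example; the regular expression matches only this sample format.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// LoginEvent is one parsed authentication log line.
type LoginEvent struct {
	Timestamp string
	Outcome   string // "Failed" or "Accepted"
	User      string
	Source    string
}

// sshLine matches the OpenSSH-style lines in the constructed sample below, e.g.
// "Mar 20 10:01:02 host sshd[123]: Failed password for invalid user bob from 10.0.0.5 port 4242 ssh2"
var sshLine = regexp.MustCompile(`^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+`)

// ParseLoginEvents extracts login events from raw log text, skipping unrelated lines (cron, etc.).
func ParseLoginEvents(logText string) []LoginEvent {
	var events []LoginEvent
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		m := sshLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		events = append(events, LoginEvent{Timestamp: m[1], Outcome: m[2], User: m[3], Source: m[4]})
	}
	return events
}

// FailedBySource counts failed logins per source address.
func FailedBySource(events []LoginEvent) map[string]int {
	counts := map[string]int{}
	for _, e := range events {
		if e.Outcome == "Failed" {
			counts[e.Source]++
		}
	}
	return counts
}

// SuspiciousSources returns sources whose failed-login count reaches the threshold.
// The threshold is a policy decision; 3 is an arbitrary value chosen for this example.
func SuspiciousSources(events []LoginEvent, threshold int) []string {
	var out []string
	for src, n := range FailedBySource(events) {
		if n >= threshold {
			out = append(out, src)
		}
	}
	sort.Strings(out)
	return out
}

// SuccessAfterFailures flags a successful login from a source that failed earlier in the
// same log: it may be a legitimate typo, or a password that was eventually guessed,
// so it is worth a human review either way.
func SuccessAfterFailures(events []LoginEvent) []LoginEvent {
	failed := map[string]bool{}
	var flagged []LoginEvent
	for _, e := range events {
		switch e.Outcome {
		case "Failed":
			failed[e.Source] = true
		case "Accepted":
			if failed[e.Source] {
				flagged = append(flagged, e)
			}
		}
	}
	return flagged
}

// sampleLog is constructed for this example; the host, addresses and users are fictitious.
const sampleLog = `
Mar 20 10:01:02 fileserver sshd[2301]: Failed password for invalid user admin from 192.0.2.45 port 51122 ssh2
Mar 20 10:01:05 fileserver sshd[2301]: Failed password for invalid user admin from 192.0.2.45 port 51123 ssh2
Mar 20 10:01:09 fileserver sshd[2305]: Failed password for root from 192.0.2.45 port 51130 ssh2
Mar 20 10:01:15 fileserver sshd[2309]: Accepted password for alice from 10.0.0.7 port 40001 ssh2
Mar 20 10:02:30 fileserver CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
Mar 20 10:03:44 fileserver sshd[2412]: Failed password for bob from 10.0.0.9 port 40100 ssh2
Mar 20 10:03:50 fileserver sshd[2412]: Accepted password for bob from 10.0.0.9 port 40100 ssh2
`

func main() {
	events := ParseLoginEvents(sampleLog)
	fmt.Println("suspicious sources (>=3 failures):", SuspiciousSources(events, 3))
	for _, e := range SuccessAfterFailures(events) {
		fmt.Printf("review: %s logged in from %s at %s after earlier failures\n", e.User, e.Source, e.Timestamp)
	}
}
```

The two checks are deliberately separate: the per-source count is the "what to log and how to associate it" problem the post raises (retention has to cover a long enough window for the count to mean anything), while the success-after-failures check is an association across events that no single line reveals on its own.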

Monday, March 19, 2007

Data Security - Availability

Availability in data security means being able to tolerate the loss of data/information in instances of disaster.

Again, we can divide availability into 3 classes:

Class 1 - Tolerance for loss of data/information for more than a week
Class 2 - Tolerance for loss of data/information for more than a day but less than a week
Class 3 - Tolerance for loss of data/information for less than a day

Saturday, March 17, 2007

Data Security - Integrity

Integrity means ensuring that data and information are preserved in their original form and not modified or spoofed, as can happen with email.

To ensure that, we can put in a technical control such as using digital signatures when sending emails.

What other ways can we do it? Please suggest.
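The digital-signature control mentioned above, as an added example that is not part of the original post: a Go program using the standard library's Ed25519 implementation signs a constructed email and shows that a modified body and a message signed by someone else's key both fail verification. The addresses, message text and the `Sender` type are assumptions made for the example; real email signing (S/MIME or OpenPGP) wraps the same idea in a certificate or key-distribution scheme that is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Sender holds one person's signing keypair. In practice the private key stays with
// the sender and the public key is distributed (for example via the company directory).
type Sender struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSender generates a fresh Ed25519 keypair for the named sender.
func NewSender(name string) (*Sender, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Sender{Name: name, pub: pub, priv: priv}, nil
}

// Sign produces a signature over the exact message bytes (headers and body together),
// so a change to either the claimed From header or the body invalidates it.
func (s *Sender) Sign(message []byte) []byte {
	return ed25519.Sign(s.priv, message)
}

// Verify checks a message against a signature using the claimed sender's public key.
func Verify(claimed *Sender, message, sig []byte) bool {
	return ed25519.Verify(claimed.pub, message, sig)
}

// IntegrityResult records the three checks a recipient's mail client would perform.
type IntegrityResult struct {
	OriginalVerifies bool // untouched message, real sender: must be true
	TamperedVerifies bool // body changed in transit: must be false
	SpoofedVerifies  bool // signed by someone else claiming to be finance: must be false
}

// DemoIntegrity signs a constructed email, then replays the two failure modes the
// post mentions: modification and spoofing. All names and text are constructed.
func DemoIntegrity() (IntegrityResult, error) {
	finance, err := NewSender("finance@example.com")
	if err != nil {
		return IntegrityResult{}, err
	}
	impostor, err := NewSender("impostor")
	if err != nil {
		return IntegrityResult{}, err
	}
	original := []byte("From: finance@example.com\r\nSubject: Payment\r\n\r\nPay invoice 1042 to account 12-345.")
	tampered := []byte("From: finance@example.com\r\nSubject: Payment\r\n\r\nPay invoice 1042 to account 99-999.")
	sig := finance.Sign(original)
	spoofSig := impostor.Sign(original) // the impostor signs the same text with their own key
	return IntegrityResult{
		OriginalVerifies: Verify(finance, original, sig),
		TamperedVerifies: Verify(finance, tampered, sig),
		SpoofedVerifies:  Verify(finance, original, spoofSig),
	}, nil
}

func main() {
	r, err := DemoIntegrity()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original: %v  tampered: %v  spoofed: %v\n",
		r.OriginalVerifies, r.TamperedVerifies, r.SpoofedVerifies)
}
```

The spoofing case is the one that distinguishes a signature from a plain checksum: the impostor can produce a perfectly valid signature, but only under their own key, and the recipient verifies against the key they trust for the finance address, not whatever key arrives with the message.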

Friday, March 16, 2007

Data Security - Confidentiality

Confidentiality (C) means being able to sort information into different classifications
and protect it according to the classification assigned.


  • Class 1 - Internal (can only be viewed by staff of the company and not the public)
  • Class 2 - Confidential (can only be viewed by a selected number of staff)
  • Class 3 - Strictly Confidential (can only be viewed by an even smaller group of staff)

Ideally, Class 2 and Class 3 information needs to be encrypted, whether it is files on
a server or attachments in email.

Two products worth mentioning are:

PHP Code encryption

Advance File Encryption
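An added example (not from the original post or from either product mentioned) of turning the encryption rule for Class 2 and Class 3 into code, in Go with the standard library's AES-256-GCM: Class 1 data is stored as-is, Class 2 and 3 data is encrypted, and the class label is bound into the ciphertext as associated data so that a file cannot later be opened under a lower label without failing authentication. The class names, the label-binding choice, the sample document and the key handling are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Classification follows the three classes defined in the post.
type Classification int

const (
	Internal             Classification = 1 // Class 1: staff only, no encryption required
	Confidential         Classification = 2 // Class 2: selected staff, must be encrypted
	StrictlyConfidential Classification = 3 // Class 3: smaller group, must be encrypted
)

func (c Classification) String() string {
	switch c {
	case Internal:
		return "Class 1 - Internal"
	case Confidential:
		return "Class 2 - Confidential"
	case StrictlyConfidential:
		return "Class 3 - Strictly Confidential"
	}
	return "unknown"
}

// RequiresEncryption encodes the policy rule: Class 2 and Class 3 are encrypted.
func (c Classification) RequiresEncryption() bool { return c >= Confidential }

// NewKey returns a random 256-bit AES key. Who may hold the key for a given class
// is what the departmental authorisation list decides; that is outside this example.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect stores Class 1 data as-is and encrypts Class 2/3 data with AES-256-GCM.
// Output layout: nonce || ciphertext+tag. The class label is bound as associated
// data, so the stored bytes cannot later be opened under a different label.
func Protect(class Classification, key, plaintext []byte) ([]byte, error) {
	if !class.RequiresEncryption() {
		return plaintext, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(class.String())), nil
}

// Open reverses Protect. Any modification of the stored bytes, or a mismatched
// class label, fails authentication and returns an error instead of data.
func Open(class Classification, key, stored []byte) ([]byte, error) {
	if !class.RequiresEncryption() {
		return stored, nil
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored data shorter than nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(class.String()))
}

func main() {
	key, _ := NewKey()
	doc := []byte("Q2 salary review - constructed sample content")
	stored, _ := Protect(StrictlyConfidential, key, doc)
	fmt.Println("stored as ciphertext:", !bytes.Equal(stored, doc))
	_, err := Open(Confidential, key, stored) // attempt to open under a lower label
	fmt.Println("open under lower class:", err)
}
```

Binding the label as associated data is a small addition to the post's rule, but it closes an obvious gap: without it, a Class 3 file decrypts just as happily when someone renames it into the Class 2 share, and the classification exists only in the file name.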

Data Security

Data Security, in my point of view, is made up of 4 important concepts:

  • Confidentiality (C)
  • Integrity (I)
  • Availability (A)
  • Traceability (T)

In short, it is known as CIAT. What is your point of view?
