assignment issa 2
Post on 05-Apr-2018
7/31/2019 Assignment Issa 2
1/26
1.1 INTRODUCTION
Information system security involves understanding and managing the risks involved with network
traffic and security, protecting IT assets and data, and selecting and implementing effective controls to ensure
confidentiality and integrity and to make sure that the information and communication systems that store, process
and transmit data are available at all times. Security threats have increased because hacking tools are easy to obtain
and use, attack technology is steadily advancing in sophistication and effectiveness, and new and more destructive
cyber-attacks have dire consequences; these threats could affect the countrywide network of computerized
enhanced reservation and ticketing (CONCERT).
1.2 IT Security Audits
INFORMATION SECURITY AUDIT
The objective of this audit was to identify the vulnerable areas of the CONCERT system that could be
easily breached, to assess whether adequate and effective information access controls, network controls
and operational system controls were implemented to protect the confidentiality, integrity and
availability of the systems and data, and to offer recommendations. Information security audits are a
vital tool for governance and control of agency IT assets. This Guideline suggests actions to make the
efforts of auditors and agencies more productive, efficient, and effective.
1.1 Roles and Responsibilities
Agencies should assign an individual to be responsible for managing the IT Security Audit
Program for E-seva. While the individual assigned this responsibility will vary from agency to
agency, it is recommended that this responsibility be assigned either to the E-seva Internal Audit
Director, where one is available, or to the Information Security Officer (ISO).
1.2 IT Security Audits
Information security audits are a vital tool for governance and control of agency IT assets. IT
security audits assist agencies in evaluating the adequacy and effectiveness of controls and
procedures designed to protect COV information and IT systems. This Guideline suggests
actions to make the efforts of auditors and agencies more productive, efficient, and effective.
1.3 Roles and Responsibilities
Agencies should assign an individual to be responsible for managing the IT Security Audit
program for the agency. While the individual assigned this responsibility will vary from agency to
agency, it is recommended that this responsibility be assigned either to the agency Internal Audit
Director, where one is available, or to the Information Security Officer (ISO).
2 Planning
2.1 Coordination
As stated in the Audit Standard, at a minimum, IT systems that contain sensitive data relative to
one or more of the criteria of confidentiality, integrity, or availability shall be assessed at least
once every three years. For maximum efficiency, E-seva's IT Security Audit Program should be
designed to place reliance on any existing audits being conducted, such as those by the E-seva internal
audit organization, a Certified Information Systems Auditor, or third-party audits of any service provider.
When IT Security Audit Guideline
2.2 IT Security Audit Plan
The IT security audit plan helps the agency schedule the necessary IT Security Audits of the
sensitive systems identified in the data and system classification step in the risk management
process.
V-Tech uses the IT security audit plan to identify and document the:
1. Sequencing of the IT Security Audits relative to both risk and the business cycle of the firm, to
avoid scheduling during peak periods;
2. Frequency of audits, commensurate with risk and sensitivity; and
3. Resources to be used for the audit, such as Internal Auditors, the Auditor of Public
Accounts staff, or a private firm that the agency deems to have adequate experience,
expertise and independence.
SCOPE
The scope included an assessment of the entire network system in e-Seva. The key personnel in
various departments were interviewed so as to identify critical data and ascertain how the
network was being used. We reviewed system logs for all network components to determine
stability issues. All the network hardware which was considered to be critical to e-Seva business
initiative was also reviewed to determine single points of failure. We also assessed the various
network perimeter devices to ascertain vulnerabilities and evaluated some of the e-Seva practices
that could lead to system breaches. The security controls were also assessed to determine
whether adequate access control had been put in place.
Opening Meeting
The audit meeting was opened with a word of prayer by the Assistant Director of E-seva. The
Director of E-seva then welcomed all the members present in the meeting.
He introduced the audit team from the V-Tech company to the department members, and also his own
team to the auditors.
They reviewed the audit plan, scope and objectives for the audit and the timeline it would take for the
audit to be completed; it was decided that the audit would take almost three weeks.
The meeting established the official communication link between the department representative and the
audit team.
AUDIT TEAM
1. Elizabeth Birgen, BIT-1-4067-3/2010, CISA Lead Auditor
CERTIFICATIONS
Certified Information Systems Auditor (CISA); IBM DB2 Universal Database
Over 10 years' experience in auditing major companies in Kenya. She is responsible for auditing
operational systems.
Experienced Global IT Service Delivery Manager leading an international organization of
Database and System Administrators located in the US, Mexico and India.
Extremely familiar with the challenges, issues and opportunities associated with managing IT
outsourcing contracts and vendors.
2. David Rotich, BIT-1-2333-2/2010, CSSP Auditor
CERTIFICATIONS
CSSP
CCIE
Experienced IT auditor and information security specialist. He is responsible for auditing
network security controls.
Reduced the number of incident tickets assigned to the organization by over 80% over a
one-year period.
Accountable for Service Level Agreements and Disaster Recovery exercises for multiple
clients.
3. Linda Bunei, BIT-1-2342-1/2011, ORACLE Auditor
CERTIFICATIONS
Oracle BDA
ITIL
Has 5 years' experience in auditing Oracle systems. She is responsible for auditing access
controls.
Developed and implemented a process to monitor database activity of powerful users. Developed
and implemented a process to allow clients to review database access on a quarterly basis.
Verified and approved that all Change and Release Management changes have proper
approval, are documented, performed according to documented procedures and that there
is an audit trail of changes performed.
Executing the audit
Operational Systems
1. Documentation relating to software, hardware, network, error handling, etc. was noted to
be incomplete.
2. Assets and data were not classified on the basis of risk perception.
3. Complete technical documentation, including the source code, was not obtained. This
made it impossible to identify any unauthorized programme running in the
software application package.
4. There was no documented disaster recovery plan defining the roles, responsibilities, rules
and structures in the event of any disaster, accidental or otherwise.
5. No alternative site was identified for data centre activities in case of any disaster.
Operational Systems Recommendations
1. Documentation of the software, hardware, network and error handling issues should be
complete and precise at any given time.
2. Risky data and assets should be given higher security priority.
3. Complete documentation, including the code, is essential because it helps other programmers
understand what the program is expected to do, navigate the code easily in order to find bugs,
and determine where to add new features.
4. They should come up with disaster recovery plans consisting of defined rules, processes and
disciplines to protect the critical business processes and telecommunications resources upon
which their operations depend. These key elements of disaster plans should be emphasized:
establish a planning group; perform risk assessment and audits; establish priorities for
applications and networks; prepare an inventory and documentation plan.
5. There should be an alternate disaster recovery site; the two main issues are reconfiguring or
rebuilding the infrastructure, and moving data between the primary site and the alternate site.
6. Develop adequate backup strategies. The recommended number of backups should be taken and
the backup procedures should be in place. Backups should be automated with scripts so that, if
no personnel are available to run them, the backup still runs as always; once in a while the
backup file should be tested by performing a recovery to check its validity.
Network controls
1. No review of the functioning of network management tools was undertaken by
management to identify weaknesses.
2. There was a difference in the number of transactions as reported by eSeva and two
participating departments, which indicated that data transmission was incomplete on some
days.
3. Protocol analyzers, essential for ensuring network security, were not used.
4. Data was not classified as per sensitivity and was transmitted in clear text between eSeva
centres and the data center instead of in an encrypted form. The risk of splicing the wire and
re-routing the data, or tampering with the data by way of unauthorized access, could not be
ruled out.
5. Technical experts did not test the reliability of firewalls. Penetration test reports were also
not produced to the audit.
6. The logs of internet transactions were not maintained on a continuous basis. They were
neither archived nor reviewed.
Network Controls Recommendations
1. Develop intrusion detection strategies for the computers. Many of the common intrusion
detection methods depend on the existence of various logs that the systems produce and
on the availability of auditing tools that analyze those logs. In the deployment plan, the
kinds of information that will be collected and managed on each computer in support of
security should be described.
2. The number of transactions on documentation should tally with the number reported from
their systems.
3. They should set up protocol analyzers and packet sniffers that analyse the network
traffic and display the traffic situation on the network in real time.
4. Data should be classified as per sensitivity and should be encrypted while being sent over
a network, to prevent unauthorized personnel from accessing it.
5. They need to test their firewalls to prevent unauthorized persons from gaining access to the
private network, and occasionally do a penetration test to evaluate the security of a
computer system or network by simulating an attack from malicious outsiders.
6. Backups of web server logs are required. Backups of configuration and installation
information are also required unless there is a configuration management system that can
be used to recover or rebuild a system from a trusted baseline.
7. Install reasonably up-to-date versions of system security agent software, which must include
malware protection and reasonably up-to-date patches and virus definitions, or a version
of such software that can still be supported with up-to-date patches and virus definitions,
and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system
and the importance of data security.
Access Controls
1. There was an incident of theft, which indicated a lack of physical security.
2. Password policy
a. A password policy did not exist with respect to the eSeva application, the Oracle
database and the operating system.
b. There was no restriction on unsuccessful login attempts.
c. There was no system of maintaining emergency passwords, which had to be kept
in a sealed cover with a responsible authority for use in unforeseen situations.
d. There was no documented, well-defined procedure for creating user accounts.
e. The system provided for transaction logs but did not provide for an audit trail
which could trace the flow of transactions and processing at every stage.
f. It was noticed that the application allowed deletion of data without authentication.
Access Control Recommendations
1. The servers should be kept in a room under lock and key and the people who have access to
the key should be accountable at all times. Change lock combinations annually or following any
possible security compromise.
2. System resource profiles include a number of security-related parameters, in particular
related to the use of passwords. It is possible to set restrictions on password composition,
complexity, aging, expiration and history. In addition, it is also possible to set rules for locking
accounts after a number of failed login attempts, a maximum number of concurrent sessions for a
user, and rules to disconnect idle users.
3. There should be a properly documented procedure for creating new users in the system and
deleting old users who are no longer in service.
4. Oracle provides various methods of authentication. The most usual method would probably
be Oracle-based authentication based on username and password. It is also possible to use
host-based authentication, which is based on operating system user accounts being passed on to
Oracle. Auditing in Oracle is the monitoring and recording of activities within the database.
5. Oracle provides functions for auditing almost any action within the database (viewing,
modifying information, executing programs, deleting
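The profile parameters described in recommendation 2 and the Oracle username/password authentication of recommendation 4 can be enforced with an Oracle password profile. The following SQL is an added example, not taken from the audit report or from any E-seva configuration; the function name eseva_verify_password, the profile name eseva_user_profile, the account eseva_app and all numeric limits are assumptions chosen for illustration.

```sql
-- Added example: an Oracle password profile enforcing the controls listed in
-- recommendation 2. Names (eseva_verify_password, eseva_user_profile, eseva_app)
-- and the limits are assumptions for illustration, not E-seva's real settings.

-- 1. Password composition rules. The function must be owned by SYS and have
--    exactly this signature; Oracle calls it on every password change and
--    rejects the change when the function raises an error.
CREATE OR REPLACE FUNCTION eseva_verify_password (
  username     IN VARCHAR2,
  password     IN VARCHAR2,
  old_password IN VARCHAR2
) RETURN BOOLEAN
IS
BEGIN
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF UPPER(password) LIKE '%' || UPPER(username) || '%' THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must not contain the user name');
  END IF;
  IF NOT REGEXP_LIKE(password, '[[:digit:]]')
     OR NOT REGEXP_LIKE(password, '[[:alpha:]]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must mix letters and digits');
  END IF;
  IF old_password IS NOT NULL AND password = old_password THEN
    RAISE_APPLICATION_ERROR(-20004, 'New password must differ from the old one');
  END IF;
  RETURN TRUE;
END eseva_verify_password;
/

-- 2. Lockout after failed logins, aging, expiration, history, concurrent
--    sessions and idle disconnection, all in one profile.
CREATE PROFILE eseva_user_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5        -- lock the account after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24     -- keep it locked for 1 hour (unit is days)
  PASSWORD_LIFE_TIME       90       -- passwords expire after 90 days
  PASSWORD_GRACE_TIME      7        -- 7 days of warnings before expiry blocks logon
  PASSWORD_REUSE_TIME      365      -- an old password cannot return within a year...
  PASSWORD_REUSE_MAX       10       -- ...and 10 different passwords must intervene
  PASSWORD_VERIFY_FUNCTION eseva_verify_password
  SESSIONS_PER_USER        2        -- at most 2 concurrent sessions per account
  IDLE_TIME                30;      -- disconnect sessions idle for 30 minutes

-- 3. Apply the profile to an account. Oracle-based authentication (user name
--    plus password) is then checked against these limits at every logon.
ALTER USER eseva_app PROFILE eseva_user_profile;
ALTER USER eseva_app PASSWORD EXPIRE;   -- force a compliant password at next logon

-- SESSIONS_PER_USER and IDLE_TIME are resource limits and are only enforced
-- while the RESOURCE_LIMIT initialization parameter is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
```

The password limits of a profile are always enforced, but the two resource limits (concurrent sessions and idle time) need RESOURCE_LIMIT set, which older releases leave at FALSE by default; an auditor checking finding 2 should verify both the profile assignment (DBA_USERS.PROFILE) and that parameter.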
CLOSING MEETING
The meeting ended after three hours and the following were to be put in place to make sure that
there is security in the e- seva:
Everyday new computer viruses are being released and it is essential that business is protected
from these viruses by keeping the anti-virus software up to date. If possible, companies should
look at policies whereby computers that do not have the most up to date anti-virus software
installed are not allowed to connect to the network.
As computer viruses can spread by means other than email, it is important that unwanted traffic
is blocked from entering the network by using a firewall. Sensitive areas within a company's
network should also be further segmented and protected using additional firewalls. For users who
use computers for business away from the protection of the company's network, such as home
PCs or laptops, a personal firewall should be installed to ensure the computer is protected.
All incoming and outgoing email should be filtered for computer viruses. This filter should
ideally be at the perimeter of the network to prevent computer viruses. Emails with certain file
attachments commonly used by computer viruses to spread themselves, such as .EXE, .COM and
.SCR files, should also be prevented from entering the network.
Ensure that all users know to never open an email attachment they are not expecting. Even when
the email is from a known source, caution should be exercised when opening attachments.
Recent viruses have spread because they appear to be from addresses familiar to the user.
Ensure that all files downloaded from the Internet are scanned for computer viruses before being
used. Ideally this scanning should be done from one central point on the network to ensure that
all files are properly scanned.
SECURITY POLICIES FOR E-SEVA PROJECT
Security Procedure Manual
Introduction
Scope
Sanctions
Audit controls procedures
Person or entity authentication
Information access management
Disaster recovery plan
Risk management plan
Appendix A. Confidentiality Declaration
Appendix B. Data Protection Statement
INTRODUCTION
The purpose of this policy is to outline essential roles and responsibilities within the E-seva
community for creating and maintaining an environment that safeguards data from threats to
personal, professional and institutional interests and to establish a comprehensive data security
program in compliance with applicable law. This policy is also designed to establish processes
for ensuring the security and confidentiality of confidential information and to establish
administrative, technical, and physical safeguards to protect against unauthorized access or use
of this information.
SCOPE
This policy applies to all E-seva staff, whether full- or part-time, paid or unpaid, temporary or
permanent, as well as to all other members of the community. It applies to all
information collected, stored or used by or on behalf of any operational unit, department or
person within the community in connection with government operations.
POLICIES
1.1 Sanctions
E-SEVA shall discipline workforce personnel who violate E-SEVA's security policies and
procedures or violate the E-seva Security Rules.
PERSONNEL
IT Manager
Security Officer
Privacy Officer
Human Resources
E-SEVA Workforce Members
System Administrator
Senior Management
PROCEDURES
1. Security Violations That Prompt Consideration of Disciplinary Action.
a) Human Resources may discipline a workforce member, in accordance with the
Discipline and Dismissal Policy of the Privacy Manual, who violates either the
Security Rule or this Manual relating to the safeguarding of information (a
Security Violation).
b) Human Resources may also discipline managers or supervisors if their lack of diligence
or lack of supervision contributes to a subordinate's Security Violation.
2. Investigation of Security Violation.
a) A workforce member who becomes aware of a Security Violation shall promptly
communicate the report to the Security Officer and his or her supervisor or Human
Resources.
b) After receiving a reported Security Violation, the Security Officer or someone
designated by him or her shall determine the facts and circumstances
surrounding the violation, and report the findings to Human Resources.
3. Imposition of Discipline.
Human Resources shall impose sanctions for a Security Violation in accordance with the
Discipline and Dismissal Policy of the Privacy Manual.
4. Reporting of Security Violations.
Failure to report a known Security Violation is itself a Security Violation, because each
workforce member has an obligation to report any Security Violation of which the workforce
member becomes aware to the Security Officer and to his or her supervisor or the Human
Resources Department.
POLICY
1.1 Audit Controls
E-SEVA shall record and examine activity in information systems that contain or use the
electronic database for the purposes of identifying suspect activity, identifying high-risk
activity, identifying security breaches, responding to potential security weaknesses, and
assessing E-SEVA's security program.
IMPACTED SYSTEMS
This policy shall apply to all computer systems that contain or access electronic PHI, including,
but not limited to, network servers, application servers, desktop computer systems, laptops, data
management systems, and server devices.
PROCEDURES
1. Implementation of Audit Control Mechanisms
a) The System Administrator shall ensure that all computer systems that contain or access the
electronic database have in place audit controls for recording and examining activity.
b) The System Administrator shall configure any new computer system received by E-SEVA to
record or examine activity on the system, if not already contained on the new
system. The System Administrator shall not bring this new system online until audit controls
have been established.
2. Activity to Be Logged
System Administrator shall implement software on E-SEVA information systems (including
applications or processes) containing or accessing the electronic database that records system
activity such as logon, logoff, file access, file activity, attempted logons and failed logons,
concurrently with the system activity.
3. Information Logged
The implemented audit control mechanism shall identify:
a. Who or what is accessing data;
b. When the data is accessed;
c. What data was accessed;
d. The activity that occurred (read only, add, delete, modify data);
e. Whether data is accessed by anyone outside of E-SEVA; and
f. Successful and unsuccessful login attempts.
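For an Oracle database such as the one audited above, the activity of item 2 and the six data points of item 3 map directly onto Oracle's traditional audit trail. The SQL below is an added example, not code from the policy, the report or E-seva; the schema ESEVA, the table TRANSACTIONS and the convention that internal hosts end in .eseva.internal are assumptions for illustration.

```sql
-- Added example: Oracle traditional auditing configured to capture the activity
-- listed in procedure items 2 and 3. The schema/table names and the internal
-- host-name suffix are assumptions for illustration.

-- Audit records must go to the database audit trail; EXTENDED also stores the
-- SQL text. Takes effect at the next restart.
ALTER SYSTEM SET AUDIT_TRAIL = DB, EXTENDED SCOPE = SPFILE;

-- Item 2: logon, logoff, attempted and failed logons (one record per session;
-- a failed attempt is a LOGON record with a non-zero return code).
AUDIT SESSION;

-- Item 2 (file/data access) and item 3d (read only, add, modify, delete):
-- BY ACCESS writes one record per statement so each activity is distinguishable.
AUDIT SELECT, INSERT, UPDATE, DELETE ON eseva.transactions BY ACCESS;

-- Privileged actions that can bypass the application's own authorization.
AUDIT DELETE ANY TABLE, ALTER ANY TABLE, GRANT ANY PRIVILEGE BY ACCESS;

-- Item 3: one row per audited event answering a) to f) for the last 24 hours.
SELECT
  username                                    AS who_db_user,        -- a) who (database account)
  os_username || '@' || userhost              AS who_os_user_host,   -- a) what (OS user and client host)
  timestamp                                   AS when_accessed,      -- b) when
  owner || '.' || obj_name                    AS what_data,          -- c) what data
  action_name                                 AS activity,           -- d) SELECT / INSERT / UPDATE / DELETE / LOGON
  CASE WHEN LOWER(userhost) LIKE '%.eseva.internal' THEN 'inside'
       ELSE 'OUTSIDE' END                     AS origin,             -- e) outside E-SEVA? (assumed host naming)
  CASE WHEN returncode = 0 THEN 'success'
       ELSE 'FAILED (ORA-' || returncode || ')' END AS outcome       -- f) successful or unsuccessful
FROM  dba_audit_trail
WHERE timestamp >= SYSDATE - 1
ORDER BY timestamp;
```

The audit trail itself lives in SYS.AUD$, so the "who accessed the data" question is only trustworthy if SYS activity is also recorded; setting AUDIT_SYS_OPERATIONS to TRUE and writing those records outside the database closes that gap.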
4. Respond to System Activity
System Administrator shall promptly respond to any observed or reported suspect
activity. System Administrator should follow E-SEVA Security Incident Procedures with
respect to any suspect activity.
5. Audit Trails.
E-SEVA shall maintain audit trails showing system activity for a minimum of 6 years.
The Security Officer shall be responsible for maintaining the audit trail information.
Audit trail information and reports containing audit trails shall remain confidential. The
audit trail shall contain:
a. The type of event;
b. The User associated with the event;
c. The date the event occurred;
d. The method or program used to access the information system; and
e. The activities undertaken with respect to the data accessed.
6. Review System Activity
a. Security Officer-on-call shall oversee the review of audit trails at least monthly.
b. Security Officer shall review audit trails at least semi-annually in accordance with
the procedures set out in E-SEVA's Security Management Policy.
The System Administrator shall work with the Security Officer in reviewing the audit
logs. Specifically, System Administrator shall identify for the Security Officer any
suspect activity and any potential security weaknesses. Security Officer or Privacy
Officer shall be responsible for determining whether an external review is necessary
for E-SEVA's audit control system.
c. System Administrator shall add automated monitoring software to E-SEVA's computer
systems that contain or access the electronic database, which logs activities within the
computer systems and notifies or alarms security personnel upon detecting any
suspicious activity. The System Administrator shall review and report to the Security
Officer detected suspicious activity.
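The review duties in item 6 and the automated alerting in item 6c need concrete questions to ask of the audit trail. The following Oracle SQL is an added illustration, not E-seva's own monitoring; the table ESEVA.TRANSACTIONS, the application account ESEVA_APP, the internal host suffix .eseva.internal, the business hours and the failure threshold are all assumptions.

```sql
-- Added example: review queries over the traditional audit trail, matching the
-- monthly/semi-annual review in item 6 and the alerting in item 6c. The table,
-- the service account, the host suffix and the thresholds are assumptions.

-- 1. Possible password guessing: 5 or more failed logons for one account from
--    one host inside a 10-minute window during the last 30 days.
SELECT username, userhost,
       MIN(timestamp) AS first_failure,
       MAX(timestamp) AS last_failure,
       COUNT(*)       AS failures
FROM   dba_audit_trail
WHERE  action_name = 'LOGON'
AND    returncode <> 0                -- e.g. 1017 bad password, 28000 account locked
AND    timestamp >= SYSDATE - 30
GROUP  BY username, userhost,
          TRUNC(timestamp) + FLOOR((timestamp - TRUNC(timestamp)) * 144) / 144  -- 10-minute bucket
HAVING COUNT(*) >= 5
ORDER  BY failures DESC;

-- 2. Deletions on the sensitive table by anyone other than the application
--    account (the "deletion without authentication" finding): each row is a
--    DELETE that did not go through the application's authorization path.
SELECT timestamp, username, os_username, userhost,
       sql_text                       -- populated only with AUDIT_TRAIL = DB, EXTENDED
FROM   dba_audit_trail
WHERE  action_name = 'DELETE'
AND    owner = 'ESEVA' AND obj_name = 'TRANSACTIONS'
AND    username <> 'ESEVA_APP'
AND    timestamp >= SYSDATE - 30
ORDER  BY timestamp;

-- 3. Access outside business hours (07:00-19:59) or from a host that is not
--    on the internal network, for the Security Officer's monthly review.
SELECT timestamp, username, userhost, action_name,
       owner || '.' || obj_name AS object_name
FROM   dba_audit_trail
WHERE  timestamp >= SYSDATE - 30
AND   (TO_NUMBER(TO_CHAR(timestamp, 'HH24')) NOT BETWEEN 7 AND 19
       OR LOWER(userhost) NOT LIKE '%.eseva.internal')
ORDER  BY timestamp;
```

Scheduled with DBMS_SCHEDULER and wired to an alert when any query returns rows, these three queries give the "notifies or alarms security personnel" behaviour of item 6c; their output is itself audit-trail information and falls under the confidentiality requirement of item 5.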
Section 1.2: Person or Entity Authentication
POLICY
E-SEVA shall employ technical safeguards to verify that a person or entity seeking
access to the servers is the one claimed. This policy shall apply to all E-SEVA locations. End
Users shall be familiar with this policy.
PROCEDURE
1. Personnel Responsibility
a. Implementation of Procedures. System Administrator shall initiate and oversee the
implementation of the following procedures for person and entity authentication,
either singly or in combination, to authenticate that the person or entity seeking
access to electronic protected health information is the one claimed.
b. Monitoring Access Attempts. System Administrator shall review access logs to monitor
and detect unauthorized access attempts.
2. Person Authentication
a. Person Password Authentication.
i. System Administrator shall assign to each E-SEVA workforce personnel and
any other person that must access the servers stored on E-SEVA's computer
systems each User's unique User ID pursuant to the Access Control Policy.
ii. Users shall select passwords in accordance with the procedures described in the
Access Control Policy.
iii. Each User shall enter a password along with his or her unique User ID to authenticate his
or her identity. A User shall be denied access if the password entered does not
match the password assigned to the User ID entered by the User.
b. End User Responsibility
i. Users shall be responsible for keeping their User IDs and passwords
confidential and are forbidden from sharing their User IDs and passwords with anyone,
unless authorized by System Administrator.
ii. If a User becomes aware that someone has improperly obtained his or her User ID and
password or has improperly accessed E-SEVA's health care operations-related
electronic system through the use of the User ID and password, the User shall
immediately notify the Security Officer or System Administrator. System
Administrator shall promptly disable access rights to that User ID.
iii. If a User's unique User ID and password are improperly used to gain access to the
databases, the User may be subject to discipline in accordance with E-SEVA's Sanctions
Policy, which may include the loss of his or her access rights.
3. Entity Authentication.
a. Entity Password Authentication.
i. System Administrator shall assign to each entity needing access to E-SEVA's electronic
information system containing PHI a unique ID pursuant to the Access Control Policy.
ii. Entities shall select passwords in accordance with the procedures described in the Access
Control Policy.
iii. Each entity shall enter a password along with the unique User ID assigned to it to
authenticate its identity. An entity shall be denied access if the password entered does
not match the password assigned to the User ID entered by the entity.
b. Entity Responsibility.
i. Entities shall be responsible for maintaining the confidentiality of their unique User IDs
and passwords. Entities shall not make E-SEVA's assigned User IDs and their
passwords available company-wide. The unique User ID and password shall only be
provided to those entity personnel with a need to know to perform a service on
E-SEVA's behalf. An entity may lose its access rights for failing to protect the
confidentiality of the unique User ID and password.
ii. If an entity determines that any of its personnel or any other person or entity has
improperly obtained its User ID and password or has improperly accessed E-SEVA's
health care operations-related electronic system through the use of the User ID and
password, the entity shall immediately notify the Security Officer. System Administrator
shall promptly disable access rights to that entity's User ID.
iii. The Security Officer shall determine the proper response to an entity's failure to properly
safeguard its User ID and password. Such response may include a
recommendation to the Chief Operating Officer to deny access rights to the entity or
termination of the business relationship.
4. Two-factor Authentication.
E-SEVA has determined at this time not to require two-factor authentication based
upon its risk analysis and cost/benefit analysis. The Security Officer shall review
this determination on an annual basis to determine whether it is reasonable and
appropriate to implement two-factor authentication.
5. Digital Signature Authentication.
E-SEVA has determined at this time not to require digital signature authentication
based on public key encryption due to a lack of infrastructure support. Security
Officer shall review this determination on an annual basis to determine whether it is
reasonable and appropriate to implement such digital signature authentication.
1.3 Information Access Management
POLICY
E-SEVA shall establish procedures that (i) assign and manage access to electronic protected
Government information in a manner commensurate with the role of each workforce member,
and (ii) are consistent with the Security Rule. This policy shall apply to all E-SEVA personnel.
SYSTEMS AFFECTED
This policy shall apply to E-SEVA's computer systems that contain or access the databases,
including, but not limited to, network servers, application servers, desktop computer systems,
laptops, handheld devices, data management systems, and infrastructure devices.
PROCEDURES
1. Access Authorization
a) The Security Officer shall establish role-based access as set forth in the Access Control
Policy and Workforce Security Policy.
b) The authorization criteria shall include required levels of training and training
certification requirements commensurate with the level of access in accordance with the
Security Awareness and Training Policy. The access level shall be established by either
the Security Officer or his or her designee, and approval may be for a limited period.
Renewal or a change of access level may require full re-evaluation of access needed and
may require additional training.
c) A member of the workforce shall not be authorized to access another workforce
member's client record unless it is for the purpose of treatment, payment, or health care
operations associated with the member of the workforce whose record is accessed.
2. Access Establishment
a) Information Security shall implement the following procedures to ensure appropriate
access and access authorization:
i. Upon hire, each workforce member shall be identified by the security class applicable
to their job functions.
ii. The user department shall ensure that new workforce members complete the appropriate
access request form in order to establish the appropriate level of access and to request
a unique user identification number. The department head of the new workforce
member shall sign the access request form to verify accuracy.
iii. Once approval is obtained and the appropriate access request form has been signed by
all necessary parties, as set forth above, Information Security or the Director on Call will
assign appropriate access.
3. Access Modification.
a. If a workforce member's employment is terminated, or if a workforce member leaves
E-SEVA, or if a workforce member's position is changed so that the workforce member is
performing a different role:
i User department shall notify Security Officer.
ii Security Director and Security Officer-on-call shall implement the procedures set forth in
the Workforce Security of this Manual if the workforce member is being terminated.
iii System Administrator shall modify or terminate access upon instruction from Security
Officer or Director-on-call, as set forth in the Access Control Policy of this Manual.
POLICY
E-seva shall establish procedures for responding to an emergency or other occurrence that
damages E-SEVA's information systems that contain electronic protected personal information,
including implementation of a Data Backup Plan, a Disaster Recovery Plan and an Emergency
Mode Operation Plan.
PROCEDURES
1. Data Backup Plan. The IT Manager-on-call shall oversee the implementation of the
following procedures that provide for the creation and maintenance of retrievable exact copies of
electronic information.
a. Personnel Responsibility. The IT Manager-on-call shall establish specific backup
schedules and procedures for E-SEVAs networks and computer systems.
b. Daily Backups. E-SEVA shall back up all software, applications, files, data, and messages
related to its personal care operations stored on E-SEVA's networks and other information
systems to tape, CD-ROM, disk, or other storage media.
c. Backup Validation. The IT Manager-on-call or his or her designee shall validate the
accuracy, completeness and integrity of the backup performed each night. The IT Manager-on-call
shall act promptly on errors shown by the validation process and shall either resolve
the errors or seek outside technical support to assist in resolving errors in the backup
process.
d. Onsite Storage. The storage media from the previous day or current week shall be stored
onsite in an area secured in a safe. The Security Officer and E-seva Management shall
have the combination to this safe.
e. Offsite Storage.
(i) The Security Officer shall approve an environmentally secure offsite location that
provides adequate security and protection from fire and other disasters for storage of a copy
of E-SEVA's backup media.
(ii) The IT Manager-on-call shall cause to be sent three days per week a copy of the stored
data to the offsite location.
(iii) E-SEVA shall store up to 5 weeks of backup data at the offsite facility.
(iv) The Security Officer and designated administrators for backup and restoration shall be
entrusted with keys and granted passwords to access the offsite storage area.
f. Restoration of Lost Data. For backup data stored offsite, the Security Officer and
IT Manager-on-call shall develop a plan for the retrieval of such backup data. The Security
Officer shall ensure that any necessary backup data is retrieved from the offsite location using
the most expedient means practical in case of a partial or complete system failure.
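The Data Backup Plan above asks for exact, retrievable copies (step 1) and a nightly validation of their accuracy, completeness and integrity (step c). The following is an added example, not E-SEVA's own tooling, of how such a validation can be done mechanically: each backup run writes a manifest of SHA-256 digests, and the validation step compares the live data against that manifest so that a file added after the backup (incomplete copy) or a damaged copy (integrity failure) is reported. The directory layout and file contents are constructed for the demonstration.

```python
"""Backup creation and nightly validation with a SHA-256 manifest.

Added example (not E-SEVA's code). Assumes backups are plain directory copies
and that a MANIFEST.json of digests is written alongside each copy.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, dest: Path) -> dict:
    """Copy every file under source into dest and record size and digest of each.

    The manifest is what the nightly validation checks completeness and
    integrity against; it is written after all copies succeed.
    """
    manifest = {}
    for src in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = src.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)  # copy2 preserves timestamps for later comparison
        manifest[rel] = {"size": src.stat().st_size, "sha256": sha256_of(src)}
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def validate_backup(source: Path, dest: Path) -> list:
    """Return a list of problem strings; an empty list means the backup is exact and complete."""
    problems = []
    manifest_path = dest / "MANIFEST.json"
    if not manifest_path.exists():
        return ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    # Completeness: every file that currently exists in the live tree must be in the manifest.
    source_files = {p.relative_to(source).as_posix() for p in source.rglob("*") if p.is_file()}
    for rel in sorted(source_files - set(manifest)):
        problems.append(f"not backed up: {rel}")
    # Integrity: every recorded copy must still exist and hash to the digest taken at backup time.
    for rel, meta in manifest.items():
        copy = dest / rel
        if not copy.exists():
            problems.append(f"missing copy: {rel}")
        elif sha256_of(copy) != meta["sha256"]:
            problems.append(f"corrupted copy: {rel}")
    return problems


def demo() -> tuple:
    """Constructed scenario: back up a small tree, then damage one copy and add a new file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "live"
        dest = Path(tmp) / "backup"
        (source / "app").mkdir(parents=True)
        (source / "app" / "config.ini").write_text("[db]\nhost=localhost\n")
        (source / "records.csv").write_text("id,name\n1,alice\n")
        create_backup(source, dest)
        clean = validate_backup(source, dest)  # nothing to report right after the backup
        # Simulate media damage on the copy and a file created after the backup ran.
        (dest / "records.csv").write_bytes(b"id,name\n1,al\x00ce\n")
        (source / "new.txt").write_text("added after backup\n")
        dirty = validate_backup(source, dest)
        return clean, dirty


if __name__ == "__main__":
    before, after = demo()
    print("after backup:", before or "OK")
    print("after damage:", after)
```

In practice the validation would run against the previous night's media rather than a temporary directory, and its non-empty result is what step c says the IT Manager-on-call must resolve or escalate.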
2. Disaster Recovery Plan. The Security Officer and IT Manager-on-call shall oversee the
implementation of the following procedures to restore any loss of data in the case of a
catastrophic event such as an emergency, fire, vandalism, system failure, or natural
disaster.
a. Disaster Assessment. Once a disaster has occurred, the IT Manager-on-call shall assess the
effect of the disaster on E-SEVA's personal care operations information system to
determine any lost functionality and loss of data. If the IT Manager-on-call has determined that
data has been lost, the IT Manager-on-call should consult with the Security Officer on
whether to implement this Disaster Recovery Plan.
b. Personnel Responsibility. IT Manager-on-call is responsible for
implementation of this Disaster Recovery Plan and the restoration of any lost data.
c. Notify Administrators. IT Manager-on-call shall notify security personnel of the disaster
and notify the designated administrators for backup and restoration. The administrators
for backup and restoration shall be designated by the Security Officer and the IT Manager-on-
call.
d. Secure Facilities. In the event of a catastrophic event, E-SEVA security
personnel shall immediately ensure that all facilities housing E-SEVA's personal care
operations information systems remain secure under the circumstances. E-SEVA
security personnel shall limit access to facilities to only the following authorized personnel to
assist in disaster recovery:
(i) Security Officer;
(ii) Facilities Manager;
(iii) IT Manager-on-call;
(iv) Administrators for backup and restoration; and
(v) Approved outside vendors to assist in disaster recovery.
e. Password Access. IT Manager-on-call and other administrators for backup and
restoration shall have access to system passwords to perform restores of necessary systems and
data.
f. Onsite Backup Data. The IT Manager-on-call shall ensure that the administrators for
backup and restoration have access to any backup media stored onsite if
necessary to restore software, applications, information and data to E-SEVA information
systems.
g. Systems Architecture and Diagrams. The IT Manager-on-call and
administrators for backup and restoration shall develop and maintain detailed descriptions
of E-SEVA's main system hardware components to help rebuild the system in the event of
disaster. The administrators for backup and restoration shall maintain updated profiles
for each system configuration and maintain lists of installed software, including currently
installed patches, drivers, and O/S distribution media.
h. Offsite Storage. The Security Officer shall determine whether offsite backup files are
necessary.
(i) IT Manager-on-call and/or administrators for backup and restoration shall retrieve all
necessary backup files stored offsite.
(ii) Backup media shall be retrieved so that data can be restored as soon as reasonably
permitted under the circumstances.
3. Emergency Mode Operation Plan. Callier Center Management shall oversee the
implementation of the following procedures to enable continuation of critical
business processes for protection of the security of electronic INFORMATION while operating
in emergency mode.
a. Emergency. For the purposes of this Emergency Mode Operation Plan, an Emergency
shall be defined as an incident that either disables, wholly or partially, or substantially impairs
E-SEVA's personal care operations central computing system or any computer system or
network that contains or allows access to INFORMATION for a period of 48 hours.
e. Backup Servers. If necessary, the IT Manager-on-call shall ensure that E-SEVA's
backup servers containing critical security applications are brought online to safeguard and
continue critical business processes, applications (such as firewalls), and virus protection
software that protect computer systems and networks that contain electronic information.
5. RISK MANAGEMENT POLICY
Overview
Risk management is the ongoing process of identifying risks and implementing plans to address
them. Often, the number of assets potentially at risk outweighs the resources available to manage
them. It is therefore important to know where to apply available resources to mitigate risk in a
cost-effective and efficient manner.
This policy lays the framework for a formal risk management program by establishing
responsibility for risk identification and analysis, security planning for risk mitigation, and
program management and oversight. It is important to note that program management and
oversight is a university-wide responsibility that calls for the active involvement of executive
leadership, departmental management, data stewards, and others with information management
responsibility1.
Policy Statements
1. The E-seva Risk Management Officer (RMO) is responsible for coordinating the
development and maintenance of risk management policies, procedures, standards and
forms for the University.
2. The RMO is responsible for the ongoing development and day-to-day management of the
university's Risk Management Program (Program) for information privacy and security.
3. Organizational Unit heads shall ensure that risk assessments are performed at least once
annually on all computing systems and/or business processes under their unit's control
that involve non-public information, following guidance from the RMO on assessment
method, format, content, and frequency.
4. Organizational Unit heads shall submit the risk assessment results and associated
remediation plans to the RMO for review. Remediation plans shall include specific
actions with expected completion dates, as well as an account of residual risks.
5. The RMO shall advise the Head of Information Services on risk management strategies
and provide periodic reports on Program progress.
Policy Implementation
The RMO is responsible for coordinating the implementation of this policy and for providing
guidance on the interpretation of specific policy requirements.
Definitions
Risk: The potential of harm to the University or its stakeholders.
Risk Assessment: A qualitative or quantitative evaluation of the nature and magnitude of risk to
government information. The evaluation is based upon known or theoretical vulnerabilities
and threats, as well as the likelihood of the threats being realized and the potential impact to
the firm and its stakeholders.
Risk Management:
The process of evaluating and responding to risks to government information for the purpose of
reducing those risks to acceptable levels. Risk management is inclusive of the risk
assessment process, and uses the results of risk assessments to make decisions on the
acceptance of risks or on taking action to reduce those risks.
Checklist for performing Audit
Application Systems Controls
Before the application system is implemented, the auditor has to review whether the
various controls suggested by users have been incorporated in the
application system. The controls which have to be included in the system are
as follows:
Logical Access Controls
1. Does the software allow creation of user-IDs in the same name more than once? Does the
software encrypt the passwords one way and store the same in encrypted form?
2. Does the software display the password as it is keyed in?
3. Does the software lock the user-ID if it is used for 3 unsuccessful attempts to log on to
the system?
4. Does the software force the user to change the password at set periodic intervals?
5. Does the software maintain password history, i.e., does it not allow the same
password to be used again on a rotation basis?
6. Is there any audit trail for the maintenance of user profiles?
7. Does the software have provision to create and maintain user-IDs based on
users' designations and positions held?
8. Can the DBA change others' passwords? If so, is it reflected in the audit trail?
9. If a user-ID record is deleted, does the software delete it physically or logically?
Is the software capable of producing a report of logically deleted user-IDs?
10. Does the software have provision to restrict different menu options to different
user-IDs based on user level (based on designation / powers, etc.)?
11. Does the software have provision for defining access rights to users such as Read Only,
Read and Write, Modify, Delete, etc.?
12. Does the software allow automatic logical deletion of inactive users after a certain
period of time?
13. Does the system enforce a minimum password length of 6 or 8 characters, or as indicated
in the password policy?
14. Can user-IDs be created without passwords?
15. Does the system limit the maintenance of system control parameters to
the privileged user level having sufficient authority only?
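Several of the logical access control questions above (items 1, 3, 5, 9, 13 and 14) describe concrete behaviour an auditor can test. The following is an added example, not code from any E-SEVA application, of a minimal user store that implements those controls: unique user-IDs, one-way salted password hashing, lock-out after 3 failed logons, a password history that rejects reuse, a minimum length (8 is assumed here, as the checklist allows either 6 or 8), and logical deletion with a report of deleted IDs. The store is in memory; a real system would persist it, but the checks an auditor would exercise are the same.

```python
"""Logical access controls from checklist items 1, 3, 5, 9, 13 and 14, as working code.

Added example (not E-SEVA's code). Policy values below are assumptions for the demo.
"""
import hashlib
import hmac
import os

MIN_PASSWORD_LENGTH = 8   # item 13: assumed policy minimum
MAX_FAILED_LOGINS = 3     # item 3: lock after 3 unsuccessful logons
PASSWORD_HISTORY = 5      # item 5: previous passwords that may not be reused (assumed)
PBKDF2_ROUNDS = 100_000   # kept modest so the demo runs quickly


def _hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash (item 1): PBKDF2-HMAC-SHA256 with a per-user random salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserDirectory:
    def __init__(self):
        self._users = {}

    def create_user(self, user_id: str, password: str) -> None:
        if user_id in self._users:                      # item 1: no duplicate user-IDs
            raise ValueError(f"user-ID {user_id!r} already exists")
        self._users[user_id] = {"salt": None, "hash": None, "history": [],
                                "failed": 0, "locked": False, "deleted": False}
        self.set_password(user_id, password)            # item 14: a password is mandatory

    def set_password(self, user_id: str, new_password: str) -> None:
        rec = self._users[user_id]
        if len(new_password) < MIN_PASSWORD_LENGTH:     # item 13
            raise ValueError("password shorter than policy minimum")
        for salt, digest in rec["history"]:             # item 5: reject recently used passwords
            if hmac.compare_digest(_hash_password(new_password, salt), digest):
                raise ValueError("password was used recently")
        salt = os.urandom(16)
        rec["salt"], rec["hash"] = salt, _hash_password(new_password, salt)
        rec["history"] = (rec["history"] + [(salt, rec["hash"])])[-PASSWORD_HISTORY:]

    def login(self, user_id: str, password: str) -> bool:
        rec = self._users.get(user_id)
        if rec is None or rec["deleted"] or rec["locked"]:
            return False                                # same answer for unknown, deleted and locked IDs
        if hmac.compare_digest(_hash_password(password, rec["salt"]), rec["hash"]):
            rec["failed"] = 0
            return True
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_LOGINS:          # item 3: lock the user-ID
            rec["locked"] = True
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id]["locked"]

    def delete_user(self, user_id: str) -> None:
        """Item 9: logical deletion keeps the record so it can still be reported and audited."""
        self._users[user_id]["deleted"] = True

    def logically_deleted_report(self) -> list:
        return sorted(u for u, rec in self._users.items() if rec["deleted"])


def rejects(fn, *args) -> bool:
    """Helper for audit checks: True if the call is refused with ValueError."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    d = UserDirectory()
    d.create_user("alice", "correct-horse-1")
    print("duplicate ID refused:", rejects(d.create_user, "alice", "another-pass-1"))
    for _ in range(MAX_FAILED_LOGINS):
        d.login("alice", "wrong-password")
    print("locked after 3 failures:", d.is_locked("alice"))
```

An auditor answering items 1, 3, 5 and 9 would run exactly these scenarios against the real application: attempt a duplicate ID, fail the logon three times, try to reuse a previous password, delete a user and ask for the deleted-ID report.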
CRYPTOGRAPHY
16. Is there a cryptography/encryption policy for various types of classified information
that travels/gets stored within and outside the E-seva's network(s)?
NETWORK INFORMATION SECURITY
17. Have the network data monitoring tools (e.g., sniffers, datascopes, and probes)
utilized by the product/service been approved by the E-seva's IT Department?
19. Has dial-in connectivity been prohibited on network-connected machines (server
and workstation) except where documented and explicitly approved in writing by
Business Management and the IT Department?
20. Have the remote control products used in a dial-in environment been approved by the
IT Department explicitly?
Backup and recovery
Software
21. Verify if a latest copy of the backup of software (Operating System, RDBMS,
application, etc.) is taken and preserved at the user site.
Data
22. Verify if different types of data backup are taken periodically at specified
intervals as advised by the software developer / vendor.
23. Are there proper records noting the media on which different data backups are stored,
data type, location where it is stored, date of backup, due date for recycle, etc.?
- Check if appropriate parameters are implemented in the operating system of the web
server so that the super user account will lock out if too many unsuccessful attempts
are made across the network, but remain unlocked at the system console.
24. Check if sensitive operating system related executable program files and data files on
the web server are not stored in a public area but in another secure location with auditing
duly enabled.
25. IP routing should be disabled in the web server. Check and confirm this.
26. Ensure that unauthorized ports (e.g., UDP port No. 443) are not allowed inside the
web server. Also, ensure that unnecessary services like ftp, messenger, SMTP, telnet,
etc. are not installed and active on the web server.
27. The facility to shut down the machine should be restricted to the system
console on the web server. Check and ensure this.
28. Access to the floppy drive, CD-ROM drive, etc. should be restricted in the web
server to interactive use only, to prevent these devices from being shared by all
processes on the system. Check and ensure this.
Logs of activity
29. Ensure that auditing is enabled in the web server's operating system and that the
logs are reviewed and authenticated by authorized officials periodically.
30. Check if an audit trail is enabled on the firewall to log the changes made to the
rule base settings and verify whether the logged entries are approved by higher
authorities in the IT Department.
31. Check whether the system administrators are monitoring the logs produced by
the Intruder Detection System (IDS) (an intrusion detection system helps in
recognizing security threats and is capable of scanning packets for vulnerabilities;
it ensures that distributed denial of service attacks are prevented) and escalating
the access violations to the
Database Controls
It is important to ensure the following with reference to databases:
Database is physically secure and free of any corruption
Access to the database is restricted and permitted only to authorized personnel
Referential Integrity of the data is ensured at all times
Accuracy of the contents of the database is verified periodically
Database is also technically verified periodically, in terms of storage space, performance
tuning and backup
Backups of the database are periodically retrieved and ensured that they are in order
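Three of the database controls just listed (freedom from corruption, referential integrity, and backups that are retrieved and confirmed to be in order) can be checked mechanically. The following is an added example, not E-SEVA's own audit script, run against a constructed SQLite database: it uses SQLite's `integrity_check` and `foreign_key_check` pragmas and then takes a backup copy and confirms that the copy is itself consistent and has the same row counts. The schema and the deliberately orphaned row are constructed for the demonstration; the equivalent checks exist under other names on every RDBMS.

```python
"""Database control checks (corruption, referential integrity, backup verification).

Added example (not E-SEVA's code). Uses SQLite from the standard library so it
runs offline; the constructed schema below is a stand-in for a reservation system.
"""
import sqlite3

SCHEMA = """
CREATE TABLE customer(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE ticket(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
                    FOREIGN KEY(customer_id) REFERENCES customer(id));
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two customers, two valid tickets, and one orphan ticket.

    SQLite does not enforce foreign keys unless PRAGMA foreign_keys=ON, so the
    orphan row is accepted silently, which is exactly what the audit must find.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customer VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    conn.executemany("INSERT INTO ticket VALUES (?, ?)", [(10, 1), (11, 2)])
    conn.execute("INSERT INTO ticket VALUES (12, 99)")  # customer 99 does not exist
    conn.commit()
    return conn


def check_corruption(conn: sqlite3.Connection) -> bool:
    """'Database is physically secure and free of any corruption': integrity_check returns 'ok'."""
    return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"


def check_referential_integrity(conn: sqlite3.Connection) -> list:
    """'Referential integrity is ensured': one (table, rowid, parent, fk index) row per violation."""
    return conn.execute("PRAGMA foreign_key_check").fetchall()


def verify_backup(conn: sqlite3.Connection) -> dict:
    """'Backups are periodically retrieved and ensured that they are in order'.

    Takes a backup with the online backup API, then confirms the copy passes its
    own integrity check and that every table has the same number of rows.
    """
    copy = sqlite3.connect(":memory:")
    conn.backup(copy)
    result = {"backup_ok": check_corruption(copy)}
    for table in ("customer", "ticket"):
        n_src = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        n_copy = copy.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
        result[f"{table}_count_matches"] = n_src == n_copy
    copy.close()
    return result


def run_checks(conn: sqlite3.Connection) -> dict:
    """Gather the three checks into one report an auditor can file."""
    violations = check_referential_integrity(conn)
    return {
        "corruption_free": check_corruption(conn),
        "orphan_rows": [(table, rowid) for table, rowid, _parent, _fk in violations],
        "backup": verify_backup(conn),
    }


if __name__ == "__main__":
    report = run_checks(build_sample_db())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report shows the database is uncorrupted and the backup is in order, but lists the orphan ticket; that is the kind of finding the "referential integrity at all times" control is meant to surface before the data is relied upon.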
REFERENCES
1. http://www.isect.com
2. http://www.sas70exam.com
3. Tipton, H. and Krause, M. Information Security Management Handbook, 4th edition.
4. Litchfield, David. Hackproofing Oracle Application Server (A guide to securing
Oracle 9). NGSSoftware Insight Security Research Publication, 10 January 2002.
URL: http://www.nextgenss.com/papers/hpoas.pdf (5 March 2002)
5. Theriault, Marlene and Heney, William. Oracle Security. Sebastopol, CA:
O'Reilly & Associates, Inc., 1998.
OUTLINE
1.1 introduction ............................................................................................................................... 1
information security audit ............................................................................................................... 1
1.1 roles and responsibilities ........................................................................................................... 1
1.2 it security audits ....................................................................................................................... 1
1.3 roles and responsibilities ....................................................................................................... 2
2 planning..................................................................................................................................... 2
2.1 coordination .......................................................................................................................... 2
2.2 it security audit plan .............................................................................................................. 2
opening meeting .............................................................................................................................. 3
executing audit ................................................................................................................................ 4
closing meeting ............................................................................................................................... 8
security procedure manual........................................................................................................... 9
personnel ....................................................................................................................................... 10
impacted systems .......................................................................................................................... 11
section 1.2: person or entity authentication ................................................................................ 12
Person authentication ................................................................................................................... 13
Entity authentication. .................................................................................................................... 14
Two-factor authentication. ........................................................................................................... 15
Digital signature authentication. ................................................................................................... 15
checklist for performing audit ....................................................................................................... 21
cryptography ................................................................................................................................. 22
network information security ........................................................................................................ 22
backup and recovery ..................................................................................................................... 22
references ..................................................................................................................................... 25