Читать книгу Maintaining Mission Critical Systems in a 24/7 Environment - Peter M. Curtis - Страница 39

2.6 Documentation and Its Relation to Information Security

Оглавление

In recent years, there have been critical infrastructure drawings found on unsecured laptop computers, in garbage pails, and blowing around the streets of major cities. These security leaks provide an opportunity for cyber threats to occur and make our national infrastructure vulnerable to people who want to disrupt the electrical grid, or specific critical buildings vital to our national and economic security. Examples of these security leaks include a major banking and finance company’s laptop computer that was found in India with critical infrastructure drawings on it, transportation drawings found in a trash can outside a major transportation hub, and most recently, the New York City Freedom Tower drawings found in the trash. The occurrence of these situations can compromise corporate and national safety and security if these documents fall into the wrong hands. Business officials traveling abroad are also a major target for information theft. Spyware installed on electronic devices and laptops can open communications with outside networks, exposing information stored on them. In the environment we live in today, we need a steadfast plan to secure invaluable information such as critical drawings, procedures, and business processes. The following items should be considered when you are evaluating your internal security:

Security Questions:

1 Have you addressed physical security concerns?

2 Have all infrastructures been evaluated for the type of security protection needed (e.g., card control, camera recording, key control)?

3 If remote dial‐in or Internet access is provided to any infrastructure system, have you safeguarded against hacking, or do you permit read‐only functionality?

4 How frequently do you review and update access permission authorization lists?

5 Are critical locations included in security inspection rounds?

Network and Access:

1 Do you have a secure network between your facility’s IT installations?

2 Do you have an individual on your IT staff responsible for managing the security infrastructure of your data?

3 Do you have an online file repository? If so, how is the use of the repository monitored, logged, and audited?

4 How is data retrieved from the repository and then kept secure once it leaves the repository?

5 Is your file repository available through the public Internet?

Techniques for addressing information security:

1 Enforce strong password management for properly identifying and authenticating users.

2 Authorize user access to only permit access needed to perform job functions.

3 Encrypt sensitive data.

4 Effectively monitor changes on mainframe computers.

5 Physically identify and protect computer resources.

Enhancements that can improve security and reliability:

 Periodic assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems.

 Policies and procedures that:Are based on risk assessments.Cost‐effectively reduce risks.Ensure that information security is addressed throughout the life cycle of each system.Ensure compliance with applicable requirements.

 Plans for providing adequate information security for networks, facilities, and systems.

 Security awareness training to inform personnel of information security risks and of their responsibilities in complying with agency policies, procedures, and practices, performed.

 A process for planning, implementing, evaluating, and documenting remedial action to address deficiencies in information security policies, procedures, or practices.

 Plans and procedures to ensure continuity of operations for information systems.

Recommendations for executive action:

 Update policies and procedures for configuring mainframe operations to ensure that they provide the necessary detail for controlling and documenting changes.

 Identify individuals with significant security responsibilities and ensure they receive specialized training.

 Expand scope for testing and evaluating controls to ensure more comprehensive testing.

 Enhance contractor oversight to better ensure that contractors’ noncompliance with information security policies is detected.

 Update remedial action plans to ensure that they include what, if any, resources are required to implement corrective actions.

 Identify and prioritize critical business processes as part of contingency planning.

 Test contingency plans at least annually.

Maintaining Mission Critical Systems in a 24/7 Environment

Подняться наверх