previous  next  Title  Contents  Index


Practical IT Security: Summary of Chapters 1-8

If you don't want to read any theory (i.e. the previous chapters), then read at least this part before going into the technical guidelines.


10.1 Brief Security Checklist

The following based on the authors experience and a checklist for system security, published by the UK ITSEC scheme [uk1] www.itsec.gov.uk .

  1. Is your software ITSEC or TCSEC (see appendix C) certified? Is it securely configured and installed? Are audits regularly carried out?
  2. Are your passwords secure (easy to guess, regularly changed, use of temporary & default passwords)? Can people see your staff entering passwords on their terminals and PCs? Are screens ever left logged on or unattended, however briefly? Are screens automatically locked after 10 minutes idle?
  3. Is your most valuable data encrypted?
  4. How accessible is your equipment; are PCs or servers anywhere near public areas?
  5. Do your staff wear ID badges? Are your computer areas physically secured? Do you check the credentials of external contractors?
  6. Do you have a machine dedicated to checking against viruses?
  7. Is waste paper binned or shredded? Do you have procedures for disposing of waste material?
  8. What do you do with old computer equipment? Are you sure old hard and floppy discs can't be read by someone else? Do you have a policy for allowing old or used computer components out of the building?
  9. Do you keep backup records? Do you have a system for archiving information? Are the archives kept in a secure environment? Are Restores regularly tested?
  10. Do you have rules about what can and cannot be sent over email and what may or may not be download from the Internet (or BBSs). What procedures do you have for remote logon or support?

Another way of looking at the problem is using the British standards institute [bsi1] list of "key controls":

  1. Information Security Policy Document
  2. Allocation of security responsibilities
  3. Information security education and training
  4. Reporting of security incidents
  5. Virus controls
  6. Business continuity planning process
  7. Control of proprietary copying.
  8. Safeguarding of Company records.
  9. Compliance with data protection legislation
  10. Compliance with security policy.

10.2 Classification Summary

Sensitivity Classes:

Class : Public / non classified data
Class : Internal data
Class : Confidential data
Class : Top Secret data

Availability Classes

Class
Maximum allowed Server downtime, per event 1 Week 1 Day 1 Hour 1 Hour
Available on which Days? Mon-Fri Mon-Fri Mon-Fri 7 Days
During what hours?     07:00-18:00 24h
Expected availability percentage 80% 95% 99.5% 99.9%
  = 1 day/week = 2 hours/week = 15min./week = 10min./week

10.3 Component security checklist

It is suggested that individual components of a system and systems as a whole be analysed according to the following checklist.

I. Assurance: Documentation (Are the system security features well documented for Users and System Administrators Guide to Security, Test & Design documentation). Education: Are users and system administrators educated on secure system usage? Policy: Does a written Security Policy exist? System assurance :- Architecture, System Integrity, Security Testing. Has the system been certified to meet known standards?

II. Accountability/Responsibility : Users shall be accountable for their actions.

III. Access Control

IV. Accuracy

V. Secure data exchange / network communications

VI. Reliability of Service/Availability/Contingency Planning

Notes: Points I-III are based on the TCSEC [tcsec] class C2 (or [itsec] E2 F-C2 - see appendix C), point IV come from ITSEC, point V is based on the ITSEC functionality class F-DX and point VI is based on experience.


previous  next  Title  Contents  Index