
Initial Site Survey Guidelines August 9, 2008

Posted by timsteiner in Information Security.

Initial Site Survey

  • Are passwords difficult to crack?
  • Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
  • Are there audit logs to record who accesses data?
  • Are the audit logs reviewed?
  • Are the security settings for operating systems in accordance with accepted industry security practices?
  • Have all unnecessary applications and computer services been eliminated for each system?
  • Are these operating systems and commercial applications patched to current levels?
  • How is backup media stored? Who has access to it? Is it up-to-date?
  • Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
  • Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
  • Have custom-built applications been written with security in mind?
  • How have these custom applications been tested for security flaws?
  • How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there is a fair amount of homework that should be done. Auditors need to know what they are auditing. In addition to reviewing the results of any previous audits that may have been conducted, there are several tools they may use or refer to beforehand. The first is a site survey: a technical description of the system’s hosts that also includes management and user demographics. This information may be out of date, but it can still provide a general framework. Security questionnaires may be used to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. The respondents are usually asked to rate the controls used to govern access to IT assets. These controls include management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning.

Site surveys and security questionnaires should be clearly written, with quantifiable responses to specific requirements. They should offer a numerical scale from least desired (does not meet requirements) to most desired (meets requirements and has supporting documentation). Both should include electronic commerce considerations if appropriate to the client organization. For instance, credit card companies have compliance templates listing specific security considerations for their products. These measure network, operating system, and application security as well as physical security.

Auditors, especially internal auditors, should review previous security incidents at the client organization to gain an idea of historical weak points in the organization’s security profile. They should also examine current conditions to ensure that repeat incidents cannot occur. If auditors are asked to examine a system that allows Internet connections, they may also want to know about IDS/firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? Could there be an underlying reason (such as faulty firewall rules) that such attempts are taking place on an ongoing basis? How can this be tested?
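One way to turn the log-trend questions above into a repeatable check, as an added example that is not part of the original post or the article it links to: the script parses constructed iptables-style firewall log lines, counts dropped attempts per destination port by day to expose ongoing probing, and flags accepted traffic on ports the stated policy does not allow, which is the faulty-rule condition the text asks about. The log format, the sample lines and the `ALLOWED_INBOUND_PORTS` policy are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed iptables-style firewall log sample (not real traffic).
SAMPLE_LOG = """\
Jan 10 02:11:01 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 02:11:02 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 09:40:17 fw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=443
Jan 11 02:12:44 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 11 14:03:09 fw kernel: FW-ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.11 PROTO=TCP DPT=3389
Jan 12 02:13:51 fw kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 12 11:20:00 fw kernel: FW-ACCEPT IN=eth0 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP DPT=80
"""
# Assumed site policy: the only ports the Internet may reach. An ACCEPT on
# any other port is evidence of a rule that does not match the policy.
ALLOWED_INBOUND_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{1,2}) \S+ \S+ kernel: FW-(?P<action>ACCEPT|DROP) "
    r".*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)"
)

def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            yield d

def drop_trend(events):
    """Dropped attempts per destination port, broken down by day. The same
    port being hit day after day is the 'ongoing attempts' trend to ask about."""
    trend = defaultdict(Counter)
    for e in events:
        if e["action"] == "DROP":
            trend[e["dport"]][f"{e['month']} {e['day']}"] += 1
    return {port: dict(days) for port, days in trend.items()}

def policy_violations(events, allowed=ALLOWED_INBOUND_PORTS):
    """ACCEPTed events on ports outside the policy: candidate faulty rules."""
    return [e for e in events if e["action"] == "ACCEPT" and e["dport"] not in allowed]

def audit(text):
    """Run both checks over a log text; returns (trend_by_port, violations)."""
    events = list(parse_log(text))
    return drop_trend(events), policy_violations(events)
```

On the sample, `audit(SAMPLE_LOG)` reports port 23 dropped on three consecutive days and one ACCEPT to port 3389 outside the policy, which is exactly the pair of findings an auditor would then take back to the firewall rule set.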

Because of the breadth of data to be examined, auditors will want to work with the client to determine the scope of the audit. Factors to consider include: the site business plan, the type of data being protected and the value/importance of that data to the client organization, previous security incidents, the time available to complete the audit and the talent/expertise of the auditors. Good auditors will want to have the scope of the audit clearly defined, understood and agreed to by the client.

Next, the auditors develop an audit plan. This plan covers how the audit will be executed, with which personnel, and using what tools. They then discuss the plan with the requesting agency, and afterwards discuss the objective of the audit with site personnel, along with logistical details such as the time of the audit, which site staff may be involved, and how the audit will affect daily operations. Finally, the auditors should ensure that the audit objectives are understood.

http://www.securityfocus.com/infocus/1697



White Paper: Legal Liabilities of an IT Professional February 11, 2008

Posted by timsteiner in Research.

Tim Steiner

LES 330

12/05/07

White Paper: Legal Liabilities of an IT Professional

INTRODUCTION

As an IT Security Professional your main focus is to provide confidentiality, integrity, and availability (CIA) of sensitive company and client information. This means that the information is only seen by its intended viewer, is not tampered with, and is available when requested (Bell, G. 2001). This can be a daunting task when faced with vast amounts of information that need to be secured. If you overlook something, will you be held liable? What happens if you fail to properly do your job and it results in loss of intellectual property, trade secrets, or your client’s bank account information? Thus, it is important to understand the duty of care that is expected of you as an IT professional in order to avoid legal liability. This is why I have chosen to research the legal liabilities of an IT professional and give a clearer assessment of what standards apply.

OVERVIEW

A professional is defined as a person who “has more than average skills and abilities.” When a professional is sued they are held to a higher standard than an ordinary person because they are expected to know better. Recognized professionals can be sued for malpractice, while ordinary individuals can only be sued for negligence (Professional Negligence, 2007). Furthermore, recognized professionals such as doctors, lawyers, or accountants can be sued for malpractice if they fail to provide a sufficient standard of care and the results are tortious (Malpractice, 2007). Recognized professions require practitioners to meet certain universal requirements, and there is a standard certification process. Because there is no universally agreed upon certification process, there are no clear standards for IT professionals. IT professionals are currently not considered professionals in regards to legal liability and are therefore not subject to malpractice lawsuits.

ANALYSIS

Since IT professionals are not subject to malpractice, only negligence suits can be brought against an IT professional. In order to prove negligence the claimant must show that there was a duty of care owed to them and that the duty of care has been breached (Breach of duty in English law, 2007). The claimant bears the burden of proof to show that a duty of care was owed and that a breach of that duty caused some harm to the claimant. The court uses a test to determine whether the defendant was negligent. This test examines what a reasonable person would have done in the same situation (Roe v Minister of Health, 2007).

Origins

There are several cases that identify the origin of the reasonable person test. In 1837 the famous English tort case Vaughan v. Menlove first used the reasonable person test to decide whether a defendant was liable for negligence (Vaughan v. Menlove, 2007). The 1954 case of Roe v Minister of Health involved proving that a medical professional failed to meet the required duty of care. It was shown that a reasonable medical professional would not have foreseen the subsequent harm, and the defendant was therefore not liable (Roe v Minister of Health, 2007). These cases set a precedent for negligence suits today.

Evolution

Since the inception of negligence cases there have been many critical changes. In 1957, the Bolam test was introduced after the case of Bolam v Friern Hospital Management Committee showed that a higher duty of care is owed by an individual with skills and abilities in excess of an ordinary person (Bolam Test, 2007). This case first identified the professional standard of care (Standard of Care, 2007).

Current Applications

Many of the historical cases mentioned are referenced today in modern negligence cases. Currently, the Bolam test is used to determine whether a doctor is liable for medical malpractice (Bolam Test, 2007). The “hand rule”, or Calculus of Negligence, is used today in the United States to determine the responsibility of a person to take precautions. If the cost to avoid harm is less than the cost of that harm, then the precautions should be taken (Calculus of Negligence, 2007). This clearly applies to IT applications. Many precautions are taken by businesses to prevent information security loss. Under the hand rule, if the cost of preventing information loss is less than the cost of losing that data, then the precautions should be taken.

ASSESSMENT

Clearly many historic cases, although unrelated in subject matter, are applicable to cyberlaw. Furthermore, many of the same rules of law that apply to written contracts also apply to electronic contracts. The liability of an IT professional is similar to that of any professional. An IT professional has more than average skills and abilities in specific areas; therefore the IT professional will be held to a higher standard than an ordinary individual. At this time there is no universal licensing of IT professionals, due to the vast areas of expertise and quickly changing technologies. This is a good thing for IT professionals in terms of legal liability. IT professionals can be held liable for negligence, but not for malpractice, which carries a much more severe consequence.

CLOSING REMARKS

The IT professional faces many challenges to ensure information is C.I.A. while limiting liability. Liability cannot be eliminated, but it can be mitigated by following good information security practices and procedures. If precautions are used effectively and the hand rule is applied, then the risk of negligence is minimal. No policy should be a replacement for good common sense. If the IT professional is actively involved in day-to-day operations and notices something that could result in a security breach, then it should be addressed immediately. Paying attention to details is essential to all professionals and especially important for IT applications where security is key.

REFERENCES

Bell, G. (2001). Information Security Risk & Assessment. Retrieved December 4, 2007, from http://www.sis.uncc.edu/LIISP/slides01/Greg-Bell.pdf

Roe v Minister of Health. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Roe_v_Minister_of_Health

Vaughan v. Menlove. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Vaughn_v._Menlove

Malpractice. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Malpractice

Bolam Test. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Bolam_Test

Calculus of Negligence. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Calculus_of_negligence

Breach of Duty in English Law. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Breach_of_duty_in_English_law
