Wednesday 21 April 2010
By castlebbs on Wednesday 21 April 2010, 21:10
Friday 12 February 2010
By castlebbs on Friday 12 February 2010, 21:57
What are the top 3 most important information security policies a company can have?
This question was asked on LinkedIn and I found it very interesting to read the different opinions given. Based on the answers, I think it is possible to see differences in people's approach to security policies. I found, for example, that by reading the answers you can figure out whether the person is technology-minded or process-minded.
My answer reflects my opinion regarding information security. I think that technology is obviously essential to protect information systems. However:
... technology can be a waste of money. The cursor should be placed somewhere between technology and governance. If it is positioned too near technology, you will experience issues such as these examples:
Well, as you probably understood from reading these few lines, I am more than convinced that security policies are essential. Policies establish, but also demonstrate, governance. I am convinced of the essential need for security policies, but for the right reasons, not to tick a box and have my number of issues decreased when the auditor comes back. That is unfortunately still the main driver for policies, and for information security in general.
My Answer to the question:
What are the top 3 most important information security policies a company can have?
This is actually a very good question, and any security professional has to review policies and needs to prioritize his work. So it makes sense to find out where to start.
I like the work done by Thomas R. Peltier in categorizing policies into three tiers:
Wednesday 3 February 2010
By castlebbs on Wednesday 3 February 2010, 22:33
IBM i is the operating system (formerly known as i5/OS or OS/400) that runs on System i hardware (formerly known as iSeries and AS/400). System i was IBM's mid-range line of computer systems. IBM now offers IBM i on its new range of computer systems: Power Systems.
IBM i is used by many industries and generally hosts the organisation's critical data and applications. Given the classification of the data that is stored and processed on those systems, ensuring a high level of security is paramount.
Mid-range computer systems and mainframes have gained a reputation for being very secure. They are known to be secure by design (compared to Windows and Unix operating systems). This belief is generally shared by IT professionals and auditors. However, few security professionals and auditors are familiar with these systems, and a comprehensive assessment of these systems may be overlooked.
The company PowerTech did a survey of around 200 System i servers (many at Fortune 100 companies). The results are striking. Looking at this report, it seems obvious that the security of those systems should be getting more focus:
What is really interesting is that the vulnerabilities highlighted here are very basic things: trivial passwords, generic accounts, access control, logging/monitoring, no hardening of the security settings, etc. All the remedies that are used on micro-computers and that are now mature should be applied to IBM i as well.
Historically, the only way to access those systems was a dumb terminal. Access control was done by restricting the user's menu on the terminal. There were not many paths to the database or platform (operating system) layers. There was no real need to apply a consistent object-level access control policy, since the only way of accessing the data was through the menu.
With TCP/IP and network connectivity, there are many more points of entry to the data. Ensuring the effectiveness of these controls is obviously more challenging.
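The following is an added illustration, not code from the post or from IBM, of the point made above: a menu restriction is enforced only on the terminal path, while object-level authority is evaluated on every path (terminal, ODBC, FTP, ...). The users, objects, authority names and the `*PUBLIC`/private-authority precedence rule are a simplified, constructed model rather than a description of the real IBM i implementation; it also includes the kind of basic check (objects readable or writable by `*PUBLIC`) that the survey findings call for.

```python
"""Constructed model (not IBM i code): menu-only control vs. object-level authority.
All users, objects and authorities below are sample data made up for this example."""
from dataclasses import dataclass, field

# Authority levels ordered weakest to strongest (simplified assumption).
LEVELS = ["*EXCLUDE", "*USE", "*CHANGE", "*ALL"]


@dataclass
class DataObject:
    name: str
    public: str                                   # authority granted to *PUBLIC
    private: dict = field(default_factory=dict)   # user name -> authority


@dataclass
class User:
    name: str
    menu_options: set                             # objects the green-screen menu offers


def effective_authority(obj, user):
    """A private authority wins when present; otherwise the *PUBLIC authority applies."""
    return obj.private.get(user.name, obj.public)


def can_read(user, obj, path):
    """Return (allowed, reason). The menu check exists only on the terminal path;
    object authority is checked on every path."""
    if path == "terminal" and obj.name not in user.menu_options:
        return False, "blocked by menu"
    auth = effective_authority(obj, user)
    if LEVELS.index(auth) >= LEVELS.index("*USE"):
        return True, f"object authority {auth}"
    return False, "object authority *EXCLUDE"


def audit_public_authority(objects):
    """Flag objects whose *PUBLIC authority exceeds *USE: the 'access control'
    finding the survey describes, detectable from an authority listing alone."""
    return [o.name for o in objects if LEVELS.index(o.public) > LEVELS.index("*USE")]


# Constructed sample: PAYROLL relies on the menu only (*PUBLIC *ALL),
# CUSTOMER uses object-level security (*PUBLIC *EXCLUDE plus an explicit grant).
PAYROLL = DataObject("PAYROLL", public="*ALL")
CUSTOMER = DataObject("CUSTOMER", public="*EXCLUDE", private={"CLERK": "*USE"})
CLERK = User("CLERK", menu_options={"CUSTOMER"})

if __name__ == "__main__":
    for obj in (PAYROLL, CUSTOMER):
        for path in ("terminal", "odbc"):
            print(obj.name, path, can_read(CLERK, obj, path))
    print("public authority too high:", audit_public_authority([PAYROLL, CUSTOMER]))
```

Running it shows PAYROLL denied on the terminal path but readable over ODBC, while CUSTOMER is governed the same way on both paths.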
One conclusion that can be reached from reading this report is that most organisations are clearly in breach of their own security policies when it comes to the security of their IBM i systems. I believe that almost all Fortune 100 companies have information security policies. They just forgot to enforce them on their most critical systems!
This highlights the importance of having sound data classification policies (ISO/IEC 27002 7.2.1, CobiT PO2.3). The results of this study show clearly that an inappropriate security level is applied on many of the IBM i systems assessed during the survey (I assume that they process critical data). Implementing a classification and handling policy forces the company to identify where its critical data is, so it is less likely that an information system is overlooked by security professionals, and it helps auditors define their risk-based audit strategy.
Regardless of the technology used (mid-range computers, mainframes, micro-computers), the level of security has to be applied in proportion to the value of the data to be protected. Most companies have patch management procedures, hardening guides and vulnerability management programs, but surprisingly enough, these often do not apply to mid-range systems and mainframes.
Friday 18 September 2009
By castlebbs on Friday 18 September 2009, 23:02
Following a question on the CISSP mailing list about the risks of virtual server deployments spanning security zones, here is the answer I posted:
Monday 4 May 2009
By castlebbs on Monday 4 May 2009, 13:24
Saturday 19 April 2008
By castlebbs on Saturday 19 April 2008, 01:42
I subscribed to the professional network linkedin.com. It is the first time I have registered with this kind of website, and I have to say that I found it useful for security professionals. First, you can get in touch with experts in information security by joining security groups or inviting friends of friends. I also like the questions and answers section. You can ask questions or contribute answers on high-level security topics, and since the people who answer the questions get a rating, high quality answers are often provided on very interesting IT security topics.