Security Policy – Operational and Communication Aspects

Documentation of Procedures

All operations concerning the processing of information must be documented. This applies to planned processing (batches), system shutdowns and restarts, and data backup procedures.

In addition to the everyday operations to be carried out, these procedures must specify:

• the instructions in case of error
• start-up conditions
• what to do with the output (listings, printouts, etc.)
• …

The procedures are updated by the IT manager and saved in specific, easily accessible locations. The employees concerned must know about these procedures and follow them.

The attached section is optional but important for organisations that use servers. Nevertheless, documenting at least the backup procedure still applies in all other cases.

Applying Security Measures To:

• File Servers
• E-mail Servers
• potentially to describe the installation of new computers and laptops (‘Ghost’)

Directly Associated Organisational Measures:

• Organisation of Security
  • Attribution of Responsibilities

Separation of Environments

It is preferable to separate devices that deal with software development activities or test activities from those on which products in relation to production are installed. This separation aims to limit the risk of modifications to actual data. The use of production data located in test environments (which tend to be less well protected) is not recommended. In particular, if critical data (Confidentiality), trade secrets or personal data is processed there.

Applying Security Measures To:

• Servers that run applications (accounting, Customer Relationship Management, Stock Management, etc.) if the organisation is making or testing developments.

Directly Associated Organisational Measures:

• Classification and Monitoring of Resources
  • Classification of and responsibility for resources
• Compliance
  • Protection of operational data
  • Personal data protection

Outsourcing of Resource Management

Concerning resources managed by external companies, it is important to first assess the organisation’s critical security points and indicate the specific management measures in the service agreement. Here, we talk about ‘outsourcing’ or ‘facilities management’.

Applying Security Measures To:

• Computers and servers that are managed by external companies. In the case of remote management, it is very important to provide specific terms for access controls (see External connections).

Protection Against Malware

An attack by a virus or other malicious software is one of the most likely risks for any computer user. They can infiltrate the ‘organisation’ through removable devices, such as, in particular, USB flash drives and e-mails.

The organisation’s computers and servers must be equipped with antivirus software. The IT manager is responsible for installing these tools on each device and ensuring they are always up to date. This concerns both the users’ workstations and the servers (see security measures for file servers and security measures for e-mail servers).

On the other hand, numerous measures must be respected by users to avoid compromising security. It is prohibited to:

• prevent the antivirus tools from running (deactivating them, reconfiguring them, turning off updates, etc.);
• install software that has not been approved by the IT manager (SMEs: see Use of unapproved software);
• launch programs or files received by e-mail sent unsolicited to the recipient, even if they know the sender (SMEs: see Social engineering/Inadequate communication and Handling malicious codes). Such e-mails must be destroyed, and advice may be requested from the IT manager.

Incoming e-mail verification tools deal not only with viruses, but can also eliminate potentially dangerous attachments (executables, scripts, macros).

Applying Security Measures To:

• File servers
• E-mail servers
• Computers connected to the Internet
• Laptop computers

Behavioural Measures:

• Malicious software – best practice
• E-mails
• Removable devices
• Malicious websites

Directly Associated Organisational Measures:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Human factors
  • Training and information
  • Response to incidents and security malfunctions
• Operational and communications aspects
  • E-mail
• Access control
  • Access control policy
  • Use of external networks
  • Separation of networks
• Development and maintenance of systems
  • Management of technical vulnerabilities
• Management of security incidents
  • Reporting information security events
  • Incident management and improvements of information security
• Managing business continuity
  • Operational continuity

Technical Measures:

• Antivirus
• Firewall
• Network segmentation
• Patches
• Backups
• Cryptography

Data Backups

It is essential for an organisation to back up their data and their specific, or specifically configured, software. A disaster (fire, flood) or, more commonly, a hard drive problem could easily destroy all information (SMEs: see Fire and Failure of IT or communications equipment and Hardware damaged during transport).

In the event of a large disaster, equipment that has been destroyed can usually be replaced; however, it is often impossible to reproduce lost data, which may lead to a company’s closure.

Backing up important or crucial information (classification) should be done regularly with respect to the level of importance of the organisation’s activities.

The backup cycle can take place at three levels, depending on the type of information. A daily backup on a device that is reused weekly (Monday’s backup erases the backup from Monday of the previous week, for example). A weekly backup with a cycle of four to five weeks. A monthly backup with an annual cycle. The weekly backup can be turned into a monthly backup once a month (the last day of the month). The last annual backup is archived ‘indefinitely’ in case of legal requirements.

The weekly and monthly backups must be stored in a specific location that guarantees the same security conditions as those used in the security perimeter, if possible at a remote location.

Unused devices must be erased or destroyed. This applies to all media whether digital, paper or otherwise (SMEs: see Disposal and Device recovery and Aggravated theft).

Data backups can also be useful in the event of human error (SMEs: see Human errors), to restart the IT system from a previously reliable position. A data recovery procedure is necessary in this case and, additionally, it will allow you to test the procedure. The procedures should be tested annually.

Applying Security Measures To:

• File servers
• E-mail servers
• Computers connected to the Internet
• Laptop computers

Directly Associated Organisational Measures:

• Organisation of security
  • Attribution of responsibilities
• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Physical and environmental security
  • Physical security perimeter
  • Off-site equipment security
• Operational and communications aspects
  • Documented procedures
  • Device security during transport
• Access control
  • Access control policy
  • Access rights management
• Managing business continuity
  • Operational continuity

Technical Measures:

• Data backups

Device Security During Transport

When transporting or sending devices containing the organisation’s data, it is important to take the following measures into account, depending on the level of importance of the data (SMEs: see Hardware damaged during transport):

• use specific packaging (which leaves traces of forced opening)
• use a briefcase with a combination lock
• have a member of the ‘organisation’ transport the delivery
• encrypt the data

Applying Security Measures To:

• The transportation of backups
• Communication by e-mail
• Communication by Internet (FTP, etc.)

Organisational Measures:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Development and maintenance of systems
  • Use of encryption

Technical Measures:

• encryption

E-mail

E-mails that are transmitted across the Internet can in no way be considered a secure means of communication. This is because the e-mail may be accidentally sent to a wrong recipient, or be edited or read by a third party. As a result, any operation for which the ‘organisation’ is responsible would be better confirmed by an additional means (telephone, letter, fax, etc.). This would prevent recipient error or changes to prices or quantities on orders, for example (Good E-mail Practises).

Avoid sending confidential information by e-mail. If applicable, use an approved encryption tool with your correspondents.

The organisation’s messaging system is intended for professional use. Moderate personal use may be tolerated. The user is held personally responsible in the case of the criminal use of tools. Please note that, in response to traceability restrictions, it is possible that part or all of the messages exchanged by members of the ‘organisation’ will be saved (SMEs: see Misuse of the organisation’s resources).

Applying Security Measures To:

• E-mail servers
• Computers connected to the Internet
• Laptop computers

Behavioural Measures:

• Best practice concerning e-mail

Directly Associated Organisational Measures:

• Classification and monitoring of resources
  • Classification of and responsibility for resources
• Human factors
  • Training and information
  • Response to incidents and security malfunctions
• Operational and communications aspects
  • Protection against malware
• Access control
  • Use of external networks
  • External connections
  • Login procedure
• Development and maintenance of systems
  • Use of encryption
  • Electronic signatures
• Management of security incidents
  • Reporting information security events
• Compliance
  • Intellectual property
  • Protection of operational data
  • Personal data protection

Technical Measures:

• Encryption