Information security

Course

This course concentrates on improving information security in small enterprises. The target group is enterprises that have no information security improvement plan and whose resources are not adequate to improve the technical level of their information security. The course covers the protection of the enterprise's physical facilities as well as data protection. Improving the security of computer devices is also included. The course introduces naming conventions for files and folders and data backup operations for workstations, PDA devices and software. The course aims to provide cost-efficient aids for information security improvement that are easy to manage and applicable in particular to small enterprises.

Objectives

After completing the course the student will be able to
- understand the significance of information security
- map, plan and implement information security in a small enterprise, in cooperation with the company personnel and experts

Credit units: 2 ov / 3 op; ask your teacher about ECTS.

Completion: Passing the course requires studying the material, completing the exercises and answering the feedback query.

Assessment: Ask your course lecturer about the assessment in your school.

The course material is produced by Pauli Koskinen (Jyväskylä Vocational Institute) and the project groups of the Oili and Mylly projects (University of Jyväskylä, ITRI).

1 What is information security?

Enterprises need many kinds of information in their operations, for example the knowledge of their personnel and various data written on paper and saved on information systems. Access to correct data must be assured in order to guarantee that the company can function. Thus, information security means studying the company operations from the information systems point of view.
Information security is a much bigger issue than the personal information security of an individual or the use of technological devices, such as virus protection or a firewall, to protect computer data. Information security at the enterprise level is easier to grasp in parts. In larger enterprises the partition of information security can follow the general information security classification, while small enterprises can use a more compact partition.

Through this course we will follow information security improvement in an example company. At the beginning of each section the side-by-side trainer Tiina will introduce the implementation of the phase.

Example company scenario: Becoming aware of information security

The company CEO had read a newspaper article about the significance of information security and its typically low status in small enterprises. The company had previously had a vocational trainee, who had given the personnel side-by-side training in using email. Now the CEO proposes that Yrjö could contact the school and ask whether the next vocational trainee could concentrate on the company's information security. The school provided an enthusiastic information technology student, who wished to study the Information security web course and complete her vocational training period in the company.

More information
- The office of the Data Protection Ombudsman: http://www.tietosuoja.fi/1560.htm (in English)
- A direct hyperlink to a data protection guide (in Finnish): http://www.tietosuoja.fi/uploads/zg5sofwogs.pdf

1.1 The significance of information security

Neglecting information security can cause data loss or data falling into the hands of competitors. Thus, information security is an essential part of the company's information systems and other operations. Ignorance of information security can have very severe and far-reaching results; therefore information security risk assessment and preparation is a major issue.
Realization of an information security risk can, in the worst case, leave the company unable to function, cause a significant loss of work already done and major financial damage. The company closing down is an extreme result.

Getting compensation through the courts requires that the company has taken concrete actions to protect its business secrets. Otherwise it is extremely difficult to get any compensation for the financial losses suffered. Unless the company takes concrete actions to protect its business secrets and other important data, it has no protection against business espionage, breaches of business secrets and malpractice. Concrete actions can be, for example, having an information security plan and related instructions, and adequate personnel training in the information security practices, with appropriate written secrecy regulations when needed.

Information security risks can be prepared for by mapping the possible risks, making an information security plan, being committed to following the plan, keeping the plan and its instructions up to date and training the personnel in the information security practices.

More information (in Finnish): http://www.internetopas.com/yleistietoa/tietoturva/

1.2 Improving the information security

Information security improvement is a continuous process that begins with an assessment of the company's information security. The assessment method can be, for example, information security mapping. After mapping the risks, the adequacy of the risk preparation is defined. Previous actions and actions planned for the future are collected into an information security plan. This plan covers all systematic actions the company uses in preparing for the realization of information security risks. The aim of the plan is to increase the information security of the company.
Due to changes in the business environment and the continuous development of new technologies, information security improvement must also be continuous. The risks and the sufficiency of the risk preparation must be evaluated systematically and continuously. Even an environment that has previously been secure can be confronted with a new and sudden hazard that requires immediate action. New risks, and the changes they cause to the company's information security practices, are added to the company's information security plan. The information security plan and its systematic use in practice prove that the company has taken concrete actions to secure its important data, if an information security risk is realized.

The improvement of the company's information security must be systematic. The improvement process can be as follows:

[Figure: The information security improvement process. Phases: Needs risk assessment (a new risk is identified; what to do? immediate action) -> Risk assessment: information security mapping (what can happen?) -> Risk preparation: information security plan (what can be done? avoid the risks) -> Information security practices (implement the planned practices). The mapping completes the plan.]

1.3 Information security areas

Information security can include several different areas, and particularly in larger enterprises it is essential to acknowledge all of them. The following general classification can be used when improving information security. Each category is followed by examples.
Administrative information security: Information security assessments and the information security plan, planning the instructions and training, integrating the information security practices into daily business operations.

Personnel security: Secrecy agreements, substitution practices, external personnel, working arrangements during holiday seasons, practices related to the beginning and ending of an employment, for example removing user rights.

Physical security: Door locking, access control, fireproof cabinets, electricity backup for the computer system.

Network security: Protecting the telecommunication cables and devices from hacking and break-ins, fail-safety of telecommunications, security in distance work, mobile connection security, tracking of break-in attempts, firewalls.

Computer security: Functionality assurance with service agreements, authorized personnel for service and maintenance, acquisition of new devices and withdrawal of old devices.

Software security: Security updates for operating systems and browsers, virus protection, user rights administration.

Data storage security: Data protection, security of portable media (diskette, CD, memory stick etc.), storage of files, documents and other data, backups, archiving, keeping copies, destroying data in a secure manner.

User security: Appropriate management of user names and user rights, and consistent actions and practices according to the information security instructions and plans.

More information (in Finnish):
- Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, Valtiovarainministeriö, http://www.vm.fi/tiedostot/pdf/fi/90727.pdf
- PK-yritysten tietoturvaopas; Yritysturvallisuus EK, http://www.ek.fi/ytnk/pdf/tietoturva.pdf, Appendix 5

1.4 Information security areas in a small enterprise

For small enterprises the general information security classification can be too complicated and difficult to understand.
By combining categories and renaming them to suit smaller enterprises, the above categorization can be tailored to better serve the needs of small enterprises. This simplified classification is used in the information security mapping and planning presented in this course material. The relations between the general classification and the simplified classification are as follows.

Daily business operations (general classification: administrative information security, personnel security, user security): Preventing information security accidents caused by human actions. Improving the information security of daily practices by training and instructions. Users' practices with information systems and system security as a part of daily business operations.

Physical facilities (general classification: physical security): Physical protection of the company facilities and data processing from unauthorized use, data loss and fire.

Data (general classification: data storage security): Storage, processing, identification, archiving, backup and backup storage of files, documents and other data media.

Hardware and software (general classification: network security, computer security, software security): Security of computer devices, networks and software. Assuring functionality with contracts, virus protection and a firewall.

2 Information security risks

Information security risks disturb the normal business operations of a company. The most common risks are caused by human errors. Information security problems are often due to carelessness, lack of understanding, lack of skills, faulty implementation of information systems and wrong user operations. Realization of an information security risk can, in the worst case, leave the company unable to function, cause a significant loss of work already done and major financial damage. The company closing down is an extreme result.
The risks are prioritized according to their possible consequences, and the prioritization can be done by making an information security mapping.

Situation at the example company: Risk assessment

The company started to consider factors that could be risks to the company operations. The risks were first identified from the customer's point of view. If the specifications of an ordered item were lost or damaged, the company could not deliver the product on time. This would have a negative impact on the company image.

More information (in Finnish):
- PK-yritysten tietoturvaopas; Yritysturvallisuus EK, http://www.ek.fi/ytnk/pdf/tietoturva.pdf
- Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, Valtiovarainministeriö, http://www.vm.fi/tiedostot/pdf/fi/90727.pdf

2.1 Risk examples

What kinds of information security risks are there in companies? Possible risks can be exemplified with concrete cases. The following list describes some typical information security risks and their consequences. An example of the possible consequences is given in parentheses.

* The company's real estate burns down in a fire. (All written data and data saved on computers are lost. All planning and design must be started from scratch.)
* A computer that contains important data is stolen. (A marketing plan saved on the computer disk is lost.)
* The entrepreneur's mobile phone is lost. (The contact information saved on the phone is lost.)
* The most important employee moves to a competitor. (Research and development knowledge is lost to the competitor.)
* An important design falls into a competitor's hands. (The competitor exploits the design work.)

Why are information security risks not prepared for in time? Companies often acknowledge their information security risks too late, in the worst case when the accident has already happened. Why do companies not react to their risks earlier?
Possible causes are:
- the information security risks are not acknowledged, or their realization is not seen as probable
- the risk damage cannot be predicted and its extent cannot be evaluated
- the importance of continuous personnel training and instructions for avoiding the damage is not acknowledged
- the consequences of data misuse are not acknowledged, or their extent cannot be evaluated

2.2 Risk assessment

Risk assessment is an important step in the systematic improvement of information security. The assessment helps to find the vital company information and information systems and to evaluate their significance. Usual risk assessment tools and methods can also be used in finding information security risks. The risk assessment aims to answer the following questions:
- What can happen?
- Why?
- What are the possible consequences?
- How big is the risk?
- Which risks are the greatest?

Information security risk assessment means systematic actions that are taken to identify the information security risks and their probabilities and to estimate the possible consequences if the risks are realized. The company management should make information security improvement a part of the usual management operations. In practice this means:
- taking care of the resources for information security mapping and planning
- assuring the implementation of the practical actions according to the plan
- making the personnel and other partners committed to the information security plan and its activities by providing adequate instructions and training
- considering the prerequisites of information security in the future as well

External consultants may be needed for making the information security mapping and plan and for the practical implementation of the planned activities. Company personnel have valuable expertise in identifying the information security risks and finding the means to prepare for them.
2.3 Other assessment methods

Several methods can be used in risk identification, even in parallel when necessary. When selecting a method, its ease of use and applicability to the company's needs should be considered. Common methods are based on dividing the target into smaller parts; the risks are then identified one part at a time. Checklists and keywords are often used to facilitate risk identification. Such methods for risk analysis are for example:
- Checklists
- Potential problem analysis
- Scenario based risk analysis
- Vulnerability analysis

Checklists are used to consider whether a risk is related to the company operations or not. A checklist is a good tool for identifying the risks at a high level and for localizing the problematic items. Checklists can be used as a memory aid when the impact of each risk is estimated. Checklists are never complete, so their coverage of company and environment specific risks should be carefully analyzed.

Potential problem analysis is carried out in two phases. In the first phase a brainstorming session is arranged to search for and acknowledge possible problems and hazards. In the second phase the reasons for the possible hazards are identified and risk estimates are defined. The adequacy of the current precautions is assessed and improvement actions are developed when needed (figure 1). For a successful analysis an external consultant is recommended. Risks can be classified for example in the following way: 1 (minor or insignificant risk), 3 (average or probable risk) and 5 (big or very probable risk). The time spent on risk estimation neither increases nor decreases the risk itself. Thus, do not use too much time on risk estimates.

Object: __________________  Analysis date: ___________
Authors: __________________  Report: _________________

Columns of the form: Hazardous event | Consequences | Risk | Current precautions | Improvement suggestions / additional questions

Figure 2. Potential problem analysis form.
Scenario based risk analysis starts with describing potential hazardous events. Knowledge of previous information security hazards or near misses is a good starting point.

Vulnerability analysis aims at defining the ways to carry on the usual operations after a hazard has happened. A risk database can be used to examine different parts of information security and to identify the hazards related to the company operations.

More information (in Finnish):
- The guide Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi valtionhallinnossa, http://www.vm.fi/tiedostot/pdf/fi/53827.pdf, treats the subject in more detail. A more detailed description of the POA (potential problem analysis) method, with its risk analysis forms, is presented in Appendix 3.
- More information about risk analysis methods is also available at http://riskianalyysit.vtt.fi/
- Risk management in SMEs: http://www.pk-rh.com/ and http://www.pk-rh.com/show_doc.asp?ID=443

2.4 Risk management

Risk management should start from the risks estimated to be the biggest and extend to the other risks if possible. Risks can be managed in several ways, but not all risks can be removed. It is recommended to consider the time and money spent on insurance and other risk reduction activities. The central risk management activities are (with examples):

Risk avoidance: A single risk can often be avoided only by refraining from the risky activities. (Access to the company's research and development facilities can be restricted to authorized personnel only. This prevents external persons from filming new products before their launch.)

Risk removal: A single risk can possibly be removed, but a new risk can follow from it. (New user names and passwords are required for accessing a certain information system. Users cannot remember all their user names and passwords by heart and thus keep them on a post-it note near their desks. Compare: the user has only one user name and password for all information systems.)
Risk reduction: Risk reduction should aim at preventing the harm or reducing the consequences of the risk. (A company practice was that the last person to leave the office in the evening closes the doors. Sometimes the outer door was left open. A new practice was introduced, according to which a guard closes the doors at 5 pm. The guard checks that the offices are empty and the lights and coffee machine are switched off. He also turns the alarm on.)

Risk transfer: A risk can be transferred, for example, by making a contract or purchasing insurance. (The risk of server breakdowns can be transferred to a service provider by making a maintenance contract that also covers the costs following from a server breakdown.)

Risk retention: Risk retention means accepting the possible consequences. (The maintenance service covers only one of the company computers, because it holds the most vital information. The money saved by leaving the other computers without a maintenance service can be used to purchase a new computer every year. The company accepts the risk that service may be needed.)

2.5 Test your information security knowledge

In this exercise you can check how well you remember the issues presented in this and the previous section. This is a multiple-choice question, for which you get feedback immediately. You can do the exercise as many times as you wish. Start the exercise here (opens in a new window).

3 Information security mapping

Information security mapping is a method for assessing the precautions taken against information security risks. It is used to map the events that could disturb normal company operations. Such events can be, for example, different faults, fires, water damage, thefts, mistakes and vandalism. In this method it is recommended to divide information security into several parts. This material uses an information security classification for small enterprises that includes daily activities, company facilities, data, and hardware and software.
When the information security risks of a company have been mapped, an action plan is built. This plan is called the information security plan.

Situation in the example company: Mapping results

Data: To begin the mapping, the company data that is needed was gone through, including both paper documents and files in electronic form. Customer specifications were identified as vital information. Some of these specifications arrive via e-mail, but often they exist only on paper. The papers are kept in folders arranged by month on the office bookshelf.

Hardware and software: The mapping also considered the office computer and its age. The operating system had grown old and updates had not been made for a while. Virus protection software was installed, but it was found that the software provider no longer provided updates for that software.

Practices: The office computer is mainly used by the executive director for invoicing, payroll computing and order processing.

Facilities: The company facilities were found to be rather well protected. Door locking and alarm systems were in order, as there are valuable machines and devices in the building.

3.1 Mapping establishment

The first phase in improving the company's information security is to comprehensively map the security risks that can cause harm to the company (see the figure on improving information security).

[Figure: Risk assessment by using the information security mapping. Phases: Needs risk assessment (a new risk is identified; what to do? immediate action) -> Risk assessment: information security mapping (what can happen?) -> Risk preparation: information security plan (what can be done? avoid the risks) -> Information security practices (implement the planned practices). The mapping completes the plan.]

In making the mapping it is recommended to use the expertise of the company personnel, as they have the best knowledge of the company practices, facilities and data. They can often best assess what kind of consequences possible hazards could have.
The security improvement actions concerning these three areas (company practices, facilities and data) are often very concrete, easy to understand and do not require complicated technical solutions. The fourth area of information security, hardware and software, can in turn require advanced ICT skills. In many companies separate instructions or an external IT consultant are needed, at least in the initial phase.

The risk management methods described in the previous sections can be used in establishing the information security mapping. This material includes questions that aim to facilitate discussion of the information security areas in the company and their significance for securing the company operations. The following section considers the information security mapping in more detail. Risks are classified into the four categories presented above, and their special characteristics are discussed.

More information (in Finnish): http://www.tietoturvakartoitus.com

3.2 Daily business operations

The improvement target in daily business operations is to consider information security in all daily practices. The prime target is to prevent hazards that are due to human actions. Training, guidance and instructions are used to improve the personnel's daily practices, and thus to improve the information security of usual business operations. Risks related to daily business operations are often due to exceptional situations, for instance holiday seasons and substitutions. Inadequate instructions and training, ignoring data backup, ignoring the protection of physical facilities and sending or handing data to unauthorized persons can cause severe harm to the company.

Issues to be considered are for example:
- Is the familiarization of new personnel adequate?
- Are changes concerning information security always communicated to the personnel and interest groups?
- Do all employees know their responsibilities and obligations concerning information security?
- Are information security training and instructions up to date?
- Who is the information security contact person?
- Who is responsible for improving information security?

In the table below two risks are identified and their priorities and consequences are estimated. The precautions taken have been defined and the need for new security practices is evaluated.

TABLE: Examples of information security mapping concerning daily business operations (columns: Risk, Priority, Current precautions, Timetable, Person in charge, Actions)

Risk: An email password leaks to an unauthorized person.
  Priority: Severe: a possible abuser can read and send mails.
  Current precautions: No precautions taken; needs improvement.

Risk: An email containing important information is accidentally sent to the wrong person.
  Priority: Very severe: for example design information can end up with a competitor.
  Current precautions: Difficult to prepare for, but in any case something should be done.

3.3 Company facilities

The majority of a company's data processing often takes place in the company facilities. Considering the facilities from the security point of view includes observing the personnel's access to the data. Possible restrictions needed for external persons are also considered.

Issues to be considered are for example:
- Should access to the company facilities be restricted? Facilities for example for research and design, financial matters, human resource development and computer servers may need restricted access.
- If access is to be restricted, it is recommended to consider the following issues: How is the restriction implemented? Is access allowed only for particular person(s)? Can external persons access the facilities? Can an external person stay in the facilities without an employee?

Reasons for access restrictions can be, for example, privacy protection or business secrets. Such matters can be data about personnel, salaries or prices. Also the features or looks of new products may need protection, for competitive reasons.
In this case it is necessary to consider who needs this data or information and from whom it is protected. In the table below two situations are described where access to the company facilities can be an information security hazard.

TABLE: Examples of information security mapping concerning company facilities (columns: Risk, Priority, Current precautions, Timetable, Person in charge, Actions)

Risk: An unauthorized person has access to the office computer.
  Priority: Severe: the computer contains private information.
  Current precautions: Usually the door is locked, but there is a need for improvement.

Risk: Break-in into the production facilities.
  Priority: Severe: there are important and valuable machines and devices.
  Current precautions: Well prepared.
  Timetable: -
  Person in charge: -

3.4 Data

The company operations are considered from the point of view of secure data processing, storage and destruction. Typically the risks are the loss or disappearance of files, plans or other documents. It can be accidental, due to faulty devices or a lack of backup data. Using old versions can cause harm if there are no practices for naming, archiving and destroying the files. The same problems are encountered with paper documents.

Risk priorities are estimated by considering the harm caused by each hazard, for example:
- disappearance or destruction of a design or a plan
- disappearance or breakage of a computer, software or mobile phone, and the data loss that follows

To the appropriate extent also fire, water damage, theft, business espionage and hacking should be considered as possible hazards. Often the precautions taken against these hazards improve the security of the facilities as well.

In the table below there are examples of problems related to data disappearance. The second example in the table is caused by a lack of archiving practices. Fortunately, in both examples serious harm has been avoided.

TABLE: Examples of information security mapping concerning data security (columns: Risk, Priority, Current precautions, Timetable, Person in charge, Actions)

Risk: Product specifications attached to an order are destroyed or disappear.
  Priority: Very severe: without the specifications the correct product cannot be produced.
  Current precautions: In addition to usual carefulness, no particular precautions taken. Needs improvement.

Risk: New product designs are to be presented to potential customers, but the files are not found on the computer.
  Priority: Rather severe: does not convince the customer too much, and the customer can be lost.

3.5 Hardware and software

The majority of companies' data processing is done using computers, networks and software. Therefore the security of hardware and software is highlighted. It is essential to take care of data accessibility, accuracy and storage.

Hardware and software risks are often related to changes in and disappearance of data. Typically, inadequate virus protection or the lack of other protection can cause data changes in databases or on web sites. The company image can suffer from such virus or hacker attacks. Devices may break, which can cause the loss of data or software that has not been backed up. In the worst case the software and its license have to be purchased again. Mobile phones also contain important information. If the phone breaks or gets stolen, the contact information and other data saved in the phone over the years is lost.

Changes in and disappearance of vital data always cause extra work and unnecessary costs. Often the harm can be avoided with very small precautions, such as more secure practices and instructions. The extra working time and costs caused by the breakage are often forgotten when estimating the risk priorities. More and more often work is stopped because of hardware and software malfunctions.

In the table below the first example describes how the reliability of the company suffers because of inadequate virus protection. In the latter example the actual consequences depend on the vitality of the data lost. In the worst case the harm can be significant.
TABLE: Examples of information security mapping concerning hardware and software (columns: Risk, Priority, Current precautions, Timetable, Person in charge, Actions)

Risk: A virus gets access to a computer and starts to send mails to customers.
  Priority: Very severe: the company image suffers, and getting unambiguous mails is very inconvenient to customers.
  Current precautions: Virus protection software that came with the manager's computer, but which is no longer up to date. The other computers have no virus protection, but they have no network connection either.

Risk: The computer gets totally broken (for example falls on the floor or catches fire).
  Priority: Very severe: the data are lost, and there is material damage.
  Current precautions: Backups are not made; the insurance should cover at least part of the material damage.

3.6 Test your knowledge on information security mapping

With this exercise you can check how well you remember the issues presented in this section. This is a multiple-choice question, and you get the feedback immediately. You can do the exercise as many times as you wish. Start the exercise here (opens in a new window).

4 Information security plan

The information security plan aims to prevent possible harm and to ensure action plans in case of hazards. A well made plan is an important part of decreasing the risk of losing vital data or information and the financial harm due to such losses. The information security plan contains the information security objectives, principles and implementation practices, approved by the company management. In practice an information security plan includes:

- The issues related to the company values. This means the company's willingness and commitment to systematically improve information security.
- A description of the current state of the company's information security. For example a risk analysis can be made to find out the strengths and weaknesses. Especially important are the estimated hazards and the security activities already implemented.
In this material the risk analysis and the description of the current state are implemented by making an information security mapping.
- The necessary actions and practices for reaching the goals, also considering future information security requirements.
- Timetable and persons in charge of implementing the planned actions, including instructions and the time needed for training.
- Updating the plan regularly. Since the users and company operations can change, the plan needs to be checked at regular intervals.
- Precautions taken in case of high-priority risks (including rehearsing them, etc.).

Situation in the example company: Making the plan one part at a time

The company started to make the information security plan. The following areas and practices, which all employees will follow, were included in the plan.

Facilities security
- Doors are kept locked when an employee is absent.
- The last one to leave the building in the evening checks the alarm system.

Data processing confidentiality
- The company's data are handled carefully, to prevent their falling into the wrong hands.
- A non-disclosure agreement is always made when handing data to external partners or persons.

Data accessibility and integrity
- The data must be accessible to all authorized persons.
- A person in charge and a deputy were nominated. They have the master key for the office and the maintenance passwords for the company's computers.
- The nominated persons make backup copies of the electronic data every week.
- Information that exists only on paper is scanned or photographed digitally and archived electronically as well.

Hardware and software security
- The persons in charge regularly check that the operating systems and protection software are up to date.
- It was agreed that in case of any information security problems or hazards the persons in charge are notified immediately; they then investigate the matter and communicate it further.
4.1 Establishing the plan

The second phase in improving the company's information security is to plan the necessary actions in case of information security hazards (see the figure below).

[Figure: Using the information security plan in planning the risk precautions. The figure shows the cycle: a new risk is identified (needs risk assessment; what to do?) -> risk assessment (what can happen? avoid the risks; documented in the information security mapping) -> risk preparation (what can be done? implement the planned practices; documented in the information security plan, which completes the mapping) -> information security practices and immediate action.]

Who makes the information security plan?

External consultants can be used in making the information security plan, but what is most essential is to identify and prepare for the risks related to the particular company and its business operations. The company employees know the particular company and its information security risks best.

Template: Information security plan in a small enterprise
Information security area: Daily business operations
Columns: RISK | PRIORITY | ACTION | TIMETABLE | PERSON IN CHARGE

The significance of the different information security areas varies. What is most important is to go through all the areas and to assess their impact on the particular company and the security of its operations. For example, the following actions can be planned to decrease the information security risks:
- Actions related to organizational development, such as development of common rules, instructions, control and tracking, communication, work planning and distribution of responsibilities.
- Actions related to improving individual areas of work, such as purchasing safer tools, making information security instructions for the personnel, developing familiarization or organizing information security training.
- Technical actions, such as purchasing new equipment, developing protection, making backups, purchasing an alarm system or developing system maintenance.
4.2 Daily business operations

The two central risk areas related to daily business operations are:
- taking care of exceptional working arrangements
- personnel training and guidance about information security in their daily activities

The first point includes working arrangements during holiday seasons, familiarization of substitutes, and operations performed in cooperation with company partners and other external persons. The second point includes the information security instructions, training and nomination of persons in charge. The practices related to these situations are written down in the information security plan. Training and guidance resources can be reduced by good planning and well-working instructions.

In the example below the company's current information security practices have been found to be partly inadequate. Training and instructions are established to improve the situation.

TABLE: An example of an information security plan and its daily business operations part
(columns: Risk | Priority | Current precautions | Action | Timetable | Person in charge)

Risk: The e-mail password leaks to an unauthorized person.
Priority: Severe: the abuser can read and send e-mails.
Current precautions: No precautions taken, needs to be improved.
Action: Instructions for passwords are made: the password may not be kept visible near the computer, and it may not be told to anyone. The password must be complicated enough and not easily guessed.
Timetable: The instructions are made during December.
Person in charge: Executive Director.

Risk: An e-mail containing important information is accidentally sent to a wrong recipient.
Priority: Very severe: product specifications can fall into the hands of a customer's competitor.
Current precautions: Very difficult to prepare for, but in any case something should be done.
Action: Instructions are made about how to use e-mail. An external consultant is hired to hold e-mail training for the personnel.
Timetable: The consultants are searched for during December. The training is planned for January.
Person in charge: Executive Director.
4.3 Company facilities

The actions for protecting company facilities are written in the information security plan. The protection actions assure that
- the company personnel can work safely and without too many restrictions in the facilities
- hazards due to external persons are minimized
- information security stays unharmed in all situations

The information security plan should cover protecting the facilities in case of fire, water damage, theft, business espionage and hacking, as well as preventing and minimizing the harm to company data and data processing devices that follows from these hazards. Fireproof cabinets, safes and shredders should be considered as means to prevent the hazards above. The appropriate placing of the cabinets and shredders must also be remembered, for if they are placed in the wrong places they may be felt too laborious to use.

In the example below the facilities security and its improvement have a direct effect on the security of data processing.

TABLE: An example of an information security plan related to company facilities
(columns: Risk | Priority | Current precautions | Action | Timetable | Person in charge)

Risk: An unauthorized person gets access to the office computer.
Priority: Severe: the computer contains confidential information.
Current precautions: Usually the door is locked, but the practices should be improved.
Action: The office door is kept locked when the office is empty. An instruction is given to lock one's computer when leaving it, even for a while. A password is needed to unlock the locked computer.
Timetable: This practice is introduced immediately.
Person in charge: Office secretary (and all other employees on their own computers).

Risk: The production facilities are broken into.
Priority: Severe: there are valuable machines and devices in the facilities.
Current precautions: Well prepared.
Action: No further actions needed; the alarm system is already in use.
Timetable: -
Person in charge: -

4.4 Data

The actions ensuring data access, processing and destruction are written down in the information security plan:
- The data needed for various work tasks must be accessible to all employees who need it.
- Data storage responsibilities and means are agreed.
- Destroying needless data, and who is responsible for it, is agreed.
- Processing confidential and secret data is agreed separately.

It is especially important to remember that:
- Documents, plans or files containing important information are not left lying around on desks, copy machines or printers, or sent accidentally to wrong recipients.
- Devices for destroying needless data are placed in appropriate places, where they are easy to use. For example, a shredder is placed next to the copy machine.
- Processing confidential or secret information should be agreed separately and in writing.

The following issues should be considered:
- Information saved in documents or on technical devices, as well as oral information, is defined as company property. This information can be used only in the separately agreed manner and in the company's interest. The principles are written as separate instructions. The instruction also covers employees moving to other positions, employees who have resigned or been dismissed, and external partners such as subcontractors.
- Separate written instructions are made for handling business secrets.
- Key persons have a separate written contract concerning competing activity and inventions made during employment.
- The instruction about handling confidential information is distributed to all employees.
- It is made sure that the employees follow the given instructions.

In the table below there is an example of preparing for the harm due to loss of important data. Backup copying and data archiving are improved in order to keep the company image unharmed in case of any hazard.

TABLE: An example of an information security plan concerning data security
(columns: Risk | Priority | Current precautions | Action | Timetable | Person in charge)

Risk: Product specifications are destroyed or disappeared.
Priority: Very severe: without the specification the correct product cannot be produced.
Current precautions: In addition to the usual carefulness, no precautions taken. Needs improvement.
Action: There are always at least two copies of each specification. If the specifications are on paper, they are immediately copied and placed in a folder in the office. If the specification is in electronic format it is saved on the computer and printed out for production. The data on the computer is backed up weekly. Paper documents are kept in the same place as the backup CDs.
Timetable: The practice is planned to be in use by the end of November.
Person in charge: Order receiver (office secretary).

Risk: New product designs are presented to potential customers, but the appropriate files are not found on the computer.
Priority: Rather severe: does not convince the customer, and the customer can be lost.
Current precautions: -
Action: A logical directory structure is planned to make the files easier to find.
Timetable: The directory structure and the placement of paper documents will be planned in a common meeting in January.
Person in charge: Kalle Koponen (production manager, also does marketing).

4.5 Hardware and software

Hardware and software connected to the Internet can be protected by following three instructions:
- Have a firewall to protect the company network from external hazards.
- Keep the computers' operating systems up to date, so that known security holes are closed.
- Use virus protection software and keep it up to date.

Essential for software security is:
- to take care of security updates (for example for web browsers),
- to use only software for which you have a license, and
- to take care of backing up the software and the data related to it.

All devices, software and communications should be protected physically, technically and/or by software. Servers and telecommunication devices can be placed in a separate locked space, where only authorized persons have access.
Telecommunications are technically protected with a firewall and appropriate virus protection. Computers are protected by locking them with a password every time they are left. The personnel are trained and instructed to follow the company's security practices.

The information security risks related to hardware and software can be assessed, for example, with the following questions:
- Can security be essentially improved by having maintenance contracts with external service providers?
- Is the expertise of service providers exploited enough in technology acquisitions?
- How big a benefit is gained by investing in more secure information technology?
- What is the business risk if the information technology acquisition is not made?
- Does legislation or other regulation require better technical security?

In the example below hardware and software security is improved by software acquisitions and by preparing for material damage. A maintenance contract should be considered as a means to prevent production interruptions.

TABLE: An example of an information security plan related to hardware and software security
(columns: Risk | Priority | Current precautions | Action | Timetable | Person in charge)

Risk: A virus gets access to a computer and starts to send e-mails to customers.
Priority: Very severe: the company image suffers, and receiving suspicious mails is inconvenient for the customers.
Current precautions: Virus protection software came with the office computer, but it is no longer up to date. The computers in the production facilities have no virus protection, but they have no network connection either.
Action: Virus protection software is purchased for every computer. The executive director's computer and the office computer will have automatic updates; the other two computers, which are not connected to the network, are updated monthly. Files for these computers are separately scanned before they are opened.
Timetable: Software and software providers are looked for during November. The acquisitions are made by 10.12. at the latest.
Person in charge: Executive Director.

Risk: A computer gets totally broken (falls on the floor or catches fire).
Priority: Very severe: data are lost, and there is material damage.
Current precautions: Backup copies do not exist; insurance will cover some of the material damage.
Action: The actions needed for improving backup copying were described in the data security part. The insurances and what they cover are checked.
Timetable: The insurances are checked during December.
Person in charge: Office Secretary.

4.6 Implementing the plan

From plan to practical actions

To ensure that the information security plan actually works in practice, it is important that
- the company reserves enough resources for information security development
- all employees are trained and instructed to understand their own responsibilities related to the practices defined in the information security plan
- persons in charge of information security are nominated and contacted when security problems arise
- the information security plan and related instructions are kept up to date.

When the needed actions are decided, the means of implementation, timetables and persons in charge are agreed. Implementation progress is tracked regularly, for example every six months.

Not all improvement actions can be made immediately. Implementation should start with removing or reducing the biggest risks identified during the security assessment. Sometimes the improvement actions need further investigation, more planning and more investment. At the same time as the biggest risks are dealt with, however, smaller improvements can be made to prepare for smaller hazards. Often small improvements can be made with little effort, for example by introducing new practices and training the personnel.

A summary of the tables in this section.

4.7 Test your knowledge on information security plan

With this exercise you can check how well you remember the issues presented in this section. It is a multiple-choice question and you will get the feedback immediately.
You can do the exercise as many times as you wish. Start the exercise here (opens in a new window).

5 Practical actions

The last phase in improving the company's information security is to implement the planned improvement actions. The aim is to prevent the hazards that can harm the company's operations and to achieve the information security level that is best for the particular company (see the figure below). In this section some practical instructions are given for implementing typical information security improvements.

[Figure: the same cycle as in section 4.1: a new risk is identified -> risk assessment (what can happen?) -> risk preparation (what can be done?) -> information security practices; the information security mapping and the information security plan document the phases, and immediate action is taken where needed.]

The starting point is that the company itself is responsible for developing its information security. Consultants, experts and service providers can be used to support decision making. The aim is not to destroy the company data but to secure it! Do you know what you are doing? If not, don't do it! If you do, are you sure that you know what you are doing? If yes, then do it.

NB! In this section various utility programs are presented to facilitate the practical actions. Before installing any software, read its license terms carefully. Some software is free for private use, but business use may require a license. Study the copyrights and licenses before using the software.

Situation in the example company: Practical improvement actions

New virus protection software was purchased to replace the old one. The software was installed on all computers and the updating procedures were agreed. A copy of the company's information security plan was given to the employees, and all of them committed to following the instructions. The employees were guided to identify their own areas of responsibility from the plan.
Necessary training was defined and organizing the training sessions was agreed.

5.1 Updating the operating system

To keep the computer secure, the operating system and other software must be updated. Over time new security holes are found in software, which attackers can exploit; security updates fix these holes. Other updates commonly contain new features or fixes for known problems.

To have the operating system updated automatically in Windows 2000 or Windows XP, open the Control Panel and double-click the Automatic Updates icon. Updating can be completely automatic, or semi-automatic, which means that the computer notifies you when new updates are available.

In addition to the automatic updates, and particularly in other Windows operating systems, a handy way to update is to open Internet Explorer from the Start menu or from its icon and enter the address http://windowsupdate.microsoft.com/. On this page select Express installation.

The updates can be searched for and adjusted from the Control Panel: open the Control Panel from the Start menu and double-click the Automatic Updates icon. See a video about searching for updates with the Control Panel.

If you have a fixed-line connection, it is recommended to have the updates downloaded automatically. The Windows Update site allows fetching the updates at the most convenient time.

More information (in Finnish): http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/kayttojarjestelma.html

5.2 Software updates

In principle all applications used on the computer must be updated. Especially important are the operating system (see above), Internet browsers and e-mail applications. Virus protection and the firewall are primary as well. Office applications and other applications can also have security holes, bugs and vulnerabilities. Most applications have their own feature for searching for and downloading updates.
For example, in the MS Word text processing application this feature is in the Help menu. Mozilla Firefox users can look for updates from the browser menu Tools > Options: select Advanced in the window that opens and then click the Check Now button. NB: in order to update the browser successfully, activate the "Allow web sites to install..." selection in the Web features view. See a video about looking for updates for Firefox. The Internet Explorer browser is updated automatically at the same time as the Windows operating system.

Complete instructions cannot be given for all applications and their updating, however. The user has to find the update functions of each program, and the Help menu is often a good place to start. Many applications have menu selections such as Updates, Check for updates or similar. Sometimes the function is under a different menu; in Microsoft AntiSpyware, for example, it is under the File menu.

Often the software provider has a web site where software updates are available. English-language web sites often have links such as Support or Downloads, where the updates can be downloaded. In many applications, for example virus protection applications, the updates can be set to be automatic. If the computer has a fixed-line connection to the Internet, the user then does not have to worry about the updates. Some software notifies the user whenever new updates are available, and they can be downloaded by clicking the OK button.

5.3 Improving document management

This example describes some practical actions that facilitate classifying and organizing the company data, so that the data is available to the employees. When classifying the data, paper documents, electronic documents and documents in picture format must all be considered. The classification is done according to the tasks and the information needed in each task. Employees' authorization to particular data is also considered.
This helps to separate business secrets, which are meant only for executive managers. Even though not all company data is confidential, passing company data to external persons must always benefit the company.

1. Requirement analysis (consider all the company data saved in different formats): Make a list of document management needs and identified problems. This forms the basis and goals for document management. A common goal is to make particular documents easier to find. Data is received from customers and partners and also forwarded to other parties, so their needs may also be worth acknowledging (for example in naming the electronic folders and in grouping the files into folders).

2. Data classification (consider all the company data saved in different formats): Go through the different company operations and the information needed and handled in each operation. Find out where the information is saved, who handles the data and in what kind of work tasks. This helps you to group the data according to the user groups that need it. If there is a need to restrict access to business secrets, it is easier to handle when the data is grouped according to work tasks. For example, papers for the sales personnel are grouped by customer in their folders, and the respective electronic data is organized in similar electronic customer folders.

Business secrets can be classified, for example, according to the following grouping (source: Käytännön tietoturvallisuusopas PK-yrityksille, hyperlink below):
- strategic data,
- operational, financial and commercial data,
- data related to research and development and to products,
- data related to production methods and to machines and devices, and
- financial administration data.
In the following example the data of an imaginary company "IronSteel Oy" is organized according to its operations:

+ Operation planning (for example only for the executive director and the board of directors)
+ Marketing
  + Brochures
  + Covering notes
+ Sales
  + Invitations for tenders
  + Tenders
  + Orders
+ Customer projects
  + Project documentation of One Ltd.
  + Project documentation of Two Ltd.
+ Production
  + Working schedules
  + Production reports
+ Financial administration
  + Calculation of salaries
  + Book keeping

Financial administration and other data can be in several formats, for example as paper documents, electronic files or records in software databases. This should be remembered when planning data backups and archiving.

3. Naming the files (this applies to electronic files such as text files, spreadsheets, digital pictures, etc.): In addition to a good folder structure, naming conventions also make it easier to find the appropriate files when they are needed. A well-planned naming policy helps to differentiate the files from each other and enables searching for them with the computer's search function. A naming convention is useful also for different file versions, see the following example.

[the identifiers in the file name are: companyname | documenttype | versionnumber.doc]
One_ProjectPlan_v01.doc (version 0.1: e.g. the first version made by a salesperson)
One_ProjectPlan_v02.doc (version 0.2: e.g. small changes by the salesperson)
One_ProjectPlan_v10.doc (version 1.0: e.g. a version accepted by the sales manager)

[the identifiers in the file name are: companyname | businessoperation/specifier | documenttype | date.doc]
IronSteel_Board_minute_20061128.doc

The following picture presents Windows Explorer and a folder structure constructed by the above instructions. The picture also shows an example of a naming convention (in this case for project plans).
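As an added example (not part of the course material), the following Python script checks a folder listing against the two naming conventions above and picks the newest version of each document, which is the check the person in charge of document management would run before a backup or an archiving round. The function names and the constructed SAMPLE_FILES list are assumptions of the example; the two name patterns are the ones given in the text.

```python
"""Checker for the file-naming conventions of section 5.3 (added example, not from the course).

Conventions from the text:
  Company_DocumentType_vNN.ext                  e.g. One_ProjectPlan_v10.doc  (vNN = major.minor)
  Company_Operation_DocumentType_YYYYMMDD.ext   e.g. IronSteel_Board_minute_20061128.doc
Function names and SAMPLE_FILES are assumptions of this example.
"""
import re
from datetime import date

# An identifier is one field between underscores: letters, digits and hyphens, no spaces.
_IDENT = r"[A-Za-z0-9-]+"
_EXT = r"\.[A-Za-z0-9]+"

VERSIONED = re.compile(
    rf"^(?P<company>{_IDENT})_(?P<doctype>{_IDENT})_v(?P<major>\d)(?P<minor>\d)(?P<ext>{_EXT})$")
DATED = re.compile(
    rf"^(?P<company>{_IDENT})_(?P<operation>{_IDENT})_(?P<doctype>{_IDENT})_(?P<date>\d{{8}})(?P<ext>{_EXT})$")

# Constructed sample folder listing: three versions of one plan, a dated minute,
# a name with spaces, and a "date" that does not exist on the calendar.
SAMPLE_FILES = [
    "One_ProjectPlan_v01.doc",
    "One_ProjectPlan_v10.doc",
    "One_ProjectPlan_v02.doc",
    "IronSteel_Board_minute_20061128.doc",
    "project plan final.doc",
    "IronSteel_Board_minute_20061345.doc",
]


def parse_name(filename):
    """Return a dict describing a conforming name, or None if it follows neither convention."""
    m = VERSIONED.match(filename)
    if m:
        return {"kind": "versioned", "company": m["company"], "doctype": m["doctype"],
                "version": (int(m["major"]), int(m["minor"])), "ext": m["ext"]}
    m = DATED.match(filename)
    if m:
        ymd = m["date"]
        try:
            d = date(int(ymd[:4]), int(ymd[4:6]), int(ymd[6:]))
        except ValueError:  # eight digits, but not a real calendar date
            return None
        return {"kind": "dated", "company": m["company"], "operation": m["operation"],
                "doctype": m["doctype"], "date": d, "ext": m["ext"]}
    return None


def latest_versions(filenames):
    """For each (company, doctype, ext) group, the file name carrying the highest version."""
    best = {}
    for name in filenames:
        info = parse_name(name)
        if info and info["kind"] == "versioned":
            key = (info["company"], info["doctype"], info["ext"])
            if key not in best or info["version"] > best[key][0]:
                best[key] = (info["version"], name)
    return {key: name for key, (_, name) in best.items()}


def check_folder(filenames):
    """Names that break the convention, for the person in charge of document management to fix."""
    return [name for name in filenames if parse_name(name) is None]


if __name__ == "__main__":
    for name in check_folder(SAMPLE_FILES):
        print("does not follow the naming convention:", name)
    for key, name in latest_versions(SAMPLE_FILES).items():
        print("newest version of", key, "is", name)
```

Run against a real folder by replacing SAMPLE_FILES with the output of os.listdir(). The date check matters: a name such as the constructed IronSteel_Board_minute_20061345.doc looks well-formed but cannot be sorted or archived by date, so it is reported together with names containing spaces.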
4. Data storage and backup copying (this applies to electronic files such as texts, spreadsheets, digital pictures, etc.): A recommended document management principle is to keep the data in one place and to take care of its storage and backup. Often there is a need to make copies of both paper documents and electronic files, but electronic files in particular are easy to lose among the computer folders and to get mixed up with different versions. For saving and storing electronic files, the most practical approach is to keep the company documents on one computer or server. This prevents needless copies and makes it easier to make backups. If there are several computers in the company and some employees need to use common documents, it is recommended to build a computer network inside the company. The network can be either a peer-to-peer network, or the data can be saved on a server. A server makes backup copying easier, since all data is in one place. The backups can be made using external memory, a tape drive, or by writing CDs or DVDs.

5. Instructions, guidance and introduction: Collect the central document management practices into a short guideline that the users can use as a memory aid. Such a guideline is useful also when familiarizing new employees with their work tasks and work environment. For example, if a new folder structure is planned, it should be briefed to the employees. A short and concise guideline about document management helps with these briefings. Afterwards the employees can start to use the new structure by moving their files from the old structure to the new one.
The document management guideline can include, for example, the following items:

A guideline for an individual employee:
- No matter how much of a hurry you are in, always follow the agreed practices.
- Save the documents correctly (paper documents in their folders, electronic files in their specific folders).
- Give electronic documents and files individual and descriptive names. Use a version number or another method to differentiate between old and new versions, particularly if the old versions will also be needed later.
- Contact information of the person in charge of document management.
- In which situations the person in charge should be contacted (for example problems, ideas, etc.).

A guideline for the person in charge of document management:
- No matter how much of a hurry you are in, always follow the agreed practices.
- Make backup copies.
- Maintain the archiving practices.
- Contact information of the persons in charge of the company's business operations (e.g. sales, production, financial administration).

6. Maintenance and development: The technical maintenance of document management includes regularly checking and taking care of functionality and storage capacity.

See a video about document management.

REFERENCES: Ovatko yrityksesi tietoriskit hallinnassa? – Käytännön tietoturvallisuusopas PK-yrityksille. Uudistettu laitos. Teollisuus ja Työnantajat. http://www.ek.fi/ytnk/pdf/tietoturva.pdf, p. 21.

5.4 Backup copies

All storage media can break, which means that accessing the files becomes extremely difficult or even impossible. Thus, important files should be backed up regularly. In practice, "regularly" means that the intervals at which the data changes are identified, as is the period during which so many changes are made that they cannot be allowed to be lost. "Important files", in turn, requires that the important files are first identified. Not all important data is necessarily saved on computers; it can also be in paper format.
If vital information exists only on paper, a scanner is recommended, so that the data can be scanned into digital format and backed up with the methods presented later in this section. Depending on the information on the papers, an ordinary copy can also be an adequate backup of a paper document. This copy is then kept in a safe place, like electronic backups, and preferably in a different place from the originals. In this case the requirements for paper archiving must be checked, and it must be ensured that the ink stays readable for the required time. Most important is to find appropriate and secure means that fulfill the particular company's needs.

The locations of the important electronic data must be known before they can be backed up, and the locations where different programs save their data must be determined. To make backing up easier, it is recommended to have a disk partition or a specific folder where the data to be backed up is saved. Important data is often accidentally saved only on the Windows desktop, where it is easily forgotten when backing up.

There are many backup methods, and a good method is selected based on the amount of data to be backed up, the requirements for storing the copies, the speed of the Internet connection and other resources. It is worth thinking over how many backups are necessary and what an appropriate price for backing up is.

Different disks and tapes can be used to store the backed-up data. This allows keeping several backup versions, in case one version breaks, and allows recycling the tapes and disks. The newest backup usually overwrites the oldest one, which naturally requires that the media is re-writable. If the disks used are not re-writable, all the backup versions can be kept instead. Even though re-writable disks are more expensive and often require a more capable drive, new disks do not need to be bought all the time.
In addition to disks and tapes, the backup copies can be saved on a separate external hard disk or even on a USB memory stick. Depending on the amount of data, only one backup copy at a time can be enough. If there is enough capacity, the external hard disk can be divided into folders named according to the backup date. It is also possible to buy the whole backup copying as a service, which leaves media management and backup operations to the service provider.

The following table gives a few examples of how to do regular backup copying. The table is based on the course "Basic computer skills".

TABLE: Backup media
(columns: Backup medium | Capacity | Requirements | +/-)

CD-R / CD-RW disk | 650-700 MB | Writable CD drive (quite cheap nowadays) | Cheap (1 € apiece), not the most reliable, rather small capacity.
DVD disk | 4.7 GB | Writable DVD drive (more expensive than a writable CD drive) | Big capacity, rather reliable. DVD disks are quite cheap (from 1 €); can be the cheapest medium compared to its capacity. Re-writable DVD-RW disks are more expensive (~4 €).
External hard disk | ~20-80 GB | USB 2.0 connection | Handy for large amounts of data, as the transfer speed is high. Price about 100-200 €. The biggest capacities are suitable for several versions of backup copies.
Tape drive | 20/40 GB | SCSI connection | Tape price ~11 €, drives from 400 € and up. Handy for large amounts of data.
Floppy disk | 1.44 MB | Floppy drive | Very unreliable, but better than no backup copies at all. Cannot be recommended.
Memory stick | Up to 5 GB | USB connection | Prices from a few euros up. A 1 GB memory stick costs about 30 euros, and prices are coming down all the time.
Service provider makes the backup copies on their server, over a network | No limit (the price depends on the capacity needed) | Fast fixed-line connection | Purchasing the service requires some preliminary work. For example 1 GB in the mmd.net service costs 10 €/month. If the amount of backup data is vast, the Internet connection must be very fast.
For an entrepreneur this kind of outsourced service is easy, for no technical knowledge is required, and it also provides security in case of fire or other disaster in the company facilities.

NB! The requirements and the prices are only indicative.

Making backup copies on CD can be a good choice for a small enterprise. A writable DVD drive increases the backup capacity remarkably. Outsourcing the service can also be considered if the company has a fast fixed-line Internet connection. Prices of external hard disks are moderate considering their capacity; for example an 80 GB hard disk costs about a hundred euros.

Backup copying can be automated with appropriate software. For example the SyncBack software is available completely free of charge. In the following example the backup operation is set to run every Wednesday to a USB memory stick. In this case you must naturally remember to have the memory stick connected to the computer at that time. See a video about setting backup settings with the SyncBack software.

If the computer has a writable CD drive, software for writing CDs is usually delivered with it. With this kind of software it is easy to make backup copies of small amounts (< 700 MB) of data. Many CD-writing programs are used in a similar way: first choose Data CD as the CD type, then drag and drop the selected files into the window representing the CD. In the following figure and in the video we have used the NTI CD&DVD-Maker software, but as said, many CD-writing programs are used in a very similar way. See a video of how to make a backup CD.

It is not enough to believe that the data is saved on the backup copies; the backups need to be tested every now and then. This ensures that the data is saved correctly on the backup media and that it can be restored when needed.

More information: SyncBack software enables scheduling the backup, for example to a network drive.
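One way to automate the version rotation and the restore test described above, as an added example that is not part of the course material or of the SyncBack software: this Python script (all folder names and sample files are constructed for the demonstration) zips a data folder into a date-named archive, writes a SHA-256 manifest beside it, keeps only the newest three versions on the medium, and tests a backup by restoring it to a scratch directory and comparing every file's hash with the manifest.

```python
"""Backup with a hash manifest, version rotation and a restore test.
Added example for this section; not part of the course material or of
SyncBack. All paths and sample files below are constructed."""
import hashlib
import tempfile
import zipfile
from datetime import datetime
from pathlib import Path
from typing import Dict, List, Optional, Tuple

KEEP_VERSIONS = 3   # number of backup versions kept on the medium


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, medium: Path, stamp: Optional[str] = None) -> Path:
    """Zip the source folder to medium/backup-<stamp>.zip (a descriptive,
    date-based name) and write a .sha256 manifest beside it."""
    stamp = stamp or datetime.now().strftime("%Y-%m-%d_%H%M%S")
    archive = medium / f"backup-{stamp}.zip"
    manifest: Dict[str, str] = {}
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            zf.write(file, rel)
            manifest[rel] = sha256_of(file)
    with open(archive.with_suffix(".sha256"), "w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")
    return archive


def rotate(medium: Path, keep: int = KEEP_VERSIONS) -> List[Path]:
    """Delete the oldest archives (and their manifests) beyond `keep` versions.
    The date stamp in the name makes plain sorting give chronological order."""
    archives = sorted(medium.glob("backup-*.zip"))
    removed = []
    for old in archives[:-keep]:
        old.unlink()
        old.with_suffix(".sha256").unlink(missing_ok=True)
        removed.append(old)
    return removed


def verify_backup(archive: Path) -> List[str]:
    """Test the backup: restore it to a scratch directory and compare every
    file's hash with the manifest. Returns the problems found; an empty list
    means the backup restores correctly."""
    problems: List[str] = []
    manifest: Dict[str, str] = {}
    with open(archive.with_suffix(".sha256"), encoding="utf-8") as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    with tempfile.TemporaryDirectory() as scratch:
        with zipfile.ZipFile(archive) as zf:
            zf.extractall(scratch)
        for rel, digest in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_of(restored) != digest:
                problems.append(f"hash mismatch: {rel}")
    return problems


def demo() -> Tuple[int, List[str], List[str], List[str]]:
    """Constructed scenario: a small data folder, five weekly backups to a
    'USB stick' folder, rotation to three versions, then a restore test of
    the newest backup and of one whose manifest has been damaged."""
    work = Path(tempfile.mkdtemp())
    source, medium = work / "data", work / "usb_stick"
    (source / "invoices").mkdir(parents=True)
    medium.mkdir()
    (source / "customers.txt").write_text("Acme Oy, contact person, phone\n")
    (source / "invoices" / "2024-01.dat").write_bytes(b"\x00\x01\x02binary")
    archives = [make_backup(source, medium, f"2024-01-{d:02d}")
                for d in (3, 10, 17, 24, 31)]
    removed = rotate(medium)
    kept = sorted(p.name for p in medium.glob("backup-*.zip"))
    ok = verify_backup(archives[-1])
    # Simulate a damaged backup: overwrite one recorded hash in a manifest.
    manifest = archives[-2].with_suffix(".sha256")
    lines = manifest.read_text(encoding="utf-8").splitlines()
    lines[0] = "0" * 64 + lines[0][64:]
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    damaged = verify_backup(archives[-2])
    return len(removed), kept, ok, damaged


if __name__ == "__main__":
    print(demo())
```

Running the script shows two old versions removed, three kept, an empty problem list for the intact backup and a hash mismatch for the damaged one; in real use, point `source` at the folder where the data to be backed up is collected and `medium` at the memory stick or external disk.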
http://www.2brightsparks.com/syncback/

Information on various mass storage media (in Finnish): http://appro.mit.jyu.fi/doc/tietokone/index5.html

5.5 Virus protection

Viruses are best avoided by the users themselves. Do not download software from unknown web sites and do not install software if you do not know what it is. Further, do not save unknown attachments that arrive by e-mail, and do not even open an e-mail attachment unless you are absolutely sure about its contents. If a virus nevertheless gets into your computer despite all precautions, it cannot stay unnoticed for long, provided that virus protection software is properly installed and kept up to date.

Virus protection software or a service is the best way to protect the computer from viruses and worms. The software and services are available for example from Internet operators, computer stores or on the Internet. If you download virus protection software from the Internet, use only known and reliable web sites and service providers. To find the right services, use an Internet search engine, for example Google, with the name of the software as the search word. This lets you see what other users think about the particular software and helps to judge whether the software or service is reliable.

When you have found, downloaded and installed the software, take a few moments to study its features. Typical virus protection software includes the following functions:

- Scan all files (Full Scan)
- Scan a specific folder
- Real-time protection on/off (scan files when they are copied or used)
- Automatic updates on/off
- Search for updates
- Run the scan at a specific time (Scheduled Tasks)

It is recommended to keep automatic updates and real-time protection turned on, and to run a full scan regularly, for example every night. This keeps the software's virus database up to date and thus prevents possible virus attacks effectively.
The picture below shows a window of the McAfee virus protection software while it is doing real-time scanning.

See a video of using McAfee VirusScan: http://www.titu.jyu.fi/oili/vierikoulutus1/videot/virus.wmv

More information (in Finnish): http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/virustorjuntaohjelmisto.html

5.6 Protection against malicious programs

Malicious programs are for example spyware or adware, which try to use the computer for their own purposes without the actual user even noticing. Malicious programs differ from viruses and worms in that they do not spread by themselves; instead they get into the computer hidden inside some other program, or through security holes in the browser while visiting some unknown web site. For example the peer-to-peer application KaZaa, which was popular some time ago, let several small malicious programs into the user's computer.

Malicious programs aim at financial gain by using the attacked computer. Typically the programs show advertisements as pop-up windows, direct HTTP requests to advertisement sites, track the sites the user visits, and sometimes even steal user data, for example credit card numbers. If there is a malicious program in the computer, the computer can for example slow down and strange pop-up windows can appear on the screen. However, it is not always possible to notice that a malicious program is present.

The easiest way to avoid these programs is to have at least two different programs installed that can identify possible malicious programs, because one program cannot recognize all spyware and adware. These programs are used in the same way as virus protection software. Their databases must be updated regularly so that they can recognize even the newest malicious software. The picture below shows Microsoft AntiSpyware. Used together with, for example, LavaSoft Ad-Aware it can keep the computer clean.
See videos here:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/MS_Anti.wmv
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/lava_ad.wmv

5.7 Firewalls

Firewalls are used to protect the computer from network hazards. For example, hackers may try to access a computer that is connected to the Internet. If they do get access, they can steal files, passwords, e-mails and other important information from the user. The firewall blocks unauthorized connections and in the best case even prevents the computer from being seen by other users in the network. There are firewall programs and firewall devices; here we concentrate on firewall software.

Installing a firewall

This example is based on the Zone Alarm (http://www.zonelabs.com/store/content/home.jsp) firewall. Installing a firewall is a similar procedure to any software installation. After copying the application files, the software asks for some background information (e.g. connection type). The firewall can be configured to permit all outgoing Internet connections, or it can be set to ask the user for permission every time a program tries to connect to the Internet.

In the following picture a ZoneAlarm update has just been installed. In the upper right corner (Programs section, on orange background) are the icons of the applications that are allowed to connect to the Internet. The text "Inbound Protection" in the picture means blocking connection requests coming from the network, and "Outbound Protection" means blocking connections from the computer to the network.

When the software has been installed, its icon appears in the right corner of the taskbar (next to the clock), where the icons of other applications running in the background are also visible. Firewall updates are released every now and then, and it is recommended to install them immediately.
The firewall functionality can be checked at the following address: https://www.grc.com/x/ne.dll?bh0bkyd2 (Selections: first click Proceed, then click the button All Service Ports.)

Configuring the firewall

In ZoneAlarm the protection is divided into two levels: Internet (the whole network) and Trusted (known addresses). The user can assign different addresses to the Trusted level, and thus give these addresses less restricted access to the computer. Both levels can be configured separately. The restrictions are further divided into two types: incoming (Inbound) and outgoing (Outbound).

Inbound restrictions have three levels:

- High: The computer operates in hidden (stealth) mode, which means that it cannot be seen from the network.
- Medium: The computer is visible in the network, but its resources are protected.
- Low: The firewall is not in use.

Outbound restrictions concern the individual applications and their access to the network. The picture below shows the configuration of the outbound restrictions. Access means that the application is allowed to connect to the Internet, and Server means that the application can function as a server in the network. These settings can be made separately for the Internet and Trusted levels. The alternatives are:

? = Ask the user when the application tries this action
X = Do not allow the application to do this
√ = Allow this action for the application

See a ZoneAlarm video here: http://www.titu.jyu.fi/oili/vierikoulutus1/videot/zonealmr.wmv

NB! Windows XP has its own firewall. Take care that you use only one firewall program at a time, because different firewalls can interfere with each other. The Windows XP firewall is configured in the Control Panel. See a video of how to enable the Windows XP firewall: http://www.titu.jyu.fi/oili/vierikoulutus1/videot/xppalomuuri.wmv

If you are using a wireless network, remember to protect it from unauthorized users.
Ask your service provider for more information.

More information (in Finnish): http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/palomuuri.html

5.8 Encrypting telecommunications

Encryption is used to conceal important information. Encryption can be divided into two classes: encrypting the telecommunications and encrypting the files. This section concentrates on telecommunications encryption; file encryption is introduced in the following section.

Telecommunications encryption begins with personal actions. When doing business on the Internet it is essential to use common sense and not to give any personal data to services other than those that you definitely trust and whose reliability you know. 99.99% of all "You have won..." advertisements are hoaxes.

In general there are two kinds of web sites: unprotected, whose address starts with http://, and protected, whose address starts with https:// (HyperText Transfer Protocol Secure). Services where you register or give any other personal data should always use the https:// protocol to secure your data. Do not give your information on sites that use the unprotected http:// protocol, because a hacker can easily steal your information from such services. The picture below shows an e-mail service protected with the https:// protocol, which can be seen from the browser's address bar.

Many browsers have a feature that remembers user names and passwords for different sites, to make logging in easier. In general it is not recommended to save passwords or user names: if they are saved, anyone who uses your computer can access the service with your password, and user names and passwords are too easy to find from the browser's files (try for example a Google search with the search words "[browser] passwords").

Remember to clear the browser's cache every time you finish your business with a service that requires logging in, for example Internet banking.
Closing the browser is also recommended, even after clearing the cache. This is particularly important when using a shared computer that has other users as well.

5.9 Encrypting files

Encrypting files begins with the user's own actions:

- When leaving the computer, even for a short time, protect it by locking it: press the key combination Ctrl+Alt+Del and then select Lock Computer. A shortcut key combination is Windows key + L. The Windows key is usually between the Ctrl and Alt keys, or next to the space bar. (This applies only to Windows operating systems.)
- Do not keep your passwords on paper, at least not near the computer.
- Use passwords that are not easy to guess.
- Take care that your data media, for example CD or DVD disks, do not fall into the wrong hands.

Extremely important and confidential information can be encrypted in case of crackers or burglars. Laptops in particular are more vulnerable than desktops in locked facilities, because a laptop can be stolen from a car, at an airport, etc. For similar reasons it is also recommended to encrypt confidential data carried around on CD disks.

Encryption can be done in several different ways; the easiest is to use an application made for it. For example Cypherix (http://www.cypherix.com/cryptainerle/) provides a free application for volumes of up to 25 MB. The application is easy to use: first choose the folder where the data is located and then open the folder with the application. Add or remove files in the folder. Take care that you close the folder with the selections File / Unload Cryptainer Volume when you are done. See a video of how to open the Cryptainer, handle the files and close the Cryptainer: http://www.titu.jyu.fi/oili/vierikoulutus1/videot/crypt.wmv

Kingston provides an easy way to protect the contents of a USB memory stick with a password. The Kingston DataTraveler series has memory sticks with built-in, reliable 128-bit AES encryption (Advanced Encryption Standard).
Another handy way is to use the encryption feature included in packing software (WinZip, WinRAR, WinAce, etc.). This example is based on the encryption feature of the WinZip application. When creating the package, click the Password button and type your password. Click OK to close the window and then click the Add button to add the files into the protected package. See a video of how to create a password protected package: http://www.titu.jyu.fi/oili/vierikoulutus1/videot/winzip.wmv

5.10 Training and instructions

In order to make information security a natural part of daily business, the employees should be familiarized with the new practices and related guidelines. Training, instructions and guidelines may be needed for example on the following items:

- responsibility in computer use at work and in other environments
- carefulness with user names and passwords
- using the Internet and e-mail
- remote access to the computer and distance work
- secure use and storage of data, documents and information technology devices
- privacy protection when handling particular private data
- action in problem situations
- other specific features of the company

Often it is not enough just to make a plan or instructions; the employees may need more regular guidance and training. The training should last long enough to ensure that the contents are mastered. Good planning and good instructions can decrease the amount of training needed.

5.11 Purchases

When purchasing new information technology, the following questions should be considered:

- What are the information security properties of the particular product?
- Is the new product compatible with the current systems?
- How big a benefit is gained by investing in more secure information technology?
- Does legislation or other regulation require better information security than the currently used information technology provides?
The product can have advantageous information security properties, but if the product is not compatible with the current system, it may not be usable, or extra costs may be caused when the property is introduced. To avoid this kind of situation, it is recommended to consider the following:

- Is the expertise of suppliers and service providers exploited enough when making information technology acquisitions?
- Can the company's information security be essentially improved by making maintenance contracts with service providers?

Some information security procedures can be outsourced, particularly if the company does not have, or is not willing to invest in, the resources to handle the technologies itself. When considering outsourcing, the company's needs and requirements should be defined as accurately as possible, for example to ensure compatibility between new and old systems and software. The following questions can help to formulate the service requirements when inviting tenders:

- How reliable is the product?
- What kind of licensing policy does the product have?
- What kind of guarantee does the product have?
- How is maintenance provided for the whole life cycle of the product?
- What is included in the contract? (For example a maintenance service can include repairing the product within the next 72 hours, a help desk, etc.)
- What are the expertise and reliability of the service provider as a long-term partner? (references, experiences, company continuity)

In information technology acquisitions, as in other acquisitions, the purchase price is not the most important aspect; the costs over the whole product life cycle are. These include the costs of acquisition, introduction, use and replacing the old product with a new one.
Extra costs can be caused for example by:

- the product being inappropriate for its intended use
- unreliability and breakdowns caused by this
- neglected product development and lack of updates
- lack of expertise on the part of the customer, supplier or service provider
- inefficient use and general dissatisfaction with the product, which can be due to inadequate training and instructions

5.12 Protecting www sites

Company web pages are an electronic business card and an important part in creating the company image. Thus, it is essential to protect the web site and prevent any unauthorized changes.

Web pages on an outsourced server

If the company web pages are hosted by a service provider, it is important to consider the following aspects:

- Use only reliable web hosts
- Keep the passwords safe
- Change the password at regular intervals

A general operating model is to make the pages on a personal workstation and only after that transfer the contents to the server. The transfer and the server should use SSH protection (Secure Shell), which is much more secure than the usual FTP protocol. For example SSH Secure Shell (www.ssh.com), PenguiNet (http://www.siliconcircus.com/penguinet/) and WS_FTP Professional (http://www.wsftp.com/products/ws_ftp/index.asp) all use SSH protection.

Picture: SSH Secure File Transfer connection.

Web pages on a company server

If the company has its own server where the web pages are kept, consider the following aspects:

- Remove all network applications from the server except the http/https services (ports 80/443). Configure the firewall to protect all other ports (more info about the ports: http://www.webopedia.com/quick_ref/portnumbers.asp).
- In addition to the regular access control, use passwords and identification to ensure that only authorized persons can change the home page contents.
- Track the system reports to notice any possible problems.
- Control logs must be encrypted either on the web server or on a separate workstation on the company intranet.
- Establish an action plan and ensure that it is available in the case of hacker attacks. The plan should be part of the company information security plan.
- Do not accept remote administration without one-time passwords or encrypted connections. If remote administration is necessary, ensure that a protected connection (e.g. SSH) is used.
- Ensure that the remote administration contract includes detailed definitions and rules about information security.
- Do not keep any confidential data on the www server, where anyone can access it.
- Visit your home pages regularly and check their contents; for example set the web page as the start page when opening the browser.

5.13 Mobile devices

In addition to computers, various mobile devices can also contain important information. Thus the information security of these devices must also be considered. Mobile devices are for example:

- Mobile phones
- PDA devices (Personal Digital Assistant), hand-held "pocket computers". Usually operated with a separate pen and a touch screen. E-mail and an electronic calendar are common applications.
- Communicators are intermediate forms between mobile phones and PDAs. They have a keyboard or a touch screen. In addition to voice calls, e-mail, Internet browsing, data transfer, WAP and other applications are included.
- Handheld PCs are intermediate forms between PDAs and laptops. They have a keyboard and generally more applications than PDAs.

Considering mobile devices, it is important to notice that GSM encryption is a network property, not a phone property. Nearly all operators use this encryption, but when travelling abroad it is recommended to ask the local phone operator about encryption. If you use an answering service, remember to set your personal password to protect your messages. Never lend your phone to strangers, because the borrower may listen to the messages in your answering service. When you communicate confidential information over the phone, ensure that your communication partner is also aware of this.
Say that you are using a mobile phone, and check that there are no people within listening range.

Software can be downloaded to several mobile devices in the same way as to computers. Thus, similar security requirements must be considered. Virus protection software must be kept updated, and if the device is used in an external network, it must be protected with a firewall. Remote connections must be protected.

Mobile devices and laptops are exposed to theft and loss. Thus, the data in mobile devices and laptops must be protected. When working in a public space, lock the computer or log out before you leave it, even for a minute. Handheld computers and PDAs can be protected with a password that is asked every time the device is turned on. This kind of password is not, however, very effective, because PDAs do not have a hard disk; all data is saved in the device memory. Specific software is available for protecting the data, and it is recommended. The software protects the data in a similar way as on desktop workstations, so that theft or loss of the device does not cause an information security hazard.

Many mobile devices include a cable or infrared connection that enables making backup copies of the data. The data in the mobile device is copied to a computer and moved to a separate backup medium if necessary. Mobile devices differ from one another, so detailed instructions vary as well. Ask the reseller or check the manufacturer's web site for more information.
More information: Microsoft: Information security in the mobile world – new challenges http://www.microsoft.com/uk/security/default.mspx

5.14 Accounting software

BACKUPS AND ARCHIVING

Accounting software must be backed up according to the Finnish bookkeeping committee regulations (22.5.2000):

- to ensure data storage if the hardware breaks down (for example if the hard disk breaks down)
- if you wish to move the bookkeeping to another computer
- to enable you to return to a previous state, for example to the moment before closing the accounts or before an error happened

In addition to the hard disk, the backup is made:

- to a CD-ROM disk or memory stick, or
- to another data medium, for example a server folder

The backup should be made as often as possible:

- for example after every bookkeeping session
- after entering a large amount of data
- always before closing the accounts or before closing the accounting period
- before deleting any data, for example when deleting an old accounting period

An example of making a backup copy in the Econet application

- Select File / Back Up from the menu or press the toolbar button.
- Define the time when you wish the software to remind you about the backup.
- Select One disk when the backup is copied to the hard disk or when the backup is saved on one single medium (for example one single tape).
- Select Multiple disks when the backup is copied to several disks or when the amount of backup data requires several disks. The application will divide the data between the different media automatically.
- It is recommended to give backups taken in different phases descriptive names, so that you can return to the particular state later on. Do not change the file extension after the dot.
- In the bookkeeping application choose the company whose data you wish to back up.
- Select Back up from the menu.
- Type or browse the correct folder path where you wish to save the backup.
- Type the file name (note the file extension).
- The software will save all data related to that particular company, for example the name, accounting period, account scheme and book entries.

Restoring the backup

- Select the appropriate company in the bookkeeping application, or establish a new company.
- Select Restoring the back up / Introduction from the menu.
- Browse to the backup file on the appropriate medium.
- The application will restore the backed up data.

NB! This means that the backup data overwrites the current company data, and the data entered after making the backup copy is lost. Ensure that this is OK!

Archiving of bookkeeping data (bookkeeping legislation 2:8 §, bookkeeping committee guideline 22.5.2000):

- During the bookkeeping period the book entries can be stored on a hard disk. Backups must be made often enough, using a reliable backup method, for example to a CD-ROM disk.
- At the closing of the accounts, the bookkeeping data of the period must be printed out OR copied to a computerized data medium which is permanently stored and which cannot be changed afterwards, for example a read-only CD (CD-ROM).
- After copying the data to an external medium, the data can be deleted from the hard disk if needed (for example to save disk space).
- The above mentioned papers or data media must be stored for 10 years after the bookkeeping period has ended.

5.15 Wireless local area network (WLAN)

WLAN, a wireless local area network, means a network where the computers communicate either directly with each other or with the help of a base station. The data moves through the air, not in cables. The base station can be connected to a traditional fixed network. In practice this means that the computer can be connected to the Internet without any cables between the computer and the network.
WLAN has become more and more popular as laptops have become common.

- The workplace no longer has to be near a network socket, because WLAN allows free movement inside the WLAN range.
- Installation is cheaper, because there is no need for cables.
- Very suitable for facilities where the network is needed only temporarily.

The greatest security risk with wireless local area networks is that users often have no security settings at all and use an unprotected network. This can cause information leaks and unauthorized access to the network. The security risks are:

- Tapping of telecommunications
- An unauthorized hacker can access the network
- The connections can break down due to the excessive load caused by the hacker
- The hacker can establish an unauthorized base station in the network using your Internet connection

WLAN can be protected from information leaks and from unauthorized access by using user identification. This means that all users, or their computers, who try to use the particular WLAN network are identified by defining their identities in the base station. The most typical protection methods are presented below.

MAC (Media Access Control)

Every wireless PC card has its own unique identity, called a MAC address. Many base stations allow listing the MAC addresses that are allowed to access the WLAN. Thus, only the listed MAC addresses are allowed to access the network; external users whose computers are not listed cannot access it.

WEP (Wired Equivalent Privacy)

This technology is based on a base station password. All devices that connect to the particular WLAN network must know the base station password. The WLAN base station asks the correct password from all users who try to access the network; hence external hackers cannot use the network without knowing the base station password. The base station password can be set in the computer settings.
This means that the correct password is given automatically when the particular computer connects to the base station; the user does not have to type the password separately every time. A WEP password is an easy solution when there are many users and users must be added and deleted every now and then (for example in school networks). The WEP password practice is described in more detail in the following.

Instructions on how to establish a WEP password for a router

(These instructions are made for a D-Link router. Some selections can differ with other routers.)

- Install the WLAN router according to the manufacturer's instructions.
- Connect the computer to the router: open an Internet browser and type the address 192.168.1.1. (This is a common router IP address. If it does not work, see the router manual for more instructions.)
- On the opening page type the following information: User name: admin, Password: admin. (These are the common default user name and password. If they do not work with your router, check the correct user name and password in your router manual.)
- Select the Security Setup tab and then click the text Wireless Settings. (In other routers find the similar pages.)
- Select WEP as the encryption method. In the case of D-Link this is done by selecting the radio button WEP at the Security point.
- Define a password that is used to access the network. This password must have 10 characters and may consist only of the small letters a-f and the digits 0-9. After this more selections are enabled. First select Enable WEP Wireless Security and then type the password on the first Encryption Key row. Then click the Apply icon.
- Save the settings: select the Tools tab and then click the text System Commands. Click the Save all button. After this you will receive a message confirming the save.
See a video of how to configure WLAN WEP encryption in a D-Link router.

Instructions for other than D-Link modems:
http://www.telewell.fi/ohjeet/tw_ea2000/wlan_turva_asetus_2000_1000.htm
http://www.zyxel.fi/includes/file_download.asp?deptid=11459&fileid=1668&file=ZyXEL%20WLAN%201.2.pdf&pdf=1

6 Summary

[Figure: the information security development cycle. Labels: Needs; Risk assessment (What can happen?); Information security mapping; Risk preparation (What can be done?); Information security plan; Information security practices (Implement the planned practices; Avoid the risks); A new risk is identified (What to do?); Immediate action; Completes..]

6.1 Risk management

Risk assessment and management:

- The risk assessment should be as simple as possible.
- Risk assessment must be performed continuously and regularly.
- Risk management is recommended to start from the risks that are assessed to be the greatest.
- Not all risks can be removed.
- Good planning facilitates the implementation.
- A reliable person is nominated to be in charge.

The risk assessment is recommended to be done in a group consisting of 3-6 persons plus a team leader. External consultants can be used if necessary. The starting point for risk management should be company development, for example practices and knowledge. Only after that are technical protection methods considered.

6.2 Mapping

When establishing an information security mapping in a company, it is recommended to consider:

- the security of daily business operations
- the security of the facilities from the data processing point of view
- access to the correct data and their secure processing
- the usage of secure devices and software

The hazards that can disrupt the company's business operations are identified in the information security mapping. The hazards can be for example: different faults, fires, water damage, thefts, mistakes and vandalism. After the information security risks are mapped, an action plan is established. This plan is called the information security plan.

6.3 Planning

The information security plan includes:

- items related to company values
- the current state of information security in the company
- the planned actions in order to reach the objectives set
- the timetable and the persons in charge of each action
- keeping the plan up to date
- preparing for serious hazards (including e.g. training)

The second phase in developing the company's information security is to plan the practical actions in case of hazards. The significance of the information security risk areas varies from company to company. Most important is to go through all the areas and assess their significance to the particular company and to its secure operation. The deficiencies are written down, and development actions are defined and listed. The actions written in the information security plan can be related, for example, to organisational development, to the individuals' scopes of action, or to technical operations, for example purchasing new equipment.
In order to make the plan work also in practice, it is important that:
- the company commits to the information security improvement with adequate resources
- all employees are trained and instructed to understand their own responsibilities regarding the various items in the information security plan
- persons in charge are nominated, who are to be contacted when information security hazards or other related problems arise
- the information security plan and the related instructions are kept up to date

6.4 Development

[Figure: the information security development cycle, as in section 6.]

The last phase in improving the company information security is to implement the planned development actions, in order to avoid the information security risks and hazards and to achieve the most suitable information security level for the particular company. The starting point is that the company has the responsibility for information security development. If necessary, experts and consultants can be used to provide information for the actual decision making. The purpose is not to destroy the company data but to secure them.

There are several utilities available for information security development. Before installing any software, read the copyrights and license agreements carefully. Several software products are available free for home use, but business use may require payment. Check the pricing and licensing before starting to use the software.

7 Information security training

Practical training in information security mapping and planning is required for passing this course.
The training can have several formats:
- as a part of vocational training related to your studies, for example in a small enterprise
- a training session organised by your school, where the information security of the school or some other organisation is mapped
- in the company where you work or do your training period

Ask your course teacher about other possibilities to do the training.

NB. If you are going to do the information security mapping and planning as a part of your vocational training in a company, you must ask the company for permission to do the side-by-side training. Ask your teacher for more information about side-by-side training.

7.1 Training phases

1. Organising the training
Find a company or other organisation where you can make the information security mapping and planning. First present your idea to your course teacher. After the teacher has accepted your training, you can agree the training period and other details with the company.
Phase result: Teacher's acceptance of the training company

2. Making the information security mapping
Map the company's information security by using the Information security plan form. You will find the forms on the portal. Ask your teacher for the username and password for the portal. At the end of this section you will find instructions for downloading the forms. The filled forms are returned to the teacher and saved on the portal.
Phase result: Information security mapping

3. Making the information security plan
Make an information security plan for the company. Use the Information security plan form. Complete the information security mapping you made in the previous phase by entering the planned actions and other required information. You will find the forms on the portal. Ask your teacher for the username and password for the portal. At the end of this section you will find instructions for downloading the forms. The filled forms are returned to the teacher and saved on the portal.
Phase result: Information security plan and ESF control form

The Information security plan form is used in both phases: to map the information security and to establish the actual plan. At the end of this section you will find the instructions for downloading the forms. The data is entered into the form in two phases: first fill in the mapping part and, when it is finished, complete the planning part. The different parts of the form are in separate columns.

7.2 Information security mapping

The information security mapping is made by interviewing the company management and other personnel. The interviewees should work in different jobs and in different departments, to enable as holistic a view as possible. Write down the interview results on the Information security plan form. You will find the form on the portal. The form is primarily made to be used in companies, but it is also used if the organisation is, for example, your own school. In this case the form is filled in for the appropriate parts.

First fill in the Information security mapping part, which includes:
- Risk: What can happen? Why? What are the information security hazards and vulnerabilities?
- Priority: How probable or serious is the risk? How great and serious harm can the hazards do to the company?
- Current precautions: How is the risk prepared for? Are the current preparations enough?

Do the information security mapping carefully, for the gathered data is used as the basis for the information security planning!

7.3 Information security plan

When the mapping is done, complete the form into an Information security plan:
- Actions: Which concrete practical actions are done in the company to manage the identified risk?
- Timetable: When are the planned actions implemented? How will the information security development proceed? What are the main development phases and their timetable?
- Person in charge: Who is responsible for implementing each action? Are external persons needed in the implementation? Who will control the implementation?
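The two-phase form described in sections 7.2 and 7.3 (mapping columns first, planning columns afterwards), together with the section 6.1 rule of starting from the greatest risks, can be modelled in a few lines. The following Python is an added example written for this page, not a tool from the Oili or Mylly projects; the numeric priority scale and the sample entries are constructed assumptions. It orders the register by priority and reports which mapped risks still lack actions, a timetable or a person in charge, which is the check a teacher or company would want before accepting the plan as finished.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Priority scale assumed for this example: 1 = low ... 5 = very high.
# The course form only asks "how probable or serious is the risk?";
# the numeric scale is a convention added here.


@dataclass
class RiskEntry:
    # Mapping part (section 7.2), filled in during the interviews
    risk: str                  # What can happen? Why?
    priority: int              # How probable or serious is the risk?
    current_precautions: str   # How is the risk prepared for?
    # Planning part (section 7.3), filled in once the mapping is finished
    actions: Optional[str] = None
    timetable: Optional[str] = None
    person_in_charge: Optional[str] = None


# Constructed sample entries, using hazard types named in section 6.2.
SAMPLE_PLAN: List[RiskEntry] = [
    RiskEntry(
        risk="Theft of an office laptop holding customer data",
        priority=5,
        current_precautions="None; laptops are left on desks overnight",
        actions="Lock laptops in a cabinet after work; enable disk encryption",
        timetable="Within two weeks",
        person_in_charge="Office manager",
    ),
    RiskEntry(
        risk="Employee mistake deletes the shared project folder",
        priority=4,
        current_precautions="Weekly backup to an external disk",
        actions="Daily backups and a monthly restore test",
        timetable="Within one month",
        person_in_charge="CEO",
    ),
    RiskEntry(
        risk="Water damage to the room where the file server stands",
        priority=3,
        current_precautions="Server stands on the floor under a water pipe",
    ),
]

PLANNING_FIELDS = ("actions", "timetable", "person_in_charge")


def prioritised(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Order the register so that work starts from the greatest risks, as
    section 6.1 recommends. Equal priorities keep their original order."""
    return sorted(entries, key=lambda e: e.priority, reverse=True)


def planning_gaps(entries: List[RiskEntry]) -> Dict[str, List[str]]:
    """Map each risk to the planning columns that are still empty.
    Risks whose planning part is complete are omitted."""
    gaps: Dict[str, List[str]] = {}
    for entry in entries:
        missing = [f for f in PLANNING_FIELDS if not getattr(entry, f)]
        if missing:
            gaps[entry.risk] = missing
    return gaps


def is_plan_complete(entries: List[RiskEntry]) -> bool:
    """True when every mapped risk has actions, a timetable and a person in charge."""
    return not planning_gaps(entries)


if __name__ == "__main__":
    for entry in prioritised(SAMPLE_PLAN):
        print(f"[{entry.priority}] {entry.risk}")
    for risk, missing in planning_gaps(SAMPLE_PLAN).items():
        print(f"Still to plan for '{risk}': {', '.join(missing)}")
    print("Plan complete:", is_plan_complete(SAMPLE_PLAN))
```

On the constructed sample the laptop theft comes first, and the water damage entry is reported as unplanned, so the plan is not yet complete; the same structure can hold the rows of the real Word form once they are transcribed.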
The plan is established by interviewing the company personnel and agreeing the actions with them. You can present your own ideas and opinions on good ways to improve the information security, but remember that the personnel have the best view of their work. In any case, the final decisions are made by the company. The starting point is that the company has the responsibility for information security development. If necessary, experts and consultants can be used to provide information for the actual decision making. The purpose is not to destroy the company data but to secure them.

Do you know what you are doing? If not, then don't do it! If you do, are you certain that you still know what you are doing? If yes, then do it!

After the mapping part and the planning part of the information security plan are finished, the form is returned to the teacher and saved on the portal. Ask your teacher for more detailed instructions. The plan is also given to the company to use. The company can use the plan in developing their information security and update it when necessary.

7.4 Downloading the forms from the portal

1. Go to the portal by following the links on these pages or type the address in the browser: http://www.titu.jyu.fi/vierikoulutusportaali
2. Find the appropriate Word form that you need. Click the file icon and save it to your computer or, for example, on a memory stick or CD.
3. If you are giving side-by-side training in the company, you will need permission from the company for it. The permission form is on the portal, in PDF format.
4. Follow the course instructions and fill in the Word forms in the appropriate order. Always keep your files in a safe place.
5. After you have finished your training, go to the portal again.
6. Next to each form icon you will see a hyperlink, which you can use to upload the filled form to the portal. Click the Browse button, find and select the form you have finished on the computer or disk, and click Open.
Click the Save button to upload the form to the portal.

7.5 ESF control

If you are giving side-by-side training in companies, you must fill in the ESF control form. The form is filled in and saved on the portal. Ask your teacher for a username and password for the portal.

The side-by-side training based operations model was developed in the Oili and Mylly projects. These projects are funded by the European Social Fund (ESF). The ESF control form is used to collect the names and salary information of the employees who have received side-by-side training. Usually the companies pay a participation fee for the project and report to the ESF the salary costs that are due to the participation. In Mylly and Oili there is no participation fee for the companies, but the ESF still needs the salary information. The Information Technology Research Institute (ITRI) will forward the salary information to the funder of the Mylly and Oili projects, namely the County Administrative Board of Western Finland.

8 Course completion and the feedback questionnaire

Ask your teacher for more information about the course completion, timetable and assessment. Note that passing this course requires that the following forms are filled in and returned:
- Permission from the company to give side-by-side training
- Information security plan
- Training follow-up ESF form (the student must make sure that the company where the side-by-side training is given fills in and returns this form)
- Feedback questionnaire

Open the questionnaire here. All answers are handled confidentially, and a single respondent cannot be identified from them. The answers will only be used in the Information Technology Research Institute, to improve the course. The schools will not have the results for their own use as such.
9 References (in Finnish)

- Joka kodin tietoturvaopas (Every home's information security guide), http://www.tietoturvaopas.fi/; instructions for using a computer safely on the Internet and guidance for problem situations.
- PK-yritysten tietoturvaopas (Information security guide for SMEs), Yritysturvallisuus EK, http://www.ek.fi/ytnk/pdf/tietoturva.pdf
- Käyttäjän tietoturvaohje (User's information security guideline), Valtiovarainministeriö (Ministry of Finance), http://www.vm.fi/tiedostot/pdf/fi/51024.pdf
- Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi valtionhallinnossa (Guideline on risk assessment for promoting information security in central government), Valtiovarainministeriö (Ministry of Finance), http://www.vm.fi/tiedostot/pdf/fi/53827.pdf
- Valtion tietohallinnon internet-tietoturvallisuusohje (Internet security guideline for government IT administration), Valtiovarainministeriö (Ministry of Finance), http://www.vm.fi/tiedostot/pdf/fi/39681.pdf
- Valtionhallinnon keskeisten tietojärjestelmien turvaaminen (Securing the central government's key information systems), Valtiovarainministeriö (Ministry of Finance), http://www.vm.fi/tiedostot/pdf/fi/90727.pdf
- http://www.tieke.fi/julkaisut/oppaat_yrityksille/tietoturvaopas/
- Tiivis tietoturvasanasto (Concise information security vocabulary), http://www.tsk.fi/fi/info/TiivisTietoturvasanasto.pdf; an information security vocabulary in Finnish, Swedish and English. The vocabulary covers not only general information security concepts but also information security threats and information security measures. The concepts are described by means of definitions and of examples given in notes (in Finnish), so that it is possible both to distinguish the concepts from one another and to find the connections between them. The target group of the vocabulary is basic IT users.