
Information security

Course description
This course concentrates on improving information security in small enterprises. The target group is enterprises that do not have an information security improvement plan and whose resources are not adequate to raise the technical level of their information security.
The course covers protection of the enterprise's physical facilities as well as data protection. Improving the security of computer devices is also included in the course. The course introduces naming conventions for files and folders and data backup operations for workstations, PDA devices and software.
The course aims to provide cost-efficient aids for improving information security that are easy to manage and applicable in particular to small enterprises.

Objectives
After completing the course the student will be able to
* understand the significance of information security
* map, plan and implement information security in a small enterprise, in cooperation with the company personnel and experts

Credit units
2 ov / 3 op, ask about ECTS from your teacher

Completion
Passing the course requires studying the material, completing the exercises and answering the feedback query.

Assessment
Ask your course lecturer about the assessment in your school.

The course material is produced by Pauli Koskinen (Jyväskylä Vocational Institute) and the project groups of
Oili and Mylly projects (University of Jyväskylä, ITRI)

1 What is information security?
Enterprises need many kinds of information in their operations, for example the knowledge held by their personnel and the various data written on paper and saved in information systems. Access to correct data must be assured in order to guarantee that the company can function. Information security therefore means examining the company's operations from the point of view of its information and information systems: what information the company depends on, where it is, and what could happen to it.




Information security is a much bigger issue than the personal information security of an individual or the use of technological devices, such as virus protection or a firewall, to protect computer data. Information security at the enterprise level is easier to grasp in parts. In larger enterprises the partition can follow the general information security classification, while small enterprises can use a more compact partition.
Throughout this course we will follow information security improvement in an example company. At the beginning of each section the side-by-side trainer Tiina will introduce the implementation of that phase.
Example company scenario: Becoming aware of information security

The company CEO had read a newspaper article about the significance of information security and its typically low status in small enterprises. The company had previously had a vocational trainee, who had given the personnel side-by-side training in using email.
Now the CEO proposes that Yrjö could contact the school and ask whether the next vocational trainee could concentrate on the company's information security. The school provided an enthusiastic information technology student, who wished to study the Information security web course and complete her vocational training period in this particular company.




More information
The office of the Data Protection Ombudsman http://www.tietosuoja.fi/1560.htm (in English)
A direct hyperlink to a data protection guide (in Finnish): http://www.tietosuoja.fi/uploads/zg5sofwogs.pdf

1.1 The significance of information security
Neglecting information security can cause data loss or data falling into competitors' hands. Thus, information security is an essential part of the company's information systems and other operations. Ignoring information security can have very severe and far-reaching results, and therefore assessing and preparing for information security risks is a major issue.
Realization of an information security risk can, in the worst case, lead to the company being unable to function, to significant loss of work already done and to major financial damage. The company closing down is an extreme result. Obtaining compensation through the courts requires that the company has taken concrete actions to protect its business secrets. Otherwise it is extremely difficult to get any compensation for the financial losses suffered.

 Unless the company takes concrete actions to protect its business secrets and other important data, it has
 no protection against business espionage, breaches of business secrets and malpractice.


Concrete actions can be, for example, having an information security plan and related instructions, and adequate personnel training in the information security practices, with appropriate written secrecy regulations when needed.


Information security risks can be prepared for by
* mapping the possible risks,
* making an information security plan,
* being committed to following the information security plan,
* keeping the information security plan and its instructions up to date and
* training the personnel in the information security practices.


More information (in Finnish):
http://www.internetopas.com/yleistietoa/tietoturva/




1.2 Improving the information security
Information security improvement is a continuous process that begins with an assessment of the company's information security. The assessment method can be, for example, information security mapping. After the risks have been mapped, the adequacy of the preparation for them is defined. Previous actions and actions planned for the future are collected into an information security plan. This plan covers all the systematic actions that the company uses in preparing for the realization of information security risks. The aim of the plan is to improve information security in the company.
Because of changes in the business environment and the continuous development of new technologies, information security improvement must also be continuous. Risks and the sufficiency of the preparation for them must be evaluated systematically and continuously. Even an environment that has previously been secure can be confronted with a new and sudden hazard that requires immediate action. New risks and the changes they cause in the company's information security practices are added to the company's information security plan.
The information security plan and its systematic use in practice prove that the company has taken concrete actions to secure its important data, should an information security risk be realized.


The improvement of the company's information security must be systematic. The improvement process can be as follows (figure: the information security improvement cycle):

Risk assessment (What can happen?) is done with an information security mapping.
The mapping feeds risk preparation (What can be done?), which is recorded in the information security plan.
The plan is put into information security practices: avoid the risks and implement the planned practices.
When a new risk is identified (What to do?), immediate action is taken, and the new risk needs risk assessment, which starts the cycle again.



1.3 Information security areas
Information security can include several different areas, and particularly in larger enterprises it is essential to acknowledge all of them. The following general classification can be used when improving information security. Each category is followed by examples of what it covers.

Administrative information security: information security assessments and the information security plan, planning the instructions and training, integrating the information security practices into daily business operations

Personnel security: secrecy agreements, substitution practices, external personnel, working arrangements during holiday seasons, practices related to the beginning and ending of an employment, for example removing user rights

Physical security: door locking, access control, fireproof cabinets, electricity backup for the computer system

Network security: protecting telecommunication cables and devices from hacking and break-ins, fail-safety of telecommunications, security of remote work, mobile connection security, tracking of break-in attempts, firewalls

Computer security: assuring functionality with service agreements, authorized personnel for service and maintenance, acquisition of new devices and withdrawal of old devices

Software security: security updates for operating systems and browsers, virus protection, administration of user rights

Data storage security: data protection, security of portable media (diskette, CD, memory stick etc.), storage of files, documents and other data, backups, archiving, keeping copies, destroying data in a secure manner

User security: appropriate management of user names and user rights, and consistent actions and practices according to the information security instructions and plans

More information (in Finnish):
Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, Valtionvarainministeriö,
http://www.vm.fi/tiedostot/pdf/fi/90727.pdf
PK -yritysten tietoturvaopas; Yritysturvallisuus EK, http://www.ek.fi/ytnk/pdf/tietoturva.pdf, Liite 5

1.4 Information security areas in small enterprise
For small enterprises the general information security classification can be too complicated and difficult to understand. By combining categories and renaming them in terms more suitable for smaller enterprises, the above categorization can be tailored to better serve small enterprises' needs. This simplified classification is used in the information security mapping and planning presented in this course material. The relations between the general classification and the simplified classification are as follows.

Daily business operations (general classification: administrative information security, personnel security, user security)
Preventing information security accidents caused by human actions. Improving the information security of daily practices by training and instructions. Information systems' user practices and system security as a part of daily business operations.

Physical facilities (general classification: physical security)
Physical protection of company facilities and data processing from unauthorized use, data loss and fire.

Data (general classification: data storage security)
Storage, processing, identification, archiving, backup and backup storage of files, documents and other data media.

Hardware and software (general classification: network security, computer security, software security)
Security of computer devices, networks and software. Assuring functionality with contracts, virus protection and a firewall.



2 Information security risks
Information security risks disturb the normal business operations of a company. The most common risks are caused by human errors. Information security problems are often due to carelessness, lack of understanding, lack of skills, faulty implementation of information systems and wrong user operations.
Realization of an information security risk can, in the worst case, lead to the company being unable to function, to significant loss of work already done and to major financial damage. The company closing down is an extreme result. The risks are prioritized according to their possible consequences, and the prioritization can be done by making an information security mapping.




Situation at the example company: Risk assessment

The company started to consider factors that could be risks for the company operations. The risks were first identified from the customer's point of view. If the specifications of an ordered item were lost or damaged, the company could not deliver the product on time. This would have a negative impact on the company image.




More information (in Finnish):
PK -yritysten tietoturvaopas; Yritysturvallisuus EK, http://www.ek.fi/ytnk/pdf/tietoturva.pdf
Valtionhallinnon keskeisten tietojärjestelmien turvaaminen, Valtionvarainministeriö,
http://www.vm.fi/tiedostot/pdf/fi/90727.pdf

2.1 Risk examples
What kinds of information security risks are there in companies?
Possible risks can be exemplified with concrete cases. The following list describes some typical information security risks and their consequences. An example of a possible consequence is given in parentheses.

* The company's premises are destroyed in a fire. (All written data and data saved on computers are lost. All planning and design work must be started from scratch.)
* A computer that contains important data is stolen. (A marketing plan saved on the computer disk is lost, and whoever has the computer can read it.)
* The entrepreneur's mobile phone is lost. (The contact information saved on the phone is lost.)
* The most important employee moves to a competitor. (Research and development knowledge is lost to the competitor.)
* An important design falls into a competitor's hands. (The competitor exploits the design work.)

Why are information security risks not prepared for in time?
Often companies acknowledge their information security risks too late, in the worst case only when the accident has already happened. Why do companies not react to their risks earlier? Possible causes are:
* the information security risks are not acknowledged, or their realization is not seen as probable
* the risk damage cannot be predicted and its extent cannot be evaluated
* the importance of continuous personnel training and instructions for avoiding the damage is not acknowledged
* the consequences of data misuse are not acknowledged, or their extent cannot be evaluated.

2.2 Risk assessment
Risk assessment is an important step in the systematic improvement of information security. The assessment helps to find the vital company information and information systems and to evaluate their significance.
The usual risk assessment tools and methods can also be used in finding information security risks.
The risk assessment aims to find answers to the following questions:
* What can happen?
* Why?
* What are the possible consequences?
* How big is the risk?
* Which risks are the greatest?


Information security risk assessment means systematic actions taken to identify the information security risks and their probabilities and to estimate the possible consequences of the risks being realized.
The company management should make information security improvement a part of the usual management operations. In practice this means
* providing resources for information security mapping and planning
* assuring that the practical actions are implemented according to the plan
* committing the personnel and other partners to the information security plan and its activities by providing adequate instructions and training
* considering the prerequisites of information security also in the future.
External consultants may be needed for the information security mapping and planning and for the practical implementation of the planned activities. Company personnel have valuable expertise in identifying the information security risks and in finding means to prepare for them.

2.3 Other assessment methods
Several methods can be used in risk identification, even in parallel when necessary. When selecting a method, its ease of use and applicability to the company's needs should be considered. Common methods are based on dividing the target into smaller parts, and the risks are then identified one part at a time. Checklists and keywords are often used to facilitate the risk identification. Such methods of risk analysis are, for example:
* Checklists
* Potential problem analysis
* Scenario based risk analysis
* Vulnerability analysis


Checklists are used to consider whether a risk is related to the company operations or not. A checklist is a good tool for identifying risks at a high level and for localizing the problematic items. Checklists can be used as memory support when the impact of each risk is estimated. Checklists are never complete, so their coverage of company and environment specific risks should be carefully analyzed.
Potential problem analysis is carried out in two phases. In the first phase a brainstorming session is arranged to search for and acknowledge possible problems and hazards. In the second phase the reasons for the possible hazards are identified and risk estimates are defined. The adequacy of the current precautions is assessed and improvement actions are developed when needed (Figure 2). For a successful analysis an external consultant is recommended.
Risks can be classified, for example, in the following way: 1 (minor or insignificant risk), 3 (average or probable risk) and 5 (big or very probable risk).

    The time spent on risk estimation neither increases nor decreases the risk itself. Thus, do not use too much time
    on risk estimation.


Object: __________________             Analysis date: ___________
Authors: __________________            Report: _________________

Columns of the form: Hazardous event | Consequences | Risk | Current precautions | Improvement suggestions / additional questions

Figure 2. Potential problem analysis form.
Scenario based risk analysis starts with describing potential hazardous events. Knowledge of previous information security hazards or near misses is a good starting point.
Vulnerability analysis aims at defining the ways to carry on the usual operations after a hazard has happened. A risk database can be used to examine the different parts of information security and to identify the hazards related to company operations.


More information (in Finnish):
The guide Ohje riskien arvioinnista tietoturvallisuuden edistämiseksi valtionhallinnossa (guidance on risk assessment for promoting information security in central government), http://www.vm.fi/tiedostot/pdf/fi/53827.pdf, covers the subject in more detail. A more detailed description of the POA (potential problem analysis) method, with its risk analysis form, is presented in its Appendix 3. More information on risk analysis methods is also available at http://riskianalyysit.vtt.fi/
Risk management in SMEs (Riskienhallinta pk-yrityksissä):
http://www.pk-rh.com/
http://www.pk-rh.com/show_doc.asp?ID=443

2.4 Risk management
Risk management should start from the risks that are estimated to be the biggest and extend to other risks if possible. Risks can be managed in several ways, but not all risks can be removed. It is recommended to weigh the time and money spent on insurance and other risk reduction activities against the risk they address.
The central risk management activities are (with examples):

Risk avoidance: A single risk can often be avoided only by refraining from the risky activity. (Access to the company's research and development facilities can be restricted to authorized personnel only. This prevents external persons from filming new products before their launch.)

Risk removal: A single risk can possibly be removed, but a new risk may follow from the removal. (New user names and passwords are required for accessing a certain information system. Users cannot remember all their user names and passwords by heart and therefore keep them on a post-it note near their desks. Compare: the user has only one user name and password for all information systems. Note that this too is a trade-off rather than a removal: with one password for everything, a single leak opens all the systems at once.)

Risk reduction: Risk reduction aims at preventing the harm or at reducing the consequences of the risk. (The company practice was that the last person to leave the office in the evening locks the doors. Sometimes the outer door was left open. A new practice was introduced, according to which a guard locks the doors at 5 pm. The guard checks that the offices are empty and that the lights and the coffee machine are switched off. He also turns the alarm on.)

Risk transfer: A risk can be transferred, for example by making a contract or purchasing insurance. (The risk of server breakdowns can be transferred to a service provider by making a maintenance contract that also covers the costs resulting from a server breakdown.)

Risk retention: Risk retention means accepting the possible consequences. (The maintenance service covers only one of the company's computers, because it holds the most vital information. The money saved by leaving the other computers without a maintenance service can be used to purchase a new computer every year. The company accepts the risk that the other computers may need servicing.)



2.5 Test your information security knowledge
In this exercise you can check how well you remember the issues presented in this and the previous section. It is a multiple-choice exercise, for which you get feedback immediately. You can do the exercise as many times as you wish.
Start the exercise here (opens in a new window).
3 Information security mapping
Information security mapping is a method for assessing the precautions taken against information security risks. It is used to map the events that could disturb normal company operations. Such events can be, for example, various faults, fires, water damage, thefts, mistakes and vandalism.
In this method it is recommended to divide information security into several parts. This material uses the information security classification for small enterprises, which consists of daily business operations, company facilities, data, and hardware and software.
When the information security risks of a company have been mapped, an action plan is built. This plan is called the information security plan.


Situation in the example company: Mapping results

Data: To begin the mapping, the company data that is needed was gone through, including both paper documents and files in electronic form. Customer specifications were identified as vital information. Some of these specifications arrive via e-mail, but often they exist only on paper. The papers are kept in monthly arranged folders on the office bookshelf.
Hardware and software: The mapping also considered the office computer and its age. The operating system had grown old and updates had not been installed for a while. Virus protection software was installed, but it was found that the software provider no longer provided updates for that software, so the computer was effectively unprotected against new viruses.
Practices: The office computer is mainly in the executive director's use for invoicing, payroll computing and order processing.
Facilities: The company facilities were found to be rather well protected. Door locking and alarm systems were in order, because there are valuable machines and devices in the building.

3.1 Mapping establishment
The first phase in improving the company's information security is to map comprehensively the security risks that can cause harm to the company (see the figure on improving information security in section 1.2: risk assessment by mapping, risk preparation in the plan, the practices that follow, and immediate action and re-assessment when a new risk is identified).

Figure: Risk assessment by using the information security mapping (the same improvement cycle as in section 1.2)
In making the mapping it is recommended to use the expertise of the company personnel, for they have the best knowledge of the company practices, facilities and data. They can often best assess what consequences possible hazards could have. The security improvement actions concerning these three areas (company practices, facilities and data) are often very concrete, easy to understand and do not require complicated technical solutions. The fourth area of information security, namely hardware and software, can in turn require advanced ICT skills. In many companies separate instructions or an external IT consultant are needed, at least in the initial phase.
The risk assessment and risk management methods described in the previous sections can be used in establishing the information security mapping. This material includes questions that aim to facilitate discussion of the information security areas in the company and of their significance for securing company operations.
The following sections consider the information security mapping in more detail. Risks are classified into the four categories presented above and their special characteristics are discussed.
More information (in Finnish):
http://www.tietoturvakartoitus.com

3.2 Daily business operations
The improvement target in daily business operations is to consider information security in all daily practices. The prime target is to prevent hazards that are due to human actions. Training, guidance and instructions are used to improve the personnel's daily practices and thus the information security of usual business operations.

Risks related to daily business operations are often due to exceptional situations, for instance holiday seasons and substitutions. Inadequate instructions and training, neglecting data backups, neglecting the protection of physical facilities, and sending or handing data to unauthorized persons can cause severe harm to the company.
Issues to be considered are, for example:
* Is the familiarization of new personnel adequate?
* Are changes concerning information security always communicated to personnel and interest groups?
* Do all employees know their responsibilities and obligations concerning information security?
* Are the information security training and instructions up to date?
* Who is the information security contact person?
* Who is responsible for improving the information security?

In the table below two risks are identified and their priorities and consequences are estimated. The precautions already taken have been recorded and the need for new security practices evaluated. The columns are: Risk | Priority | Current precautions | Actions | Timetable | Person in charge.
TABLE: Examples of information security mapping considering daily business operations

Risk: An email password leaks to an unauthorized person
Priority: Severe: the abuser can read and send mail in the user's name
Current precautions: No precautions taken; needs improvement
Actions / Timetable / Person in charge: (left blank in the mapping)

Risk: An email containing important information is accidentally sent to the wrong person
Priority: Very severe: for example, design information can end up with a competitor
Current precautions: Difficult to prepare for, but in any case something should be done
Actions / Timetable / Person in charge: (left blank in the mapping)



3.3 Company facilities
            The majority of company’s data processing is often taking place in the company facilities.
            Considering the facilities from the security point of view includes observing the personnel’s access to
            the data. Possible restrictions needed for external persons are also considered.

Issues to be considered are for example:
   Should the access to the company facilities be restricted?


Facilities for example research and design, financial matters, human resource development and computer
servers may need restricted access. If the access is decided to restrict, it is recommended to consider the
following issues:
   How is the restriction implemented?
   Is the access allowed only for particular person(s)?
   Can external persons access to the facilities?
   Can an external person stay in the facilities without an employee?


Reasons for access restrictions can be for example privacy protection or business secrets. Such data include
data about personnel, salaries or prices. Also the features or appearance of new products may need
protection for competitive reasons. In this case there is a need to consider who needs this data or
information and from whom it is protected.
In the table below two situations are described where access to the company facilities can be an
information security hazard.
TABLE: Examples of information security mapping considering company facilities

Columns: Risk / Priority / Current precautions / Actions / Timetable / Person in charge

Risk: An unauthorized person has access to the office computer
Priority: Severe: the computer contains private information
Current precautions: Usually the door is locked, but there is a need for improvement

Risk: Break-in into the production facilities
Priority: Severe: there are important and valuable machines and devices
Current precautions: Well prepared
Timetable: -
Person in charge: -



3.4 Data
             The company operations are considered from the point of view of secure data processing, storage and
             destruction.


Typically the risks are loss or disappearance of files, plans or other documents. The loss can be accidental, due to
faulty devices or lack of backup data. Using old versions can cause harm if there are no practices for
naming, archiving and destroying the files. The same problems are encountered with paper documents.
Risk priorities are estimated by considering the harm caused by each hazard, for example
   - disappearance or destruction of a design or a plan
   - disappearance or breakage of a computer, software or mobile phone and the resulting data loss


To the appropriate extent, fire, water damage, theft, business espionage and hacking should also be
considered as possible hazards. Often the precautions taken for these hazards improve the security of the
facilities as well.
In the table below there are examples of problems related to data disappearance. The second example in
the table is caused by the lack of archiving practices. Fortunately in both examples serious harm has been
avoided.
TABLE: Examples of information security mapping considering data security




Columns: Risk / Priority / Current precautions / Actions / Timetable / Person in charge

Risk: Product specifications attached to an order are destroyed or have disappeared
Priority: Very severe: without the specifications the correct product cannot be produced
Current precautions: In addition to usual carefulness, no particular precautions taken. Needs improvement.

Risk: New product designs are to be presented to potential customers, but the files are not found on the computer
Priority: Rather severe: does not convince the customer much and the customer can be lost



3.5 Hardware and software
            The majority of companies' data processing is done using computers, networks and software. Therefore
            the security of hardware and software is highlighted. It is essential to take care of data
            accessibility, accuracy and storage.

Hardware and software risks are often related to data changes and disappearances. Typically, inadequate
virus protection or lack of other protection can cause data changes in databases or on web sites. The
company image can suffer from these kinds of virus or hacker attacks.
The devices may break, which can cause loss of data or of software that has not been backed up. In the worst
case the software and its license have to be purchased again. Mobile phones also contain important
information. If the phone breaks or gets stolen, the contact information and other data saved in the phone over
the years are lost.
Changes to and disappearance of vital data always cause extra work and unnecessary costs. Often the harm
can be avoided with very small precautions, such as more secure practices and instructions.
The extra working time and costs caused by a breakage are often forgotten when estimating
the risk priorities. More and more often work is stopped because of hardware and software malfunctions.
In the table below the first example describes how the reliability of the company suffers because of
inadequate virus protection. In the latter example the actual consequences depend on how vital the lost data
is. In the worst case the harm can be significant.
TABLE: Examples of the information security mapping concerning hardware and software

Columns: Risk / Priority / Current precautions / Actions / Timetable / Person in charge

Risk: A virus gets access to a computer and starts to send mails to customers
Priority: Very severe: the company image suffers and getting unambiguous mails is very inconvenient for customers
Current precautions: Virus protection software that came with the manager's computer, but which is no longer up to date. The other computers have no virus protection, but they have no network connection either.

Risk: The computer gets totally broken (for example falls on the floor or catches fire)
Priority: Very severe: the data are lost and material damage
Current precautions: Backups are not made; the insurance should cover at least part of the material damages

3.6 Test your knowledge on information security mapping
With this exercise you can check how well you remember the issues presented in this section. This is a
multiple-choice question, and you get the feedback immediately. You can do the exercise as many times as
you wish.
Start the exercise here (opens in a new window).



4 Information security plan
The information security plan aims to prevent possible harm and to ensure action plans in case of hazards.
A well-made plan is an important part of decreasing the risk of losing vital data or information and the
financial harm due to such losses.

    The information security plan contains information security objectives, principles and implementation practices,
    approved by the company management.

In practice an information security plan includes:
      - The issues related to company values. This means the company's willingness and commitment to
        systematically improve its information security.
      - Description of the current state of the company's information security. For example a risk analysis can be
        made to find out the strengths and weaknesses. Especially important are the estimated hazards and the
        security activities already implemented. In this material the risk analysis and the description of the current
        state are implemented by making an information security mapping.
      - The necessary actions and practices in order to reach the goals, considering also future information
        security requirements.
      - Timetable and persons in charge of implementing the planned actions, including instructions and the
        time needed for training.
      - Updating the plan regularly. Since the users and company operations can change, the plan needs to be
        checked at regular intervals.
      - Precautions taken in case of high priority risks (including practicing, etc.)




          Situation in the example company: Making the plan one part at a time

The company started to make the information security plan. The following areas and practices, which all
employees will follow, were included in the plan.

Facilities security
      - Doors are kept locked when an employee is absent
      - The last one to leave the building in the evening checks the alarm system

Data processing confidentiality
      - The company's data are carefully handled, to prevent them from falling into the wrong hands
      - A non-disclosure agreement is always made when handing data to external partners or persons.

Data accessibility and integrity
      - The data must be accessible to all authorized persons. A person in charge and a deputy were
        nominated. They have the master key for the office and the maintenance passwords to the company's
        computers.
      - The nominated persons will make backup copies of the electronic data every week.
      - Information that exists only on paper will be scanned or photographed digitally and archived
        electronically as well.

Hardware and software security
      - The persons in charge will regularly check that operating systems and protection software are up to
        date.
      - It was agreed that in case of any information security problems or hazards the persons in charge will
        be notified immediately; they then investigate the matter and communicate it further.

4.1 Establishing the plan
The second phase in improving the company information security is to plan the necessary actions in case of
information security hazards (see the figure below).

Figure: Using the information security plan in planning the risk precautions. The figure shows a cycle:
Risk assessment (What can happen?) -> Risk preparation (What can be done?) -> Information security
practices (avoid the risks, implement the planned practices) -> A new risk is identified (What to do?
Either it needs risk assessment, or immediate action is taken). The information security mapping
completes the information security plan.
Who makes the information security plan?
External consultants can be used in making the information security plan, but most essential is to identify
and prepare for the risks related to the particular company and its business operations. The company employees
know the particular company and the related information security risks best.
Information security plan in small enterprise (template table):
Information security area: Daily business operations
Columns: RISK / PRIORITY / ACTION / TIMETABLE / PERSON IN CHARGE


The significance of the different information security areas varies. Most important is to go through all the
areas and to assess their impact on the particular company and the security of its operations.
For example the following actions can be planned to decrease the information security risks:
          - Actions related to organizational development, such as development of common rules,
            instructions, control and tracking, communication, work planning and distribution of liabilities.
          - Actions related to improvement of individual scopes of action, such as purchasing safer tools,
            making information security instructions for the personnel, development of familiarization or
            organizing information security training.
          - Technical actions, such as purchasing new equipment, protection development, making
            backups, purchasing an alarm system or developing the system maintenance.

4.2 Daily business operations
              The two central risk areas related to daily business operations are:
                 - taking care of exceptional working arrangements
                 - personnel training and guidance about information security in their daily activities
The first point includes working arrangements during holiday seasons, familiarization of substitutes and
operations performed in cooperation with company partners and other external persons. The second point, in
turn, includes the information security instructions, training and nomination of persons in charge.
The practices related to the above-mentioned situations are written down in the information security plan.
The resources needed for training and guidance can be decreased by good planning and well-functioning
instructions.
In the example below the company's current information security practices have been found to be partly
inadequate. Training and instructions are established to improve the situation.
TABLE: An example of the information security plan and its daily business operations part.

Columns: Risk / Priority / Current precautions / Action / Timetable / Person in charge

Risk: E-mail password leaks to an unauthorized person
Priority: Severe: the abuser can read and send e-mails
Current precautions: No precautions taken, needs to be improved
Action: Instructions for passwords are made: the passwords may not be kept visible near the computer, and they may not be told to anyone. The password must be complicated enough and not easily guessed.
Timetable: The instructions are made during December.
Person in charge: Executive Director

Risk: An e-mail containing important information is accidentally sent to a wrong recipient
Priority: Very severe: product specifications can fall into the hands of a customer's competitor
Current precautions: Very difficult to prepare for, but in any case something should be done
Action: Instructions are made about how to use e-mail. An external consultant is hired to hold e-mail training for the personnel.
Timetable: The consultants are searched for during December. The training is planned for January.
Person in charge: Executive Director



4.3 Company facilities
              The actions for company facilities protection are written in the information security plan. The
              protection actions assure that
                  - the company personnel can work safely and without too many restrictions in the facilities
                  - hazards due to external persons are minimized
                  - information security stays unharmed in all situations
The information security plan should include protecting the facilities in case of fire, water damage, theft,
business espionage and hacking, as well as preventing and minimizing the harm to company data and
data processing devices caused by these hazards.
Fireproof cabinets, safes and shredders should be considered as means to prevent the hazards above. The
appropriate placing of the cabinets and shredders must also be remembered, for if they are placed in the wrong
places they may be found too laborious to use.
In the example below, the security of the facilities and its improvement has a direct effect on the security of
data processing and on information security in general.
TABLE. An example of information security plan related to company facilities

Columns: Risk / Priority / Current precautions / Action / Timetable / Person in charge

Risk: An unauthorized person gets access to the office computer
Priority: Severe: the computer contains confidential information
Current precautions: Usually the door is locked, but the practices should be improved
Action: The office door is kept locked when the office is empty. An instruction is given to lock one's computer when leaving it, even for a while. A password is needed to unlock the locked computer.
Timetable: This practice is introduced immediately.
Person in charge: Office secretary (and all other employees on their own computers)

Risk: The production facilities are broken into
Priority: Severe: there are valuable machines and devices in the facilities
Current precautions: Well prepared
Action: No further actions needed, the alarm system is already in use.
Timetable: -
Person in charge: -



4.4 Data

            The actions ensuring free data access, processing and destruction are written
            down in the information security plan.

     - The data needed for various work tasks must be accessible to all employees who need it
     - Data storage responsibilities and means are agreed
     - Destruction of needless data and the responsibilities for it are agreed
     - Processing of confidential and secret data is separately agreed.


It is especially important to remember that:
     - Documents, plans or files containing important information are not left lying around on desks, copy
       machines or printers, or sent accidentally to wrong recipients.
     - Devices for destroying needless data are placed in appropriate places, where they are easy to use. For
       example a shredder is placed next to a copy machine.


Processing confidential or secret information should be agreed separately and in writing. The
following issues should be considered:
     - The information saved on documents or technological devices, as well as oral information, is defined as
       company property. This information can be used only in the separately agreed manner, in favor of the
       company. The principles are written as separate instructions.
     - This instruction also covers employees moving to other positions, resigned and dismissed
       employees and external partners such as subcontractors.
     - Separate written instructions are made for handling business secrets.
     - Key persons will have a separate written contract concerning competitive activity and inventions made
       during employment.
     - The instruction about handling confidential information is distributed to all employees. It is made sure
       that the employees follow the given instructions.
In the table below there is an example of preparing for the harm due to loss of important data. Backup
copying and data archiving are improved in order to keep the company image unharmed in case of any
hazard.
TABLE. An example of information security plan considering data security.

Columns: Risk / Priority / Current precautions / Action / Timetable / Person in charge

Risk: Product specifications are destroyed or have disappeared
Priority: Very severe: without the specification the correct product cannot be produced
Current precautions: In addition to usual carefulness, no precautions taken. Needs improvement.
Action: There are always at least two copies of each specification. If the specifications are on paper, they are immediately copied and placed in a folder in the office. If the specification is in electronic format, it is saved on the computer and printed out for production. The data on the computer is backed up weekly. Paper documents are held in the same place as the backup CDs.
Timetable: The practice is planned to be in use by the end of November.
Person in charge: Order receiver (office secretary)

Risk: New product designs are presented to potential customers, but the appropriate files are not found on the computer
Priority: Rather severe: does not convince the customer and the customer can be lost
Action: A logical directory structure is planned to make the files easier to find.
Timetable: The directory structure and the placement of paper documents will be planned at a common meeting in January.
Person in charge: Kalle Koponen (production manager, also does marketing)



4.5 Hardware and software
               The hardware and software connected to the internet can be protected by the three following
               instructions:
                 - Have a firewall to protect the company network from external hazards.
                 - Keep the computer operating systems up to date against security breaches.
                 - Use virus protection software and keep it up to date.

Essential for software security is:
           - to take care of security updates (for example for web browsers),
           - to use only software for which you have a license and
           - to take care of backing up the software and the data related to the software

All devices, software and communications should be protected physically, technically and/or
programmatically.
Servers and telecommunication devices can be placed in a separate locked space, where only authorized
persons have access. The telecommunications are technically protected with a firewall and appropriate virus
protection. The computers are protected programmatically with passwords every time the user leaves the
computer. The personnel are trained and instructed to follow the company security practices.
The information security risks related to hardware and software can be assessed for example with the
following questions:
           - Can security be essentially improved by having maintenance contracts with external service
             providers?
           - Is the expertise of service providers sufficiently exploited in technology acquisitions?
           - How big a benefit is gained by investing in more secure information technology?
           - What is the business risk if the information technology acquisition is not made?
           - Does legislation or other regulations require better technological security?


In the example below the hardware and software security is improved by software acquisitions and by
preparing for material harms. The significance of a maintenance contract should be considered as a means
to prevent any production interruptions.
TABLE. An example of information security plan related to hardware and software security

Columns: Risk / Priority / Current precautions / Action / Timetable / Person in charge

Risk: A virus gets access to a computer and starts to send e-mails to customers
Priority: Very severe: the company image suffers and getting unambiguous mails is inconvenient for the customers
Current precautions: Virus protection software came with the office computer, but it is no longer up to date. The computers in the production facilities have no virus protection, but there is no network connection either.
Action: Virus protection software is purchased for every computer. The executive director's and the office computer will have automatic updates; the other two computers that are not connected to the network are updated monthly. Files for these computers are separately scanned before opening them.
Timetable: Software and software providers are looked for during November. The acquisitions are made by 10.12. at the latest.
Person in charge: Executive Director

Risk: A computer gets totally broken (falls on the floor or catches fire)
Priority: Very severe: data are lost and material damage
Current precautions: Backup copies do not exist; insurance will cover some material damages
Action: In the data security part the needed actions for improving backup copying were described. The insurances and their coverage policies are checked.
Timetable: The insurances are checked during December.
Person in charge: Office Secretary




4.6 Implementing the plan
From plan to practical actions
To ensure that the information security plan will actually work in practice, it is important that
        - the company reserves enough resources for information security development
        - all employees are trained and instructed to understand their own responsibilities related to the
          practices defined in the information security plan
        - persons in charge of information security are nominated and contacted when security problems
          arise
        - the information security plan and related instructions are kept up to date.
When the needed actions are decided, the means of implementation, timetables and persons in charge are
agreed. The implementation progress is tracked regularly, for example every six months.
Not all improvement actions can be made immediately. The implementation should start with removing or
reducing the biggest risks that have been identified during the security assessment. Sometimes the
improvement actions need further investigation, more planning and more investment. However, at the
same time as dealing with the biggest risks, smaller improvements can be made to prepare for smaller
hazards. Often small improvements can be made with only little effort, for example by introducing new
practices and training the personnel.
A summary of the tables in this section.

4.7 Test your knowledge on information security plan
With this exercise you can check how well you remember the issues presented in this section. It is a multiple-
choice question and you will get the feedback immediately. You can do the exercise as many times as you
wish.
Start the exercise here (opens in a new window).



5 Practical actions
The last phase in improving the company information security is to implement the planned improvement
actions. The aim is to prevent the hazards which can cause harm to the company operations and to achieve
the information security level that is best for the particular company (see figure below). In this section some
practical instructions are given to implement typical information security improvements.

Figure: The same process figure as in section 4.1: Risk assessment (What can happen?) -> Risk preparation
(What can be done?) -> Information security practices (avoid the risks, implement the planned practices) ->
A new risk is identified (What to do? Either it needs risk assessment, or immediate action is taken). The
information security mapping completes the information security plan.


The starting point is that the company itself is responsible for developing its information security.
Consultants, experts and service providers can be used to facilitate the decision making. The aim is not to
destroy the company data but to secure it!
Do you know what you are doing? If not, don’t do it! If you do, are you sure that you know what you are
doing? If yes, then do it.

 NB! In this section various utility programs are presented to facilitate the practical actions. Before installing any
 software, read the copyright terms carefully. Some software is available free of charge for private use, but business
 use may require a license. Study the copyright terms and licenses before using the software.




        Situation in the example company: Practical improvement actions

        New virus protection software was purchased to replace the old one. The software was installed on all
        computers and the updating procedures were agreed. A copy of the company’s information security plan
        was given to the employees and all of them committed to following the instructions. The employees
        were guided to identify their own areas of responsibility from the plan. Necessary training was defined
        and organizing the training sessions was agreed.




5.1 Updating the operating system
In order to keep the computer secure, the operating system and other software must be updated. In the
course of time new security holes are found in software, which attackers can exploit. Security updates fix
these holes. Other updates commonly contain new features or fixes to known problems.
        To have the operating system updated automatically in Windows 2000 or Windows XP systems,
         select Control Panel and then double-click the Automatic Updates icon.
        The updates can be completely automatic, or semi-automatic, which means that the computer
         notifies you when new updates are available.
        In addition to automatic updates, and particularly in other Windows operating systems, a handy way
         of updating is to open Internet Explorer from the Start menu or from its icon, and to enter the
         address http://windowsupdate.microsoft.com/. From this page select the Express installation image.
The updates can be searched for and adjusted from the Control Panel. Open the Control Panel from the
Start menu and double-click the Automatic Updates icon.
See a video about searching for the updates with the Control Panel.
If you have a fixed line, it is recommended to have the updates downloaded automatically. The Windows
Update site allows fetching the updates at the most convenient time.




More information (in Finnish):
http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/kayttojarjestelma.html

5.2 Software updates
In principle all applications used on the computer must be updated. Especially important are the operating
system (see above), Internet browsers and e-mail applications. Virus protection and firewall are primary as
well. Office applications and other applications can also have security holes, bugs and vulnerabilities.
Most applications have their own feature for searching for and downloading updates. For example in the
MS Word text processing application this feature is in the Help menu.
Mozilla Firefox users can look for updates from the browser menu Tools > Options. Select Advanced from
the window that opens and then click the Check Now button.
NB: In order to update the browser successfully, activate the "Allow web sites to install…" selection in the
Web features view.
See a video about looking for updates for Firefox.
The Internet Explorer browser is updated automatically at the same time as the Windows operating system.




However, complete instructions cannot be given for all applications and their updating. The user has to find
the update functions in each program, and often the Help menu is a good place to start. Many applications
have menu selections such as Updates, Check for updates or similar. Sometimes the functionality is under a
different menu; in Microsoft AntiSpyware, for example, it is under the File menu.
Often the software provider has web sites where software updates are available. English web sites often
have links such as Support or Downloads, where the updates can be downloaded.
In many applications, for example in virus protection applications, the updates can be set to be automatic. If
the computer has a fixed line connection to the internet, the user does not have to worry about the updates.
Some programs notify the user whenever new updates are available, and they can be downloaded by clicking
the OK button.

5.3 Improving document management
This section describes some practical actions which facilitate the classification and organization of the
company data, so that the data is available to the employees. When classifying the data, paper documents,
electronic documents and documents in picture format must all be considered. The classification is done
according to the tasks and the information that is needed in each task. The employees’ authorization to
the particular data is also considered. This helps to separate business secrets, which are meant only for
executive managers. Even though not all company data is confidential, passing company data to external
persons must always benefit the company.
1. Requirement analysis (consider all the company data that is saved in different formats): Make a list of
document management needs and identified problems. This forms the basis and goals for document
management. A common goal is to make particular documents easier to find. Data is received from
customers and partners and is also forwarded to other parties, so their needs may also be worth
acknowledging (for example in naming the electronic folders and in grouping the files into folders).
2. Data classification (consider all the company data that is saved in different formats): Go through the
different company operations and the information that is needed and handled in each operation. Find out
where the information is saved, who handles the data and in what kind of work tasks. This helps you to
group the data according to the user groups who need the particular data. If there is a need to restrict
access to business secrets, it is easier to handle when the data is grouped according to work tasks. For
example, papers for sales personnel are grouped by customer in their folders and the respective electronic
data is organized in similar electronic customer folders. Business secrets can be classified for example
according to the following grouping (source: Käytännön tietoturvallisuusopas PK-yrityksille, see the
reference below):
   strategic data,
   operational, financial and commercial data,
   data related to research and development and to products,
   data related to production methods and to machines and devices,
   and financial administration data.


In the following example the data of an imaginary company ”IronSteel Oy” is organized according to its
operations:
+ Operation planning (for example only for executive director and for the board of directors)
+ Marketing
                + Brochures
                + Covering notes
+ Sales
                + Invitations for tenders
                + Tenders
                + Orders
                + Customer projects
                                + Project documentation of One Ltd.
                                + Project documentation of Two Ltd.
+ Production
                + Working schedules
                + Production reports
+ Financial administration
                + Calculation of salaries
                + Book keeping
Financial administration and other data can be in several formats, for example as paper documents,
electronic files or records in software databases. This should be remembered when planning data backups
and archiving.
3. Naming the files (this applies to electronic files such as text files, spreadsheets, digital pictures, etc.):
In addition to a good folder structure, naming conventions also make it easier to find the appropriate files
when they are needed. A well planned naming policy helps to differentiate the files from each other, and
enables searching for them with the computer’s search function. A naming convention is also useful for
different file versions, see the following example.
[the identifiers in the file name are: companyname | documenttype | versionnumber.doc]
One_ProjectPlan_v01.doc (version 0.1: e.g. the first version made by a salesperson)
One_ProjectPlan_v02.doc (version 0.2: e.g. small changes by the salesperson)
One_ProjectPlan_v10.doc (version 1.0: e.g. a version accepted by the sales manager)


[the identifiers in the file name are: companyname | businessoperation/specifier | documenttype | date.doc]
IronSteel_Board_minute_20061128.doc
The following picture presents Windows Explorer and a folder structure which has been constructed
according to the above instructions. The picture also shows an example of a naming convention (in this case
for project plans).
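As an added example that is not part of the course material, the following Python checker implements the two naming conventions shown above: it parses the company, document type and version or date out of a file name, lists the files in a folder listing that break the convention, and finds the newest version of each document. The file names in SAMPLE_LISTING are constructed for the illustration.

```python
import re
from datetime import datetime

# Convention 1 from the course text: companyname_documenttype_vNN.ext,
# where NN encodes version N.N (v01 -> 0.1, v10 -> 1.0).
VERSIONED = re.compile(
    r"^(?P<company>[A-Za-z0-9]+)_(?P<doctype>[A-Za-z0-9]+)"
    r"_v(?P<major>\d)(?P<minor>\d)\.(?P<ext>[A-Za-z0-9]+)$"
)
# Convention 2 from the course text: companyname_operation_documenttype_YYYYMMDD.ext
DATED = re.compile(
    r"^(?P<company>[A-Za-z0-9]+)_(?P<operation>[A-Za-z0-9]+)_(?P<doctype>[A-Za-z0-9]+)"
    r"_(?P<date>\d{8})\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_document_name(name):
    """Describe a file name that follows one of the conventions; None if it follows neither."""
    m = VERSIONED.match(name)
    if m:
        return {
            "scheme": "versioned",
            "company": m["company"],
            "doctype": m["doctype"],
            "version": (int(m["major"]), int(m["minor"])),
            "ext": m["ext"].lower(),
        }
    m = DATED.match(name)
    if m:
        try:
            day = datetime.strptime(m["date"], "%Y%m%d").date()
        except ValueError:  # eight digits but not a calendar date, e.g. 20061399
            return None
        return {
            "scheme": "dated",
            "company": m["company"],
            "operation": m["operation"],
            "doctype": m["doctype"],
            "date": day.isoformat(),
            "ext": m["ext"].lower(),
        }
    return None


def find_violations(names):
    """Names in a folder listing that follow neither convention, in listing order."""
    return [n for n in names if parse_document_name(n) is None]


def latest_versions(names):
    """For each (company, doctype) pair, the file name carrying the highest version number."""
    best = {}
    for n in names:
        info = parse_document_name(n)
        if info and info["scheme"] == "versioned":
            key = (info["company"], info["doctype"])
            if key not in best or info["version"] > best[key][0]:
                best[key] = (info["version"], n)
    return {key: name for key, (_, name) in best.items()}


# Constructed listing of a "Customer projects" folder (not from the course material).
SAMPLE_LISTING = [
    "One_ProjectPlan_v01.doc",
    "One_ProjectPlan_v02.doc",
    "One_ProjectPlan_v10.doc",
    "Two_ProjectPlan_v01.doc",
    "IronSteel_Board_minute_20061128.doc",
    "IronSteel_Board_minute_20061399.doc",  # impossible date: month 13
    "projectplan final NEW.doc",            # no company, no version, spaces
]

if __name__ == "__main__":
    for n in find_violations(SAMPLE_LISTING):
        print("does not follow the naming convention:", n)
    for (company, doctype), n in latest_versions(SAMPLE_LISTING).items():
        print(f"latest {doctype} for {company}: {n}")
```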




4. Data storage and backup copying (this applies to electronic files such as texts, spreadsheets, digital
pictures etc.): A recommended document management principle is to keep the data in one place and to
take care of its storage and backup. Often there is a need to make copies of both paper documents and
electronic files, but electronic files in particular are easy to lose among the computer folders and to mix up
with their different versions.
Considering the saving and storage of electronic files, the most practical arrangement is to have the company
documents on one computer or server. This prevents needless copies and facilitates making backups. If there
are several computers in the company and some employees need to use common documents, it is
recommended to build a computer network inside the company. The network can be either a peer-to-peer
network or the data can be saved on a server. A server facilitates backup copying, since all data is in only
one place. The backups can be made using external memory, a tape backup station or by writing CD or DVD
disks.
5. Instructions, guidance and introduction: Collect the central document management practices into a short
guideline, which the users can keep as a memory aid. This kind of guideline is also useful when
familiarizing new employees with their work tasks and work environment. For example, if a new folder
structure is planned, it should be briefed to the employees. A short and concise guideline about document
management will help in holding these briefings. Afterwards the employees can start to use the new structure
by moving their files from the old structure to the new one.
The document management guideline can include for example the following items:
     A guideline for an individual employee:
         No matter how much of a hurry you are in, always follow the agreed practices
         Save the documents correctly (paper documents in their folders, electronic files in their specific
          folders)
         Give electronic documents and files individual and descriptive names. Use a version number
          or another method to differentiate between old and new versions, particularly if there is a need to
          use the old versions later on.
         Contact information of the person in charge of document management
            In which situations the person in charge should be contacted (for example problems, ideas, etc.)


   A guideline for the person in charge of document management:
           No matter how much of a hurry you are in, always follow the agreed practices
           Make backup copies
           Maintain the archiving practices
           Contact information of the persons in charge of company business operations (e.g. sales,
            production, financial administration)


6. Maintenance and development: The technical maintenance of document management includes regularly
checking, and taking care of, the functionality and storage capacity of the system.


See a video about document management.


REFERENCES:
Ovatko yrityksesi tietoriskit hallinnassa? Käytännön tietoturvallisuusopas PK-yrityksille. Uudistettu laitos.
Teollisuus ja Työnantajat. http://www.ek.fi/ytnk/pdf/tietoturva.pdf, p. 21.

5.4 Back up copies
All storage media can break, which means that accessing the files becomes extremely difficult or even
impossible. Thus, important files should be backed up regularly. In practice, regularly means that the
intervals at which the data changes are identified, and that the period during which a large amount of
changes is made, which cannot be lost, is known. Important files, in turn, require that the important files are
identified first. Not all important data is necessarily saved on computers; it can also be in paper format. If vital
information exists only on paper, a scanner can be recommended, which enables the data to be scanned
into digital format and thus to be backed up with the methods presented later in this section.

Depending on the information on the papers, a regular copy can also be an adequate backup for a paper
document. This copy is then kept in a safe place, as electronic backups are, and preferably in a different
place from the originals. In this case the requirements for paper archiving must be checked, and it must be
ensured that the ink will stay readable for the required time. Most important is to find appropriate and
secure means to fulfill the particular company’s needs.
The locations of important electronic data must first be known before it can be backed up. The locations
of data saved by different programs must be determined. To facilitate the backup it is recommended to have
a disk partition or a specific folder where the data to be backed up is saved. Often important data is
accidentally saved only on the Windows desktop, where it is easily forgotten when backing up.
There are many backup methods, and a good method is selected based on the amount of data to be
backed up, the requirements for storing the copies, the Internet connection speed and other resources. It is
recommended to think over how many backups are necessary and what the appropriate price for backing
up is.
Different disks and tapes can be used to store the backed-up data. This allows several backup versions to be
kept, in case one version breaks, and allows the tapes and disks to be recycled. The newest backups
usually overwrite the oldest ones. This naturally requires that the media is re-writable. If, for example, the
disks used are not re-writable, all the backup versions can be kept. Even though re-writable disks are
more expensive and often require a more expensive drive, the disks themselves do not need to be bought
anew all the time. In addition to disks and tapes, the backup copies can be saved on a separate external
hard disk or even on a USB memory stick. Depending on the amount of data, only one backup copy at a
time can be enough. If there is enough capacity, the external hard disk can be divided into folders which are
named according to the backup date. It is also possible to buy the whole backup copying as a service,
which leaves the media management and backup operations to the service provider.
The following table gives a few examples of how to do regular backup copying. The table is based on
the course “Basic computer skills”.

 Backup medium | Capacity | Requirements | +/-
 CD-R / CD-RW disk | 650-700 MB | Writable CD drive (quite cheap nowadays) | Cheap (1 € apiece), not the most reliable, rather small capacity
 DVD disk | 4.7 GB | Writable DVD drive (more expensive than a writable CD drive) | Big capacity, rather reliable. DVD disks are quite cheap (from 1 €). Can be the cheapest medium compared to its capacity. Re-writable DVD-RW disks are more expensive (~4 €).
 External hard disk | ~20-80 GB | USB 2.0 connection | Handy for large amounts of data, since the transfer speed is high. The price is about 100-200 €. The biggest capacities are suitable for several versions of backup copies.
 Tape drive | 20/40 GB | SCSI connection | Tape price ~11 €, drives from 400 € up. Handy for large amounts of data.
 Disk (floppy) | 1.44 MB | Disk drive | Very unreliable, but better than no backup copies at all. Cannot be recommended.
 Memory stick | Up to 5 GB | USB connection | Prices from a few euros up. A 1 GB memory stick costs about 30 euros, and the prices are coming down all the time.
 Service provider makes the backup copies to their server, over a network | No limits (the price depends on the capacity needed) | Fast and fixed line | Service purchase requires some preliminary work. For example 1 GB in the mmd.net service costs 10 €/month. If the amount of backup data is vast, the internet connection must be very fast. For an entrepreneur this kind of outsourced service is easy, since no technical knowledge is required, and this solution also provides security in case of fire or other disaster in the company facilities.

NB! The requirements and the prices are only indicative.
Making the backup copies on a CD can be a good choice for a small enterprise. A writable DVD drive can
increase the backup capacity remarkably. Outsourcing the service can also be considered if the company has
a fast fixed line Internet connection. Prices of external hard disks are moderate considering their capacity;
for example an 80 GB hard disk costs about a hundred euros. The backup copying can be made automatic with
appropriate software. For example the SyncBack software is also available completely free of charge. In the
following example the backup operation is set to be done every Wednesday to a USB memory stick. In this case
you must naturally remember to have the memory stick connected to the computer at that time.
See a video about configuring backup settings with the SyncBack software.
If there is a writable CD drive in the computer, software for writing CDs is usually delivered with it.
With this kind of software it is easy to make backup copies of small amounts (< 700 MB) of data. Many
CD-writing programs are used in a similar way: first you choose the CD type as Data CD, and then drag and
drop the selected files into the window representing the CD. In the following figure and in the video we have
used the NTI CD&DVD-Maker software, but as said, many CD-writing programs are used in a very similar way.




See a video of how to make a back up CD.

 It is not enough to believe that the data is saved on the backup copies; the backups need to be tested
 every now and then. This is to ensure that the data is saved correctly to the backup media and that it
 can be restored if needed.
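As an added example that is not part of the course material, the following Python script implements the backup practice described in this section: each backup goes into a folder on the external medium named by its date, the oldest dated folders are recycled, and a restore test recomputes a SHA-256 hash of every copied file against a manifest written at backup time. The folder tree, file names and dates in demo() are constructed for the illustration and are not from the course.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import date
from pathlib import Path

MANIFEST = "MANIFEST.json"  # written next to the copied data at backup time


def sha256_of(path):
    """Hash a file in chunks so that large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_tree(source, backup_root, day=None):
    """Copy `source` into <backup_root>/<YYYY-MM-DD>/data and record a hash of every file.

    Running twice on the same day replaces that day's copy; other days are kept
    until prune_backups() recycles them.
    """
    day = day or date.today()
    dest = Path(backup_root) / day.isoformat()
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(source, dest / "data")
    manifest = {}
    for path in sorted((dest / "data").rglob("*")):
        if path.is_file():
            manifest[path.relative_to(dest / "data").as_posix()] = sha256_of(path)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return dest


def verify_backup(backup_dir):
    """Restore test: recompute each file's hash; return the names that are missing or changed."""
    backup_dir = Path(backup_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    problems = []
    for rel, expected in manifest.items():
        path = backup_dir / "data" / rel
        if not path.is_file() or sha256_of(path) != expected:
            problems.append(rel)
    return problems


def prune_backups(backup_root, keep):
    """Recycle the medium: delete all but the `keep` newest dated backup folders."""
    dated = sorted(p for p in Path(backup_root).iterdir() if p.is_dir())
    to_remove = dated[:-keep] if keep > 0 else dated
    for old in to_remove:
        shutil.rmtree(old)
    return [p.name for p in to_remove]


def demo():
    """Constructed run in a temporary directory: two weekly backups, a restore test,
    a simulated damaged copy, and recycling of the older backup."""
    with tempfile.TemporaryDirectory() as tmp:
        # constructed company folder, following the IronSteel structure from 5.3
        src = Path(tmp) / "IronSteel"
        (src / "Sales" / "Tenders").mkdir(parents=True)
        (src / "Sales" / "Tenders" / "One_Tender_v10.doc").write_text("tender text")
        (src / "Financial administration").mkdir()
        (src / "Financial administration" / "IronSteel_Salaries_20061130.xls").write_text("salary sheet")
        stick = Path(tmp) / "usb_stick"  # stands in for the external medium

        backup_tree(src, stick, date(2006, 11, 22))
        second = backup_tree(src, stick, date(2006, 11, 29))
        ok_before = verify_backup(second)  # expected: no problems

        # simulate a damaged medium: one copied file has lost its contents
        (second / "data" / "Sales" / "Tenders" / "One_Tender_v10.doc").write_text("")
        damaged = verify_backup(second)  # expected: that one file reported

        removed = prune_backups(stick, keep=1)  # expected: the 2006-11-22 folder
        return {
            "ok_before": ok_before,
            "damaged": damaged,
            "removed": removed,
            "remaining": sorted(p.name for p in stick.iterdir()),
        }


if __name__ == "__main__":
    print(demo())
```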



More information:
The SyncBack software makes it possible to schedule the backup, for example to a network drive.
http://www.2brightsparks.com/syncback/
Information on various mass memories (in Finnish):
http://appro.mit.jyu.fi/doc/tietokone/index5.html



5.5 Virus protection
Viruses are best avoided by the user him/herself. Do not download software from unfamiliar web sites and do
not install any software if you do not know what it is. Further, do not save any strange attachments coming
via e-mail, and do not even open an e-mail attachment if you are not absolutely sure about its contents. If a
virus nevertheless gets into your computer despite all precautions, it cannot stay unnoticed for very long,
provided that you have virus protection software properly installed and updated.
Virus protection software or service is the best way to protect the computer from viruses and worms. The
software and services are available for example from internet operators, computer stores or on the internet.
If you download virus protection software from the internet, use only known and reliable web sites and
service providers. To find the right services use an internet search, for example Google, with the name of
the software as the search word. Doing this lets you see what other users think about the particular
software, and helps to judge whether the software or service is reliable or not. When you have found,
downloaded and installed the software, take a few moments to study its features. Typical virus protection
software includes the following functions:
           Scan all files (Full Scan)
           Scan a specific folder
           Real-time protection on/off (scan the files when they are copied or used)
           Automatic updates on/off
           Search for updates
           Have the scanning done at a specific time (Scheduled Tasks)


It is recommended to have the automatic updates and the real-time protection turned on, and to have the full
scan done for example every night or otherwise regularly. This enables the software to keep its virus
database up to date, and thus to prevent possible virus attacks effectively.
The picture below shows a window of the McAfee virus protection software while it is doing real-time
scanning.




See a video of using McAfee VirusScan:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/virus.wmv


More information (in Finnish):
http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/virustorjuntaohjelmisto.html

5.6 Protection against malicious programs
Malicious programs are for example spyware or adware, which try to use the computer for their own
purposes without the actual user even noticing it. Malicious programs differ from viruses and worms in that
they do not spread by themselves; instead they get into the computer hidden inside some other program, or
through browser security holes while the user visits dubious web sites. For example the peer-to-peer
application KaZaa, which was popular some time ago, let several small malicious programs into the user’s
computer.
Malicious programs aim at gaining financial advantage by using the attacked computer. Typically the
programs show advertisements as pop-up windows, direct http requests to advertisement sites, track the
sites the user visits and sometimes even steal user data, for example credit card numbers.
If there is a malicious program in the computer, the computer can for example slow down and weird pop-up
windows can appear on the screen. However, it is not always possible to notice that there is a malicious
program in the computer. The easiest way to avoid these programs is to have at least two different programs
installed that can identify possible malicious programs, since one program cannot recognize all spyware
and adware. Using these programs is similar to using virus protection software. Their databases must be
updated regularly so that they can recognize even the newest malicious software. The picture below shows
Microsoft AntiSpyware. Used together with for example LavaSoft Ad-Aware, it can keep the computer
clean.
See videos here:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/MS_Anti.wmv
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/lava_ad.wmv

5.7 Firewalls
Firewalls are used to protect the computer from network hazards. For example hackers may try to access a
computer that is connected to the internet. If they do get access, they can steal files, passwords, e-mails
and other important information from the user. The firewall blocks unauthorized connections and in the best
case even prevents the computer from being seen by other users in the network. There are firewall software
and firewall devices; here we concentrate on firewall software.
Installing a firewall
This example is based on the Zone Alarm (http://www.zonelabs.com/store/content/home.jsp) firewall. Installing a
firewall is a similar procedure to any software installation. After copying the application files, the software
asks for some background information (e.g. connection type). The firewall can be configured to permit all
outgoing internet connections, or it can be set to ask permission from the user every time a program tries
to connect to the internet. In the following picture a ZoneAlarm update has just been installed. In the
upper right corner (Programs section, on orange background) the icons of the applications that are allowed
to connect to the internet are visible.
The text ”Inbound Protection” in the picture means blocking connection requests coming from the
network and ”Outbound Protection” means blocking connections from the computer to the network.
When the software has been installed, its icon appears in the right corner of the taskbar (next to the clock),
where the icons of the other applications running in the background are visible as well. Firewall
updates are available every now and then, and it is recommended to install the updates immediately. The
firewall functionality can be checked at the following address:
https://www.grc.com/x/ne.dll?bh0bkyd2
(Selections: first click Proceed, then click the All Service Ports button.)
Configuring the firewall
In ZoneAlarm the protection is divided into two different levels: Internet (the whole network) and Trusted
(known addresses). The user can assign different addresses to the Trusted level, and thus give these
addresses less restricted access to the computer. Both levels can be configured separately.
The restrictions can further be divided into two types: incoming (Inbound) and outgoing (Outbound).
Inbound restrictions have three levels:
             High: The computer operates in hidden (stealth) mode, which means that the computer cannot
              be seen from the network.
             Medium: The computer is visible in the network, but its resources are protected.
             Low: The firewall is not in use.
Outbound restrictions concern the different applications and their access to the network. In the picture below
the settings for the outbound restrictions are presented. Access means that the application is allowed to
connect to the internet and Server means that the application can function as a server in the network. These
settings can be made separately for the Internet and Trusted levels. The alternatives are:
    ? = Ask the user when the application tries this action
    X = Do not allow the application to do this
    √ = Allow this action for the application
See a ZoneAlarm video here:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/zonealmr.wmv
NB! Windows XP has its own firewall. Take care that you use only one firewall software at a time, because
different firewalls can interfere with each other’s functionality.
The Windows XP firewall is configured in the Control Panel. See a video of how to turn on the Windows XP
firewall:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/xppalomuuri.wmv

 If you are using wireless network, remember to protect it from the unauthorized users. Ask more
 information from your service provider.


More information (in Finnish):
http://www.tietoturvaopas.fi/kolme_askelta_tietoturvaan/palomuuri.html

5.8 Encrypting telecommunications
Encryption is used to conceal important information. Encryption falls into two classes: encrypting
telecommunications and encrypting files. This section concentrates on telecommunications encryption;
file encryption is introduced in the following section.
Telecommunications encryption begins with personal actions. When doing business on the internet it is
essential to use common sense and not to give any personal data to any services other than those that
you definitely trust and whose reliability you know. 99,99% of all “You have won…” adverts are hoaxes.
In general there are two kinds of www sites: unprotected, whose address starts with http://, and
protected, whose address starts with https:// (HyperText Transfer Protocol Secure). Services where you
register or give any other personal data should always use the https:// protocol to secure your data. Do not
give your information on any site that uses the unprotected http:// protocol, because a hacker can easily
steal your information from this kind of service. In the picture below there is an e-mail service that is
protected with the https:// protocol, which can be seen from the browser’s address bar.
Many browsers have a feature that can remember the user names and passwords for different sites, to
facilitate logging in. Generally, saving passwords or user names cannot be recommended, because if they
are saved,
           anyone who uses your computer can access the service with your password, and
           user names and passwords are too easy to find in the browser’s files (try for example a Google
            search with the search words ”[browser] passwords”).
Remember to clear the browser’s cache every time you finish your business with a service that needs a
login, for example internet banking. Closing the browser is also recommended, even after clearing the
cache. This is particularly important when using a shared computer that has other users as well.



5.9 Encrypting files
Encrypting files begins with the user's own actions:
- When leaving the computer, even for a short time, protect it by locking it: press the key
  combination Ctrl+Alt+Del and then select Lock Computer. A shortcut is the Windows key + L. The
  Windows key is usually between the Ctrl and Alt keys, or next to the spacebar. (This applies only to
  Windows operating systems.)
- Do not keep your passwords on paper, at least not near the computer. Use passwords that are not
  easy to guess.
- Take care that your data media, for example CDs or DVDs, do not fall into the wrong hands.


Extremely important and confidential information can be encrypted to protect it against crackers and
burglars. Laptops in particular are more vulnerable than desktops in locked facilities, because a laptop can
be stolen from a car, at an airport, etc. For the same reasons, confidential data carried around on CDs should
also be encrypted.
Encryption can be done in several different ways; the easiest is to use an application made for it. For
example Cypherix (http://www.cypherix.com/cryptainerle/) provides a free application for volumes up to
25 Mb. This application is easy to use: first choose the folder where the data is located and then open the
folder with the application. Add or remove files in the folder. Take care to close the folder with the
File / Unload cryptainer volume selection when you are done.
See a video of how to open the Cryptainer, handle the files and close the Cryptainer:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/crypt.wmv
Kingston provides an easy way to protect the contents of a USB memory stick with a password. The Kingston
DataTraveler series includes memory sticks with built-in 128-bit AES encryption (Advanced Encryption
Standard).
Another handy way is to use the encryption feature included in archiving software (WinZip, WinRAR, WinAce,
etc.). This example is based on the encryption feature of the WinZip application. When creating the archive,
click the Password button and type your password. Click OK to close the window and then click the Add
button to add the files to the protected archive.




See a video of how to create a password protected package:
http://www.titu.jyu.fi/oili/vierikoulutus1/videot/winzip.wmv

5.10 Training and instructions
In order to make information security a natural part of daily business, the employees should be
familiarized with the new practices and the related guidelines.
Training, instructions and guidelines may be needed for example on the following items:
- responsible computer use at work and in other environments
- care with user names and passwords
- using the internet and e-mail
- remote access to the computer and distance work
- secure use and storage of data, documents and information technology devices
- privacy protection when handling sensitive personal data
- what to do in problem situations
- other features specific to the company
Often it is not enough just to make a plan or instructions; the employees may need more regular guidance
and training. The training should last long enough to ensure that the contents are mastered. Well-done
planning and good instructions can decrease the amount of training needed.

5.11 Purchases
When purchasing new information technology, the following questions should be considered:
- What are the information security properties of the particular product?
- Is the new product compatible with the current systems?
- How much benefit is gained by investing in more secure information technology?
- Does legislation or other regulation require better information security than the currently used
  information technology provides?

The product can have some advantageous information security properties, but if it is not compatible
with the current system, it may not be usable, or extra costs may be caused when the property is taken
into use. To avoid this kind of situation, it is recommended to consider the following:
- Is the expertise of suppliers and service providers exploited enough when making information
  technology acquisitions?
- Can the company's information security be essentially improved by making maintenance contracts
  with service providers?

Some information security procedures can be outsourced, particularly if the company does not have, or is
not willing to invest in, the resources to handle the technologies itself. When considering outsourcing,
the company's needs and requirements should be defined as accurately as possible, for example to ensure
compatibility with new and old systems and software. The following questions can help to formulate the
service requirements when making invitations for tenders:
- How reliable is the product?
- What kind of licensing policy does the product have?
- What kind of guarantee does the product have?
- How is maintenance provided for the whole life cycle of the product?
- What is included in the contract? (For example a maintenance service can include repairing the
  product within the next 72 hours, a help desk, etc.)
- What are the expertise and reliability of the service provider as a long-term partner? (references,
  experience, company continuity)

In information technology acquisitions, as in other acquisitions, the purchase price is not the most
important aspect; the costs over the whole product life cycle are. This includes the costs of acquisition,
introduction, use and replacing the old product with a new one. Extra costs can be caused for example by:
- the product being inappropriate for its intended use
- unreliability and the breaks it causes
- neglected product development and lack of updates
- lack of expertise on the part of the customer, supplier or service provider
- inefficient use of and general dissatisfaction with the product, which can be due to inadequate
  training and instructions

5.12 Protecting www-sites
Company web pages are an electronic business card and an important part of creating the company image.
Thus, it is essential to protect the websites and prevent any unauthorized changes.
Web pages on an outsourced server
If the company web pages are hosted by a service provider, it is important to consider the following aspects:
- Use only reliable web hosts
- Keep the passwords safe
- Change the password at regular intervals

A general operating model is to make the pages on a personal workstation and only after that transfer the
contents to the server. The transfer and the server should use SSH protection (Secure Shell), which is much
more secure than the usual FTP protocol. For example SSH Secure Shell (www.ssh.com), PenguiNet
(http://www.siliconcircus.com/penguinet/) and WS_FTP Professional
(http://www.wsftp.com/products/ws_ftp/index.asp) all use SSH protection.




Picture: SSH Secure File Transfer connection.
Web pages on a company server
If the company has its own server where the web pages are kept, consider the following aspects:
- Remove all network applications from the server except the http/https services (ports 80/443).
  Configure the firewall to block all other ports (more information about ports:
  http://www.webopedia.com/quick_ref/portnumbers.asp).
- In addition to the regular access control, use passwords and identification to ensure that only
  authorized persons can change the homepage contents.
- Follow the system logs to notice any possible problems. The monitoring logs must be stored encrypted,
  either on the web server or on a separate workstation on the company intranet.
- Establish an action plan and ensure that it is available in the case of hacker attacks. The plan should
  be part of the company information security plan.
- Do not accept remote administration without one-time passwords or encrypted connections. If remote
  administration is necessary, ensure that a protected connection (e.g. SSH) is used. Ensure that the
  remote administration contract includes detailed definitions and rules about information security.
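The first item above, only ports 80 and 443 listening, is something that should be checked rather than assumed. The script below is an added example, not part of the course material; it assumes a Linux host whose listening sockets are listed in the format of `ss -tlnp`, and the sample lines, process names and PIDs are constructed, not captured from a real server. It reports every listening port outside the allow-list together with the process behind it, so the administrator can remove the service or block the port in the firewall.

```python
"""Check a list of listening TCP sockets against an allow-list of ports.

Added example: a public web server should expose only http/https (80/443);
every other listening socket is a service to remove or to firewall.
The input below is a constructed sample in the shape of `ss -tlnp` output.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("nginx",pid=812,fd=7))
LISTEN  0       128     0.0.0.0:21          0.0.0.0:*          users:(("vsftpd",pid=640,fd=3))
LISTEN  0       128     127.0.0.1:3306      0.0.0.0:*          users:(("mysqld",pid=702,fd=20))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=455,fd=4))
"""

# Ports the course material allows on a public web server.
ALLOWED_PORTS = {80, 443}

# Local address column: "0.0.0.0:80", "127.0.0.1:3306" or "[::]:22".
_ADDR_RE = re.compile(r"^(?P<addr>\[.*\]|[^:]+):(?P<port>\d+)$")
# Process column: users:(("nginx",pid=812,fd=6))
_PROC_RE = re.compile(r'\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+)')


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (local_address, port, process_name) for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if not fields or fields[0] != "LISTEN":
            continue  # header line or a socket in another state
        m = _ADDR_RE.match(fields[3])
        if not m:
            continue
        proc = _PROC_RE.search(line)
        name = proc.group("name") if proc else "?"
        listeners.append((m.group("addr"), int(m.group("port")), name))
    return listeners


def unexpected_listeners(ss_output: str, allowed=ALLOWED_PORTS) -> Dict[int, str]:
    """Map each listening port outside the allow-list to its process name.

    Loopback-only sockets are reported too: the course material says to remove
    every network application other than http/https, and a service bound to
    127.0.0.1 today is one configuration change away from being exposed.
    """
    return {port: name for _addr, port, name in parse_listeners(ss_output)
            if port not in allowed}


if __name__ == "__main__":
    for port, name in sorted(unexpected_listeners(SAMPLE_SS_OUTPUT).items()):
        print(f"port {port} ({name}) is not http/https: "
              "remove the service or block the port in the firewall")
```

Port 22 is reported as well; whether it stays depends on the remote administration decision in the last item above (an SSH connection is acceptable there, but only if remote administration is actually needed).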


 Do not keep any confidential data on a web server that anyone can access.
 Visit your homepages regularly and check their contents; for example set the web page as the start page
 of the browser.



5.13 Mobile devices
In addition to computers, various mobile devices can also contain important information. Thus the
information security of these devices must also be considered. Mobile devices are for example:

- Mobile phones
- PDA devices (Personal Digital Assistant), handheld "pocket computers". They usually work with a
  separate pen and a touch screen. E-mail and an electronic calendar are typical applications.
- Communicators are intermediate forms between mobile phones and PDAs. They have a keyboard or a
  touch screen. In addition to voice calls, e-mail, internet browsing, data transfer, WAP and other
  applications are included.
- Handheld PCs are intermediate forms between PDAs and laptops. They have a keyboard and generally
  more applications than PDAs.

Considering mobile devices, it is important to note that GSM encryption is a network property, not a phone
property. Nearly all operators use this encryption, but when travelling abroad it is recommended to ask the
local phone operator about encryption. If you use an answering service, remember to set your personal
password to protect your messages. Never lend your phone to strangers, because the borrower may listen to
the messages in your answering service. When you communicate confidential information over the phone,
ensure that your communication partner also acknowledges this. Say that you are using a mobile phone and
check that there are no people within listening range.
Software can be downloaded to several mobile devices in the same way as to computers. Thus, similar
security requirements must be considered. Virus protection software must be kept updated, and if the device
is used in an external network, it must be protected with a firewall. Remote connections must be protected.
Mobile devices and laptops are exposed to theft and loss. Thus, the data on mobile devices and laptops must
be protected. When working in a public space, lock the computer or log out before you leave it, even for a
minute.
Handheld computers and PDAs can be protected with a password that is asked every time the device is
turned on. This kind of password is not very effective, however, because PDAs do not have a hard disk; all
data is saved in the device memory. Specific software is available for protecting the data, and it is
recommended. The software enables protecting the data in a similar way as on desktop workstations, so that
theft or loss of the device does not cause an information security hazard.
Many mobile devices include a cable or infrared connection, which enables making backup copies of the
data. The data in the mobile device is copied to a computer and moved to a separate backup medium if
necessary. Mobile devices differ, so detailed instructions vary as well. Ask the reseller or check the
manufacturer's website for more information.
More information:
Microsoft: Information security in the mobile world – new challenges
http://www.microsoft.com/uk/security/default.mspx



5.14 Accounting software

BACKUPS AND ARCHIVING
Accounting software must be backed up according to the Finnish bookkeeping committee regulations
(22.5.2000):
- to ensure the data is preserved if the hardware breaks down (for example if the hard disk breaks down)
- if you wish to move the bookkeeping to another computer
- to enable you to return to a previous state, for example to the moment before closing the accounts or
  before an error happened

In addition to the hard disk, the backup is made:
- to a CD-ROM disk or memory stick, or
- to another data medium, for example to a server folder

The backup should be made as often as possible:
- for example after every bookkeeping session
- after entering a large amount of data
- always before closing the accounts or before closing the accounting period
- before deleting any data, for example when deleting an old accounting period

An example of making a backup copy in the Econet application
- Select File / Back Up from the menu or press the toolbar button
- Define the time when you wish the software to remind you about the backup
- Select One disk when the backup is copied to the hard disk and when the backup is saved on one
  single medium (for example on one single tape)
- Select Multiple disks when the backup is copied to several disks or when the amount of backup data
  needs several disks
- The application will divide the data between the different media automatically
Backups taken in different phases should be given descriptive names, to enable going back to a
particular state later on. Do not change the file extension after the dot.
- In the bookkeeping application choose the company whose data you wish to back up.
- Select Back up from the menu
- Type or browse the correct folder path where you wish to save the backup
- Type the file name (note the file extension)
- The software will save all data related to that particular company, for example name, accounting period,
  account scheme and book entries

Restoring the backup
- Select the appropriate company in the bookkeeping application, or establish a new company
- Select Restoring the back up / Introduction from the menu
- Browse to the backup file on the appropriate medium
- The application will restore the backed-up data

    NB! This means that the backup data overwrites the current company data, and data entered after making
    the backup copy is lost. Ensure that this is OK!
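Two of the points above, descriptive backup names that keep the file extension, and the restore step that overwrites data entered after the backup, are easy to support with a small script. The following is an added example and is not part of the Econet application or the course material: it names a backup after the original file, a label and a timestamp while keeping the extension, verifies the copy with a SHA-256 hash, and refuses to restore over a live file that is newer than the backup unless the overwrite is confirmed. The file names and contents used in the demonstration are constructed.

```python
"""Descriptive backup names, copy verification and a restore safety check.

Added example; it is not part of the Econet application or the course
material. It works on plain files in a temporary directory, so it runs
anywhere. File names and contents are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path
from typing import Optional


def backup_name(source: Path, label: str, when: datetime) -> str:
    """Descriptive name: original stem + label + date, with the extension kept.

    The extension after the dot is preserved so the application still
    recognises the file (the course material says not to change it).
    """
    safe_label = "".join(c if c.isalnum() else "_" for c in label).strip("_")
    return f"{source.stem}_{safe_label}_{when:%Y%m%d_%H%M}{source.suffix}"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, backup_dir: Path, label: str,
                when: Optional[datetime] = None) -> Path:
    """Copy source into backup_dir under a descriptive name and verify the copy."""
    when = when or datetime.now()
    backup_dir.mkdir(parents=True, exist_ok=True)
    target = backup_dir / backup_name(source, label, when)
    shutil.copy2(source, target)  # copy2 also keeps the modification time
    if sha256_of(target) != sha256_of(source):
        target.unlink()  # never keep a backup that did not verify
        raise IOError(f"backup of {source} to {target} did not verify")
    return target


def restore_backup(backup: Path, live: Path, confirm_overwrite: bool = False) -> None:
    """Restore a backup over the live file.

    Restoring replaces the live data, so anything entered after the backup
    was taken is lost. If the live file is newer than the backup, refuse
    unless the caller explicitly confirms (the "Ensure that this is OK!"
    step of the course material).
    """
    if (live.exists() and live.stat().st_mtime > backup.stat().st_mtime
            and not confirm_overwrite):
        raise RuntimeError(f"{live.name} is newer than {backup.name}; "
                           "data entered since the backup would be lost")
    shutil.copy2(backup, live)


def demo() -> dict:
    """Run the whole flow in a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        live = work / "company.ecb"  # constructed file name and extension
        live.write_bytes(b"ledger entries, period 2024\n")
        backup = make_backup(live, work / "backup", "before closing accounts",
                             datetime(2024, 12, 31, 17, 30))
        # Simulate entries made after the backup: new content, newer mtime.
        live.write_bytes(b"ledger entries, period 2024\nnew entry\n")
        newer = backup.stat().st_mtime + 60
        os.utime(live, (newer, newer))
        refused = False
        try:
            restore_backup(backup, live)
        except RuntimeError:
            refused = True
        restore_backup(backup, live, confirm_overwrite=True)
        return {
            "backup_name": backup.name,
            "refused_without_confirm": refused,
            "restored_content": live.read_bytes(),
            "verified": sha256_of(backup) == sha256_of(live),
            "other_name": backup_name(Path("firm.ecb"), "Q1/2024 close",
                                      datetime(2024, 3, 31, 9, 5)),
        }


if __name__ == "__main__":
    print(demo())
```

The hash comparison after copying is what turns "the backup was written" into "the backup is usable"; a copy to a worn memory stick or a full CD can silently truncate the file, and a backup that was never verified is found to be unusable exactly when it is needed.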

Archiving of bookkeeping data (bookkeeping legislation 2:8§, bookkeeping committee guideline
22.5.2000):
- During the bookkeeping period the book entries can be stored on the hard disk.
- The backup must be made often enough using a reliable backup method, for example to a CD-ROM
  disk.

During the accounts closure
- the bookkeeping data of the bookkeeping period must be printed out, OR
- the data must be copied to a computerized data medium which is permanently stored and cannot be
  changed afterwards, for example a read-only CD (CD-ROM).
- After copying the data to an external medium, the data can be deleted from the hard disk if needed
  (for example to save disk space).
- The above-mentioned papers or data media must be stored for 10 years after the bookkeeping period
  has ended.

5.15 Wireless local area network (WLAN)
WLAN, a wireless local area network, means a network in which the computers can communicate either
directly with each other or with the help of a base station. The data moves through the air, not through
cables. The base station can be connected to a traditional fixed network. In practice this means that the
computer can be connected to the internet without any cables between the computer and the network.
WLAN has become more and more popular as laptops have become common:
- The working place no longer has to be near a network socket, because WLAN allows free movement
  within the WLAN range.
- The installation is cheaper, because there is no need for cables.
- It is very suitable for facilities where the network is needed only temporarily.

The greatest security risk with wireless local area networks is that the users often have no security
settings at all, but are using an unprotected network. This can cause information leaks and unauthorized
access to the network. The security risks are:
- Eavesdropping of telecommunications
- An unauthorized hacker can access the network
- The connections can break down due to excessive load caused by the hacker
- The hacker can establish an unauthorized base station on the network using your internet connection

WLAN can be protected from information leaks and from unauthorized access by using user identification.
This means that all users, or their computers, who try to use the particular WLAN network are identified
by defining their identities in the base station. The most typical protection methods are presented below.
MAC (Media Access Control)
- Every wireless PC card has its own unique identity, which is called a MAC address.
- Many base stations allow listing the MAC addresses that are allowed to access the WLAN. Thus, only
  the listed MAC addresses can access the network. External users, whose computers are not listed,
  cannot access the network.

WEP (Wired Equivalent Privacy)
- This technology is based on a base station password. Thus, all devices that connect to the particular
  WLAN network must know the base station password.
- The WLAN base station asks the correct password from all users who try to access the network.
  Hence, external hackers cannot use the network without knowing the base station password.
- The base station password can be stored in the computer settings. This means that the correct
  password is given automatically when the particular computer connects to the base station. The user
  does not have to type the password separately every time.
- A WEP password is an easy solution in cases where there are many users and the users must be
  added and deleted every now and then (for example in school networks). The WEP password practice
  is described in more detail in the following.


Instructions on how to set a WEP password on a router
(These instructions are made for a D-Link router. Some selections can differ on other routers.)
- Install the WLAN router according to the manufacturer's instructions.
- Connect the computer to the router: open an internet browser and type the address 192.168.1.1.
  (This is a common router IP address. If it does not work, see the router manual for instructions.)
- On the opening page type the following information:
  - User name: admin
  - Password: admin (These are common default user name and password. If they do not work with
    your router, check the correct user name and password in your router manual.)
- Select the Security Setup tab and then click the text Wireless Settings. (On other routers find the
  corresponding pages.)
- Select WEP as the encryption method. On the D-Link this is done by selecting the radio button WEP
  at the Security item.
- Define a password that is used to access the network. This password must be 10 characters long and
  may contain only the small letters a-f and the digits 0-9. After this more selections are enabled.
  First select Enable WEP Wireless Security and then type the password in the first Encryption Key
  row. Then click the Apply icon.
- Then save the settings: select the Tools tab and then click the text System Commands. Click the
  Save all button. After this you will receive a message confirming the save.
See a video of how to configure WLAN WEP encryption in a D-Link router


Instructions for modems other than D-Link:
http://www.telewell.fi/ohjeet/tw_ea2000/wlan_turva_asetus_2000_1000.htm
http://www.zyxel.fi/includes/file_download.asp?deptid=11459&fileid=1668&file=ZyXEL%20WLAN%201.2.pdf&pdf=1
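The two protection methods above, the MAC address list and the WEP key, both produce settings that can be checked mechanically. The script below is an added example, not from the course material or any router vendor: it normalises MAC addresses so that the `00-1A-...` and `00:1a:...` spellings compare equal, reports association attempts by addresses that are not on the allow-list, and validates that a WEP key has the format the D-Link instructions require (10 characters, only 0-9 and a-f). The allow-list and the base-station log lines are constructed. MAC filtering and WEP are the controls this page describes; both have since been superseded by WPA2/WPA3, which should be used wherever the equipment supports it.

```python
"""WLAN access-control checks: MAC allow-list and WEP key format.

Added example; not from the course material or any router vendor.
The allow-list and the log lines are constructed, not captured from a device.
"""
import re
from typing import Dict, List

# Constructed allow-list of the company's wireless cards (hypothetical addresses).
ALLOWED_MACS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f", "a4:5e:60:11:22:33"}

# Constructed base-station log: which client addresses asked to join.
SAMPLE_ASSOCIATION_LOG = """\
2024-05-06 08:01:12 assoc sta=00:1A:2B:3C:4D:5E result=ok
2024-05-06 08:03:40 assoc sta=00-1a-2b-3c-4d-5f result=ok
2024-05-06 12:17:05 assoc sta=DE:AD:BE:EF:00:01 result=ok
2024-05-06 12:17:09 assoc sta=de:ad:be:ef:00:01 result=ok
2024-05-06 13:00:00 deauth sta=00:1a:2b:3c:4d:5e
"""

# Six hex pairs separated by ":" or "-".
_MAC_RE = re.compile(r"\bsta=(?P<mac>[0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")


def normalise_mac(mac: str) -> str:
    """Canonical form: lowercase, colon-separated."""
    return mac.replace("-", ":").lower()


def unlisted_associations(log: str, allowed=ALLOWED_MACS) -> Dict[str, int]:
    """Count association attempts per MAC address that is not on the allow-list.

    Only 'assoc' events are counted; a 'deauth' line is a client leaving.
    """
    allowed_norm = {normalise_mac(a) for a in allowed}
    seen: Dict[str, int] = {}
    for line in log.splitlines():
        if " assoc " not in line:
            continue
        m = _MAC_RE.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group("mac"))
        if mac not in allowed_norm:
            seen[mac] = seen.get(mac, 0) + 1
    return seen


def wep_key_problems(key: str) -> List[str]:
    """Return the ways a key fails the format given in the D-Link instructions:
    exactly 10 characters, only the digits 0-9 and the small letters a-f
    (a 40-bit key written in hexadecimal). An empty list means the key is acceptable."""
    problems = []
    if len(key) != 10:
        problems.append(f"length is {len(key)}, must be 10")
    bad = sorted({c for c in key if c not in "0123456789abcdef"})
    if bad:
        problems.append("characters not allowed: " + "".join(bad))
    return problems


if __name__ == "__main__":
    for mac, count in unlisted_associations(SAMPLE_ASSOCIATION_LOG).items():
        print(f"{mac}: {count} association attempt(s) from an unlisted device")
    print(wep_key_problems("3f9a1c07e5"))   # constructed key in the correct format
    print(wep_key_problems("3F9A1C07E5"))   # capital letters are rejected by the router
```

Reviewing the base station's association log against the allow-list is the practical counterpart of the MAC list: the list decides who may join, the review shows who tried.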



6 Summary
Figure: the information security development cycle, with the elements Risk assessment (What can
happen?), Risk preparation (What can be done?) and Information security practices (Avoid the risks;
Implement the planned practices); the Information security mapping completes the Information security
plan; when a new risk is identified (What to do?), Immediate action is taken and a new risk assessment is
needed.



6.1 Risk management

Risk assessment and management
- The risk assessment should be as simple as possible
- Risk assessment must be performed continuously and regularly
- Risk management is recommended to start from the risks that are assessed to be the greatest
- Not all risks can be removed
- Well-done planning will facilitate the implementation
- A reliable person is nominated to be in charge
The risk assessment is recommended to be done in a group consisting of 3-6 persons plus a team leader.
External consultants can be used if necessary.

    The starting point for risk management should be developing the company itself, for example its
    practices and knowledge. Only after that are technical protection methods considered.
6.2 Mapping
When establishing an information security mapping in a company it is recommended to consider
- the security of daily business operations
- the security of the facilities from the data processing point of view
- access to the correct data and their secure processing
- usage of secure devices and software

The hazards that can disrupt the company's business operations are identified in the information security
mapping. The hazards can be for example:
- different faults,
- fires,
- water damage,
- theft,
- mistakes and
- vandalism.
After the information security risks are mapped, an action plan is established. This plan is called the
information security plan.

6.3 Planning
The information security plan includes:
- Items related to company values
- The current state of information security in the company
- The planned actions in order to reach the objectives set
- Timetable and persons in charge of each action
- Keeping the plan up to date
- Preparing for serious hazards (including e.g. training)

The second phase in developing the company's information security is to plan the practical actions in
case of the hazards. The significance of the information security risk areas varies from company to
company. Most important is to go through all the areas and assess their significance to the particular
company and to its secure operation. The deficiencies are written down and development actions are
defined and listed.
The actions to be written in the information security plan can be related, for example, to
- organisational development,
- individuals' scopes of action or
- technical operations, for example purchasing new equipment.
In order to make the plan work also in practice it is important that
- the company commits to the information security improvement with adequate resources
- all employees are trained and instructed to understand their own responsibilities considering the
  various items in the information security plan
- persons in charge are nominated, who are to be contacted when information security hazards or
  other related problems arise
- the information security plan and the related instructions are kept up to date.

6.4 Development
- The last phase in improving the company's information security is to implement the planned
  development actions, in order to avoid the information security risks and hazards and to achieve the
  most suitable information security level for the particular company.
- The starting point is that the company has the responsibility for information security development.
  If necessary, experts and consultants can be used to provide information for the actual decision
  making. The purpose is not to destroy the company data but to secure it.
- There are several utilities available for information security development. Before installing any
  software, read the copyright and license agreements carefully. Much software is available free for
  home use, but business use may require payment. Check the pricing and licensing before starting to
  use the software.



7 Information security training
Practical training in information security mapping and planning is required for passing this course. The
training can have several formats:
- As a part of the vocational training related to your studies, for example in a small enterprise
- A training session organised by your school, where the information security of the school or some
  other organisation is mapped
- In the company where you work or do your training period
- Ask your course teacher about other possibilities to do the training

    NB. If you are going to do the information security mapping and planning as a part of your vocational
    training in a company, you must ask the company for permission to do the side-by-side training. Ask
    your teacher for more information about side-by-side training.
7.1 Training phases
1. Organising the training
Find a company or other organisation where you can make the information security mapping and plan.
First present your idea to your course teacher. After the teacher has accepted your training, you can
agree the training period and other details with the company.
Phase result: Teacher's acceptance of the training company

2. Making the information security mapping
Map the company's information security using the Information security plan form. You will find the
forms on the portal. Ask your teacher for the user name and password for the portal. At the end of this
section you will find instructions for downloading the forms. The filled forms are returned to the teacher
and saved on the portal.
Phase result: Information security mapping

3. Making the information security plan
Make an information security plan for the company. Use the Information security plan form. Complete
the information security mapping you made in the previous phase by entering the planned actions and
other required information. You will find the forms on the portal. Ask your teacher for the user name and
password for the portal. At the end of this section you will find instructions for downloading the forms.
The filled forms are returned to the teacher and saved on the portal.
Phase result: Information security plan and ESR control form.

 The Information security plan form is used in both phases: to map the information security and to
 establish the actual plan. At the end of this section you will find the instructions for downloading the
 forms. The data is entered into the form in two phases: first fill in the mapping part and, when it is
 finished, complete the planning part. The different parts of the form are in separate columns.



7.2 Information security mapping
The information security mapping is made by interviewing the company management and other
personnel. The interviewees should work in different jobs and in different departments, to give as holistic
a view as possible. Write down the interview results in the Information security plan form. You will find
the form on the portal. The form is primarily made to be used in companies, but it is also used if the
organisation is for example your own school. In this case the applicable parts of the form are filled in.
First fill in the Information security mapping part, which includes
Risk
- What can happen?
- Why?
- What are the information security hazards and vulnerabilities?
Priority
- How probable or serious is the risk?
- How great and serious is the harm the hazards can do to the company?
Current precautions
- How is the risk prepared for?
- Are the current preparations enough?
    Do the information security mapping carefully, because the gathered data is used as the basis for the
    information security planning!



7.3 Information security plan
When the mapping is done, complete the form into an Information security plan:
Actions
              Which concrete practical actions are taken in the company to manage the identified risk?
Timetable
              When will the planned actions be implemented?
              How will the information security development proceed?
              What are the main development phases and their timetable?
Person in charge
              Who is responsible for implementing each action?
              Are external persons needed in the implementation?
              Who will control the implementation?


The plan is established by interviewing the company personnel and agreeing on the actions with them. You can
present your own ideas and opinions on good ways to improve the information security, but remember that
the personnel have the best view of their own work. In any case, the final decisions are made by the company.

         The starting point is that the company has the responsibility for information security development. If
         necessary, experts and consultants can be used to provide information for the actual decision making.
         The purpose is not to destroy the company data but to secure them.
         Do you know what you are doing? If not, then don't do it! If you do, are you certain that you still know
         what you are doing? If yes, then do it!

After the mapping part and the planning part of the information security plan are finished, the form is
returned to the teacher and saved on the portal. Ask your teacher for more detailed instructions.
The plan is also given to the company for its own use. The company can use the plan in developing its information
security and update the plan when necessary.

7.4 Downloading the forms from the portal
1. Go to the portal by following the links on these pages or type the address into the browser:
http://www.titu.jyu.fi/vierikoulutusportaali
2. Find the appropriate Word form that you need: click the file icon and save it to your computer or, for
example, on a memory stick or CD.
3. If you are giving side-by-side training in the company, you will need permission from the company for it.
The permission form is on the portal, in PDF format.
4. Follow the course instructions and fill in the Word forms in the appropriate order. Always keep your files in a
safe place.
5. After you have finished your training, go to the portal again.
6. Next to each form icon you will see a hyperlink, which you can use to upload the filled form to the
portal.
       Click the Browse button.
       Find and select the form you have finished on the computer or disk and click Open.
       Click the Save button to upload the form to the portal.



7.5 ESF control
If you are giving side-by-side training in the companies, you must fill in the ESF control form. The form is
filled in and saved on the portal. Ask your teacher for a username and password for the portal.
The operations model based on side-by-side training was developed in the Oili and Mylly projects. These projects
are funded by the European Social Fund (ESF). The ESF control form is used to collect the names and
salary information of the employees who have received side-by-side training. Usually the companies pay a
participation fee for the project and report to the ESF the salary costs that are due to the participation. In Mylly
and Oili there is no participation fee for the companies, but the ESF still needs the salary information.
The Information Technology Research Institute (ITRI) will forward the salary information to the funder of the Mylly
and Oili projects, namely the County Administrative Board of Western Finland.



8 Course completion and the feedback questionnaire
Ask your teacher for more information about the course completion, timetable and assessment.
Note that passing this course requires that the following forms are filled in and returned:
       Permission from the company to give side-by-side training
       Information security plan
       Training follow-up
       ESF form (the student must make sure that the company where the side-by-side training is given
        fills in and returns this form)
       Feedback questionnaire

All answers are handled confidentially and a single respondent cannot be identified from them. The
answers will only be used in the Information Technology Research Institute, and they are used to
improve the course. The schools will not receive the results as such for their own use.


								
To top