
BS 7799 Introduction to Information Security Management Systems using BS 7799

Information is the lifeblood of all organizations and can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by mail or by electronic means, shown in films, or spoken in conversation. In today's competitive business environment, such information is constantly under threat from many sources. These can be internal, external, accidental, or malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats.

To effectively deal with the complexity of this information there is a need to establish a comprehensive Information Security Management System. You need to ensure the confidentiality, integrity, and availability of both vital corporate information and customer information.

What is an Information Security Management System?
An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes and IT systems. The internationally recognised standard for Information Security Management Systems is BS 7799. The Information Security Management System is composed chiefly of four documents: Information Security Policy; Information Asset Register; Risk Assessment Report; and Statement of Applicability.

What is BS 7799?
BS 7799 is a standard setting out the requirements for an Information Security Management System. It helps identify, manage and minimize the range of threats to which information is regularly subjected. The standard is composed of two parts: BS 7799 (ISO 17799) Part 1 - Code of Practice on Information Security Management and BS 7799 Part 2 - Specification for Information Security Management Systems. The Code of Practice on Information Security provides a comprehensive set of security controls comprising the best information security practices in current use. It is strongly business-orientated, focusing on being a good management tool rather than being concerned with technical details.

Ask any experienced manager and the chances are he will know of businesses that have suffered significant losses through:

corruption or loss of data; systems being down when they are needed; or loss of confidentiality.

These are the unwelcome side effects of dramatic increases in dependence on information systems. The discipline which deals with these business risks is Information Security Management. Experience shows that managers who fail to manage these risks are gambling with the continuing existence of their business. Like the National Lottery, the odds of not losing are long. Fortunately for overworked managers, guidance is available. Despite some criticism from the computer industry, BS7799 (which has been based on practical controls used in larger companies) provides a helpful starting point. These articles look at some practical aspects of applying BS7799 in the context of Jersey businesses.

Structure of BS7799
The Standard contains an introduction and ten sections dealing with each component of security. The introduction emphasizes that security requirements stem from:

security risks and their potential business consequences; relevant regulatory and contractual requirements (e.g. trading partners, contractors and service providers); and information processing requirements (security controls must not obstruct efficient business operations).

The Standard explains that security risks need to be assessed in terms of the harm to the business that could result from loss, corruption, unavailability or breach of confidentiality of information. BS7799 does not, however, provide detailed guidance on any particular method for making that assessment. Finally, a number of critical success factors are suggested, including the need for support and commitment from top management, and an understanding of business objectives and security risks. The bulk of BS7799 is made up of the ten control sections. Fundamental controls are labelled "key" as a starting point for implementing information security. Most remaining controls are "baseline security controls", that is, accepted good practices appropriate to all situations. The Standard explicitly acknowledges that in some cases further controls will be required. This is especially significant for local Financial Services Firms, where the predominance of financial assets and the emphasis on client confidentiality demand significantly stronger controls. Each category has aspects which require special consideration in the local context.

Information Assets are protected by controls built on a foundation of policy & organisation

1 - Security policy
A clear statement of policy underpins security management. Local businesses typically communicate policies without the formality found in larger organisations. However communicated, policy must be clear and management must be seen to unequivocally endorse information security.

2 - Security organisation
How do you organise security? In short, by specifying who is responsible for what. This sound advice is a foundation to all effective management. Independent specialist advice is also recommended by BS7799. This will be especially appropriate for local businesses which cannot justify employing a security specialist and for subsidiaries who find group resources do not provide the necessary support.

3 - Asset classification and controls
Classification deals with ownership of assets, including information. Treating information as an asset makes it obvious that it must be protected like any other. Even today, some sophisticated businesses in the Island do not identify owners for information assets. If nobody is accountable for the information, chances are it will not be complete, accurate, available when needed, or kept confidential.

4 - Personnel security
In contrast to popular images, security breaches typically occur through individuals rather than technical weaknesses. Effective personnel measures are essential. This includes defining security responsibilities, providing adequate training and enforcing discipline. Businesses in the Island typically have fewer employees and thus limited opportunity for division of duties. This creates exceptional dependence on the integrity of key individuals. Recruitment screening and subsequent monitoring controls can help, especially for employees in sensitive positions, but are easily overlooked. Does your business use these measures effectively?

5 - Physical and environmental security
Physical security is an obvious area to prevent attack or accident. Important aspects which are sometimes missed include protecting cabling from accidental damage and procedures to effectively erase data from equipment being disposed of.

6 - Computer and network management
Widespread use of networks amongst local businesses creates a number of vulnerabilities. For example, operational procedures and responsibilities are sometimes not documented. As a result the business becomes excessively reliant on the knowledge of particular skilled individuals. Similarly, systems planning is needed to prevent the business being brought to its knees by unexpected capacity and resource problems. The technical environments operated by businesses in the Island are often complex. A rigorous and disciplined approach is needed but not always evident. Viruses are a particular hazard. Virus programs are increasingly sophisticated and difficult to detect. Many island homes have PCs and connections to the Internet. Many businesses are on the verge of electronically sharing files. These factors increase opportunities for virus propagation. Not surprisingly, virus control is identified as a key control in the Standard. Finally, Electronic Data Interchange is especially sensitive for Jersey businesses using electronic fund transfer services such as SWIFT, Euroclear or CHAPS. These are inherently susceptible to serious abuse. Are you confident that your controls are adequate?

7 - System access control
Access controls included in BS7799 will be familiar to most managers. Password techniques are commonly used to check the identity of the user. Users should be uniquely identified and held accountable based on logging of their actions. It is important to distinguish "end users", who generally will be restricted to particular applications and functions within those applications, from "special" cases such as Information Systems personnel. The latter need access to privileges and utilities. Whilst all access should be on a need-to-use basis, attention should be focused on utilities and privileges, as some of these by-pass other controls. Even in simple environments, administration of access control requires sound technical understanding. In many local businesses senior IT staff will control access. This creates a conflict, since the same staff also typically use the utilities and privileges which by-pass other controls. Are you sure your IT manager can't change the payee details on the electronic payments file being transmitted to the bank? Independent review can be a cost-effective answer to this dilemma. For businesses wishing to do it themselves, help with understanding the technical aspects and by-pass risks is available from the Information Systems Audit and Control Association bookstore amongst other sources.
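One technical form of the independent check this section asks for, as an added example that is not part of the original article: the finance user seals the payment records with a keyed hash under a key that the IT administrator does not hold, and the recipient (or an independent reviewer) verifies the seal before the file is acted on. The record layout, the key handling and the choice of HMAC-SHA-256 are assumptions made for the example; BS7799 does not prescribe them.

```python
"""Tamper-evident sealing of a payments file with an HMAC.

Added example, not from the article. Assumes a simple record format and a
shared secret held by the finance function and the verifying party, but not
by the administrators who can edit files on the server.
"""
import hashlib
import hmac
import json
from typing import List, Tuple

Record = Tuple[str, str, int]  # (payee name, sort code and account, amount in pence)


def canonical(records: List[Record]) -> bytes:
    """Serialise records deterministically so the same data always hashes the same."""
    return json.dumps(records, separators=(",", ":"), sort_keys=True).encode()


def seal(records: List[Record], key: bytes) -> str:
    """Produce the authentication tag the finance user attaches to the file."""
    return hmac.new(key, canonical(records), hashlib.sha256).hexdigest()


def verify(records: List[Record], tag: str, key: bytes) -> bool:
    """Recipient-side check; constant-time comparison so a tag cannot be guessed byte by byte."""
    return hmac.compare_digest(seal(records, key), tag)


def changed_records(original: List[Record], received: List[Record]) -> List[int]:
    """Report which record positions differ, for the reviewer's audit trail."""
    return [i for i, (a, b) in enumerate(zip(original, received)) if a != b]


# Constructed sample data (placeholder payees and accounts, not real ones)
FINANCE_KEY = b"example-key-held-only-by-finance"
PAYMENTS = [
    ("Acme Supplies Ltd", "12-34-56 00000001", 125000),
    ("Island Cleaning Co", "12-34-56 00000002", 45000),
]

if __name__ == "__main__":
    tag = seal(PAYMENTS, FINANCE_KEY)
    # Simulate an administrator with file access editing the payee account on the server.
    tampered = list(PAYMENTS)
    tampered[0] = ("Acme Supplies Ltd", "12-34-56 99999999", 125000)
    print("original verifies:", verify(PAYMENTS, tag, FINANCE_KEY))   # True
    print("tampered verifies:", verify(tampered, tag, FINANCE_KEY))   # False
    print("changed records:", changed_records(PAYMENTS, tampered))    # [0]
```

The check only has value if the key is kept away from the people whose access it is meant to constrain; if the administrator can read the key, the seal proves nothing, which is the same separation-of-duties point the section makes about utilities and privileges.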

8 - System development and maintenance
All businesses will benefit from considering security when developing and maintaining applications. This will be particularly relevant to local organisations who have identified opportunities to redesign their processes to exploit automation and eliminate manual procedures. This usually eliminates paper records and can be enabled by new technologies such as workflow management, document image processing, EDI, etc. Managers are sometimes wary of this transition. However, if you understand the possibilities that the new technologies offer, automated processes can produce substantial savings and provide better, more effective controls. Related to this, the integrity of live applications depends on software quality assurance, including rigorous testing, documentation and enforcement of appropriate standards. This is clearly relevant for large businesses which develop their own applications. But local businesses often use packages which are customised or are not in common use, or develop applications using sophisticated software such as PC database management systems or spreadsheets. Many of the costs are hidden. How many applications have been abandoned because the person who developed them is no longer around to provide support? How much time is lost sorting out or correcting bug-ridden, rickety applications? If these costs were foreseen, would outsourcing have been a better strategy? These costs can be avoided. Unlike the larger company, local users typically shoulder the responsibility for analysing, designing and testing complex applications or custom enhancements. These users do not have the advantage of the training, methodologies and experience of the Information Systems professional. The challenge should not be underestimated. Investing in up-front planning and focused professional support for project management and quality assurance will have a significant payback.

9 - Business Continuity Planning
Statistics show that businesses of the size found in Jersey are less likely to have adequately addressed business continuity planning. The baseline measures in the Standard provide a valuable, if brief, framework for this area. As with other areas of security, primary responsibility rests with management to ensure that key requirements are understood and suitable procedures are put in place and tested. Is your plan like that of one local business who only found out when disaster struck that their backup routine was ineffective? All their data was lost. The message is simple: a plan which is not tested is worthless.

10 - Compliance
The final section of BS7799 deals with compliance matters. Legal issues include control over software copying, and the requirements of, in Jersey's case, the Data Protection (Jersey) Law 1987 and the Computer Misuse (Jersey) Law (currently with the Privy Council). Banks will, in addition, need to consider the requirements of the Banking Business (Jersey) Law 1991.

Standard Objectives
The objectives of the Standard are actually two-fold:
- To provide a common basis for companies to develop, implement and measure effective security management practices.
- To provide confidence in intercompany trading.

Basic Components
The Standard has been specifically designed to protect information and information assets and, in doing so, addresses three basic components:
Confidentiality - the protection of sensitive information from unauthorised disclosure.
Integrity - the safeguarding of information accuracy and intactness.
Availability - ensuring the availability of information, and associated services, when required.
Information by its very nature takes many forms and includes computer data, paper documents and even the spoken word. Thus, from the security perspective, all information should be subject to appropriate protection. The Standard is comprehensive in nature and is divided into ten sections (see below) to ensure best practice controls are appropriately addressed.

How Does the Standard Concern You?

If you have information upon which your organisation is dependent in any form then the Standard should concern you. More specifically, the "c:cure" scheme is aimed at those who, for example:
* trade electronically with other organisations
* manage information on behalf of others
* facilitate the transmission or processing of information
* handle personal information which falls under the terms of Data Protection Acts
* want to maintain confidentiality of information
* place reliance on the availability and accuracy of information.

Balance and Benefits
There is no pretence that the implementation of effective information controls in an organisation will be easy. It requires commitment, communication, planning, good management and a great deal of hard work. Further, a common concern voiced by many organisations is that the implementation of such controls would adversely impact on operational processes. However, BS7799 provides the flexibility necessary to enable complementary controls to be developed and implemented. Further, appropriate adherence to the best practices advocated by the Standard produces a number of additional benefits, in that it:
* enables information security to be addressed in a comprehensive, realistic, practical and cost-effective manner
* establishes mutual trust between networked sites and trading partners
* enhances quality assurance
* demonstrates high standards of security to prospective and existing customers
* substantially increases the ability to survive a disaster
* assures compliance with legal and contractual requirements.

The Future
The Standard has changed a great deal since it was introduced in Code of Practice format. This is understandable, as awareness of it has grown and commerce has been given the opportunity to articulate its needs. As communication between the accreditation body and "users" is already good, this is likely to continue and the Standard will, undoubtedly, continue to change over the years to accurately reflect business needs. At the end of the day, by adhering to best practice we can only win, as we will be providing appropriate safeguards to information which is vital to our organisations.

Implementing an Information Security Management System
The steps to implement an Information Security Management System follow:

Scoping Study
This step sets the scope of the project. It should reflect the objectives of the business and be centred on a business process, such as the provision of IT. At this point consideration is given to setting an initial scope with an eye to future growth and how the scope could be extended.

Gap Analysis
A gap analysis is conducted against the controls listed under the ten sections of BS 7799 to identify the level of compliance within the scope against the ten areas identified in BS 7799. At this stage it is possible to identify areas that fall outside the scope. These can be formally excluded if the organisation does not undertake the activity, such as code development; where the activity is valid but outside the scope, such as employee vetting by the HR department, a Service Level Agreement can be put in place.

Risk Assessment
The risk assessment is undertaken to identify the information assets, the threats posed against them and the likelihood of those threats materialising.

Initial Statement of Applicability
The Statement of Applicability (SOA) is a description of the applicable controls identified during the gap analysis, with reference to how they apply to your environment.

Security Improvement Program
The policies and procedures to protect the information assets against the risks identified must be developed to improve security. At this stage it is possible to identify any technical resources required, such as Windows domain security policy, firewalls, anti-virus software, etc.

Testing and Review
The actions taken as a result of the policies and procedures should be tested to ensure they provide adequate protection of the assets. This could include vulnerability assessments, penetration testing and social engineering.

Implementation
When the policies and procedures have been developed it is necessary to introduce them to the users and integrate them into current working practices. This can be done using awareness training and awareness material, such as screen savers, and ongoing information provision such as an intranet or document management system.

Document Finalisation
The documentation must be finalised in the light of the steps above, including the Statement of Applicability.

Certification Audit
The auditors will assess your compliance with BS 7799 and make recommendations accordingly.

Vulnerabilities
Vulnerabilities are weaknesses in the physical layout, organization, procedures, personnel, management, administration, hardware, or software that may be exploited to cause harm to the system. The goal of the preliminary vulnerability assessment is to develop a list of system vulnerabilities (flaws or weaknesses) that could be exploited by a potential threat. For new systems, the search for vulnerabilities should focus on security policies, planned procedures, system requirements definitions, and security product analysis. For operational systems, analyze the technical and procedural security features and controls used to protect the system. Vulnerability analysis encompasses the following five security control areas:
Technical - hardware, software, system architecture, and modes of communication.
Operational - procedures that people perform with respect to an information system.
Administrative - weak countermeasures in the administrative procedures that affect information systems.
Physical - weak countermeasures in the physical layout of, and access to, facilities and enclosures where automated information systems are housed.
Personnel - weak countermeasures in policy, process, and procedures used for security screening of staff having access to the system.

After analyzing the technical, operational, administrative, physical, and personnel controls on the system, the vulnerabilities are paired with specific threats to create a set of vulnerability-threat pairs. The next step is to analyze vulnerability-threat pairs and to identify and determine which existing system countermeasures reduce or mitigate specific vulnerabilities. This is the beginning of the risk assessment process.
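The pairing and ranking just described, and the Risk Assessment step listed earlier under "Implementing an Information Security Management System", as an added worked example that is not part of the original text. The assets, vulnerabilities (tagged with one of the five control areas), threats and countermeasures are constructed, and the 1-5 likelihood and impact scale, the likelihood-times-impact score and the idea that a countermeasure removes a fixed number of likelihood levels are assumptions made for the example; BS 7799 deliberately does not prescribe a scoring method.

```python
"""Vulnerability-threat pairing and an initial residual-risk ranking.

Added example, not from the original article. All register entries and the
scoring scale are constructed illustrations.
"""
from dataclasses import dataclass
from itertools import product

CONTROL_AREAS = {"technical", "operational", "administrative", "physical", "personnel"}


@dataclass(frozen=True)
class Vulnerability:
    vid: str
    area: str          # one of the five control areas
    description: str
    weakness: str      # tag naming what the weakness exposes; threats match on it


@dataclass(frozen=True)
class Threat:
    tid: str
    description: str
    exploits: str      # weakness tag this threat can exploit
    likelihood: int    # 1 (rare) .. 5 (expected)


@dataclass(frozen=True)
class Asset:
    name: str
    impact: int            # 1 (negligible) .. 5 (business-threatening)
    weaknesses: frozenset  # weakness tags that apply to this asset


@dataclass(frozen=True)
class Countermeasure:
    cid: str
    mitigates: str     # vulnerability id it addresses
    reduction: int     # likelihood levels it removes (assumed model)


@dataclass(frozen=True)
class RiskItem:
    asset: str
    vulnerability: str
    threat: str
    likelihood: int
    impact: int
    countermeasures: tuple

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def pair_vulnerabilities_with_threats(vulns, threats):
    """Step 1: every (vulnerability, threat) pair where the threat exploits that weakness."""
    for v in vulns:
        if v.area not in CONTROL_AREAS:
            raise ValueError(f"{v.vid}: unknown control area {v.area!r}")
    return [(v, t) for v, t in product(vulns, threats) if t.exploits == v.weakness]


def assess(assets, vulns, threats, countermeasures):
    """Step 2: apply existing countermeasures to each pair and rank residual risk per asset."""
    pairs = pair_vulnerabilities_with_threats(vulns, threats)
    by_vuln = {}
    for c in countermeasures:
        by_vuln.setdefault(c.mitigates, []).append(c)
    items = []
    for asset in assets:
        for v, t in pairs:
            if v.weakness not in asset.weaknesses:
                continue
            applied = by_vuln.get(v.vid, [])
            reduction = sum(c.reduction for c in applied)
            likelihood = max(1, t.likelihood - reduction)  # never below "rare"
            items.append(RiskItem(asset.name, v.vid, t.tid, likelihood, asset.impact,
                                  tuple(c.cid for c in applied)))
    return sorted(items, key=lambda r: (-r.score, r.asset, r.vulnerability))


# Constructed sample register (illustrative only)
ASSETS = [
    Asset("payments file", 5, frozenset({"cleartext-transit", "weak-screening"})),
    Asset("marketing brochures", 1, frozenset({"cleartext-transit"})),
]
VULNS = [
    Vulnerability("V1", "technical", "file sent to bank unencrypted", "cleartext-transit"),
    Vulnerability("V2", "personnel", "no vetting of finance staff", "weak-screening"),
]
THREATS = [
    Threat("T1", "interception on a shared network", "cleartext-transit", 4),
    Threat("T2", "insider alters payee details", "weak-screening", 3),
]
COUNTERMEASURES = [Countermeasure("C1", "V1", 3)]  # e.g. an encrypted link already in place

if __name__ == "__main__":
    for r in assess(ASSETS, VULNS, THREATS, COUNTERMEASURES):
        print(f"{r.score:>2} {r.asset:<20} {r.vulnerability}/{r.threat} cm={r.countermeasures}")
```

The untreated pair (no vetting of finance staff against an insider altering payee details) comes out on top for the high-impact asset, while the same cleartext-transit weakness scores low for the brochures because their impact is negligible; that ordering is the starting point for deciding which further controls the Statement of Applicability should carry.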

Five Tips for Secure Wireless Web Surfing


If you travel on behalf of your organization, you likely bring along a laptop so you can stay productive while you're away. And because many airports, hotels, and coffee shops are now equipped with so-called hotspots (access points that let you surf the Web using a wireless Internet connection), you probably take advantage of these opportunities to check your email, log in to your nonprofit's intranet, and generally find out what's going on back at the office. But while using a public hotspot to surf the Internet can help you get work done from the road, it can also potentially compromise your organization's privacy. Because public hotspots lack any sort of security measures, it's possible that other people using the same wireless connection can intercept the information you send and receive across the Internet; savvier hackers and data thieves might even be able to gain entry to your computer and access important files. The good news is that there are a few things you can do to minimize your risk on the wireless Web. Take the following precautions each time you surf the Internet on an unsecured public network, and you're very likely to sidestep the vast majority of threats.

1. Install and use firewall and antivirus software. When you're surfing the Web from your nonprofit's offices, your computer is more than likely protected from threats by a centralized firewall, a piece of hardware or software that blocks potentially harmful traffic traveling between the network and the Internet. Most public hotspots, however, fail to include this protective barrier; even if a hotspot does happen to have a firewall set up, it won't protect you from hackers who are also using the access point. Therefore, make sure you have a personal firewall up and running before you log in at the airport or the hotel lobby. Free personal firewalls include Zone Alarm Free and Jetico Personal Firewall. Top Ten Reviews' article Firewall Software Review explores several other options worth considering. Since the majority of public hotspots also lack antiviral protection, there's the possibility that other users could unknowingly (or intentionally) unleash a virus on the wireless network. For this reason, you'll also want to have a good antivirus program running on your laptop any time you surf the Web from an open hotspot. If your nonprofit already has antivirus software running on its network, check with your IT staff or volunteers to see if they can install this program on your local machine. If your organization currently lacks a centralized antivirus solution, you should install a program on your machine and leave it running at all times. While most antivirus programs such as Norton AntiVirus (available for $15 from TechSoup Stock) and McAfee VirusScan Plus cost money, you do have a number of free options, including Grisoft AVG Anti-Virus Free Edition and ClamWin Free Antivirus.

2. Use a VPN whenever possible. A virtual private network (VPN) allows users working from a remote machine to access resources on a private computer network, such as an organization's intranet. A VPN is essentially a secure tunnel through the Internet, from the user's machine to the private network, in which all information is encrypted so that would-be snoopers can't get at it. If your organization's IT director has set up its network for use with VPNs, it's best to log in through your VPN client when surfing the Web at an unsecured spot. But if you plan to send sensitive information to the Web over the VPN, you should still check with the IT department to make sure that the client provides a high enough level of security to protect your data. If your nonprofit does not currently have a VPN solution in place, you can subscribe to a service such as HotSpotVPN, which creates a secure environment using the VPN features that are built into Windows or Macintosh operating systems. But don't let your guard down: no matter which VPN method you use, it's still a smart idea to keep your firewall and antiviral software running at all times.

3. Take care when entering sensitive data on a Web site. When using a hotspot, the only foolproof way to ensure that your organization's sensitive data stays private is to avoid sending it into cyberspace altogether. If you need to transfer funds using online banking or make a virtual purchase with your nonprofit's credit card, it's always best to wait until you're back on a network that you know is secure. Still, if an emergency arises and you absolutely must deal with private data at a public hotspot, make sure you're using a secure Web site that encrypts the information. Secure sites begin with "https" (instead of "http") and generally display a lock icon in the lower-right corner of the browser window. Note that while many financial institutions and e-commerce sites secure all aspects of the transactions, some sites only encrypt part of the exchange. For example, while Web-based email services such as Yahoo Mail and Gmail encrypt your password by logging you in from an https site, your inbox is available from a nonsecure http site, meaning that others on the hotspot might be able to access your messages.

4. Encrypt emails and documents. As previously mentioned, most Web-based email services only encrypt your password and do not protect your actual inbox. Therefore, it's unwise to use these services to send or receive confidential emails when working from a public hotspot. (Indeed, it's unwise to use these services to send highly confidential messages from anywhere, unless you're confident in the privacy and email retention policies of the companies offering the services.) However, newer versions of Microsoft Outlook provide a built-in email encryption feature, which is accessible by clicking the Tools menu item, selecting Options, and browsing to the Security tab. One way to encrypt Outlook email is to install version 7.0.3 of Pretty Good Privacy (PGP), a free encryption platform that was open-source. For step-by-step instructions on installing and configuring PGP, read Datateknik's article Email Encryption for the Lazy. If you don't want to bother with installing and configuring software, you can also encrypt Outlook email by purchasing your own digital certificate, a small file that proves your identity. If you decide to buy a digital certificate and don't have a lot of software experience, you will probably want to ask your IT staff to help you install and configure it. However, before you buy a certificate, first check with your organization's IT staff; they may have already set up a system that distributes digital certificates to individual users on the network. If your laptop contains files with sensitive information, you might also choose to encrypt individual documents or entire folders. While you should definitely disable all shared folders when using a hotspot, you might also want to secure confidential data using a dedicated encryption utility such as Jetico BCArchive or TrueCrypt, both of which are free.

5. Look out for fraudulent hotspots. Another potential danger when using public wireless networks is so-called "evil twins," hotspots set up by hackers to collect personal information. A data thief may do this by setting up an open hotspot near a valid one or by simply configuring his or her laptop to transmit a wireless signal. When nearby users check the list of available connections, they'll also see the evil twin. If users happen to log in to this fraudulent access point, the hacker can track their Internet travels and emails and might be able to access private data they send across the Web, including credit card numbers. In order to make sure you steer clear of evil twins, it's always a smart idea to try to find an employee at the coffee shop, hotel, or airport to verify the name of the legitimate hotspot. Also, some wireless laptops are configured by default to automatically connect to the nearest or strongest signal; you might consider disabling this feature to avoid inadvertently logging in to a fraudulent hotspot. Using a public hotspot doesn't have to mean sacrificing security for convenience. So next time you hit the wireless Web, remember to take the proper preventative measures; you'll spend less time fretting about your private data and more time making positive things happen for your organization.

Setting Up a Secure Wireless Network


The Growth of the Intranet and Extranet
Few technologies have been accepted as rapidly as Intranets within organizations. Virtually unknown four years ago, Intranets are now ubiquitous. Analysts at Zona Research predict that the Intranet market will exceed the Internet market by a ratio of 2 to 1 by 1999. Killen & Associates estimated the market for Intranet software, equipment, and services in the US would exceed $20 billion by the year 2000. Early in 1997, Booz Allen & Hamilton reported that nearly every member of the Fortune 500 had deployed an Intranet or was in the process of doing so. Many of these organizations are now extending their Intranets to reach key customers and/or business partners via Extranets. A 1998 survey of 1,400 chief information officers by market research firm RHI Consulting showed that 38 percent of respondents expect the popularity of Extranets to "increase significantly" during the next three years. Another 44 percent said they expect their popularity to "increase somewhat" during the same period.

The Expanding Network
Industry Extranets show similar promise. For example, within the automotive and retail industries, many companies are establishing Extranet-based supply chain networks, allowing real-time inventory, order, and delivery information to be communicated between retailers, distributors, manufacturers, and suppliers. This helps dramatically improve the ability of all organizations within the supply chain to match the supply of goods to the demand for goods, while simultaneously decreasing inventories. This improves efficiency, inventory management, and, ultimately, profitability throughout the entire supply chain.

Expanding Networks Increase Possible Points of Attack

Figure 2 illustrates how the growth in network complexity has increased the potential points of attack, both from outside and from within organizations. Fortunately, the methods of protecting against these attacks have also expanded. Two of the most common security precautions in use today are firewalls and passwords. Passwords are designed to prevent unauthorized individuals from directly gaining access to sensitive data stored on servers. Firewalls, by contrast, are designed to provide a perimeter defense mechanism, preventing unauthorized individuals outside the organization from gaining access to sensitive data inside the organization. According to a recent IDC study, virtually 100% of Fortune 500 organizations have already deployed firewalls. Despite their important role in network security and widespread adoption, firewalls provide only a partial solution. As shown in Figure 2, perimeter defenses can do little to prevent attacks by insiders (e.g. disgruntled employees, contractors, or others). Passwords are also largely ineffective against inside attacks. Most passwords are notoriously easy to guess; where passwords are not guessed, they can often be discovered on sticky pads on employees' computers or intercepted as they pass, in the clear, over corporate networks.

Even when passwords are not guessed, or when more sophisticated access control methods are used, it is important to note that access control alone can not ensure that information remains confidential. While a good password system might prevent someone from directly entering a server to obtain confidential information, passwords do not protect data as it passes "over the wire" between the server and the client. The same general problem applies to data that passes outside the firewall, between corporate servers and branch offices, customers, suppliers, and remote employees. Any time that data is sent between your servers and organizations outside your firewall, the data can be intercepted using "sniffers." Hackers do not need to get "in" to your system, if you are sending data outside the perimeter. Types of Security Risks Encountered on an Intranet and Extranet Intranet and Extranet security breaches can take a variety of forms. For example,

An unauthorized person, such as a contractor or visitor, might gain access to a company's computer system.
An employee or supplier authorized to use the system for one purpose might use it for another. For example, an engineer might break into the HR database to obtain confidential salary information.
Confidential information might be intercepted as it is being sent to an authorized user. For example, an intruder might attach a network sniffing device to the network. While sniffers are normally used for network diagnostics, they can also be used to intercept data coming over the wire.
Users sharing documents between geographically separated offices over the Internet or Extranet, or telecommuters accessing the corporate Intranet from their home computers, can expose sensitive data as it is sent over the wire.
Electronic mail can be intercepted in transit.
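The interception risk above is easy to underestimate until you see how little work a sniffer needs to do. The following is an added example, not code from the original guide: a small scanner that walks a packet capture and pulls out credentials sent in the clear (HTTP Basic authentication, FTP USER/PASS, and HTML form logins), while opaque TLS records yield nothing. The capture itself is constructed for the demo; it is assumed to be a list of (destination port, TCP payload) pairs as a capture tool would hand them over, and only the standard library is used.

```python
"""Added example: what a sniffer recovers from traffic sent 'in the clear'.
The capture below is constructed for this demo (assumption: each entry is
the TCP payload of one packet, tagged with its destination port)."""
import base64
import re
import urllib.parse

# Constructed sample capture: (destination port, payload bytes).
SAMPLE_CAPTURE = [
    # Browser fetching an HR page over plain HTTP with Basic authentication.
    (80, b"GET /hr/salaries HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic YWxpY2U6aHVudGVyMg==\r\n\r\n"),
    # FTP login: the password follows the user name in a separate packet.
    (21, b"USER bob\r\n"),
    (21, b"PASS s3cret!\r\n"),
    # Web login form posted over plain HTTP.
    (80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"username=carol&password=letmein&submit=Login"),
    # Start of a TLS record (constructed bytes): encrypted, so nothing to read.
    (443, b"\x16\x03\x03\x00\x5a\x01\x00\x00\x56\x03\x03\xe3\x8a\xf1\x9c\xff"),
]

_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.M)
_USER_FIELDS = ("username", "user", "login", "email")


def find_cleartext_credentials(capture):
    """Return a list of (protocol, user, password) triples found in the capture."""
    found = []
    pending_ftp_user = {}  # port -> user name seen in USER, awaiting PASS
    for port, payload in capture:
        try:
            text = payload.decode("ascii")
        except UnicodeDecodeError:
            continue  # binary payload (e.g. a TLS record): nothing readable

        # HTTP Basic auth is just base64, not encryption.
        m = _BASIC_RE.search(text)
        if m:
            user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
            found.append(("http-basic", user, password))

        # FTP sends the password as a bare command on the control channel.
        if port == 21:
            if text.upper().startswith("USER "):
                pending_ftp_user[port] = text[5:].strip()
            elif text.upper().startswith("PASS ") and port in pending_ftp_user:
                found.append(("ftp", pending_ftp_user.pop(port), text[5:].strip()))

        # Form logins over plain HTTP carry the password in the POST body.
        if text.startswith("POST ") and "application/x-www-form-urlencoded" in text:
            body = text.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in text else ""
            fields = dict(urllib.parse.parse_qsl(body))
            user = next((v for k, v in fields.items() if k.lower() in _USER_FIELDS), None)
            password = next((v for k, v in fields.items() if "pass" in k.lower()), None)
            if password is not None:
                found.append(("http-form", user, password))
    return found


if __name__ == "__main__":
    for proto, user, password in find_cleartext_credentials(SAMPLE_CAPTURE):
        print(f"{proto}: {user} / {password}")
```

The same logic is what a real sniffer applies to live traffic; the only difference between the three recovered logins and the empty result for port 443 is that the last one was encrypted before it left the client.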

These are not merely theoretical concerns. While computer hackers breaking into corporate computer systems over the Internet have received a great deal of press in recent years, in reality corporate insiders (employees, former employees, contractors working on site, and other suppliers) are far more likely to attack their own company's computer systems over an Intranet. In a 1998 survey of 520 security practitioners in U.S. corporations and other institutions, conducted by the Computer Security Institute of San Francisco with the participation of the FBI, 44 percent reported unauthorized access by employees compared with 24 percent reporting system penetration from the outside. Such insider security breaches are likely to result in greater losses than attacks from the outside. Of the organizations that were able to quantify their losses, the Computer Security Institute survey found that the most serious financial losses occurred through unauthorized access by insiders, with 18 companies reporting total losses of $50,565,000 as compared with losses of $86,257,000 for the remaining 223 companies that were able to put a dollar value on their losses. As organizations increasingly install Intranets and Extranets, therefore, it is becoming critical for them to secure these systems from inside attacks.

[Figure: Average Losses from Various Types of Attacks]

Goals of Intranet and Extranet Security Systems

Fortunately, there are a variety of techniques available to address these security holes within Extranets and Intranets. Before choosing a particular technology, however, it is important to understand the full range of issues that security systems should address:

Authentication: ensuring that entities sending messages, receiving messages, or accessing systems are who they say they are, and have the privilege to undertake such actions.
Privacy: enabling only the intended recipient to view an encrypted message.
Content Integrity: guaranteeing that messages have not been altered by another party since they were sent.
Non-Repudiation: establishing the source of a message so that the sender cannot later claim that they did not send the message.
Ease of use: ensuring that security systems can be consistently and thoroughly implemented for a wide variety of applications without unduly restricting the ability of individuals or organizations to go about their daily business.

This last goal is frequently overlooked. Organizations must not only develop sound security measures, they must also find a way to ensure consistent compliance with them. If users find security measures cumbersome and time consuming, they are likely to find ways to circumvent them, thereby putting your Intranet and Extranet at risk. Organizations can ensure consistent compliance with their security policy through:

Systematic application. The system should automatically enforce the security policy so that security is maintained at all times.
Ease of end-user deployment. The more transparent the system is, the easier it is for end-users to use, and the more likely they are to use it. Ideally, security policies should be built into the system, eliminating the need for users to read detailed manuals and follow elaborate procedures.
Wide acceptance across multiple applications. The same security system should work for all applications a user is likely to employ. For example, you should be able to use the same security system whether you want to secure e-mail, e-commerce, server access via a browser, or remote communications over a virtual private network.

How digital certificates work

In physical transactions, the challenges of identification, authentication, and privacy are solved with physical marks, such as seals or signatures. In electronic transactions, the equivalent of a seal must be coded into the information itself. By checking that the electronic "seal" is present and has not been broken, the recipient can confirm the identity of the message sender and ensure that the message content was not altered in transit. To create an electronic equivalent of physical security, digital certificates use advanced cryptography. Cryptographic systems have been used to protect valuable information for thousands of years. Traditionally, cryptographic systems have attempted to ensure security using some variant of the secret key system. Secret key systems require that both parties in a communication scheme have a copy of the same secret code or "key." When two people want to share information, the sender encrypts the information using his copy of the secret key. The recipient can decrypt the message only by using her copy of the same key. If somebody intercepts the message, that person cannot decipher it without the key. Despite their widespread use, secret key systems have several critical limitations. First, simply transmitting the secret key poses risks, because the key can be intercepted in transit by unauthorized parties. Second, because both parties hold the same key, either of them could have produced any given message: a party that acts maliciously can deny, or repudiate, a transaction, can impersonate the other party, or can use the secret key to decrypt other sensitive information. To limit this sort of attack, organizations must require users to have a different secret key for each party with whom they communicate. The number of keys then grows with the square of the number of users: an organization of a hundred people needs 4,950 distinct keys to cover every pair, and one of a thousand people needs nearly half a million.
Digital certificates employ the more advanced public key cryptography system, which does not involve the sharing of secret keys. Rather than using the same key to both encrypt and decrypt data, a digital certificate uses a matched pair of keys that uniquely complement each other. When a message is encrypted by one key, only the complementary key can decrypt it. In public key cryptography systems, when your key pair is generated, you keep one key private. This key is called the "private key," and nobody other than you, as the rightful owner, should ever have access to it. However, the matching "public key" can be freely distributed as part of a digital certificate. You can share your digital certificate with anyone, and can even publish your certificate in directories. If someone wants to communicate with you privately, they use the public key in your digital certificate to encrypt information before sending it to you. Only you can decrypt the information, because only you have your private key. (In practice, public key operations are slow and limited in size, so real systems encrypt the data with a fresh secret key and use your public key only to encrypt that secret key; the security property is the same.)

Figure 5. Encrypting Information Using Digital Certificates

Conversely, you can use your key pair to digitally sign a message. To sign a message, you compute a cryptographic hash (a fixed-size fingerprint) of the message and transform that hash with your private key; the result is the signature. Anyone can reverse the transformation using the public key contained within your certificate and compare the recovered hash with a hash of the message they received: if the two match, the message is unaltered and was signed by the holder of the private key. While many people have access to your certificate, only you could have signed the message, because only you have access to your private key. A digital certificate is a binary file. Your digital certificate contains your name and your identifying information along with your public key; it tells correspondents that your public key belongs to you. Digital certificates generally also contain a serial number, an expiration date, and information about the rights, uses, and privileges associated with the certificate. Finally, the digital certificate contains information about the certificate authority (CA) that issued the certificate. All certificates are digitally signed using the private key of the Certificate Authority. (Generally, the Certification Authority's own certificate, called a root certificate, is widely deployed in software packages, allowing people to seamlessly identify legitimate certificates issued by the certification authority.) If the CA maintains good security protection of its private key, it is virtually impossible for anyone to forge a digital certificate; the relying party must still check that the certificate has not expired and has not been revoked. It is important to note that certificates are not only issued to individuals. Organizations, as well as entities such as servers and routers, can also be issued certificates.
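To make the mechanics of the last two paragraphs concrete, here is an added example (not code from the original guide, and not any vendor's product) that builds a key pair, encrypts to the public key, signs by hashing and then applying the private key, and finally issues and verifies a minimal CA-signed "certificate" binding a subject name to a public key. It uses textbook RSA with 512-bit keys, generated by a seeded Miller-Rabin search, purely so that every step is visible in a few lines of standard-library Python; that choice, the fixed seed, the subject names and the message are all assumptions of the demo, and unpadded RSA of this size must never be used to protect real data.

```python
"""Added example: public-key encryption, hash-then-sign, and a CA-signed
'certificate', in pure standard-library Python.  Textbook (unpadded) RSA
with 512-bit keys is used only to make the mechanics visible; it is NOT
safe for real use (assumption: real deployments use a vetted library with
proper padding and X.509 certificates)."""
import hashlib
import random

_rng = random.Random(7)  # fixed seed so the demo is reproducible (assumption)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Return (public, private) as (n, e) and (n, d); n is shared, d stays secret."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _sha256_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def encrypt(public, plaintext):
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = public
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this toy key")
    return pow(m, e, n)


def decrypt(private, ciphertext):
    n, d = private
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private, message):
    """Hash first, then apply the private key to the digest (never the raw message)."""
    n, d = private
    return pow(_sha256_int(message), d, n)


def verify(public, message, signature):
    """Recover the digest with the public key and compare with a fresh hash."""
    n, e = public
    return pow(signature, e, n) == _sha256_int(message)


def _cert_body(subject, public):
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(ca_private, subject, subject_public):
    """Minimal 'certificate': subject name + public key, signed by the CA's private key."""
    return {"subject": subject, "public": subject_public,
            "sig": sign(ca_private, _cert_body(subject, subject_public))}


def verify_certificate(ca_public, cert):
    return verify(ca_public, _cert_body(cert["subject"], cert["public"]), cert["sig"])


def demo():
    ca_public, ca_private = generate_keypair()
    alice_public, alice_private = generate_keypair()
    cert = issue_certificate(ca_private, "CN=alice", alice_public)  # assumed subject
    message = b"approve purchase order 1042"                      # constructed
    return {
        "cert_ok": verify_certificate(ca_public, cert),
        # Editing the subject without the CA's private key breaks the CA signature.
        "forged_cert_ok": verify_certificate(ca_public, dict(cert, subject="CN=mallory")),
        # Encrypt to the public key taken from the certificate; only Alice can decrypt.
        "roundtrip": decrypt(alice_private, encrypt(cert["public"], message)),
        "sig_ok": verify(cert["public"], message, sign(alice_private, message)),
        # One changed byte in the message and the recovered digest no longer matches.
        "tampered_sig_ok": verify(cert["public"], message + b"!", sign(alice_private, message)),
    }


if __name__ == "__main__":
    print(demo())
```

Two things the toy makes visible that the prose only states: the certificate's own signature is what stops anyone from pasting a different name next to Alice's public key, and a signature covers the hash of the message, so any later alteration of the content is detected by the verifier without the signer's involvement.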

Process for Setting Up Security in the Network


Phase One: Assess Your Business Needs and Security Risks. VeriSign recommends that you start any "Security Assessment" by thinking critically about the business needs of your Intranet and Extranet. Understand the nature of the communications that are needed, and the security goals (content integrity, non-repudiation, etc.) that your communication goals imply. VeriSign then recommends getting an objective assessment of the security gaps in your existing infrastructure.

Phase Two: Make a Long-Term Plan for Deploying PKI. Many organizations start embracing certificate technology without considering the long-term needs for deploying robust technology, infrastructure, and practices. Many of the companies with whom VeriSign works initially tried to deploy stand-alone "software-only" solutions, but quickly came to realize that long-term support, scalability, and total cost of ownership factors lend themselves more readily to VeriSign's OnSite solutions than to the "software-only" solutions.

Phase Three: Start by Securing Your Servers. Most organizations face a critical security issue with communications between their servers and their internal and external users. One single technology solution, deploying SSL on your servers using Server IDs, provides an easy and effective first step to dramatically improving security throughout your system. This step will be discussed in detail in the following section of this guide.

Phase Four: Continue by Deploying Client ID and VPN Solutions. These solutions take somewhat more effort to deploy than Secure Server IDs and SSL. However, these steps are necessary to achieve the goals of authenticating users on your network and to ensure non-repudiation of transactions or communications. With the OnSite solution, your organization can use the same interface and infrastructure to issue Server IDs for SSL; Client IDs for SSL, S/MIME, and other applications; and IPSEC IDs for routers, firewalls, and other parts of your Virtual Private Network.

Information technology audit


An information technology audit, or information systems audit, is an examination of the controls within an Information technology (IT) infrastructure. An IT audit is the process of collecting and evaluating evidence of an organization's information systems, practices, and operations. The evaluation of obtained evidence determines if the information systems are safeguarding assets, maintaining data integrity, and operating effectively and efficiently to achieve the organization's goals or objectives. These reviews may be performed in conjunction with a financial statement audit, internal audit, or other form of attestation engagement. IT audits are also known as automated data processing (ADP) audits and computer audits. They were formerly called electronic data processing (EDP) audits.

Purpose
An IT audit should not be confused with a financial statement audit. While there may be some abstract similarities, a financial audit's primary purpose is to evaluate whether an organization is adhering to standard accounting practices. The primary functions of an IT audit are to evaluate the system's efficacy and security protocols, in particular, to evaluate the organization's ability to protect its information assets and properly dispense information to authorized parties. The IT audit's agenda may be summarized by the following questions:

Will the organization's computer systems be available for the business at all times when required? (Availability)
Will the information in the systems be disclosed only to authorized users? (Confidentiality)
Will the information provided by the system always be accurate, reliable, and timely? (Integrity)

The IT audit focuses on determining risks that are relevant to information assets, and on assessing controls in order to reduce or mitigate these risks. Implementing controls can minimize the effect of risks, but it cannot eliminate all risks entirely.

Types of IT audits
Various authorities have created differing taxonomies to distinguish the various types of IT audits. Goodman & Lawless state that there are three specific systematic approaches to carrying out an IT audit:

Technological innovation process audit. The aim of this audit is to construct a risk profile for existing and new projects. The audit will assess the length and depth of the company's experience in its chosen technologies, as well as its presence in relevant markets, the organization of each project, and the structure of the portion of the industry that deals with this project or product.
Innovative comparison audit. This audit, as its name implies, means conducting an analysis of the innovative abilities of the company being audited, in comparison to its competitors. This requires examination of the company's research and development facilities, as well as its track record in actually producing new products.
Technological position audit. This audit reviews the technologies that the business currently has and that it needs to add. Technologies are characterized as being either "base", "key", "pacing", or "emerging".

Others describe the spectrum of IT audits with five categories of audits:

Systems and Applications: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: An audit to verify that the systems under development meet the objectives of the organization, and to ensure that the systems are developed in accordance with generally accepted standards for systems development.
Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.
Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (the computer receiving services), on the server, and on the network connecting the clients and servers.

And some lump all IT audits into one of only two types: "general control review" audits or "application control review" audits.

IT Audit Process
The following are the basic steps in performing the Information Technology Audit Process:
1. Planning
2. Studying and Evaluating Controls
3. Testing and Evaluating Controls
4. Reporting
5. Follow-up

Professional certifications of note


Certified Information Systems Auditor (CISA)
Certified Internal Auditor (CIA)
Certification and Accreditation Professional (CAP)
Certified Computer Professional (CCP)
Certified Information Systems Security Professional (CISSP)
Certified Information Security Manager (CISM)
Certified Public Accountant (CPA)
Chartered Accountant (CA)
ISO 27002 Lead Auditor (ISO/IEC 27002)

Other employees involved in IT audits


Board of directors
Senior management
Audit management
External audit staff
Internal audit staff
Operations managers
