|
|
|
|
|
|
The Iso 17799 The Definite Guide For Security Geeks (Part 6)
|
In this part of the ISO series we will discuss the sixth and the seventh section of the standard , The Sixth section ( Personnel Security) talks about the proper hiring process for a company that wants to minimize security risks.
The standard in 6.1 calls for adding security requirements in the employee’s contracts, background checking and screening for employees in critical positions.
Clause 6.2 talks about the necessity of proven security trainings for regular users, clause 6.3 discusses the security incidents handling procedures and that there should be a known disciplinary action policy known and communicated to all users.
To some extent clause 6.1 is implemented in Egypt as a common best practice as a part of the routine of hiring, but we need to invest some time on the clauses to follow but I can assure you that Egyptian companies are on the right track when it comes to users security training. You can’t compare the training programs nowadays with the ones we used to have 5 years ago for instance.
The clause 6.3 that requires a proper method for incidents handling is somewhat immature in Egypt but actually it’s the same status in many other countries. As we know adopting a damage assessment mentality requires a world class organization.
One of the very exciting controls is section 7 (physical and environmental security), the objective is to: prevent unauthorized access, damage and interference to business premises and Information.
What would all the firewalls in the world do if an intruder can walk away with a hard disk or an SDLT tape holding the company backups or even shoving a USB thumb drive in a server and copying all the confidential folders?
I have seen some really extreme measures taken in that regard, for instance in one of England’s top ISPs and upon entering the servers room a tile at the door step actually weighs your weight while entering the server room and then it weighs you again on your way out , you wouldn’t be happy if you gained some weight inside.
The minute a weight variance is detected, the alarm happily sings.
So my advice is to never walk out of that room holding a hard disk for instance.
But the standard doesn’t go that far, it asks for very basic and simple things for example in clause 7.1 (physical security):
• The security perimeter around your equipment should be clearly defined.
• Physical access should be controlled (Security personnel, IDs, Biometrics, sweeping cards, keypad locks…etc.
• As much as possible minimize the number of stations located in open areas.
• All personnel should be trained to report any suspicious act or a never seen before personnel working around the data center of instance.
• Visitors should never be left unattended and should be escorted at all times.
In clause 7.2 (Equipment security), the standards strongly remind us that we should have policies or company procedures governing the below:
• A clear desk and clear screen policy for instance, where employees should never leave confidential papers scattered around their office or on their desks.
• Also employees should take extreme care in leaving their machines logged on and got attend a two-hour meeting. Thus a decent security auditor would name a company if it doesn’t implement an automatic screen lock after 15-20 minutes of in-activity on any of the company computers.
• Secure cabling: Companies should have redundant paths as much as possible, use fiber cables, initiate regular sweeps to check if any external/alien device is connected to the company cables. Taking computer equipments outside the premises should be controlled so that employees should be aware that Portable computers should be carried as hand luggage and disguised where possible when traveling.
• Offsite backups: Moving a copy of the company backups outside the premises to a remote secure location is a very recommended best practice, but those backups should be removed in a secure and controlled way, some companies encrypt the offsite backups as a precaution.
Posted by ROOT Technologies
|
|
|
|
|
