Responsibilities And Expected Characteristics Of Stakeholders And Users


02 Nov 2017


Document Number: IAP - 7514338

Issue:

Author: GOKULANATHAN MURTHY

Approval Authority: Chief Executive of the Council

Distribution: Each Service group’s head

Risk assessment group participants:

ANTONY AROKYA DAS GILBERT - 7567197

ISRAH ELRAJHY-7544726

ASEIM SAFAYA-7576502

MANJARI KUPPAYIL SAJI-7536043

CHARALAMBOS LAOS-7515288

NOHA ALNAZZAWI-7461593

CHIOASCA EROL VALERIU-7497701

ROOPA DAS-7521367

EIRINI ALEVIZOU-7489024

SURENDIRAN SHANMUGAM-7500624

ETIKO OLUWATOYIN-7511654

TEMILOLA ABIMBOLA OTI-7524152

GAURAV AGARWAL-7536485

Modification History

Revision | Date | Revision Description
0.01 | 02/01/2010 | Initial draft
0.02 | 13/01/2010 | Updated Risk treatment and counter measures
0.02 | 14/01/2010 | Updated Business continuity plan
1.0 | 16/01/2010 | Final

Contents

1. Modification History
2. Contents
3. System Objectives
3.1. Purpose
3.1.1. Information security
3.2. Information Lifecycle and Classification
3.2.1. Information assets (Physical)
3.2.2. Information Assets (Logical)
3.3. Relevant Topics for Compliance
3.3.1. Regulations
3.3.2. Standards
3.4. Responsibilities and Expected Characteristics of Stakeholders and Users
3.4.1. Human Resources Manager
3.4.2. Security Manager
3.4.3. Line of Business Manager
3.4.4. Operations Manager
3.4.5. Network Manager
3.4.6. IT Manager
3.4.7. Voice Service Manager
3.4.8. Database Administrator
3.4.9. Employees
3.5. Protection Profile
4. Asset Register
4.1. Asset Identification
4.2. Asset Ownership
4.3. Asset Classification
5. Risk Assessment
6. Risk Treatment and Countermeasures
6.1. Application Threats and Countermeasures
  Spoofing
  Tampering
  Information disclosure
  Denial of Service
  Elevation of privilege
6.2. Network Threats and Countermeasures
  Information Gathering
  Sniffing
  Spoofing
  Session Hijacking
  Denial of Service
6.3. Software Threats and Countermeasures
6.4. Information Security policy
6.5. Access control Policy
6.6. Email & Internet Usage
6.7. Data management
6.8. Personal Security Policy
6.9. Physical Security policy
6.10. Equipment Security Policy
6.11. General Security policy
6.12. Third Party Security policy
7. Business continuity
7.1. Business Continuity Objectives
7.2. Business Impact Analysis
7.3. Business Continuity Plan
7.3.1. Prioritisation
7.4. Contacts
7.5. Incident Management
7.5.1. Incident Identification
7.5.2. Incident Classification
7.5.3. Incident Response
7.5.4. Incident Recovery
7.5.5. Incident Prevention
7.6. Response and Recovery Checklist
7.7. Log Sheet
7.8. Audits
7.9. Testing the BCP
8. Disaster Recovery
8.1. Emergency Response during disaster
8.2. Disaster Recovery Team
8.3. Disaster Recovery Plan
8.4. Log sheet
9. User training and Awareness
9.1. User training
9.1.1. Policy statement
9.1.2. Scope
9.1.3. Controls
9.2. User awareness
9.2.1. Responding to Security Incidents and Malfunctions
9.2.2. Policy Statement
9.2.3. Scope
9.2.4. Controls
9.3. Compliance
9.3.1. Compliance with Legal Requirements
9.3.2. Acceptable use and Enforcement
10. Quality Assurance Regime
10.1. Review of Information Security Policy
10.1.1. Policy Statement
10.1.2. Controls
10.2. Inspection
10.3. Audits
10.3.1. Policy Statement
10.3.2. Controls
10.4. Testing
11. Reference
12. Coursework Submission Form

System Objectives

Purpose

This document contains the security assurance plan formulated for Sirius Council Borough of Betelgeuse. The purpose of this report is to define the security requirements and policy needed to mitigate risks and eliminate threats. It contains policies and guidelines for the various departments across the council, and it identifies all the council's assets and their owners. Assets are identified on the basis of criteria such as confidentiality, integrity and availability. The document elaborates the risks and security threats to these assets and the treatment plan, and it also explains the steps to be taken for business continuity, disaster recovery, training and quality assurance.

Information security

Every asset holds some information about the council, and information security is about safeguarding all of it. Information is the heart of every council; because of its value it is exposed to various security threats and vulnerabilities, such as malicious software (viruses, Trojans), information leakage by staff, data corruption, system failure and unauthorised access. To secure this information against these threats, the policies and guidelines should be reviewed against the requirements. Keeping the information secure from such threats is what information security means.

Information Lifecycle and Classification

The council handles information about its business, resources, employees, suppliers and citizens, which is its most valuable asset. To create an information life cycle we have to identify assets and classify them into categories. The importance of an asset is assessed on the basis of its confidentiality, integrity and availability properties, and its security level is decided from that importance. Information can be classified at different levels; a few example levels are:

Personal

Important

Secret

Top Secret

Address Only

Cosmic Top Secret

An information asset can be either logical or physical. The following assets were found in the council.

Information assets (Physical)

PCs

Routers

Servers

Document Image Processors

Phones, etc

Information Assets (Logical)

Databases

Software

Personal records

Email

Training materials, etc

Note: The list of all the assets can be found in the attached Gokulanathan Murthy (7514338).xls file.

Relevant Topics for Compliance

This section lists the important regulations and standards that are followed across the Council to conduct an information security compliance assessment.

Regulations

The Council's employees should comply with the following regulations, as mentioned in ISO/IEC 27001:2005:

Data Protection Act

Freedom of Information Act

Council’s record protection

Communication Act

Computer Misuse Act

The Privacy and Electronic Communication Regulations

Standards

Standards provide the baseline for assuring the system's security against threats. Sirius Council Borough of Betelgeuse and its staff should comply with the following standards:

Information Security Management (ISO/IEC 27002:2005, ISO 17799)

Quality Assurance (ISO 9001)

Risk Management Guide for Information Technology Systems (NIST 800-30)

Responsibilities and Expected Characteristics of Stakeholders and Users

Every stakeholder and user has certain responsibilities in this system assurance plan. The use of technology alone does not guarantee security; to make the systems more secure the council should define the responsibilities and guidelines to be followed by its stakeholders and users, and carry out regular checks to make sure those guidelines are being followed.

Human Resources Manager

The HR Manager is responsible for the employees recruited during their tenure and should check an employee's background before recruiting them. Each employee should know the limits of their access to council resources. The HR Manager is responsible for providing the resources employees require and should make sure that employees follow the guidelines.

Security Manager

The Security Manager and their team are responsible for developing security measures across the council. The Security Manager should make sure that the security policy reaches all departments and that they follow it. Restricted sections of the council should be accessed only by authorised personnel, whose identity should be verified by the security management team before access is granted.

Line of Business Manager

All the council's documents and reports are maintained by the Line of Business Management department, which is responsible for backing up the important documents and ensuring the files are properly secured. Updates made to a file should also be made to its backup copy, and authorisation to access a file should be set when the file is created.

Operations Manager

The Operations Manager is responsible for reviewing the agreements with external suppliers and for ensuring business continuity. They are also responsible for making backup plans for when external suppliers are unable to provide service to the council.

Network Manager

The Network Manager and their team are responsible for the network and ensure that it is secured against external and internal attack. The network is secured in such a way that system performance is not compromised. The backup plan is formulated by the network management team, and the antivirus and firewall are kept up to date to face threats that grow every day.

IT Manager

The IT Manager is responsible for the council's IT infrastructure and defines employees' access to the systems. The IT Manager has to maintain the integrity of the systems and files; their responsibility is to safeguard the systems from threats and stop the misuse of system utilities.

Voice Service Manager

The Voice Service Management team is responsible for the voice network across the council. Each call is recorded to measure call quality, and the stored voice data should be protected from unauthorised access.

Database Administrator

Sirius Council Borough of Betelgeuse functions on the information it possesses. The Database Administrator is responsible for storing and securing the data, must ensure the integrity of the data entered, and should secure it from unauthorised access, data corruption, virus attack, etc. The DB Administrator has the right to grant data access to employees.

Employees

Employees are the major part of the council; they are expected to follow all the security policies and handle assets with care. If any situation goes beyond their control, they are expected to report it to their superiors.

Protection Profile

Information possessed by the council should be protected from threats, and the priority given to an asset should be based on the sensitivity of its information. Information must have a backup in a remote location. Security measures for information systems, such as antivirus software and firewalls, should be installed and regularly updated. Access to sensitive areas of the council should be restricted to authorised persons and monitored by video surveillance; CCTV cameras should be installed in sensitive areas to monitor external and internal threats.

Asset Register

Please refer to the Gokulanathan Murthy (7514338).xls file for the list of assets assessed as part of the information assurance plan.

The three steps in building the asset register are:

Asset Identification

Assigning asset ownership

Asset Classification

Asset Identification

Asset identification helps us understand the important resources of the business; the protection given to an asset can be decided from the sensitivity it carries for Sirius Council Borough of Betelgeuse. The asset that brings the highest value to the council is given the highest priority and secured accordingly.

Asset Ownership

Every asset will have an owner, who is accountable for it. Within a department, the department head will be the owner of the assets used by that department. Owners are identified based on their association with the asset.

Asset Classification

Assets can be broadly categorised in the following manner:

Electronic information assets

Core IT equipment

Paper based assets

Software assets

People

Support service/Equipment

Information Classification and Accountability of Assets

All council information is considered proprietary and will be protected from unauthorised access or disclosure commensurate with its sensitivity. The classification and associated protective controls for an asset shall be determined by the business need to share or restrict the information. A risk analysis of all assets shall be conducted to assess their security vulnerabilities and the effectiveness of existing controls.

Information Labelling and Handling

Sensitive council information should be protected against disclosure to individuals who do not need it. Information shall be labelled and handled in accordance with the classification scheme adopted by the Council, and its copying, distribution, storage and disposal should follow the same scheme.

Software Licensing, Purchase and Insurance

Legal compliance, ongoing vendor support and protection against piracy should be ensured. A separate log should be kept to track software licences. Purchasing of resources shall follow well-defined and documented steps to ensure that the business, technical and security requirements behind all such purchases are met. All council resources, data and associated hardware should be protected against theft, damage, loss, etc.

Server hosting policy

Servers shall be hosted as per pre-defined criteria.

ASP services shall be selected as per a pre-defined set of criteria

Risk Assessment

Please refer to the Gokulanathan Murthy (7514338).xls file for the list of risks and their impact strategy, prepared as part of the information assurance plan.

Risk Treatment and Countermeasures

Please refer to the Gokulanathan Murthy (7514338).xls file for the risk treatment and countermeasures.

Countermeasure: Steps taken to counteract a threat and mitigate the risk.

Listed below are the threats faced by the council’s assets, grouped by category:

Category | Threats
Authentication | Brute force attacks; Dictionary attacks; Cookie replay; Credential theft; Network eavesdropping
Authorisation | Elevation of privilege; Disclosure of confidential data; Data tampering
Configuration Management | Unauthorised access to management interface; Unauthorised access to administration files; Over-privileged service account
Session Management | Man in the middle; Session hijacking; Session replay
Cryptography | Poor key generation; Weak encryption
Exception Management | Information disclosure; Denial of service
Auditing and Logging | User denies performing an operation; Attacker covers his or her tracks; Attacker exploits an application without trace

The following section will discuss the threats and their countermeasures in detail.

Application Threats and Countermeasures

Threats faced by applications can be categorized based on the goals and purposes of attacks. Each application threat [1] has a corresponding set of countermeasure techniques that should be used to reduce risk. The appropriate countermeasure depends on the specific attack.

The application threats and their countermeasures are as follows:

Spoofing

An attempt to gain unauthorised access to the system by using a false identity. The assets in the system are at high risk if an attacker gains access.

Tampering

A man-in-the-middle attacker tries to modify the data we send through the network; files are vulnerable while they are being transmitted.

Information disclosure

Information disclosure by employees may be intentional or unintentional. Examples include comments on a web page that link to the database and weak exception handling; such information can be useful to an attacker.

Denial of Service

Making the system or a service unavailable is a denial of service (DoS). A DoS attack might be accomplished by bombarding a server with request messages to consume all its resources, thus crashing the whole application.

Elevation of privilege

A user with limited privileges tries to gain control of a highly privileged and trusted process or account.

Policy Statement

Use tools to verify the integrity of the application, and use a third party to validate it.

Countermeasures

Use strong authentication

Do not pass credentials in plain text over the wire

Protect authentication cookies with SSL

Use data hashing and signing

Use digital signatures

Use strong authorization

Use strong encryption

Do not store secrets (for example, passwords) in plain text

Use resource and bandwidth throttling techniques

Validate and filter input

Follow the principle of least privilege and use least privileged service accounts to run processes and access resources.
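Two of the countermeasures listed above, "do not store secrets in plain text" and "use data hashing and signing", are the ones most often implemented wrongly. The Python below is an added illustration and not code from the council's plan: it stores only a salted PBKDF2 digest of a password and verifies later logins against it, and it attaches an HMAC-SHA256 tag to a record so that any modification in transit is detected. The signing key, the sample password and the sample record are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed key for the HMAC demonstration only; a deployment would load
# its signing key from a key store, never keep it in source.
DEMO_SIGNING_KEY = b"council-demo-signing-key-not-for-production"
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are stored; the plaintext
    password is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def sign_record(record: bytes, key: bytes = DEMO_SIGNING_KEY) -> str:
    """HMAC-SHA256 tag over a record; without the key the tag cannot be forged."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def verify_record(record: bytes, tag: str, key: bytes = DEMO_SIGNING_KEY) -> bool:
    """True only if the record is byte-for-byte what was signed."""
    return hmac.compare_digest(sign_record(record, key), tag)


def demo() -> dict:
    """Constructed sample: one credential and one record, checked both
    untouched and after a single-field modification."""
    salt, digest = hash_password("correct horse battery staple")
    record = b"payee=Council Treasury;amount=1250.00;ref=2010-0142"
    tag = sign_record(record)
    tampered = record.replace(b"1250.00", b"9250.00")
    return {
        "login_ok": verify_password("correct horse battery staple", salt, digest),
        "login_wrong": verify_password("Correct horse battery staple", salt, digest),
        "record_ok": verify_record(record, tag),
        "record_tampered": verify_record(tampered, tag),
    }
```

Both comparisons go through hmac.compare_digest rather than ==, so the time taken does not reveal how many leading bytes matched; the stored credential is the salt and digest pair, never the password itself.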

Network Threats and Countermeasures

The primary components that make up a generic network infrastructure are routers, firewalls, and switches. Vulnerabilities in the infrastructure, such as weak installation settings and missing security patches, will be targeted by the attacker. The network threats faced and the appropriate countermeasure techniques for them are as follows:

Information Gathering

Open ports are the gateway for attackers; they scan to see whether any port is open. Once the attacker gets in through an open port, he gathers information and attacks the vulnerable parts of the network.

Sniffing

Sniffing is the process of monitoring network traffic for data such as passwords. An attacker can also capture packets and decipher their payload.

Spoofing

Spoofing is a technique for hiding one's true identity on the network and concealing the attacker's address. A carefully spoofed packet may never be traced back.

Session Hijacking

This is also known as a man-in-the-middle attack; the attacker deceives the server into accepting the upstream host (the attacker's host) and manipulates the network so that the attacker's host appears to be the desired destination.

Denial of Service

It denies legitimate users access to a server or its services: the attacker sends more requests to a server than it can handle. The attack exploits a vulnerability in the TCP/IP connection setup and floods the server’s pending connection queue.

Policy Statement

Use firewalls and update and patch them regularly. A UPS should be available to cover power failures in the network.

Countermeasures

Configure routers to restrict their responses to footprinting requests.

Use a firewall to protect the network against denial of service.

The network should be adequately managed and controlled.

Special controls for confidentiality and integrity over public networks.

Information in the network should be secure.

Systems and applications connected to the network should be securely maintained.

Procedures for management of remote equipment must be established.

Special controls for availability of network services.

Operational responsibility for networks must be separated.

Proper segmentation and physical security can prevent DoS.

Use encryption techniques for communication, including authentication credentials.

Filter packets that appear to come from an invalid local IP address.

Use encrypted session negotiation.

Use encrypted communication channels.

Apply the latest patches.

Use a network Intrusion Detection System (IDS) to detect and respond to SYN attacks.
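Two of the countermeasures above, filtering packets that claim an invalid local source address and detecting SYN attacks, can be expressed as one small ingress check. The Python below is an added example and not part of the council's plan; the internal prefixes (10.20.0.0/16 and 192.168.50.0/24), the sample packets and the threshold of five SYN segments per source are constructed assumptions. It drops externally received packets whose source is one of our own prefixes or a non-routable address, then counts SYN-only segments per remaining source so that a flooding host stands out.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Assumed for this example: the council's own address blocks. A packet seen on
# the external interface must never carry one of these as its source address.
INTERNAL_PREFIXES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# A packet is (source address, destination address, TCP flags). Every record
# below is constructed sample traffic arriving from outside the council.
Packet = Tuple[str, str, str]

SAMPLE_EXTERNAL_TRAFFIC: List[Packet] = [
    ("203.0.113.7", "10.20.1.5", "S"),      # legitimate connection attempt
    ("203.0.113.7", "10.20.1.5", "A"),      # ... and its follow-up segment
    ("10.20.3.9", "10.20.1.5", "S"),        # claims to be internal: spoofed
    ("127.0.0.1", "10.20.1.5", "S"),        # loopback source: spoofed
    ("192.168.50.20", "10.20.1.5", "S"),    # claims to be internal: spoofed
] + [("198.51.100.4", "10.20.1.5", "S")] * 6  # repeated half-open SYNs from one host


def is_spoofed_source(src: str) -> bool:
    """Ingress check: an externally received packet whose source is one of our
    own prefixes, or a non-routable address, cannot be genuine."""
    addr = ipaddress.ip_address(src)
    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return True
    return any(addr in net for net in INTERNAL_PREFIXES)


def ingress_filter(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into (accepted, dropped) using is_spoofed_source."""
    accepted = [p for p in packets if not is_spoofed_source(p[0])]
    dropped = [p for p in packets if is_spoofed_source(p[0])]
    return accepted, dropped


def syn_flood_suspects(packets: List[Packet], threshold: int = 5) -> Dict[str, int]:
    """Count SYN-only segments per source; sources at or above the threshold in
    the sampled window are reported to the IDS/operations team."""
    counts = Counter(p[0] for p in packets if p[2] == "S")
    return {src: n for src, n in counts.items() if n >= threshold}


def analyse(packets: List[Packet] = SAMPLE_EXTERNAL_TRAFFIC, threshold: int = 5) -> dict:
    """Run the ingress filter first, then look for SYN floods in what survived."""
    accepted, dropped = ingress_filter(packets)
    return {
        "dropped_sources": sorted({p[0] for p in dropped}),
        "syn_suspects": syn_flood_suspects(accepted, threshold),
    }
```

Running analyse() on the sample traffic drops the three spoofed sources and reports 198.51.100.4 as a SYN-flood suspect; the ordinary client at 203.0.113.7, with a single SYN, is not flagged.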

Software Threats and Countermeasures

These threats affect the system software upon which the applications are built.

Top-level host threats include:

Viruses, Trojan horses, and worms

Footprinting

Expiring licence

Profiling

Password cracking

Denial of service

Policy Statement

Install antivirus on each workstation and make sure it is updated regularly. Authentication must be checked before any user is permitted to use particular software.

Countermeasures

Stay updated with the latest operating system upgrades and software patches.

Disable unnecessary protocols.

Buy new licence before the old licence ends

Lock down ports with appropriate firewall configuration.

Configure web server to prevent information disclosure through banner grabbing.

Use strong passwords for all account types.

Configure applications, services, and operating system with denial of service in mind.

Ensure the application is capable of handling high volumes of traffic

Ensure thresholds are in place to handle abnormally high loads.

Review the application's fail-over functionality.

Information Security policy

Policy Statement

To establish rules to manage information security within the council

Countermeasures

Security committees shall be formed to ensure management support for security initiatives

Information security committees should comprise members from all departments and coordinate the implementation of information security controls

Authorisation and responsibilities of individuals should be clearly defined

Independent review of information security policy should be done from time to time

Important data and information files should be moved to a remote site, and backups should be done regularly

Access control Policy

Policy Statement

Access rights of all employees and third parties to information assets should be granted based on the role they play in the Council.

Countermeasures

Server room access should be granted only to the responsible department, using biometric controls such as iris recognition.

Unauthorised access by any employee should be investigated thoroughly

Such access control should be implemented for all applications and software also.

Access to the systems should be password protected, and passwords should be changed periodically

The allocation of password shall be controlled through a formal password management process

Review the access controls periodically and make changes where needed

Sensitive systems shall have a dedicated (isolated) computing environment

Email & Internet Usage

Policy Statement

Audits of the number of mails sent and received will be done on a regular basis to discourage unofficial mails. The objective is to protect information from being leaked via email and the internet.

Countermeasures

Housekeeping of your inbox and outbox

Train employees to segregate mails

Any logs not conforming to company policy or not in line with the company's interests would be brought to the attention of the respective managers, and disciplinary action should be initiated.

Use encryption and decryption techniques for all mails.

Employees should comply with the copyright, fair usage and license agreements

Internet usage on council premises shall be in accordance with pre-defined criteria.

Data management

Policy Statement

To establish procedures to store the data and make it available when it is needed. Procedures should be reviewed periodically and updated.

Countermeasures

Have security inspection to check the integrity of storage area.

Access should be allowed through the use of swipe cards, biometrics etc.

Store the data in the database in encrypted form and decrypt it when retrieving the information

Data should not be shared with others without the permission of the owner of the data

Disciplinary actions must be in place in accordance with the Data Protection Act 1998

Data backup should be made in a remote site

Personal Security Policy

Policy Statement

Personal security controls will ensure that users granted access to the Council's IT systems are appropriately screened, evaluated, and trained. The objective is to reduce human error, theft, fraud or misuse of information assets.

Countermeasures

Include the security roles and responsibilities in job responsibilities

Carry out character reference and CV checks on all council staff at the time of job application

Employees should sign a confidentiality agreement as a part of terms and conditions

Controls and procedures shall ensure that all employees comply with security processes

Access card should be used to enter the council and each department should have access cards to access their asset.

The departments concerned should be notified of transfer and termination cases so that access can be withdrawn.

CCTV cameras should be kept in place to monitor the council 24/7

Physical Security policy

Policy Statement

Physical protection against unauthorised access and physical damage is needed for the council’s information assets, peripherals, terminals and other related equipment.

Countermeasures

Site selection and construction should be in accordance with the security guidelines

Selection of doors and windows should be in accordance with defined procedures

Cameras shall be used and monitored, and images of people entering the council shall be processed

Secure areas shall be protected by appropriate entry controls, so that only authorised personnel are allowed access

Additional controls and guidelines for working in secure area shall be used to enhance the security of secure areas.

Firefighting equipment, fire exits, and smoke/fire sensors should be placed at appropriate places, and evacuation drills should be done periodically.

Equipment Security Policy

Policy Statement

To establish rules to prevent loss, damage or compromise of assets and related interruptions to business activities

Countermeasures

Equipment shall be sited in a manner that reduces the risk from natural disaster and unauthorised access

Equipment shall be protected from power failures and other anomalies

Cables should be covered so that they are protected from interception or damage

Equipment should be maintained for continuous availability and integrity

Use of equipment outside the premises shall require authorisation by the security committee.

Information should be erased before disposal of the equipment

General Security policy

Policy Statement

To establish rules to prevent compromise or theft of information and information processing facilities

Countermeasures

A clear desk and clear screen policy should be implemented to reduce the risk of unauthorised access and loss of information

Equipment, information and software belonging to the Council shall not be removed without authorisation of the security committee.

Third Party Security policy

Policy Statement

Council partners will also have the same access restriction to which internal users would be subjected. They will be required to formally acknowledge their responsibility for confidentiality through a written statement.

Countermeasures

Partners to the council should be selected as per pre-defined criteria

Third party access to IT assets shall be based on a formal service contract

All contractors/consultants shall be required to sign a non-disclosure agreement

Business continuity

Business continuity ensures the continuous operation of the council's business processes and the services it offers. Unplanned events or interruptions such as natural disasters, system malfunctions or the absence of key employees may halt council operations. A business continuity plan ensures continuity by planning the necessary backups for resources and assets at a remote site.

Purpose

Procedures to be carried out in Sirius Council Borough of Betelgeuse during various disasters.

Assignment of responsibility to various groups for different kinds of disaster.

Business Continuity Objectives

Before a disaster event

Reducing dependence on key personnel

Improving documentation

Decreasing potential threats and exposures

Lowering the possibility of a disaster event

During a disaster event

Avoiding disruptions to essential operations

Protecting employees and users

Safeguarding critical assets

Minimizing confusion and delays

After a disaster event

Reducing financial loss

Decreasing potential legal liability

Ensuring council stability and an orderly recovery

Adhering to legal, statutory and regulatory requirements

Business Impact Analysis

The BIA covers the impact on the business of the malfunctioning of any asset at the council. The priority of the assets is identified and plans for continuity are made as per the analysis. The BIA identifies the critical processes and their associated systems, applications and technology; it analyses the impact of an outage and determines the recovery windows and recovery strategies.

Business Continuity Plan

Prioritisation

The assets are prioritised based on their sensitivity and the impact they have on the council. An asset that enables continuous workflow is given higher priority. During any disaster, assets should be restored within the time specified for their priority level, with the highest-priority assets given the most importance.

The BCP for the Sirius Council Borough of Betelgeuse is listed below.

S.No | Assets | Priority | Impact | Alternative plan | Restore within | Relocation? (Can it be carried out elsewhere)
1 | Information Systems | High | Loss of data | Restore the crashed systems, use data from remote site | 3 hours | No
2 | Software: OS, Antivirus, firewall | High | Crash/licence expires | Try to fix or reinstall | 5 hours | No
3 | Mainframes | High | Crash/loss of data | Restore the crashed systems, use data from remote site | 2 hours | No
4 | Servers | Critical | Overload, breakdown | Try to retrieve data from the server; use secondary servers till new servers are installed | 1 hour | No
5 | Data Warehouse | Medium | Crash/loss of data | Restore the crashed systems, use data from remote site | 1 day | No
6 | Customer services | Medium | Service terminated | Redirect calls to other location | 2 hours | Yes
7 | Communication devices: Routers, modems, cables | High | Physical damage, malfunctioning | Repair or replace with secondary cables | 2 hours | No
8 | Voice network | High | Connection failure | Get service from secondary service provider | 4 hours | No
9 | Data network | Critical | Network failure | Get service from secondary service provider | 2 hours | No
10 | LAN/WAN | High | Network failure | Use different channel to communicate (ex: ISDN) | 1 day | No
11 | Email | Medium | Crash/overloaded | Restore to previous state; use information from backup sites to reply to queries in another form (telephone) | 2 days | No
12 | Reporting tools | High | Crash | Try to fix or reinstall | 3 hours | No
13 | Staff | Medium | Unavailability | Use temporary staff from the resources available until new recruitment is done | 2 days | No
14 | Power | Critical | Power failure | UPS backup should be activated once power failure occurs | 2 hours | No
15 | Office buildings | High | Physical damage | Alternate location | 2 days | Yes
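The "Priority" and "Restore within" columns of the BCP table above define the order in which the recovery team has to work and the point at which the plan is breached. The Python below is an added example, not part of the council's plan: it transcribes those two columns and the relocation flag from the table and derives the restoration order, the assets whose window has already elapsed at a given point into an outage, and the assets that can be carried out elsewhere. The ranking Critical before High before Medium is an assumption made for the example.

```python
import re
from typing import List, Sequence, Tuple

# Rows transcribed from the BCP prioritisation table above:
# (asset, priority, "restore within", relocation possible).
Row = Tuple[str, str, str, bool]

BCP_ROWS: List[Row] = [
    ("Information Systems", "High", "3 hours", False),
    ("Software: OS, Antivirus, firewall", "High", "5 hours", False),
    ("Mainframes", "High", "2 hours", False),
    ("Servers", "Critical", "1 hour", False),
    ("Data Warehouse", "Medium", "1 day", False),
    ("Customer services", "Medium", "2 hours", True),
    ("Communication devices", "High", "2 hours", False),
    ("Voice network", "High", "4 hours", False),
    ("Data network", "Critical", "2 hours", False),
    ("LAN/WAN", "High", "1 day", False),
    ("Email", "Medium", "2 days", False),
    ("Reporting tools", "High", "3 hours", False),
    ("Staff", "Medium", "2 days", False),
    ("Power", "Critical", "2 hours", False),
    ("Office buildings", "High", "2 days", True),
]

# Assumed ranking for the example: lower number is worked first.
PRIORITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}

_DURATION = re.compile(r"^\s*(\d+)\s*(hours?|days?)\s*$", re.IGNORECASE)


def parse_restore_within(text: str) -> float:
    """Convert a 'restore within' cell such as '3 hours' or '2 days' to hours,
    so that windows expressed in different units can be compared."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError("unrecognised duration: %r" % text)
    value, unit = int(m.group(1)), m.group(2).lower()
    return float(value * 24) if unit.startswith("day") else float(value)


def restoration_order(rows: Sequence[Row] = BCP_ROWS) -> List[str]:
    """Assets in the order the recovery team should work them: highest
    priority first, then the shortest recovery window. sorted() is stable,
    so ties keep the table's own order."""
    ranked = sorted(rows, key=lambda r: (PRIORITY_RANK[r[1]], parse_restore_within(r[2])))
    return [r[0] for r in ranked]


def overdue_assets(elapsed_hours: float, rows: Sequence[Row] = BCP_ROWS) -> List[str]:
    """Assets whose recovery window has already elapsed at a given point into
    an outage, i.e. the ones that now breach the plan."""
    return [r[0] for r in rows if parse_restore_within(r[2]) < elapsed_hours]


def relocatable(rows: Sequence[Row] = BCP_ROWS) -> List[str]:
    """Assets the table marks as able to be carried out elsewhere."""
    return [r[0] for r in rows if r[3]]
```

With the table as transcribed, the first three assets in the restoration order are Servers, Data network and Power, and ninety minutes into an outage only Servers has already breached its window.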

Contacts

The names and contact details of the members involved in the BCP should be made available to all employees.

Department/Team | Contact person(s) name | Phone no | Additional information about responsibilities
Central IT Team | XYZ | 111 | PCs, Applications, Network devices.

Suppliers’ details shall also be made available to employees; in case of emergency, suppliers can be contacted to rectify errors.

Company Name | Contact No | Email | Additional information about product/licensing details
AVG | 000 | [email protected] | License expires on 12/07/10

Incident Management

Incident management ensures an orderly response to an incident and the steps to contain its results. Examples of incidents are application errors, a server being down, a service not being available, and denial of service.

Incident Identification

The administrator should look closely at the incident and find the risk that matches it; if none matches, look for a similar incident and apply the risk associated with that one to the new incident. The processes of the affected business area should be closely monitored, and managers should be ready to brief management on the incident.

Incident Classification

Incidents are classified by their intensity into two categories:

Major Incidents

The impact of the incident spreads across the council, infecting more systems and bringing processes to a halt. Ex: virus, worm, Trojan attack.

Minor Incidents

Minor incidents do not affect business continuity. The impact of the incident is limited to a single department or a small group of systems. Ex: service not available.

Incident Response

Any suspicious incident will be reported to the Incident Response Team (IRT). The responsibility of the IRT is to analyse the incident and take the issue to the department involved. The IRT keeps a close watch on the progress of the affected business unit. The report should contain a description, the cause of the incident, the damage observed, and the steps taken to contain the incident. Warnings should be sent to similar departments which may also be affected by a similar incident.

Incident Recovery

This is the process of eliminating the causes of the incident and bringing the system and the process back to normal. It involves applying security measures to tackle the incident and reconfiguring the system so that the incident does not recur. Once recovery from the incident is complete, the affected portion should be monitored to find out the effectiveness of the applied security measures.

Incident Prevention

After the incident the IRT should make sure that all operations are back to normal and that the teams involved are informed about the closure of the incident. People involved in tackling the incident and bringing the process back to normal should be recognised for their work and given incentives. Review the way the incident was handled and look for any better method that could have been used; if there is one, document it for future use.

Response and Recovery Checklist

Use this checklist for the steps to be taken during an emergency.

Preparation Phase

Establish a building evacuation plan

Post the names of the department/supervisor to which employees should report at the time of an incident

Keep track of the changes made to the network

Regularly update the resource available and the information added to it.

Maintain contact information for the employees and regularly update it

Maintain a list of all vendors/customers/shareholders and their scheduled delivery dates.

Store resources at a remote site and make sure the response team members know where they are.

Response Phase

Determine the nature and extent of the emergency.

Inform employees in the building/department of the emergency.

Make sure all traces of the incident are totally removed.

Contact other locations and inform them about the situation.

Contact your vendors/customers/shareholders

Make sure security is in place.

Activate your Disaster Recovery plan.

Log Sheet

The log sheet must be used to record the actions taken during the emergency.

Date | Time | Action taken | Person Responsible
--- | --- | --- | ---

Audits

Audits should be conducted regularly to ensure the validity and relevance of the business processes. Audits should be made internally and also by a third party, and the criteria for the audit should be set by the council.

All the methods and processes mentioned in the business continuity plan should be implemented

Test the council's ability to handle an incident

All the actions taken by the incident response team during the incident are recorded and reviewed by the audit team

Review the BCP and update it as per the need of the day

From the audit results, changes are made in the concerned department to make the system more secure

Testing the BCP

Test the BCP to find out whether all angles have been covered and whether the plan is achievable

Check whether the third parties involved in the BCP are ready to respond

Measure the time required to run the backup systems

Check whether the BCP is realistic and can be put in place in the expected timescale

Check the validity of the backup data and check for updates in the backup data

Test how the employees react during an emergency period

Drills to be done bi-annually as per plan

Lessons learnt to be fed back into the BCP to roll out the next version

Disaster Recovery

Disaster recovery is the set of steps to be taken to restore the council's operations after a disaster. A disaster can be the result of a hacker attack, malicious software, natural disaster, unauthorised access to the council's data, etc.

Emergency Response during disaster

Activate the Disaster Recovery Team to implement the disaster recovery plan

Make sure all the employees assemble outside the building (in case of earthquake or fire); it can be the Civic Centre parking area

When there is a disaster the Emergency Response Team should be called; they should measure the intensity of the disaster and assign a Disaster Recovery Team for each case

All staff members should know how to contact their Disaster Recovery Team

Decide which disaster plan can be implemented for the disaster

Disaster Recovery Team

The disaster recovery team is formed from members of different departments. Each department will have a member in the team, so that decisions for each department will be quick and precise. The aim of the team is to implement the disaster recovery plan and restore the functions of the council. The team should restore the lost assets and ensure continuous operation. The duties of the disaster recovery team are:

Prepare a quick report about the disaster

Analyse the situation and check whether any asset can be saved from further disaster

Test whether the business continuity plan can be carried on without any blockage

Split the work among the team based on the specialisation of the members

Establish an emergency service within 2 hours to notify the clients/shareholders about the work done for the restoration of service

Restore key services within 4 hours of the incident

Identify the root cause and try to reduce the impact

Work with the owner of the asset to learn more about the asset and its impact on the council

Assets should be given priorities based on the intensity of the damage and its impact on business

Mock drills should be performed after the recovery from disaster

Document the proceedings, review the steps taken and, if necessary, make changes to them.

Risk assessment should be done once a year

Train the employees in how to act at times of disaster

Record all the actions and log it for future reference

Measure the cost of the impact to claim insurance

Disaster Recovery Plan

The Disaster Recovery Plan (DRP) lists the key assets that need to be restored or recovered after a disaster. The DRP ensures the stability of the process and the integrity of the systems used. The DRP should be stored in a remote location, and the plan should be accessible at times of disaster. The table below highlights the key assets of the council and the ways to recover them.

Asset | Impact Rating | Department Responsible | Contact Person(s) | Recovery Plan | Recovery Time
--- | --- | --- | --- | --- | ---
Information Systems | 1 | IT Department | Mr. ABC | Replace the affected system/upgrade | 1 - 2 hours
Software: OS, antivirus, firewall | 1 | IT Department | Mr. ABC | Reinstall | 1 - 2 hours
Mainframes | 2 | IT Department | Mr. ABC | Backup/remote location storage | 1 day
Documents: financial, strategy | 2 | Management Team | Mr. ABC | Backup/revise it | 1 day
Servers | 1 | Networking Team | Mr. ABC | Secondary backup servers | 1 day
Public kiosk | 3 | IT | Mr. ABC | Replace it | 3 days
Data Warehouse | 2 | Database admin | Mr. ABC | Backup in remote location | 1 day
Email | 2 | IT Department | Mr. ABC | Reconfigure, secondary servers | 1 day
Cables, routers, modem | 3 | IT | Mr. ABC | Replace it | 1 day
Networks: LAN, WAN, data, voice | 1 | Network department | Mr. ABC | Alternative connection | 4 - 6 hours
Staff | 2 | HR Department | Mr. ABC | Replacement/temporary resource | 2 days
Reporting Tools | 2 | IT Department | Mr. ABC | Reinstall | 5 hours
Power | 3 | IT Department | Mr. ABC | UPS backup | 4 - 6 hours
Office buildings | 3 | Security Department | Mr. ABC | Alternate location | 2 days
Customer services | 2 | IT Department | Mr. ABC | Alternate location | 2 days

Impact: 1 = major impact, 5 = minor impact

Log sheet

The log sheet must be used to record the actions taken during the recovery time.

Date | Time | Disaster type | Action taken | Person responsible
--- | --- | --- | --- | ---

User training and Awareness

Growth in technology has brought fast processing and accuracy, but illiteracy in the use of those new technologies may lead to breaches of the security code. It is the council's responsibility to provide training to the council employees. Training brings awareness among the employees about the threats and vulnerabilities to the information they possess. They become aware of the policies and controls they have to follow.

User training

Policy statement

All users of the council systems should be provided training with regard to Sirius Council's policies, standards and guidelines to ensure that users are aware of information security threats and concerns, and are equipped to support the Sirius Council Borough of Betelgeuse Information Security policy in the course of their normal work.

Scope

This policy shall apply to all Council associates and to all information assets in the custody of their respective owners, including client data, software, applications, storage, access and distribution to users both internal and external.

Controls

Information security Education and Training

All employees of the council and, where relevant, third party users shall receive appropriate training and regular updates in the council's policies and procedures.

User awareness

Responding to Security Incidents and Malfunctions

Users should be aware of the council's policies, standards and guidelines; awareness by experience will give the employees confidence to face any problems. Each employee should be aware of how they should respond to an incident.

Policy Statement

Establish rules to minimise the damage from security incidents/malfunctions, and to monitor and learn from such incidents.

Scope

This policy shall apply to all Council associates and to all information assets in the custody of their respective owners, including client data, software, applications, storage, access and distribution to users both internal and external.

Controls

Reporting of Security Incidents/weaknesses/Malfunctions

The user of an asset should be able to note and report any suspected security incidents, security weaknesses or software malfunctions through appropriate management channels as quickly as possible.

Learning from incidents

The types, volumes and costs of incidents and malfunctions shall be quantified and monitored to the extent possible.

Disciplinary Process

The violation of Council security policies and procedures by associates shall be dealt with through a formal disciplinary process.

Compliance

Compliance with Legal Requirements

Policy Statement

To establish rules to avoid breach of any criminal or civil law, statutory, regulatory and/or contractual obligation, and any security requirement.

Controls

Identification of Applicable Legislation

All relevant statutory, regulatory and contractual requirements shall be defined explicitly and documented for each information system.

Intellectual Property Rights

Legal restrictions on the use of proprietary software products and other material shall be complied with.

Safeguarding of Council Records

Important records of the Sirius Council Borough of Betelgeuse shall be protected from loss, destruction and falsification.

Prevention of Misuse of Council Information Processing Facilities

The Council security committee shall authorise the use of information processing facilities, and controls shall be applied to prevent the misuse of such facilities.

Collection of Evidence

Where action is taken against an employee in the council which involves the law, either civil or criminal, the evidence presented shall conform to the rules for evidence laid down in the relevant law. This shall include compliance with policy, control and standards published by the Sirius Council Borough of Betelgeuse.

Acceptable use and Enforcement

Along with all the policies, controls and guidelines, the employees should be given training about the use of the assets they handle. Training materials and manuals should be made available to all employees of the council. Any update to the policy/guidelines should be made available to the employees. Third parties involved with the council should sign an agreement in which the policy and controls are stated.

Employees must be aware of the level of authorisation they have to each asset. All employees and staff working in the council should sign a policy declaration form at joining time. Any violation by an employee will face disciplinary action according to the law books. Serious offences may result in termination from the council, and legal action will be taken.

Quality Assurance Regime

Quality assurance is required to assess the business plan of the council. A quality assurance regime is required for the council to provide service to high standards. Quality should be improved in the security policies, procedures, processes and controls, so regular updates, reviews, audits and testing should be made to maintain the quality standard.

Review of Information Security Policy

Policy Statement

Establish rules to ensure compliance of systems with Council security policies.

Controls

Compliance with Information Security Policy

Reviews should be made quarterly and the resulting updates should be amended into the information assurance plan. Reviews should have defined criteria so that the effectiveness of the policy is tested and necessary changes can be made. The review should test the technical aspects, standards and usability of the system. Whenever a new technology is introduced to the council, the review team should review the new system and make their feedback available to the department working with it. All reviews and feedback should be documented for future reference.

Technical Compliance Checking

Systems should be checked regularly for compliance with security implementation standards. Obsolete systems should be replaced and software should be updated regularly.

Inspection

Inspections should be done periodically in randomly chosen departments, without any prior notice. The aim of inspection is to find out any negligence of the employees in following standards/policy. The inspection team should be formed of one staff member from each department. After each inspection a detailed report should be submitted by the team to the management. All reports and proceedings should be recorded.

Audits

Policy Statement

To establish rules to maximise the effectiveness of the security policy, and to find ways for improvement. Audits will be conducted to:

Ensure integrity, confidentiality and availability of information and resources

Investigate possible security incidents

Ensure conformance to Sirius Council Borough of Betelgeuse security policy

Monitor user or system activity where appropriate

Controls

System Audit Controls

Audits of operational systems shall be planned and performed at a frequency and in a manner that minimises the risk of disruption to business processes.

Protection of System Audit Tools

Access to system audit tools should be protected to prevent any possible misuse or compromise.

Testing

Each department should have a team to test the platform and the process. The team should use tools like nmap, X-scan and Nagios to test their network. Systems should be scanned with antivirus software to detect viruses, spyware, malware and other vulnerabilities. Mock tests should be done for the business continuity plan and the disaster recovery plan to make sure they are up to date. Vulnerabilities associated with an asset should be mitigated or eliminated. Testing should be done regularly and also whenever a new system or technology is introduced in the council. New technology should be tested to make sure it does the required job without error.

Penetration testing should be done to find the vulnerabilities that would allow a hacker/cracker to destroy or steal information. The testing should be done by someone who knows about hacking/cracking. Third party penetration testing can also be done to find vulnerabilities. Once a vulnerability is found, the system administrator and the owner of the asset are informed so that the changes needed to make the system secure can be made. The intent of penetration testing is to find out the business impact if such an attack occurs.
