What Is The Data Protection Act 1998


02 Nov 2017


Umair javed [gcpk-hnd1016]

Higher National Diploma in Computing and System Development, Grafton College, Islamabad.

Contents

Information Security

Introduction

The field of information technology is now one of the largest in the world. There is a lot of research and development going on in this field, and it is a very profitable industry as well. But as the world of technology advances to new heights, the risks and vulnerabilities in data integrity and personal security are also growing. Many individuals, businesses and companies have fallen victim to cyber criminals, hackers and viruses.

Types of security threats

As vast as the field of IT is, the threats to its integrity are also of many kinds. The following are the most common types of security threats:

Adware

Backdoor Trojans

Boot Sector Viruses

Chain Letters

Cookies

Denial of Service (DoS)

Worm

Obfuscated Spam

Parasitic Viruses

Pharming

Phishing

Sniffing

Page Jacking

Mouse Trapping

Adware

Adware is a software program that shows advertisements and popup screens when it is run on a PC. Running advertisements is not a problem but there are certain things in adware that might become problematic or annoying.

It is usually installed hidden inside some other program that neither asks for the user’s consent nor gives any notification. It usually hijacks your browser to display more ads and also modifies other software programs to show ads while they are running.

Backdoor Trojans

Trojans break into a computer by posing as a legitimate program and then allowing another user to remotely access the infected computer. This virus is a big potential threat to a computer user’s security and privacy. Once the Trojan is executed, it can track all of the user’s activities, run programs remotely, keep a record of keystrokes and steal data.

Boot Sector Viruses

Boot sector virus is one of the oldest viruses and is rarely encountered today. It basically replaces the original files of the operating system with modified files so that when a computer is switched on, it can take control of the system. This virus can only infect if a person accidentally boots from an infected CD, floppy or Hard Disk.

Chain Letters

Chain letters are not typical viruses but simple emails that urge people to forward them to as many others as they can. They usually contain hoax information, false claims of prizes, petitions, jokes and pranks, and are written to be circulated to as many people as possible, which is why they contain funny, interesting or thrilling news and offers, e.g. the claim that the internet would be closed for maintenance on 1st April.

Cookies

Cookies are small text files that store your personal data on the computer and send them to the websites you visit repeatedly, so that you don’t have to enter and fill forms again and again. So when a website is re-opened on a computer, rather than asking for all the same data input again, it simply gets it from the cookies.

This, as much as it is a utility, can also become a problem. If the website shares your data with other advertising software or websites so that they can display ads matching your interests on your screen, it can get annoying or misleading.

Denial of Services (DoS)

This type of attack works by overloading or shutting down a target computer so that a legitimate user can’t access it. Such attacks are most often launched against web servers.

A Denial of Service attack sends oversized packets to a computer to overload it, gives it more instructions than it can handle, or sends an email with an attachment name longer than the mail service allows. A Distributed Denial of Service (DDoS) attack is launched from multiple computers against a single server or computer, for the same purpose as a DoS attack: the many computers rapidly send files, emails or instructions to overload the target.

Worm

Worms, unlike other viruses, are independent files because they don’t need any carrier program to execute. They simply work on their own, making exact copies of themselves inside a computer until the processor and RAM are clogged and the computer slows down. Not only within one computer: a worm can also spread across several connected computers by exploiting security holes.

Obfuscated Spam

This type of spam is another attempt by hackers and spammers to bypass anti-spam software. It simply writes the file name (or subject) in a format that the anti-spam filter doesn’t recognize, usually by putting spaces between the letters of the name, like "J A I L B R E A K", or by replacing letters with other symbols, like "JA!LBR3AK".
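The filter-side answer to the two obfuscation tricks above is to normalize a subject line before matching it against a blocklist: strip the inserted separators, then map look-alike digits and symbols back to letters. The following is an added example written for this page, not code from the essay or from any anti-spam product; the blocklist, the substitution table and the sample subjects are all constructed for illustration.

```python
import re

# Constructed blocklist of terms the filter is looking for (example data only).
BLOCKED_TERMS = {"jailbreak", "freeprize"}

# Common single-character substitutions used to dodge exact-string matching.
# Hypothetical table: a real filter would tune this to the spam it actually sees.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})


def normalize(text: str) -> str:
    """Undo the two obfuscations described in the text.

    1. Remove whitespace and separators inserted between letters
       ("J A I L B R E A K", "J.A.I.L-B.R.E.A.K").
    2. Map look-alike symbols back to letters ("JA!LBR3AK" -> "JAILBREAK").
    The result is lower-cased so matching is case-insensitive.
    """
    collapsed = re.sub(r"[\s._\-]+", "", text)
    return collapsed.translate(LEET_MAP).lower()


def find_blocked(subject: str) -> list:
    """Return the blocked terms found in the normalized form of a subject line."""
    norm = normalize(subject)
    return sorted(term for term in BLOCKED_TERMS if term in norm)


if __name__ == "__main__":
    for sample in ("Get your J A I L B R E A K today",
                   "JA!LBR3AK now",
                   "FR33 PR!Z3 inside",
                   "Quarterly report attached"):
        print(f"{sample!r:40} -> {find_blocked(sample)}")
```

Because all separators are removed from the whole line, an innocent phrase whose words run together into a blocked term ("the jail break scene") will also match; in a real filter this stage feeds a scoring engine rather than rejecting mail outright, so that such false positives cost a few points instead of a lost message.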

Parasitic Viruses

Parasitic viruses are viruses attached to different files in such a way that if the program is run, the virus can execute before the control is transferred to the original program. In that way, the operating system does not recognize it as a malware and gives the same rights to the virus as well.

Pharming

Pharming is a term that refers to redirecting users from legitimate websites to bogus ones for different purposes, such as serving ads, increasing traffic to a certain website or stealing personal data. How this is done is the real question. To understand it, we first have to understand the following:

Every website has its own IP address, in a form like 127.0.0.1, but remembering these numbers for each site is very difficult, so each website is assigned a name that is easily remembered. Once a website name, e.g. www.google.com, is entered, the name is converted to its IP address, either by the local hosts file on your PC or by DNS on the internet. Pharming modifies the local hosts file on your PC with the help of Trojans, or in the other case it "poisons" the DNS directory, which means the IP addresses saved in it are compromised.
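Of the two pharming routes described above, the hosts-file route leaves evidence on the machine itself, so a defender can audit that file for names that should never be pinned locally and for a loopback name that has been pointed elsewhere. The following is an added example written for this page, not code from the essay; the sample hosts-file content, the list of protected names and the IP addresses are all constructed for illustration. DNS cache poisoning, the other route, is not visible in the hosts file and is not covered here.

```python
import ipaddress

# Constructed sample hosts-file content (not a real file): two normal loopback
# entries and one entry that pins a public site to an address it should not use.
SAMPLE_HOSTS = """\
# Standard loopback entries
127.0.0.1       localhost
::1             localhost
# Suspicious: a public site pinned to a fixed address
198.51.100.23   www.example.com   # trailing comment is ignored
"""

# Hypothetical list of public names that should never appear in a hosts file.
PROTECTED_NAMES = {"www.example.com", "login.example.net"}


def parse_hosts(text: str):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # malformed line: no hostname
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line: not an IP address
        for name in parts[1:]:
            yield str(addr), name.lower()


def audit_hosts(text: str, protected=PROTECTED_NAMES) -> list:
    """Return (ip, name, reason) triples for entries that deserve review.

    Two checks are applied:
    - a protected public name is pinned locally (the hosts-file pharming case), or
    - 'localhost' is mapped to an address that is not a loopback address.
    """
    findings = []
    for ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if name in protected:
            findings.append((ip, name, "protected public name pinned locally"))
        elif name == "localhost" and not addr.is_loopback:
            findings.append((ip, name, "localhost points away from loopback"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {name:24} {reason}")
```

On a real system the same functions would be run over the contents of /etc/hosts or the Windows hosts file; an organization that manages its own hosts entries would extend the protected-name list with the sites its staff log in to, and treat any unexpected entry as a reason to check the machine for the Trojan that put it there.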

Phishing

Phishing is a term made up from two different terms. One term is "fishing" and the "ph" is used from the term "phreaker" which was used for telephone network hackers.

Phishing means sending bogus emails to people to get their personal data, passwords and accounts. It is usually pulled off by sending links of bogus websites, and requiring people to enter their account and password.

Sniffing

Sniffing refers to the process where hackers intercept the data packets being transferred to a computer. It is the most subtle and stealthy form of hacking because the data is not even stolen; it is just copied to another PC and forwarded as it is. No one can trace it once the data is sniffed. The only cure is prevention through firewalls, encryption and tunneling.

Page Jacking and Mousetrapping

Page Jacking means making a fake copy of a legitimate website by copying its page descriptor information, META information and other contents to fool people into putting their information in it. This hack is pulled off by submitting the copy of the original website to popular search engines. When people search for it, they see both the websites and are misled to the bogus copy. Sometimes, it is followed by mousetrapping, which means once the user goes on the bogus website, he cannot get back out. The back button leads to other random pages. You either have to exit the web browser or restart your PC.

Data Protection Act 1998 – and an evaluation of data processing regulations (w.r.t. the Data Protection Act 1998 & Computer Misuse Act 1990)

Under this heading, a general overview and explanation of the Data Protection Act 1998 is given in the form of Questions & Answers, definitions and examples:

What is the Data Protection Act 1998?

It is a law that protects personal privacy and upholds individuals’ rights.

Does the Act affect you?

Yes. The Data Protection Act applies to anyone who handles or has access to information about individuals. The Act also gives rights to the people the information is about. By law, everyone in the workplace must follow the rules set out in the Act and help protect individuals’ rights.

What are your responsibilities?

The Act helps make sure that the information held on computers and in some paper based systems is managed properly. You must protect personal information by following the eight principles of good practice.

Why do you need to know about the Data Protection Act (DPA)?

Anyone who handles personal information as part of his or her job must be aware of the DPA. The Act applies to both employers and employees of the Board.

Definitions

To understand the principles of the Act, you need to know what the main terms mean. Here are some definitions.

Data Controllers: are people or organizations that hold and use personal information. They decide how and why the information is used. As data controllers, employers have a responsibility to establish workplace practices and policies that comply with the DPA.

Data Subjects: are the people the information is about. Within the workplace, they may be current employees, people applying for jobs or former employees. Data subjects might also be pupils, suppliers or other people information is held about.

Data Users: include employees whose work involves processing personal information. As a data user, you have a legal duty to protect the privacy of individuals in the way you handle their information. You must follow your Unit’s procedures on handling and releasing information.

Data Processors: may be separate organizations that process information on behalf of data controllers. They must also follow the DPA and make sure information is handled properly and securely.

Data: is recorded information, whether stored electronically on computer or in paper- based filing systems.

Personal: means that the information is about an identifiable living being. Personal data can be factual, such as a name, address or date of birth, or it can be an opinion, such as how a manager thinks an employee has performed at an appraisal. It can even include a simple e-mail address.

Processing: is any activity that involves the data. This includes collecting, recording or retrieving the data, or doing work on the data, such as organizing, adapting, changing, erasing or destroying it.

Sensitive Personal Data: includes information about someone’s racial or ethnic origin, political opinions, and religious or other beliefs, trade union membership, health, sexuality, or criminal proceedings or convictions. Sensitive personal data can only be processed under strict conditions. In most cases, this means getting permission from the person the information is about.

The Act is based on eight data protection principles, or rules of good information handling.

In summary, the data must be:

1. Processed fairly and legally.

2. Processed for limited purposes and in an appropriate way.

3. Relevant and sufficient for the purpose.

4. Accurate.

5. Kept for as long as is necessary and no longer.

6. Processed in line with the individuals’ rights.

7. Secure.

8. Only transferred to other countries that have suitable data protection controls.

First Principle

Personal data must be processed fairly and legally.

Processing applies to all uses of data from collecting and storing data, to retrieving, organizing and destroying it. There are two main conditions to this first principle. Either the data subject must give their permission or the processing is necessary for legal or contractual reasons.

For data to be processed ‘fairly’, the data subject should know who the data controller is, why the data is being processed, and any other necessary information, such as the likely consequences of the processing. Individuals must not be deceived or misled as to why the information is needed.

For data to be processed ‘legally’ it must not lead to any kind of discrimination and should not go against other laws such as the Human Rights Act 1998.

Second Principle

Personal data must only be obtained for specific and legal purposes, and must only be processed in a way that is consistent with the specified purpose.

Data controllers and data users must not collect and use data unless there is a specific and valid reason for doing so.

The data subject must be told what the information will be used for. Personal data collected for one reason must not be used for any other unrelated purpose.

For example, names and addresses of staff that are held for employment purposes must not be given to a mail-order company, without their permission. See section on Forms page 10.

Third Principle

Personal data must be adequate, relevant and not excessive for the purpose it is processed for.

Only data needed for the specific purpose should be asked for or recorded. Information that is not relevant for the purpose must not be collected simply because it might be useful in the future!

Likewise, when filling in forms about staff, parents, pupils or other data subjects, you should only record relevant information, not inappropriate personal remarks. These comments would have to be disclosed if somebody asks to see their personal information.

Fourth Principle

Personal data must be accurate and where necessary, kept up to date.

Incorrect and misleading data are inaccurate. Data users should record data accurately and take reasonable steps to check the accuracy of information they receive from data subjects or anybody else.

Managers should review personal information held so that only up to date and accurate information is kept.

Fifth Principle

Personal data processed for any purpose must not be kept for longer than is necessary to fulfil that purpose.

Organizations will need to keep some data on current and past employees to respond to enquiries from a new employer or from the Inland Revenue. Data also needs to be kept to meet legal obligations or to support the business process.

Other types of personal data may not be relevant for future purposes and should not be kept for longer than necessary.

The Board has a Disposal of Records Schedule which identifies the retention period of files, including those files which contain personal data. If in doubt your Manager will be able to advise you on the Unit’s retention periods.

Sixth Principle

Personal data must be processed in line with the data subject’s rights. The rights of individuals are central to this principle:

These rights include the following:

• The right of subject access lets individuals find out what information is held about them.

• Data subjects have a right to prevent processing that is likely to cause damage or distress to themselves or anyone else.

• They also have the right to claim compensation for damage and distress caused by someone breaking the conditions of the Act.

• Rights in relation to automated decision-making mean that significant decisions should not be made about individuals using automatic processing alone.

• Individuals have the right to prevent processing for direct marketing – data controllers must not use personal data for direct marketing purposes if the data subject asks them not to.

• Individuals have the right to take action to correct, block, erase or destroy data that is inaccurate or contains opinions that are based on inaccurate data.

Exceptions

There may be situations in which these rights do not apply. For example, individuals do not have the right of subject access if it affects the way crimes are detected or taxes assessed.

Subject access may also be denied if the information requested involves disclosing personal data about a third party (that is another identifiable living individual) and he or she objects.

Seventh Principle

Appropriate security measures must be taken to protect against unauthorized or illegal data processing.

Data controllers will make sure that security controls are in place and are followed. These may be technical (for example, relating to computer systems) or organizational (for example, management structures and the physical layout of the workplace).

Only employees who need to use personal data to carry out their work should have access to that data.

Eighth Principle

Transferring personal data outside the European Economic Area (EEA) is restricted unless the rights and freedom of data subjects are protected.

Some countries outside Europe do not have the same legal requirements to protect information. The eighth principle means your employer or data controller must take steps to make sure personal data that is transferred outside the EEA is secure!

Data Collection – Use of Forms

The Board collects personal data about pupils, staff etc. through the use of forms. The personal information being collected must be justifiable (see Principle No. 3) and clear as to what the data is to be used for. In this respect forms may need to declare the purpose of collecting/holding/processing the data and offer an assurance as to its processing.

Sensitive Personal Data

Some Board Units may hold data which is sensitive personal data under the Act. If you collect such data for the purpose of monitoring, i.e. religion or ethnic origin, medical data, you need to satisfy the requirements of Condition 9 of Schedule 3 of the Act. The purpose of collecting this type of data should always be stated. This information should be kept secure and confidential, and this should be stated. If racial and ethnic origin data is being collected for any other reason, the purpose must meet another condition within Schedule 3 of the Act before being processed, in addition to meeting a condition from Schedule 2. If in doubt contact the FOI Unit.

The title on the form may already make it obvious to the data subject what their information will be used for. If this is clear a statement as to the purpose is not required.

The statement can appear on the top or bottom of the form so that the data subject is made aware of the implications of their data being processed before they sign the form.

Suggested Data Protection Statements could be:

(a) If purpose of form is clear from title: The information on this form is covered by the Data Protection Act 1998.

(b) If purpose of form is unclear: The information on this form is required for the purpose of <state the purpose>. The information is covered by the provisions of the Data Protection Act 1998. Your signature to the form is deemed to be an authorization by you to allow the Board to process and retain the information for the purpose(s) stated.

It may be necessary to inform the data subject how long their data will be kept. This would probably apply whenever the data is kept for longer than the statutory minimum periods and where the information is likely to cause harm or distress if it is used after it becomes inaccurate or out of date.

Disclosures

Personal information can only be disclosed:

1. to the data subject (the person to whom the data relates);

2. with the data subject's consent;

3. If required in life and death situations (Schedule 2 of the Act);

4. If it is not covered by an exemption;

5. If it is to a notified recipient (a registered disclosure). This would be detailed in the Notification of Personal Data form for automated data (see Intranet for details of the Board’s Notification); or

6. If the disclosure is necessary to carry out the purpose for which the personal data has been obtained fairly and lawfully (note: the data subject should be aware of such disclosures).

If you need to disclose an individual's information to deal with an enquiry one of points 1 - 6 above should apply. If you are at all unsure about making a disclosure, take the individual's telephone number and speak with your line manager.

(a) Disclosing Information to the Data Subject

Before disclosing any personal information you must be satisfied that you are talking to the data subject by asking for proof of identity. If they have no proof of identity or the enquiry is over the telephone, the following procedure should be followed:

• Ask questions which you believe only the data subject could answer, e.g. child’s birth date, address, family names, etc.

• The data subject must answer at least two questions correctly before you disclose any personal information to them. If you are at all unsure of the individual's identity or your questions were not answered correctly ask more questions.

• If you are still unsure of the data subject's identity, apologize to the person/caller and explain that you cannot give out any personal information because under the terms of the 1998 Data Protection Act you are unsure of their identity. Advise them to write or return with suitable identification if the information is still required.

• If you are satisfied that you are speaking to the data subject and they have answered at least two questions correctly, they can only be supplied with information which relates to themselves in order to deal with their enquiry.

(b) Disclosing Information with the Data Subject's Consent

If an organization or individual calls and requests information about an individual, the data subject's consent must be gained before any information is disclosed, unless there is a legislative reason for the disclosure. Such consent may have been given at the point of collection of the personal data, if the person or organization was listed as a possible disclosure to which the data subject agreed by completing the form, or a disclosure in the Board’s Notification.

Should the request be by telephone, first check the caller's identity. To do this, check the telephone number by contacting Directory Enquiries and then telephone them back, preferably via a switchboard.

If you are at all unsure of the caller's identity you can refuse to disclose information over the telephone and ask the caller to put their request in writing.

You may need to check that the request has the consent of the data subject before releasing the information, for example, details of salary for mortgage application.

(c) Disclosure of Personal Information Covered by an Exemption

There are a number of exemptions from various provisions of the Act relating to disclosures. The following are the most common exemptions whereby personal information may be disclosed:

• To someone acting on the data subject's behalf who has their written consent.

• For the prevention or detection of crime, apprehension or prosecution of offenders and for taxation purposes.

• Required by Statute, rule of court or by order of the court. A court order or proof of the relevant Act of Parliament is needed.

• National security.

• For obtaining legal advice and in legal proceedings where the person making the disclosure is a party or a witness.

• To prevent damage to anyone's health.

(d) Tracing Disclosures

All disclosures should be traceable in order that any errors may be corrected. Systems should be in place to enable the manager to trace persons or organizations to whom personal data has been disclosed. A Data Subject is also entitled to this information when making a Subject Access Request.

Dealing with a Subject Access Request.

A data subject whose details are held by the Board, as data controller, has the right to receive a copy of information held about them.

To obtain this information the data subject will need to make a Subject Access Request in writing. Subject Access Requests must be logged with the FOI Unit. They are then entitled to be told whether the Board, or someone else acting on its behalf, is processing their personal data and if so be given a description of:

• The personal data;

• the purpose(s) for which it is being processed;

• to whom the data are or may be disclosed;

• the source of the information;

• Logic behind processing (except in cases of trade secrets)

A charge can be made to individuals making Subject Access Requests from time to time, as set down by the Information Commissioner.

Staff processing personal data should check their notified systems as soon as possible for information relating to the named person. The Data Protection Act requires data controllers to reply to Subject Access Requests as quickly as possible and in all cases within 40 calendar days, or later if the data subject has not given enough information for a search to be made.

Subject Access Exemptions

There is some information that may be exempt from the Subject Access provisions. If this is the case then the data subject has no right to this information and must be informed, "I do not hold any personal data that I am required to reveal to you". The Exemptions are as follows:

• National Security

• Prevention of crime and taxation purposes

• Health, Education and Social Work (Educational records are covered by other legislation)

• Special Purposes (must meet certain criteria): journalism, artistic purposes, literary purposes

• Judicial appointments and Honors

• Crown employment and Crown or Ministerial appointments

• Management forecasts/management planning

• Negotiations

• Corporate Finance

• Examination scripts

• Legal professional privilege

• Statistical or research data that does not identify an individual

• Confidential references given by the data controller (but not received by the data controller).

• Data incriminating the data controller: An employee need not comply with any request or order if compliance would expose him/her to proceedings for an offence. (Section 7 of the Act). Information disclosed cannot be used in legal proceedings against the Board.

The FOI Unit can provide guidance on responding to subject access requests.

Notification – What is it?

What is notification?

The Information Commissioner maintains a public register of data controllers.

• Each register entry includes the name and address of the data controller and a general description of the processing of personal data by that data controller.

• Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller.

Notification is the process by which the data controller’s details are added to the register.

Why does the Board need to notify?

The Data Protection Act 1998 requires every data controller who is processing personal data to notify annually. Failure to notify is a criminal offence.

How can we view the Board’s Notification?

The Board’s Notification details are published on the Board’s Intranet, or the details can be viewed on the Information Commissioner’s website:

Changes to the Notification

If any Board Unit is processing, or intends to process, personal data for a purpose other than what is in the Board’s Notification then the manager must contact the FOI Unit immediately so that amendments/alterations can be processed.

Remember: no Board Unit can process personal data for a particular purpose if that purpose has not been notified.

Security of Personal Information

In the Workplace

The following points are intended to act as a guide for staff to follow when using personal information during the working day:

Unauthorized staff and other individuals should be prevented from gaining access to personal information.

Visitors should be received and supervised at all times within Board premises, especially where information about individuals is stored.

All computer systems containing personal data should be password protected. The level of security will depend on the classification of data being held.

Staff should have access to personal information on a "need to know" basis.

Computer workstations should not be left signed on when not being used. Remember you are responsible for your logon. Passwords should never be divulged to another person.

CDs, disks, USB memory sticks, tapes, printouts and other storage media containing personal data should be stored securely when they are not in use.

Be careful about what is sent via email and to whom information is sent. Generally personal data should not be sent in an email unless data can be encrypted or files password protected.

The same applies to faxes. If it is absolutely necessary to send personal data via fax then check that the intended recipient of a fax containing personal information is aware that it is being sent in order that they can ensure security on delivery.

Ensure that paper files are stored in secure locations and accessed on a "need to know" basis only.

Do not disclose personal information to anyone other than the data subject unless you have his or her consent, it is a registered disclosure, or it is required by law or permitted by a Data Protection Exemption. Always ask for proof of identity before making a disclosure.

When processing personal information do not leave it on public display. All paper files containing personal information should be locked away at the end of each day and not left on desks.

Computer monitors should be positioned so that personal data cannot be viewed by anyone not authorized to do so.

Security arrangements should form part of a written agreement between the data controller and data processor, if processing is carried out by an external source/third party.

Subject to relevant retention periods, redundant personal data should be destroyed by shredding if possible, or by use of an appropriate confidential waste system. If disposable bags are used, they should not be left lying in corridors for collection. CDs, disks, tapes, and other storage media should be either electronically "wiped" or physically destroyed beyond recovery.

IT Security policy procedures

An IT Security Policy is the most critical element of an IT security program. A security policy identifies the rules and procedures that all persons accessing computer resources must adhere to in order to ensure the confidentiality, integrity, and availability of data and resources. Furthermore, it puts into writing an organization’s security posture, describes and assigns functions and responsibilities, grants authority to security professionals, and identifies the incident response processes and procedures.

Note: The security-related decisions you make, or fail to make, largely determine how secure or insecure your network is, how much functionality your network offers, and how easy your network is to use. However, you cannot make good decisions about security without first determining what your security goals are. Until then, you cannot make effective use of any collection of security tools because you simply will not know what to check for and what restrictions to impose.

What Determines a Good IT Security Policy?

In general a good IT Security Policy does the following:

Communicates clear and concise information and is realistic;

Includes defined scope and applicability;

Makes enforceability possible;

Identifies the areas of responsibility for users, administrators, and management;

Provides sufficient guidance for development of specific procedures;

Balances protection with productivity;

Identifies how incidents will be handled; and

Is enacted by a senior official (e.g., CEO)

Development of a security policy should be a collaborative effort with security officials, management, and those who have a thorough understanding of the business rules of the organization. A security policy should not impede an organization from meeting its mission and goals. However, a good policy will provide the organization with the assurance and the "acceptable" level of asset protection from external and internal threats.

What are the Components of a Security Policy?

A key point to consider is to develop a security policy that is flexible and adaptable as technology changes. Additionally, a security policy should be a living document routinely updated as new technology and procedures are established to support the mission of the organization. The components of a security policy will change by organization based on size, services offered, technology, and available revenue. Here are some of the typical elements included in a security policy.

Security Definition – All security policies should include a well-defined security vision for the organization. The vision should be clear and concise and convey to readers the intent of the policy. For example:

"This security policy is intended to ensure the confidentiality, integrity and availability of data and resources through the use of effective and established IT security processes and procedures."

Further, the definition section should address why the security policy is being implemented and what the corresponding mission will entail. This is where you tie the policy to the mission and the business rules of the organization.

Enforcement – This section should clearly identify how the policy will be enforced and how security breaches and/or misconduct will be handled.

The Chief Information Officer (CIO) and the Information Systems Security Officer (ISSO) typically have primary responsibility for implementing the policy and ensuring compliance. However, a member of senior management, preferably the top official, should sign and visibly endorse the policy. This gives you enforcement clout and much-needed buy-in.

This section may also include procedures for requesting short-term exceptions to the policy. All exceptions should be reviewed and approved, or denied, by the Security Officer, and senior management should not be able to overrule those decisions. Otherwise your security program will fill up with exceptions and fail.

User Access to Computer Resources - This section should identify the roles and responsibilities of users accessing resources on the organization’s network. This should include information such as:

Procedures for obtaining network access and resource level permission;

Policies prohibiting personal use of organizational computer systems;

Passwords;

Procedures for using removable media devices;

Procedures for identifying applicable e-mail standards of conduct;

Specifications for both acceptable and prohibited Internet usage;

Guidelines for applications;

Restrictions on installing applications and hardware;

Procedures for Remote Access;

Guidelines for use of personal machines to access resources (remote access);

Procedures for account termination;

Procedures for routine auditing;

Procedures for threat notification; and

Security awareness training;

Depending on the size of an organization's network, a more detailed listing may be required for connected Wide Area Networks (WAN), other Local Area Networks (LAN), extranets, and Virtual Private Networks (VPN).

Some organizations may require that other connected (via LAN, WAN, VPN) or trusted agencies meet the terms and conditions identified in the organization’s security policy before they are granted access. This is done for the simple reason that your security policy is only as good as the weakest link.

For example, suppose Company ‘A’ has a rigid security policy and Company ‘B’, which has a substandard policy, wants to partner with Company ‘A’ and requests a network connection into Company ‘A’ behind the firewall. If Company ‘A’ allows this without validating Company ‘B’s security policy, Company ‘A’ can now be compromised by exploits launched from Company ‘B’s network.

When developing a security policy, take situations such as this very seriously and define standards that other organizations must meet before they are granted access. One method is to require the requesting organization to meet, at a minimum, your own policy and guidelines.

Security Profiles - A good security policy should also include information that identifies how security profiles will be applied uniformly across common devices (e.g., servers, workstations, routers, switches, firewalls, proxy servers, etc.). The policy should reference applicable standards and procedures for locking down devices. Those standards may include security checklists to follow when adding and/or reconfiguring devices.

New devices ship with a default configuration chosen for ease of deployment and compatibility with most architectures. This is very convenient for the vendor but a nightmare for security professionals. An assessment needs to be completed to determine which services are necessary on which devices to meet organizational requirements. All other services should be turned off or removed, and the result documented in the corresponding standard operating procedure.

For example, if your agency has no need to host Internet or intranet applications, do not install Microsoft IIS. If you need to serve web pages but have no requirement for FTP, disable the FTP service.

Passwords - Passwords are a critical element in protecting the infrastructure. Remember, your security policy is only as good as its weakest link. Weak passwords put you at higher risk of compromise, not only from external threats but also from insiders. If a password is compromised through social engineering or password cracking, an intruder now has access to your resources: confidentiality is lost, the integrity of the data is in doubt, and an attack on availability may already be in progress.

The policy should clearly state the requirements imposed on users for passwords. Passwords should not be any of the following:

The username, the word ‘password’, any personal information an attacker could obtain (e.g., street address, social security number, names of children, parents, cars or boats), a dictionary word, or a telephone number.

These are some examples of passwords not to use. Enforce the rules automatically through the system's password policy: require a minimum of eight characters with a mix of symbols, letters and numerals, including both uppercase and lowercase letters. Require users to change passwords at least quarterly, block reuse of previous passwords, and lock the account after a predetermined number of unsuccessful logon attempts.
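The rules above, written as an automated check. This is an added example and not part of the original essay: the wordlist, the user record and the use of unsalted SHA-256 for the password history are constructed assumptions (a real system stores history as salted hashes and loads a full dictionary from disk). The validator strips leading and trailing digits and symbols before the dictionary lookup so that ‘Summer2019!’ is still recognised as the word ‘summer’.

```python
"""Password policy validator (added example, not from the original page)."""
import hashlib
import re

MIN_LENGTH = 8
HISTORY_DEPTH = 12  # assumption: number of previous passwords that may not be reused

# Constructed stand-in for a real wordlist loaded from disk.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "football"}


def password_hash(password):
    # History is kept hashed, never in clear. Plain SHA-256 is an example-only stand-in.
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(password, username, personal_info, history_hashes):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lowered = password.lower()

    # Length and character-class mix required by the policy.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")

    # Things an attacker can guess or look up about the user.
    if lowered == username.lower() or lowered == "password":
        problems.append("equals the username or the word 'password'")
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")

    # Dictionary word with digits/symbols bolted on the ends is still a dictionary word.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in DICTIONARY:
        problems.append(f"based on dictionary word '{core}'")
    if re.fullmatch(r"[0-9 ()+.-]{7,}", password):
        problems.append("looks like a telephone number")

    # Reuse check against the most recent HISTORY_DEPTH hashes.
    if password_hash(password) in history_hashes[-HISTORY_DEPTH:]:
        problems.append("reused from password history")
    return problems
```

A rejected password gets every reason reported at once, so the user can fix them in one go rather than being bounced repeatedly.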

Another tip: log all successful and failed logon attempts. An attacker may be trying several accounts on your network. If you see several failed logon attempts in a row and then no activity, did the attacker give up, or did the last attempt succeed? Only the logs can tell you.
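The question in the paragraph above is exactly what a detection rule should answer. The following is an added example, not code from the original essay: it runs over a constructed sample log whose format (‘<ISO time> <FAIL|OK> user=<name> src=<ip>’) is an assumption standing in for whatever your authentication server writes, and the thresholds and window are assumptions too. It reports runs of failures that ended in a success, runs that ended in silence, and a single source failing against several accounts.

```python
"""Failed-then-successful logon detection (added example, not from the original page)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # assumption: this many failures is worth a look
WINDOW = timedelta(minutes=10)        # assumption: failures must fall within this span
MULTI_ACCOUNT_THRESHOLD = 2           # assumption: one source failing on this many accounts

# Constructed sample log for the example.
SAMPLE_LOG = """\
2017-11-02T08:00:01 FAIL user=alice src=203.0.113.7
2017-11-02T08:00:03 FAIL user=alice src=203.0.113.7
2017-11-02T08:00:05 FAIL user=alice src=203.0.113.7
2017-11-02T08:00:08 FAIL user=alice src=203.0.113.7
2017-11-02T08:00:10 FAIL user=alice src=203.0.113.7
2017-11-02T08:00:12 OK user=alice src=203.0.113.7
2017-11-02T08:05:00 FAIL user=bob src=203.0.113.7
2017-11-02T08:05:02 FAIL user=bob src=203.0.113.7
2017-11-02T08:05:04 FAIL user=bob src=203.0.113.7
2017-11-02T08:05:06 FAIL user=bob src=203.0.113.7
2017-11-02T08:05:08 FAIL user=bob src=203.0.113.7
2017-11-02T08:05:10 FAIL user=bob src=203.0.113.7
2017-11-02T09:00:00 FAIL user=carol src=198.51.100.2
2017-11-02T09:30:00 OK user=carol src=198.51.100.2
"""


def parse(line):
    """Split one log line into (timestamp, result, user, source ip)."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def analyse(log_text):
    """Return a list of (kind, user, src, count) alerts."""
    alerts = []
    streaks = defaultdict(list)         # (user, src) -> timestamps of the current failure run
    failed_accounts = defaultdict(set)  # src -> accounts it has failed against
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse(line)
        key = (user, src)
        # Forget failures that fell outside the window before this event.
        streaks[key] = [t for t in streaks[key] if ts - t <= WINDOW]
        if result == "FAIL":
            streaks[key].append(ts)
            failed_accounts[src].add(user)
            continue
        # A success: was it preceded by a run of failures? That is the case the text asks about.
        if len(streaks[key]) >= FAIL_THRESHOLD:
            alerts.append(("failures-then-success", user, src, len(streaks[key])))
        streaks[key] = []
    # Runs that never ended in a success: the attacker gave up, was locked out, or moved on.
    for (user, src), times in streaks.items():
        if len(times) >= FAIL_THRESHOLD:
            alerts.append(("failures-no-success", user, src, len(times)))
    # One source failing against several accounts: guessing across the user base.
    for src, users in failed_accounts.items():
        if len(users) >= MULTI_ACCOUNT_THRESHOLD:
            alerts.append(("many-accounts-one-source", "*", src, len(users)))
    return alerts
```

On the sample, alice's account produces a failures-then-success alert (the case that needs a phone call, not a ticket), bob's a failures-no-success alert, and the shared source address a many-accounts alert; carol's one failure half an hour before her success is ordinary user error and is ignored.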

E-mail – An email usage policy is a must. Many viruses, Trojans and other malware use email as the vehicle to propagate across the Internet; the worms Nimda and Goner are recent examples (Code Red, often mentioned alongside them, instead spread directly between vulnerable IIS servers). These attacks prey on an unsuspecting user double-clicking an attachment, which infects the machine and launches propagation throughout the entire network, and they can cause hours or days of downtime while remediation takes place.

Your policy should address content filtering of email messages. Filtering out attachments with extensions such as *.exe, *.scr, *.bat, *.com and *.inf will enhance your prevention efforts, but an extension filter is only a first layer: attackers rename files, use double extensions or wrap executables in archives, so it must be paired with anti-virus scanning of attachments. Personal use of the email system should also be prohibited. Email messages can be and have been used in litigation (the Microsoft anti-trust case), and this applies to personal and business messages alike. Some institutions, such as the Federal Government, archive email indefinitely, and those messages are subject to Freedom of Information Act (FOIA) requests. Consider how embarrassing it would be if several email messages with vulgar content were released to a law firm or the media; the negative publicity for your organization could be significant.
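The attachment filter described above, as an added example that is not part of the original essay. It parses a message with Python's standard email module and decides per attachment. The blocked list is the text's (exe, scr, bat, com, inf) plus pif, vbs, js and cmd, which are an assumption added here; archives are sent for inspection rather than allowed, since they are the usual way past an extension filter. The sample message is constructed for the example.

```python
"""Attachment filtering by extension (added example, not from the original page)."""
import os
from email import message_from_bytes
from email.message import EmailMessage

# From the text: exe, scr, bat, com, inf. Added here as an assumption: pif, vbs, js, cmd.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".com", ".inf", ".pif", ".vbs", ".js", ".cmd"}
# Archives are not blocked outright but must be opened and scanned before delivery.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}


def classify_filename(name):
    """Return 'block', 'inspect' or 'allow' for an attachment's declared filename."""
    if not name:
        return "inspect"  # nameless attachment: cannot judge, hand it to the scanner
    # Normalise case and strip any path, then judge by the LAST extension only,
    # so 'Invoice.pdf.EXE' is treated as an executable, not a PDF.
    base = os.path.basename(name.strip().lower())
    _, ext = os.path.splitext(base)
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in ARCHIVE_EXTENSIONS:
        return "inspect"
    return "allow"


def filter_message(raw_bytes):
    """Parse a raw RFC 822 message and return [(filename, decision), ...] for its attachments."""
    msg = message_from_bytes(raw_bytes)
    decisions = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        name = part.get_filename()
        decisions.append((name, classify_filename(name)))
    return decisions


def build_sample_message():
    """Constructed message with three attachments: a PDF, a disguised executable, an archive."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Q3 report"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 example", maintype="application", subtype="pdf",
                       filename="report.pdf")
    msg.add_attachment(b"MZ example", maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.EXE")
    msg.add_attachment(b"PK example", maintype="application", subtype="zip",
                       filename="photos.zip")
    return msg.as_bytes()
```

The decision is made on the declared filename alone, which is all an extension filter can do; a file renamed to .txt passes, which is why the scanner, not this filter, remains the control that matters.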

Internet – The World Wide Web is a great invention but, from a security standpoint, the worst nightmare. The Internet is the pathway through which vulnerabilities are exploited. The black-hat community typically distributes its ‘zero day’ and older exploits on the Internet via IRC chat rooms, instant messengers and free web-based email providers (Hotmail, Yahoo, etc.). Therefore the Internet usage policy should restrict access to these types of sites and should clearly identify what personal use, if any, is authorized.

Moreover, filtering software should be used to block forbidden categories of site, including pornography, chat rooms, free web-based email services (Hotmail, Yahoo, etc.) and personals. Several Internet content filtering applications are available that maintain a comprehensive database of forbidden URLs.

Anti-Virus - Anti-virus software is a ‘must’ in the detection and mitigation of viruses. The policy should identify the frequency of updating the virus definition files. The policy should also identify how removable media, attachments to email, and other files should be scanned before opening. Your anti-virus software should be configured to automatically scan all incoming and outgoing files. If a virus is found you need to identify what action should be taken (e.g., clean, notify administrator, deny access to file, etc.). Anti-virus vendors include:

McAfee (http://www.mcafee.com )

Norton (http://www.symantec.com )

Computer Associates InoculateIT (www.ca.com/innoculate)

Back-up and Recovery – A comprehensive back-up and recovery plan is critical to mitigating incidents. You never know when a natural or other disaster may occur. For example take the 9/11 incident. What would have happened if there were no off-site storage locations for the companies in the World Trade Center?

Answer: all of their data would have been permanently lost. Back-ups are your only way back to a known-good state. Organizations must have effective back-up and recovery plans, established through a comprehensive risk assessment of every system on the network. Back-up procedures may differ between systems; for example, the budget and payroll system will have different requirements from a miscellaneous file server.

You may have to restore from tape because a system crashed, you were hacked, hardware was upgraded, or files were inadvertently deleted, so be prepared. Your back-up and recovery policy should stand on its own as a separate document but be reflected in the security policy. At a minimum, the back-up and recovery plan should include:

Back-up schedules;

Identification of the type of tape back-up (full, differential, etc.);

The type of equipment used;

Tape storage location (on and off-site);

Tape labeling convention;

Tape rotation procedures;

Testing restorations; and

Checking log files.
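Two items in that list are the ones most often skipped in practice: deciding exactly what a differential backup must contain, and proving that a restore actually reproduces the data. The following is an added example, not part of the original essay, using gzip tar archives on local disk as a stand-in for tape; the payroll file tree is constructed in a temporary directory and the file timestamps are set explicitly so the run does not depend on filesystem clock resolution.

```python
"""Full/differential backup and restore verification (added example, not from the original page)."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path


def tree_hashes(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def backup(src, archive_path, changed_since=None):
    """Write a gzip tar of src. changed_since=None gives a full backup; an epoch time
    gives a differential backup holding only files modified after that time.
    Returns the sorted list of archived relative paths (what the backup log should record)."""
    src = Path(src)
    archived = []
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file() and (changed_since is None or p.stat().st_mtime > changed_since):
                rel = str(p.relative_to(src))
                tar.add(str(p), arcname=rel)
                archived.append(rel)
    return archived


def restore(archives, dest):
    """Extract the full archive and then its differentials, in order. A tape is untrusted
    input, so refuse members that would escape dest or plant links before extracting."""
    for a in archives:
        with tarfile.open(str(a), "r:gz") as tar:
            for m in tar.getmembers():
                if (m.name.startswith("/") or ".." in Path(m.name).parts
                        or m.issym() or m.islnk()):
                    raise ValueError(f"refusing unsafe member {m.name!r} in {a}")
            tar.extractall(str(dest))


def verify_restore(expected_hashes, restored_root):
    """Files that are missing or differ after the restore; an empty list means the test passed."""
    actual = tree_hashes(restored_root)
    return sorted(p for p, digest in expected_hashes.items() if actual.get(p) != digest)


def demo():
    """Constructed payroll tree: full backup, one change, differential, then two restores."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "payroll"
        src.mkdir()
        (src / "staff.csv").write_text("id,name\n1,alice\n")
        (src / "rates.csv").write_text("grade,rate\nA,10\n")
        full_list = backup(src, work / "full.tgz")
        t0 = time.time()
        # One file changes after the full backup; set mtimes explicitly for determinism.
        (src / "staff.csv").write_text("id,name\n1,alice\n2,bob\n")
        os.utime(src / "staff.csv", (t0 + 10, t0 + 10))
        os.utime(src / "rates.csv", (t0 - 10, t0 - 10))
        diff_list = backup(src, work / "diff.tgz", changed_since=t0)
        expected = tree_hashes(src)
        good = work / "restored"
        good.mkdir()
        restore([work / "full.tgz", work / "diff.tgz"], good)
        partial = work / "restored_full_only"
        partial.mkdir()
        restore([work / "full.tgz"], partial)   # what you get if the differential tape is lost
        return {"full": full_list, "diff": diff_list,
                "problems": verify_restore(expected, good),
                "full_only_problems": verify_restore(expected, partial)}
```

Record the digests at backup time and keep them with the tape labels; a restore test then becomes a comparison rather than a guess, and restoring the full set alone shows up immediately as a changed staff.csv.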

Intrusion Detection – A Network Intrusion Detection System (NIDS) detects anomalous, inappropriate or otherwise unauthorized traffic on a network. Unlike a firewall, a NIDS captures and inspects all traffic, whether or not the firewall would permit it, and generates an alert based on the contents at either the IP or the application level [4].

Intrusion detection tools help detect and mitigate attempts to gain access to your network. Decide through the risk assessment process whether to implement network-based (NIDS) or host-based (HIDS) intrusion detection, or a combination of both. Additional standard operating procedures should be derived from the policy to address intrusion detection processes and procedures specifically. Following are some examples of intrusion detection products:

ISS - (http://www.iss.com)

Cisco - (http://www.cisco.com/warp/public/cc/pd/sqsw/sqidsz/)

Snort - (http://www.linuxsecurity.com/feature_stories/usingsnort.html)

ZoneAlarm – (http://www.zonealarm.com) (a host-based personal firewall rather than a NIDS)

Remote Access - Dial-up access to your network will represent one of your greatest risks. Your policy should identify the procedures that one must follow in order to be granted dial-up access. You also need to address whether or not personal machines will be allowed to access your organization’s resources.

The whole issue of remote access causes heartburn for security officials. You can lock down your perimeter, but all it takes is one remote access client dialling into the network (behind the firewall) that was compromised while surfing the Internet, with a Trojan ready and willing to look for other unsuspecting prey, and your network has been compromised. Following are some examples of requirements to include in your policy:

Install and configure a personal firewall on remote client machines (examples: Norton or BlackICE Defender);

Ensure antivirus software, service packs and security patches are maintained and up to date;

Ensure modems are configured to not auto answer;

Ensure file sharing is disabled;

If not using tokens or PKI certificates, ensure the username and password are encrypted in transit;

If possible push policies from server to client machines; and

Prohibit organizational machines from being configured to access personal Internet Service Provider accounts.

Auditing - All security programs should be audited on a routine and random basis to assess their effectiveness. The security officer must be given written authority by the head of the organization to conduct audits of the program; without it, he or she could be subject to legal action for the very activities the audit requires. Random and scheduled audits should be conducted and may include:

Password auditing using hash-dumping and cracking utilities such as pwdump and LC3 (Windows);

Auditing the user account database for active old accounts (persons who have left the agency);

Penetration testing to check for vulnerabilities using technical assessment tools such as ISS and Nessus;

Social Engineering techniques to determine if you can get a username or password from a staff member;

Simulate (off hours) network failure and evaluate your incident response team’s performance and readiness;

Test your back-up recovery procedures;

Use Tripwire or similar product to monitor your critical binary files;

Configure your Server OS to audit all events and monitor several times a day for suspicious activity;

Use a port scanner (Nmap, Nessus, etc.) within your network to determine whether your system administrators notice the traffic and take appropriate action.

These are just a few examples of the things to audit. The extent of your auditing will depend on the level of your security program.
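The first audit item, offline password auditing, as an added example that is not part of the original essay. Real directories store NTLM, bcrypt or similar hashes, which you would dump and crack with pwdump and LC3 or their successors; the unsalted SHA-256 account store here is a stand-in so the example runs anywhere, and the account list, wordlist and mangling rules are small constructed samples. Besides cracking, the audit reports accounts that share a password, which a crack alone would not reveal.

```python
"""Offline password audit against a hashed account store (added example, not from the original page)."""
import hashlib


def pw_hash(password):
    # Example-only stand-in for whatever hash the directory actually stores.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store: username -> hash. Two users deliberately share a password.
ACCOUNTS = {
    "alice": pw_hash("Summer2017!"),
    "bob": pw_hash("Password1"),
    "carol": pw_hash("Password1"),
    "dave": pw_hash("Winter2017"),
    "erin": pw_hash("gX7#pL2q9vT!m4"),
}
WORDLIST = ["password", "summer", "winter", "welcome", "dragon"]  # constructed sample
YEARS = ["2016", "2017"]
SUFFIXES = ["", "1", "!", "123"]


def candidates(word):
    """Common user mangling: capitalisation, simple leet, appended year and/or suffix."""
    bases = {word, word.capitalize(), word.upper(),
             word.replace("a", "@").replace("o", "0")}
    for base in bases:
        for year in [""] + YEARS:
            for suffix in SUFFIXES:
                yield base + year + suffix


def audit(accounts, wordlist):
    """Return (cracked, shared): cracked maps user -> recovered password, shared maps a
    hash to the list of users who have it when more than one does."""
    # Hash every candidate once and look all accounts up against the table; with
    # unsalted hashes the cost does not grow with the number of accounts.
    lookup = {}
    for word in wordlist:
        for cand in candidates(word):
            lookup.setdefault(pw_hash(cand), cand)
    cracked = {user: lookup[digest] for user, digest in accounts.items() if digest in lookup}

    by_hash = {}
    for user, digest in accounts.items():
        by_hash.setdefault(digest, []).append(user)
    shared = {digest: users for digest, users in by_hash.items() if len(users) > 1}
    return cracked, shared
```

Four of the five sample accounts fall to a five-word list with trivial mangling, which is the usual result of such an audit and the argument for the complexity and reuse rules in the policy. Run this only with the written authority the text describes, against a copy of the hash store, and treat the output as sensitive.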

Awareness Training

Security Awareness training for organizational staff must be performed to ensure a successful program. Training should be provided at different levels for staff, executives, system administrators, and security officers. Additionally, staff should be retrained on a periodic basis (e.g., every two years). A process should be in place for training newly hired staff within a certain time period. Staff completing training should be required to sign a written certification statement. This signed statement helps the security officer and management enforce the organization’s security policies.

Trained staff can help relieve some of the burden on security officers. Trained staff can and often do provide early notification of suspicious events on their machines, which could prevent a worm or Trojan from propagating throughout the entire network.


