Information Assurance: Overview of Services

Policy and Organisation

Security Policy

  • Information Security Policy – A written security policy document and supporting documentation as necessary to ensure compliance with the Security Policy and with relevant laws and regulations.
  • ISO/IEC 27000 – Advice on implementation, certification and compliance, along with assessments and audits assessing compliance.

Security Organisation

  • Information Security Infrastructure – A management framework for Information Security with explicitly defined responsibilities.
  • Security of 3rd Party Access – Assessment of risks from 3rd party access and implementation of appropriate security controls
  • Outsourcing – Address security requirements for any outsourcing in the contract with the outsourcer
  • 3rd Party Relationships – Address security requirements for 3rd party relationships: customers, suppliers, agents, etc.

Solutions Implementation

IT Asset Classification & Control

  • Accountability for Assets – Maintain inventory of all important assets
  • Information Classification – Utilising Security Classification or Protective Marking (labels) to ensure that information assets receive the level of protection appropriate to business and organisational needs

Human Resources Security

  • Security in Job Definition, Resourcing & Employment Termination – Include the definition of security responsibilities and roles in job descriptions. Social engineering; staff integrity/naivety checks; management of status changes, job roles and employment termination
  • User Training – Give users appropriate training in organisational policies and procedures, with regular updates as and when required
  • Responding to Security Incidents & Malfunctions – Report security incidents, security weaknesses and software malfunctions to minimise damage and to create a ‘knowledge base’, along with estimates of the costs incurred as a result of any incident or malfunction

Physical & Environmental Security

  • Secure Areas – Advise and/or implement physical access controls.
  • Equipment Security – Siting, power, cabling, maintenance. Erase information from equipment prior to disposal or re-use
  • General Controls – Clear screen/desk policy; control removal of property

Communications & Operations Management

  • Operational Procedures & Responsibilities – Appropriate procedures and responsibilities should be established, including incident management procedures and operational change control. Segregate duties to minimise risk of negligent or deliberate system misuse. Separate development and operational facilities
  • System Planning & Acceptance – Capacity planning and system acceptance criteria
  • Protection against Malicious Software – Detect and prevent malicious software (anti-virus)
  • Housekeeping – Data back-ups for integrity and availability. Maintain operator and fault logs
  • Network Management – Define management procedures and controls
  • Media Handling and Security – Secure control and disposal of removable media
  • Exchanges of Information & Software – Establish agreements with external organisations for the secure exchange of information and software. Protect exchanges, including e-mail non-repudiation aspects where necessary, and information publishing

Access Control

  • Business Requirement for Access Control – Define and document the business requirement
  • User Access Management – Establish formal user registration and de-registration procedures. Control/restrict the allocations and use of privileges. Manage allocation of user passwords securely. Review user access rights regularly
  • User Responsibilities – Passwords and unattended workstations
  • Network Access Control – Authenticate connections by and to remote users and computers. Control access to diagnostic ports securely. Segregate groups of services/users/systems to enhance security. Specify security attributes of network services clearly
  • Operating System Access Control – Automatic terminal identification for connections to specific locations. Authenticate users by login passwords. Ensure each logon ID is for the sole use of one user, for traceability/accountability. Use a password management system to ensure the quality of passwords. Control access to system utilities. Set high-risk inactive terminals to time out. Duress alarms for users who may be targets of coercion. Restrict connection times for high-risk applications
  • Application Access Control – Control access to information and applications. Sensitive systems might require a dedicated computing environment
  • Monitoring System Access & Usage – Maintain audit logs of security events and keep for an agreed period. Establish procedures for monitoring system usage
  • Mobile Computing and Teleworking – Formal policy and controls required

Systems Development & Maintenance

  • Security requirement of Systems – Business requirements to define required security in advance
  • Security in Application Systems – Implement data validation checks. Use message authentication to enable non-repudiation.
  • Cryptographic Controls – Define policy on the use of encryption to protect confidentiality and to support non-repudiation. Use of digital signatures for authenticity and integrity. Key management based on recognised national and international standards.
  • Security of System Files – Control the implementation of operational software. Control access to system files and test data
  • Security in Development & Support Processes – Discourage modification to software and allow only essential changes under formal controls. Review and test the security impact of all changes to check for covert channels and ‘Trojan’ code

Business Continuity Management

  • Aspects of Business Continuity Management – Create, maintain and test business continuity plans to protect critical business operations from major failures, disasters or deliberate interruption to the organisation’s activities.

Supply, Installation and Commissioning of Hardware & Software

  • Security Hardware & Software Assessment – Ensure that existing security hardware and software is optimally configured and operational to meet existing business needs
  • Report and Recommendation – Provide a fully documented report stating any weaknesses or ‘unfitness’ for the task in existing security hardware and software. Provide documented recommendation for optimum hardware and software implementation to best meet current and future business requirements
  • Source & Supply – Where required, provide quotation for the supply, installation, commissioning and maintenance of new hardware and software.

Incidents and Compliance

Incident Investigation

  • Incident Investigation policy – An integral part of (or an appendix to) the Security Policy document available to those with security management responsibilities
  • Investigation Launch – Scope, objectives, priorities
  • Evidence seizure and preservation – Searches. Witness interviews/statements. Drive/Disk imaging. Data recovery and analysis. Audit log analysis. Investigation report
  • Involvement of Police – Legal advice
  • Countermeasures – Damage Assessment
  • Analysis & Proactivity – Preventative measures to minimise security breach

Compliance

  • Compliance with Legal & Regulatory Requirements – Explicitly define and comply with all relevant statutory, regulatory and contractual requirements, including personal data protection, IPR and licensing. Protect important records from loss, falsification and destruction
  • Review of Security Policy & Technical compliance – Ensure that security within areas of responsibility is correctly carried out and subject to regular review for compliance with security policy. Check IT for compliance with security implementation standards
  • System Audit consideration – Plan audits to minimise disruption to business. Control and restrict access to system audit tools