Executive Summary

This research report aims to establish a baseline security policy program for a company, which should be implemented in order to protect its physical and environmental resources against unauthorized system penetration attacks as well as internal threats. The report also includes a brief background on the evolution of security standards: how ISO/IEC 17799:2005 was developed and became ISO/IEC 27002:2005. This is followed by an explanation of the main components of the core standard, including security policy, organization of information security, asset management, human resources security, physical and environmental security, communications and operations management, access control, development and maintenance, incident management, business continuity management and compliance. The report shows that the central issue is that information which can be accessed remotely is threatened by unauthorized access attempts by attackers. This is demonstrated with three different case studies. The first reveals how a system was penetrated and 6 million customers' personal data was stolen through SQL injection. The second shows how malware attempted to get into a system running on the personal computer of one of Bank X's clients. The last shows that insiders (employees) are as much a threat to companies as external attackers: Intel experienced the theft of top secret data by an employee from a well encrypted system. After the case studies are analyzed, the principles of a security policy program are examined. The importance of confidentiality, integrity and availability of data is underlined in the planning section. Then a detailed account is given of computer security policies under the titles of physical access controls, network security policies (for example, e-mail and Internet policies), data security policies, contingency and disaster recovery plans, and security awareness and training.


Finally, it is highlighted that the purpose of creating a standard on acceptable security policy is to reduce the risks that may cause internal or external harm to company resources. The report concludes with the recommendation that a security policy program be implemented by all companies which deal with massive transactions, possess huge databases and work with more than a hundred employees.


Table of Contents

1 Introduction
2 Background
3 Case Studies
4 Security Policy Program
5 Recommendation
6 Conclusion

1 Introduction

Since organizational data, intellectual property, customer data and confidential information have started to be stored and accessed through electronic environments, security norms have become one of the vital concerns in industry. This norm has a broad meaning and comprises a variety of complicated issues under one single shell, such as the interconnection between databases, applications, servers, workstations, the Internet and intranet networks. It has become important for even small scale companies to protect themselves and also to maintain their reputation in the public eye. At this point, appropriate security policy programs and policy projects should be prepared, documented and implemented by companies in order to provide a secure environment and network against a wide variety of threats which are growing in sophistication and scope. However, organizations might be faced with particular issues, including loss of reputation in the business area and liability in the clients' eyes. There is even a very high possibility that breaches of pre-specified policies will bring the matter to the courts.

2 Background

Standards were developed to create an organizational regulation to perform governance within predefined boundaries. Specifically for information technology, the ISO/IEC 27002 standard has been developed and enhanced in order to identify the boundaries of the security aspects required. The purpose of creating a standard on information technology security is, however, to provide an internationally acceptable certification. Hence, companies all over the world are able to prove their security measures with well documented standards (Danchev, 2003). At this point, defining the policies required, documenting them in a suitable format and deploying them properly throughout the company is another struggle for organizations.

The latest developed standard, ISO/IEC 27002:2005, formerly known as ISO/IEC 17799:2005, is an internationally accredited technical guideline which is specifically improved to elaborate security concerns in IT. It consists of a comprehensive set of policies, controls and best practices (ISO, 2008). Policies for controlling information and human resources, the characteristics of an efficient security framework and constant monitoring for system vulnerabilities are the means by which the standards are brought into use (Stallings, 2007). Essentially the standard comprises controls and functions for best code of practice in the following areas (ISO27001Security, 2010):

• security policy
• organization of information security
• asset management
• human resources security
• physical and environmental security
• communications and operations management
• access control
• information systems acquisition, development and maintenance
• information security incident management
• business continuity management
• compliance

As illustrated in Figure 1, the standard is designed as a set of core security functions, and each function branches into detailed business activities. It starts with informing the company's employees of their responsibilities under the security policies prepared within the company's borders. By doing so, insecure or improper use of the Internet and prohibited activities will be prevented.

Figure 1: ISO 27002 Security Standards.

3 Case Studies

The concept of confidential data has a large meaning behind it, in terms of its content. Customer information, intellectual property, company assets, database contents and removable disks consist of precious information which should be protected with security devices as well as security policies and programs. Intercepted confidential data can be used for unauthorized access to a customer's account, or massive amounts of customer information can be stolen by hacking a database (Trend Micro, 2010). However, the statistics of data theft can be divided into 2 parts. Databases and file-sharing applications are the ones which can be accessed through the Internet by attackers. This is an external threat, which has the highest percentages, 57% and 46% respectively. Laptops, removable media and back-up tapes are the devices which are placed in the company and are under the employees' responsibility. This is an internal threat, which has a lower impact of data loss, 39%, 23% and 16% respectively. This can also be seen from Figure 2 (CIO Magazine, 2009).

Figure 2: Confidential Data Theft Statistics (CIO Magazine, 2009).

Issue Identified 1: Database infiltrated, 6 million customers' data stolen

An incident reported in September 2007 says (Wilson, 2009) that one of the databases of an online trading company, Ameritrade, had been infiltrated by an intrusion. As a result of the incident, approximately 6 million retail and institutional clients' personal and corporate trading information had been stolen and used to send spam to those clients. After the incident, the company hired a special team to perform a penetration test to prevent further possible attacks.
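The executive summary attributes this database breach to SQL injection, and the planning section later names SQL injection based database attacks as the typical confidentiality threat. The following Python example is added here to show that mechanism from the defender's side; it is not code from the report or from Ameritrade, and the table, the rows and the crafted input are constructed for the demonstration. It puts a query built by string concatenation next to the parameterised form and shows that only the first one lets a username field change the shape of the query.

```python
import sqlite3

# Constructed sample rows standing in for a trading company's customer table
# (not a real schema or real customers).
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.com", "retail"),
    ("bob", "bob@example.com", "institutional"),
    ("carol", "carol@example.com", "retail"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT, kind TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    """Query assembled by string concatenation: the caller's text is parsed as SQL,
    so a value containing a quote can rewrite the WHERE clause."""
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised query: the value is bound by the driver and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms against the same input.

    Returns (rows_from_vulnerable, rows_from_hardened) so the difference is visible."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_hardened(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed username behaves the same either way.
    print(compare("bob"))
    # Constructed input that closes the quote and appends an always-true condition:
    # the concatenated query returns every row, the parameterised one returns none.
    print(compare("nobody' OR '1'='1"))
```

The fix is not input filtering but keeping the query text constant: with the parameterised form there is no string the customer can supply that is interpreted as SQL, which is the property a penetration test of the repaired system should confirm.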

Issue Identified 2: Intel's top secret files stolen by an employee

Another incident reported that 13 top secret files of the chipset giant Intel, consisting of designs and documents for Intel's newest chips, were captured by an employee of the company (Gaudin, 2008). The issue was discovered when another employee heard a rumor that Pani was working for AMD while still working for Intel. An investigation was then conducted to report Pani's activities, showing the access and download history on the system. Pani, Intel's former employee, later admitted that he had downloaded the documents from an encrypted system at Intel. The problem at Intel arose from two different weaknesses. The first is vulnerabilities in the monitoring of critical confidential data, and the second is the employee's recruitment by another company without leaving the current company. Top secret documents, like Intel's chipset designs, should be stored in a separate encrypted system to ensure that protection is always at the highest level. However, there will always be a group of people who have been granted proper authorization to access the documents. To overcome this problem, a proper and separate monitoring mechanism should be implemented by companies like Intel to know which persons would like to access the documents, when and why. The company should have implemented a special defense system which allows senior management to screen download activities and also sends a notification to the security service (Perimetrix, n.d.).

Issue Identified 3: Accounts of Bank X's customers under Zeus malware threat

Bank X (which would like to remain anonymous) experienced a malware attack which transferred millions of dollars from its clients' bank accounts, especially small business customer accounts, to another country (Litan, 2010). The vulnerability identified arose from a computer belonging to one of Bank X's clients. The Zeus malware was set up to wake up automatically when a URL was entered or the browser navigated to a bank website. After the user entered the account identification and password, the new URL stream (which carries a specific token belonging to that session) was copied by the malware and transmitted to the malware's control server. The replicated URL session was then transmitted a second time to the bank by the control server. Bank X had deployed an intrusion detection system specifically against fraud in 2006. Bank X's network administrators caught the attack straight after their authenticator application received the requester URL a second time. According to the plan, the IT security team and LOB (another team, responsible for online banking) came together, worked on the malware's behavior and replicated its working mechanism to thwart the attacker. After all activities of the malware had been examined, a new rule was deployed to the existing fraud detection system. By doing so, the bank thwarted over $1 million in losses from customer accounts, and several malware interception attempts were stopped.
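The defensive step that made the difference in the Bank X case was noticing that the same session URL arrived a second time from somewhere other than the customer's browser. The following Python example is added here to illustrate that detection rule over a constructed request log; it is not Bank X's authenticator code, and the hostname, the query parameter name "session", the addresses and the timestamps are all assumptions. A token's first presenter is remembered, and a later request carrying the same token from a different source is reported, which is the replay pattern the text describes; ordinary navigation within the session from the same source is not flagged.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample request log as (timestamp, source_ip, url) tuples.
# The host, the "session" parameter name and the addresses are assumptions.
SAMPLE_REQUESTS = [
    ("2010-03-01T09:00:01", "203.0.113.10", "https://bank.example/login"),
    ("2010-03-01T09:00:05", "203.0.113.10", "https://bank.example/account?session=a1b2c3"),
    ("2010-03-01T09:00:09", "203.0.113.10", "https://bank.example/account/statement?session=a1b2c3"),
    # Same token, different source: the control server re-submitting the copied URL.
    ("2010-03-01T09:00:40", "198.51.100.7", "https://bank.example/account?session=a1b2c3"),
    ("2010-03-01T09:01:00", "203.0.113.25", "https://bank.example/account?session=d4e5f6"),
]


def session_token(url, param="session"):
    """Return the session token carried in the URL's query string, or None."""
    values = parse_qs(urlparse(url).query).get(param)
    return values[0] if values else None


def detect_replayed_sessions(requests, param="session"):
    """Report every request that presents an already-seen session token from a
    source other than the one that presented it first.

    Each alert records the token, its original owner, the replaying source and
    the replayed URL, which is what a fraud-detection rule would act on."""
    owner = {}   # token -> source that first presented it
    alerts = []
    for ts, source, url in requests:
        token = session_token(url, param)
        if token is None:
            continue                      # no session token in this request
        if token not in owner:
            owner[token] = source         # first presenter is taken as the legitimate client
        elif owner[token] != source:
            alerts.append({
                "time": ts,
                "token": token,
                "owner": owner[token],
                "replayed_by": source,
                "url": url,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_replayed_sessions(SAMPLE_REQUESTS):
        print(f"{alert['time']} session {alert['token']} of {alert['owner']} "
              f"replayed by {alert['replayed_by']}: {alert['url']}")
```

In production the source identity would be richer than an address (TLS session, device fingerprint), but the decision is the same: a session token is bound to the client that established it, and its appearance from a second client is the event to hold transactions on and to raise to the fraud team.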

4 Security Policy Program

The purpose of this section is to clarify the key points of creating an efficient and effective policy awareness program in order to protect all company assets. This is not just a plan for using and disseminating knowledge but also guidance defining roles and responsibilities for managers, administrators and employees, for the company's current and future use. Every company has a distinctive management approach and style. However, there are certain issue-specific aspects that are exactly the same for all companies, such as (Microsoft [1], 2010):

• Physical computer security policies such as physical access controls.
• Network security policies (for example, e-mail and Internet policies).
• Data security policies (access control and integrity controls).
• Contingency and disaster recovery plans and tests.
• Computer security management and coordination policies.
• Computer security awareness and training.

Complete protection can only be achieved by implementing a formal policy program including the aspects listed above.

Planning

Security is defined as 'the state of being free from unacceptable risk'. To keep the company away from potential harm, first and fundamentally a plan should be prepared. Basically, planning means defining the scope of the security policy program, identifying the threats, possible risks and their countermeasures, as well as training employees in what they can and cannot do with the company's resources. In other words, building and implementing a program is a cooperative task among stakeholders, although many users think that doing this is not their job or responsibility. The threat/risk concerns the protection of the well-known three aspects of data, as follows (UTS, 2008):

• Confidentiality refers to the protection of confidential company data, intellectual property and customers' data against unauthorized interception, for example by SQL injection based database attacks.
• Integrity refers to the precision and comprehensiveness of data, which should be protected against deliberate corruption and modification, for instance changing the figures of an important report or destroying electronic evidence by deleting it.
• Availability ensures that the system operates on a timely basis in order to provide the required service and to prevent considerable losses. For example, online banking websites should be available 24/7.

Policy and programs

Fundamentally, in this section, policies and programs have been divided into particular main areas and each area has been broken up into its sub-areas of interest in its entirety. By doing so, the protection of information boundaries and people's responsibilities can be seen clearly.

Physical Security Policies

1-Environment
Before preparing the office plan, the most secure rooms should be defined for the accommodation of confidential data. The equipment required, such as surveillance cameras and swipe card readers, should be installed and tested in advance to eliminate possible threats. A procedure should be prepared and guards should be informed as to how to escort individuals who would like to visit the company. Backup devices containing critical confidential customer and organizational data should be placed at a safe distance from the main site to ensure that a disaster would not harm the backup media.

2-Equipment Security
All organizational devices should be accommodated in a secure environment to thwart unauthorized access. Devices should not be taken out of the company without permission. In particular, the company's portable devices, including laptops, PDAs and mobile computing devices, should be well configured and should not be left on without proper lock settings.

3-Physical Access Control
The list of authorized employees who are responsible for critical devices, including server rooms and backup rooms, should be kept updated and checked occasionally. All rooms and data centers which are visited by legitimate users or guests should be monitored and logged 24/7. All security keys, passwords and swipe cards which allow users access to the system or security rooms should be physically secured. A device which is left alone for a while should be locked by its user and, if it is not in use, should be turned off to prevent illegal attempts. The screen and keypad of a device should be positioned carefully so that unauthorized users or guests will not be able to read them.

Network Security Policies

1-General Network Protection
All internal networks should be configured properly with sufficient security measures against unauthorized access and infiltration. The configuration deployed and the management of information systems should be reviewed periodically. All confidential data should be transmitted with sufficient encryption. Company workers should not be allowed to use any other communication devices, including broadband links, dial-up modems or wireless interfaces, without the permission of the department concerned.

2-Internet Security
All users should be informed about acceptable Internet use policies. Internet access should be set up through a gateway for each office. Internet traffic should be monitored and logged to watch for illegal user activities. Downloaded materials should be scanned and verified by antivirus software before installation.

3-Email Security
Each department should announce an acceptable email usage policy to its users. A systematic process should be established and maintained by the administrators for recording, retaining and destroying e-mail messages. Sent and received email should be scanned for malicious code. Electronic mails which include attachments with a .com or .exe extension should not be opened or forwarded. The company's email address lists and their entries should be protected against unauthorized infiltration and alteration.

4-Protection against Malicious Software
Company computers should have antivirus software which is always on. All hardware and software should be kept up to date to ensure that resources are protected from malware attacks. Portable storage media which are regularly taken out of and brought into the company should be scanned properly each time to ensure they do not include any infectious file or folder. Employees should not plug any personal media into corporate resources and should not get involved in any malicious code distribution deliberately.

5-Software and Patch Management
Software required to be installed should not be loaded before obtaining the responsible manager's approval. Network administrators should ensure that software patches are obtained from the software vendors' sites. All kinds of patches should be examined in a test environment to see whether they have any side effects before distribution. Distrusted hotfixes, patches and updates should not be installed.

Data Security Policies

Data security policy comprises overall data security and information backup to maintain the confidentiality of resources. The most important policy, for which all users are responsible, concerns the disclosure of confidential information. Therefore all users should work within the boundaries of the pre-defined and published security policy program. They must avoid actions (deliberate or unintentional) that might harm organizational resources. Backup operations and recovery procedures must be well documented, properly implemented and tested regularly. A periodic calendar should be defined and operations should be conducted according to this timetable. Backed-up data should be stored at a remote distance from the system and should be accessible only by authorized persons.

Access Control Security
Access control security consists of (mandatory) standards such as data access rights, user identification, authentication, privacy, user privileges and password management. These standards should be implemented by organizations to ensure that sufficient security exists for corporate assets. In order to maintain data security throughout the company, first of all, data access rights should be granted to users or groups based on need. Different data (depending on its sensitivity) is reached with different levels of authentication. User privileges should be assigned to a unique user or to predefined groups. They also must be controlled and updated periodically to support the standards mentioned above.
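The access control paragraph above states three things together: rights are granted to users or predefined groups on the basis of need, data of different sensitivity is reached with different levels of authentication, and the assignments are reviewed periodically. The following Python example is added here (it is not from the report) to put those three rules into one decision function; the sensitivity levels, the authentication methods and their strength ranking, and the sample users and resources are all constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed classification scheme (assumption): each sensitivity level names the
# minimum authentication strength it needs, and each method has a strength.
REQUIRED_STRENGTH = {"public": 0, "internal": 1, "confidential": 2, "top_secret": 3}
AUTH_STRENGTH = {"none": 0, "password": 1, "password+token": 2, "password+token+smartcard": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str
    readers: frozenset   # user names and/or group names granted read access


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    auth_method: str     # how this user authenticated for the current session


def can_read(user, resource):
    """Return (allowed, reason).

    Access needs a right held by the user or one of the user's groups AND an
    authentication level strong enough for the resource's sensitivity."""
    principals = {user.name} | set(user.groups)
    if not principals & set(resource.readers):
        return False, "no access right for user or any of the user's groups"
    needed = REQUIRED_STRENGTH[resource.sensitivity]
    have = AUTH_STRENGTH.get(user.auth_method, 0)
    if have < needed:
        return False, f"authentication level {have} below required {needed} for {resource.sensitivity}"
    return True, "ok"


def review_rights(resources, users):
    """Periodic review: rights granted to principals (users or groups) that no
    longer exist in the directory, so stale grants can be removed."""
    known = {u.name for u in users}
    for u in users:
        known |= set(u.groups)
    stale = {}
    for r in resources:
        unknown = set(r.readers) - known
        if unknown:
            stale[r.name] = sorted(unknown)
    return stale


# Constructed sample directory and resources.
USERS = [
    User("dana", frozenset({"chip-design"}), "password+token+smartcard"),
    User("erik", frozenset({"chip-design"}), "password"),
    User("fay", frozenset({"finance"}), "password+token"),
]
RESOURCES = [
    Resource("chip_design_v7", "top_secret", frozenset({"chip-design"})),
    Resource("quarterly_report", "confidential", frozenset({"finance", "dana"})),
    Resource("old_roadmap", "internal", frozenset({"contractors-2009"})),
]

if __name__ == "__main__":
    for user in USERS:
        for res in RESOURCES:
            print(user.name, res.name, can_read(user, res))
    print("stale grants:", review_rights(RESOURCES, USERS))
```

Note that erik holds the right to the chip design through his group but is still refused because a password alone does not reach the level the top secret class demands; the two conditions are independent, and the review function is the part that keeps the grants honest over time.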

Protection: Risk Assessment, Contingency Plans and Incident Management

The ultimate goal is to maintain the confidentiality, integrity and availability of the data in order to maintain the protection of corporate assets. Essentially, companies are protected against possible outside attacks. However, in case the company is penetrated despite all the precautions (encrypted data transfers, passwords, firewalls and so on), particular further countermeasures should be taken in advance. An organization which performs hundreds or thousands of online transactions a day should promise the continuity of the business to its clients.

1-Risk Assessment
Basically, first of all, a risk assessment should be conducted to determine the possible risks. The risk assessment can be examined under three main categories: natural disasters (floods and fire), intentional external malicious attackers, and unintentional user mistakes/intentional user harm (Microsoft [2], 2010). This information can then be divided into detailed sub-categories:

• Identify the assets you want to protect and the value of these assets.
• Identify the risks to each asset.
• Determine the category of the cause of the risk (natural disaster risk, intentional risk, or unintentional risk).
• Identify the methods, tools, or techniques the threats use.

2-Contingency Plan
Risk assessment is then followed by preparing, documenting and testing a contingency and disaster recovery plan in detail. The contingency plan sheet should consist of the information needed in a disaster situation, such as (Microsoft, 2010):

• Persons who must do what, when and where to maintain business continuity.
• An updated staff list that names the persons responsible for acting in a disaster situation.
• Instructions for accessing the latest backup data.
• Instructions for updating the software.
• Instructions for moving production to another place.

3-Incident Management
To perform complete incident management, online business activities should be monitored and the collected data (screening logs) should be stored as evidence for further needs. The gathered data is then reviewed by administrators to determine the pattern of incoming/outgoing traffic. Suspicious attempts, system breakdowns and IDS alerts should be reported to the authorized person straight away, according to the incident management procedures (SCU, 2004).

People and Projects: Computer Security Consciousness and Training

Research reveals that the majority of organizational problems are cultural, not technological. The biggest mistake among employees is the thought 'accept the system as fully protected once technical equipment has been deployed'. Defining roles and responsibilities for all stakeholders, including managers, administrators, employees and contractors, is one of the most essential key factors in thwarting undesired incidents. This can be achieved by training people in the policies and procedures. Reading, understanding and complying with the documented security policy program should be compulsory in every company. Particular roles and responsibilities are listed in general as follows (SANS, n.d.):

• Roles and responsibilities should be documented uniquely and signed by each employee, which serves as evidence that the person has read, understood and accepted their role in the company.
• General roles and responsibilities should be kept as hardcopy and softcopy. The updated softcopy should be published on the company's intranet so that all users can easily reach and read it.
• A survey should be conducted to make all users see new updates through the intranet. Survey results should be reviewed to ensure that all employees read and understand new changes and add-ons.
• Weekly company magazines can be used to let employees know about new in-company regulations and changes.
• An incident response team guideline is part of user training. The team members should be trained for incidents that might occur at any time.
• Each user is responsible for their own actions.
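The incident management paragraph above says that activity logs should be collected, stored as evidence and reviewed by administrators to find patterns, and the Intel case earlier called for a monitoring mechanism that knows who downloads top secret documents and when, and that alerts the security service. The following Python example is added here to show what such a review looks like over a constructed access log; it is not code from the report, from Intel or from any product, and the log format, the field names, the user names and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log: a timestamp followed by key=value fields.
# Field names, document names and user names are assumptions for the example.
SAMPLE_LOG = """\
2010-02-10 09:12:01 user=alice doc=quarterly_report.xls class=internal action=view
2010-02-10 09:40:13 user=pani doc=chip_design_v7.pdf class=top_secret action=download
2010-02-10 22:05:44 user=pani doc=chip_design_v8.pdf class=top_secret action=download
2010-02-10 22:06:02 user=pani doc=chip_layout.pdf class=top_secret action=download
2010-02-10 22:07:19 user=pani doc=chip_testplan.pdf class=top_secret action=download
2010-02-11 10:15:00 user=bob doc=chip_design_v7.pdf class=top_secret action=view
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fields>.+)$")


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped
    (a real review would report them separately rather than lose them)."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = dict(pair.split("=", 1) for pair in match.group("fields").split())
        event["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return events


def review_downloads(events, max_per_day=2, business_hours=(8, 18)):
    """Review downloads of top secret documents and return alert records.

    Two patterns are reported: a download outside business hours, and the
    download that takes a user past max_per_day top secret downloads on one
    calendar day (reported once per user per day, not on every further file)."""
    per_day = defaultdict(int)
    alerts = []
    start, end = business_hours
    for e in events:
        if e.get("class") != "top_secret" or e.get("action") != "download":
            continue
        key = (e["user"], e["ts"].date())
        per_day[key] += 1
        if not start <= e["ts"].hour < end:
            alerts.append({"user": e["user"], "doc": e["doc"], "time": e["ts"].isoformat(),
                           "reason": "after-hours download"})
        if per_day[key] == max_per_day + 1:
            alerts.append({"user": e["user"], "doc": e["doc"], "time": e["ts"].isoformat(),
                           "reason": f"more than {max_per_day} top secret downloads in one day"})
    return alerts


def notifications(alerts):
    """Render alerts as one-line messages for the security service."""
    return [f"[{a['time']}] {a['user']}: {a['reason']} ({a['doc']})" for a in alerts]


if __name__ == "__main__":
    for line in notifications(review_downloads(parse_log(SAMPLE_LOG))):
        print(line)
```

The log itself is the evidence the text asks to retain; the review only reads it. Viewing is deliberately left out of both rules so that authorised day-to-day work does not drown the alerts, which is the balance a monitoring mechanism for "who, when and why" has to strike.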

To improve the security consciousness of all employees, particular training material should be documented and transmitted to all company bodies. Particular rules are listed as follows (NIST, 2003):

• A password management definition should be made, including creation (a password should contain numbers, letters and special characters), frequency of change (monthly) and protection of the password (do not leave or tell your password to anyone else); users should therefore be careful about shoulder surfing to protect their password.
• Protection from malicious code should be explained: do not open unknown emails and attachments.
• Personal media devices are not allowed to be plugged into the company's resources.
• The allowed and restricted activities on the company's network should be defined and announced; for example, some personal research can be done, but a Facebook account should not be used through the company's Internet.
• Users are not allowed to install software (which might include infectious code) without proper authorization.
• Organizational portable resources are a security issue while travelling.
• Visitors should be received at the entrance of the company and escorted to the department they need to visit.
• Employees should report any unusual activity or stranger to the responsible person.
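The password rule in the list above (numbers, letters and special characters; changed monthly) and the attachment rule from the Email Security policy (no .com or .exe attachments) are both checks that a workstation or mail gateway can enforce mechanically rather than leaving them to training alone. The following Python example is added here, not from the report or from NIST, to encode those two rules as functions; the minimum length of 8 is an assumption, since the report gives no length.

```python
import re
from datetime import date, timedelta

MIN_LENGTH = 8                         # assumed minimum; the report does not specify a length
MAX_AGE_DAYS = 30                      # "frequency of changes (monthly)"
BLOCKED_EXTENSIONS = {".com", ".exe"}  # from the Email Security policy


def password_problems(password):
    """Return the list of rules the password breaks (an empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letters")
    if not re.search(r"[0-9]", password):
        problems.append("no numbers")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special characters")
    return problems


def rotation_due(last_changed, today):
    """True when the password is older than the monthly change interval."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def attachment_allowed(filename):
    """Reject attachments whose final extension is on the blocked list.

    The comparison is case-insensitive and looks at the last extension only, so
    'SETUP.EXE' and 'invoice.pdf.com' are both rejected while 'archive.tar.gz' passes."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    return ext not in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    print(password_problems("password"))                          # constructed weak example
    print(password_problems("Tr4in!ng-2010"))                     # constructed compliant example
    print(rotation_due(date(2010, 4, 1), date(2010, 5, 15)))      # older than a month
    print(attachment_allowed("report.pdf"), attachment_allowed("SETUP.EXE"))
```

Returning the list of broken rules rather than a bare yes/no is deliberate: it is the message the user sees at password creation and the evidence an administrator reviews when the policy is audited.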

5 Recommendation

After the issues identified have been analyzed and the background of information technology based standards examined, implementing a security policy program is strongly recommended. It is a compulsory process for organizations of all sizes, and for companies working with hundreds of people and processing thousands of online transactions. While implementing a standard framework is accepted as a de facto obligation for several kinds of companies, such as banks and hospitals, organizations of all sizes dealing with confidential data should conduct their businesses on a trustworthy platform. Maintaining their reputation in the public eye and keeping their clients satisfied are directly related to the platform on which they operate their businesses. However, organizations are busy workplaces and cannot easily structure their businesses on a proper framework by themselves. Therefore, they outsource this complicated process to particular companies whose profession is assisting organizations to establish a security baseline with well designed templates and professional training. So, companies are able to improve their existing structure with specialized assistance. Depending upon different company needs, the rules and policies required should be specified by the company's professional managers. Then a suitable standard program can be documented and deployed to the system.

6 Conclusion

In conclusion, security policies are the basis of organizational security strategy and they are considered "best practices" for the IT departments of all organizations. They are the fundamentals for the security plan, structural design, implementation and practices. Also, stakeholders' participation is evidently as essential as the company's firewalls in protecting the company and its assets properly. Therefore, a security policy program consists of detailed policies and procedures, from human resources training to equipment updates.

References

CIO Magazine. (2009). The Global State of Information Security. Viewed 2010 from http://www.pwc.com/en_GX/gx/information-securitysurvey/pdf/pwcsurvey2010_cio_reprint.pdf
Danchev, D. (2003). Building and Implementing a Successful Information Security Policy. Viewed 2010 from www.windowsecurity.com/pages/securitypolicy.pdf

FERF. (2003). "What is COSO? Defining the Alliance that Defined Internal Control". Viewed 2010 from http://www.financialexecutives.org/eweb/DynamicPage.aspx?site=_fei&webcode=ferf_pub_detail&prd_key=3de00f4b-a538-4c0d-9b5f9e43467309d5
Gaudin, S. (2008). Former Intel engineer charged with stealing trade secrets. Viewed 2010 from http://www.computerworld.com/s/article/9114592/Former_Intel_engineer_charged_with_stealing_trade_secrets?source=rss_topic17
HIPAA. The Health Insurance Portability And Accountability Act. Viewed 2010 from http://www.hipaa.org/
ISO. (2008). ISO/IEC 27002:2005 Code of Practice for Information Security Management. Viewed 2010 from http://www.iso.org/iso/catalogue_detail?csnumber=50297
ISO27001Security. (2010). Code of Practice for Information Security Management. Viewed 2010 from http://www.iso27001security.com/html/27002.html#ContentOfISO17799-2000
Litan, A. (2010). Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts. Viewed 2010 from http://download.entrust.com/resources/download.cfm/24050/entrust3342.pdf/?start
Microsoft [1]. (2010). Security Planning. Viewed 2010 from http://technet.microsoft.com/en-us/library/cc723503.aspx
Microsoft [2]. (2010). Security Strategies. Viewed 2010 from http://technet.microsoft.com/en-us/library/cc723506.aspx

ESO – Security Trends Report. (2009). Viewed 2010 from http://www.oregon.gov/DAS/EISPD/ESO/Pub/Trends/Trends_2009_11.html
NIST. (2003). Computer Security. Viewed 2010 from csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
Perimetrix. (n.d.). Secret Documents Lifecycle. Viewed 2010 from http://perimetrix.com/downloads/wp/WP_Perimetrix_SDL_eng.pdf
SANS. (n.d.). Security Policy Research Project. Viewed 2010 from http://www.sans.org/security-resources/sec_policy.php
SCU. (2004). Security Incident Management Policy. Viewed 2010 from http://www.scu.edu.au/it/download.php?doc_id=583&site_id=36
SEC. The Laws that Govern the Securities Industry. Viewed 2010 from http://www.sec.gov/about/laws.shtml
Stallings, W. (2007). 'Security Standards'. Viewed 2010 from http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_104/104_standards.html
Stallings, W. (2008). Computer Security: Principles and Practices.
Trend Micro. (2010). Data Loss Prevention. Viewed 2010 from http://apac.trendmicro.com/imperia/md/content/us/pdf/products/enterprise/leakproof/wp01_leakproof_dlp_100105us.pdf
UTS. (2008). Information Technology Security Policy. Viewed 2010 from http://www.uts.edu.au/policies/itsecurity.pdf
Wilson, T. (2009).

