assignment issa 2

Upload: paul-nyariki

Post on 05-Apr-2018


7/31/2019 Assignment Issa 2, page 1/26

1.1 INTRODUCTION

Information system security involves understanding and managing the risks associated with network traffic and security, protecting IT assets and data, and selecting and implementing effective controls to ensure confidentiality and integrity and to make sure that the information and communication systems that store, process and transmit data are available at all times.

Security threats have increased because hacking tools are easy to obtain and use, attack technology is steadily becoming more sophisticated and effective, and new and more destructive cyber-attacks have dire consequences; all of these could affect the Countrywide Network of Computerized Enhanced Reservation and Ticketing (CONCERT).

1.2 IT Security Audits

INFORMATION SECURITY AUDIT

The objective of this audit was to identify the vulnerable areas of the CONCERT system that could be easily breached, to assess whether adequate and effective information access controls, network controls and operational system controls were implemented to protect the confidentiality, integrity and availability of the systems and data, and to offer recommendations. Information security audits are a vital tool for governance and control of agency IT assets. This Guideline suggests actions to make the efforts of auditors and agencies more productive, efficient, and effective.

1.1 Roles and Responsibilities

Agencies should assign an individual to be responsible for managing the IT Security Audit Program for the E-seva. While the individual assigned this responsibility will vary from agency to agency, it is recommended that it be assigned either to the E-seva Internal Audit Director, where one is available, or to the Information Security Officer (ISO).

1.2 IT Security Audits

Information security audits are a vital tool for governance and control of agency IT assets. IT security audits assist agencies in evaluating the adequacy and effectiveness of controls and procedures designed to protect COV information and IT systems. This Guideline suggests actions to make the efforts of auditors and agencies more productive, efficient, and effective.


1.3 Roles and Responsibilities

Agencies should assign an individual to be responsible for managing the IT Security Audit program for the agency. While the individual assigned this responsibility will vary from agency to agency, it is recommended that it be assigned either to the agency Internal Audit Director, where one is available, or to the Information Security Officer (ISO).

2 Planning

2.1 Coordination

As stated in the Audit Standard, at a minimum, IT systems that contain data that is sensitive relative to one or more of the criteria of confidentiality, integrity, or availability shall be assessed at least once every three years. For maximum efficiency, the E-seva's IT Security Audit Program should be designed to place reliance on any existing audits being conducted, such as those by the E-seva internal audit organization, a Certified Information Systems Auditor, or third-party audits of any service provider.


2.2 IT Security Audit Plan

The IT security audit plan helps the agency schedule the necessary IT Security Audits of the sensitive systems identified in the data and system classification step of the risk management process.

V-Tech uses the IT security audit plan to identify and document the:

1. Sequencing of the IT Security Audits relative to both risk and the business cycle of the firm, to avoid scheduling during peak periods;

2. Frequency of audits, commensurate with risk and sensitivity;

3. Resources to be used for the audit, such as Internal Auditors, the Auditor of Public Accounts staff or a private firm that the agency deems to have adequate experience, expertise and independence.

    SCOPE


The scope included an assessment of the entire network system in e-Seva. Key personnel in the various departments were interviewed in order to identify critical data and ascertain how the network was being used. We reviewed the system logs of all network components to determine stability issues. All network hardware considered critical to the e-Seva business initiative was also reviewed to determine single points of failure. We also assessed the various network perimeter devices to ascertain vulnerabilities, and evaluated some of the e-Seva practices that could lead to system breaches. The security controls were also assessed to determine whether adequate access control had been put in place.

Opening Meeting

The audit meeting was opened with a word of prayer by the Assistant Director of E-seva. The Director of E-seva then welcomed all the members present in the meeting and introduced the audit team from V-Tech company to the department members, as well as part of his own team.

The audit plan, scope and objectives for the audit were reviewed, together with the timeline it would take for the audit to be completed; it was decided that the audit would take almost three weeks.

The meeting established the official communication link between the department representative and the audit team.

AUDIT TEAM

1. Elizabeth Birgen, BIT-1-4067-3/2010, CISA, Lead Auditor

CERTIFICATIONS: Certified Information Systems Auditor (CISA); IBM DB2 Universal Database

Over 10 years' experience in auditing major companies in Kenya. She is responsible for auditing operating systems.

Experienced Global IT Service Delivery Manager leading an international organization of Database and System Administrators located in the US, Mexico and India.

Extremely familiar with the challenges, issues and opportunities associated with managing IT outsourcing contracts and vendors.


2. David Rotich, BIT-1-2333-2/2010, CSSP, Auditor

CERTIFICATIONS: CSSP; CCIE

Experienced IT auditor and information security specialist. He is responsible for auditing network security controls.

Reduced the number of incident tickets assigned to the organization by over 80% over a one-year period.

Accountable for Service Level Agreements and Disaster Recovery exercises for multiple clients.

3. Linda Bunei, BIT-1-2342-1/2011, Oracle Auditor

CERTIFICATIONS: Oracle BDA; ITIL

Has 5 years' experience in auditing Oracle systems. She is responsible for auditing access controls.

Developed and implemented a process to monitor the database activity of powerful users. Developed and implemented a process to allow clients to review database access on a quarterly basis.

Verified and approved that all Change and Release Management changes have proper approval, are documented, are performed according to documented procedures and that there is an audit trail of the changes performed.

Executing the audit

Operational Systems

1. Documentation relating to software, hardware, network, error handling, etc. was noted to be incomplete.

2. Assets and data were not classified on the basis of risk perception.

3. Complete technical documentation including the source code was not obtained. This made it impossible to identify any unauthorized programme running in the software application package.

4. There was no documented disaster recovery plan defining the roles, responsibilities, rules and structures in the event of any disaster, accidental or otherwise.

5. No alternative site was identified for data centre activities in case of any disaster.


Operational Systems Recommendations

1. Documentation of the software, hardware, network and error handling issues should be complete and precise at any given time.

2. Risky data and assets should be given higher security priority.

3. Complete documentation with code is essential because it helps other programmers go through the code and know what the program is expected to do, and helps them navigate the code easily in order to find bugs or to determine where to add new features.

4. They should come up with disaster recovery process plans consisting of defined rules, processes and disciplines to ensure the continuity of the critical business processes or telecommunications resources upon which their operations depend. These key elements of disaster plans should be emphasized:

a) Establish a planning group, perform risk assessment and audits;

b) Establish priorities for applications and networks;

c) Prepare an inventory and documentation plan.

5. There should be an alternate site for disaster recovery; the two main issues are reconfiguring or rebuilding the infrastructure, and moving data between the primary site and the alternate site.

6. Develop adequate backup strategies:

a) The recommended number of backups should be taken and the backup procedures should be in place.

b) They should automate the backups with scripts, so that in case there is no personnel to do it the backup still runs as always, and once in a while they should test the backup file by attempting a recovery to check its validity.

Network controls

1. No review of the functioning of network management tools was undertaken by the management to identify weaknesses.

2. There was a difference in the number of transactions as reported by eSeva and two participating departments, which indicated that data transmission was incomplete on some days.


3. Protocol analyzers, essential for ensuring network security, were not used.

4. Data was not classified as per sensitivity and was transmitted in clear text between eSeva centres and the data centre instead of in an encrypted form. The risk of splicing the wire and re-routing the data, or tampering with the data by way of unauthorized access, could not be ruled out.

5. Technical experts did not test the reliability of the firewalls. Penetration test reports were also not produced to audit.

6. The logs of internet transactions were not maintained on a continuous basis. They were neither archived nor reviewed.

Network Controls Recommendations

1. Develop intrusion detection strategies for the computers. Many of the common intrusion detection methods depend on the existence of various logs that the systems produce and on the availability of auditing tools that analyze those logs. The deployment plan should describe the kinds of information that will be collected and managed on each computer in support of security.

2. The number of transactions in the documentation should tally with the number reported from their systems.

3. They should set up protocol analyzers and a packet sniffer that analyses the network traffic and displays the traffic situation on the network in real time.

4. Data should be classified as per sensitivity and should be encrypted while being sent over a network, to prevent unauthorized personnel from accessing it.

5. They need to test their firewalls to prevent unauthorized persons from gaining access to the private network, and occasionally do a penetration test to evaluate the security of a computer system or network by simulating an attack from malicious outsiders.

6. Backups of Web server logs are required. Backups of configuration and installation information are also required, unless there is a configuration management system that can be used to recover or rebuild a system from a trusted baseline.

7. Reasonably up-to-date versions of system security agent software, which must include malware protection with reasonably up-to-date patches and virus definitions (or a version of such software that can still be supported with up-to-date patches and virus definitions), set to receive the most current security updates on a regular basis.


8. Education and training of employees on the proper use of the computer security system and the importance of data security.
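Recommendation 2 (the transaction counts must tally) can be enforced as a standing reconciliation rather than a manual comparison of printed figures. The following is an added example and not part of the audit report: it assumes two hypothetical tables, eseva_daily_totals and dept_daily_totals, each holding one row per department per day with the transaction count that side reported, and lists the days on which the two figures do not tally. Oracle SQL is used because the eSeva application runs on an Oracle database.

```sql
-- Added example (not from the audit report). Assumes two hypothetical tables:
--   eseva_daily_totals(txn_day DATE, department VARCHAR2, txn_count NUMBER)
--   dept_daily_totals (txn_day DATE, department VARCHAR2, txn_count NUMBER)
-- holding what eSeva and each participating department respectively reported.

-- Daily reconciliation: one row per department/day where the figures disagree.
-- A FULL OUTER JOIN keeps days present on only one side; an inner join would
-- silently drop them and hide a day on which transmission was incomplete.
SELECT COALESCE(e.department, d.department)             AS department,
       COALESCE(e.txn_day, d.txn_day)                   AS txn_day,
       NVL(e.txn_count, 0)                              AS eseva_count,
       NVL(d.txn_count, 0)                              AS dept_count,
       NVL(e.txn_count, 0) - NVL(d.txn_count, 0)        AS difference,
       CASE
         WHEN e.txn_day IS NULL THEN 'missing at eSeva'
         WHEN d.txn_day IS NULL THEN 'missing at department'
         ELSE 'count mismatch'
       END                                              AS status
FROM   eseva_daily_totals e
FULL OUTER JOIN dept_daily_totals d
       ON  d.department = e.department
       AND d.txn_day    = e.txn_day
WHERE  NVL(e.txn_count, 0) <> NVL(d.txn_count, 0)
ORDER  BY department, txn_day;

-- Summary per department for the audit report: how many days failed to tally
-- and the net difference over the period reviewed.
SELECT COALESCE(e.department, d.department)                     AS department,
       COUNT(*)                                                 AS days_compared,
       SUM(CASE WHEN NVL(e.txn_count, 0) <> NVL(d.txn_count, 0)
                THEN 1 ELSE 0 END)                              AS days_not_tallying,
       SUM(NVL(e.txn_count, 0) - NVL(d.txn_count, 0))           AS net_difference
FROM   eseva_daily_totals e
FULL OUTER JOIN dept_daily_totals d
       ON  d.department = e.department
       AND d.txn_day    = e.txn_day
GROUP  BY COALESCE(e.department, d.department)
ORDER  BY days_not_tallying DESC;
```

The first query is the exception list the auditors would attach to finding 2; the second gives the per-department figure that belongs in the report. Run daily against the previous day's totals, the first query also serves as the detection control for the incomplete-transmission problem: a non-empty result is the alert.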

Access Controls

1. There was an incident of theft, which indicated a lack of physical security.

2. Password policy

a) No password policy existed with respect to the eSeva application, the Oracle database and the operating system.

b) There was no restriction on unsuccessful login attempts.

c) There was no system of maintaining emergency passwords, which should have been kept in a sealed cover with a responsible authority for use in unforeseen situations.

d) There was no documented, well-defined procedure for creating user accounts.

e) The system provided for transaction logs, but did not provide for an audit trail which could trace the flow of transactions and processing at every stage.

f) It was noticed that the application allowed deletion of data without authentication.

Access Control Recommendations

1. The servers should be kept in a room under lock and key, and the people who have access to the key should be accountable at all times. Change lock combinations annually or following any possible security compromise.

2. System resource profiles include a number of security-related parameters, in particular related to the use of passwords. It is possible to set restrictions on password composition, complexity, aging, expiration and history. In addition it is also possible to set rules for locking accounts after a number of failed login attempts, a maximum number of concurrent sessions for a user, and rules to disconnect idle users.

3. There should be a properly documented procedure for creating new users in the system and deleting old users who are no longer in service.

4. Oracle provides various methods of authentication. The most usual method would probably be Oracle-based authentication based on username and password. It is also possible to use host-based authentication, which is based on operating system user accounts being passed on to Oracle. Auditing in Oracle is the monitoring and recording of activities within the database.

5. Oracle provides functions for auditing almost any action within the database (viewing, modifying information, executing programs, deleting
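The controls listed in recommendation 2 map directly onto an Oracle profile, which is how they would be enforced on the eSeva Oracle database. The following is an added example and not part of the audit report: the profile name eseva_app_users, the account eseva_clerk and every limit value are illustrative assumptions. ora12c_verify_function is the stock password-complexity function that ships with Oracle Database 12c and later (installed by utlpwdmg.sql); older releases ship a different function name.

```sql
-- Added example (not from the audit report): an Oracle profile that enforces
-- the password and session controls listed in recommendation 2.
-- Profile name, user name and limit values are illustrative assumptions.
CREATE PROFILE eseva_app_users LIMIT
  FAILED_LOGIN_ATTEMPTS    5        -- lock the account after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24     -- keep it locked for 1 hour (fraction of a day)
  PASSWORD_LIFE_TIME       90       -- aging/expiration: password expires after 90 days
  PASSWORD_GRACE_TIME      7        -- 7-day warning period before the expired password stops working
  PASSWORD_REUSE_TIME      365      -- history: a password may not be reused within 365 days ...
  PASSWORD_REUSE_MAX       10       -- ... and not until 10 other passwords have been used
  PASSWORD_VERIFY_FUNCTION ora12c_verify_function  -- composition/complexity rules (12c+ stock function)
  SESSIONS_PER_USER        2        -- maximum concurrent sessions per account
  IDLE_TIME                15;      -- disconnect a session idle for 15 minutes

-- Attach the profile to an application account (illustrative user name).
ALTER USER eseva_clerk PROFILE eseva_app_users;

-- SESSIONS_PER_USER and IDLE_TIME are resource limits; on releases where
-- RESOURCE_LIMIT defaults to FALSE they are not enforced until it is enabled.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE SCOPE = BOTH;

-- Auditor's check that the finding is closed: open accounts still on a profile
-- that never locks after failed logins or never expires passwords.
SELECT u.username, u.profile, p.resource_name, p.limit
FROM   dba_users u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  p.resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME')
AND    p.limit = 'UNLIMITED'
AND    u.account_status = 'OPEN';
```

PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX only take effect when both are set to a value; leaving either at UNLIMITED disables the history check. In the final query a limit of DEFAULT means the value is inherited from the DEFAULT profile, so that profile has to be checked as well before the finding can be declared closed.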

CLOSING MEETING

The meeting ended after three hours, and the following were to be put in place to make sure that there is security in the e-Seva:

Every day new computer viruses are released, and it is essential that the business is protected from these viruses by keeping the anti-virus software up to date. If possible, companies should look at policies whereby computers that do not have the most up-to-date anti-virus software installed are not allowed to connect to the network.

As computer viruses can spread by means other than email, it is important that unwanted traffic is blocked from entering the network by using a firewall. Sensitive areas within a company's network should also be further segmented and protected using additional firewalls. For users that use computers for business away from the protection of the company's network, such as home PCs or laptops, a personal firewall should be installed to ensure the computer is protected.

All incoming and outgoing email should be filtered for computer viruses. This filter should ideally be at the perimeter of the network. Emails with certain file attachments commonly used by computer viruses to spread themselves, such as .EXE, .COM and .SCR files, should also be prevented from entering the network.

Ensure that all users know never to open an email attachment they are not expecting. Even when the email is from a known source, caution should be exercised when opening attachments. Recent viruses have spread because they appear to be from addresses familiar to the user.

Ensure that all files downloaded from the Internet are scanned for computer viruses before being used. Ideally this scanning should be done from one central point on the network to ensure that all files are properly scanned.


SECURITY POLICIES FOR E-SEVA PROJECT

Security Procedure Manual

Introduction

Scope

Sanctions

Audit controls procedures

Person or entity authentication

Information access management

Disaster recovery plan

Risk management plan

Appendix A. Confidentiality Declaration

Appendix B. Data Protection Statement

INTRODUCTION

The purpose of this policy is to outline the essential roles and responsibilities within the E-seva community for creating and maintaining an environment that safeguards data from threats to personal, professional and institutional interests, and to establish a comprehensive data security program in compliance with applicable law. This policy is also designed to establish processes for ensuring the security and confidentiality of confidential information and to establish administrative, technical, and physical safeguards to protect against unauthorized access to or use of this information.

SCOPE

This policy applies to all E-seva staff, whether full- or part-time, paid or unpaid, temporary or permanent, as well as to all other members of the community. This policy applies to all information collected, stored or used by or on behalf of any operational unit, department and person within the community in connection with government operations.

POLICIES

1.1 Sanctions

E-SEVA shall discipline workforce personnel who violate E-SEVA's security policies and procedures or violate the E-seva Security Rules.


    PERSONNEL

    IT Manager

    Security Officer

    Privacy Officer

    Human Resources

    E-SEVA Workforce Members

    System Administrator

    Senior Management

    PROCEDURES

1. Security Violations That Prompt Consideration of Disciplinary Action.

a) Human Resources may discipline a workforce member, in accordance with the Discipline and Dismissal Policy of the Privacy Manual, who violates either the Security Rule or this Manual relating to the safeguarding of information (a Security Violation).

b) Human Resources may also discipline managers or supervisors if their lack of diligence or lack of supervision contributes to a subordinate's Security Violation.

2. Investigation of Security Violation.

a) A workforce member who becomes aware of a Security Violation shall promptly communicate the report to the Security Officer and his or her supervisor or Human Resources.

b) After receiving a reported Security Violation, the Security Officer or someone designated by him or her shall determine the facts and circumstances surrounding the violation, and report the findings to Human Resources.

3. Imposition of Discipline. Human Resources shall impose sanctions for a Security Violation in accordance with the Discipline and Dismissal Policy of the Privacy Manual.

4. Reporting of Security Violations. The failure to report a known Security Violation is itself a Security Violation, because each workforce member has an obligation to report any Security Violation of which the workforce member becomes aware to the Security Officer and to his or her supervisor or the Human Resources Department.

POLICY


1.1 Audit Controls

E-SEVA shall record and examine activity in information systems that contain or use the electronic database, for the purposes of identifying suspect activity, identifying high-risk activity, identifying security breaches, responding to potential security weaknesses, and assessing E-SEVA's security program.

IMPACTED SYSTEMS

This policy shall apply to all computer systems that contain or access electronic PHI, including, but not limited to, network servers, application servers, desktop computer systems, laptops, data management systems, and server devices.

PROCEDURES

1. Implementation of Audit Control Mechanisms

a) The System Administrator shall ensure that all computer systems that contain or access the electronic Database have in place audit controls for recording and examining activity.

b) The System Administrator shall configure any new computer system received by E-SEVA to record or examine activity on the system, if this capability is not already contained in the new system. The System Administrator shall not bring the new system online until audit controls have been established.

2. Activity to Be Logged

The System Administrator shall implement software on E-SEVA information systems (including applications or processes) containing or accessing the electronic Database that records system activity such as logon, logoff, file access, file activity, attempted logons, and failed logons, concurrent with the system activity.

3. Information Logged

The implemented audit control mechanism shall identify:

a. Who or what is accessing data;

b. When the data is accessed;

c. What data was accessed;

d. The activity that occurred (read only, add, delete, modify data);

e. Whether data is accessed by anyone outside of E-SEVA; and

f. Successful and unsuccessful login attempts.


4. Respond to System Activity

The System Administrator shall promptly respond to any observed or reported suspect activity. The System Administrator should follow the E-SEVA Security Incident Procedures with respect to any suspect activity.

5. Audit Trails. E-SEVA shall maintain audit trails showing system activity for a minimum of 6 years. The Security Officer shall be responsible for maintaining the audit trail information. Audit trail information and reports containing audit trails shall remain confidential. The audit trail shall contain:

a. The type of event;

b. The User associated with the event;

c. The date the event occurred;

d. The method or program used to access the information system; and

e. The activities undertaken with respect to the data accessed.

6. Review System Activity

a. The Security Officer-on-call shall oversee the review of audit trails at least monthly.

b. The Security Officer shall review audit trails at least semi-annually in accordance with the procedures set out in E-SEVA's Security Management Policy. The System Administrator shall work with the Security Officer in reviewing the audit logs. Specifically, the System Administrator shall identify for the Security Officer any suspect activity and any potential security weaknesses. The Security Officer or Privacy Officer shall be responsible for determining whether an external review is necessary for E-SEVA's audit control system.

c. The System Administrator shall add automated monitoring software to E-SEVA's computer systems that contain or access the electronic Database that logs activities within the computer systems and notifies or alarms security personnel upon detecting any suspicious activity. The System Administrator shall review detected suspicious activity and report it to the Security Officer.
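The logging requirements in procedures 2, 3 and 5 and the automated detection in procedure 6(c) can be met with Oracle's unified auditing, since the eSeva application runs on an Oracle database. The following is an added example and not part of the E-SEVA policy: the audit policy names, the table eseva.transactions and the five-failures-per-hour threshold are illustrative assumptions, and the syntax requires Oracle Database 12c or later with unified auditing available.

```sql
-- Added example (not from the policy): Oracle unified-audit policies that capture
-- the events the procedure requires, plus the review and detection queries.
-- Policy names, the table eseva.transactions and the threshold are assumptions.

-- Procedure 2: logon, logoff, attempted and failed logons.
-- Without a WHENEVER clause a unified audit policy records both successes and failures.
CREATE AUDIT POLICY eseva_logon_pol
  ACTIONS LOGON, LOGOFF;
AUDIT POLICY eseva_logon_pol;

-- Procedure 3(d): read, add, delete and modify activity on the sensitive table.
CREATE AUDIT POLICY eseva_data_pol
  ACTIONS SELECT ON eseva.transactions,
          INSERT ON eseva.transactions,
          UPDATE ON eseva.transactions,
          DELETE ON eseva.transactions;
AUDIT POLICY eseva_data_pol;

-- Procedures 3 and 5: the trail must show who (database and OS user), when,
-- how (program and host), what object and what activity, and whether it succeeded.
SELECT dbusername, os_username, userhost, client_program_name,
       event_timestamp, action_name, object_schema, object_name, return_code
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%ESEVA%'
ORDER  BY event_timestamp;

-- Procedure 6(c), automated detection: accounts with five or more failed logons
-- from one host within one clock hour. RETURN_CODE 1017 is ORA-01017,
-- invalid username/password; a successful logon has RETURN_CODE 0.
SELECT dbusername, userhost,
       TRUNC(event_timestamp, 'HH') AS hour_bucket,
       COUNT(*)                     AS failed_logons
FROM   unified_audit_trail
WHERE  action_name = 'LOGON'
AND    return_code = 1017
GROUP  BY dbusername, userhost, TRUNC(event_timestamp, 'HH')
HAVING COUNT(*) >= 5
ORDER  BY failed_logons DESC;
```

Both queries read UNIFIED_AUDIT_TRAIL, which requires the AUDIT_VIEWER or AUDIT_ADMIN role; granting that role to the Security Officer's account rather than sharing a DBA login keeps the trail's confidentiality requirement (procedure 5) intact. The detection query is the kind of rule the monitoring software in 6(c) would run on a schedule; delivery of the alert is left to whatever monitoring tool is in place.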

    Section 1.2: Person or Entity Authentication

    POLICY


E-SEVA shall employ technical safeguards to verify that a person or entity seeking access to the servers is the one claimed. This policy shall apply to all E-SEVA locations. End Users shall be familiar with this policy.

PROCEDURE

1. Personnel Responsibility

a. Implementation of Procedures. The System Administrator shall initiate and oversee the implementation of the following procedures for person and entity authentication, either singly or in combination, to authenticate that the person or entity seeking access to electronic protected health information is the one claimed.

b. Monitoring Access Attempts. The System Administrator shall review access logs to monitor and detect unauthorized access attempts.

2. Person Authentication

a. Person Password Authentication.

i. The System Administrator shall assign to each E-SEVA workforce member, and to any other person that must access the servers stored on E-SEVA's computer systems, a unique User ID pursuant to the Access Control Policy.

ii. Users shall select passwords in accordance with the procedures described in the Access Control Policy.

iii. Each User shall enter a password along with his or her unique User ID to authenticate his or her identity. A User shall be denied access if the password entered does not match the password assigned to the User ID entered by the User.

b. End User Responsibility

i. Users shall be responsible for keeping their User IDs and passwords confidential and shall be forbidden from sharing their User IDs and passwords with anyone, unless authorized by the System Administrator.

ii. If a User becomes aware that someone has improperly obtained his or her User ID and password, or has improperly accessed E-SEVA's health care operations-related electronic system through the use of the User ID and password, the User shall immediately notify the Security Officer or System Administrator. The System Administrator shall promptly disable access rights to that User ID.


iii. If a User's unique User ID and password are improperly used to gain access to the databases, the User may be subject to discipline in accordance with E-SEVA's Sanctions Policy, which may include the loss of his or her access rights.

3. Entity Authentication.

a. Entity Password Authentication.

i. The System Administrator shall assign to each entity needing access to E-SEVA's electronic information system containing PHI a unique ID pursuant to the Access Control Policy.

ii. Entities shall select passwords in accordance with the procedures described in the Access Control Policy.

iii. Each entity shall enter a password along with the unique User ID assigned to it to authenticate its identity. An entity shall be denied access if the password entered does not match the password assigned to the User ID entered by the entity.

b. Entity Responsibility.

i. Entities shall be responsible for maintaining the confidentiality of their unique User IDs and passwords. Entities shall not make E-SEVA's assigned User IDs and their passwords available company-wide. The unique User ID and password shall only be provided to those entity personnel with a need to know in order to perform a service on E-SEVA's behalf. An entity may lose its access rights for failing to protect the confidentiality of the unique User ID and password.

ii. If an entity determines that any of its personnel or any other person or entity has improperly obtained its User ID and password, or has improperly accessed E-SEVA's health care operations-related electronic system through the use of the User ID and password, the entity shall immediately notify the Security Officer. The System Administrator shall promptly disable access rights to that entity's User ID.

iii. The Security Officer shall determine the proper response to an entity's failure to properly safeguard its User ID and password. Such a response may include a recommendation to the Chief Operating Officer to deny access rights to the entity or to terminate the business relationship.


4. Two-factor Authentication.

E-SEVA has determined at this time not to require two-factor authentication, based upon its risk analysis and cost/benefit analysis. The Security Officer shall review this determination on an annual basis to determine whether it is reasonable and appropriate to implement two-factor authentication.

5. Digital Signature Authentication.

E-SEVA has determined at this time not to require digital signature authentication based on public key encryption, due to a lack of infrastructure support. The Security Officer shall review this determination on an annual basis to determine whether it is reasonable and appropriate to implement such digital signature authentication.

1.3 Information Access Management

POLICY

E-SEVA shall establish procedures that (i) assign and manage access to electronic protected Government information in a manner commensurate with the role of each workforce member, and (ii) are consistent with the Security Rule. This policy shall apply to all E-SEVA personnel.

SYSTEMS AFFECTED

This policy shall apply to E-SEVA's computer systems that contain or access the databases, including, but not limited to, network servers, application servers, desktop computer systems, laptops, handheld devices, data management systems, and infrastructure devices.

PROCEDURES

1. Access Authorization

a) The Security Officer shall establish role-based access as set forth in the Access Control Policy and Workforce Security Policy.

b) The authorization criteria shall include required levels of training and training certification requirements commensurate with the level of access, in accordance with the Security Awareness and Training Policy. The access level shall be established by either the Security Officer or his or her designee, and approval may be for a limited period. Renewal or a change of access level may require full re-evaluation of the access needed and may require additional training.


    c) A member of the workforce shall not be authorized to access another workforcemembers client record unless it is for the purpose of treatment, payment, or health care

    operations associated for the member of the workforce whose record is accessed.

    2. Access Establishment

    a) Information Security shall implement the following procedures to ensure appropriate access and access authorization:

    i. Upon hire, each workforce member shall be identified by the security class applicable to their job functions.

    ii. The user department shall ensure that new workforce members complete the appropriate access request form in order to establish the appropriate level of access and to request a unique user identification number. The department head of the new workforce member shall sign the access request form to verify accuracy.

    iii. Once approval is obtained and the appropriate access request form has been signed by all necessary parties, as set forth above, Information Security or the Director on Call will assign appropriate access.

    3. Access Modification

    a. If a workforce member's employment is terminated, if a workforce member leaves E-SEVA, or if a workforce member's position is changed so that the workforce member is performing a different role:

    i. The user department shall notify the Security Officer.

    ii. The Security Director and Security Officer-on-call shall implement the procedures set forth in the Workforce Security section of this Manual if the workforce member is being terminated.

    iii. The System Administrator shall modify or terminate access upon instruction from the Security Officer or Director-on-call, as set forth in the Access Control Policy of this Manual.

    POLICY

    E-seva shall establish procedures for responding to an emergency or other occurrence that damages E-SEVA's information systems that contain electronic protected personal information, including implementation of a Data Backup Plan, a Disaster Recovery Plan and an Emergency Mode Operation Plan.

    PROCEDURES


    1. Data Backup Plan. The IT Manager-on-call shall oversee the implementation of the following procedures, which provide for the creation and maintenance of retrievable exact copies of electronic INFORMATION.

    a. Personnel Responsibility. The IT Manager-on-call shall establish specific backup schedules and procedures for E-SEVA's networks and computer systems.

    b. Daily Backups. E-SEVA shall back up all software, applications, files, data, and messages related to its personal care operations stored on E-SEVA's networks and other information systems to tape, CD-ROM, disk, or other storage media.

    c. Backup Validation. The IT Manager-on-call or his or her designee shall validate the accuracy, completeness and integrity of the backup performed each night. The IT Manager-on-call shall act promptly on errors shown by the validation process and shall either resolve the errors or seek outside technical support to assist in resolving errors in the backup process.

    d. Onsite Storage. The storage media from the previous day or current week shall be stored onsite in an area secured in a safe. The Security Officer and E-seva Management shall have the combination to this safe.

    e. Offsite Storage.

    (i) The Security Officer shall approve an environmentally secure offsite location that provides adequate security and protection from fire and other disasters for storage of a copy of E-SEVA's backup media.

    (ii) The IT Manager-on-call shall cause a copy of the stored data to be sent to the offsite location three days per week.

    (iii) E-SEVA shall store up to 5 weeks of backup data at the offsite facility.

    (iv) The Security Officer and the designated administrators for backup and restoration shall be entrusted with keys and granted passwords to access the offsite storage area.

    f. Restoration of Lost Data. For backup data stored offsite, the Security Officer and IT Manager-on-call shall develop a plan for the retrieval of such backup data. The Security Officer shall ensure that any necessary backup data is retrieved from the offsite location by the most expedient means practical in case of a partial or complete system failure.
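    The backup validation in step 1.c ("accuracy, completeness and integrity") and the 5-week offsite retention in step 1.e(iii) can both be checked mechanically. The following is an added example written for this page, not part of the assignment or of any E-seva tooling: it builds a SHA-256 manifest of the source tree, compares it with the backup copy to report missing, altered and stray files, and lists offsite backups that have aged out of the retention window. The `demo()` scenario uses files constructed in a temporary directory; the file names and the 90-day-free retention arithmetic are assumptions for illustration.

```python
"""Backup validation and offsite retention check (added example, not from the page)."""
import hashlib
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path

HASH_BLOCK = 1 << 16
RETENTION_WEEKS = 5  # policy step 1.e(iii): up to 5 weeks of backups held offsite


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(HASH_BLOCK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def validate_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare a backup tree against its source (step 1.c).

    'missing'   = completeness failure: file exists in source but not in backup
    'corrupted' = integrity failure: file present in both but content differs
    'extra'     = accuracy failure: file in backup that no longer exists in source
    """
    src, bak = build_manifest(source), build_manifest(backup)
    return {
        "missing": sorted(set(src) - set(bak)),
        "corrupted": sorted(f for f in src.keys() & bak.keys() if src[f] != bak[f]),
        "extra": sorted(set(bak) - set(src)),
    }


def backups_to_retire(backup_dates: list[str], today: str, weeks: int = RETENTION_WEEKS) -> list[str]:
    """Return the ISO dates of offsite backups older than the retention window."""
    cutoff = date.fromisoformat(today) - timedelta(weeks=weeks)
    return sorted(d for d in backup_dates if date.fromisoformat(d) < cutoff)


def demo() -> dict[str, list[str]]:
    """Constructed scenario: one file skipped by the backup job, one file altered."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp, "source"), Path(tmp, "backup")
        (src / "db").mkdir(parents=True)
        (src / "db" / "records.dat").write_bytes(b"record-1\nrecord-2\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        (src / "notes.txt").write_text("nightly")
        shutil.copytree(src, bak)
        (bak / "notes.txt").unlink()                            # simulate a skipped file
        (bak / "config.ini").write_text("[app]\nmode=test\n")    # simulate a corrupted copy
        return validate_backup(src, bak)


if __name__ == "__main__":
    print(demo())
    print(backups_to_retire(["2024-01-01", "2024-03-01"], "2024-03-10"))
```

    A non-empty `missing` or `corrupted` list is exactly the condition under which step 1.c requires the IT Manager-on-call to resolve the error or escalate; the manifest itself should be stored with the backup media so the offsite copy can be validated on retrieval (step 1.f) without access to the original system.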

    2. Disaster Recovery Plan. The Security Officer and IT Manager-on-call shall oversee the implementation of the following procedures to restore any loss of data in the case of a catastrophic event such as an emergency, fire, vandalism, system failure, or natural disaster.

    a. Disaster Assessment. Once a disaster has occurred, the IT Manager-on-call shall assess the effect of the disaster on E-SEVA's personal care operations information system to determine any lost functionality and loss of data. If the IT Manager-on-call has determined that data has been lost, the IT Manager-on-call should consult with the Security Officer on whether to implement this Disaster Recovery Plan.

    b. Personnel Responsibility. The IT Manager-on-call is responsible for the implementation of this Disaster Recovery Plan and the restoration of any lost data.

    c. Notify Administrators. The IT Manager-on-call shall notify security personnel of the disaster and notify the designated administrators for backup and restoration. The administrators for backup and restoration shall be designated by the Security Officer and the IT Manager-on-call.

    d. Secure Facilities. In the event of a catastrophic event, E-SEVA security personnel shall immediately ensure that all facilities housing E-SEVA's personal care operations information systems remain secure under the circumstances. E-SEVA security personnel shall limit access to the facilities to only the following authorized personnel, to assist in disaster recovery:

    (i) Security Officer;

    (ii) Facilities Manager;

    (iii) IT Manager-on-call;

    (iv) Administrators for backup and restoration; and

    (v) Approved outside vendors to assist in disaster recovery.

    e. Password Access. The IT Manager-on-call and other administrators for backup and restoration shall have access to system passwords to perform restores of necessary systems and data.

    f. Onsite Backup Data. The IT Manager-on-call shall ensure that the administrators for backup and restoration have access to any backup media stored onsite if necessary to restore software, applications, information and data to E-SEVA information systems.


    g. Systems Architecture and Diagrams. The IT Manager-on-call and the administrators for backup and restoration shall develop and maintain detailed descriptions of E-SEVA's main system hardware components to help rebuild the system in the event of a disaster. The administrators for backup and restoration shall maintain updated profiles for each system configuration and maintain lists of installed software, including currently installed patches, drivers, and O/S distribution media.

    h. Offsite Storage. The Security Officer shall determine whether offsite backup files are necessary.

    (i) The IT Manager-on-call and/or the administrators for backup and restoration shall retrieve all necessary backup files stored offsite.

    (ii) Backup media shall be retrieved so that data can be restored as soon as reasonably permitted under the circumstances.

    3. Emergency Mode Operation Plan. Callier Center Management shall oversee the implementation of the following procedures to enable continuation of critical business processes for protection of the security of electronic INFORMATION while operating in emergency mode.

    a. Emergency. For the purposes of this Emergency Mode Operation Plan, an Emergency shall be defined as an incident that either disables, wholly or partially, or substantially impairs E-SEVA's personal care operations central computing system, or any computer system or network that contains or allows access to INFORMATION, for a period of 48 hours.

    e. Backup Servers. If necessary, the IT Manager-on-call shall ensure that E-SEVA's backup servers containing critical security applications are brought online to safeguard and continue critical business processes, applications (such as firewalls), and virus protection software that protect computer systems and networks that contain electronic information.

    5. RISK MANAGEMENT POLICY

    Overview

    Risk management is the ongoing process of identifying risks and implementing plans to address them. Often, the number of assets potentially at risk outweighs the resources available to manage them. It is therefore important to know where to apply available resources to mitigate risk in a cost-effective and efficient manner.


    This policy lays the framework for a formal risk management program by establishing responsibility for risk identification and analysis, security planning for risk mitigation, and program management and oversight. It is important to note that program management and oversight is a university-wide responsibility that calls for the active involvement of executive leadership, departmental management, data stewards, and others with information management responsibility.¹

    Policy Statements

    1. The E-seva Risk Management Officer (RMO) is responsible for coordinating the development and maintenance of risk management policies, procedures, standards and forms for the University.

    2. The RMO is responsible for the ongoing development and day-to-day management of the university's Risk Management Program (Program) for information privacy and security.

    3. Organizational Unit heads shall ensure that risk assessments are performed at least once annually on all computing systems and/or business processes under their unit's control that involve non-public information, following guidance from the RMO on assessment method, format, content, and frequency.

    4. Organizational Unit heads shall submit the risk assessment results and associated remediation plans to the RMO for review. Remediation plans shall include specific actions with expected completion dates, as well as an account of residual risks.

    5. The RMO shall advise the Head of Information Services on risk management strategies and provide periodic reports on Program progress.

    Policy Implementation

    The RMO is responsible for coordinating the implementation of this policy and for providing guidance on the interpretation of specific policy requirements.

    Definitions

    Risk: The potential of harm to the University or its stakeholders.


    Risk Assessment: A qualitative or quantitative evaluation of the nature and magnitude of risk to government information. The evaluation is based upon known or theoretical vulnerabilities and threats, as well as the likelihood of the threats being realized and the potential impact to the firm and its stakeholders.

    Risk Management: The process of evaluating and responding to risks to government information for the purpose of reducing those risks to acceptable levels. Risk management is inclusive of the risk assessment process, and uses the results of risk assessments to make decisions on the acceptance of risks or on taking action to reduce those risks.

    Checklist for performing Audit

    Application Systems Controls

    Before the application system is implemented, the auditor has to review whether the various controls suggested by users have been incorporated in the application system. The various controls which have to be included in the system are as follows:

    Logical Access Controls

    1. Does the software allow creation of user-IDs with the same name more than once? Does the software encrypt the passwords one way and store them in encrypted form?

    2. Does the software display the password as it is keyed in?

    3. Does the software lock the user-ID after 3 unsuccessful attempts to log on to the system?

    4. Does the software force the user to change the password at set periodic intervals?

    5. Does the software maintain a password history, i.e., does it prevent the same password from being used again on a rotation basis?

    6. Is there an audit trail for the maintenance of user profiles?

    7. Does the software have provision to create and maintain user-IDs based on users' designations and positions held?


    8. Can the DBA change others' passwords? If so, is it reflected in the audit trail?

    9. If a user-ID record is deleted, does the software delete it physically or logically? Is the software capable of producing a report of logically deleted user-IDs?

    10. Does the software have provision to restrict different menu options to different user-IDs based on user level (designation, powers, etc.)?

    11. Does the software have provision for defining access rights for users, such as Read Only, Read and Write, Modify, Delete, etc.?

    12. Does the software allow automatic logical deletion of inactive users after a certain period of time?

    13. Does the system enforce a minimum password length of 6 or 8 characters, or as indicated in the password policy?

    14. Can user-IDs be created without passwords?

    15. Does the system limit the maintenance of system control parameters to a privileged user level having sufficient authority only?
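    The questions above describe what the auditor expects to find; it helps to see what a system that answers them correctly actually does. The following is an added example written for this page (not the CONCERT software, nor any product under audit) showing one-way salted password hashing (item 1), no duplicate user-IDs (item 1), lockout after 3 failures (item 3), forced periodic change (item 4), a password history that blocks reuse (item 5), an audit trail of profile maintenance including DBA resets (items 6 and 8), logical deletion with a report of deleted IDs (items 9 and 12), and a minimum length so IDs cannot be created with empty passwords (items 13 and 14). The 90-day maximum age, 180-day inactivity limit and history depth of 5 are assumed values standing in for the organisation's password policy.

```python
"""Reference implementation of the logical access controls in checklist items 1-15
(added example, not the audited application's own code)."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_PASSWORD_LEN = 8                   # item 13: as set by the password policy (assumed 8)
MAX_FAILED_LOGINS = 3                  # item 3: lock after 3 unsuccessful attempts
PASSWORD_HISTORY = 5                   # item 5: no reuse of the last 5 passwords (assumed)
PASSWORD_MAX_AGE = timedelta(days=90)  # item 4: forced periodic change (assumed 90 days)
INACTIVE_AFTER = timedelta(days=180)   # item 12: logical deletion when idle (assumed)


def _hash(password, salt):
    # item 1: one-way, salted PBKDF2-HMAC-SHA256; the clear-text password is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    def __init__(self, user_id, role, password, now):
        self.user_id, self.role = user_id, role        # item 7: ID tied to a designation
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.history = []                              # (salt, hash) of earlier passwords
        self.changed_at = self.last_login = now
        self.failed, self.locked, self.deleted = 0, False, False  # item 9: logical delete flag


class UserStore:
    def __init__(self):
        self.accounts, self.audit = {}, []             # item 6: audit trail of profile changes

    def create(self, actor, user_id, role, password, now):
        if user_id in self.accounts:                   # item 1: no duplicate user-IDs
            raise ValueError("duplicate user-ID")
        if len(password) < MIN_PASSWORD_LEN:           # items 13/14: no empty or short passwords
            raise ValueError("password too short")
        self.accounts[user_id] = Account(user_id, role, password, now)
        self.audit.append((actor, "create", user_id))

    def login(self, user_id, password, now):
        acct = self.accounts.get(user_id)
        if acct is None or acct.deleted or acct.locked:
            return False
        if now - acct.changed_at > PASSWORD_MAX_AGE:
            return False                               # item 4: expired, change must be forced
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failed, acct.last_login = 0, now
            return True
        acct.failed += 1
        if acct.failed >= MAX_FAILED_LOGINS:           # item 3: lock the user-ID
            acct.locked = True
            self.audit.append(("system", "lock", user_id))
        return False

    def change_password(self, actor, user_id, new_password, now):
        acct = self.accounts[user_id]
        if len(new_password) < MIN_PASSWORD_LEN:
            raise ValueError("password too short")
        for salt, digest in [(acct.salt, acct.pw_hash)] + acct.history:  # item 5: history check
            if hmac.compare_digest(_hash(new_password, salt), digest):
                raise ValueError("password reuse not allowed")
        acct.history = ([(acct.salt, acct.pw_hash)] + acct.history)[:PASSWORD_HISTORY]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new_password, acct.salt)
        acct.changed_at, acct.failed, acct.locked = now, 0, False
        self.audit.append((actor, "change_password", user_id))  # item 8: DBA resets are logged

    def retire_inactive(self, now):
        """Item 12: logically delete accounts idle longer than INACTIVE_AFTER."""
        retired = [a for a in self.accounts.values()
                   if not a.deleted and now - a.last_login > INACTIVE_AFTER]
        for a in retired:
            a.deleted = True
            self.audit.append(("system", "logical_delete", a.user_id))
        return [a.user_id for a in retired]

    def deleted_ids(self):
        """Item 9: report of logically deleted user-IDs."""
        return sorted(a.user_id for a in self.accounts.values() if a.deleted)


def demo():
    """Constructed walk-through of one account; returns what an auditor would check."""
    t0, store = datetime(2024, 1, 1), UserStore()
    store.create("admin", "clerk01", "clerk", "Winter-2024!", t0)
    try:
        store.create("admin", "clerk01", "clerk", "Other-pass-1", t0)
        duplicate_rejected = False
    except ValueError:
        duplicate_rejected = True
    first_login = store.login("clerk01", "Winter-2024!", t0)
    for _ in range(MAX_FAILED_LOGINS):
        store.login("clerk01", "wrong-guess", t0)
    locked = store.accounts["clerk01"].locked
    store.change_password("dba", "clerk01", "Spring-2024!", t0)   # reset also unlocks
    try:
        store.change_password("dba", "clerk01", "Winter-2024!", t0)
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    expired = not store.login("clerk01", "Spring-2024!", t0 + timedelta(days=91))
    retired = store.retire_inactive(t0 + timedelta(days=200))
    return {"duplicate_rejected": duplicate_rejected, "first_login": first_login,
            "locked": locked, "reuse_rejected": reuse_rejected, "expired": expired,
            "retired": retired, "deleted_report": store.deleted_ids(),
            "lock_logged": ("system", "lock", "clerk01") in store.audit}
```

    Item 2 (masking the password as it is keyed in) and item 15 (restricting system control parameters) belong to the user interface and the privilege model rather than the account store, so they are not shown here. The `compare_digest` calls are what make the password comparison constant-time; a plain `==` on the digests would leak timing information.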

    CRYPTOGRAPHY

    16. Is there a cryptography/encryption policy for the various types of classified information that travel or are stored within and outside E-seva's network(s)?

    NETWORK INFORMATION SECURITY

    17. Have the network data monitoring tools (e.g., sniffers, datascopes, and probes) utilized by the product/service been approved by E-seva's IT Department?

    19. Has dial-in connectivity been prohibited on network-connected machines (servers and workstations) except where documented and explicitly approved in writing by Business Management and the IT Department?

    20. Have the remote control products used in a dial-in environment been explicitly approved by the IT Department?

    Backup and recovery

    Software


    21. Verify that a current copy of the backup of software (operating system, RDBMS, application, etc.) is taken and preserved at the user site.

    Data

    22. Verify that the different types of data backup are taken periodically at the specified intervals as advised by the software developer/vendor.

    23. Are there proper records noting the media on which the different data backups are stored, the data type, the location where it is stored, the date of backup, the due date for recycling, etc.?

    - Check that appropriate parameters are implemented in the operating system of the web server so that the superuser account locks out if too many unsuccessful attempts are made across the network, but remains unlocked at the system console.

    24. Check that sensitive operating-system-related executable program files and data files on the web server are not stored in a public area but in another secure location with auditing duly enabled.

    25. IP routing should be disabled on the web server. Check and confirm this.

    26. Ensure that unauthorized ports, e.g., UDP port 443, are not allowed on the web server. Also ensure that unnecessary services such as ftp, messenger, SMTP, telnet, etc. are not installed and active on the web server.

    27. The facility to shut down the machine should be restricted to the system console on the web server. Check and ensure this.

    28. Access to the floppy drive, CD-ROM drive, etc. should be restricted on the web server to interactive users only, to prevent these devices from being shared by all processes on the system. Check and ensure this.
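    Item 26 is the one check in this group an auditor can run from a socket listing rather than by interview. The following is an added example, not from the assignment, that evaluates a listing in the style of `ss -tulnp` output against an allow-list of authorised listeners and a table of services the checklist calls unnecessary. The sample listing is constructed for the example (it was not captured from any real host), and the allow-list (tcp/80, tcp/443, tcp/22) and the process-name-to-service table are assumptions that an auditor would replace with the organisation's approved baseline.

```python
"""Audit a web server's listening sockets (added example, not from the page)."""
import re
from dataclasses import dataclass

# Constructed sample in the style of `ss -tulnp`; not captured from a real system.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*         users:(("nginx",pid=901,fd=6))
tcp   LISTEN 0      511    [::]:443          [::]:*            users:(("nginx",pid=901,fd=7))
tcp   LISTEN 0      128    127.0.0.1:22      0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      32     0.0.0.0:21        0.0.0.0:*         users:(("vsftpd",pid=1340,fd=4))
tcp   LISTEN 0      128    0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1401,fd=3))
tcp   LISTEN 0      100    0.0.0.0:25        0.0.0.0:*         users:(("master",pid=1210,fd=13))
udp   UNCONN 0      0      0.0.0.0:443       0.0.0.0:*         users:(("quic-test",pid=1500,fd=5))
"""

# Assumed baseline: the only listeners authorised on this web server.
ALLOWED = {("tcp", 80), ("tcp", 443), ("tcp", 22)}
# Process names the checklist's "unnecessary services" map to (assumed table).
UNNEEDED = {"vsftpd": "ftp", "telnetd": "telnet", "master": "SMTP (postfix)",
            "sendmail": "SMTP", "in.telnetd": "telnet"}

# One line of ss output: proto, state, queues, local addr:port, peer, first process name.
LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str


def parse_listeners(text):
    """Turn ss-style lines into Listener records; header and unparsable lines are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return found


def audit_listeners(listeners, allowed=ALLOWED, unneeded=UNNEEDED):
    """Return one finding string per violation of item 26."""
    findings = []
    for l in listeners:
        if (l.proto, l.port) not in allowed:
            findings.append(f"unauthorised {l.proto}/{l.port} ({l.process})")
        if l.process in unneeded:
            findings.append(f"unnecessary service {unneeded[l.process]} via {l.process} "
                            f"on {l.proto}/{l.port}")
    return findings


if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(finding)
```

    Running it against the sample flags ftp, telnet and SMTP both as unauthorised ports and as unnecessary services, and flags the UDP/443 listener the checklist names. The allow-list keys on protocol and port rather than on process name, so a sanctioned port served by an unexpected binary is still reported through the `UNNEEDED` table only; extend `ALLOWED` with the expected process name if that distinction matters for the audit.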

    Logs of activity

    29. Ensure that auditing is enabled in the web server's operating system and that the logs are reviewed and authenticated by authorized officials periodically.

    30. Check that an audit trail is enabled on the firewall to log the changes made to the rule base settings, and verify that the logged entries are approved by higher authorities in the IT Department.

    31. Check whether the system administrators are monitoring the logs produced by the Intrusion Detection System (IDS) (an intrusion detection system helps in recognizing security threats and is capable of scanning packets for vulnerabilities; it ensures that distributed denial of service attacks are prevented) and escalating the access violations to the

    Database Controls

    It is important to ensure the following with reference to databases:

    - The database is physically secure and free of any corruption.
    - Access to the database is restricted and permitted only to authorized personnel.
    - Referential integrity of the data is ensured at all times.
    - The accuracy of the contents of the database is verified periodically.
    - The database is also technically verified periodically, in terms of storage space, performance tuning and backup.
    - Backups of the database are periodically retrieved and checked to ensure that they are in order.
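    Two of the points above (freedom from corruption and referential integrity) can be tested directly rather than by inspection. The following is an added example written for this page, not taken from the assignment or from any E-seva system: it uses SQLite's built-in `PRAGMA integrity_check` and `PRAGMA foreign_key_check` on a constructed two-table schema into which an orphaned child row has been inserted while enforcement was off, which is exactly how such rows appear in practice after a bulk load or a restore. The table names and rows are constructed; the checks themselves are standard SQLite features.

```python
"""Periodic database integrity and referential-integrity check (added example)."""
import sqlite3


def build_sample_db() -> sqlite3.Connection:
    """Constructed schema with one orphaned row, inserted while FK enforcement is off."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        PRAGMA foreign_keys = OFF;
        CREATE TABLE client (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE record (
            id        INTEGER PRIMARY KEY,
            client_id INTEGER NOT NULL REFERENCES client(id),
            note      TEXT
        );
        INSERT INTO client VALUES (1, 'A. Example'), (2, 'B. Example');
        -- row 12 references client 9, which does not exist
        INSERT INTO record VALUES (10, 1, 'visit'), (11, 2, 'visit'), (12, 9, 'orphan');
    """)
    return conn


def referential_integrity_violations(conn):
    """Run SQLite's FK audit; each row is (child table, rowid, parent table, fk index)."""
    return [tuple(r) for r in conn.execute("PRAGMA foreign_key_check")]


def integrity_ok(conn) -> bool:
    """PRAGMA integrity_check answers 'ok' when the file structure is uncorrupted."""
    (status,) = conn.execute("PRAGMA integrity_check").fetchone()
    return status == "ok"


def enforce_foreign_keys(conn):
    """Turn enforcement on for the session so new orphans are rejected at insert time."""
    conn.execute("PRAGMA foreign_keys = ON")


def insert_is_rejected(conn, record_id, client_id) -> bool:
    """Try to add a record for client_id; True if the database refused it."""
    try:
        conn.execute("INSERT INTO record VALUES (?, ?, 'test')", (record_id, client_id))
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    db = build_sample_db()
    print("integrity ok:", integrity_ok(db))
    print("orphans:", referential_integrity_violations(db))
    enforce_foreign_keys(db)
    print("orphan insert rejected:", insert_is_rejected(db, 13, 99))
```

    The periodic check the control asks for is the first two calls; turning enforcement on is the preventive control that keeps the violation list empty between checks. Note that `PRAGMA foreign_keys` is per connection in SQLite, so it has to be set by every application that opens the database, not once at creation.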


    REFERENCES

    1. http://www.isect.com

    2. http://www.sas70exam.com

    3. Tipton, H. and Krause, M. Information Security Management Handbook, 4th edition.

    4. Litchfield, David. Hackproofing Oracle Application Server (A guide to securing Oracle 9). NGSSoftware Insight Security Research Publication, 10 January 2002. URL: http://www.nextgenss.com/papers/hpoas.pdf (5 March 2002)

    5. Theriault, Marlene and Heney, William. Oracle Security. Sebastopol, CA: O'Reilly & Associates, Inc., 1998.

    OUTLINE

    1.1 introduction ............................................................................................................................... 1

    information security audit ............................................................................................................... 1

    1.1 roles and responsibilities ........................................................................................................... 1

    1.2 it security audits ....................................................................................................................... 1

    1.3 roles and responsibilities ....................................................................................................... 2

    2 planning..................................................................................................................................... 2

    2.1 coordination .......................................................................................................................... 2

    2.2 it security audit plan .............................................................................................................. 2

    opening meeting .............................................................................................................................. 3

    executing audit ................................................................................................................................ 4

    closing meeting ............................................................................................................................... 8

    security procedure manual........................................................................................................... 9

    personnel ....................................................................................................................................... 10

    impacted systems .......................................................................................................................... 11

    section 1.2: person or entity authentication ................................................................................ 12

    Person authentication ................................................................................................................... 13

    Entity authentication. .................................................................................................................... 14

    Two-factor authentication. ........................................................................................................... 15

    Digital signature authentication. ................................................................................................... 15

    checklist for performing audit ....................................................................................................... 21

    cryptography ................................................................................................................................. 22

    network information security ........................................................................................................ 22

    backup and recovery ..................................................................................................................... 22

    references ..................................................................................................................................... 25