Can management trust that information is properly used by staff? Can companies trust vendors or suppliers to secure their assets? Is there a financial impact when some part of the security infrastructure requirements is compromised?
Security is key in today’s world. Information in an organisation is of vital importance to all kinds of businesses. That information may come from business processes, such as order information, invoices, shipping notes, etc. It may be held on many media, such as paper, blueprints, microfilm, and information systems. Most information in the modern business world is supported by information systems and processing such as ERP (Enterprise Resource Planning), MRP (Material Requirements Planning), MIS (Management Information System), workflow systems and/or in-house developed systems. This means that the information system in an organisation is very important in terms of preserving confidentiality, availability and integrity. The security of an information system is a key concern. Organisations need to ensure that their information is well maintained. The challenge is the lack of security management awareness at all levels of an organisation.
This article offers guidance on how to secure an information system and how to protect the information inside it from modification, disclosure, deletion and access by unauthorised persons.
Security Concerns in Each Phase of the Life Cycle
1. Phase: Concept and Requirements of a New Information System
In the concept and requirements phase, the requirements of the new information system are collated. Normally, a systems analyst will collate the system requirements, focusing on business logic/practicality and functional requirements. Security requirements must also be identified to address any potential security concerns. Examples of security requirements include, but are not limited to:
- User access management - What kind of access rights control will the system use? This includes the authentication architecture, password management, user idle time and session time-out, etc.
- Log and monitoring requirements - Are there logs available for vulnerability analysis? For example, fault or error logs, and the log retention period (log size).
- Capacity and performance requirements - What is the maximum capacity of the system? Consider concurrent sessions, maximum users, and transaction growth rates.
- Security test requirements - Are any security tests planned during the development and deployment stages, such as penetration tests and vulnerability assessments?
- Development and test environment - Are there any requirements for the development and test environment? If so, should it be totally isolated from the production environment, or on the same hardware but in a separate database and folder?
- Special requirements for operation and maintenance - Are there any additional requirements for operation and maintenance, such as backup, database compaction, or purging of cache and temporary files?
2. Phase: Design
The design phase is one of the most important phases, because the designer transforms the requirements into a new system architecture and its components. Within that architecture and those components, system security has to be addressed, to prevent any threat to, or vulnerability of, the new system that could be caused by its design.
- Architecture security design - A secure design should be established and applied. The relevant security aspects, such as technologies, tools, protocols, etc., should be reviewed. Encryption and cryptographic controls may be applied, for example at the database and network levels. However, system performance should be reviewed once the secure structure has been applied.
- Redundancy and DRC site - Establish and implement appropriate redundancy for critical systems and their components. The degree of redundancy depends on system availability requirements, which may be affected by threats such as power outages and hardware problems. For critical systems whose failure would interrupt business activities, a disaster recovery centre (DRC) site may be needed. Factors such as distance, location, environment, travel, etc. should be used to evaluate and identify the best DRC site.
- Backup - The backup plan should be included in the design phase and should cover the operating system (OS), application and database levels. System configuration, such as application and network configuration, shall be included in the plan.
- Access rights/roles matrix - Pre-defined roles and their access rights shall be established to support access rights management, and presented as a matrix.
- Handling of design documents (confidential when dealing with third parties) - Design documents, including system requirements, shall be classified by a labelling method (stamp, header, footer, etc.). The media used as the repository for all documents shall be handled securely.
3. Phase: Construction
- Secure coding guidelines - The system requirements and specification from the design phase are used to set up and allocate the construction team (programmers / coders). A secure coding guideline shall be established, and team members shall follow it. Programmers shall code in accordance with secure techniques. Some training may be required for programmers / implementers.
- Software / source code - Access to source code shall be protected and limited to authorised persons only. Version control of software packages, source code and requirements shall be established and maintained.
4. Phase: Verification and Testing
- Test data - Sometimes the implementer may use real data from the production environment for system testing. Test data shall be controlled to prevent any disclosure from the development and testing environment. A disposal process shall be established and followed once testing is complete. The rule “dispose after test” shall apply.
- Security testing - Security testing shall be conducted to ensure that there are no vulnerabilities in the system. Several levels of security testing can be applied, such as vulnerability scans and penetration tests.
5. Phase: Installation and trial
- Control of software installation package and source code - Media and version control of software packages shall be established. Where a software package is deployed as script files (PHP, JSP, ASPX), access controls shall apply. The installation path shall be protected from unauthorised access. Network access to installation folders, such as FTP and network folder sharing, shall be granted temporarily to the authorised person only. The network connection shall be disabled once installation is complete.
- Hardening of operating system - Once installation is complete, the major security concern is system hardening, which comprises the OS, application and network levels. A security baseline for each level of the information system shall be established and implemented before services are provided. Vulnerability and patch management, vulnerability assessment and malware control shall also be carried out.
6. Phase: Go live / Production
After the trial phase, the new system moves into production, meaning it is ready to provide services. Any events arising in production shall be resolved and properly managed through incident / problem management. System changes made while handling an incident/problem should be closely controlled.
7. Phase: Operation and System Maintenance
In the operation and system maintenance phase, we assume that the system is working correctly in the production/operation environment. The following activities shall be carried out to prevent any risk of failure of the system’s confidentiality, integrity and availability:
- Backup - The backup plan shall be established, implemented and monitored. A backup test shall be performed to ensure that backup data can be used when required.
- Access right review - User access rights, at both OS and application levels, shall be reviewed regularly. In case of resignation or job relocation, the user’s rights shall be reviewed independently of the regular cycle, and no later than the effective date.
- Capacity management - The capacity of the information system shall be identified, covering hardware performance, disk storage, software performance and network performance. Usage shall be analysed against the capacity thresholds as input to the improvement plan.
- Change management - Changes in operation shall be controlled and their risks identified. A change plan shall be established to control activities during the change, and validation of the change shall be completed. A post-change evaluation, including updating change information in related documents, shall be carried out.
- Vulnerability assessment - Security patches that address known vulnerabilities shall be applied to the system. Patches shall be tested before installation in the production environment. Vulnerability assessments, such as VA scans and penetration tests, shall be carried out on a regular basis and the findings fixed.
- Log and monitoring - Exception, malfunction and fault logs shall record incidents to support the monitoring process. Analysis shall be performed to highlight hardware, software and application issues. Short-term and long-term fixes shall be applied and evaluated. System utilisation shall be monitored to support capacity management.
- Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) testing - The DRP and BCP shall be established based on the risk the information system presents to the business processes. A testing plan with pre-defined test scenarios shall be established and used to support the test process. The testing plan shall be revised and updated based on the test evaluation results.
- Supplier management - Assess the risk from suppliers/vendors who may access the information system. A non-disclosure agreement, for both individuals and organisations, shall be signed before they start work. Close monitoring should be maintained to reduce any risk from suppliers/vendors.
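One way to turn the access rights/roles matrix from the design phase into the regular access-right review described above (including the resignation / job relocation case), as an added example that is not from the original article; the roles, resources, accounts and dates are constructed:

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed (hypothetical) roles/access-rights matrix: role -> resource -> permissions.
ROLE_MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "order_clerk": {"orders": {"read", "create"}, "invoices": {"read"}},
    "finance": {"orders": {"read"}, "invoices": {"read", "create", "approve"}},
    "sysadmin": {"os": {"login", "sudo"}, "orders": {"read"}},
}

@dataclass
class Account:
    user: str
    role: str
    # Permissions actually present on the system (from OS/application exports).
    granted: Dict[str, Set[str]] = field(default_factory=dict)
    # Effective date of a notified resignation or job relocation, if any.
    effective_date: Optional[date] = None

def is_allowed(role: str, resource: str, perm: str) -> bool:
    """Authorisation check against the matrix; an unknown role is granted nothing."""
    return perm in ROLE_MATRIX.get(role, {}).get(resource, set())

def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str, str]]:
    """Access-right review: report unknown roles, permissions beyond the role's
    matrix entry, and leavers/movers whose effective date has arrived but who
    still hold access. Returns (user, finding, detail) tuples."""
    findings = []
    for acct in accounts:
        if acct.role not in ROLE_MATRIX:
            findings.append((acct.user, "unknown-role", acct.role))
        if acct.effective_date and acct.effective_date <= today and acct.granted:
            findings.append((acct.user, "access-past-effective-date", acct.effective_date.isoformat()))
        for resource, perms in acct.granted.items():
            for perm in sorted(perms):
                if not is_allowed(acct.role, resource, perm):
                    findings.append((acct.user, "excess-permission", f"{resource}:{perm}"))
    return findings

# Constructed sample export: a clean account, one with permission creep, one leaver still active.
SAMPLE_ACCOUNTS = [
    Account("alice", "order_clerk", {"orders": {"read", "create"}, "invoices": {"read"}}),
    Account("bob", "order_clerk", {"orders": {"read", "create"}, "invoices": {"read", "approve"}}),
    Account("carol", "finance", {"invoices": {"read"}}, effective_date=date(2024, 3, 31)),
]

def review_sample() -> List[Tuple[str, str, str]]:
    # Run the review the day after carol's effective date; returns the two expected findings.
    return review_accounts(SAMPLE_ACCOUNTS, date(2024, 4, 1))
```

The same matrix can drive the run-time authorisation check (`is_allowed`) and the periodic review, so the two cannot drift apart.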
8. Phase: End of Life [EOL]
The EOL phase means the information system will no longer support business functions. There may be a new system and/or new technology to replace it. However, we should be aware of the valuable information still held in the EOL system.
- System backup, data backup - A full backup should be in place, covering the system (OS) level and the application/database level. A system recovery test should be carried out to ensure that nothing is missed during the backup process. The operations team should have the recovery instructions and procedure, so that if recovery is needed in the future the team can carry it out properly.
- Data disposal process - The information in an EOL system shall be strictly controlled because it is real production information. A disposal process shall be established and implemented. The request for disposal, approval and validation shall be carried out as defined. Identification labels may be needed to indicate the disposal status of information at hardware level, such as “EOL with existing information”, “EOL and disposed”, etc.
- Appoint contact windows - A system operator who knows the EOL system in depth shall be appointed. The intention is to assign someone who can operate the EOL system in the future. If the organisation has the need, this contact person shall be able to recover data inside the system, extract configuration, etc.
In conclusion, we hope that readers can use this best practice, in eight phases, to protect the valuable information and information systems in their organisation. The level of implementation of this guideline depends on the business impact and risk of the information system in an organisation: some controls are mandatory while others may not be required. It depends on many factors, such as the size of the organisation, the complexity of the information system, and perhaps the available resources.
However, this guidance is just the beginning of best practice for information security protection. You can expand an organisation’s security control practice by using an ISO 27001 information security management system. ISO 27001 is based on risk management of information assets in an organisation. It is not only technical, but also contains management details based on a Plan-Do-Check-Act model.