Handbook of Information Security Management: Policy, Standards, and Organization



Audit/history — Information documenting the software change such as the work request detailing the work to be performed, test plans, test results, corrective actions, approvals, who performed the work, and other pertinent documentation required by the business.

Version and configuration control — Maintaining control over the versions of software checked out for update, being loaded to staging or production libraries, etc. This would include the monitoring of error reports associated with this activity and taking appropriate corrective action.

Periodic testing — Involves taking a test case and periodically running the system with known data which have predictable results. The intent is to ensure the system still performs as expected, and does not produce results that are inconsistent with the test case data. These tests could be conducted at random or on a regular schedule.

Random checking — Production checking of defined data and results.

Separation of duties — This procedural control is intended to meet certain regulatory and audit system requirements by helping ensure that no single individual has total control over a programming process without appropriate review points, or without other individuals being required to perform certain tasks within the process prior to final user acceptance. For example, someone other than the original developer would be responsible for loading the program to the production environment from a staging library.

Access control of software — In some applications, the coding techniques and other information contained within the program are sensitive to disclosure, or unauthorized access could have economic impact. Therefore, the source code must be protected from unauthorized access.

Virus checking — All software destined for a PC platform, regardless of source, should be scanned by an authorized virus-scanning program for computer viruses before it is loaded into production on the PC or placed on a file server for distribution. Some applications would have periodic testing as part of a software quality assurance plan.
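The audit/history and separation-of-duties controls above can be checked mechanically before a change is promoted to production. The following is an added example, not from the handbook; it assumes a change record represented as a small dataclass with hypothetical field names for the audit items the text lists, and flags any change where required evidence is missing or where the developer also approved or deployed their own work.

```python
from dataclasses import dataclass, field

# Audit/history items the handbook lists for a software change. The key names
# are assumed for this example; the handbook does not prescribe a schema.
REQUIRED_AUDIT_FIELDS = (
    "work_request", "test_plan", "test_results", "corrective_actions",
    "approvals", "performed_by",
)


@dataclass
class ChangeRecord:
    change_id: str
    developer: str            # who performed the work
    approvers: list           # who reviewed and approved the change
    deployer: str             # who loads the program from staging to production
    audit: dict = field(default_factory=dict)


def validate_change(rec: ChangeRecord) -> list:
    """Return the list of control violations; an empty list means the change may proceed."""
    problems = []
    # Audit/history: every required artefact must be present and non-empty.
    for key in REQUIRED_AUDIT_FIELDS:
        if not rec.audit.get(key):
            problems.append(f"missing audit item: {key}")
    # Separation of duties: the developer may neither approve nor deploy their own change.
    if not rec.approvers:
        problems.append("no approval recorded")
    if rec.developer in rec.approvers:
        problems.append("developer approved own change")
    if rec.deployer == rec.developer:
        problems.append("developer loaded own change to production")
    return problems


# Constructed sample records with hypothetical people and identifiers.
GOOD = ChangeRecord(
    change_id="CHG-0001", developer="alice", approvers=["bob"], deployer="carol",
    audit={k: "present" for k in REQUIRED_AUDIT_FIELDS},
)
BAD = ChangeRecord(
    change_id="CHG-0002", developer="alice", approvers=["alice"], deployer="alice",
    audit={"work_request": "WR-17", "test_plan": "TP-4"},
)

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec.change_id, validate_change(rec) or "OK")
```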

DEFINING ROLES AND RESPONSIBILITIES

To have an effective Information Classification program, roles and responsibilities of all participants must be clearly defined. An appropriate training program, developed and implemented, is an essential part of the program. The Study Team identified to conduct the Business Impact Analysis is a good starting point to develop these roles and responsibilities and identify training requirements. However, it should be noted that some members of the original team such as Legal, Internal Audit, or Business Continuity Planning, most likely will not be interested in this phase. They should be replaced with representatives from the corporate organizational effectiveness group, training, and possibly corporate communications.

Not all of the roles defined in the sections that follow are applicable to every information classification scheme, and many of the roles can be performed by the same individual. The key to this exercise is to identify which of the roles defined are appropriate for your particular organization, again keeping in mind that an individual may perform more than one of them when the process is fully functional.

Information owner — Business executive or business manager who is responsible for a company business information asset. Responsibilities include, but are not limited to:

  Assign initial information classification and periodically review the classification to ensure it still meets the business needs.
  Ensure security controls are in place commensurate with the classification.
  Review and ensure currency of the access rights associated with information assets they own.
  Determine security requirements, access criteria, and backup requirements for the information assets they own.
  Perform or delegate, if desired, the following:
    Approval authority for access requests from other business units, or assign a delegate in the same business unit as the executive or manager owner.
    Backup and recovery duties, or assign them to the Custodian.
    Approval of the disclosure of information.
    Act on notifications received concerning security violations against their information assets.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version is covering; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.