
Security Assurance Plan for The Sirius Council Borough of Betelgeuse System


Academic year: 2019


© The National Computing Centre Limited 2009 All rights reserved

The copyright in this document template is vested in the National Computing Centre Limited. The document must not be reproduced, by any means, in whole or in part or used for manufacturing purposes, except with the prior written permission of The National Computing Centre Limited and then only on condition that this notice is included in any such reproduction.

This template is supplied in good faith and NCC cannot be responsible for the way that it is deployed. Information contained in this document is believed to be accurate at the time of publication but no liability whatsoever can be accepted by The National Computing Centre Limited

Document Number: Security Assurance Plan for The Sirius Council Borough of Betelgeuse System

Issue: 1.0

Date: 15 December 2010

Author: Gang Yang 7661449

Risk assessment group participants:

Yangchao Dong 7603433

Methawuth Poonpanich 7758699

Hongwei Yang 7216260


1. Modification History

Revision | Date | Revision Description
0.1 | 01/12/2010 | System objectives & Asset register
0.2 | 04/12/2010 | Risk assessments
0.3 | 06/12/2010 | Risk treatment and countermeasures
0.4 | 11/12/2010 | Business continuity
0.5 | 12/12/2010 | Disaster recovery
0.6 | 13/12/2010 | User training and awareness
0.7 | 14/12/2010 | Quality Assurance regime


2. Contents

1. Modification History
2. Contents
3. System objective
3.1. Purpose
3.2. Information lifecycle and classification
3.3. Relevant topics for compliance
3.3.1. Regulation
3.3.2. Standards
3.4. Responsibilities and expert characteristics of stakeholders and users
3.5. Protection profile
4. Asset register
4.1. Asset overview
4.2. Asset ranking
4.2.1. Hardware (IT infrastructures, network infrastructures and cable lines)
4.2.2. Software (Application software and system software)
4.2.3. Services
4.2.4. Information
4.2.5. People
5. Risk assessments
5.1. Risks
5.2. Impact
5.2.1. Importance of asset
5.2.2. Risk severity
5.2.3. Probability of occurrence
5.2.4. Impact ranking
6. Risk treatment and countermeasures
6.1. Hardware (Network infrastructures)
6.2. Hardware (Cable lines)
6.3. Hardware (IT infrastructures)
6.4. Software (System)
6.5. Software (Application)
6.6. Services
6.7. Information
6.8. People
7. Business continuity
7.1. Prioritisation
7.2. Contacts
7.3. Incident management
7.4. Audit
7.5. Business continuity plan
8. Disaster recovery
8.1. Instructions for relocation
8.2. Rebuilding the information system
9. User training and awareness
9.1. Acceptable use
9.1.1. Computer and/or network skills training
9.1.2. Confidential policy awareness
9.2. Enforcement
10. Quality Assurance regime
10.1. Reviews
10.2. Inspections
10.3. Audits
10.4. Testing


3. System objective

3.1. Purpose

In a knowledge-based economy, an increasing number of individuals and organisations have come to recognise that information is the lifeblood of companies. Information and communication technologies (ICTs) have become an indispensable part of business processes and are widely used in different industries, such as banking, education, manufacturing, entertainment, etc. However, as an intangible asset, information is easily stolen or lost. As a result, a security assurance plan is always required when a company installs or changes network infrastructures and computer software, implements new services, or develops a new business plan, to help the company and its stakeholders:

• Protect information in the areas of confidentiality, availability, and integrity;

• Manage assets, including hardware, software, information, people, and service;

• Reduce/mitigate risks that come from deliberate attacks, accidental damage and environmental threats;

• Engender trust between companies and their stakeholders.

The main purpose of this report is to formulate a security plan for the new network strategy of the Sirius Council Borough of Betelgeuse network system (which is made by CIAN Services) on the basis of relevant security standards and policies. The main contents of the report consist of asset identification and classification, risk assessment and treatment, business continuity planning, disaster recovery, user training and assurance regime establishment.

3.2. Information lifecycle and classification

The new Sirius Council Borough of Betelgeuse network system holds a range of information, such as customer information, personal data, future plans and campaigns, sensitive company information, etc. This information can be split into two categories according to confidentiality, availability, and integrity. One group is open information, which can be released to the public. The other group is confidential information, which can only be accessed at a specific time, in a specific place, and by specific people.

Classified information cannot be kept secret forever, because of some issues (i.e. financial condition). In fact, all the classified information in the new Sirius Council Borough of Betelgeuse network system has a lifespan. As a result, its classification can change from ‘confidential’ to ‘open’ under some circumstances. For example, part of the information in the network system can be opened when network frameworks are updated and no longer used in the future.

3.3. Relevant topics for compliance

3.3.1. Regulation

2) Data Protection Act 1998

3) Electronic Communications Act 2000

4) Communications Act 2003

5) Computer Security Act of 1987

3.3.2. Standards

1) ISO/IEC 27001

2) ISO/IEC 27002: 2005

3) ISO/IEC 27005: 2008

4) ISO/IEC 15408

3.4. Responsibilities and expert characteristics of stakeholders and users

This network system belongs to the Sirius Council Borough of Betelgeuse. It is used to provide council services to internal and external users. There are many stakeholders in the value chain of this network system. All the users can be summarised and classified as follows:

1) Internal users

a. IT support teams

i. Network Managers / Managed Network Services Unit (MNSU)

ii. IT Managers / Computer Services (CS)

b. Council staff

2) External users

a. CIAN Service

b. Internet service providers (ISPs)

c. Government and other councils

d. Ordinary citizens

As the following table shows, they differ in permissions, responsibilities, and computer proficiency.

Internal users

MNSU | Information concerning LAN management | Check/modify | LAN management (including voice

Check/modify | IT infrastructures installation and

Council staff | Information concerning relevant department | Check/modify | Public Service offer and department business | Basic use (CRM)

External users

CIAN Service | Information concerning network design and installation | Check/modify | Network design and installation

Check/modify | WAN management (including voice

Shared information | Check | None | Basic use (CRM)

Ordinary citizens | Open information | Check | None | Basic use

Table [1] Responsibilities and expert characteristics of stakeholders and users

3.5. Protection profile

The new Sirius Council Borough of Betelgeuse network system provides better communication services among the council, its key partners and ordinary citizens. Given this function, some assets should be protected in order to ensure the security of information and the operation of council services. Those assets include:

• Tangible assets: employees, software, hardware

4. Asset register

4.1. Asset overview

The new Sirius Council Borough of Betelgeuse network system comprises 47 tangible and intangible assets. They are located in different places and differ in importance; therefore the loss or breakdown of those assets may affect business continuity to different degrees. According to ISO/IEC 27002: 2005, those assets can be divided into five categories: hardware, software, services, people and information. Each category has some registered assets, and their security is the responsibility of different teams or individuals. All the assets are summarised in the following table.

Columns: Asset, Definition, Ownership, Number, Component examples

Asset: Hardware
Definition: Hardware is the set of physical network and office equipment that carries software and services. They can be divided into three
Number: 21
Component examples: Switches (backbone, branch), routers (backbone, branch), hubs, gateway, cable lines, servers, PC, printer, fax machine, mobile, Kiosks, etc.

Asset: Software
Definition: Software is the set of programs that run on the hardware and support the services. They can be split into two categories, system software and application software
Ownership: Almost all the software are in the charge of IT
Number: 16
Component examples: Office applications, operation system

Asset: Services
Definition: Services are intangible assets that can be delivered to meet the relevant demands of internal staff and citizens.

Asset: Information
Definition: Information is the core asset of the network system. Its loss or leak may lead to severe consequences for all the stakeholders

Asset: People
Definition: People include all the staff of the council (working outside or inside)
Ownership: All the people employed by the council are managed by the department of human resources
Component examples: staffs

Table [2] Assets register

More details of those assets are provided in the Risk Treatment Plan spreadsheet.

4.2. Asset ranking

In the new Sirius Council Borough of Betelgeuse network system, assets have their own characteristics (location, owner, usage, function) and vulnerabilities; therefore they differ in importance to the system. Because capital is limited, not all the assets can be given the best protection. As a result, before the assurance plan is formulated, an asset ranking is required to evaluate and assess the importance of assets. This assessment should be done according to three basic criteria: confidentiality, availability, and integrity.

4.2.1. Hardware (IT infrastructures, network infrastructures and cable lines)

For hardware, the criteria of confidentiality and availability are more important than integrity. For one thing, some hardware should be placed in a secure room so that it can only be accessed by authorised people; otherwise the information stored on it could easily be stolen, modified or damaged. For another, as the basic components of the network system, hardware should be kept working all the time, because malfunctions and damage pose a severe threat to the operation of services and software.

4.2.2. Software (Application software and system software)

For software, the assessment pays more attention to the criteria of integrity and availability. Firstly, to ensure normal operation, the programs and information in software must be 100% accurate and complete; otherwise incorrect or incomplete data may lead to serious results, for example service breakdown and information leakage. Moreover, software should always be available and easy to recover, so that important on-going business in the network system is not interrupted.

4.2.3. Services

Services in this network system are used to maintain communication among internal staff, technical support teams and external customers. As a result, confidentiality and integrity should be used to assess the importance of services. For one thing, data and voice services should be protected from unauthorised login; otherwise the information communicated may be stolen or damaged. For another, to ensure business continuity, all the data in the network service should be correct and 100% complete.

4.2.4. Information


4.2.5. People

Availability and confidentiality are the main criteria for assessing the importance of the people employed by Sirius Council Borough of Betelgeuse. Firstly, some staff can access confidential information easily; therefore those people should be supervised to prevent them from leaking secrets, regardless of whether they are on the job. Moreover, attention should also be paid to availability in terms of people: the council should ensure that the business is not interrupted when council staff leave their jobs.

The importance ranking is given in the following table.

Assets | Average importance | Ranking
Information | 5.0 | 1
Services | 4.4 | 2
Software (System) | 4.0 | 3
Cable lines | 3.8 | 4
Hardware (IT infrastructures) | 3.6 | 5
Software (Application) | 3.4 | 6
Hardware (Network Infrastructures) | 3.3 | 7
People | 3.3 | 7

Table [3] Assets ranking


5. Risk assessments

5.1. Risks

There are many general and Internet threats to the new Sirius Council Borough of Betelgeuse network system. According to ISO/IEC 27005: 2008, some threats come from deliberate human actions, such as Day Zero Attack, unauthorised access, and virus attack. Some are caused by accidental technical errors, such as inaccurate operation, software loophole, ISP error and inaccurate modification. Others derive from the changeable environment, such as pollution, water damage and fire. If ignored, these threats may lead to information leakage or data loss. They have different characteristics and affect the assets of the network system differently. To analyse and assess their impacts, all the potential threats have been classified and summarised in the following table.

Asset | Risk | Environmental risks/Deliberate attacks/Accidental failures
Hardware (Network infrastructures) | DOS Attack | Deliberate attacks
Hardware (Network infrastructures) | Unauthorised Interception and Access | Deliberate attacks
Hardware (Network infrastructures) | Technical Failure (Incorrect configuration) | Accidental failures
Hardware (Network infrastructures) | Physical Damage (Failure) | Environmental risks
Hardware (Network infrastructures) | Equipment Theft | Deliberate attacks
Hardware (Network infrastructures) | ARP Spoofing | Deliberate attacks
Hardware (Cable lines) | Line damage | Accidental failures
Hardware (Cable lines) | ISP Error (Service breakdown) | Accidental failures
Hardware (Cable lines) | Unauthorised Interception | Deliberate attacks
Hardware (IT infrastructures) | Unauthorised Interception and Access | Deliberate attacks
Hardware (IT infrastructures) | Technical Failure (Incorrect configuration) | Accidental failures
Hardware (IT infrastructures) | Physical Damage (Failure) | Environmental risks
Hardware (IT infrastructures) | Equipment Theft | Deliberate attacks
Hardware (IT infrastructures) | Users' Misuse (Restriction ignorance) | Accidental failures
Software (System) | Unauthorised Access (Illegal login and data manipulation) | Deliberate attacks
Software (System) | Malicious Code Attack (Virus, Trojan or other malicious programs) | Deliberate attacks
Software (System) | Day Zero Attack | Deliberate attacks
Software (Application) | Unauthorised Access (Illegal login and data manipulation) | Deliberate attacks
Software (Application) | Malicious Code Attack (Virus, Trojan or other malicious programs) | Deliberate attacks
Software (Application) | Software Loophole (Buffer overflow) | Accidental failures
Services | ISP Error (Service breakdown) | Accidental failures
Services | Loss of Key Personnel | Deliberate attacks
Services | Information Leakage | Accidental failures
Services | Unauthorised Access (Illegal login and data manipulation) | Deliberate attacks
Services | Technical Failure (Incorrect configuration, inaccurate operation) | Accidental failures
Information | Unauthorised Access (SQL injection) | Deliberate attacks
Information | Loss of Document | Accidental failures
Information | Inaccurate Modification | Deliberate attacks
People | Loss of Key Personnel | Deliberate attacks
People | Information Leakage | Accidental failures
People | Inaccurate Operation | Accidental failures

Table [4] Risk summary

5.2. Impact


5.2.1. Importance of asset

To Sirius Council Borough of Betelgeuse, the assets differ in importance. Some assets are very important, for example the relational database management system, which holds much of the core business information. As a result, its damage or information leakage may exert a severe impact on the business of the network system. Conversely, information leakage from a personal computer may affect only a few people and business activities.

5.2.2. Risk severity

Risk severity is another criterion of impact assessment. Threats of varying degrees may lead to different results. Some results are severe, for example those of unauthorised access: hackers can get all the information in the network through unauthorised access, so it has a very serious influence on the network system. By contrast, a software loophole may only affect one computer, and it can be recovered easily.

5.2.3. Probability of occurrence

Although the new Sirius Council Borough of Betelgeuse network system faces many security threats, some of them rarely happen. For example, it is impossible for equipment theft to occur frequently in the system. In contrast, technical errors take place nearly every day. As a result, the impacts of those threats differ.

5.2.4. Impact ranking

The impact ranking of the different assets is given in the following table.

Asset | Average impact | Ranking
Information | 44% | 1
Services | 40% | 2
Software (System) | 39% | 3
Software (Application) | 35% | 4
People | 29% | 5
Hardware (Network infrastructures) | 24% | 6
Hardware (Cable lines) | 24% | 6
Hardware (IT infrastructures) | 22% | 8

Table [5] Impact ranking of different assets


6. Risk treatment and countermeasures

Many risks exist in the new Sirius Council Borough of Betelgeuse network system, and they have a severe influence on system operation. As a result, a risk treatment plan is required to mitigate potential risks. In this plan, security requirements are first analysed on the basis of three basic criteria: confidentiality, availability, and integrity. Then, policies to meet those requirements are formulated according to ISO/IEC 27002: 2005. Finally, corresponding business measures are presented to implement those policies.

Five basic risk solutions can be used in the risk treatment plan.

Acceptance: Some risks are difficult to avoid or the solution is too expensive; therefore the risks have to be accepted and the business in the network system has to live with them.

Prevention: Some risks can be predicted before the disaster occurs; therefore they are likely to be avoided by corresponding artificial measures.

Reduction: Some risks cannot be avoided, but their incidence or damage can be reduced by using relevant solutions.

Transference: Some risks are hard to solve; therefore they have to be transferred to manufacturers or service providers.

Contingency: Some risks rarely occur. They do not need to be cared for.

6.1. Hardware (Network infrastructures)

Components: Network infrastructures comprise ATM Backplane Switches (HAL 8274), ISDX/REALITIS (Voice) Switches, Smaller Switches (HAL 8273), Backbone Hubs, Routers and Novos Gateways.

Security requirement: In terms of network infrastructures, confidentiality and availability are the main security requirements (according to chapter 4.2.1). Common risks of network infrastructures include DOS Attack, Unauthorised Interception and Access, Technical Failure (Incorrect configuration), Physical Damage (Failure), Equipment Theft and ARP Spoofing.

Policies to meet those requirements

Policies: Physical and environmental security, access control (Network access control)

Controls to implement those policies

Controls: Some measures should be taken to reduce the risks of network infrastructures.

1) Network infrastructures should be placed in a secure room (such as DMZ) to avoid theft and unauthorised access. Any access to the infrastructures should be recorded.

2) IT infrastructure and network infrastructures should be placed separately.

3) A firewall should be deployed in the network infrastructures to protect the network from DOS attack and ARP spoofing.

4) Network infrastructures should be configured according to the instruction manual by professional engineers.

5) Standby routers and the relevant configuration should be available for business continuity.

6) Inspections and tests should be conducted regularly by the internal technical support team and external inspectors.

Table [6] Hardware (Network infrastructures) treatment plan

6.2. Hardware (Cable lines)

Components: Fibre Optic (Backbone LAN), Category 5 UTP, 10Base5/10Base2 (LAN), Fibre Optic Link, Digital Leased Circuit (WAN), Dial Up ISDN Digital Circuits (WAN) and ISDT Circuit, and 2Mbps Digital Circuit (WAN) belong to the cable lines group.

Security requirement: Confidentiality and availability are the most important security requirements for cable lines (according to chapter 4.2.1). Common risks to cable lines are Line damage, ISP Error (Service breakdown) and Unauthorised Interception.

Policies to meet those requirements

Policies: Physical and environmental security (Cabling security, equipment maintenance), operation and communication management (Third party service delivery management, network security management)

Controls to implement those policies

Controls: In order to protect cable lines from common risks, the following measures should be taken.

1) Network cables should be placed in a private secure channel, such as a locked room.

2) Power cables and network cables should be kept separate.

3) Electromagnetic shielding should be adopted to avoid interference.

4) Physical inspection and data monitoring should be conducted regularly to prevent unauthorised access.

5) New cables should be installed according to the relevant installation guideline.

6) A backup link should be deployed to ensure business continuity.

7) Contact with Internet service providers should be maintained to avoid unexpected service breakdown.

6.3. Hardware (IT infrastructures)

Components: The components of IT infrastructures include HDK Team/Super Servers, Hardware: Nouvelle Servers, Terminal Servers, (Dumb) Terminals, Printers, Fax Machines, Mobile Telephones, Personal Computers, Information Kiosks and Call Information Logging Equipment.

Security requirement: Like other hardware in this network, IT infrastructures require particular attention to confidentiality and availability (according to chapter 4.2.1). The threats to IT infrastructures comprise Unauthorised Interception, Technical Failure (Incorrect configuration), Physical Damage (Failure), Equipment Theft, Malicious Code Attack (Virus, Trojan, or other malicious programs) and Users' Misuse (Restriction ignorance).

Policies to meet those requirements

Policies: Physical and environmental security, access control (user access management)

Controls to implement those policies

Controls: Some measures should be taken to protect IT infrastructures from security risks.

1) Security responsibilities should be distributed to each department.

2) Some important IT infrastructures, such as servers, should be placed in a secure room (DMZ) to avoid theft and unauthorised access.

3) All the IT infrastructures should be inspected and tested regularly.

4) IT infrastructure should be installed and used according to the instruction manual.

Table [8] Hardware (IT infrastructures) treatment plan

6.4. Software (System)

Components: The system software consists of Nouvelle Netware Operating System, HDK DRS 6000 and HDK Series 39 Mainframe System, PCSoft ScreenFrame YQ, UNIX Operating System and VME Operating System.

Security requirement: System software requires high integrity and availability (according to chapter 4.2.2). Unauthorised Access (Illegal login and data manipulation), Malicious Code Attack (Virus, Trojan or other malicious programs) and Day Zero Attack are the common risks to system software in this network system.

requirements and operations management (Protection against malicious and mobile code)

Controls to implement those policies

Controls: For system software, some measures should be taken to keep the software working and to restrict access to authorised users in order to reduce risks.

1) Users can only access the operating system by using an identifier (user ID), password and authentication servers.

2) All operations involving information, including use of application software, data modification and messaging, should be monitored and recorded.

3) Firewall and anti-virus software should be installed and updated regularly in order to avoid Malicious Code Attack.

4) Systems should be backed up and patched regularly.

5) The connection time of the operating system should be limited. The interaction should be interrupted automatically as soon as the session finishes or times out.

Table [9] Software (System) treatment plan

6.5. Software (Application)

Components: The application software comprises Electronic Mail System, Network Management System (NMS), Document Management Systems (DMS), Geographical Information System (GIS), Document Image Processing (DIP), Relational Database Management Systems, AutoCAD, PCSoft Office, MDIS System, Firefox/FTP and NOVOS Software.

Security requirement: Integrity and availability are the security requirements of application software (according to chapter 4.2.2). Threats to this application software group consist of Unauthorised Access (Illegal login and data manipulation), Malicious Code Attack (Virus, Trojan or other malicious programs) and Software Loophole (Buffer overflow).

Policies to meet those requirements

Policies: Access control (Application and information access control), communication and operations management (Protection against malicious and mobile code, exchanges of information, electronic commerce services)

Controls to implement those policies

Controls: Application software assets have a range of functions. They are widely used in common business; therefore more attention should be paid to their security. To reduce the relevant risks, the following measures should be taken.

1) Application software should be installed according to the installation guideline.

2) Firewall and anti-virus software should be installed and updated

3) Some software can only be accessed by specific users by using usernames, strong passwords or authentication servers.

4) Some business information flows exchanged between communication-related applications (e-mail, voice, documents) should be encrypted with a strong encryption algorithm.

5) The application software should be packed and updated regularly.

6) Some operations (delete, execute, edit and add) concerning important business data should be monitored and recorded.

Table [10] Software (Application) treatment plan

6.6. Services

Components: The services of the network system include Primary Call Handling, Message/Enquiry, Call Centre (Revenue Information, Social Services Direct), Control Centre (Out of Hours, Community Alarm Function), PBX System and Network, and Remote Network Access (ISDN, PSTN and Leased Line).

Security requirement: For services, confidentiality and integrity are the security requirements (according to chapter 4.2.3). Relevant threats to services include ISP Error (Service breakdown), Loss of Key Personnel, Information Leakage, Unauthorised Access (Illegal login and data manipulation) and Technical Failure (Incorrect configuration, inaccurate operation).

Policies to meet those requirements

Policies: Communications and operations management (Third party service delivery management, network security management, exchanges of information, electronic commerce service), access control (Network access control)

Controls: All the services (data and voice) provided by the ISP or Call centre should be protected from information security incidents by the following measures.

1) It is necessary to sign a responsibility agreement with the service providers concerned.

2) Backup and inspection should be done regularly with the help of service providers.

3) Security reports given by service providers should be reviewed regularly.

4) Only authorised users can access internal services (such as Internet service and voice service) by using usernames, strong passwords or authentication servers.

5) Internal services should be supervised to prevent staff from using them for their own business.

6) Internal servers should be backed up and tested regularly.

7) Internal services can be provided to external users by using a virtual private network (VPN).

Table [11] Services treatment plan

6.7. Information

Components: Data Warehouse and Where is IT are the components of the information group.

Security requirement: The security requirements of information include confidentiality, availability, and integrity (according to 4.2.4). Unauthorised Access (SQL injection), Loss of Document and Inaccurate Modification are the common threats to information.

Policies to meet those requirements

Policies: Information systems acquisition, development and maintenance

Controls to implement those policies

Controls: Information, including contracts, licences, databases and source code, is the core asset of the network system. To reduce risks, the following measures should be implemented.

1) The correctness and integrity of input and output data should be checked.

2) Any changes (delete, update, repair, copy, add) concerning classified information and assets should be monitored by the relevant staff and recorded in a log.

3) Confidential data should be encrypted with a strong key for transmission and storage.

4) Security responsibilities should be distributed to specific staff.

5) Backup and inspection should be done regularly.

6) Only authorised users can access data by using usernames, strong passwords or authentication servers.

Table [12] Information treatment plan

6.8. People

Components: People of the network system comprise Telephone Operators, Home-workers, and Central Staffs.

requirements information security awareness, education and training, termination responsibility)

Controls to implement those policies

Controls: In order to ensure the security of this network, some measures concerning employees should be taken when they are newly employed, on the job, and off the job.

1) A confidential policy should be formulated to supervise information/resource usage and avoid information leakage.

2) Staff who can access classified information should comply with the confidential policy.

3) Staff should be trained before they start the job. The training includes two parts: computer and/or network skills training and confidential policy awareness.

4) Assets (smart card, key, memory stick) should be returned to the council when staff leave their jobs.

Table [13] People treatment plan


7. Business continuity

Many threats still exist in the new Sirius Council Borough of Betelgeuse network system. Some of them, for example virus attack, are very likely to happen and would have a huge influence on the network system. As a result, the security assurance plan should be put into practice as soon as possible in order to safeguard the business of the council. The purpose of the business continuity plan is to prevent the business from being interrupted.

In order to keep the plans running effectively in the new Sirius Council Borough of Betelgeuse network system, some measures should be taken at the very beginning. Firstly, because the council's resources are limited, all resources, including budget, time, and manpower, should be distributed reasonably according to the security prioritisation of assets. Moreover, directly responsible individuals or teams, their contacts, and the treatment process should be identified, planned and managed. Beyond this, in order to prevent emergencies and evaluate the treatment plan, rehearsals and tests should be carried out whenever the treatment plan is changed or updated.

7.1. Prioritisation

As can be seen from Table [5], information (contract, database) is the key asset in the new Sirius Council Borough of Betelgeuse network system. The loss of or damage to information assets may have the most serious impact on this network system. As a result, the relevant individuals and teams in charge should pay more attention to the risks and countermeasures of information assets. Beyond this, the remaining assets should also be covered in the business continuity procedure according to their impacts.

7.2. Contacts

To ensure the implementation of the treatment plan, a contacts network should be built at the same time. It should operate over both the telephone and the network system. Additionally, the addresses and contacts of the relevant scenario action teams, service contractors, suppliers, and maintenance companies should be communicated to every user through websites, posters, security lectures, etc. All these measures ensure that users can directly contact the relevant departments in time when a potential safety hazard emerges or a disaster happens in the new Sirius Council Borough of Betelgeuse network system.

Relevant incident response and disaster recovery teams include:

• Network Managers / Managed Network Services Unit (MNSU)

• IT Managers / Computer Services (CS)

• Internet service providers (ISP)

• Software/hardware manufacturers

• CIAN Services

7.3. Incident management


| Scenario Action Teams | Responsibility |
|---|---|
| Network Managers / Managed Network Services Unit (MNSU) | LAN infrastructures, software and services |
| IT Managers / Computer Services (CS) | IT infrastructures (except network) |
| Internet service providers (ISP) | WAN infrastructures, software and services |
| Software/hardware manufacturers | Serious hardware issues and software loopholes |
| CIAN Services | Basic network design issues |

Table [14] Responsibility map

The incident process can be expressed as follows.

1) Internal staff or external users find the incident (such as information leakage, virus attack, physical damage, etc.). They then contact the relevant scenario action teams (CS/MNSU).

2) The scenario action teams arrive at the scene. They then begin to rebuild or recover the infrastructures, software, or services.

3) If the scenario action teams cannot repair the breakdown, they will inform the relevant manufacturers or providers (hardware/software manufacturers, Internet service providers or CIAN Services) to solve the problems.

4) The solution to this incident will be recorded in the log.

5) The assurance plan will be updated to mitigate the risks of the relevant incident.

7.4. Audit

To protect the security of information and reduce risks, an examination should be conducted when:

• Installing new infrastructures, software and services

• Updating software, services, and database

• Recovering from a disaster

Beyond this, a regular examination is required every one/three/six/twelve months to avoid emergencies.

| Impact | Examination cycle |
|---|---|
| 40% < impact | Every month |
| 40% > impact > 20% | Every three/six months |
| impact < 20% | Every twelve months |


More details of the audit plan are available in the Risk Treatment Plan spreadsheet.

7.5. Business continuity plan

Hardware (Network infrastructures)

Business importance

Situation Prevention Recovery/Resumption Contingency

Hardware


People 5 Loss of staffs

Improve human resource management Employ reserved staffs

Employ and train new staffs

Reinstating retired or dismissed staffs


8. Disaster recovery

It is impossible to avoid or prevent all the threats in the new Sirius Council Borough of Betelgeuse network system; therefore, a disaster recovery plan is required to deal with emergency incidents. It must be ensured that the basic functions of the network system can be recovered as soon as possible. In fact, according to the risk assessment plan, some disasters have only a slight impact on the normal operation of this network system, for example, a software loophole on a personal computer. As a result, the relevant scenario action teams can be given a long time to address the problem. On the other hand, some assets (i.e. the relational database management system) are the core of the network system. Once they go wrong (breakdown or loss), the whole or part of the business in the council will stop working. That is a real disaster. As a consequence, a recovery plan is required to mitigate the loss caused by the disaster. According to ISO/IEC 27002, there are two basic methods to deal with disasters: relocation and rebuilding.

8.1. Instructions for relocation

This method is often used to recover from a foreseeable disaster, for example, route failure, services breakdown, and technical failure. The advantage of this method is that once an error occurs in the network system, the interrupted business can be recovered immediately without any manual work. However, it is sometimes only a temporary solution. More specifically, two relocation technologies can be adopted in the new Sirius Council Borough of Betelgeuse network system.

Backup: This technology is often adopted for logical assets, such as services, software and database. It helps users copy important documents into a spare storage that is separate from current operations. Once a breakdown happens in the network system, all the data stored in that storage can be copied into the current network.

Re-route: This technology is often used for network infrastructures, such as routers, switches, cable lines, etc. The core function of the technology is to reroute data to other network infrastructures when a single point of failure occurs in the network.

8.2. Rebuilding the information system

If the network system cannot be recovered by backup or re-route, it can only be recovered by rebuilding. Compared to relocation, rebuilding is not a temporary solution. In fact, it can


9. User training and awareness

It is necessary to provide training to all the new users and managers of the new Sirius Council Borough of Betelgeuse network system, especially to the internal staff (including teleworkers, technical support teams, and core staff), because all the staff of the council are responsible for protecting the information assets. The training can be divided into two parts: computer and/or network skills training and confidential policy awareness.

9.1. Acceptable use

9.1.1. Computer and/or network skills training

Different new staff need to master different computer or network skills. Common staff should only be taught some basic operation methods of software (Office, firewall, e-mail, etc.), hardware (printer, fax machine, PBX), and network (ADSL, Voice). However, technical staff who work in the Managed Network Services Unit (MNSU) or Computer Services (CS) should be taught more professional skills, to help them install, manage, and repair network infrastructures, IT infrastructures, software, database, and services.

9.1.2. Confidential policy awareness

Besides computer and network skills, staff of the council should be aware of the confidential policy. It is implemented to protect the information of the network system. Some core items of the policy are as follows.

• All the tangible and intangible assets (including software, hardware, services, information, human resources) in the network system belong to Sirius Council Borough of Betelgeuse. They cannot be used for personal business.

• For confidential information, any operation (access, modify, update, and delete) should be conducted and recorded according to the relevant confidential policy.

• Confidential information of the network system can only be accessed, modified, updated, and deleted by the relevant authorised staff. Any other operations conducted by unauthorised staff are illegal.

• Staff cannot transfer confidential information to unauthorised people, regardless of whether they are on the job.

The policy will be supervised by disciplined staff. Any violation will be punished.

9.2. Enforcement


10. Quality Assurance regime

In order to ensure the quality of this assurance plan for the new Sirius Council Borough of Betelgeuse network system, examinations should be carried out periodically or whenever a significant change occurs. The examinations involve many activities, such as document analysis, user interviews, questionnaires, and physical inspection. The examinations should determine:

• Whether all the vulnerabilities of the network system have been identified

• Whether the assurance plan can be implemented properly and correctly

• Whether the risks to the network system can be decreased and mitigated

All the activities can be classified into four categories: reviews, inspections, audits and testing.

10.1. Reviews

Review is an important process of the quality assurance regime. It should be done periodically by the internal technical team. The purpose of reviews is to summarise previous experience and assess opportunities for updating information security management. As a result, it is often conducted on the basis of documents (such as previous security reviews, users' feedback, security management reports, and security incident reports) or interviews (face-to-face interviews with internal staff and external users).

10.2. Inspections

Compared to a review, an inspection is more formal and structured. It is often conducted periodically according to the relevant policies of the security assurance plan. Since the inspection is not related to confidential information, it can be conducted by specific inspection teams or third parties. The targets of the inspections include IT/network infrastructures and software, service, information, and employees.

10.3. Audits

To ensure the implementation of the security assurance plan, some auditors should be trained to supervise and record all the activities that involve information, including equipment installation/update/access, software usage/update, database access/modification/deletion, services usage, and personnel change. The audit reports can be used to update the information security management and revise the information security plan.

10.4. Testing


11. Coursework Submission Form

By submitting your coursework you are making the following declarations (please read them):

Declarations:

1. I confirm that this is my own work and that use of materials from other sources has been properly and fully acknowledged in the coursework submission.

2. I confirm that this work has not been submitted either partly or wholly for any other assignment.

3. I confirm that the submitted work has been created exclusively by me and that I have not been assisted nor have copied part or all of somebody else's work, either with their explicit approval or without their knowledge and consent.

4. I confirm that I have read a copy of the current University regulations and notes on coursework and academic malpractice, including plagiarism, and that I fully understand the meaning of these terms.

5. I confirm that the information I have given is correct to the best of my knowledge.

6. I agree that any work I submit may be screened (including electronically and by other means) for Academic Malpractice, using internal and/or external detection systems, to check against any appropriate other material, including but not limited to other submitted work and material on the web. I understand that a case of suspected Academic Malpractice may proceed at any time during or after my degree programme.

7. I agree that the University may make, and may authorise third parties to make, copies of any work submitted by me for assessment but only for the following purposes:

a. assessment of my work;

b. comparison with databases of earlier answers or works or other previously available works to confirm there is no plagiarism;

c. addition to databases of works used to ensure that future works submitted at this institution and others are not subject to plagiarism from my work.

d. for the University to include my work in any public archives of academic work which it may maintain, under the University Copyright and Intellectual Property regulations applied to such work.

The University will not make any more copies than are necessary for these purposes, will only use copies made for these purposes and will only retain such copies as remain necessary for those purposes. Where copies are made and retained for the purposes identified in clauses (b) and (c) above, it shall ensure that no personal data is made available to any third party.

I may request, in writing before submitting my work, that the University does not use my submission for one or more of purposes 5(b)-(d), giving full reasons for the request.

Signature: Gang Yang

Student name: Gang Yang

Student number: 7661449

Module COMP61421 Computer and Network Security
