Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC 17799:2000

A whitepaper by Reflex Magnetics Ltd.

Contents

INTRODUCTION
EXECUTIVE OVERVIEW
MEETING AND RETAINING THE STANDARD
1. ASSET CLASSIFICATION AND CONTROL [5]
1.1. INVENTORY OF ASSETS – PHYSICAL ASSETS [5.1.1 (C)]
2. PHYSICAL AND ENVIRONMENTAL SECURITY [7]
2.1. SECURITY OF EQUIPMENT OFF-PREMISES [7.2.5 (A) & (C)]
2.2. SECURE DISPOSAL OR RE-USE OF EQUIPMENT [7.2.6]
3. COMMUNICATIONS AND OPERATIONS MANAGEMENT [8]
3.1. OPERATIONAL CHANGE CONTROL [8.1.2]
3.2. INCIDENT MANAGEMENT PROCEDURES [8.1.3 (A) (B) (C)]
3.3. PROTECTION AGAINST MALICIOUS SOFTWARE [8.3]
3.4. CONTROLS AGAINST MALICIOUS SOFTWARE [8.3.1 (A) (B) (E) (F)]
3.5. MEDIA HANDLING AND SECURITY [8.6]
3.6. MANAGEMENT OF REMOVABLE MEDIA [8.6.1 (A) (B)]
3.7. DISPOSAL OF MEDIA [8.6.2 (A)]
3.8. EXCHANGES OF INFORMATION AND SOFTWARE [8.7]
3.9. SECURITY OF MEDIA IN TRANSIT [8.7.2 (C)]
4. ACCESS CONTROL [9]
4.1. EVENT LOGGING [9.7.1 (A) (B) (C) (E)]
4.2. MOBILE COMPUTING AND TELEWORKING [9.8]
5. SYSTEMS DEVELOPMENT AND MAINTENANCE [10]
5.1. POLICY ON THE USE OF CRYPTOGRAPHIC CONTROLS [10.3.1]
5.2. SECURITY OF SYSTEM FILES [10.4]
5.3. CONTROL OF OPERATIONAL SOFTWARE [10.4.1 (A) (C)]
5.4. CHANGE CONTROL PROCEDURES [10.5.1]
5.5. COVERT CHANNELS AND TROJAN CODE [10.5.4 (E)]
6. COMPLIANCE [12]
6.1. SOFTWARE COPYRIGHT [12.1.2.2]
6.2. COMPLIANCE WITH SECURITY POLICY [12.2.1 (D)]
SUMMARY

© Reflex Magnetics Ltd

Introduction

Just like any other business asset, information has a value, and consequently we should as organisations look at protecting that most valuable of assets. Having a recognised standard to work toward is both desirable and effective, since compliance with a recognised standard will clearly identify to others that you have seriously considered the subject in question. The ISO (International Organisation for Standardisation) and the IEC (International Electrotechnical Commission) form the specialised system for worldwide standardisation. Numerous national bodies make up the membership of these organisations, developing and publishing internationally recognised standards. Gaining accreditation to BS 7799 or ISO/IEC 17799:2000 is fast becoming the accepted minimal standard for Information Security.

More and more companies are demanding that their suppliers and partners become compliant, thereby indicating that they have taken credible steps to implement information security. Why is information security required, and what is causing so many organisations to sign up to this standard? Confidentiality, integrity and availability of information are probably the main drivers, which are directly linked to competitive edge, cash-flow, profitability, legal compliance and not least commercial image.

Executive Overview

Since BS 7799 was converted into the international standard ISO/IEC 17799:2000 it has become almost a prerequisite when implementing information security. This standard, or code of practice, covers all aspects of IT, including such elements as Security Policy, Organisational Security, Physical and Environmental Security, Systems Development and Maintenance, and Business Continuity Management.

The standard is divided into twelve main sections, each section sub-divided to allow all aspects of this vast subject to be considered. For any organisation either looking to implement this standard, or that has already attained accreditation and needs to remain compliant, Reflex Disknet Pro offers a software solution that will enforce policy in six of the twelve main areas:

• Asset classification and control
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Compliance

Investment in information security and its formal acknowledgement via ISO 17799 accreditation is not to be taken lightly. Notwithstanding the benefits already described above, any product which is capable of offering support of this standard, whilst in itself providing further benefits in enforcing policy and security in a uniform and manageable way, is worthy of consideration. The remaining pages of this document illustrate how Reflex Disknet Pro delivers just that.

Meeting and Retaining the Standard

What follows is a description of various aspects of the standard, each with an explanation of how Reflex Disknet Pro (RDP) addresses it. Screen shots have been included for completeness; however, it is not essential that the reader have a thorough knowledge of RDP. Reviewing this document will give the reader an understanding of how RDP can be used to achieve this compliance.

RDP is a software product that is constructed around a client/server architecture. The client element is installed on all PCs connected to the network. These PCs can be removed from the network, as in the case of a mobile user, and still be part of the security shield that RDP provides. The server element communicates with the client and pushes security profiles onto the client PCs. It also receives audit information and security alerts from the client. Management of this software is conducted through a Microsoft Management Console (MMC), which can be sited either on the server machine or on any other PC connected to the network. This software itself has been submitted for Common Criteria accreditation (http://csrc.nist.gov/cc/).

To aid reference with ISO/IEC 17799, each aspect discussed below will have the relevant numbering convention of that standard in brackets after the section heading.

1. Asset classification and control [5]

By identifying assets and nominating an owner who will have responsibility for that asset, it is possible to assign an appropriate level of control.

1.1. Inventory of assets – physical assets [5.1.1 (c)]

Magnetic media and other removable storage devices can be accounted for using RDP by implementing the Removable Media Manager. This control mechanism identifies individual devices and will either allow or deny access to them, dependent on the policy in force for that particular user. If the policy allows access to the device, there is a process of authorisation that must be undertaken.

Fig. 1

All requests to access any removable memory device will first be checked against the policy in force. If access is possible, the device is checked for a unique RDP identifier. If this is not present, the authorisation mode commences. This may include the scanning of the device with a third party anti-virus tool to check for known viruses and/or a scan of the device with RDP’s own content scanner. This content scanner is used to ensure that only data can be imported. It can be configured further to ban particular data file types, such as .MP3 for instance.

From within the RDP administration management console a security profile can be built to apply to a user, or more usually a group of users. By selecting “Profile Templates” a range of policy decisions can be enforced. Fig. 1 above shows the Removable Media Manager tab from within the profile template of a “standard user”.

2. Physical and environmental security [7]

This section deals with unauthorised access, damage and interference to business premises and information. RDP addresses issues raised under clause 7.2 Equipment security.

2.1. Security of equipment off-premises [7.2.5 (a) & (c)]

The standard maintains that “regardless of ownership, the use of equipment outside an organisation’s premises for information processing should be authorised by management. The security provided should be equivalent to that for on-site equipment used for the same purpose, taking into account the risks of working outside of the organisation’s premises.”

RDP ensures that the security profile template in force when that equipment (PC/laptop) was last used inside the organisation’s premises will apply to the equipment when used outside of the premises. If the PC/laptop was never connected to the network, where a security profile template would be automatically applied, and never had a security profile template specifically imported onto it, then the default “lock-down” template would apply. In this way, controls can be applied to mobile workers consistent with those controls that apply to members of the organisation’s LAN.

This clause also raises the issue of media left unattended. The risk here is unauthorised access to information. It is essential that the information contained on the local hard disk of the PC/laptop be protected, either by access control mechanisms or encryption. Equally, the security of removable media needs to be addressed, especially since modern portable storage devices can hold vast amounts of data. The 2Gig memory stick is a reality.

RDP manages this risk by providing a centrally managed encryption system. Users and groups can be automatically supplied with keys to encrypt and decrypt all information stored on removable devices. Fig. 2 below shows the EPM (Encryption Policy Manager) tab from within the profile template. Using the options on this tab, an administrator can create a policy where all removable media is encrypted by default. Segregation of information can also be achieved by dictating whether the user can view information written by another user.

The system also allows off-line access to encrypted information via the input of the user’s personal password, where desirable. This is achieved without the need to install any additional software on the host machine.

Fig. 2

2.2. Secure disposal or re-use of equipment [7.2.6]

The issue of secure disposal is covered by this clause. Both sensitive data and licensed programs should be rendered inaccessible when no longer required. The standard advises that overwriting and removal be used. However, the EPM option above (Fig. 2) can also be used to put this information beyond the reach of unauthorised users. If the contents of a disposed memory device are encrypted, it is more secure than just overwriting the data.

3. Communications and operations management [8]

One of the largest sections of the standard covers all operational issues concerning information processing. RDP can be used to enforce nine of the sub-clauses.

3.1. Operational change control [8.1.2]

This clause states, amongst other things, “inadequate control of changes to information processing facilities and systems is a common cause of system or security failures. Formal management responsibilities and procedures should be in place to ensure satisfactory control of all changes to equipment, software or procedures.”

RDP, through the use of its Program Security Guard (PSG), can enforce the policy of preventing change to installed software and software configuration. It will also prevent new unauthorised software from being installed.

Fig. 3

Fig. 3 shows the PSG tab from within the profile template. PSG, when activated as part of a user profile, will by default effectively lock all executable files as read only, and prevents new executable code from being introduced by the user. Additional file types can be added to the default list of protected files using the “Unsafe file types” configure button.

3.2. Incident management procedures [8.1.3 (a) (b) (c)]

This clause requires procedures to be established to ensure a quick, effective and orderly response to security incidents.

RDP makes use of an alerting system for specific security incidents monitored by the software. The system allows for any of the specified events (see Fig. 4) to be added to an audit log. When used in conjunction with the “Alerts” mode within the management console, this can generate an email alert to be sent to the system administrator or other designated personnel.

Fig. 4

By initiating an immediate log of the event and also activating an email alert (Fig. 5) to designated personnel, security incidents can be dealt with immediately.

All monitored events are added to a security log on the local PC/laptop that is periodically synchronised with a central audit log. This audit log records a unique ID log number, time, the event name, whether an alert was issued, user name, host name (PC), source and message. Since audit logs by nature have a habit of growing in size very quickly, filtering is also supplied so that specific events, or incidents for a specific user or group, can be viewed.

3.3. Protection against malicious software [8.3]

This clause deals with protection from computer viruses, network worms, Trojan horses and logic bombs, collectively referred to as malware. Malware at worst has the ability to destroy or alter software and information. Even in its most benign form, it can disrupt systems by replicating and sending automated emails to those addresses stored in the host computer’s address book. Anti-virus software can be used to detect known viruses and, if kept regularly up to date (effectively this means daily at the very least), performs reasonably. However, there is always the “window of opportunity” between when a new virus or worm is released into the world and when the anti-virus companies issue an update to their products that will recognise it. Protection for this period has become known as “zero day” protection, and is considered by some as the “Holy Grail” with regard to anti-virus research. RDP has the potential to offer zero day protection. Indeed, Reflex Magnetics Ltd have clients that make use of the product’s zero day protection capabilities and report no virus infections. Logic bombs present a real problem for anti-virus software since a logic bomb can be targeted at a particular organisation. Therefore, the first people to see this malicious code will be the target, and as such their anti-virus software will not recognise the attack. RDP’s zero day protection will also help to combat this threat.

Fig. 5

3.4. Controls against malicious software [8.3.1 (a) (b) (e) (f)]

The standard requires that a formal policy exists requiring compliance with software licences, prohibiting the use of unauthorised software, and protecting against the risks associated with obtaining files and software from or via external networks, or on any other medium. RDP can be used to absolutely enforce such a policy. By selecting the PSG option, which prevents the addition of any new executable files whilst locking the currently installed executable files as “read only”, software licensing is maintained, since no new software can be installed without the permission of the system administrator. It does not matter where these types of file are intended to be introduced; they will be blocked. Non-executable files can be subjected to a virus scan as an added precaution before the media on which they are stored is authorised for use. This will include the checking of email attachments. The PSG tab from within the profile template can be viewed at Fig. 3.

3.5. Media handling and security [8.6]

Clause 8.6 asks that all media should be controlled and protected from theft and unauthorised access.

3.6. Management of removable media [8.6.1 (a) (b)]

There should be procedures for the management of removable computer media. RDP was designed specifically to offer this type of management control. All media must be authorised for use, which will necessitate a content scan using either a third party anti-virus product or RDP’s own content scanner. It may indeed require both of these scans to be performed. Once authorised for use, an audit trail can be kept of all files stored on the device. Fig. 6 shows one event from a removable media log file.

Fig. 6

You will note that there is a unique ID number, time, operation, host name (PC), process, file name, and user name recorded.

Protecting the media’s contents from unauthorised access is achieved by making the policy dictate that all removable media should be encrypted, as discussed in section 2.

3.7. Disposal of media [8.6.2 (a)]

Safe disposal of media is required where sensitive information may have been recorded on that media. The standard talks of incineration or shredding to provide this protection. However, a policy enforced by RDP of encrypting removable media will negate the need to securely erase or incinerate the media to achieve the desired level of protection.

3.8. Exchanges of information and software [8.7]

The objective here is to prevent loss, modification or misuse of information exchanged between organisations.

3.9. Security of media in transit [8.7.2 (c)]

Information can be vulnerable to unauthorised access or misuse during physical transport. The use of encryption when applied to information in transit will obviate this concern.

4. Access control [9]

“Access to information and business processes should be controlled on the basis of business and security requirements. This should take account of policies for information dissemination and authorisation.”

4.1. Event logging [9.7.1 (a) (b) (c) (e)]

The standard requires audit logs to be produced and kept for exceptions and other security related events.

RDP is able to audit all of its monitored and controlled areas, such as removable media management, unauthorised attempts to introduce new software and any attempted malicious code activity. These log files include all of the following information: user ID, date and time, type of event, and files accessed or copied. Where devices are forbidden or blocked, any failed attempt to connect is also recorded, including this detailed information.

4.2. Mobile computing and teleworking [9.8]

When considering mobile computing or teleworking, the standard requires that the protection be commensurate with the risks these specific ways of working cause.

RDP’s use of profile templates to set the security level for any particular authorised user works particularly well in the case of mobile computing or teleworking. If the computer is mobile and not connected to the organisation’s network when the user logs on, they will receive the last known profile template as their security control. If this template has been corrupted in any way then a default “lock down” template would apply. Updates to the profile template in force can be achieved by importing a new template file, although this would need administrator rights. All audit information will be stored locally and transferred when the computer next connects to the network.

For teleworkers who normally connect via a VPN to the organisation’s network, their profile template will be delivered in the usual way. Dynamic updates to this profile template can also be achieved as though the computer was connected locally.

5. Systems development and maintenance [10]

This clause deals with the security of the system itself, including, but not limited to, the operating system and those applications that run on it.

5.1. Policy on the use of cryptographic controls [10.3.1]

Where an organisation has developed a policy on the use of cryptographic controls, these will need to be managed.

RDP makes management of a cryptographic policy with regard to removable media very simple. The most onerous part of implementing cryptography is the management of crypto keys. RDP’s Encryption Policy Manager takes care of this aspect automatically. Once the policy has been invoked, any user accessing removable media will have a key pair produced for them without the need to ask. Should the user be part of a larger group who need to be able to share information stored on the removable media, group keys will also be added to facilitate this. Additionally, a management escrow key will also be used so that management can access any data encrypted by the system.

Users are authenticated by their operating system logon (user ID and password). In this way no further passwords are required by the system, unless the user has been granted the ability to access stored information on an encrypted device off-line. In this case the user will be prompted to choose and enter a password. Rules concerning password quality are also set by EPM and are viewable by users.

All technical aspects of the encryption process, such as the algorithm used and key length, are hard coded by the system, using industry standards.

5.2. Security of system files [10.4]

Access to system files should be controlled. By maintaining system file integrity, a degree of confidence can be assumed.

By implementing RDP’s Program Security Guard (PSG), all existing system executable files are locked as “read only” and therefore cannot be modified or replaced by anyone but the designated system administrator.

5.3. Control of operational software [10.4.1 (a) (c)]

Controls should be in place to allow only nominated personnel the freedom to update operational program libraries, and furthermore, executable code should not be allowed onto an operational system until it has been tested and authorised. PSG can be used to enforce this policy.

5.4. Change control procedures [10.5.1]

Formal change control procedures should be enforced according to the standard. By locking the current configuration with regard to existing executable code, PSG achieves this enforcement.

To aid systems maintenance, PSG can be instructed to allow certain processes exemption from its control. In this way, a system administrator can use software deployment tools to update existing software or install new packages whilst PSG is active.

5.5. Covert channels and Trojan code [10.5.4 (e)]

The standard requires control of installed code to prevent modification of this code, and checks to be in place for covert channels where Trojan code may be introduced. PSG can be used again to afford a level of assurance that existing executable code cannot be modified, and since the introduction of new executable code is also blocked, even a covert route for Trojan introduction will be blocked.

6. Compliance [12]

This clause covers compliance with any criminal and civil law, statutory, regulatory or contractual obligations.

6.1. Software copyright [12.1.2.2]

Maintaining software licenses can be an onerous task unless there are measures in place to prevent users from installing software. The task of auditing what is actually installed across an organisation’s PCs can be never ending.

By utilising the PSG module within RDP, an organisation can be certain that users are unable to introduce any new software without the permission of the system administrator.

6.2. Compliance with security policy [12.2.1 (d)]

Ensuring compliance with this standard is for the most part a procedural matter, unless some form of enforcement can be utilised.

This document has sought to show how Reflex Disknet Pro software can be used to enforce policy. It is not a replacement for that policy and cannot be correctly installed and configured without reference to a security policy. However, having both a policy and an enforcement element ensures not just compliance but also a uniform approach.

Summary

The desire to meet ISO/IEC 17799:2000 is a very worthy one. The challenge, once an organisation achieves this standard, is how best to maintain it. The policy that you have written will go a long way to helping you, but it is the nature of human beings that they will require more tangible methods of guidance. Security software such as Reflex Disknet Pro is, we believe, worthy of consideration for this task. As an enforcer it will sit quietly in the background, not troubling the user unless they try to do something that they should not. At that point, clear and precise messaging can be displayed informing the user of the problem, and an audit record will be recorded. When the area of malicious code is considered, this software acts as an excellent backstop for your chosen anti-virus product. With true zero day protection in place, RDP will keep hostile code off your network.

Further information about Reflex Disknet Pro or Reflex Magnetics can be found at www.reflex-magnetics.com or by contacting one of the following email addresses: enquires@reflex-magnetics.com or sales@reflex-magnetics.com.