Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

More documents

Recommendations

Info

3.5. Media handling and security [8.6] Clause 8.6 asks that all media should be controlled and protected from theft and unauthorised access. 3.6. Management of removable media [8.6.1 (a) (b)] There should be procedures for the management of removable computer media. RDP was designed specifically to offer this type of management control. All media must be authorised for use which will necessitate a content scan using either a third party anti-virus product or RDP’s own content scanner. It may indeed require both of these scans to be performed. Once authorised for use, an audit trail can be kept of all files stored on the device. Fig. 6 shows one event from a removable media log file. Fig. 6 You will note that there is a unique ID number, time, operation, host name (PC), process, file name, and user name recorded. Protecting the media’s contents from unauthorised access is achieved by making the policy dictate that all removable media should be encrypted, as discussed in section 2. © Reflex Magnetics Ltd 12
3.7. Disposal of media [8.6.2 (a)] Safe disposal of media is required where sensitive information may have been recorded on that media. The standard talks of incineration or shredding to provide this protection. However, with a policy enforced by RDP of encryption of removable media, this will negate the need to securely erase or incinerate the media to achieve the desired level of protection. 3.8. Exchanges of information and software [8.7] The objective here is to prevent loss, modification or misuse of information exchanged between organisations. 3.9. Security of media in transit [8.7.2 (c)] Information can be vulnerable to unauthorised access or misuse during physical transport. The use of encryption when applied to information in transit will obviate this concern. 4. Access control [9] “Access to information and business processes should be controlled on the basis of business and security requirements. This should take account of policies for information dissemination and authorisation.” 4.1. Event logging [9.7.1 (a) (b) (c) (e)] The standard requires audit logs to be produced and kept for exceptions and other security related events. RDP is able to audit all of its monitored and controlled areas, such as removable media management, unauthorised attempts to introduce new software and any attempted malicious code activity. These log files include all of the following information; user ID, date and time, type of event, and files accessed or copied. Where devices are forbidden or blocked, any failed attempt to connect is also recorded, including this detailed information. 4.2. Mobile computing and teleworking [9.8] When considering mobile computing or teleworking, the standard requires that the protection be commensurate with the risks these specific was of working cause. RDP’s use of profile templates to set the security level for any particular authorised user, works particularly well in the case of mobile or teleworking. If the computer is mobile and not connected to the organisations network when the user logs on, they will receive the last known profile template as their security control. If this template has been corrupted in anyway then a default “lock down” template would apply. Updates to the profile template in force can be achieved by importing a new template file, although this would need administrator rights. All audit information will be stored locally and transferred when the computer next connects to the network. © Reflex Magnetics Ltd 13
Page 1 and 2: Using Reflex Disknet Pro to Aid Com
Page 3 and 4: 6.1. SOFTWARE COPYRIGHT [12.1.2.2]
Page 5 and 6: Meeting and Retaining the Standard
Page 7 and 8: From within the RDP administration
Page 9 and 10: RDP through the use of it’s Progr
Page 11: that make use of the products zero
Page 15 and 16: 5.4. Change control procedures [10.

Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

Create successful ePaper yourself

Delete template?

Save as template?