Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

More documents

Recommendations

Info

For teleworkers who normally connect via a VPN to the organisations network, their profile template will be delivered in the usual way. Dynamic updates to this profile template can also be achieved as though the computer was connected locally. 5. Systems development and maintenance [10] This clause deals with the security of the system itself, but not limited to the operating system and those applications that run on it. 5.1. Policy on the use of cryptographic controls [10.3.1] Where an organisation has developed a policy on the use of cryptographic controls these will need to be managed. RDP makes management of a cryptographic policy with regard to removable media very simple. The most onerous part of implementing cryptography is the management of crypto keys. RDP’s Encryption Policy Manager takes care of this aspect automatically. Once the policy has been invoked, any user accessing removable media will have a key pair produced for them without the need to ask. Should the user be part of a larger group who need to be able to share information stored on the removable media, group keys will also be added to facilitate this. Additionally a management escrow key will also be used so that management can access any data encrypted by the system. Users are authenticated by their operating system logon (user ID and password). In this way no further passwords are required by the system, unless the user has been granted the ability to access stored information on an encrypted device off-line. In this case the user will be prompted to choose and enter a password. Rules concerning password quality are also set by EPM and are viewable by users. All technical aspects of the encryption process such as algorithm used and key length are hard coded by the system, using industry standards. 5.2. Security of system files [10.4] Access to system files should be controlled. By maintaining system file integrity, a degree of confidence can be assumed. By implementing RDP’s Program Security Guard (PSG) all existing system executable files are locked as “read only” and therefore can not be modified or replaced by anyone but the designated system administrator. 5.3. Control of operational software [10.4.1 (a) (c)] Controls should be in place to allow only nominated personnel the freedom to update operational program libraries, and furthermore, executable code should not be allowed on to an operational system until it has been tested and authorised. PSG can be used to enforce this policy. © Reflex Magnetics Ltd 14
5.4. Change control procedures [10.5.1] Formal change control procedures should be enforced according to the standard. By locking the current configuration with regard to existing executable code, PSG achieves this enforcement. To aid systems maintenance, PSG has the ability to be instructed to allow certain processes exemption from its control. In this way, a system administrator can use software deployment tools to update existing software or install new packages whilst PSG is active. 5.5. Covert channels and Trojan code [10.5.4 (e)] The standard requires control of installed code to prevent modification of this code and checks to be in place for covert channels where Trojan code may be introduced. PSG can be used again to afford a level of assurance that existing executable code cannot be modified, and since the introduction on new executable code is also blocked, even a covert route for Trojan introduction will be blocked. 6. Compliance [12] This clause covers compliance with any criminal and civil law, statutory, regulatory or contractual. 6.1. Software copyright [12.1.2.2] Maintaining software licenses can be an onerous task unless there are measures in place to prevent users from installing software. The task of auditing what is actually installed across an organisation’s PCs can be never ending. By utilising the PSG module within RDP, an organisation can be certain that users are unable to introduce any new software without the permission of the system administrator. 6.2. Compliance with security policy [12.2.1 (d)] Ensuring compliance with this standard is for the most part a procedural one, unless some form of enforcement can be utilised. This document has sought to show how Reflex Disknet Pro software can be used to enforce policy. It is not a replacement for that policy and cannot be correctly installed and configured without reference to a security policy. However, having both a policy and an enforcement element ensures not just compliance but also an uniformed approach. Summary The desire to meet ISO/IEC 17799:2000 is a very worthy one. The challenge is that once an organisation achieves this standard, how best to maintain it. The policy that you have written will go a long way to helping you but it is the nature of human © Reflex Magnetics Ltd 15
Page 1 and 2: Using Reflex Disknet Pro to Aid Com
Page 3 and 4: 6.1. SOFTWARE COPYRIGHT [12.1.2.2]
Page 5 and 6: Meeting and Retaining the Standard
Page 7 and 8: From within the RDP administration
Page 9 and 10: RDP through the use of it’s Progr
Page 11 and 12: that make use of the products zero
Page 13: 3.7. Disposal of media [8.6.2 (a)]

Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...

Create successful ePaper yourself

Delete template?

Save as template?