Using Reflex Disknet Pro to Aid Compliance with BS 7799 & ISO/IEC ...
For teleworkers who normally connect via a VPN to the organisation's network, their
profile template will be delivered in the usual way. Dynamic updates to this profile
template can also be achieved as though the computer was connected locally.

5. Systems development and maintenance [10]

This clause deals with the security of the system itself, including but not limited to the
operating system and those applications that run on it.

5.1. Policy on the use of cryptographic controls [10.3.1]

Where an organisation has developed a policy on the use of cryptographic controls
these will need to be managed.

RDP makes management of a cryptographic policy with regard to removable media
very simple. The most onerous part of implementing cryptography is the
management of crypto keys. RDP’s Encryption Policy Manager takes care of this
aspect automatically. Once the policy has been invoked, any user accessing
removable media will have a key pair produced for them without the need to ask.
Should the user be part of a larger group who need to be able to share information
stored on the removable media, group keys will also be added to facilitate this.
Additionally a management escrow key will also be used so that management can
access any data encrypted by the system.

Users are authenticated by their operating system logon (user ID and password). In
this way no further passwords are required by the system, unless the user has been
granted the ability to access stored information on an encrypted device off-line. In
this case the user will be prompted to choose and enter a password. Rules
concerning password quality are also set by EPM and are viewable by users.

All technical aspects of the encryption process such as algorithm used and key
length are hard coded by the system, using industry standards.

5.2. Security of system files [10.4]

Access to system files should be controlled. By maintaining system file integrity, a
degree of confidence can be assumed.

By implementing RDP’s Program Security Guard (PSG) all existing system
executable files are locked as “read only” and therefore cannot be modified or
replaced by anyone but the designated system administrator.

5.3. Control of operational software [10.4.1 (a) (c)]

Controls should be in place to allow only nominated personnel the freedom to update
operational program libraries, and furthermore, executable code should not be
allowed onto an operational system until it has been tested and authorised.

PSG can be used to enforce this policy.

© Reflex Magnetics Ltd