Reinforcing Your Network Security: Taking Personal Responsibility By Mark Merkow, CCP, CISSP
March 10, 2000
A second security goal of configuration management is ensuring that changes to the system are reflected in other documentation, such as the contingency plan. If the change is major, it may be necessary to reanalyze
some or all of the security of the system.
Backups
Support and operations personnel -- and sometimes users -- back up software and data. This function is critical to contingency planning. The frequency of backups will depend upon how often data changes and how important those changes are. Also, as a safety measure, it is useful to test that backup copies are actually usable. Finally, backups should be stored securely, as appropriate.
Users of smaller systems are often responsible for their own backups. However, in reality, they do not always perform backups regularly. In some organizations, support personnel are charged with making backups periodically for smaller systems, either automatically (through server software) or manually (by visiting each machine).
Media Controls
Media controls include a variety of measures to provide physical and environmental protection and accountability for tapes, diskettes, CDs, Zip Disks, printouts, and other media. From a security perspective, media controls should be designed to prevent the loss of confidentiality, integrity, or availability of information, including data or software, when stored outside the system. This can include storage of information before it is input to the system and after it is output.
The extent of media control depends upon many factors, including the type of data, the quantity of media, and the nature of the user environment. Physical and environmental protection is used to prevent unauthorized individuals from accessing the media. It also protects against such factors as heat, cold, or harmful magnetic fields. When necessary, logging the use of individual media (e.g., a tape cartridge) provides detailed accountability -- to hold authorized people responsible for their actions.
Marking
Controlling media may require some form of physical labeling. The labels can be used to identify media with special handling instructions, to locate needed information, or to log media (e.g., with serial/control numbers or bar codes) to support accountability. Identification is often by colored labels on diskettes or tapes or banner pages on printouts.
If labeling is used for special handling instructions, it is critical that people are appropriately trained. The marking of PC input and output is generally the responsibility of the user -- not the system support staff. Marking backup diskettes can help prevent them from being accidentally overwritten.
Logging
The logging of media is used to support accountability. Logs can include control numbers (or other tracking data), the times and dates of transfers, names and signatures of individuals involved, and other relevant information. Periodic spot checks or audits may be conducted to determine that no controlled items have been lost and that all are in the custody of individuals named in control logs. Automated media tracking systems may be helpful for maintaining inventories of tape and disk libraries.
Integrity Verification
When electronically stored information is read into a computer system, it may be necessary to determine whether it has been read correctly or subject to any modification. The integrity of electronic information can be verified using error detection and correction or, if intentional modifications are a threat, cryptographic-based technologies.
Physical Access Protection
Media can be stolen, destroyed, replaced with a look-alike copy, or lost. Physical access controls to limit these problems include locked doors, desks, file cabinets, or safes. If the media requires protection at all times, it may be necessary to actually output data to the media in a secure location (e.g., printing to a printer in a locked room instead of to a general-purpose printer in a common area).
Add ecommerce-guide.com to your favorites Add ecommerce-guide.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.xReceive news via our XML/RSS feed
IE 7
Firefox 2.0
