Computer Security Policy and Procedures
Security Policy and Procedures protect information stored on the systems and networks that have become vital assets for businesses and users alike. For that reason, compliance policies and procedures are becoming more important in our daily lives.
The growth in networking combined with the use of smart devices entwined with e-commerce has added to that and while providing drivers for new markets and continued growth. They also provide opportunities for hackers and others engaged in illegal activities. As is the increasing trend of pushing users towards cloud technologies. Placing a greater reliance on security applied to third-party hosting and the additional services they seek to provide.
CCC have developed effective, workable security policy and procedures, for a number of well-known clients, providing maximum business potential while minimising risk to acceptable levels.
“Systems, are only as secure as their weakest link.”
Within most of the modern world, electronic data now has a legal status similar to physical assets. However, the manner in which companies store and use data. Frequently means that it is stored in a number of different locations across a number of jurisdictions. This too can present difficulties if policies fail to take this into consideration. As a result, what appear to be workable policies do not necessarily provide the protection sought, ensuring that compliance with obligations are maintained on behalf of the owner.
ISO/IEC Standard 17799 and ISO/IEC 27001 are the two main standards for information security management, which we use as a basis for our clients.
As a start point, we would normally perform a risk analysis. So that levels can be identified in order that; workable, tailored policies and procedures can be created commensurate with client needs.
Furthermore, we have often found factors that are often overlooked, examples of which, although they may sound odd, include:
- Does management support the security policy?
- Does management understand the risks?
- Are both policies and procedures workable?
- Do policies unjustly, hinder employees
- Will staff buy into the policies or look to find shortcuts?
- Has an effective balance been found?
A common example of where compromises can be made are the frequency with which good quality passwords need to be changed, due to policy. Despite the fact that there is no realistic chance of the password being compromised through decryption.
As a result of this requirement, some users may look to create sequential passwords that comply with the policy. But are easier to remember and consequently easier decrypt using masking techniques.
As an example, if there was a requirement to change passwords every month the following passwords are likely to conform with requirements. In that they are of sufficient length contain uppercase, lowercase, numeric and special characters:
And so on…
Any password cracker who had obtained the hash of one of these would be able to decrypt the encrypted hash in a relatively short time. Whereas a comparable more personal password of similar complexity could take years to decrypt.
We have often found there is a significant cost benefit, where effective policies and procedures have been implemented correctly. While providing adequate protection to business-critical data and reputation alike, by:
- Increasing the robustness of systems, reducing downtime
- Reducing the number of security incidents and their associated overheads.
- Secure networks and servers require less maintenance.
- Asset life-span tends to increase.
Our expertise and experience, uniquely combines electronic forensic skills, with an understanding of corporate finance.
Asset Tracing – Audit – Computer Security – Digital Forensics – Due Diligence – eDiscovery – Fraud Investigation
Intelligence Gathering -Passwords Analysis – Penetration Testing – Wireless Security
Services underpinned with expertise and experience.