Security
The security of your business has never been more
important. As the numbers of websites, e-mails and electronic files
increase, and the ways to access them become more flexible, the threat
to your information mounts. This section provides practical advice and
guidelines to help you negotiate your way through the maze of information
security threats.
Guides
Background
Security standards
Viruses
Inappropriate usage
Unauthorised access
Theft
Systems failure
How To guides and checklists
Useful links
GUIDES
Information Security: Hard facts
A look at the importance of information security, how
to deal with security breaches and the preventative measures your business
can take. URN 04/619
Technology and the law
Information security; data protection; hacking; viruses;
how to comply with the law.
Information security: A business guide to using the
internet
Using the internet brings great benefit to your business
but its openness makes it vulnerable to security threats. This guide
covers the five steps you can take to protect your business. URN 04/624
Information security: A business manager’s guide
This guide looks at what information security is, why
it’s important and how to implement information security solutions.
It includes guidance on developing a security policy, security roles
and responsibilities and risk management. URN 04/623
BS 7799 and the Data Protection Act
This guide explains how BS 7799 can help you meet the
requirements of the Data Protection Act. URN 04/621
Guide to Electronic Communications Act 2000
A look at the importance of secure electronic trading
and an overview of the Electronic Communications Act. URN 04/622
Guide to the UK ISO/IEC 17799 users’ group
ISO/IEC 17799 is the international standard for information
security management. The Users' Group
looks at the uptake of the standards. URN 04/620
Electronic signatures
A factsheet describing what electronic signatures are
and the benefits they can offer.
DTI Information Security Breaches Survey 2002: Technical
Report
Full report of findings of 2002 Information security
Breaches Survey, a joint DTI/business survey undertaken on a biennial
basis.
DTI Information Security Breaches Survey 2002: Executive
Summary
Key findings of the 2002 Breaches Survey including Top
Ten Actions for the Board.
BACKGROUND
Risk Management
Provides an introduction to the risks associated with
information security. Also includes risk analysis and risk statistics.
Education & awareness
Introduces the idea that a well-trained, well-informed
workforce can be the best form of defence against information security
threats.
Tools & Techniques
Provides links to tools and techniques that may prove
useful when dealing with information security.
Legislation
Summarises the main areas of legislation concerned with
information security - largely centred around the monitoring of staff
and privacy.
Police sites
Contact details for UK police forces with related crime
and emergency contacts
Business Continuity Management
Introduces the process developed to counteract systems
failure, not just in terms of I.T., but across organisations as a whole.
Crisis management
Introduces the concept of a crisis, including associated
risk and crisis management processes.
Good housekeeping
Details some of the quickest and most effective ways
of dealing with information security issues at a basic level.
Business Continuity Management (Process)
Summarises the four-stage Business Continuity Management
process - Initiation, Requirements/Strategy, Implementation and Operational
Management.
Business Continuity Management (Impact Analysis)
Explains Impact Analysis as required in stage 2 of the
Business Continuity Management process.
Business Continuity Management (Risk Analysis)
Explains Risk Analysis as required in stage 2 of the
Business Continuity Management process.
Business Continuity Management (Strategy)
Explains the Strategy, developed using information collated
from the business impact analysis and the risk assessment (both completed
within stage 2 of the Business Continuity Management process).
Business Continuity Management (Plans & Process)
Summarises the importance of plans at all levels of the
Business Continuity Management process.
Business Continuity Management (Risk Reduction)
Explains how the requirements analysis (completed within
stage 2 of the Business Continuity Management process) should identify
issues that need to be addressed through risk reduction rather than
recovery.
Business Continuity Management (Operational Management)
Explains operational management (stage 4 of the Business
Continuity Management process) and the responsibilities of the business
continuity manager.
Business Continuity Management (10 Point Plan)
Details areas identified by the Business Continuity Institute
(BCI) and the Disaster Recovery Institute International (DRII) as being
key to effective business continuity planning.
Business Continuity Management (Testing)
Summarises the purpose of and requirements for testing
(stage 3 of the Business Continuity Management process).
Policy & Standards implementation
Introduces ideas for implementing new policies and procedures
within an organisation.
Policy & Standards terminology
Outlines terms used to describe different governance
publications.
Incident Management
Sets out guidelines for managing incidents, whatever
the cause.
More crisis management
Provides a more detailed analysis of crisis management
and surrounding issues.
Incident reporting
Summarises reporting procedures for both internal and
external incidents relating to viruses, inappropriate usage, unauthorised
access, theft and systems failure.
Reporting an incident to the police
Provides links to different incident reporting channels,
including police forces and the National Hi-Tech Crime Unit.
Forensics and the law
Summarises issues surrounding the admissibility of evidence,
which is regulated by a complex formula of domestic law, international
law and precedent.
Forensics checklist
Examines principles that apply to all forensic investigations,
and should be considered before embarking on an incident management
process.
Related sites
A one-stop directory for information security links (including
virus defence software companies, government contacts, legislation,
standards bodies, etc).
Data Protection Act
Introduces the Data Protection Act, including the rights
of data subjects, information security issues and related legislation.
Practical data protection
A practical approach to the Data Protection Act, including
how to register with the Information Commissioner's Office, and practical
steps to help ensure compliance with the Act.
Computer Misuse Act
Introduces the Computer Misuse Act, which aims to meet
the general threat of unauthorised access (often called hacking).
RIPA
Introduces the Regulation of Investigatory Powers Act
2000 (RIPA), which aims to control how organisations deal with intercepting
communications on networks (covering a wide range of media, including
post, e-mail messages, telephone calls, faxes and internet usage).
Getting started with a computer system
Provides basic advice for getting started with a new
IT system when setting up a small business (includes hardware, software,
backups, the Internet, networks and weekly tasks).
Broadband
Examines some of the most common methods of establishing
a broadband connection (high speed access) to the Internet (including
ADSL, LMDS and satellite links).
Online trading
Summarises key areas to consider when implementing an
online trading facility (including how to get online, building and managing
web sites, managing sales, rules and regulations and common pitfalls).
Frauds and scams
Details some common frauds and scams which are directed
at small companies and individuals, often utilising the Internet and
technology.
How To and checklist PDFs
Provides links to (and summary information for) available
'How To' guides and checklists.
Mobile technology
Introduces some of the security risks associated with
the rise of mobile technology, and how to minimise those risks.
Information Security glossary
Provides a brief explanation for some of the more technical
terms associated with information security.
SECURITY STANDARDS
Policy & standards
A brief introduction to the role of policies and standards
(corporate governance) within organisations.
Existing standards
Summarises various standards that exist for issues surrounding
Information Security (including BS 7799, COBIT and GASP).
BS 7799 explained
Summarises BS 7799 Part 1 (10 sections of guidance and
explanatory information) together with the certification process and
requirements.
BS7799 Part 1 Section 1
A more detailed explanation of BS 7799 Part 1, Section
1 (Security Policy).
BS7799 Part 1 Section 2
A more detailed explanation of BS 7799 Part 1, Section
2 (Organisational Security).
BS7799 Part 1 Section 3
A more detailed explanation of BS 7799 Part 1, Section
3 (Asset Classification and Control).
BS7799 Part 1 Section 4
A more detailed explanation of BS 7799 Part 1, Section
4 (Personnel Security).
BS7799 Part 1 Section 5
A more detailed explanation of BS 7799 Part 1, Section
5 (Physical and Environmental Security).
BS7799 Part 1 Section 6
A more detailed explanation of BS 7799 Part 1, Section
6 (Communications and Operations Management).
BS7799 Part 1 Section 7
A more detailed explanation of BS 7799 Part 1, Section
7 (Access Control).
BS7799 Part 1 Section 8
A more detailed explanation of BS 7799 Part 1, Section
8 (System Development and Maintenance).
BS7799 Part 1 Section 9
A more detailed explanation of BS 7799 Part 1, Section
9 (Business Continuity Management).
BS7799 Part 1 Section 10
A more detailed explanation of BS 7799 Part 1, Section
10 (Compliance).
ISO/IEC 17799 Users' Group
Introduces the business-led group, facilitated by the
DTI, offering a forum for networking and discussion of best information
security practice.
Registration Form for ISO/IEC 17799 Users' Group Workshop
May 2004
Downloadable registration form for the next ISO/IEC Users'
Group workshop.
Consent Form for ISO/IEC 17799 Users' Group
Downloadable consent form, required when joining the
ISO/IEC Users' Group.
Membership Form for ISO/IEC 17799 Users' Group
Downloadable membership form for the ISO/IEC Users' Group.
Terms of reference for ISO/IEC 17799 Users' Group
Downloadable terms of reference for the ISO/IEC Users'
Group.
BS7799 Newsletter
Contains a sample newsletter, as published for the ISO/IEC
17799 Users' Group on a regular basis.
VIRUSES
Virus definition
Includes information regarding the definition, characteristics
and transmission of viruses (including variants such as worms and Trojan
horses).
Virus risk
Highlights the risks to information security from computer
viruses and how to minimise them.
Virus Recovery
Details the signs of a virus infection and five key steps
to recovery.
Virus prevention
Explains how to prevent systems from virus infection
using techniques including user vigilance, virus defence software, strategy
and alert services.
Virus case studies
Details actual events to illustrate the risks associated
with computer viruses, together with lessons that can be learnt.
Virus hoaxes
Introduces the concept of a virus hoax and provides links
to further hoax-related information.
Virus defence software companies
Provides links to virus defence software vendors and
broader services (including e-mail scanning, content filters and firewalls).
Macro Viruses
Introduces the concept of macro viruses, which use standard
applications (such as Microsoft Word and Excel) to perform unexpected
tasks.
Signs of a virus infection
Summarises the key signs of a virus infection.
Virus defence software deployment
Summarises the logistics of implementing virus defence
software on different systems (internet gateways, servers and PCs) together
with different types of virus defence software.
Security patches
Introduces the concept of security patches, released by
vendors of software and operating systems to fix or 'patch' identified
vulnerabilities (includes links to useful websites).
INAPPROPRIATE USAGE
Inappropriate usage definition
Includes a definition of inappropriate usage of systems,
including issues surrounding e-mail, disclosure of information and inadvertent
misuse.
Inappropriate usage risk
Highlights the risks to information security from inappropriate
usage (including liability, viruses and reputation).
Inappropriate usage recovery
Details the basic principles for recovery from an inappropriate
usage incident, and key steps required.
Inappropriate usage case studies
Details actual events to illustrate the risks associated
with inappropriate usage, together with lessons that can be learnt.
Inappropriate usage prevention
Explains how to prevent systems from inappropriate usage,
including policy development, virus defence software, e-mail content
checking, filtering and monitoring.
HR screening
Examines HR issues surrounding the verification and vetting
of staff, including legal implications.
HR dismissal discipline
Offers pragmatic advice on HR issues surrounding discipline
and dismissal (including terms and conditions, non-disclosure agreements,
job descriptions and termination of employment).
HR monitoring
Provides a legislative background on the monitoring of
staff (including the Human Rights Act, the Data Protection Act and the
Regulation of Investigatory Powers Act (RIPA)).
Hints & tips for e-mail policy
Provides a starting point when considering the implementation
of an e-mail policy within the workplace.
UNAUTHORISED ACCESS
Unauthorised access definition
Includes a definition of unauthorised access to computer
systems and introduces the practice of hacking.
History of hackers
Provides an insight into the origins of hacking and the
different types of hackers that exist.
Unauthorised access risk
Examines the risks associated with unauthorised access
(including 'the enemy within') and summarises some of the main reasons
why hackers operate.
Unauthorised access recovery
Outlines high-level principles that should be considered
before setting up a formal response to an unauthorised access incident.
Unauthorised access prevention
Explains how to minimise the risks associated with unauthorised
access using a combination of defence strategy, technology tools and
user vigilance.
Unauthorised access case studies
Details actual events to illustrate the risks associated
with unauthorised access, together with lessons that can be learnt.
THEFT
Theft definition
Includes an introduction to the issues surrounding data
theft and highlights the value of information.
Theft risk
Highlights the risks associated with data theft, depending
on the nature of businesses involved.
Theft recovery
Outlines areas for consideration in the event of an information
theft incident, in the context of incident response and incident management.
Theft prevention
Explains how to minimise the risks associated with information
theft, including physical security, technical controls and people-based
controls.
Theft case studies
Details actual events to illustrate the risks associated
with information theft, together with lessons that can be learnt.
Physical security
Examines different methods of ensuring physical security,
including physical access, security perimeters, secure areas, environment,
delivery areas and storage areas.
Physical security and remote working
Examines physical security in the context of remote working,
including security issues for working away from the office (or at home)
and insurance.
SYSTEMS FAILURE
Systems failure definition
Summarises different types of systems failure within
the context of incident and crisis management.
Systems failure risk
Presents a series of questions to help provide an indication
of whether steps should be taken to protect systems.
Systems failure recovery
Details incident management principles upon which recovery
from systems failure is based (qualification, containment, assessment
and countermeasures).
Systems failure prevention
Provides a high-level guide to preventing (or at least
reducing the likelihood of) systems failure.
Systems failure case studies
Details actual events to illustrate the risks associated
with systems failure, together with lessons that can be learnt.
HOW TO GUIDES AND CHECKLISTS
Asset inventory checklist
Provides an outline proforma for creating an asset inventory
in a form specifically designed to download and print for the workplace.
How To protect yourself against computer viruses
Summarises how to recognise, recover from and prevent
computer viruses in a form specifically designed to download and print
for the workplace.
E-mail checklist
Lists fundamental, practical controls that can be implemented
easily to protect e-mail systems, in a form specifically designed to
download and print for the workplace.
Good housekeeping checklist
Lists high-level steps that establish best practice for
small organisations, in a form specifically designed to download and
print for the workplace.
Incident handling checklist
Provides straightforward ways of deciding whether to
and how to report an incident, in a form specifically designed to download
and print for the workplace.
How To write an Information Security policy
Provides detailed advice to help create an Information
Security Policy, in a form specifically designed to download and print
for the workplace.
How To choose an ISP
Summarises points to consider when selecting an Internet
Service Provider, in a form specifically designed to download and print
for the workplace.
How To outsource and make use of external services
Provides advice and guidelines to consider when outsourcing
work to third parties, in a form specifically designed to download and
print for the workplace.
Physical security checklist
Suggests a series of practices designed to make small
offices (and homes) more secure.
Privacy policy checklist
Highlights key areas which should be addressed when developing
a privacy policy.
USEFUL LINKS
Further e-business information
An archive of information on using technology in your
business.
E-business case studies
Practical examples of technology in action.