INFORMATION SECURITY POLICY
The use of computers and the electronic exchange of information have developed rapidly in the retail business, and the confidentiality, integrity and availability of information play the major role in this. Failure to secure customer information increases the risk of financial and reputational losses from which it will be difficult for the organization to recover. Because storage and information processing are cheap, many companies have started using electronic methods to store the private and public details of individuals, so it is important for the information security officer to make sure that the personal details of customers and employees are stored securely. Many companies have also started outsourcing data processing to third parties, commonly called data processors.
This information security policy provides an insight into the company's information security management. It sets out the responsibilities and guiding principles that are essential to safeguard the security of the organization's information systems. Supporting policies, guidelines and codes of practice provide further detail. The principles in this policy apply to all physical and electronic devices that belong to the organization. The policy provides assurance that information provided by individuals is kept safe.
The main objective of this policy is to ensure the confidentiality and security of the networks, applications and information systems owned by the organization by:
2.1. Ensuring that all staff members are aware of the roles and responsibilities assigned to them and fully comply with the legislation referred to in the information governance policy.
2.2. Providing awareness and training so that information security is treated as an integral part of day-to-day work.
2.3. Ensuring that information assets are protected by the responsible authorities within the organization.
This policy applies to the people working in the organization, to third parties and customers who interact with information maintained by the organization, and to the systems used to process and store that information. This includes cloud systems, mobile devices and telephone systems that are used on, or connected to, the organization's network.
1. Information is categorized according to its confidentiality, integrity and availability requirements, and in accordance with regulatory, contractual and legislative requirements.
2. Staff who have a particular responsibility (See the section : ) for information must acknowledge the classification of that information and handle it according to the importance indicated by its classification.
3. All users covered by the scope must handle information according to its classification. Any breach of this policy must be reported immediately.
4. The policy will be reviewed yearly, supported by internal audits and penetration testing.
5. Information is protected against unauthorized and illegitimate users.
4.2 INFORMATION CLASSIFICATION
Information is classified according to who needs to access it. Access to personal data is limited to those who need it for processing. Information is divided into categories so that each category can be protected properly and allocated security measures accordingly.
UNCLASSIFIED INFORMATION: Information that can be used in public without any obligation, such as product advertisements or annual turnover. This information is already in the public domain.
EMPLOYEE CONFIDENTIAL INFORMATION: Information accessible only to members of the organization. It must be encrypted whenever it leaves the organization's systems. It includes employees' pay, medical history, educational qualifications, etc.
COMPANY CONFIDENTIAL INFORMATION: Includes source code, business strategies, methodologies, client contacts, server passwords, etc.
CLIENT CONFIDENTIAL INFORMATION: Includes personal information such as name, address, client business and work history, and information about new product launches.
5. POLICY FRAMEWORK:
5.1 Security Management
- Responsibility for information security resides with the CEO of the company at board level.
- The security officer of the organization is responsible for the implementation, documentation and monitoring of all security requirements.
5.2 Training for Information Security
- New staff must complete information security training during induction. Mandatory refresher training should be provided to all employees once a month.
5.3 Employment Contract
- Staff security requirements should be stated during recruitment, and the employment contract should contain a confidentiality clause.
- Job definitions should state the information security expectations placed on the employee.
5.4 Asset Security Control
Assets such as hardware and software should be tagged with the organization's name, indicating that they are company property.
5.5 Access control
Information systems are protected by access control systems. These include internal controls (e.g. passwords, the user interface and encryption) and external controls (firewalls, port-protection devices and host-based authentication). The information owner is responsible for authorizing who may access the resources.
User Access Control: Information may be accessed only by users with a properly justified business need.
Computer Access Control: PCs and laptops belonging to the organization may be used only by people with a proper business need.
Application Access Control: Only system and database administrators may access application data, source code and system libraries. Authorization to use an application depends on the licences granted by the supplier.
5.6 Transfer of data and mobility
Information that is highly sensitive to the organization must not be stored on, or transferred using, laptops, PCs, USB drives, hard disks, CDs/DVDs or mobile devices unless it is encrypted with encryption technology approved by the information security division.
5.7 Information System Accreditation
The security officer will ensure that every network, application and information system has an approved security plan before it is put into use in the company.
5.8 System Access monitoring
Employees' data and their access to the systems they use are reviewed on a regular basis. The Regulation of Investigatory Powers Act 2000 allows monitoring and recording of employees' electronic communications for the following reasons:
- To establish the existence of facts
- To detect and investigate unauthorised use of the system
- To prevent crime
- To ascertain the standards achieved by people using the system
INTELLECTUAL PROPERTY RIGHTS: The information security officer will ensure that the organization's software is properly licensed. Users are not allowed to install any software without the permission of the authority. Users who breach this requirement are subject to disciplinary action.
POLICY OF DATA COLLECTION AND RETENTION
The most effective way of mitigating the problem of stolen personal data is not to hold the data in the first place beyond the period it is needed. For example, customers' credit card details should be deleted as soon as the transaction is completed. The information security officer should always know how data flows across the organization; otherwise protecting it becomes a difficult task.
Users must use a password, a smart card or some other kind of token to access personal information. Passwords should combine letters, punctuation, symbols and numbers and be at least 8 characters long. Passwords should not be obvious, such as a birthday, maiden name, home town, pet's name or relative's name. Smart cards authenticate by generating codes. A token provides a PIN that is valid only for a short period of time. These are used together with the password for user authentication.
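The "PIN valid only for a short period" that the token above provides is, in practice, a time-based one-time code. The following is an added example, not part of the original policy, showing how a server verifies such a code (RFC 6238 TOTP built on RFC 4226 HOTP) and why a code stops working once its time step has passed or once it has already been used. The shared secret is the published RFC test-vector secret, and the step size, drift tolerance and times are constructed for the demonstration.

```python
"""Time-based one-time code verification (RFC 6238 TOTP over RFC 4226 HOTP).
Added example illustrating the 'token PIN valid only for a short period' used
together with a password; it is not part of the original policy. The shared
secret, time values and window sizes below are constructed for the demo."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30      # each code is valid for one 30-second time step
DIGITS = 6             # length of the displayed code
DRIFT_STEPS = 1        # tolerate one step of clock skew either side

# Constructed shared secret; in practice provisioned into the token/smart card.
DEMO_SECRET = b"12345678901234567890"   # the RFC 4226/6238 test-vector secret


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of steps since epoch."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Server-side check of a presented code.

    Accepts the code for the current step or one within `drift` steps of it,
    compares in constant time, and remembers the last accepted step so the
    same code cannot be replayed inside its validity window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = DRIFT_STEPS):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.last_accepted = -1   # highest counter already consumed

    def check(self, presented: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.drift, self.drift + 1):
            counter = current + delta
            if counter <= self.last_accepted:
                continue              # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, counter), presented):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    verifier = TokenVerifier(DEMO_SECRET)
    print("code:", code, "first use:", verifier.check(code, now),
          "replay:", verifier.check(code, now))
```

The code is only a second factor: it proves possession of the token's secret for one 30-second step, so it must be checked alongside the password, and the server must keep its clock roughly in step with the tokens or the drift window will reject legitimate users.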
ENCRYPTION OF DATA
Encryption is the process of encoding data stored on the computer so that it cannot be read without the key, adding another layer of security. Keys must be long enough and generated with sufficient randomness that they cannot be recovered by brute force, and private keys must be kept secret.
ANTIVIRUS SOFTWARE AND PATCHING
Antivirus software protects against infection from the internet and defends against viruses, Trojan horses and worms. It is important that all software is updated to the latest version on a regular basis, which mitigates potential threats. E-mail from unknown or untrusted sources should not be opened, which helps prevent attacks.
Accessing systems from outside the organization, for example offsite, introduces potential weaknesses. The need for such remote access should be properly assessed and security measures put in place before access is granted. The information security officer is responsible for the security of the organization's network, including access from remote locations.
When a computer accesses a server over a wireless network it can expose the network to attack. A properly configured firewall should be in place to prevent such attacks. Unsecured Wi-Fi should not be used for transactions, or at the very least encrypted (HTTPS) web sessions should be used.
LOGS AND AUDIT TRAILS
Security policies and access control systems are of little use if the system cannot tell whether information has been compromised. Proper logging should be maintained that records which user accessed the system and when. Logs and audit trails help identify people who abuse the system and help ensure effective administration of system security. Monitoring should cover not only the operating system, networks and intrusion detection systems but also web activity and database activity.
PROTECTION OF DATA
- Backup and transfer of data: Data may be transferred only over an encrypted medium, such as a VPN connection, to ensure the confidentiality and integrity of the information.
- Access to external systems: If there is a need to access an external system, contact the supervisor or department head, who will assist in accessing it through a secure method.
- E-mail: Personal information must not be sent from the company's e-mail account unless it is encrypted. Appropriate personnel, such as the privacy officer, can help with the procedure for e-mail transmission.
- Public networks: Tasks involving the company's sensitive information should not be carried out while the computer is connected to a public network, such as hotel or airport Wi-Fi.
ROLES AND RESPONSIBILITIES
CHIEF EXECUTIVE OFFICER: Although securing the organization's information is everyone's responsibility, ultimate accountability rests with the CEO and is exercised through the information security officer.
INFORMATION SECURITY OFFICER: Responsible for managing the security of information across the organization. They maintain and enforce the policies, take effective measures to avoid data breaches, and make sure the company follows the applicable regulations and legislation.
SENIOR MANAGERS: Responsible for the security of the physical environments where information is stored and processed, for the permanent and contract employees they manage, and for the information those employees handle. Senior managers must make sure that all employees are aware of the security policy.
STAFF: All staff must follow the policy and regulations and know how information should be properly transferred and stored. Staff who come across any security breach are obliged to report it to the security officer.
CUSTOMERS: Customers should use a strong password to log in for online purchases, keep their login details private, and neither reveal them to anyone nor write them down on any public document.
THIRD PARTIES: All third parties who handle the company's employee or customer information are obliged to keep it protected and encrypted. Any data breach must be reported to the organization immediately, and the necessary action taken immediately.
A data breach can happen for various reasons, including theft of information by breaking into the organization's premises, hacking, human error, server failure, and unauthorized use due to weak access controls. The organization must have a breach management process in place to handle data breaches. It includes the following steps:
– IDENTIFICATION OF BREACH
There should be a procedure through which all staff members can report a breach, and they should know whom to contact if they come across any leak. This allows management to identify the incident at an early stage. Details about the breach should be collected, including logs, timestamps, the servers involved and any error messages related to the incident.
– CONTAINMENT OF BREACH
Once a breach is identified, the company should decide who leads the investigation and takes responsibility for finding the cause. Affected networks and servers should be isolated from the rest of the network (isolated rather than wiped or rebuilt, so that the logs and evidence needed for the investigation are preserved). Affected users should be informed without delay, and passwords and access rights should be changed. Where relevant and appropriate, the incident should be reported to the police.
– RISK ASSESSMENT
Risk assessment plays an important role when a data breach is detected. It considers what kind of data has been leaked, how sensitive it is, whether any encryption was used to protect it, and how many people are affected and have lost their data because of the breach.
If personal data is lost, under the Data Protection Act the person who becomes aware of the breach must notify the information security officer immediately.
The data breach is then reviewed by the information security manager to identify how the data leaked and what can be improved to prevent future incidents.
FORENSIC INVESTIGATION OF DATA BREACH AT A RETAIL SHOP
Shop Here Ltd is a retail chain based in Ireland with around 3,000 staff. It has both physical outlets and online shopping, with around 30 shops in Ireland. Thousands of customers regularly use Shop Here Ltd's online shopping.
Recently a data breach was reported at Shop Here Ltd. Customers' card and personal data were stolen and are available for sale on the internet. The company approached a forensic analyst two weeks later to investigate the data theft.
As digital forensic investigators we arrived at the scene of the crime once the issue was reported. We obtained the information required for the investigation from the company's information security officer.
While investigating, we found that the attacker had tried to access customers' accounts by brute force over a month, trying various combinations of usernames and passwords, and finally gained access to some of the accounts. The attackers then tried to withdraw money from those accounts. We also found that the payment system had been compromised by malware, using web spoofing and cross-site scripting. In web spoofing, users believe they are accessing the official website when they have in fact been redirected to a page created by the attacker, with a slight change in the HTML code that the end user does not usually notice. The spoofed website was created so that the malware copied customers' personal information from the payment page while they completed a transaction. The attacker then took a copy of the personal information and posted it on the internet.
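The month of password guessing described above is exactly what the user-and-time logging required in the LOGS AND AUDIT TRAILS section exists to expose. The following is an added example, not part of the original policy or the case study, of a detector run over such a log: it flags a source that accumulates too many failed logins in a short window and, separately, a successful login from a source that is still over that threshold (the "finally gained access" outcome). The log format, the thresholds and every log line are constructed for the demonstration, using RFC 5737 documentation addresses.

```python
"""Brute-force / account-takeover detection over an authentication audit trail.
Added example, not part of the original policy: it shows how the user-and-time
logging the policy calls for lets the password guessing described in the case
study be spotted. The log format and every entry below are constructed
(RFC 5737 documentation addresses)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # sliding window per source address
FAIL_THRESHOLD = 5               # failures inside the window that trigger an alert

# Constructed sample: one fast attacker (203.0.113.5) spraying three accounts and
# then succeeding as 'bob'; one legitimate typo (198.51.100.7); one slow guesser
# (203.0.113.9) that stays under the per-window threshold.
SAMPLE_LOG = """\
2024-03-01T09:30:00Z LOGIN_FAIL user=dave src=203.0.113.9
2024-03-01T09:50:00Z LOGIN_FAIL user=dave src=203.0.113.9
2024-03-01T10:00:01Z LOGIN_FAIL user=alice src=203.0.113.5
2024-03-01T10:00:04Z LOGIN_FAIL user=alice src=203.0.113.5
2024-03-01T10:00:09Z LOGIN_FAIL user=bob src=203.0.113.5
2024-03-01T10:00:15Z LOGIN_FAIL user=bob src=203.0.113.5
2024-03-01T10:00:21Z LOGIN_FAIL user=carol src=203.0.113.5
2024-03-01T10:00:30Z LOGIN_OK user=bob src=203.0.113.5
2024-03-01T10:05:00Z LOGIN_FAIL user=carol src=198.51.100.7
2024-03-01T10:05:20Z LOGIN_OK user=carol src=198.51.100.7
2024-03-01T10:10:00Z LOGIN_FAIL user=dave src=203.0.113.9
"""


def parse_line(line: str) -> dict:
    """'<ISO time> <EVENT> user=<name> src=<ip>' -> dict with a datetime."""
    ts, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "user": kv["user"], "src": kv["src"]}


def detect(lines, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Walk the log once (it must be in time order) and emit alerts.

    brute_force: a source reaches `threshold` failures inside `window`.
    success_after_failures: a LOGIN_OK from a source that is currently over
    the threshold, i.e. the guessing probably worked (the case-study outcome)."""
    failures = defaultdict(deque)   # src -> timestamps of failures still in window
    targets = defaultdict(set)      # src -> usernames it has tried
    alerted = set()                 # sources already reported as brute_force
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        e = parse_line(raw)
        recent = failures[e["src"]]
        while recent and e["ts"] - recent[0] > window:
            recent.popleft()        # expire failures older than the window
        if e["event"] == "LOGIN_FAIL":
            recent.append(e["ts"])
            targets[e["src"]].add(e["user"])
            if len(recent) >= threshold and e["src"] not in alerted:
                alerted.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "failures": len(recent),
                               "users": sorted(targets[e["src"]]),
                               "at": e["ts"].isoformat()})
        elif e["event"] == "LOGIN_OK" and len(recent) >= threshold:
            alerts.append({"type": "success_after_failures", "src": e["src"],
                           "user": e["user"], "failures": len(recent),
                           "at": e["ts"].isoformat()})
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Note the slow guesser from 203.0.113.9: spread over an hour it never reaches five failures inside a ten-minute window and produces no alert. A month-long campaign like the one in the case study looks the same, so a short sliding window is not enough on its own; the logs must be retained for the whole period and also aggregated over long horizons per source and per account, with account lockout or rate limiting applied to the accounts being targeted.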
While investigating the breach, we found that the organization had failed to take security measures in storing personal data and customer card details, including the following:
- No service level agreement existed between the information security officer and the data processor.
- The information security officer was not kept informed of new employees joining the organization.
- The company failed to verify that access control and user authentication were in place.
- Systems were not secured and protected by a firewall, and there was no security configuration for the website platform.
- The company failed to notify the supervisory authority of the breach within 72 hours, as the GDPR requires; it initially approached some third party to mitigate the issue instead.
From the above findings we produced a detailed report, checked against the company's information security policy, noting that the company had failed to comply with the General Data Protection Regulation. Recommendations were provided to reduce the risks identified:
- Ensure that customers use strong passwords that combine letters and numbers.
- The information security officer should make sure that software is updated to the latest version and that a firewall is in place for maximum protection.
- The organization should delete customers' personal information once it is no longer needed.
- Implement a comprehensive data retention policy.