Lecture 4 - Operational Issues and Policy

Uploaded by

Ganesh Basnet
Lecture 4: Operational Issues and Policy


Learning Outcomes

At the end of this lesson, you will be able:

• To describe trends, auditing, asset management, standards, enforcement, legal issues and disaster recovery
• To discuss issues related to trends, auditing, asset management, standards, enforcement, legal issues and disaster recovery
Trends
Auditing

What does auditing mean?

The general definition of an audit is an evaluation of a person, organization, system, process, enterprise, project or product. The term most commonly refers to audits in accounting, but similar concepts also exist in project management, quality management, and energy conservation.
Auditing

Why do we need auditing of information security?

• Performing an IT security audit can help organizations by providing information about the risks associated with their IT networks. It can also help in finding security loopholes and potential vulnerabilities in their systems, so that they can be patched on time and attackers kept at bay.
• This includes activities such as vulnerability scans or penetration tests that attempt to gain unauthorized access to the systems, applications, and networks. Finally, the penetration testing reports generated after performing all the necessary procedures are submitted to the organization for further analysis and action.
Auditing

Who can perform the audit?

• Internal auditors (employees within the organization itself)
• External auditors (an external consulting firm)
Auditing

• It is recommended that you hire an external consulting firm to perform auditing services for your company, although internal staff with adequate training would be a sufficient alternative.

• The reason why companies much prefer an external auditor is that a "neutral third party" is usually more objective, since they are neither stakeholders nor friendly with stakeholders. There's nothing like an unbiased opinion.
Auditing

It's widely recognized that

• auditing can provide assurance of a company's compliance with market and regulatory requirements.
• auditing can also be used as a tool to strengthen your business, providing the validated information you need to make informed business decisions on everything from product quality to business security.
Asset management

• Asset management refers to any system for monitoring and maintaining things that are of value to an entity or group.

• It may apply to both:
  • tangible assets and
  • intangible concepts such as intellectual property and goodwill.

• Asset management is a systematic process of operating, maintaining, and upgrading assets cost-effectively (American Association of State Highway and Transportation Officials).

• Alternative views of asset management in the engineering environment are:
  • The practice of managing assets so that the greatest return is achieved.
  • The process by which built systems of facilities are monitored and maintained, with the objective of providing the best possible service to users.
Standards

• “A standard is a set of agreed rules and guidelines for common and repeated use for a particular, pre-defined, purpose. It needs to lay down a solid and equitable foundation for the global exchange of goods and services, incorporating all the key elements required by market and social forces.” (Quote from ISO definition.)
• It is important to have the ability to process and communicate information in a completely unambiguous way, in order to reduce the cost of managing data and information and to provide clarity both internally and with external customers and suppliers.
• The use of standards, and which standards to adopt, needs to be assessed within an overall business requirement.
• Internal standardization is more urgent than external. In other words, first standardize the internal business processes and then adopt coherent internal technical standards, before investing time and resources in external standards.
• Although there are many standards to choose from, they need to be selected and adopted in order to achieve the cost benefits.
What are the risks of applying standards?

• There are too many technical standards to choose from. The need to support multiple standards results in extra costs and can limit effective communication between business parties.
• Some organizations can finish up with two or more systems, each with different standards. The adoption of different standards in the same business process results in increased cost and less effective management information.
• Standards are not yet finalized, which can result in ongoing / continual costs, making the lifetime cost of ownership too high.
• Standards are being developed too slowly, which results in customization and hence costs to each organization. There is also duplication and ’islands’ of standards, typically within market communities.
• There is a risk of costs in determining which standards to use, and a risk of picking a standard which is superseded in the future. Standards which can be further developed, but continue to support backwards compatibility, typically reduce the overall cost of maintenance and upgrades.
Enforcement

• Policy enforcement typically refers to the creation, categorization, management, monitoring, and automated execution of a specific set of requirements for use of a computer or communications network; that is, not only the enforcement of policies but policy definition, application, and management more generally.
• Policies may address virtually any “who, what, where, when, how, or why” parameters, including who can access resources, when, from where, using what devices or software, what the user can and cannot do once access is granted, for how long, and with what auditing or monitoring. Policies may also address more technical interactions or requirements such as protocols to accept, ports to use, or connection timeouts.
Enforcement – Why is it important?

• Organizations create policies to control, manage, and sometimes monetize their assets and services. Network policy enforcement helps to automate data and asset security measures, including BYOD requirements. It can enable a service provider, for instance, to create differential rates for specific services or times of use. It can also be used to help enforce enterprise ethical standards (such as use of company equipment and time for personal ends) and to better understand and manage network use.
Legal Issues

Contracts

At the heart of e-commerce is the need for parties to be able to form valid and legally binding contracts online.

- Each party should trust the other before signing the contract.
- The e-business contract is more sensitive than a normal contract.
Legal Issues

Security

Security over the Internet is of immense importance to promote e-commerce. Companies that keep sensitive information on their websites must ensure that they have adequate security measures to safeguard their websites from any unauthorized intrusion.

In e-business there may be threats to all of the security layers, including:
- System security.
- Network security.
- Internet security.
Legal Issues

Authentication

Though the Internet eliminates the need for physical contact, it does not do away with the fact that any form of contract or transaction would have to be authenticated.
Legal Issues

Privacy and Data Protection

An important consideration for every e-commerce website is to maintain the privacy of its users. Use of innovative technologies and lack of secure systems makes it easy to obtain personal and confidential information about individuals and organizations.
Legal Issues

Intellectual Property Rights

One of the foremost considerations that any company intending to commence e-commerce activities should bear in mind is the protection of its intellectual assets.
Legal Issues

Domain Names

A company that commences e-commerce activities would at first have to get its domain name registered. While registering domain names, if the company chooses a domain name that is similar to some existing domain name or trademark of a third party, the company could be held liable for cybersquatting.
Legal Issues

Jurisdiction

In addition to the nature of the corporate structure, decisions will also have to be taken with respect to the jurisdiction in which the corporate structure should be situated, as it will determine the extent of any liability that may arise against the website.

Liability

Owners of websites should guard against the potential sources of liability, since the Internet knows no boundaries.
Legal Issues

Taxation

• The massive growth of e-commerce business has not gone unseen by the tax authorities. Realizing the potential of earning tax revenue from such sources, tax authorities the world over are examining the tax implications of e-commerce transactions and resolving mechanisms to tax such transactions.

Other Legal Issues

a. Content Regulation
b. Advertisement
c. Electronic Payment Issues
d. Foreign Direct Investment
e. Corporate Structure and Funding
Disaster recovery

Disaster recovery is the process, policies and procedures related to preparing for recovery or continuation of technology infrastructure critical to an organization after a natural or human-induced disaster. Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions.
Network Audit

Network Audit Procedure

• The first step toward administering a network is to have accurate and complete documentation of the network. Documenting a network will reduce administration time for issues such as updates, user problems and disaster recovery.

• There are four basic parts of a network that should be documented: LAN software, LAN hardware, network diagram, and user names (ID numbers) and network numbers.

• All documents should be kept in a secured location. Make sure that you have a policy in place and a person assigned to the responsibility of keeping all documentation up to date and accurate.
Documenting your network

1) Obtain or construct a building diagram/floor plan.
2) Obtain or construct a physical network diagram.
3) Obtain or construct a logical network diagram. (Software packages can research and... record all hardware information.)
4) Hardware information should include make, serial numbers, numbers of ports as well as MAC and NIC numbers.
5) Research and record all configuration, protocol and DNS information.
6) Print copies of configuration files; keep those copies on tape or removable disk.
7) Document specific software configurations.
8) Research and record all corporate contact and vendor information.
9) Produce and maintain device log sheets for all applicable
10) Produce and maintain a network cabling labeling scheme. Do not base the labeling on names of users.
11) Produce and maintain procedure documentation.
12) Produce and maintain computer and network acceptable use policies.
13) Produce and maintain computer and network security policies.
14) Produce and maintain a disaster recovery plan.
15) Schedule to update and maintain these items on a regular basis.
16) Never share these documents with unauthorized individuals -- ever!
Network diagrams

• Documenting your network doesn't exactly sound like the most exciting way to spend your time, does it? It involves creating a diagram, usually with a documentation tool such as Visio or LanFlow, that illustrates how your servers, routers and switches are connected, either logically or physically.

• However, comprehensive network documentation can be of vital importance. In addition to serving as a network blueprint, it can also help you remember what you did to your network and, just as importantly, why. This can make maintaining your network and troubleshooting problems a much easier and smoother process.

Diagram samples are provided by Tom Lancaster.

Diagram Sample 1
Diagram Sample 2
Network cabling documentation

• Picture these scenarios:

A quick and simple network change turns into disaster when, instead of disconnecting the correct cable, you actually disconnect the cable to a critical server.

A security audit requires you to document the physical path location of cables carrying sensitive information and who has access to those cables. But your documentation of cable location and the identity of all the endpoints to which they are connected is out of date.
Network auditing

• Network auditing may be a time-consuming chore that you probably don't have time for. It's more than likely, however, that someone has already gone to the trouble and is scanning your network for weak points to attack. It could be someone within your organization; FBI statistics show that more than 60% of computer crimes originate inside the enterprise. So remember that the best defense is a good offense, and you cannot raise a good defense unless you know where your network is weak.
• Before a network services audit can begin, a network inventory must be conducted. An inventory includes collecting host identification information, such as IP address, network interface hardware (NIC) address and DNS entries, for all network nodes. While some of this information will be on hand in most environments, often it will have errors. In most cases, NIC information and MAC addresses will not be recorded.
• Even if you think you have the information, it's a good idea to conduct
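The inventory step above (collect IP address, NIC/MAC address and DNS entries for every node, and expect the existing records to contain errors) can be turned into a reconciliation check that an auditor runs before the services audit starts. The following Python script is an added example and is not part of the lecture; every host name, address and record in it is constructed, and the ARP text only mimics the shape of Linux `ip neigh` output. It reports documented hosts that are not seen on the wire, MAC addresses that differ from the documentation, DNS records that disagree with the inventory, and live hosts that are missing from the documentation entirely.

```python
"""Reconcile a documented network inventory against live observations.

Added example (not from the lecture slides). All data is constructed:
the documented inventory would normally come from a CSV or CMDB export,
the ARP table from `ip neigh` (Linux), and the DNS map from a zone export.
"""
import ipaddress
import re

# Constructed: what the documentation claims about each node.
DOCUMENTED = [
    {"hostname": "fileserver01", "ip": "10.0.1.10", "mac": "00:1a:2b:3c:4d:10"},
    {"hostname": "printer-2f",   "ip": "10.0.1.20", "mac": "00:1a:2b:3c:4d:20"},
    {"hostname": "db01",         "ip": "10.0.1.30", "mac": "00:1a:2b:3c:4d:30"},
    {"hostname": "old-nas",      "ip": "10.0.1.40", "mac": "00:1a:2b:3c:4d:40"},
]

# Constructed: neighbour table in the shape of `ip neigh` output.
ARP_TABLE = """\
10.0.1.10 dev eth0 lladdr 00:1a:2b:3c:4d:10 REACHABLE
10.0.1.20 dev eth0 lladdr 00:1a:2b:3c:4d:21 STALE
10.0.1.30 dev eth0 lladdr 00:1a:2b:3c:4d:30 REACHABLE
10.0.1.55 dev eth0 lladdr 00:1a:2b:3c:4d:55 REACHABLE
"""

# Constructed: forward DNS records (hostname -> IP) from a zone export.
DNS_FORWARD = {
    "fileserver01": "10.0.1.10",
    "printer-2f": "10.0.1.20",
    "db01": "10.0.1.31",
    "old-nas": "10.0.1.40",
}

ARP_LINE = re.compile(
    r"^(\S+)\s+dev\s+\S+\s+lladdr\s+([0-9a-f:]{17})\s+(\S+)$", re.IGNORECASE
)


def parse_arp(text):
    """Return {ip: mac} from `ip neigh`-style lines, skipping malformed or FAILED entries."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if not m:
            continue
        ip, mac, state = m.groups()
        if state.upper() == "FAILED":
            continue
        seen[ip] = mac.lower()
    return seen


def reconcile(documented, arp_text, dns_forward):
    """Cross-check documentation, observed neighbours and DNS; return sorted findings.

    Each finding is a (kind, subject, detail) tuple so it can be exported as-is.
    """
    findings = []
    observed = parse_arp(arp_text)
    documented_ips = set()

    for rec in documented:
        name, ip, mac_doc = rec["hostname"], rec["ip"], rec["mac"].lower()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("invalid_ip", name, ip))
            continue
        documented_ips.add(ip)

        # Is the documented node actually present, and with the recorded NIC?
        if ip not in observed:
            findings.append(("not_seen_on_network", name, ip))
        elif observed[ip] != mac_doc:
            findings.append(("mac_mismatch", name,
                             f"documented {mac_doc}, observed {observed[ip]}"))

        # Does DNS agree with the documented address?
        dns_ip = dns_forward.get(name)
        if dns_ip is None:
            findings.append(("no_dns_record", name, ip))
        elif dns_ip != ip:
            findings.append(("dns_mismatch", name, f"documented {ip}, DNS {dns_ip}"))

    # Anything live that the documentation does not know about.
    for ip, mac in observed.items():
        if ip not in documented_ips:
            findings.append(("undocumented_host", ip, mac))

    return sorted(findings)


if __name__ == "__main__":
    for kind, subject, detail in reconcile(DOCUMENTED, ARP_TABLE, DNS_FORWARD):
        print(f"{kind:22} {subject:15} {detail}")
```

With the constructed data the script reports four findings: a DNS mismatch for db01, a MAC mismatch for printer-2f, old-nas not seen on the network, and 10.0.1.55 as an undocumented host. A real run would feed it the actual CMDB export, the neighbour table from each VLAN's gateway, and a DNS zone export; the point is that every one of the error classes the lecture warns about becomes a concrete line item to resolve.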
Performing a network audit

1) Use outside vendors to conduct an audit. This will ensure that there is no favoritism or politics in the results, and provide credibility with senior management. Ensure the vendor or contractor you use covers the items listed below as a minimum. Find out who will be conducting the audit and review their resume and references from past audited companies. Ensure the goals of the audit are adhered to.
2) It is highly recommended that you perform an internal audit prior to the outside audit so you can compare results.
3) Establish and document baseline performance of all network components.
4) Review, document and analyze controls over Internet, intranet and network resources.
5) Review and document all network connections: client/server, LAN, WAN, etc.
6) Review and document controls over network operations and
7) Review and assess network segmentation, and identify and audit any internal firewalls.
8) Review and assess a single-point-of-failure analysis. How is your network affected by critical equipment? Do you have backups installed and ready?
9) Prepare a risk assessment and develop and implement a risk mitigation plan.
10) Review and document all software licenses required/possessed for all locations.
11) Verify and record all installed software. Remove all unauthorized software and secure hardware and software to prevent future downloads or installations.
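Steps 10 and 11 of the audit (record the licenses required and possessed, then verify installed software and find anything unauthorized) are a second reconciliation, this time between a per-host software inventory and the approved catalogue. The Python below is an added example, not part of the lecture or of any real tool; the catalogue, hosts, package names and versions are all constructed, and the inventory text only imitates the one-line-per-package shape of a package-manager export. It flags packages that are not in the catalogue, licensed packages deployed on more hosts than there are seats, and packages that drift across versions between hosts, which is what step 3's baseline and step 7 of the documentation list want you to notice.

```python
"""Check installed software against an authorized catalogue and licence seats.

Added example (not from the lecture slides). All data is constructed:
a real run would read the catalogue from the licence register and the
inventory from each host's package manager.
"""
from collections import Counter, defaultdict

# Constructed catalogue: package -> licence seats owned (None = no seat limit).
CATALOGUE = {
    "openssh-server": None,
    "libreoffice": None,
    "acme-cad": 2,
    "backup-agent": 3,
}

# Constructed per-host inventory, one "host package version" per line.
INVENTORY = """\
ws01 openssh-server 9.2
ws01 acme-cad 4.1
ws01 torrent-client 1.0
ws02 acme-cad 4.1
ws03 acme-cad 4.0
ws03 libreoffice 7.4
srv01 openssh-server 9.2
srv01 backup-agent 2.0
srv01 remote-admin-tool 3.3
"""


def parse_inventory(text):
    """Return {host: {package: version}}, ignoring lines that are not three fields."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        host, pkg, version = parts
        hosts[host][pkg] = version
    return dict(hosts)


def audit_software(inventory_text, catalogue):
    """Reconcile installed software with the catalogue.

    Returns a dict with:
      unauthorized   - sorted list of (host, package) not in the catalogue
      over_deployed  - {package: (installs, seats)} where installs exceed seats
      version_drift  - {package: [versions]} for packages installed at more
                       than one version across the estate
    """
    hosts = parse_inventory(inventory_text)
    unauthorized = []
    installs = Counter()
    versions = defaultdict(set)

    for host in sorted(hosts):
        for pkg, version in sorted(hosts[host].items()):
            versions[pkg].add(version)
            if pkg not in catalogue:
                unauthorized.append((host, pkg))
            else:
                installs[pkg] += 1

    over_deployed = {
        pkg: (installs[pkg], seats)
        for pkg, seats in catalogue.items()
        if seats is not None and installs[pkg] > seats
    }
    version_drift = {
        pkg: sorted(vs) for pkg, vs in versions.items() if len(vs) > 1
    }
    return {
        "unauthorized": unauthorized,
        "over_deployed": over_deployed,
        "version_drift": version_drift,
    }


if __name__ == "__main__":
    report = audit_software(INVENTORY, CATALOGUE)
    for host, pkg in report["unauthorized"]:
        print(f"unauthorized: {pkg} on {host}")
    for pkg, (n, seats) in report["over_deployed"].items():
        print(f"over-deployed: {pkg} installed {n} times, {seats} seats owned")
    for pkg, vs in report["version_drift"].items():
        print(f"version drift: {pkg} at {', '.join(vs)}")
```

On the constructed data this reports torrent-client on ws01 and remote-admin-tool on srv01 as unauthorized, acme-cad as installed three times against two seats, and acme-cad drifting between 4.0 and 4.1. The unauthorized list is what step 11 acts on; the seat count is the evidence step 10 asks for; the drift list feeds the configuration baseline.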
THE END
