Risk Manager:
Our Risk Manager is responsible for identifying and quantifying the risks that the application services may encounter, and for identifying suitable controls that will reduce those risks to a manageable level.
BS7799-3 is the UK risk standard for the Risk Management Service operated by the Risk Manager, in full cooperation with ISO 27001.
Risk cannot be eliminated, but it can be managed; management means controls, and controls cost money.
Finding the correct balance between controls and acceptable operational costs is the mission of our professional Risk Manager.
Controls:
Risk is not eliminated by security alone but by controls imposed by people and technology working together.
Controls include monitoring of sign-in attempts so that any abnormal behaviour can be detected and handled manually: technology and people working hand in glove.
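The sign-in monitoring control described above needs concrete detection logic behind it. The following is an added example (not code from this page or its author) that reads constructed sign-in log lines and raises two kinds of alert for a person to review: one account accumulating failures within a short window, and one source address failing against many different accounts. The log format, thresholds and window length are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not from the page).
# Format per line: ISO timestamp, result (OK/FAIL), account, source address.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:09 FAIL alice 203.0.113.7
2024-03-01T09:00:15 FAIL alice 203.0.113.7
2024-03-01T09:00:22 FAIL alice 203.0.113.7
2024-03-01T09:00:30 FAIL alice 203.0.113.7
2024-03-01T09:00:41 FAIL alice 203.0.113.7
2024-03-01T09:02:00 OK bob 198.51.100.4
2024-03-01T09:05:00 FAIL carol 192.0.2.9
2024-03-01T09:05:05 FAIL dave 192.0.2.9
2024-03-01T09:05:10 FAIL erin 192.0.2.9
2024-03-01T09:05:15 FAIL frank 192.0.2.9
2024-03-01T09:05:20 FAIL grace 192.0.2.9
2024-03-01T09:40:00 FAIL bob 198.51.100.4
2024-03-01T10:30:00 FAIL bob 198.51.100.4
"""


def parse_log(text):
    """Turn log lines into (timestamp, succeeded, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, account, source = line.split()
        events.append((datetime.fromisoformat(ts), result == "OK", account, source))
    return events


def max_in_window(stamps, window):
    """Largest number of timestamps that fall inside any single window."""
    stamps = sorted(stamps)
    best, start = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_in_window(pairs, window):
    """Largest number of distinct accounts seen from one source inside any single window."""
    pairs = sorted(pairs)
    counts = Counter()
    best, start = 0, 0
    for end, (ts, account) in enumerate(pairs):
        counts[account] += 1
        while ts - pairs[start][0] > window:
            old = pairs[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def find_abnormal_signins(events, window=timedelta(minutes=10),
                          per_account_limit=5, per_source_limit=4):
    """Return alerts as (kind, key, count) tuples for manual handling.

    Thresholds are assumptions for the example: more than per_account_limit
    failures for one account, or failures against more than per_source_limit
    distinct accounts from one source, both inside the window.
    """
    fails_by_account = defaultdict(list)
    fails_by_source = defaultdict(list)
    for ts, ok, account, source in events:
        if ok:
            continue
        fails_by_account[account].append(ts)
        fails_by_source[source].append((ts, account))

    alerts = []
    for account, stamps in fails_by_account.items():
        n = max_in_window(stamps, window)
        if n > per_account_limit:
            alerts.append(("account_failures", account, n))
    for source, pairs in fails_by_source.items():
        n = max_distinct_in_window(pairs, window)
        if n > per_source_limit:
            alerts.append(("source_many_accounts", source, n))
    return alerts


if __name__ == "__main__":
    for alert in find_abnormal_signins(parse_log(SAMPLE_LOG)):
        print(alert)
```

The alerts are deliberately not acted on automatically: the control in the text is detection by technology followed by manual handling by people, so the output is a review queue, not a lockout.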
Availability:
The AUP is a critical business document that is always available to staff using private application services. Each time the document is accessed, that fact is recorded and shown in the user's profile.
It can be made a requirement for each person to access the AUP document from time to time. A gentle reminder from their manager will ensure that each user profile is updated with evidence that they have seen the AUP.
The AUP is just a document; training and encouragement by management to abide by the policy are critical.
Monitoring:
Business Internet services are monitored, and all web sites viewed are recorded as a normal business transaction. If you do not want your Internet history to be monitored, please use a different computer or smart phone on a different Internet connection.
Business Email services are monitored, and all emails are archived as normal business correspondence. If you do not want your emails to be monitored, please use a different computer or smart phone on a different Internet connection.
It is not a breach of a person's human rights to monitor business Internet and Email usage where the monitoring is publicised and all staff fully understand that it takes place.
AUP:
The business of managing access to the Internet, email, instant messaging and all other application services cannot be left to chance.
The use of corporate application services must be subject to a published and enforced Acceptable Usage Policy (AUP).
The AUP sets out the type of behaviour expected of people using application services that are provided by the business.
The AUP details provisions that are designed to protect the business in particular areas of risk.
The AUP points out that corporate application services are predominantly for the benefit of the business and that personal use should not impact on daily work patterns.
The AUP reminds people that all business applications are monitored and that failure to comply may lead to disciplinary action.
ITIL Risk:
Risk can be rather woolly in the ITIL reference books, and we have a real business requirement to quantify and qualify risk in a lot of detail.
Our elaboration of risk as a significant management process is not accidental, and it will exceed the level of importance that others may give it.
What is acceptable:
Business Internet services may be used at any time for personal use, so long as using those services does not impact on the normal work flows and tasks undertaken in a normal day. Browsing the Internet for personal use should be confined to natural work breaks and outside normal working hours.
Business Internet services may be used outside normal work hours to download documents and files of no more than 1 MB in size. A file download must not be permitted to cause a network bottleneck that impacts on other people's normal Internet usage.
Business Email services may be used at any time for personal use, so long as using those services does not impact on the normal work flows and tasks undertaken in a normal day. The number of emails should not exceed two per hour, and the size of an email (with attachments) must not exceed 1 MB. Unsolicited emails from companies and contacts that are not defined in the CRM are rejected without any reply. Emails are only permitted from companies and contacts that are defined in the CRM. Emails can only be sent to company contacts, friends and family that are defined in the CRM.
Business Email services must not be used to communicate any inappropriate content that may offend a reader. Inappropriate business language will be changed to remove words and phrases that may offend.
Business Internet services may be used for social networking so long as using these services does not impact on the normal work flows and tasks undertaken in a normal day. Staff are advised to take great care when social networking for personal use and must not use social networking for any business purpose unless agreed in advance. People undertaking recruitment shall survey potential employees' social network information and may take such information into account.
Business Internet services must not be used for blogging of any kind.
No person is permitted to publish company information before it has been cleared and published by way of a press release or other public statement.
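The email provisions above (two personal emails per hour, 1 MB including attachments, senders and recipients restricted to CRM contacts, inappropriate language removed) are precise enough to be enforced mechanically. The following is an added example, not code from this page or its author, showing one way a mail gateway could apply them. The CRM directory, the word list and the function names are constructed for the example; the numeric limits are the ones stated in the policy.

```python
import re
from datetime import datetime, timedelta

MAX_EMAIL_BYTES = 1 * 1024 * 1024   # 1 MB limit stated in the AUP
MAX_EMAILS_PER_HOUR = 2             # personal-use limit stated in the AUP

# Constructed CRM directory: the only addresses defined as known contacts.
CRM_CONTACTS = {"partner@example.com", "friend@example.net", "mum@example.org"}
# Constructed list standing in for the words the AUP treats as inappropriate.
INAPPROPRIATE_WORDS = ["idiot", "stupid"]


def count_in_last_hour(sent_times, now):
    """Number of emails the sender already sent in the hour before `now`."""
    return sum(1 for t in sent_times if now - t < timedelta(hours=1))


def check_personal_email(sender_history, recipients, size_bytes, now, crm=CRM_CONTACTS):
    """Return a list of AUP violations for one outgoing personal email.

    An empty list means the email is permitted. `sender_history` holds the
    timestamps of the sender's earlier personal emails.
    """
    violations = []
    if count_in_last_hour(sender_history, now) >= MAX_EMAILS_PER_HOUR:
        violations.append("rate: sending this would exceed two personal emails per hour")
    if size_bytes > MAX_EMAIL_BYTES:
        violations.append(f"size: {size_bytes} bytes exceeds the 1 MB limit")
    unknown = sorted(r for r in recipients if r not in crm)
    if unknown:
        violations.append("recipient not defined in CRM: " + ", ".join(unknown))
    return violations


def check_inbound_sender(sender, crm=CRM_CONTACTS):
    """Inbound mail from a sender not defined in the CRM is rejected without reply."""
    return "accept" if sender in crm else "reject-silently"


def sanitise_language(text, words=INAPPROPRIATE_WORDS):
    """Replace listed words (whole words, any case) with a neutral marker."""
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, words)) + r")\b", re.IGNORECASE)
    return pattern.sub("[removed]", text)


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 10, 0)
    history = [now - timedelta(minutes=10), now - timedelta(minutes=50)]
    print(check_personal_email(history, ["stranger@example.com"], 2_000_000, now))
    print(check_inbound_sender("unknown@example.com"))
    print(sanitise_language("You idiot, that was Stupid."))
```

The silent rejection of unknown inbound senders matches the policy wording ("rejected without any reply"); a gateway that bounced such mail would leak the fact that the address exists.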
Glossary:
1. Asset means the Bespoke Application Service to be protected: its infrastructure, its data, its network and its continual operation. The Risk Manager is appointed by the Application Service Provider to manage risk in compliance with the ISO 31000 Risk Management Standard.
2. Threat means an action that could cause damage to the asset to be protected. A threat is a scenario of what could happen. A threat is something that cannot be controlled.
3. Risk means the possibility of a loss or bad consequence. A risk has a percentage possibility and a consequence of what could go wrong. Risk can be managed.
4. Vulnerability means a weakness to be controlled. A major vulnerability is people, who may behave in an uncontrolled or unpredictable way.
5. Security Measure means a precautionary action to mitigate a risk possibility and/or a risk consequence. The Information Security Manager is appointed by the Application Service Provider to tactically manage security in compliance with the ISO 27001 Information Security Standard.
6. Impact assessment means documenting all threats, identifying the risks and vulnerabilities, then deploying applicable security measures. The Data Protection Officer is appointed by the Application Service Provider to strategically manage data protection in compliance with GDPR and PECR.
Tuition:
The first step is to create and publish the corporate AUP, but then begins the continual job of refinement, training and justification.
It can be a significant benefit if the reasons the AUP contains such terms and conditions are explained in some detail.
It would be wrong to imagine that staff do not want to know about computer security matters, or that staff would wilfully do things to impact the business.
The business has a duty of care to deliver safe and effective application services, but staff have a duty of care to use those application services in a reasonable way and to comply with AUP provisions.
Remote working:
Some evidence exists that staff working in their car, with a client or at home may use business applications in ways that they would not use them when they are in the office.
Downloading inappropriate content to a business laptop is not acceptable, even if the person is using their own Internet connection at the time.
Connecting a business laptop to a Wi-Fi connection without adequate encryption is not acceptable. The Internet works two ways: if a business laptop is connected to an inappropriate web site, that web site is connected to the business laptop and may have access to business data and emails stored on the laptop.
Blackberries and smart phones present even greater security risks, as all wireless connections will be intercepted and recorded.
Distributed Denial of Service (DDOS):
A BOT (strictly, a botnet) can be a collection of thousands of infected computers that are always connected to the Internet.
These private computers carry a Trojan that does no visible harm to its host and, to make sure it is never removed, replicates itself hundreds of times across all parts of the computer's operating system.
Upon a command sent over the Internet, all these computers can be directed to request a specific web page continually.
Many low-quality web sites will simply not be able to cope with that volume of network traffic and will cease to operate.
DDOS Protection:
We implement two lines of defence: (1) we operate business-to-business applications that discard network traffic from unknown sources, and (2) we operate from more than one data center, so if one data center is attacked we can quickly continue operations from a different data center.
Our application services are elastic: they expand in capacity as needed to cope with transient surges in traffic. It is very hard for a traditional in-house web service to be elastic and cope with traffic spikes, and DDOS attacks are specifically targeted at in-house servers that can be overloaded.
Our application services operate from at least 3 data centers, so while a BOT may attack one data center, the others continue without any impact. It is not practical for a traditional in-house web service to switch to another data center, so with many thousands of BOT computers continually requesting data from that in-house server, it will not be able to continue.
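The two lines of defence named above, discarding traffic from unknown sources and continuing from another data center, can be shown in miniature. The following is an added example, not code from this page or the service it describes. The partner networks, the request sample, the data-center names and the health table are all constructed for the example; the point it demonstrates is that a business-to-business front end only ever needs to serve a known list of sources, so everything else (including the page-request flood described in the DDOS section) can be dropped and counted for the operations team, and that routing then simply follows the first healthy data center.

```python
import ipaddress
from collections import Counter

# Constructed allow-list of partner networks: the "known sources" of a
# business-to-business service. Anything outside these is unknown.
KNOWN_SOURCES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/26")]

# Constructed data-center preference order for failover.
DATA_CENTERS = ["dc-a", "dc-b", "dc-c"]


def is_known_source(addr):
    """True if the source address falls inside one of the partner networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in KNOWN_SOURCES)


def filter_requests(requests):
    """First line of defence: keep requests from known sources only.

    Returns (accepted_requests, discarded_by_source) so the volume and origin
    of dropped traffic is visible to operations without being served.
    """
    accepted = []
    discarded = Counter()
    for req in requests:
        if is_known_source(req["src"]):
            accepted.append(req)
        else:
            discarded[req["src"]] += 1
    return accepted, discarded


def choose_data_center(health, order=DATA_CENTERS):
    """Second line of defence: route to the first healthy data center in order.

    `health` maps data-center name to True/False. Returns None if none is healthy.
    """
    for dc in order:
        if health.get(dc):
            return dc
    return None


def build_sample_requests():
    """Constructed traffic: three partner requests plus a flood from unknown hosts."""
    sample = [
        {"src": "198.51.100.10", "path": "/api/orders"},
        {"src": "203.0.113.5", "path": "/api/orders"},
        {"src": "198.51.100.11", "path": "/api/invoices"},
    ]
    # 100 requests for one page from 20 unknown addresses, 5 each.
    sample += [{"src": f"192.0.2.{i % 20}", "path": "/index.html"} for i in range(100)]
    return sample


if __name__ == "__main__":
    accepted, discarded = filter_requests(build_sample_requests())
    print(len(accepted), "accepted;", sum(discarded.values()), "discarded from",
          len(discarded), "unknown sources")
    print("serving from", choose_data_center({"dc-a": False, "dc-b": True, "dc-c": True}))
```

Note what the allow-list does not do: a compromised host inside a partner network is still a known source, so elasticity and per-source limits on accepted traffic remain necessary; the example covers only the two controls the text names.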