IT Service Management
IS/IT outsourcing services
RNDr. Stanislav Michelfeit, IBM IDC Brno
20.4.2015
© 2003 IBM Corporation

Slide 2: Contents
- Introduction to security within a service-oriented organization
- Internal and customer security standards
- Internal processes within the service-oriented organization

Slide 3: Motivation
§ 257a - Damage to and misuse of a record on an information medium
- Whoever, with the intent to cause damage or other harm to another, or to obtain an unjustified benefit for himself or another, gains access to an information medium and
  - uses such information without authorization,
  - destroys, damages or renders the information unusable, or
  - interferes with the hardware or software of a computer,
  shall be punished by imprisonment for up to one year, by prohibition of activity, by a monetary penalty or by forfeiture of property.
- The offender shall be punished by imprisonment for six months to three years if he commits the act referred to in paragraph 1 as a member of an organized group, or if by such an act he causes considerable damage or obtains a considerable benefit for himself or another.
- The offender shall be punished by imprisonment for one to five years if by the act referred to in paragraph 1 he causes large-scale damage or obtains a large-scale benefit for himself or another.
- Czech Republic law, § 257a - Misuse of connectivity or benefiting from unauthorized access to a data medium or information
  - imprisonment for six months to three years
  - imprisonment for one to five years for large-scale damage

Slide 4: Why to be interested in security
- Data loss
- Service shutdown
- Unauthorized access to resources
- Loss of reputation and trust
- Limited service or production
- Criminal activity issues

Slide 5: Why to be interested in security
(figure only; no text survived)

Slide 6: Prevention
- Education of responsible and interested persons
- Set roles and access rights
- Appropriate software
- Regular software updates
- Following basic rules
- Regular inspection
- Active inspection
- Physical security
- D/R procedure

Slide 7: Education of responsible and interested persons
- Education of responsible persons
- User training
- Information for the customer
- Maintaining a high level of knowledge
- Current status
- Warning against current threats

Slide 8: Set roles and access rights
- Set roles and access rights based on business need
- Use user roles and groups to lower the cost of security maintenance
- Remember non-PC devices
  - Network
  - Mobile devices
  - Printers
  - Restricted areas
- Follow internal processes

Slide 9: Appropriate software
- Appropriate OS
- Security policy SW
- Firewalls
- Antivirus SW
- Further SW based on need (anti-spam, anti-spyware, monitors, etc.)
- SW needed for production that supports security

Slide 10: Regular software updates
- Regular OS updates
- Regular SW updates
- Regular antivirus DB updates
- Regular maintenance of the DB of user roles and access rights

Slide 11: Following basic rules
- Any security rules are useless if the people inside the company behave irresponsibly
- Good passwords
- Personal responsibility
- Social engineering

Slide 12: Regular inspection
- It is necessary to regularly check
  - the system
  - the users and roles DB
  - the settings of key applications
- Deviations found must be removed quickly
- All checks must be properly documented

Slide 13: Active inspection
- Monitoring of network traffic
- Monitoring of system operation
- Ethical hacking

Slide 14: Physical security
- Possible threats
  - Unauthorized access
  - Damage
  - Theft
  - Unintentional injury
  - Damage by fire or natural disaster

Slide 15: Physical security
- Placing HW in rooms with dedicated access control
- Fire safety
- Backup power
- Backups stored at another location
- Minimize the movement of outside persons in buildings
- Use of electronic security, cameras, security agencies

Slide 16: D/R procedure
- Regular backups
- Secure data storage
- Plan for the event of failure or damage

Slide 17: Internal and customer security standards and policies
- Examples of standards and policies:
  - Internal (company)
    - ITCS300 - Basic IT staff rules
    - ITCS104 - IT Security Rules
    - CIO104 - IT Security
    - LEG116 - Classification and management of materials
  - Public
    - ISO/IEC DTR 13335-1 Information technology
    - ITIL - Security Management

Slide 18: Internal and customer security standards and policies
- Identification
- Authentication
- Authorization
- Privacy and confidentiality of information
- Reliability and availability of services
- Audit
- Review
- Reporting and management of security incidents
- Managing physical access

Slide 19: Internal and customer security standards and policies
- Identification
  - Unique key for each user
  - Digital certificates created and validated by a CA
- Group 1: Key applications and data storages needed for the core business
- Group 2: SW or data storages with classified information, parts of key processes, or subject to certification (audit)
- Group 3: Other BAU SW
- Group 4: Training, test and development systems

Slide 20: Internal and customer security standards and policies
- Authentication
  - User authentication system
    - Verification of user identity
    - Passwords must meet prescribed rules
    - Time-limited passwords must be protected
    - Authentication tokens must be protected
  - System-to-system authentication
    - Non-expiring passwords may be used

Slide 21: Internal and customer security standards and policies
- Authorization
  - Access must be authorized by the owner of the application with regard to the actual need for access; access to an application that has access to restricted information must be approved separately.
  - Access by a third party to internal services must be authorized by corporate management, while granting only the strictly necessary access rights.
- Remote access for employees
  - Remote access to corporate networks must be carried out only in an approved manner.
- Warning
  - When logging into the internal company network, a warning and guidance must be displayed.
- User resources
  - The service provider must set the initial provisioning of the means provided to users.
  - An application or data storage that allows users to manage access rights to their own resources must contain a tool to perform this management.

Slide 22: Internal and customer security standards and policies
- Protection and confidentiality of information
  - A set of technical and procedural measures designed to prevent unauthorized access to protected corporate data and to the personal information of employees, business partners, customers and site visitors.
  - Media containing sensitive data must be properly labeled.
- Residual information
  - It is necessary to ensure that residual classified or personal data is made illegible in a way suitable for the medium.
- Encryption
  - Company information relating to unpublished technology, business plans, financial information and non-public personal information such as credit card numbers, financial or medical records must be encrypted when sent over the Internet.

Slide 23: Internal and customer security standards and policies
- Reliability and availability of services
- Managing system resources
  - System resources must be protected from normal users.
  - Regular user permissions must be based on business needs, determined by the service provider or the owner of the application.
- Malware
  - It is necessary to have active technical tools to prevent the spread and execution of malicious code.
  - Application developers must provide written assurance that an antivirus test was conducted as part of the final tests.
- Monitoring weaknesses
  - According to the type of network, the tools, timing and extent of weakness monitoring must be chosen.
- Warning system - security patches
  - It is necessary to set up a process for the timely installation of patches.
  - The OS must be upgraded to a supported OS with respect to the end of support for the OS. This upgrade may be delayed where extended support for security patches is available.
- Modification Center
  - Any modification of application software must be approved by corporate management, and the installation of such software must go through the approval process.
- Availability
  - It is necessary to have active technical tools to prevent DoS attacks.
  - It is necessary to have active technical tools to prevent and detect an unlimited number of unsuccessful attempts to log on to the service.
  - It is necessary to have a process for detecting and handling systematic attacks.

Slide 24: Internal and customer security standards and policies
- Setup Audit
- For systems, applications, data storage and network equipment, where technically possible, it is necessary to log and alert on:
  - successful and unsuccessful login attempts
  - modification of system resources
  - attempts to read system resources that are labeled as an exception
  - attempts to run system resources that are labeled as an exception
  - all activities conducted with Security Administrator authority
  - successful assignment and allocation of IP addresses
- For internal services, alerts should be raised for:
  - all attempts to remotely access the internal company network
- Internal logs cannot be stored in the customer environment.
- Audit records must include the date, time, type and user identification.
- Audit records must be stored for 60 days.
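The availability requirement on slide 23 (detect an unlimited number of unsuccessful logons) and the audit requirements on slide 24 (records carrying date, time, type and user identification, retained for 60 days) can be checked mechanically over an audit log. The following Python is an added example written for this lecture, not code from IBM or from the slides: it parses constructed sample records, lists those past the 60-day retention period, and flags user/source pairs whose failed logons exceed a threshold inside a sliding window. The record format, the threshold of 5 failures and the 10-minute window are assumptions for the example; only the 60-day retention and the record fields come from the slides.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values taken from slide 24: records carry date, time, event type and
# user identification, and are kept for 60 days.
RETENTION_DAYS = 60
# Threshold and window are assumptions made for this example; the slides only
# require that an unlimited number of failed logons be prevented and detected.
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample audit log (invented data, not from any real system).
# One record per line: <ISO date/time> <event type> <user id> <source address>
SAMPLE_LOG = """\
2015-02-01T12:00:00 SECADMIN_ACTION secadmin 10.0.0.1
2015-04-20T08:00:01 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:00:03 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:00:05 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:00:07 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:00:09 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:00:11 LOGIN_FAIL alice 10.0.0.5
2015-04-20T08:05:00 LOGIN_OK bob 10.0.0.9
2015-04-20T09:00:00 LOGIN_FAIL bob 10.0.0.9
2015-04-20T09:30:00 LOGIN_OK bob 10.0.0.9
2015-04-20T10:00:00 RESOURCE_MODIFY alice 10.0.0.5
"""


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime
    event: str
    user: str
    source: str


def parse_records(text: str) -> list[AuditRecord]:
    """Parse the whitespace-separated sample format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, source = line.split()
        records.append(AuditRecord(datetime.fromisoformat(ts), event, user, source))
    return records


def expired_records(records: list[AuditRecord], now: datetime) -> list[AuditRecord]:
    """Records older than the retention period, i.e. those eligible for purging."""
    cutoff = now - timedelta(days=RETENTION_DAYS)
    return [r for r in records if r.timestamp < cutoff]


def detect_failed_login_bursts(records, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Map (user, source) -> largest number of LOGIN_FAIL records that fall
    inside one sliding window, for every pair that reached the threshold."""
    failures = defaultdict(list)
    for r in records:
        if r.event == "LOGIN_FAIL":
            failures[(r.user, r.source)].append(r.timestamp)

    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def run_example(now: datetime = datetime(2015, 4, 20, 12, 0, 0)) -> dict:
    """Evaluate the constructed log at a fixed 'now' so results are reproducible."""
    records = parse_records(SAMPLE_LOG)
    return {
        "expired": len(expired_records(records, now)),
        "alerts": detect_failed_login_bursts(records),
    }


if __name__ == "__main__":
    result = run_example()
    print(f"records past {RETENTION_DAYS}-day retention: {result['expired']}")
    for (user, source), count in result["alerts"].items():
        print(f"ALERT {count} failed logons for {user} from {source} within {FAIL_WINDOW}")
```

Keying the burst detector on the user and source pair rather than on the user alone keeps a single user's genuine typos from masking a distributed attempt, and keeps one noisy address from hiding behind many user names; in a real deployment the window and threshold would be tuned to the service's lockout policy.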
Slide 25: Internal and customer security standards and policies
- Health check
  - It is necessary to carry out a health check at regular intervals.
- Verification of the security procedures
  - Security procedures must be regularly checked on representative samples.
- In-house accreditations and certification
  - The method and implementation of tests and checks must be changed whenever a service is changed.
  - It is necessary to carry out an annual recertification of all intra-company services.

Slide 26: Internal and customer security standards and policies
- Reporting and management of security incidents
- It is necessary to contact the responsible person and inform them of:
  - contact persons for the management and technical areas
  - a description of the problem, the extent of the systems or data affected by the incident, and the activities already performed
- Immediately create a record containing all information regarding the incident. For each piece of information, the date and time must be stated.
- Technical support must begin actions to mitigate the consequences without delay.
- Responsible persons will provide information and instructions on how to proceed.
- It is wrong to:
  - Conduct investigations on your own. The risk is premature disclosure of an investigation or modification of records.
  - Contact the persons or companies suspected of causing the incident without direct instruction from the responsible person.
  - Try to attack the attacker (the system). Such behavior easily reaches beyond the law.
  - Try to clean up (delete data) without direct instruction from the responsible person. The risk is loss of data necessary to discover the cause.
Slide 27: Internal and customer security standards and policies
- Managing physical access
- Physical protection of systems and networks
  - System and network equipment must be protected against damage and theft.
  - Each entry into the protected area must be secured.
- Physical protection and inventory of media
  - Media containing key data, backups, archive data and D/R must be physically protected from unauthorized access, theft and damage.
  - Protected media libraries must be inspected at least once a year.

Slide 28: Internal and customer security standards and policies
- Operating systems
  - AIX Platforms
  - Linux Servers
  - Microsoft Windows 2008 Servers
  - Microsoft Windows 2003 Servers
  - Microsoft Windows 2000 Servers
  - Microsoft Windows NT Servers
  - Novell Netware
  - OS/2 based OS
  - OS/400 Platforms
  - zOS, OS390 and MVS Platforms
  - z/VM and VM Platforms
  - VMWare ESX/GSX Servers
- Application software / middleware
  - Apache Web Servers
  - DB2 Universal Databases
  - Lotus Domino Servers
  - Netview
  - OS/2 LAN Servers
  - Websphere Application Server
  - SSH Servers
  - Samba
- Network infrastructure
  - Local Area Network (LAN) equipment
  - Wireless Equipment
  - Firewalls
- Voice infrastructure
  - Avaya Media Server
  - Cisco Call Manager
  - Call Management System
- Other devices
  - Printers
  - Industrial devices
  - Remote terminals

Slide 29: Internal and customer security standards and policies
- A process is
  - long-running
  - event driven
  - a structured sequence of activities that requires
    - people
    - information
    - technology
- in order to achieve the objective.
Slide 30: Internal and customer security standards and policies
Diagram labels: Internet user; Internet; ISP-provided access router; Internet access packet filter; Internet server; firewall; Intranet; data access; application server; data/support server; IHP (Internet Hosting Provider); ICO (Internet Content Owner).
- Red Zone (or Internet access LAN)
  - Under physical control of the ISP
  - No security control
- Yellow Zone (or Internet server LAN)
  - Under physical control of the vendor
  - Separated from the Intranet by a firewall
  - Separated from the Red zone at least by a packet filter
- Green Zone (or Internet server LAN)
  - Under physical control of the vendor
  - Separated from the Yellow zone by a firewall

Slide 31: Internal and customer security standards and policies
- Physical security controls
  - Areas
  - Devices
  - Prints
  - Responsibility only for own premises, not the customer's premises

Slide 32: Internal and customer security standards and policies
- Encryption
  - Secure method
  - Performance and recovery issues
  - Legal restrictions

Slide 33: Questions?
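Returning to the zone model on slide 30: the slide states that the Yellow zone is separated from the Red zone by at least a packet filter and the Green zone from the Yellow zone by a firewall. That ordering can be written down and used to audit proposed flows, so that a rule letting the ISP-controlled access LAN reach the innermost tier directly is caught before it is deployed. The following Python is an added example written for this lecture, not code from IBM or from the slides; the zone names and boundary controls come from slide 30, while the rule tuple format and the sample ruleset are constructed for the example.

```python
from __future__ import annotations

# Zones from slide 30, ordered from least trusted (ISP-controlled access LAN)
# to most trusted.
ZONES = ["Red", "Yellow", "Green"]

# The control the slide places on each zone boundary.
BOUNDARY_CONTROL = {
    ("Red", "Yellow"): "packet filter",
    ("Yellow", "Green"): "firewall",
}


def controls_between(src: str, dst: str) -> list[str]:
    """List the boundary controls a flow from src to dst passes, in order.
    Works in both directions; an intra-zone flow passes none."""
    i, j = ZONES.index(src), ZONES.index(dst)
    step = 1 if j >= i else -1
    controls = []
    for k in range(i, j, step):
        a, b = ZONES[k], ZONES[k + step]
        key = (a, b) if (a, b) in BOUNDARY_CONTROL else (b, a)
        controls.append(BOUNDARY_CONTROL[key])
    return controls


def check_flow(src: str, dst: str) -> tuple[bool, str]:
    """A flow is acceptable only if it stays inside one zone or crosses
    exactly one boundary; crossing two in a single hop means the middle
    tier and its control are bypassed. Unknown zone names are rejected."""
    if src not in ZONES or dst not in ZONES:
        return False, f"unknown zone in flow {src} -> {dst}"
    controls = controls_between(src, dst)
    if len(controls) > 1:
        i, j = sorted((ZONES.index(src), ZONES.index(dst)))
        skipped = ", ".join(ZONES[i + 1:j])
        return False, (f"{src} -> {dst} bypasses the {skipped} tier "
                       f"(would cross {' and '.join(controls)} in one hop)")
    where = controls[0] if controls else "no boundary (intra-zone)"
    return True, f"{src} -> {dst} enforced at: {where}"


def audit_rules(rules: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return the (src, dst, service, reason) tuples for rules that violate
    the zone model."""
    violations = []
    for src, dst, service in rules:
        ok, reason = check_flow(src, dst)
        if not ok:
            violations.append((src, dst, service, reason))
    return violations


# Constructed sample ruleset (hypothetical; the services and addresses are not
# taken from the slides).
SAMPLE_RULES = [
    ("Red", "Yellow", "tcp/443"),     # Internet users to the web tier
    ("Yellow", "Green", "tcp/5432"),  # web tier to the database behind the firewall
    ("Red", "Green", "tcp/22"),       # shortcut from the access LAN: violation
    ("Green", "Green", "tcp/445"),    # intra-zone file sharing
    ("Red", "Intranet", "tcp/80"),    # zone name not in the model: violation
]


if __name__ == "__main__":
    for src, dst, service, reason in audit_rules(SAMPLE_RULES):
        print(f"VIOLATION {service}: {reason}")
    print("controls between Red and Green:", controls_between("Red", "Green"))
```

The check is deliberately conservative: a rule that names a zone outside the model is reported rather than silently accepted, because an unknown label usually means the rule was written against a different network picture than the one the security standard describes.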