Senior management must select a strategy that determines who pays for the information system's services. Funding matters because each department must have adequate funds to operate. Each funding option has its advantages and disadvantages. The three most common are these:
Under this method, all departments of the organization share the cost. Its advantage is that it is relatively easy to implement and for accounting to handle. Its disadvantage is that some departments may feel they are paying for something they do not use.
File- or folder-level encryption (also called file-system-level encryption) is an encryption system in which specific folders, files, or volumes are encrypted by a third-party software package or by a feature of the file system itself. Here are the pros and cons of implementing file- or folder-level encryption. They are taken from Tony Bradley's book on PCI compliance.
- More granular control over which specific information needs to be encrypted. Items you want encrypted can be stored in a particular folder or volume, and data that does not need protection can be stored elsewhere.
- Many file-level encryption products let you integrate access-level restrictions. This lets you manage who has access to what.
- When data is encrypted at the file level and is moved off the storage location, it is moved encrypted. This preserves the confidentiality of the data when it is moved to a backup tape.
- Less invasive to a database than column-level encryption. The database schema does not need to be modified, and authorized personnel (as determined by access control) are not hindered when querying or performing other management activities. This preserves availability, one of the three tenets of the CIA triad.
- Tends to consume less resource overhead, and so has less impact on system performance.
- Logging and auditing capabilities. Some file-level encryption systems can track who attempts to access a file and when. Since a large share of data breaches originate inside the network, this kind of information is valuable to have.
- Can cause performance issues for backup processes, especially with relational databases.
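As an added example that is not from the page or from Tony Bradley's book, the following Python script shows three of the properties listed above in working code: only files under designated folders are encrypted, an access list decides who may read them, and every access attempt is logged, while a raw copy of a protected file (what a backup job would take) stays ciphertext. The cipher is an HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag, chosen only so the script runs on the Python standard library; a real product would use AES-GCM from a vetted library. The folder names, user names, access list and sample card data are all constructed for the demonstration.

```python
# Added example (not the page's or the book's code): folder-level encryption
# with an access list and an audit log. Cipher: HMAC-SHA256 as a PRF in counter
# mode, encrypt-then-MAC. Stdlib only; use AES-GCM from a real library in production.
import hashlib
import hmac
import os
import struct
import tempfile
from pathlib import Path

MAGIC = b"FENC1"  # constructed header that marks an encrypted file


def _subkeys(master: bytes):
    """Derive separate encryption and MAC keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF(nonce || counter) blocks concatenated and cut to `length`."""
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(master: bytes, plaintext: bytes) -> bytes:
    """MAGIC || nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return MAGIC + nonce + ct + tag


def open_sealed(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; any tampering raises ValueError."""
    enc_key, mac_key = _subkeys(master)
    if not blob.startswith(MAGIC):
        raise ValueError("not an encrypted file")
    nonce, ct, tag = blob[len(MAGIC):len(MAGIC) + 16], blob[len(MAGIC) + 16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptedStore:
    """Files under `protected` top-level folders are sealed on write and
    unsealed on read, but only for users named in `acl`; everything else is plain."""

    def __init__(self, root, master: bytes, protected, acl):
        self.root, self.master = Path(root), master
        self.protected = set(protected)   # folder names that get encryption
        self.acl = acl                    # folder -> set of permitted users
        self.audit_log = []               # (user, path, action, outcome)

    def _folder(self, relpath: str) -> str:
        return relpath.split("/", 1)[0]

    def _check(self, user: str, relpath: str, action: str):
        folder = self._folder(relpath)
        allowed = folder not in self.protected or user in self.acl.get(folder, set())
        self.audit_log.append((user, relpath, action, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not {action} {relpath}")

    def write(self, user: str, relpath: str, data: bytes):
        self._check(user, relpath, "write")
        path = self.root / relpath
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(seal(self.master, data) if self._folder(relpath) in self.protected else data)

    def read(self, user: str, relpath: str) -> bytes:
        self._check(user, relpath, "read")
        raw = (self.root / relpath).read_bytes()
        return open_sealed(self.master, raw) if self._folder(relpath) in self.protected else raw

    def raw_bytes(self, relpath: str) -> bytes:
        """What a backup job, or anyone copying the disk, actually gets."""
        return (self.root / relpath).read_bytes()


def demo():
    """Constructed scenario: 'cardholder' is a protected folder, 'public' is not."""
    store = EncryptedStore(tempfile.mkdtemp(), os.urandom(32),
                           protected={"cardholder"}, acl={"cardholder": {"alice"}})
    secret = b"PAN 4111 1111 1111 1111 exp 12/29"   # constructed test data
    store.write("alice", "cardholder/batch1.txt", secret)
    store.write("bob", "public/readme.txt", b"hello")
    denied = False
    try:
        store.read("bob", "cardholder/batch1.txt")
    except PermissionError:
        denied = True
    return {
        "roundtrip": store.read("alice", "cardholder/batch1.txt") == secret,
        "at_rest_hides_pan": b"4111" not in store.raw_bytes("cardholder/batch1.txt"),
        "public_is_plain": store.raw_bytes("public/readme.txt") == b"hello",
        "bob_denied": denied,
        "log": store.audit_log,
    }
```

The audit log records the denied read by bob as well as alice's successful ones, which is the "who attempted to access a file and when" capability described above; and because `raw_bytes()` returns ciphertext for the protected file, a backup of that folder carries no plaintext card numbers.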
The cornerstones of an effective information security program are well-written policy statements. Policy is the wellspring of all other directives, standards, procedures, guidelines, and supporting documents. As with any assessment process, it is important to confirm that policies establish the direction management wants to take with regard to security.
When reviewing policies, Thomas R. Peltier, in his book on managing a network vulnerability assessment, notes that it is necessary to remember that there are three general types of policies:
General or global policies.
These are high-level policy statements that define the intent of a specific topic and its scope within the organization. They also assign responsibility for implementing and complying with the policy. Typical information security general or global policies include:
If you need to audit an Oracle database or application, here is some simple guidance: five basic controls that you should review.
1. Password Management
- Default passwords should be changed.
- Password authentication should be required for every account.
- Password composition should be enforced: passwords should contain a combination of alphabetic and numeric characters.
- Password expiration should be enforced: passwords should expire after a defined period, e.g. 30 days.
- Password history should be enforced: a password should not be reusable until a defined number of later passwords, e.g. 12, have been used.
2. User Management
- Administrator accounts should be secured. Every administrator account should be explicitly listed, with a named person responsible for it.
- Default user accounts should be removed or deactivated.
- Vendor and third-party accounts should be monitored.
- Dormant accounts should be identified and locked or removed.
3. Security Features
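As an added example, not part of the original guidance, the following Python checker applies controls 1 and 2 above to rows exported from the Oracle data dictionary (DBA_PROFILES, DBA_USERS, DBA_USERS_WITH_DEFPWD and DBA_ROLE_PRIVS; the queries are shown as strings). The thresholds (30-day expiry, 12-password history, five failed logins, 90-day dormancy) and the list of default accounts are assumptions for the demonstration, and the rows in `demo()` are constructed rather than taken from a real database. Two details that trip up manual reviews are handled: a limit of DEFAULT in DBA_PROFILES inherits the DEFAULT profile's value, and Oracle evaluates PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME as a pair.

```python
# Added example (not the page's own script): evaluate Oracle password-profile
# and user-management controls against an assumed audit baseline.
from datetime import date

# Dictionary views an auditor queries; LAST_LOGIN in DBA_USERS needs 12c or later.
PROFILE_SQL = ("SELECT profile, resource_name, limit FROM dba_profiles "
               "WHERE resource_type = 'PASSWORD'")
USER_SQL = "SELECT username, account_status, profile, last_login FROM dba_users"
DEFPWD_SQL = "SELECT username FROM dba_users_with_defpwd"
DBA_SQL = "SELECT grantee FROM dba_role_privs WHERE granted_role = 'DBA'"

# Assumed baseline (audit opinion, not Oracle defaults), matching the figures above.
MAX_LIFE_DAYS = 30
MIN_HISTORY = 12
MAX_FAILED_LOGINS = 5
DORMANT_DAYS = 90
DEFAULT_ACCOUNTS = {"SCOTT", "OUTLN", "DBSNMP", "ORDSYS", "CTXSYS"}  # assumed list


def resolve(profiles, profile, name):
    """DBA_PROFILES stores the literal 'DEFAULT' when a profile inherits the
    DEFAULT profile's limit, so resolve it before comparing."""
    value = profiles[profile].get(name, "DEFAULT")
    return profiles["DEFAULT"][name] if value == "DEFAULT" else value


def check_password_controls(profiles):
    """profiles: {profile_name: {resource_name: limit}} as read from DBA_PROFILES."""
    findings = []
    for profile in profiles:
        lim = lambda n: resolve(profiles, profile, n)
        if lim("PASSWORD_VERIFY_FUNCTION") == "NULL":
            findings.append(f"{profile}: no password verify function (composition unchecked)")
        life = lim("PASSWORD_LIFE_TIME")
        if life == "UNLIMITED" or float(life) > MAX_LIFE_DAYS:
            findings.append(f"{profile}: PASSWORD_LIFE_TIME={life} (max {MAX_LIFE_DAYS})")
        reuse_max, reuse_time = lim("PASSWORD_REUSE_MAX"), lim("PASSWORD_REUSE_TIME")
        # Oracle rule: both UNLIMITED -> immediate reuse allowed; one numeric and
        # the other UNLIMITED -> reuse never allowed; both numeric -> both apply.
        if reuse_max == "UNLIMITED" and reuse_time == "UNLIMITED":
            findings.append(f"{profile}: password history not enforced")
        elif reuse_max != "UNLIMITED" and reuse_time != "UNLIMITED" and float(reuse_max) < MIN_HISTORY:
            findings.append(f"{profile}: PASSWORD_REUSE_MAX={reuse_max} (min {MIN_HISTORY})")
        fails = lim("FAILED_LOGIN_ATTEMPTS")
        if fails == "UNLIMITED" or float(fails) > MAX_FAILED_LOGINS:
            findings.append(f"{profile}: FAILED_LOGIN_ATTEMPTS={fails} (max {MAX_FAILED_LOGINS})")
    return findings


def check_user_controls(users, default_pwd_users, dba_grantees, today):
    """users: (username, account_status, profile, last_login or None) rows."""
    findings = []
    for name, status, _profile, last_login in users:
        is_open = "LOCKED" not in status   # OPEN, EXPIRED, EXPIRED(GRACE) can still log in or be reset
        if name in DEFAULT_ACCOUNTS and is_open:
            findings.append(f"{name}: default account still open")
        if name in default_pwd_users:
            findings.append(f"{name}: still uses the vendor default password")
        if is_open and name not in DEFAULT_ACCOUNTS:
            if last_login is None or (today - last_login).days > DORMANT_DAYS:
                findings.append(f"{name}: open but dormant (no login in {DORMANT_DAYS} days)")
    for grantee in sorted(dba_grantees):
        findings.append(f"{grantee}: holds DBA role, confirm named owner")
    return findings


def demo():
    """Constructed data: one hardened profile, one weak DEFAULT, one inheriting it."""
    today = date(2010, 3, 1)
    profiles = {
        "DEFAULT": {"FAILED_LOGIN_ATTEMPTS": "10", "PASSWORD_LIFE_TIME": "180",
                    "PASSWORD_REUSE_TIME": "UNLIMITED", "PASSWORD_REUSE_MAX": "UNLIMITED",
                    "PASSWORD_VERIFY_FUNCTION": "NULL"},
        "APP_USERS": {"FAILED_LOGIN_ATTEMPTS": "5", "PASSWORD_LIFE_TIME": "30",
                      "PASSWORD_REUSE_TIME": "365", "PASSWORD_REUSE_MAX": "12",
                      "PASSWORD_VERIFY_FUNCTION": "VERIFY_FUNCTION_11G"},
        "BATCH": {"FAILED_LOGIN_ATTEMPTS": "DEFAULT", "PASSWORD_LIFE_TIME": "DEFAULT",
                  "PASSWORD_REUSE_TIME": "DEFAULT", "PASSWORD_REUSE_MAX": "DEFAULT",
                  "PASSWORD_VERIFY_FUNCTION": "DEFAULT"},
    }
    users = [
        ("SYS", "OPEN", "DEFAULT", date(2010, 2, 28)),
        ("SCOTT", "OPEN", "DEFAULT", None),
        ("OUTLN", "EXPIRED & LOCKED", "DEFAULT", None),
        ("APP_OWNER", "OPEN", "APP_USERS", date(2010, 2, 27)),
        ("OLD_DBA", "OPEN", "DEFAULT", date(2009, 10, 1)),
    ]
    return check_password_controls(profiles) + check_user_controls(users, {"SCOTT"}, {"SYS", "OLD_DBA"}, today)
```

Running `demo()` yields findings only for the DEFAULT profile and the BATCH profile that inherits it, for the open SCOTT account with its vendor password, and for OLD_DBA, which is both dormant and a DBA grantee; the hardened APP_USERS profile and the locked OUTLN account produce nothing.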
Many comparisons of SAP and Oracle Finance are available nowadays; this article focuses on the comparison from a security and audit perspective.
1. Security Configuration
SAP stores its security configuration at the application layer; Oracle Finance stores its security configuration at the database layer. Storing the configuration at the application layer means that security controls can additionally be applied in the database configuration, so SAP can enforce controls at two layers where Oracle Finance has one.
Here is the audit procedure for checking the security configuration of Oracle Finance and SAP R/3.
SAP R/3 procedure:
Execute transaction code SA38.
Run report RSPARAM, which lists each profile parameter with its user-defined value and its system default.
Review the following logon parameters:
- login/failed_user_auto_unlock
- login/fails_to_session_end
- login/fails_to_user_lock
- login/min_password_lng
- login/multi_login_users
- login/no_automatic_user_sapstar
- login/password_change_for_SSO
- login/password_expiration_time
- login/password_logon_usergroup
- login/password_max_new_valid
- login/password_max_reset_valid
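As an added example, not from the original article, the following Python script parses a tab-separated RSPARAM export and compares the effective value of each login/* parameter (the user-defined value when one is set, otherwise the system default) against an audit baseline. The baseline values are assumptions stated in the code, not SAP's shipped defaults, and the export text is constructed. login/password_change_for_SSO and login/password_logon_usergroup are left out of the baseline because their acceptable value depends on whether single sign-on and logon user groups are in use at the site.

```python
# Added example (not the article's code): check RSPARAM output for SAP logon
# parameters against an assumed baseline. Effective value = user-defined value
# if present, else system default; a blank user column is the common pitfall.
import csv
import io

# Constructed export: the three RSPARAM columns, tab-separated.
RSPARAM_EXPORT = """\
Parameter Name\tUser-Defined Value\tSystem Default Value
login/failed_user_auto_unlock\t\t1
login/fails_to_session_end\t\t3
login/fails_to_user_lock\t12\t5
login/min_password_lng\t\t6
login/multi_login_users\tSAPBASIS, BATCH01\t
login/no_automatic_user_sapstar\t1\t0
login/password_expiration_time\t0\t0
login/password_max_new_valid\t\t0
login/password_max_reset_valid\t7\t0
"""

# Assumed baseline: parameter -> (predicate on the effective value, why it matters).
BASELINE = {
    "login/failed_user_auto_unlock": (lambda v: v == "0", "locks must persist until an administrator unlocks"),
    "login/fails_to_session_end": (lambda v: int(v) <= 3, "session should end after at most 3 failed logons"),
    "login/fails_to_user_lock": (lambda v: int(v) <= 5, "user should lock after at most 5 failed logons"),
    "login/min_password_lng": (lambda v: int(v) >= 8, "minimum password length of 8"),
    "login/multi_login_users": (lambda v: v == "", "no user should be exempt from the multiple-logon check"),
    "login/no_automatic_user_sapstar": (lambda v: v == "1", "SAP* must not be recreated automatically"),
    "login/password_expiration_time": (lambda v: 1 <= int(v) <= 90, "0 means passwords never expire"),
    "login/password_max_new_valid": (lambda v: 1 <= int(v) <= 14, "unused initial passwords must lapse"),
    "login/password_max_reset_valid": (lambda v: 1 <= int(v) <= 14, "unused reset passwords must lapse"),
}


def parse_rsparam(text):
    """Return {parameter: (effective_value, overridden_by_user)}."""
    params = {}
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        user_val = row["User-Defined Value"].strip()
        default = row["System Default Value"].strip()
        params[row["Parameter Name"].strip()] = (user_val if user_val else default, user_val != "")
    return params


def evaluate(params):
    """Return (parameter, observed value, explanation) for every baseline miss."""
    findings = []
    for name, (ok, why) in BASELINE.items():
        if name not in params:
            findings.append((name, "missing from export", why))
            continue
        value, overridden = params[name]
        source = "user-defined" if overridden else "system default"
        try:
            if not ok(value):
                findings.append((name, f"{value or '<empty>'} ({source})", why))
        except ValueError:
            findings.append((name, f"{value} ({source})", "non-numeric value, review manually"))
    return findings


if __name__ == "__main__":
    for name, value, why in evaluate(parse_rsparam(RSPARAM_EXPORT)):
        print(f"{name}: {value}; {why}")
```

Note that three of the six findings in the constructed export (failed_user_auto_unlock, min_password_lng, password_max_new_valid) come from parameters the system has never overridden, which is exactly what a reviewer who only reads the user-defined column would miss.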
As quoted in Dutchhasterdam,
"..Amsterdam’s Schiphol Airport is the first airport in the world to deploy full-body scanning machines.."
Amsterdam's Schiphol airport has begun using new body-scanning machines at security checkpoints, the first major airport to use the technology to find metals and explosives hidden under clothing. Schiphol is also one of the world's most modern airports, with flat-panel screens, airport-wide Web access, and iris scanners already on offer to those who want to bypass passport lines.
It also became a popular discussion on slashdot.org:
T-Ray Camera Sees Through Clothes, Preserves Privacy
"...that are claimed to use Terahertz radiation ("T-rays") to detect foreign objects under clothing, without revealing body details, from a distance of 25 meters and while the subject is in motion.."
So how security procedures at airports should be designed remains a challenge for security auditors.
The latest update of Linkedin.com, one of the most popular social networking sites for professionals, is evidence that social networks have become very important in our lives. Their function has shifted: they are no longer only a communication medium but also a place to find a new career, to build a larger network, and to do corporate research.
However, the massive use of social networking websites also becomes a challenge for industry in creating a good enterprise policy on the matter. Any other ideas on how to develop a social networking website policy?
This policy provides guidance to ensure that the company's use of blogging and online dialogue gives appropriate consideration to responsible engagement in this new, rapidly growing space of relationships, learning and collaboration.
1. Know and follow the Company Code of Conduct.
2. Blogs are not corporate communications but individual interactions. Identify yourself, but protect your privacy.
3. Use a disclaimer when posting a blog that has something to do with work or with subjects associated with the Company.
4. Respect copyright, fair use and financial disclosure laws.
5. Don't provide confidential or other proprietary information.
6. Don't cite or reference clients, partners or suppliers without their approval.
7. Respect your audience and show proper consideration for others' privacy on topics that can be inflammatory, such as politics and religion.
8. Find out who else is blogging on the topic and cite them.