The use of computers and the electronic exchange of information have developed rapidly in the retail business, and the confidentiality, integrity and availability of that information play the major role in it. Failure to secure customer information increases the risk of financial and reputational losses from which it will be difficult for the organization to recover. Because storage and information processing are cheap, many companies have started using electronic methods to store private and public details of individuals, so it is important for the information security officer to make sure that the personal details of customers and employees are stored securely. Companies have also started outsourcing data processing to third parties, who are often called data processors.
This information security policy gives an overview of the company's information security management. It sets out the responsibilities and guiding principles that are essential to safeguard the security of the organization's information systems; supporting policies, guidelines and codes of practice provide further detail. The principles in this policy apply to all physical and electronic devices that belong to the organization. The policy provides assurance that information provided by individuals is kept safe.
The main objective of this policy is to deliver the confidentiality and security of the networks, applications and information systems owned by the organization.
2.1. Ensuring that all staff members in the organization are aware of the jobs and responsibilities assigned to them and fully abide by the legislation referred to in the information governance policy.
2.2. Providing awareness and training across the organization so that information security becomes an integral part of day-to-day work.
2.3. Ensuring that information assets are protected by the responsible authorities of the organization.
This policy applies to people working in the organization, to third parties and customers who interact with the information maintained by the organization, and to the systems used to process and store that information. This includes cloud systems, mobile devices and telephone systems that are used on, or connected to, the organization's network.
1. Information is categorized according to its level of confidentiality, integrity and availability and in accordance with regulatory, contractual and legislative requirements.
2. Staff who have particular responsibility (see section: ) for information must acknowledge the classification of that information and handle it according to the level of importance that the classification assigns.
3. All users covered by the scope must handle information according to its classification. Any breach of this policy must be reported immediately.
4. The policy will be reviewed yearly, supported by internal audits and penetration testing.
5. Information is protected against unauthorized and illegitimate users.
4.2 INFORMATION CLASSIFICATION
Information is classified according to who needs to access it. Access to personal data is limited to those who need it for processing. Information is divided into categories so that each can be protected properly and security measures allocated accordingly.
UNCLASSIFIED INFORMATION: Information that can be used in public without any obligations, such as product advertisements or annual turnover. This information is already in the public domain.
EMPLOYEE CONFIDENTIAL INFORMATION: Information accessible only to members of the organization. It must be encrypted whenever it leaves the organization's systems. It includes employees' pay, medical history, educational qualifications, etc.
COMPANY CONFIDENTIAL INFORMATION: Information such as source code, business strategies, methodologies, client contacts, server passwords, etc.
CLIENT CONFIDENTIAL INFORMATION: Personal and business information about clients, such as name, address, the client's business, work history, and upcoming product launches.
5. POLICY FRAMEWORK:
5.1 Security Management
- The responsibility for information security should reside with the CEO of the company at board level.
- The security officer of the organization is responsible for implementing, documenting and monitoring all security requirements.
5.2 Training for Information Security
- New staff must complete information security training during the induction process. Mandatory refresher training should be provided to all employees once a month.
5.3 Employment Contract
- Staff security requirements should be stated during recruitment, and the employment contract should contain a confidentiality clause.
- Job definitions should state the information security expectations placed on the employee.
5.4 Asset’s Security Control
Assets such as hardware and software should be tagged with the organization's name to show that they are company property.
5.5 Access control
Information systems are protected by access control systems. These include internal controls (e.g. passwords, user interface restrictions and encryption) and external controls (firewalls, port-protection devices and host-based authentication). The information owner is responsible for authorizing who may access the resources.
User Access Control: Information can be accessed only by authorized users who have a justified business need.
Computer Access Control: PCs and laptops that belong to the organization may be accessed only by people who have a proper business need.
Application Access Control: Only system and database administrators may access the data, source code and system libraries. Authorization to use those applications is granted subject to the licence provided by the supplier.
5.6 Transfer of data and mobility
Information that is highly sensitive to the organization must not be stored on or transferred via laptops/PCs, USB drives, hard disks, CDs/DVDs or mobile devices unless it is encrypted with an encryption technology approved by the information security division.
5.7 Information System Accreditation
The security officer of the organization will ensure that every network system, application and information system has a proper security plan in place before it is used in the company.
5.8 System Access monitoring
The data and system access of the organization's employees are reviewed on a regular basis. The Regulation of Investigatory Powers Act 2000 allows the monitoring and recording of employees' electronic communications for the following reasons:
- To establish the existence of facts.
- To detect and investigate unauthorised use of the system.
- To prevent or detect crime.
- To ascertain the standards achieved by people using the system.
INTELLECTUAL PROPERTY RIGHTS
The information security officer will ensure that the organization's software is properly licensed. Users are not allowed to install any software without permission from the responsible authority. Users who breach this rule are subject to disciplinary action.
POLICY OF DATA COLLECTION AND RETENTION
The most effective way to mitigate the theft of a person's personal data is not to hold that data in the first place beyond the period it is needed. For example, customers' credit card details should be deleted immediately after the transaction is completed. The information security officer should always know how data flows across the organization; otherwise protecting it becomes a difficult task.
Users must use a password, a smart card or some other kind of token to access personal information. A password should be a combination of letters, punctuation, symbols and numbers and should be at least 8 characters long. Passwords should not be obvious, such as a birthday, a maiden name, the place where you live, or a pet's or relative's name. Smart cards and tokens provide authentication by generating a code: the token produces a PIN that is valid only for a short period of time. These are used together with the password for user authentication.
ENCRYPTION OF DATA
Encryption is the process of encoding the data stored on a computer so that it cannot be read without the key, which adds another layer of security. Keys must be long enough that they cannot be recovered by brute force, and private keys must be kept secret.
ANTIVIRUS SOFTWARE AND PATCHING
Antivirus software protects against infection from the internet and prevents viruses, Trojan horses and worms. It is important that all software is updated to the latest version on a regular basis to mitigate potential threats. E-mail from unknown or unauthorised sources should not be opened, which will prevent many attacks.
If the system is accessed from outside the organization, for example off site, that access is a potential weakness of the system. The need for such remote access should be properly assessed and security measures put in place before the access is granted. The information security officer is responsible for the security of the organization's network regardless of how it is accessed.
When a computer accesses the server over a wireless network it can expose the network to attack. A good firewall should be in place to avoid such attacks. Unsecured Wi-Fi should not be used for any transactions, or at the very least secure (TLS/HTTPS) web sessions should be used.
LOGS AND AUDIT TRAILS
Security policies and access control systems are of no use if the system cannot tell whether information has been compromised. Proper logging should be maintained that records which user accessed the system and when. Logs and audit trails help to identify people who abuse the system and help to ensure effective administration of system security. Monitoring should not only cover operating systems, networks and intrusion detection systems but should also take web activity and database activity into account.
PROTECTION OF DATA
- Backup and transfer of data: Data may be transferred only over an encrypted medium, for example a VPN connection, to protect the confidentiality and integrity of the information.
- Access to External Systems: If an external system needs to be accessed, the supervisor or department head should be contacted to carry out this process. They will assist in accessing the external system through a secure method.
- E-mail: Personal information must not be sent from a company e-mail account unless it is encrypted. Appropriate personnel such as the privacy officer can help with the procedure used for e-mail transmission.
- Public Networks: Tasks that involve the company's sensitive information must not be carried out while the computer is connected to a public network such as hotel or airport Wi-Fi.
ROLES AND RESPONSIBILITIES
CHIEF EXECUTIVE OFFICER: Although securing the organization's information is everyone's responsibility, ultimate authority rests with the CEO and is exercised through the information security officer.
INFORMATION SECURITY OFFICER: Responsible for managing the security of information across the organization. They maintain and carry out the policies effectively, take effective measures to avoid data breaches, and make sure the company follows the required regulations and legislation.
SENIOR MANAGERS: They take care of the security of the organization's physical environments where information is stored and processed. They are also responsible for the company's permanent and contract employees and for the information those employees handle. Senior managers should make sure that all employees are aware of the security policy.
STAFF: All staff must follow the policy and regulations and be aware of how information should be properly transferred and stored. If they come across any security breach, staff are obliged to report it to the security officer.
CUSTOMERS: Customers should use a strong password to log in for online purchases, keep their login details confidential, and not reveal them to anyone or write them down in any public documents or papers.
THIRD PARTIES: All third parties who handle the company's employee and customer information are obliged to keep that information protected and encrypted. Any breach of the data must be reported to the organization immediately, and the necessary action taken immediately.
A data breach can happen for various reasons, including theft of information by breaking into the organization's premises, hacking, human error, server failure, or unauthorised use due to weak access controls. It is mandatory for the organization to have breach management in place to handle a data breach. It includes the following steps:
– IDENTIFICATION OF BREACH
There should be a procedure through which all staff members can report a breach. They should know whom to contact if they come across any leak. This allows management to identify the incident at an early stage. Details about the breach should be collected, including logs, timestamps, the servers involved and any error messages related to the incident.
– CONTAINMENT OF BREACH
Once a breach is identified the company should decide who leads the investigation and takes responsibility for finding the cause. The affected network segments and servers should be isolated from the rest of the network, preserving the logs collected at identification before any system is rebuilt. Immediate action should be taken to inform the affected users, and passwords and access rights should be changed. Where relevant and appropriate, the incident should be reported to the police.
– RISK ASSESSMENT
Risk assessment plays an important role once a data breach is detected. It considers what kind of data has been leaked, how sensitive the data is, whether any encryption was used to protect it, and how many people are affected by the loss.
If personal data is lost, then under the Data Protection Act the person who becomes aware of the breach must notify the information security officer immediately.
The data breach is then reviewed by the information security manager to establish how the data leaked and which areas should be improved to prevent future incidents.
Shop here Ltd is a retail chain situated in Ireland. It has around 3000 staff, with around 30 shops across Ireland as well as an online store. Thousands of customers regularly use Shop here Ltd's online shopping.
Recently a data breach was reported at Shop here Ltd. Customers' card and personal data were stolen and put up for sale on the internet. The company approached a forensic analyst two weeks later to investigate the data theft.
As the digital forensic investigators we arrived at the scene of the crime once the issue was reported and obtained all the information required for the investigation from the company's information security officer.
During the investigation we found that the attackers had tried to access customer accounts by brute force over a month, trying various combinations of usernames and passwords, and finally gained access to some of the accounts. They then tried to withdraw money from those accounts, which they achieved by adding a new payment method. We also found that the payment system had been compromised by malware which copied customers' personal information from the payment page while transactions were being made.
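As an added example (not from the original case study and not Shop here Ltd's code), the following Python runs the kind of detection that the logging and audit-trail section of the policy calls for over a constructed web-authentication log: it flags a source address that fails login repeatedly within a short window (the brute-force pattern described above), a subsequent successful login from that address (a likely account takeover), and a new payment method added on a taken-over account (the withdrawal step the attackers used). The log format, the sample lines, the addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) and the thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Assumed log format: "<ISO timestamp> <source IP> <event> user=<account>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<event>login_ok|login_fail|payment_method_added) user=(?P<user>\S+)$"
)

# Constructed sample log (not real data): one address guesses alice's and bob's
# passwords, gets into bob's account and adds a payment method; carol mistypes once.
SAMPLE_LOG = """\
2024-03-01T10:00:01 203.0.113.7 login_fail user=alice
2024-03-01T10:00:03 203.0.113.7 login_fail user=alice
2024-03-01T10:00:05 203.0.113.7 login_fail user=alice
2024-03-01T10:00:07 203.0.113.7 login_fail user=bob
2024-03-01T10:00:09 203.0.113.7 login_fail user=bob
2024-03-01T10:00:11 203.0.113.7 login_ok user=bob
2024-03-01T10:02:00 203.0.113.7 payment_method_added user=bob
2024-03-01T10:05:00 198.51.100.4 login_fail user=carol
2024-03-01T10:05:30 198.51.100.4 login_ok user=carol
"""

Alert = Tuple[str, str, str, datetime]  # (kind, source ip, account, time)


def parse_log(lines: Iterable[str]):
    """Yield one dict per well-formed line; malformed lines are skipped rather
    than allowed to abort the whole run."""
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    """Single pass over the log in time order. Failures are counted per source
    address in a sliding window regardless of which account was targeted, so
    password spraying across accounts is caught as well as hammering one account."""
    recent_fails = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged_ips = set()                 # addresses that crossed the threshold
    taken_over = set()                  # accounts logged into from a flagged address
    alerts: List[Alert] = []
    for ev in parse_log(lines):
        ip, user, ts, event = ev["ip"], ev["user"], ev["ts"], ev["event"]
        if event == "login_fail":
            q = recent_fails[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()             # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged_ips:
                flagged_ips.add(ip)     # alert once per address, not on every further failure
                alerts.append(("brute_force", ip, user, ts))
        elif event == "login_ok" and ip in flagged_ips:
            taken_over.add(user)
            alerts.append(("takeover", ip, user, ts))
        elif event == "payment_method_added" and user in taken_over:
            alerts.append(("payment_change_after_takeover", ip, user, ts))
    return alerts


if __name__ == "__main__":
    for kind, ip, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:30} ip={ip} user={user}")
```

On the sample this produces three alerts: brute_force for 203.0.113.7 at its fifth failure, takeover of bob at the following successful login, and payment_change_after_takeover when bob's payment method is added; carol's single mistyped password produces nothing. A 10-minute window alone would not catch the month-long, low-rate guessing described in the case study, so in practice the same counters should also be kept per account over a much longer horizon (days), and the logs must record the source address and the time of each access, as the policy requires, for any of this to be possible.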
While investigating the breach we found that the organization had failed to take security measures for storing personal data and customer card details, including the following:
- No service level agreement existed between the information security officer and the data processor.
- The information security officer was not kept informed of new employees joining the organization.
- Nobody had verified that access control and user authentication were in place.
- Systems were not secured and protected by a firewall, and there was no security configuration for the website platform.
- The company failed to report the breach within the 72 hours of becoming aware of it that GDPR Article 33 requires; it initially approached a third party within the organization to mitigate the issue.
From the above findings we provided a detailed report, checking the company's actions against its information security policy, and stated that the company had failed to comply with the General Data Protection Regulation.