Processes for information security
The security and privacy of information systems have become extremely important, both at work and in personal matters, since we all use systems to store confidential information that we do not want anyone else to see. That is why tools such as cryptography, physical security, cybersecurity and logical security exist.
What is exposed in a computer system is:
- the hardware
- the software
- the data
Data is the most important of the three: if the hardware is damaged we replace the damaged part, and if the software is damaged we simply reinstall it, but data is almost irrecoverable. Almost, because in computing data is never deleted outright: it is modified, and once it has been modified several times it becomes very difficult to recover.
PERSONNEL TRAINING AND AWARENESS PROCEDURE: This indicates the methodology the entity uses to train personnel and raise their awareness of information security issues, taking into account the different roles and directives, the frequency of training and awareness activities, etc.
PROCEDURE FOR ENTRY AND DEPARTURE OF PERSONNEL: This procedure indicates how the entity securely manages the onboarding and departure of personnel, including matters such as background checks, the signing of confidentiality agreements, and the handover receipts required to give the entity assurance, among other things. This procedure goes hand in hand with the human resources or recruitment area and can be drafted with their collaboration.
PROCEDURE FOR SECURE ENTRY TO THE INFORMATION SYSTEMS:
In this procedure, the entity must indicate how access to its information systems is managed securely: using preventive measures against brute-force attacks, validating all the data entered to log in to the systems, and using methods to encrypt access credentials while they travel over the network, among others.
USER AND PASSWORD MANAGEMENT PROCEDURE:
In this procedure, the entity must define how users are created and passwords assigned (passwords must meet an acceptable level of security, based on a previously defined secure password policy), prohibiting their subsequent reuse, requiring users to change them periodically, and keeping a record of them. This procedure must apply to all information systems, and it must also take into account the role each user requires in the relevant systems, so that only the necessary access is granted.
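To make the two procedures above concrete, here is an added Python example written for this article (it is not code from the original page or from any product). It implements the controls they ask for in one small user store: a password policy check, salted PBKDF2 hashing with a constant-time comparison, a prohibition on reusing any of the last passwords, a temporary lockout after repeated failed logins as the brute-force control, a role-based access check, and an audit log as the "record" of what happened. The specific figures (12-character minimum, 5 attempts, 15-minute lockout, 5-entry history) and the two roles `analyst` and `admin` are assumptions for the demo; the real values belong in the entity's written procedure.

```python
import hashlib, hmac, os, re, time
from dataclasses import dataclass, field

# Assumed parameter values; the real figures belong in the entity's written procedure.
PBKDF2_ITERATIONS = 200_000                 # PBKDF2-HMAC-SHA256 work factor
MAX_FAILED_ATTEMPTS = 5                     # failures before a temporary lockout
LOCKOUT_SECONDS = 15 * 60                   # lockout length; defeats online brute force
PASSWORD_HISTORY = 5                        # previous passwords that may not be reused
ROLE_PERMISSIONS = {"analyst": {"read_report"}, "admin": {"read_report", "manage_users"}}
_POLICY = [(re.compile(r".{12,}"), "at least 12 characters"), (re.compile(r"[A-Z]"), "an uppercase letter"),
           (re.compile(r"[a-z]"), "a lowercase letter"), (re.compile(r"\d"), "a digit"),
           (re.compile(r"[^A-Za-z0-9]"), "a symbol")]

def check_policy(password: str) -> list:
    """Return the policy rules the password fails; an empty list means it is acceptable."""
    return [msg for rx, msg in _POLICY if not rx.search(password)]

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)   # (salt, digest) pairs of previous passwords
    failed_attempts: int = 0
    locked_until: float = 0.0

class UserStore:
    def __init__(self, clock=time.time):
        self._accounts, self._clock, self.audit_log = {}, clock, []   # audit_log is the required record

    def _record(self, event, username, **extra):
        self.audit_log.append({"ts": self._clock(), "event": event, "user": username, **extra})

    def create_user(self, username, password, role):
        if username in self._accounts or role not in ROLE_PERMISSIONS:
            raise ValueError("duplicate user or unknown role")
        if problems := check_policy(password):
            raise ValueError("password policy: " + ", ".join(problems))
        salt = os.urandom(16)
        self._accounts[username] = Account(username, role, salt, _hash(password, salt))
        self._record("user_created", username, role=role)

    def change_password(self, username, new_password):
        acct = self._accounts[username]
        if problems := check_policy(new_password):
            raise ValueError("password policy: " + ", ".join(problems))
        # Reuse check: derive with every stored salt and compare in constant time.
        for salt, digest in [(acct.salt, acct.digest), *acct.history]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                raise ValueError("password reuse is prohibited")
        acct.history = [(acct.salt, acct.digest), *acct.history][:PASSWORD_HISTORY]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        self._record("password_changed", username)

    def authenticate(self, username, password) -> str:
        """Return 'ok', 'locked' or 'denied'; every outcome is written to the audit log."""
        now, acct = self._clock(), self._accounts.get(username)
        if acct is None:
            _hash(password, bytes(16))   # same cost as a real check, so timing does not reveal valid users
            self._record("login_failed", username, reason="unknown_user")
            return "denied"
        if now < acct.locked_until:
            self._record("login_rejected", username, reason="locked")
            return "locked"
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed_attempts = 0
            self._record("login_ok", username, role=acct.role)
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:          # brute-force control
            acct.failed_attempts, acct.locked_until = 0, now + LOCKOUT_SECONDS
            self._record("account_locked", username)
        else:
            self._record("login_failed", username, attempts=acct.failed_attempts)
        return "denied"

    def authorize(self, username, action) -> bool:
        """Role-based check: a user may only perform what their assigned role permits."""
        acct = self._accounts.get(username)
        return acct is not None and action in ROLE_PERMISSIONS[acct.role]

def demo() -> dict:
    now = [1_700_000_000.0]                      # constructed clock, advanced by hand
    store, out = UserStore(clock=lambda: now[0]), {}
    store.create_user("alice", "Correct-Horse-Battery-9", "analyst")
    out["login_ok"] = store.authenticate("alice", "Correct-Horse-Battery-9")
    out["authz"] = (store.authorize("alice", "read_report"), store.authorize("alice", "manage_users"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.authenticate("alice", "wrong-guess-1!")
    out["locked"] = store.authenticate("alice", "Correct-Horse-Battery-9")   # right password, still locked
    now[0] += LOCKOUT_SECONDS + 1
    out["after_lockout"] = store.authenticate("alice", "Correct-Horse-Battery-9")
    try:
        store.change_password("alice", "Correct-Horse-Battery-9")
    except ValueError as e:
        out["reuse_rejected"] = str(e)
    out["events"] = [e["event"] for e in store.audit_log]
    return out
```

Running `demo()` shows the controls in order: the account is created only because the password satisfies the policy, five wrong guesses lock it so that even the correct password is rejected until the lockout expires, an attempt to set the same password again is refused as reuse, and every step leaves an entry in the audit log. The clock is injected so the demo can move time forward; in production the default `time.time` is used.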
PROCEDURE OF CRYPTOGRAPHIC CONTROLS:
In this procedure, you must specify how cryptography will be used within the organization's information systems to guarantee their integrity, availability and confidentiality. You must communicate the complexity of the cryptographic controls to the employees, and specify the criticality of the information that will circulate through the network or be hosted in a given system. For example, WEP networks are an obsolete technology and should no longer be used, because they have keys of 64 to 128 bits; that means 2 raised to the power of 128, which is a huge number. Ideally you would use WPA2, which fixes all the WPA vulnerabilities and has a 256-bit key. Or, for example, if the company has a web page, it must have an SSL certificate (Transport Layer Security).
PHYSICAL ACCESS CONTROL PROCEDURE:
This procedure should describe how the different steps are carried out to control secure access to the facilities by authorized personnel. It may include records of the date and time of entry, and monitoring of the log books or the registration platform. It must also consider requests for permission to enter restricted areas: who grants it and what must be done to gain access to those areas, etc.
ASSET PROTECTION PROCEDURE:
This procedure must contain the steps for protecting the equipment the entity safeguards. It is recommended that this procedure specify how the location of equipment that processes confidential information is determined, how the facilities are secured, and the controls specified to minimize the risks of natural disasters, physical threats, damage, dust, water, interference, electrical discharges, etc.
EQUIPMENT MAINTENANCE PROCEDURE:
This procedure must specify how preventive or corrective maintenance is carried out within the entity, indicating the intervals at which it is required, based on the suppliers' recommendations or on any insurance tied to the equipment that makes maintenance a requirement. It must also specify how the maintenance will be carried out and the personnel who will execute it, together with the appropriate record.