Auditing is a basic activity of any organization and can fairly be called the heart of the organization. With the help of auditing, an organization is able to manage risk, govern, and control its business. The purpose of auditing is to protect the assets of the organization, make sure that the organization uses its resources efficiently, and set objectives and operational goals for the organization. An information system audit certifies that the system is free of errors and security threats. This report discusses the security policy of a company to ensure its system security.
I. Antivirus Policy
· What will be the guidelines for the Information system security and Anti-Virus policy?
II. Risk Assessment
· What steps should be taken for managing risk assessment?
III. Methods of Virus Detection
· How can viruses be detected in a system?
· How can damage caused by viruses be corrected?
· How can a record of security threats be maintained through documentation?
· Methods of training employees to cope with potential security threats
VII. Policy Assessment
· How is the security policy of a company assessed?
· Restatement of the main points and statement of personal opinion
The computer has always been a tool with great problem-solving potential. The challenge is to identify problems and develop appropriate computer solutions, but the computer is also one of the most vulnerable machines. Security is always one of the most important concerns in the use of computers (Gasser).
Thus the anti-virus policy of a company must ensure that the anti-virus software is updated regularly.
A good Information System security and Anti-Virus policy must be based on the following guidelines (Lawrence et al.):
- Roles and Responsibilities: everyone must know what his or her responsibility is under the anti-virus and security policy of the company. Responsibilities are either organizational or functional. Organizational responsibilities are concerned with higher management, while functional responsibilities deal with middle management.
- Compliance: it is the duty of the management to define everyone’s role and responsibility in the anti-virus policy and to state clearly what happens if anyone violates this policy. It is also necessary to make it very clear that penalties will be the same for every person, whether that person belongs to higher management or to a lower level.
- Accreditation: the process of obtaining exact knowledge about the data processed in the system, the type of network, the persons who have access to the system, etc.
- Risk Assessment: the longest and most important part of a company’s security policy. It is the process of assessing the potential dangers to the company’s IT assets and how these risks can be avoided.
Management's Risk Assessment & Vulnerabilities
There are four general categories of threats:
- Interruption: An asset of the system is destroyed or becomes unavailable or unusable. This is a threat to availability.
- Interception: An unauthorized party gains access to an asset. This is a threat to secrecy. The unauthorized party could be a person, a program or a computer.
- Modification: An unauthorized party not only gains access to but also tampers with an asset. This is a threat to integrity.
- Fabrication: An unauthorized party inserts a counterfeit object into the system. This is a threat to integrity (Hoffman).
To prevent these threats, the following steps could be taken:
- Talk with IT: A Chief Security Officer and other IT personnel are assigned to make sure that the security and anti-virus policy is strictly followed by everyone in the company.
- Identify risk in software: A key threat to software security is an attack on its availability. Software, especially the operating system, is easy to delete. Software can also be altered or damaged to render it useless. The other problem regarding the security of software is that it can be modified, which means that the software still works but behaves in a different manner. To guard against this vulnerability, software needs to be protected with anti-virus software and must be checked regularly.
- Examine Hardware components: hardware must be checked regularly, as intruders and viruses may sometimes take control and make the system work according to their instructions.
- Review end users: there are two approaches used to review and control end users: centralized and decentralized. If a centralized approach is used, the network provides a log-on service to determine who is allowed to use the network and to whom the user is allowed to connect. In a decentralized approach, the destination host carries out the user log-on process.
- Network Architecture: In addition to the potential vulnerability of the various communication links, the processors along the path are themselves subject to attack. An attack can take the form of attempts to modify the hardware or software, to gain access to the memory of the processor, or to monitor the electromagnetic emanations (Davies and Price). Thus, in order to protect a network, it is necessary first to determine the nature of its architecture.
- Unauthorized Software: Programs that exploit vulnerabilities in computer systems present the most sophisticated threats to those systems. These threats can be divided into two categories: those that need a host program and those that are independent. A further distinction can be drawn between software threats that cannot replicate and those that do. The information system should be checked regularly for such software.
- Virus Infection: A virus is a program that causes a copy of itself to be inserted in one or more other programs. In addition to propagation, the virus usually performs some unwanted function. Some viruses can replicate themselves and send copies from computer to computer across network connections. Upon arrival, they may be activated to replicate and propagate again. Anti-virus software is the best protection against viruses.
- Application of Anti-Virus Software: The ideal solution for viruses and other malicious programs is prevention: don’t allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks. It is the duty of the IT personnel responsible for the information security systems of a company to review all the available anti-virus solutions and use the best and most appropriate one for their company.
- Where can viruses be checked? Viruses can be checked and prevented through anti-virus software. The present generation is the fourth generation of anti-virus software. Anti-virus software uses many techniques, such as activity traps, scanning components and access control capability, which protect the system from virus penetration. Anti-virus software must be installed on all systems and on the main servers to protect them from all security threats.
Methods of Virus Detection
Anti-virus software takes the following steps to protect a system from a virus threat (Denning):
- Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
- Identification: Once detection has been achieved, identify the specific virus that has infected a program. Remove the virus from all infected systems, so that the disease cannot spread further.
- Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program and reload a clean backup version. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple software packages. Both viruses and anti-virus software have since become more complex and sophisticated (Perkins).
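The detection, identification and removal steps above, together with the clean-backup fallback, as an added Python example (not code from the original report). The program names, byte patterns and signature names are constructed, and comparing each program with a known-good SHA-256 baseline is an assumed detection method.

```python
import hashlib

# Constructed signature database (harmless placeholder patterns, not real malware data).
SIGNATURES = {"Sample.A": b"<<constructed-marker-A>>",
              "Sample.B": b"<<constructed-marker-B>>"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect(files: dict, baseline: dict) -> list:
    """Detection: list programs whose contents no longer match the known-good hash."""
    return sorted(n for n, d in files.items() if sha256(d) != baseline.get(n))

def identify(data: bytes):
    """Identification: name the specific known pattern found in the program, if any."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None

def remediate(name: str, files: dict, baseline: dict, backups: dict) -> tuple:
    """Removal, falling back to the clean backup when identification or removal fails."""
    virus = identify(files[name])
    if virus is not None:
        cleaned = files[name].replace(SIGNATURES[virus], b"")
        if sha256(cleaned) == baseline[name]:   # removal restored the original state
            files[name] = cleaned
            return ("removed", virus)
    files[name] = backups[name]                 # discard and reload the clean copy
    return ("restored_from_backup", virus)

def run_demo() -> tuple:
    # Constructed "programs"; the baseline and backups are taken while they are clean.
    clean = {"payroll.bin": b"PAYROLL-PROGRAM-V1",
             "report.bin": b"REPORT-PROGRAM-V1",
             "mail.bin": b"MAIL-PROGRAM-V1"}
    baseline = {n: sha256(d) for n, d in clean.items()}
    backups, files = dict(clean), dict(clean)
    files["payroll.bin"] += SIGNATURES["Sample.A"]        # known pattern appended
    files["report.bin"] = b"REPORT-XXXXXXX-V1"            # changed, no known pattern
    files["mail.bin"] = b"MAIL" + SIGNATURES["Sample.B"]  # known pattern, code overwritten
    results = {n: remediate(n, files, baseline, backups)
               for n in detect(files, baseline)}
    return results, detect(files, baseline)               # second scan should be empty

if __name__ == "__main__":
    print(run_demo())
```

The third program shows why removal is verified against the baseline: the pattern is identified, but stripping it does not give back the original program, so the clean backup is reloaded instead.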
To detect a virus in the system, the following steps could be taken:
- Virus Infection: Viruses are a threat to the physical as well as the software security of the system. Thus it is necessary that the system is checked regularly, and if there is any virus infection, the above-mentioned steps must be followed to remove it.
- Virus Definition and Virus Engine Update: the arms race against viruses continues. More and more new viruses appear every day, and hence it is necessary to update the anti-virus system regularly; otherwise it will not offer any protection against new viruses.
Inevitably, the best intrusion and virus prevention system will fail. A system’s second line of defense is intrusion detection. The following steps can help correct the damage caused by a virus intrusion (Makhija):
· Halt an Outbreak: If a virus intrusion is detected quickly enough, the virus can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less the damage and the more quickly recovery can be achieved.
· Reporting Virus Occurrence: if a virus is detected in a system, it should be reported immediately to the IT personnel responsible for information system security, so that they can take the necessary action to remove the virus and avoid any damage.
· Damage Assessment: once a virus has gained entry into a system by infecting a single piece of software, it is in a position to infect some or all of the other executable files on the system when the infected program executes. Thus it is necessary to assess in advance the maximum damage a virus can cause and how this damage can be corrected.
The objective of the virus is to gain access to a system and make changes. Generally, this requires the virus to acquire information that should have been protected. Thorough documentation should be a part of a company’s information security policy. It will clearly define who is responsible for security and make sure that there is no copyright violation of software. Password protection is the front line of defense against intruders. Typically, a system must maintain a file that associates a password with each authorized user. If such a file is stored with no protection, then it is easy to gain access to it and learn passwords. The information security policy clearly identifies who is liable if the passwords of company personnel are hacked, who is responsible for the use of certain resources, and so on. All such information must be maintained in the form of proper documentation.
Proper training must be given to all employees so that they can cope with any threat to information system security. This training may be composed of (Pfleeger):
- Employee Meeting: A warning about any new virus or security threat may be given to all relevant system users at an employee meeting.
- Email Notification: an email from the Chief Security Officer may be sent to all system users about new viruses and methods of avoiding them.
- Security Awareness Websites: teach system users to visit security websites regularly to check for any new developments in security threats and viruses.
To ensure information system security, a company’s information system policy must be assessed against the following guidelines:
- Policy Documentation: the company must have proper and thorough documentation covering all the issues of the security policy.
- Threat Analysis: Common threats to system security must be analyzed properly and on a regular basis.
- Prevention of Infection: Prevention techniques must be defined very clearly and strictly followed.
- Infection Detection Tools: infection detection tools must be properly managed and updated regularly.
- Infection Correction: the policy must define how an infected system can be corrected and the maximum damage a threat can cause in a system.
The increasing reliance by business upon the use of data processing systems and the increasing use of networks and communications facilities to build distributed systems have resulted in a strong need for computer and network security.
In order to ensure its information system security, a company has to follow a security policy that clearly defines, through proper documentation, how to manage risk assessment, how to detect viruses and other security threats, how to correct the damage caused by these viruses, and how to train employees properly to cope with any potential threat to information system security (GAO Accounting and Information Management Division).