Security Assurance Plan for The Sirius Council Borough of Betelgeuse System

  


  Document Number:
  Issue: 1.0
  Date: 15 December 2010
  Author: Gang Yang 7661449
  Risk assessment group participants: Methawuth Poonpanich 7603433, Yangchao Dong 7758699, Hongwei Yang 7216260

  

© The National Computing Centre Limited 2009

All rights reserved

The copyright in this document template is vested in the National Computing Centre Limited. The document must not be reproduced, by any means, in whole or in part or used for manufacturing purposes, except with the prior written permission of The National Computing Centre Limited and then only on condition that this notice is included in any such reproduction.

This template is supplied in good faith and NCC cannot be responsible for the way that it is deployed. Information contained in this document is believed to be accurate at the time of publication but no liability whatsoever can be accepted by The National Computing Centre Limited arising out of any use made of this information.

1. Modification History

  Revision   Date         Revision Description
  0.1        01/12/2010   System objectives & Asset register
  0.2        04/12/2010   Risk assessments
  0.3        06/12/2010   Risk treatment and countermeasures
  0.4        11/12/2010   Business continuity
  0.5        12/12/2010   Disaster recovery
  0.6        13/12/2010   User training and awareness
  0.7        14/12/2010   Quality Assurance regime
  1.0        16/12/2010   Review and error check

2. Contents

1. Modification History
2. Contents
3. System objective
  3.1. Purpose
  3.2. Information lifecycle and classification
  3.3. Relevant topics for compliance
    3.3.1. Regulation
    3.3.2. Standards
  3.4. Responsibilities and expert characteristics of stakeholders and users
  3.5. Protection profile
4. Asset register
  4.1. Asset overview
  4.2. Asset ranking
    4.2.1. Hardware (IT infrastructures, network infrastructures and cable lines)
    4.2.2. Software (Application software and system software)
    4.2.3. Services
    4.2.4. Information
    4.2.5. People
5. Risk assessments
  5.1. Risks
  5.2. Impact
    5.2.1. Importance of asset
    5.2.2. Risk severity
    5.2.3. Probability of occurrence
    5.2.4. Impact ranking
6. Risk treatment and countermeasures
  6.1. Hardware (Network infrastructures)
  6.2. Hardware (Cable lines)
  6.3. Hardware (IT infrastructures)
  6.4. Software (System)
  6.5. Software (Application)
  6.6. Services
  6.7. Information
  6.8. People
7. Business continuity
  7.1. Prioritisation
  7.2. Contacts
  7.3. Incident management
  7.4. Audit
  7.5. Business continuity plan
8. Disaster recovery
  8.1. Instructions for relocation
  8.2. Rebuilding the information system
9. User training and awareness
  9.1. Acceptable use
    9.1.1. Computer and/or network skills training
    9.1.2. Confidential policy awareness
  9.2. Enforcement
10. Quality Assurance regime
  10.1. Reviews
  10.2. Inspections
  10.3. Audits
  10.4. Testing
11. Coursework Submission Form

3. System objective

  3.1. Purpose

  In a knowledge-based economy, an increasing number of individuals and organisations have begun to recognise that information is the lifeblood of companies. Information and communication technologies (ICTs) have become an indispensable part of business processes and are widely used in different industries, such as banking, education, manufacturing and entertainment. However, as an intangible asset of a company, information is easily stolen or lost. As a result, a security assurance plan is always required when a company installs or changes network infrastructures and computer software, implements new services, or develops a new business plan, to help the company and its stakeholders:

  - Protect information in the areas of confidentiality, availability, and integrity;

  - Manage assets, including hardware, software, information, people, and services;

  - Reduce or mitigate risks that come from deliberate attacks, accidental damage and environmental threats;

  - Engender trust between companies and their stakeholders.

  The main purpose of this report is to formulate a security plan for the new network strategy of the Sirius Council Borough of Betelgeuse network system (which is made by CIAN Services) on the basis of relevant security standards and policies. The main contents of the report consist of asset identification and classification, risk assessment and treatment, business continuity planning, disaster recovery, user training and the establishment of an assurance regime.

  3.2. Information lifecycle and classification

  The new Sirius Council Borough of Betelgeuse network system holds a range of information, such as customer information, personal data, future plans and campaigns, and sensitive company information. This information can be split into two categories according to confidentiality, availability, and integrity. One group is open information, which can be released to the public. The other group is confidential information, which can only be accessed at a specific time, in a specific place, and by specific people. Classified information cannot always be kept secret, because of some issues (i.e. financial condition). In fact, all the classified information in the new Sirius Council Borough of Betelgeuse network system has a lifespan. As a result, its classification can be changed from ‘confidential’ to ‘open’ under some circumstances. For example, part of the information in the network system can be opened when network frameworks are updated and will no longer be used in the future.

  3.3. Relevant topics for compliance

  Regulations and standards are necessary in the process of assessment. They should be determined and declared before the security assurance plan is established, in order to meet the requirements of the council and keep the plan within the law.

3.3.1. Regulation

  1) Computer Misuse Act 1990

  2) Data Protection Act 1998

  3) Electronic Communications Act 2000

  4) Communications Act 2003

  5) Computer Security Act of 1987

  3.3.2. Standards

  1) ISO/IEC 27001

  2) ISO/IEC 27002: 2005

  3) ISO/IEC 27005: 2008

  4) ISO/IEC 15408

3.4. Responsibilities and expert characteristics of stakeholders and users

  This network system belongs to the organisation of Sirius Council Borough of Betelgeuse. It is used to provide council services to internal and external users. Indeed, there are many stakeholders in the value chain of this network system. All the users can be summarised and classified as follows:

  1) Internal users
     a. IT support teams
        i. Network Managers / Managed Network Services Unit (MNSU)
        ii. IT Managers / Computer Services (CS)
     b. Staff of the council

  2) External users
     a. CIAN Service
     b. Internet service providers (ISPs)
     c. Government and other councils
     d. Ordinary citizens

  As can be seen from the following table, they have different permissions, responsibilities, and proficiency in computer skills.

  Internal users

  User: MNSU
  Information: Information concerning LAN management
  Permission (Check/modify): Check/modify
  Responsibility: LAN management (including voice network and data network)
  Computer skills: Software related LAN trouble shooting and management

  User: CS
  Information: Information concerning IT infrastructures management (except network infrastructures)
  Permission (Check/modify): Check/modify
  Responsibility: IT infrastructures installation and management
  Computer skills: Relevant computer management software

  User: Staff of the council
  Information: Information concerning relevant department
  Permission (Check/modify): Check/modify
  Responsibility: Public Service offer and department business
  Computer skills: Basic use (CRM)

  External users

  User: CIAN Service
  Information: Information concerning network design and installation
  Permission (Check/modify): Check/modify
  Responsibility: Network design and installation
  Computer skills: Software related network design, installation and test

  User: ISPs
  Information: Information concerning external access of WAN access management
  Permission (Check/modify): Check/modify
  Responsibility: WAN management (including voice network and data network)
  Computer skills: Software related WAN management

  User: Government and other councils
  Information: Shared information
  Permission (Check/modify): Check
  Responsibility: None
  Computer skills: Basic use (CRM)

  User: Ordinary citizens
  Information: Open information
  Permission (Check/modify): Check
  Responsibility: None
  Computer skills: Basic use

Table [1] Responsibilities and expert characteristics of stakeholders and users

3.5. Protection profile

  The new Sirius Council Borough of Betelgeuse network system is available for providing better communication services among the council, its key partners and ordinary citizens. According to its function, some assets should be protected in order to ensure the security of information and the operation of council services. Those assets include:

  - Tangible assets: employees, software, hardware

  - Intangible assets: information, services

4. Asset register

4.1. Asset overview

  The new Sirius Council Borough of Betelgeuse network system comprises 47 tangible and intangible assets. They are located in different places and have different importance; therefore the loss or breakdown of those assets may affect business continuity to different degrees. According to ISO/IEC 27002: 2005, those assets can be divided into five categories: hardware, software, services, people and information. Each category has some registered assets. Their security is in the charge of different teams or individuals. All the assets have been summarised in the following table.

  Asset: Hardware
  Definition: Hardware is a set of physical equipment of the network and office, which are the carriers of software and services. They can be divided into three categories: cable, IT infrastructures and network infrastructure.
  Ownership: Network infrastructures and cable belong to the Managed Network Services Unit (MNSU). Others belong to Computer Services (CS).
  Number: 21
  Component examples: Switches (backbone, branch), routers (backbone, branch), hubs, gateway, cable lines, servers, PC, printer, fax machine, mobile, Kiosks, etc.

  Asset: Software
  Definition: Software is the program operated on the hardware, which is the supporter of services. It can be split into two categories: system software and application software.
  Ownership: Almost all the software is in the charge of the IT Managers of Computer Services, except the software operated in the network infrastructures.
  Number: 16
  Component examples: Office applications, operating system applications (PC/server/network infrastructure), call centre applications, mail system, management system, browser applications, etc.

  Asset: Services
  Definition: Service is a kind of intangible asset, which can be delivered to meet relevant demands of internal staff and citizens.
  Ownership: ISPs and relevant departments of the council are the providers of most services.
  Number: 5
  Component examples: Call centre, PBX, Remote network access, and control centre.

  Asset: Information
  Definition: Information is the core asset of the network system. Its loss or leak may lead to severe consequences for all the stakeholders.
  Ownership: Information belongs to its generators. Here these are the council and CIAN Services.
  Number: 2
  Component examples: Data warehouse and ‘Where is IT’ (regulation)

  Asset: People
  Definition: People include all the staff of the council (working outside or inside).
  Ownership: All the people employed by the council are managed by the department of human resources.
  Number: 3
  Component examples: Telephone operators, home-workers, and central staff

  

Table [2] Assets register

More details of those assets are provided in Risk Treatment Plan spreadsheet.

4.2. Asset ranking

  In the new Sirius Council Borough of Betelgeuse network system, assets have their own characteristics (location, owner, usage, function) and vulnerabilities; therefore they have different importance in this system. Due to limited capital, not all the assets can be given the best protection. As a result, before the assurance plan is formulated, an asset ranking is required to evaluate and assess the importance of assets. This assessment should be done according to three basic criteria: confidentiality, availability, and integrity.

  4.2.1. Hardware (IT infrastructures, network infrastructures and cable lines)

  In terms of hardware, the criteria of confidentiality and availability are more important than integrity. For one thing, some hardware should be placed in a secure room in order to ensure it can only be accessed by authorised people; otherwise the information saved on the hardware is easily stolen, modified or damaged. For another, as the basic components of the network system, hardware should be kept working all the time, because malfunctions and damage will severely threaten the operation of services and software.

  4.2.2. Software (Application software and system software)

  Concerning software, the assessment will pay more attention to the criteria of integrity and availability. Firstly, in order to ensure normal operation, the program and information in software must be 100% accurate and complete; otherwise incorrect or incomplete data may lead to serious results, for example, service breakdown and information leakage. Moreover, software should always be available and easy to recover, in order to ensure that the on-going important business in the network system cannot be broken down.

  4.2.3. Services

  Services in this network system are used to maintain communication among internal staff, technical support teams and external customers. As a result, confidentiality and integrity should be adopted to assess the importance of services. For one thing, data and voice services should be protected from unauthorised login. Otherwise, the information in the communication may be stolen or damaged. For another, in order to ensure business continuity, all the data in the network service should be correct and 100% complete.

  4.2.4. Information

  Information (policy, database, and contract) is the core component of the network system, because it contains all the confidential and open data of the business process. As a result, it should be given the heaviest protection. To assess the information, all the criteria, namely confidentiality, availability, and integrity, should be considered.

4.2.5. People

  Availability and confidentiality are the main criteria for assessing the importance of people who are employed by Sirius Council Borough of Betelgeuse. Firstly, some staff can access confidential information easily; therefore those people should be supervised to prevent them from leaking secrets, regardless of whether they are on the job. Moreover, attention should also be paid to availability in terms of people. The council should ensure that the business cannot be interrupted when some council staff leave their jobs.

  The importance ranking table is as follows.

  Asset                                 Average importance   Ranking
  Information                           5.0                  1
  Services                              4.4                  2
  Software (System)                     4.0                  3
  Cable lines                           3.8                  4
  Hardware (IT infrastructures)         3.6                  5
  Software (Application)                3.4                  6
  Hardware (Network Infrastructures)    3.3                  7
  People                                3.3                  7

Table [3] Assets ranking

More details concerning asset ranking can be checked in the Risk Treatment Plan spreadsheet.

5. Risk assessments

5.1. Risks

  There are many general and Internet threats to the new Sirius Council Borough of Betelgeuse network system. According to ISO/IEC 27005: 2008, some threats come from deliberate human actions, such as Day Zero Attack, unauthorised access, and virus attack. Some are caused by accidental technical errors, such as inaccurate operation, software loophole, ISP error and inaccurate modification. Others derive from a changeable environment, such as pollution, water damage and fire. If ignored, those threats may lead to information leakage or data loss. Those threats have different characteristics and different influence on the assets of the network system. To analyse and assess the impacts of those threats, all the potential threats have been classified and summarised in the following table.

  Each entry below gives the risk followed by its type (Environmental risks / Deliberate attacks / Accidental failures).

  Hardware (Network infrastructures)
  - DOS Attack: Deliberate attacks
  - Unauthorised Interception and Access: Deliberate attacks
  - Technical Failure (Incorrect configuration): Accidental failures
  - Physical Damage (Failure): Environmental risks
  - Equipment Theft: Deliberate attacks
  - ARP Spoofing: Deliberate attacks

  Hardware (Cable lines)
  - Line damage: Accidental failures
  - ISP Error (Service breakdown): Accidental failures
  - Unauthorised Interception: Deliberate attacks

  Hardware (IT infrastructures)
  - Unauthorised Interception and Access: Deliberate attacks
  - Technical Failure (Incorrect configuration): Accidental failures
  - Physical Damage (Failure): Environmental risks
  - Equipment Theft: Deliberate attacks
  - Malicious Code Attack (Virus, Trojan or other malicious programs): Deliberate attacks
  - Users' Misuse (Restriction ignorance): Accidental failures

  Software (System)
  - Unauthorised Access (Illegal login and data manipulation): Deliberate attacks
  - Malicious Code Attack (Virus, Trojan or other malicious programs): Deliberate attacks
  - Day Zero Attack: Deliberate attacks

  Software (Application)
  - Unauthorised Access (Illegal login and data manipulation): Deliberate attacks
  - Malicious Code Attack (Virus, Trojan or other malicious programs): Deliberate attacks
  - Software Loophole (Buffer overflow): Accidental failures

  Services
  - ISP Error (Service breakdown): Accidental failures
  - Loss of Key Personnel: Deliberate attacks
  - Information Leakage: Accidental failures
  - Unauthorised Access (Illegal login and data manipulation): Deliberate attacks
  - Technical Failure (Incorrect configuration, inaccurate operation): Accidental failures

  Information
  - Unauthorised Access (SQL injection): Deliberate attacks
  - Loss of Document: Accidental failures
  - Inaccurate Modification: Deliberate attacks

  People
  - Loss of Key Personnel: Deliberate attacks
  - Information Leakage: Accidental failures
  - Inaccurate Operation: Accidental failures

  

Table [4] Risk summary

5.2. Impact

  In order to assess the influence of threats on the new Sirius Council Borough of Betelgeuse network system, three criteria should be considered: the importance of the asset, the risk severity and the probability of occurrence.

  5.2.1. Importance of asset

  To Sirius Council Borough of Betelgeuse, the assets differ in importance. Some assets are very important, for example, the relational database management system, which holds much core business information. As a result, its damage or information leakage may have a severe impact on the business of the network system. Conversely, information leakage from a personal computer may only affect a few people and a small part of the business.

  5.2.2. Risk severity

  Risk severity is another criterion of impact assessment. Threats of varying degrees may lead to different results. Some results are severe, for example, unauthorised access. Hackers can get all the information in the network through unauthorised access. As a result, it has a very serious influence on the network system. Conversely, a software loophole may only affect one computer, and it can be recovered easily.

  5.2.3. Probability of occurrence

  Although the new Sirius Council Borough of Betelgeuse network system has many security threats, some of them rarely happen. For example, it is impossible for equipment theft to occur frequently in the system. In contrast, technical errors take place nearly every day. As a result, the impacts of those threats are different.

  5.2.4. Impact ranking

  The impact ranking of different assets is as follows.

  Asset                                 Average impact   Ranking
  Information                           44%              1
  Services                              40%              2
  Software (System)                     39%              3
  Software (Application)                35%              4
  People                                29%              5
  Hardware (Network infrastructures)    24%              6
  Hardware (Cable lines)                24%              6
  Hardware (IT infrastructures)         22%              8

Table [5] Impact ranking of different assets

More assessments of the risk system (risk events, probability of occurrence, risk severity, etc.) in the new Sirius Council Borough of Betelgeuse network system are available in the Risk Treatment Plan spreadsheet.

6. Risk treatment and countermeasures

  There are many risks in the new Sirius Council Borough of Betelgeuse network system. They have a severe influence on the system operation. As a result, a risk treatment plan is required to mitigate potential risks. In this plan, security requirements will first be analysed on the basis of three basic criteria: confidentiality, availability, and integrity. Then, policies to meet those requirements will be formulated according to ISO/IEC 27002: 2005. Finally, corresponding business measures will be presented to implement those policies.

  Five basic risk solutions can be used in the risk treatment plan.

  - Acceptance: Some risks are difficult to avoid or the solution is too expensive; therefore, the risks have to be accepted and the business in the network system has to live with them.

  - Prevention: Some risks can be predicted before the disaster occurs; therefore they are likely to be avoided by corresponding artificial measures.

  - Reduction: Some risks cannot be avoided, but their incidence or damage can be reduced by using relevant solutions.

  - Transference: Some risks are hard to solve; therefore they have to be transferred to manufacturers or service providers.

  - Contingency: Some risks rarely occur. They do not need to be cared for.

6.1. Hardware (Network infrastructures)

  Components: Network infrastructures comprise ATM Backplane Switches (HAL 8274), ISDX/REALITIS (Voice) Switches, Smaller Switches (HAL 8273), Backbone Hubs, Routers and Novos Gateways.

  Security requirement: In terms of network infrastructures, confidentiality and availability are the main security requirements (according to chapter 4.2.1). Some common risks of network infrastructures include DOS Attack, Unauthorised Interception and Access, Technical Failure (Incorrect configuration), Physical Damage (Failure), Equipment Theft and ARP Spoofing.

  Policies to meet those requirements: Physical and environmental security, access control (Network access control)

  Controls to implement those policies: Some measures should be taken to reduce the risks of network infrastructures.

  1) In order to avoid unauthorised access, network infrastructures should be placed in a secure room (such as DMZ) to avoid theft and unauthorised access. Any access to the infrastructures should be recorded.

  2) IT infrastructure and network infrastructures should be placed separately.

  3) A firewall should be deployed in network infrastructures to protect the network from DOS attack and ARP spoofing.

  4) Network infrastructures should be configured according to the instruction manual by professional engineers.

  5) Standby routers and relevant configuration should be available for business continuity.

  6) Inspections and tests should be conducted regularly by the internal technical support team and external inspectors.

  

Table [6] Hardware (Network infrastructures) treatment plan

6.2. Hardware (Cable lines)

  Components: Fibre Optic (Backbone LAN), Category 5 UTP, 10Base5/10Base2 (LAN), Fibre Optic Link, Digital Leased Circuit (WAN), Dial Up ISDN Digital Circuits (WAN) and ISDT Circuit, and 2Mbps Digital Circuit (WAN) belong to the cable lines group.

  Security requirement: Confidentiality and availability are the most important security requirements for cable lines (according to chapter 4.2.1). Common risks of cable lines include Line damage, ISP Error (Service breakdown) and Unauthorised Interception.

  Policies to meet those requirements: Physical and environmental security (Cabling security, equipment maintenance), operation and communication management (Third party service delivery management, network security management)

  Controls to implement those policies: In order to protect cable lines from common risks, some measures should be taken as follows.

  1) Network cables should be placed in a private secure channel, such as a locked room.

  2) Power cables and network cables should be kept separate.

  3) Electromagnetic shielding should be adopted to avoid interference.

  4) Physical inspection and data monitoring should be conducted regularly to prevent unauthorised access.

  5) New cables should be installed according to the relevant installation guideline.

  6) A backup link should be deployed to ensure business continuity.

  7) Contact should be kept with Internet service providers to avoid unexpected service breakdown.

  

Table [7] Hardware (Cable lines) treatment plan

6.3. Hardware (IT infrastructures)

  Components: The components of IT infrastructures include HDK Team/Super Servers, Hardware: Nouvelle Servers, Terminal Servers, (Dumb) Terminals, Printers, Fax Machines, Mobile Telephones, Personal Computers, Information Kiosks and Call Information Logging Equipment.

  Security requirement: As with other hardware in this network, IT infrastructures require most attention to confidentiality and availability (according to chapter 4.2.1). The threats to IT infrastructures comprise Unauthorised Interception, Technical Failure (Incorrect configuration), Physical Damage (Failure), Equipment Theft, Malicious Code Attack (Virus, Trojan, or other malicious programs) and Users' Misuse (Restriction ignorance).

  Policies to meet those requirements: Physical and environmental security, access control (user access management)

  Controls to implement those policies: Some measures should be taken to protect IT infrastructures from security risks.

  1) Security responsibilities should be distributed to each department.

  2) Some important IT infrastructures, such as servers, should be placed in a secure room (DMZ) to avoid theft and unauthorised access.

  3) All the IT infrastructures should be inspected and tested regularly.

  4) IT infrastructure should be installed and used according to the instruction manual.

  

Table [8] Hardware (IT infrastructures) treatment plan

6.4. Software (System)

  Components: The system software consists of Nouvelle Netware Operating System, HDK DRS 6000 and HDK Series 39 Mainframe System, PCSoft ScreenFrame YQ, UNIX Operating System and VME Operating System.

  Security requirement: System software requires high integrity and availability (according to chapter 4.2.2). Unauthorised Access (Illegal login and data manipulation), Malicious Code Attack (Virus, Trojan or other malicious programs) and Day Zero Attack are the common risks to system software in this network system.

  Policies to meet those requirements: Access control (Operating system access control), communications and operations management (Protection against malicious and mobile code).

  Controls to implement those policies: In terms of system software, measures should be taken to keep the software working and to restrict access to authorised users in order to reduce risks.

  1) Users can only access the operating system by using an identifier (user ID), password and authentication servers.

  2) All operations involving information, including the use of application software, data modification and messages, should be monitored and recorded.

  3) Firewall and anti-virus software should be installed and updated regularly in order to avoid Malicious Code Attack.

  4) Systems should be backed up and patched regularly.

  5) The connection time of the operating system should be limited. The interaction should be terminated automatically as soon as the session finishes or times out.

  

Table [9] Software (System) treatment plan

6.5. Software (Application)

  Components: The application software comprises Electronic Mail System, Network Management System (NMS), Document Management Systems (DMS), Geographical Information System (GIS), Document Image Processing (DIP), Relational Database Management Systems, AutoCAD, PCSoft Office, MDIS System, Firefox/FTP and NOVOS Software.

  Security requirement: Integrity and availability are the security requirements of application software (according to chapter 4.2.2). Threats to this application software group include Unauthorised Access (Illegal login and data manipulation), Malicious Code Attack (Virus, Trojan or other malicious programs) and Software Loophole (Buffer overflow).

  Policies to meet those requirements: Access control (Application and information access control), communications and operations management (Protection against malicious and mobile code, exchanges of information, electronic commerce services).

  Controls to implement those policies: Application software assets have a range of functions. They are widely used in common business; therefore, more attention should be paid to their security. To reduce the relevant risks, the following measures should be taken.

  1) Application software should be installed according to the installation guidelines.

  2) Firewall and anti-virus software should be installed and updated regularly in order to avoid Malicious Code Attack.

  3) Some software can only be accessed by specific users by using usernames, strong passwords or authentication servers.

  4) Some business information flows exchanged between communication-related applications (e-mail, voice, documents) should be encrypted with a strong encryption algorithm.

  5) The application software should be packed and updated regularly.

  6) Some operations (delete, execute, edit and add) concerning important business data should be monitored and recorded.

  

Table [10] Software (Application) treatment plan

6.6. Services

  Components: The services of the network system include Primary Call Handling, Message/Enquiry, Call Centre (Revenue Information, Social Services Direct), Control Centre (Out of Hours, Community Alarm Function), PBX System and Network, and Remote Network Access (ISDN, PSTN and Leased Line).

  Security requirement: For services, confidentiality and integrity are the security requirements (according to chapter 4.2.3). Relevant threats to services include ISP Error (Service breakdown), Loss of Key Personnel, Information Leakage, Unauthorised Access (Illegal login and data manipulation) and Technical Failure (Incorrect configuration, inaccurate operation).

  Policies to meet those requirements: Communications and operations management (Third party service delivery management, network security management, exchanges of information, electronic commerce service), access control (Network access control).

  Controls to implement those policies: All the services (data and voice) provided by the ISP or Call centre should be protected from information security incidents by the following measures.

  1) It is necessary to sign a responsibility agreement with the service providers concerned.

  2) Backup and inspection should be done regularly with the help of service providers.

  3) Security reports given by service providers should be reviewed regularly.

  4) Only authorised users can access internal services (such as Internet service and voice service) by using usernames, strong passwords or authentication servers.

  5) Internal services should be supervised to prevent staff from using them for their own business.

  6) Internal servers should be backed up and tested regularly.

  7) Internal services can be provided to external users by using a virtual private network (VPN).

  

Table [11] Services treatment plan

6.7. Information

  Components: Data Warehouse and Where is IT are the components of the information group.

  Security requirement: The security requirements of information include confidentiality, availability, and integrity (according to 4.2.4). Unauthorised Access (SQL injection), Loss of Document and Inaccurate Modification are the common threats to information.

  Policies to meet those requirements: Information systems acquisition, development and maintenance.

  Controls to implement those policies: Information, including contracts, licences, databases and source code, is the core asset of the network system. To reduce risks, the following measures should be implemented.

  1) The correctness and integrity of input and output data should be checked.

  2) Any changes (delete, update, repair, copy, add) concerning classified information and assets should be monitored by the relevant staff and recorded in a log.

  3) Confidential data should be encrypted with a strong key for transmission and storage.

  4) Security responsibilities should be distributed to specific staff.

  5) Backup and inspection should be done regularly.

  6) Only authorised users can access data by using usernames, strong passwords or authentication servers.

  

Table [12] Information treatment plan

6.8. People

  Components: The people of the network system comprise Telephone Operators, Home-workers, and Central Staff.

  Security requirement: For people assets, availability and confidentiality are the security requirements (according to chapter 4.2.5). Threats to them comprise Loss of Key Personnel, Information Leakage and Inaccurate Operation.

  Policies to meet those requirements: Human resources security (Management responsibility, information security awareness, education and training, termination responsibility).

  Controls to implement those policies: In order to ensure the security of this network, some measures concerning employees should be taken when they are newly employed, on the job, and off the job.

  1) A confidentiality policy should be formulated to supervise information/resource usage and avoid information leakage.

  2) Staff who can access classified information should comply with the confidentiality policy.

  3) Staff should be trained before they start the job. The training includes two parts: computer and/or network skills training, and confidentiality policy awareness.

  4) Assets (smart card, key, memory stick) should be returned to the council when staff leave their jobs.

  

Table [13] People treatment plan

  More risk treatments and countermeasures for the new Sirius Council Borough of Betelgeuse network system can be found in the Risk Treatment Plan spreadsheet.

7. Business continuity

  Many threats still exist in the new Sirius Council Borough of Betelgeuse network system. Some of them, for example a virus attack, are very likely to happen and would have a huge impact on the network system. As a result, the security assurance plan should be put into practice as soon as possible in order to safeguard the council's business. The purpose of the business continuity plan is to prevent the business from being interrupted.

  In order to keep the plans running effectively in the new Sirius Council Borough of Betelgeuse network system, some measures should be taken at the very beginning. Firstly, because the council's resources are limited, all resources, including budget, time, and manpower, should be distributed reasonably according to the security prioritisation of assets. Moreover, the directly responsible individuals or teams, their contacts, and the treatment process should be identified, planned and managed. Beyond this, in order to prevent emergencies and evaluate the treatment plan, rehearsals and tests should be carried out whenever the treatment plan is changed or updated.

  7.1. Prioritisation

  As can be seen from table [5], information (contract, database) is the key asset in the new Sirius Council Borough of Betelgeuse network system. The loss of or damage to information assets may have the most serious impact on this network system. As a result, the relevant individuals and teams in charge should pay more attention to the risks and countermeasures of information assets. Beyond this, the remaining assets should also be considered in the business continuity procedure according to their impacts.

  7.2. Contacts

  To ensure the implementation of the treatment plan, a contacts network should be built at the same time. It should operate over both the telephone and the network system. Additionally, the addresses and contacts of the relevant scenario action teams, service contractors, suppliers, and maintenance companies should be communicated to every user through websites, posters, security lectures, etc. These measures ensure that users can directly contact the relevant departments in time when a potential safety hazard emerges or a disaster happens in the new Sirius Council Borough of Betelgeuse network system. Relevant incident response and disaster recovery teams include:

  • Network Managers / Managed Network Services Unit (MNSU)

  • IT Managers / Computer Services (CS)

  • Internet service providers (ISP)

  • Software/hardware manufacturers

  • CIAN Services

  7.3. Incident management

  To manage incidents, treatment responsibility should be distributed to the relevant departments at the outset.

  Scenario Action Teams | Responsibility

  Network Managers / Managed Network Services Unit (MNSU) | LAN infrastructures, software and services