Security Policy – Management of Security Incidents
Encryption
Encryption consists of making data illegible to an unauthorised third party and preventing them from saving or transferring the data. The use of this method is recommended when transferring information classed as vital and confidential for the organisation, in particular during E-mail communications. The choice of encryption method falls to the IT manager. If necessary, they may consult with external specialists (SMEs: see Interception of communications).
Applying Security Measures To:
- File servers
- E-mail servers
- Fixed network
- Internal Wi-Fi network
- Customer Wi-Fi network
- Computers connected to the Internet
- Laptop computers
Directly Associated Organisational Measures:
- Classification and monitoring of resources
- Physical and environmental security
- Operational and communications aspects
- Development and maintenance of systems
- Compliance
Technical Measures:
Implementation
Some examples of free encryption tools:
VeraCrypt
VeraCrypt is a free encryption software with which you can encrypt a whole hard drive or create encrypted containers into which you can place sensitive files. These containers can be located on a hard drive, a file server or even on removable devices. It is easy to use and reliable from a security point of view.
7Z
7Z is a free tool used to compress and archive files. This tool also has an AES 256-bit strong encryption option. It can, therefore, be used to transfer confidential encrypted files on removable devices or by e-mail since the files are located in a compressed archive.
It is a symmetrical encryption tool like Truecrypt, so you need to exchange the encryption key securely with the recipient. Use a channel that is safe but different from the one used for the transfer of data. You can, for example, send the key by post, fax, SMS, or hand it to them in person.
Deposit of Encryption Keys
Responsibility
The CSSI and the key administrator are responsible for the encryption process.
Deposit Creation
The CSSI defines a secure location (typically a safety-deposit box classified as SECRET) in which copies of the keys made available to users are kept. The deposit has no backup. If they are destroyed, the key administrators should deposit their cases again.
‘Paper’ Deposit of Keys Classified as SECRET in a Safety-Deposit Box.
Applicable security measures:
- Two people are necessary (“four eyes” principle; separate authentication);
- Protocol for opening and access to keys;
- Keys in sealed envelopes;
- Content inventory stating:
- the name of the key creator; the name of persons authorised to access it;
- the name of the environment and the software for use with the key;
- the type of data being protected;
- the identifier of the envelope containing the value of the key.
‘Electronic’ Deposit (for CO keys)
This is the same procedure as detailed above, except for the four-eyes principle, as only the CSSI may access the safety-deposit box. This is why they may keep keys in electronic form (in a sufficiently protected container). They can replace the key identifier with the key itself. The CSSI does, however, have to ensure that their safeguards can also enable access to the key file.
Importing into the Physical Deposit
The author of the key drafts a form, noting down the key, and encloses it in the presence of the person responsible for the safety-deposit box, after having shown this person the form, solely for sufficient time for this person to see that the form has been fully completed and that the quality of the key is sufficiently good.
The person responsible for the deposit updates the deposit inventory and has it signed by the author of the added key.
Exporting a Key from Deposit
No key can be removed from the deposit. In case of usage, the following should be authorised:
- author of the key;
- any person explicitly mandated by the administrator of the information protected by the key, on condition that there is a legitimate purpose validated by the security manager.
Any export of the safety-deposit box inventory shall be signed by the person who examined the key, as well as the safety-deposit box managers.
Destruction of a Key from Deposit
On written request by the author and validated by the manager of the information protected, the safety-deposit box managers proceed with the destruction of a key. To this end, they destroy the envelope with the key inside in a document destroyer, after having verified the destruction request. The inventory is updated, keeping the destruction request as proof of legitimisation.
Electronic Signatures
An electronic signature is a method used to guarantee the authenticity of the source of a message (sender), and the integrity of its contents.
This technology should be implemented during dialogue via e-mail with external entities which may represent a commitment for the organisation. It is the responsibility of the IT manager to implement this technology for users.
LuxTrust provides electronic signature solutions. OpenPGP is a free alternative for signatures and encryption.
Electronic signatures can be affixed to documents and e-mails. The signature guarantees the authenticity of the sender, as well as the integrity of the content of the file relating to the message.
Applying Security Measures To:
- guarantee integrity
- guarantee non-repudiation
Organisational Measures:
Technical Measures:
Managing Technical Vulnerabilities
All types of organisations need to monitor risks relating to the exploitation of technical vulnerabilities which have been subject to publication.
To do this, they should introduce effective and systematic management of technical vulnerabilities for all their operating systems and network equipment. This is done through the application of corrective or other tools designed to prevent the exploitation of technical vulnerabilities. Monitoring the measures undertaken will enable their actual effectiveness to be gauged.
Applying Security Measures To:
Behavioural Measures:
Directly Associated Organisational Measures:
- E-mail of Security * Attribution of responsibilities
- Human factors
- Operational and communications aspects
- Management of security incidents