10 tips for the security of your information system
The “IT and Freedoms” law requires organizations that process personal data files to guarantee the security of the data processed in them. This requirement translates into a set of measures that those responsible for the files must implement, primarily through their information systems (IS) or IT manager.
Adopt a strict password policy
Access to a workstation or to a file by username and password is the first line of protection. The password must be individual, hard to guess and kept secret. It must not be written down on any medium. The IT department or the IT manager must set up a strict password management policy: a password must contain at least 8 characters, including digits, letters and special characters, and must be renewed frequently (for example every 3 months). The system must force the user to choose a password different from the three previously used. Usually assigned by the system administrator, the password must be changed by the user at the first login. Finally,
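The rules above (8 characters minimum, digits plus letters plus special characters, renewal every 3 months, no reuse of the last three passwords, forced change at first login) can be enforced mechanically. The following Python example is added here to illustrate that; it is not code from the original guide. It keeps the password history as salted PBKDF2 digests rather than clear text, so the history itself does not become a secret to protect; the 90-day figure and the sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy values taken from the text: at least 8 characters, digits + letters +
# special characters, renewal every 3 months (assumed here to be 90 days),
# no reuse of the last 3 passwords.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_SIZE = 3


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 digest, so the history never stores clear-text passwords."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def check_composition(password: str) -> List[str]:
    """Return the list of composition rules the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[A-Za-z]", password):
        problems.append("no letter")
    if not re.search(r"[^0-9A-Za-z]", password):
        problems.append("no special character")
    return problems


def reused_recently(password: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """History holds (salt, digest) pairs; only the last HISTORY_SIZE entries count."""
    for salt, digest in history[-HISTORY_SIZE:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def validate_new_password(new_password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """All reasons a proposed password must be refused; empty list means accepted."""
    problems = check_composition(new_password)
    if reused_recently(new_password, history):
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def must_change(last_changed: date, today: date, first_login: bool) -> bool:
    """Force a change at first login (administrator-assigned password) or after MAX_AGE_DAYS."""
    return first_login or (today - last_changed) > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample history for demonstration only.
    history = [hash_password(p) for p in ["Winter2023!", "Spring2024!", "Summer2024!"]]
    print(validate_new_password("Summer2024!", history))   # refused: reuse
    print(validate_new_password("Autumn2024!", history))   # accepted: []
    print(must_change(date(2024, 1, 1), date(2024, 4, 15), first_login=False))  # True
```

The history check re-derives the digest with each stored salt and compares in constant time; a real deployment would store the same structure in the directory or authentication database and run `must_change` at each login.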
Design a procedure for creating and deleting user accounts
Access to workstations and applications must use nominative (named) user accounts rather than “generic” ones (compta1, compta2, ...), so that the actions performed on a file can be traced and every stakeholder held accountable. Generic accounts do not make it possible to identify a person precisely. This rule should also apply to the accounts of system and network administrators and of any other agents responsible for operating the information system.
Agents’ workstations must be configured to lock automatically after a period of inactivity (10 minutes at most); users should also be encouraged to lock their workstations themselves as soon as they leave their office. These measures limit the risk of fraudulent use of an application during a momentary absence of the agent using the workstation. In addition, controlling the use of USB ports on “sensitive” computers, for example to prevent all the data in a file from being copied, is highly recommended.
Identify precisely who can access the files
Access to the personal data processed in a file must be restricted to the persons who legitimately need it to carry out the tasks assigned to them. The “authorization profile” of the agent or employee concerned follows from this analysis. Whenever an employee moves or is reassigned to a position, the line manager concerned must identify the file(s) that person needs to access and have their access rights updated. A periodic check of application profiles and of access rights to the directories on the servers is therefore necessary, to ensure that the rights granted match the functions actually held by each person.
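The periodic check described above is a reconciliation: compare the rights actually granted on the systems with the rights each person's position entitles them to, and report every gap. The Python example below is added here to show that reconciliation; it is not code from the original guide. The positions, authorization profiles and granted rights are a constructed data set with made-up account names; in practice they would be exported from HR, the profile catalogue and the directories or applications.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed sample data (all names are made up for the example).
# POSITIONS: HR's view of who holds which position.
POSITIONS: Dict[str, str] = {
    "alice": "accountant",
    "bob": "hr_officer",
    "carol": "accountant",
}
# PROFILES: the authorization profile of each position, i.e. the resources it
# legitimately needs.
PROFILES: Dict[str, Set[str]] = {
    "accountant": {"accounting_db", "invoices_share"},
    "hr_officer": {"hr_db", "payroll_share"},
}
# GRANTED: the rights actually present on the systems.
GRANTED: Dict[str, Set[str]] = {
    "alice": {"accounting_db", "invoices_share"},
    "bob": {"hr_db", "payroll_share", "accounting_db"},  # leftover from a previous position
    "carol": {"accounting_db"},                          # reassignment not fully applied
    "dave": {"hr_db"},                                   # no position: has left the organization
    "compta1": {"accounting_db"},                        # generic account, no named holder
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str                  # "excess", "missing" or "orphan"
    resources: FrozenSet[str]


def review_access(positions: Dict[str, str],
                  profiles: Dict[str, Set[str]],
                  granted: Dict[str, Set[str]]) -> List[Finding]:
    """Reconcile granted rights against the authorization profile of each account holder.

    - orphan:  the account has rights but no current position (departed user or
               generic account), so nobody can be held accountable for it;
    - excess:  rights beyond the profile of the current position;
    - missing: rights the profile requires but that were never granted.
    """
    findings: List[Finding] = []
    for account, rights in sorted(granted.items()):
        position = positions.get(account)
        if position is None:
            findings.append(Finding(account, "orphan", frozenset(rights)))
            continue
        expected = profiles[position]
        excess = rights - expected
        missing = expected - rights
        if excess:
            findings.append(Finding(account, "excess", frozenset(excess)))
        if missing:
            findings.append(Finding(account, "missing", frozenset(missing)))
    return findings


if __name__ == "__main__":
    for f in review_access(POSITIONS, PROFILES, GRANTED):
        print(f"{f.account:8} {f.kind:8} {sorted(f.resources)}")
```

Run on a schedule, the "excess" and "orphan" findings are the ones that reduce exposure when acted on (rights removed, accounts disabled); "missing" findings are usually tickets for the line manager.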
Ensure the confidentiality of data vis-à-vis providers
The interventions of the various subcontractors on a data controller’s information system must offer sufficient guarantees of security and confidentiality with regard to the data they may have access to. The law requires that a confidentiality clause be included in subcontracting contracts. Any intervention by a service provider on databases must take place in the presence of an employee of the IT department and be recorded in a register. Data that may be considered “sensitive” under the law, such as health data or data relating to means of payment, must also be encrypted.
Note: the system and network administrator is not necessarily authorized to access all of the organization’s data, yet needs access to the platforms or databases in order to administer and maintain them. By encrypting the data with a key the administrator does not know, held by a person who does not have access to the data (the security manager, for example), the administrator can carry out these duties while confidentiality is respected.
Secure the local network
An information system must be secured against external attacks. A first level of protection is provided by dedicated logical security devices: filtering routers (with access control lists, ACLs), firewalls, intrusion detection probes, and so on. Reliable protection against viruses and spyware requires constant attention to keeping these tools up to date, both on the servers and on the agents’ workstations. E-mail in particular calls for vigilance. Connections between the sometimes distant sites of a company or a local authority must be made securely, over private links or secured channels using “tunneling” or a VPN (virtual private network). Wireless networks must also be secured, given how easily the traffic on them can be intercepted remotely: use of encryption keys, control of the physical (MAC) addresses of authorized client computers, etc. Finally, remote access to the information system from mobile workstations must first authenticate both the user and the workstation. Internet access to electronic administration tools likewise requires strong security measures, including the use of the IPsec, SSL/TLS or HTTPS protocols.
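The filtering devices mentioned above (filtering routers with ACLs, firewalls) all work the same way: a packet is checked against an ordered list of inbound and outbound rules, the first matching rule decides, and anything no rule allows is dropped. The Python example below is added to make that logic concrete, including the glossary's requirement that unsecured protocols such as Telnet be prohibited; it is not code from the original guide and not a real firewall. The addresses and the rule set are constructed for the example (documentation-only IP ranges).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" (towards the LAN) or "out" (from the LAN)
    proto: str           # "tcp", "udp" or "any"
    src: str             # source network in CIDR notation
    dst: str             # destination network in CIDR notation
    dport: Optional[int] # destination port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    dport: int


LAN = "192.168.10.0/24"   # assumed internal network (constructed)
ANY = "0.0.0.0/0"

# Constructed rule set: explicit deny for Telnet (cleartext) in both directions,
# explicit allows for the services that are needed, and nothing else.
RULES: List[Rule] = [
    Rule("deny",  "in",  "tcp", ANY, ANY, 23, "no Telnet, cleartext"),
    Rule("deny",  "out", "tcp", ANY, ANY, 23, "no Telnet, cleartext"),
    Rule("allow", "in",  "tcp", "203.0.113.0/24", "192.168.10.5/32", 443, "partner site -> web app over HTTPS"),
    Rule("allow", "out", "tcp", LAN, ANY, 443, "HTTPS to the Internet"),
    Rule("allow", "out", "udp", LAN, "192.168.10.2/32", 53, "internal DNS"),
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when direction, protocol, both address ranges and port all agree."""
    return (rule.direction == pkt.direction
            and rule.proto in ("any", pkt.proto)
            and ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.dport in (None, pkt.dport))


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; a packet no rule covers is denied by default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "deny", "default deny"


if __name__ == "__main__":
    samples = [
        Packet("out", "tcp", "192.168.10.20", "198.51.100.7", 443),   # allowed
        Packet("out", "tcp", "192.168.10.20", "198.51.100.7", 23),    # Telnet, denied
        Packet("in",  "tcp", "198.51.100.7", "192.168.10.5", 443),    # unknown source, default deny
    ]
    for p in samples:
        print(p.direction, p.proto, p.src, "->", p.dst, p.dport, decide(p))
```

The ordering matters: the Telnet denies sit before the allows so that no later, broader allow can re-open port 23, and the implicit final deny is what turns the list from a blacklist into a whitelist of needed services.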
Secure physical access to the premises
Access to sensitive premises, such as server rooms and rooms housing network equipment, must be restricted to authorized staff. These premises must be given special protection: verification of clearances, guarding, locked doors, keypad locks, access control by named badge, etc. The IT department or the IT manager must also ensure that technical documentation, network addressing plans, contracts, etc. are protected.
Anticipate the risk of data loss or disclosure
The loss or disclosure of data can have several origins: error or malice on the part of an employee or agent, theft of a laptop, hardware failure, or the consequences of water damage or fire. Care must be taken to store data in server spaces provided for this purpose and subject to regular backups. Backup media must be stored in a room separate from the one hosting the servers, ideally in a fireproof safe. Servers hosting data that is sensitive or critical to the organization’s activity must be backed up and may be fitted with a fault-tolerance device. It is recommended to write an “emergency/recovery” procedure describing how to rebuild these servers quickly after a breakdown or major disaster. Mobile devices (laptops, USB sticks, personal digital assistants, etc.) must be specifically secured, by encryption, according to the sensitivity of the files or documents they may hold. End-of-life computing equipment, such as computers or copiers, must be physically destroyed before being discarded, or have their hard drives wiped before being donated to associations. Hard disks and removable storage devices that are repaired, reassigned or recycled must first be low-level formatted to erase the data that may be stored on them.
Anticipate and formalize a security policy of the information system
The set of rules relating to computer security must be formalized in a document accessible to all agents or employees. Its drafting requires a preliminary inventory of the threats and vulnerabilities that weigh on the information system. This document must be updated regularly in light of changes to the IT systems and tools used by the organization. Finally, the “security” parameter must be taken into account before any project related to the information system.
Sensitize users to “IT risks” and the “IT and freedoms” law
The main risk in terms of computer security is human error. Users of the information system must therefore be made particularly aware of the IT risks associated with the use of databases. This awareness can take the form of training, the distribution of memos, or the periodic sending of fact sheets. It should also be formalized in a document, such as a “computer charter”, which can specify the rules to be respected in terms of computer security, as well as those relating to the proper use of telephony, electronic mail or the Internet. This document should also state the conditions under which an employee or agent may create a file containing personal data, for example after obtaining the agreement of their manager, the legal department or the CIL (data protection correspondent) of the company or organization in which they work. This document must be accompanied by a commitment of responsibility signed by each user.
Note: make sure users regularly purge old documents and e-mails from their workstations. Similarly, regularly clean the exchange directory shared between departments so that it does not turn into a “catch-all” space (agents’ personal files mixed with sensitive files).
Authorization profile: defines, for a group of users, their rights over a set of data and/or applications.
Filtering router and ACL: a router is a device that routes information between two networks. Some routers include a traffic-filtering feature, similar to a firewall, implemented by access control lists (ACLs) of permitted and forbidden accesses.
Firewall: software and/or hardware equipment for partitioning networks. It implements inbound and outbound filtering rules and must prohibit the use of unsecured communication protocols (Telnet, for example).
“Tunneling” or VPN (virtual private network): a VPN secures the exchange of “extranet”-type data. To do so, it implements an authentication and data encryption mechanism. This is called encapsulating data through a “tunneling” protocol.
Encryption: a method of encoding/decoding data, typically using one or more logical keys, so that a file cannot be read by third parties who do not hold the key(s).
IPsec, SSL/TLS, HTTPS: network protocols that secure remote access by encrypting the transmitted data.
Fault tolerance: a security device, implemented in particular at the level of hard disks, that guards against the failure of a disk without interrupting applications or damaging the stored data.
BIOS: a system that, when a computer is switched on, executes basic operations such as hardware checks, scheduling of the device boot order, and reading sectors from a disk.