EUROPEAN POLYTECHNIC INSTITUTE, LTD.

BACHELOR THESIS

2010                                                     Jana HORÁKOVÁ

EUROPEAN POLYTECHNIC INSTITUTE, Ltd., Kunovice

 

Branch of study: Economic informatics

Security Policy Proposal for Information System of the Municipality Office in Veselí nad Moravou

 

(Bachelor thesis)

Author: Jana HORÁKOVÁ

Supervisor: Ing. Petr KEBRLE

Kunovice, June 2010

I confirm that I am the sole author of this Bachelor Thesis, written under the supervision of Ing. Petr Kebrle and with the help of the literature and publications which I listed in the Bibliography. I am aware that creating this thesis is subject to the rights and obligations under the Copyright Act No. 121/2000 Coll.

In Kunovice, June 2010                                                          ………………….……….

I would like to thank Ing. Petr Kebrle, the Head of the Department of the Mayor's and Secretary's Office at the Municipal Office, for his great kindness, for the materials and codes he gave me access to, and for the valuable advice and comments he provided to me during my work.

In Kunovice, June 2010

Jana Horáková

Contents

Introduction and Objective
Introduction
Objective
1       Methodology
2       Theoretical part
2.1         Security of Information Networks (IS)
2.2         Threats and Data Loss
2.3         System and Data Protection
2.4         Information Security Management
2.4.1          Risk Analysis
2.4.2          The Monitoring
2.5         Protection sorts
2.5.1          Firewall
2.5.2          The Cryptology
2.5.3          The symmetric encryption
2.5.4          The asymmetric encryption
2.5.5          The digital signature
2.6         Information Security Management System
2.7         Concepts
3       The practical part
3.1         The Municipal Office (Town Hall) in Veselí nad Moravou
3.2         Organizational Structure
3.3         Current state
3.4         Technologic Architecture
3.5         Information strategy
3.5.1          Sources used for the creation of information strategy (IST)
3.5.2          The main objectives of the Information Strategy
3.6         SW used in the Municipal Office
3.6.1          Operating Systems
3.6.2          Office Software
3.6.3          Graphical information systems (GIS)
3.6.4          Graphics and other software
3.7         Hardware used in the Municipal Office
3.7.1          Servers
3.7.2          Workstations
3.8         Analysis of existing IS
3.8.1          The analysis of questionnaire for management (leadership) of the city
3.8.2          Analysis of a questionnaire for IT professionals
3.8.3          Questionnaire for the Municipal Office employee (officials)
3.9         Suggested solution
3.9.1          Suggested solutions for management (leadership) of the city
3.9.2          Suggested solutions for IT Professional
3.9.3          Suggested solutions for the employees of the Municipal Office (officials)
3.10      Financial evaluation
Conclusion
Summary
Bibliography
List of Abbreviations
List of Annexes

Introduction and Objective

Introduction

 

Security policy is a complex discipline which deals not only with the security of data, computers and computer networks, but also with the creation of directives that all employees of a company must comply with, and with enforcing that compliance. Security policy is also a part of the internal regulations of industrial enterprises, banks, and trading, transport, telecommunications and security companies.

By adopting a security policy, the policy is put into practice. A properly implemented security policy leads to the effective use of resources and tools, both for security itself and for the development of newly defined requirements. Establishing a security policy not only produces new security projects and internal regulations, but also increases the effectiveness of security measures and introduces an information security management system (ISMS).

After security measures have been introduced, the security system must be maintained. To verify the effectiveness and quality of the implementation of the security policy, a security audit is carried out regularly. If a system error is detected, corrective measures are taken and the internal regulations are revised. Furthermore, the internal regulations are continuously updated according to current standards and legislation. An update should be carried out before each major intervention in the technology caused by external influences, but also after major accidents, natural disasters and other emergencies.

Today, however, there are still many organizations without any concept for securing their data, where nobody is responsible for security and it is implemented only on an ad hoc basis. For them, the right solution is to introduce a protection process consisting of risk analysis and a security policy.

This Bachelor Thesis deals mainly with information systems (IS) that are structurally complex and make use of electronic technology. These are the systems usually used to support information management in medium and large organizations, which include the Municipal Office in Veselí nad Moravou.

The Municipal Office in Veselí nad Moravou is exposed to many risks, such as the disclosure of trade secrets, of the personal data of employees and of the city's inhabitants, of transactions and, finally, of its strategy and technology, any of which can mean a huge loss to the Authority. It is therefore necessary that all information is carefully protected. An integral part of this protection against all external and internal attacks is testing by means of various controls and attempted attacks.

Objective

The aim of this work is to become familiar with the general principles of information security and with the process of constructing an information security management system (ISMS), with risk prevention, and with the identification of basic principles for the design and creation of security policies in public administration. It deals with practical guidelines and recommendations, among which, inter alia, is informing employees about the protection of their passwords and personal data.

For the final solution some milestones should be set, so it is necessary to indicate the basic outline of a solution: a procedure for dealing with information security in the organization of the Municipality of Veselí nad Moravou, a description of the current state of the information system in the Town Hall, and an assessment of the financial costs.

To fulfil the draft security policy it is recommended to reduce the vulnerability of the electronic communication systems and to prevent possible incidents by identifying potential attackers.

1       Methodology

 

This thesis determines an appropriate procedure for dealing with information security in the public body of the Municipal Office (Town Hall), describes the current state of the information system in the Municipal Office, and sets out the resulting draft security policy.

The work also includes familiarization with the general principles of information security and with the environment of the Municipal Office and its departments, which are the Department of the Secretary's Office, the Economic Department, the Development and City Administration Department, the Department of Internal Administration, the Environmental Department and Construction Authority, the Department of Social Affairs and Health Care, the Department of the Trade Office and the Department of the Mayor's Office. In total, the Municipal Authority operates with approximately ninety employees.

The beginning of the practical part describes the current state of the particular information system to which the proposal is applied.

The procedure and design for solving information security in the Municipal Office follow the standards released by the Czech Standards Institute (CNI), which should be observed. The solution design is justified and recommended to the Municipal Office staff in Veselí nad Moravou.

2       Theoretical part

2.1         Security of Information Networks (IS)

 

Security of information networks, or of information systems and technologies (IS/IT), is a field which includes technological, legal, administrative and social components.

Security of an information system (IS) is a condition in which the system is, to some extent, protected from misuse, modification and disruption. Misuse means using IS assets in an unauthorized way, such as reading confidential information. The aim is to ensure the security of IS data by securing their integrity, availability, reliability and confidentiality.

Security policy (BP) in the area of information technology (IT) is an important part of the security policy of an enterprise or organization. It presents a summary of security rules that define the organization's security, from physical protection, through the protection of professional interests, to the protection of privacy and personal data.

The IT security policy of an organization is concerned with the choice of security rules and regulations that satisfy the organization's overall security policy and formulate, in general terms, the safe use of information resources regardless of the particular information technology used. It thus determines which data are sensitive for the organization and who is responsible for them. Further, it defines the infrastructure dealing with security and sets the fundamental limitations that must be respected.

The security policy of the organization is one of the fundamental pillars on which the information security management system stands. The whole system can be built ineffectively and inefficiently if some basic parameters are not clearly defined. These basic parameters are the duties and responsibilities of the key roles and staff of the organization. [17]

The framework identifies the information security of the organization; after approval by the leadership it is binding for all employees and is the standard for all external entities that come into contact with the information and communication technologies (ICT) of the organization.

The security policy must be consistent with the policy of the whole organization. It defines the basic strategy, goals, attitudes, roles, responsibilities and principles relating to activities connected with information security. It also draws on existing and applicable internal guidelines and policies and develops them with regard to the applicability of security documentation within the organization's environment. It presents the conclusions derived from the IS risk analysis and defines mechanisms to ensure the effective management of information security. It is the basis for building the lower, more specific levels of security documentation.

Errors in the implementation of a security policy in an information system:

·      lack of project readiness,

·      lack of user training,

·      lack of financial preparedness,

·      dependence on an external company.

The main benefits of a security policy:

·      the security policy brings clearly formulated basic principles of information security into the organization,

·      all employees are aware of their basic responsibilities and obligations when working with information,

·      the basic requirements for the behaviour of external entities (e.g. suppliers) in the environment of the organization's information system are defined,

·      the security policy improves the image of the organization among business partners and cooperating agencies,

·      the security policy is developed on the basis of current rules and standards used in the field of security.

Negatives occurring in the implementation of a security policy:

·      financial costs,

·      the need to comply with rules that limit users' practices,

·      the need for increased skills,

·      the need for support from the organization's management.

Information security is a set of technical and organizational measures in the fields of computer and communication security, administrative and organizational security, personnel security and the physical security of the information system.

Information can be divided into:

·      public – publicly known information, which requires no protection,

·      internal – information of a non-public character that can, without serious consequences, be accessible to all staff,

·      strictly internal – information that is accessible only to a limited number of people,

·      personal data – personal data and sensitive personal data according to Act No. 101/2000 Coll., on information privacy,

·      specific facts – information according to Act No. 240/2000 Coll., on crisis management and amending certain laws,

·      secret information – information covered by the act on the protection of classified information and on the amendment of some laws.

 

2.2         Threats and Data Loss

Assets are the subjects of many types of threats. Threats can cause undesirable damage to the system and its assets. Threats can be of natural or human origin and may be accidental or intentional. Damage caused by an incident may be temporary or permanent, as in the case of destruction or irreversible damage to assets. [16]

The damage caused by a threat may vary; for example, a virus infection can cause various degrees of harm according to its actions. Such threats are associated with a degree of force: depending on it, a virus can be destructive or non-destructive.

An example of a threat is the possible loss of confidential corporate information transmitted over a wireless local area network (WLAN) through interception initiated by a competing organization. The agent of that threat is an operator hired by the competing organization.

The objects of the threat are confidential business information, and the mechanism of the threat is the interception of communication in the unprotected corporate WLAN. [20]

Several factors are involved in data loss. Of these, the one usually most responsible is the management of the organization itself, because it fails to direct employees to comply with internal regulations and directives. The size of the loss factors is listed in Table 1.

Loss percentage | Loss caused by
----------------|------------------------------------------
50 - 80%        | the management of one's own organization
10 - 30%        | employees of the organization
5 - 8%          | "force majeure"
0 - 8%          | external attacks

Table 1: Classification of shares in the losses

Source: [5]

Among the attacks which can occur in an IS are:

·      interception of transmitted data – communication is usually not encrypted,

·      falsification of identity – another person's password should never be known, and passwords should be changed every year,

·      unauthorized programs – banned programs; the organization's directive should state that programs may be installed only with the consent of the Head of the IT Department,

·      congestion of resources,

·      acquisition of private information,

·      misinformation and falsification of information.

Division of attackers by knowledge and professionalism:

·      amateurs – try to find weaknesses in the information system and use them to their advantage,

·      hackers, schoolchildren – these assailants attack security systems because of personal problems or in an attempt to prove that they are good,

·      professional criminals – they attack information systems constantly in order to gain personal benefit. These criminals are usually computer specialists.

A usual type of attack is also deliberate interference with communication channels. This type of attack is carried out mainly against radio communication channels.

Nowadays, the organization's radio transmission system can use methods of protection against intentional interference, which are called:

·      adaptation of transmission power – for the confidentiality of the channel or the minimization of mutual interference,

·      adaptation of the working frequency – the least disturbed frequency is selected for radio communication,

·      adaptive antenna system – by changing the directional characteristic of the antennas, the influence of extraneous signals can be curbed,

·      spread spectrum – retuning of the working frequency of the communicating radios.

 

2.3         System and Data Protection

Protection is a part of the organization's security policy; it is any measure that reduces the frequency and size of the loss of assets. The growing need for data protection and for securing relationships leads to an expansion of the use of cryptographic (encryption) devices.

The essential properties of information which protection ensures are:

·      confidentiality – information is accessible only to those who are authorized to access it,

·      integrity – information is complete and intact,

·      availability – information is available at any time to authorized users.

Protection may be of different natures:

·      technical – antivirus, firewall, etc.,

·      personal – preventing the access of unauthorized people,

·      organizational – directives and rules containing obligations for IS users, security management.

Personal information is, broadly, any information relating to a person. More precisely, personal information is data by which a person can be identified directly or indirectly, by a number, a code or a combination of several elements.

There are three entities that are obliged to protect sensitive data: the personal data controller (administrator), the processor, and the people who perform operations for administrators or processors.

The administrator is the person who determines the means and purpose of the processing and engages a processor by written contract. The processor carries out the processing determined by the administrator. The people performing work for the administrator or processor are all employees of the processor, but also people who are under contract to perform something for them. Processing means not only collecting, modifying, retrieving, using and disseminating personal data, but any work with them. According to the law, these obligations also apply to people who collect personal information illegally.

Obligations in the processing of personal data:

·      the obligation to ensure that the data subject does not suffer damage to their rights – dignity and the principle of proportionality must be maintained,

·      the obligation to obtain the subject's consent for direct marketing – the law allows some personal information to be used for commercial purposes,

·      the information obligation and guidance – the subject whose data are processed must be notified,

·      obligations in relation to the Office (the supervisory authority),

·      the security of personal data – technical, organizational and legal measures must be taken,

·      the obligation of confidentiality – the employees of the administrator or processor and other individuals must keep personal data confidential; this obligation persists even after the termination of the employment relationship.

 

 

2.4         Information Security Management

2.4.1          Risk Analysis

Risk analysis (AR) of an information system is a necessary step in addressing security; it serves to establish the current state of the information system's security.

Its aim is to identify the risks and find the weaknesses of the information system. The knowledge gained is then recorded in a document called the Risk Analysis. In this document, appropriate countermeasures are designed for the management and the responsible units of the organization, according to the knowledge gained. The Risk Analysis document covers the administrative, physical, organizational, personnel and computer security areas, to which the internal rules of the company are also bound.

The analysis can be implemented for an information system or for the organization, prior to drawing up plans in the context of the organization and its information system. The creation of a security policy precedes the life cycle of the information system. With each security change and each change of threats, the risk analysis should be updated and repeated.

The risk analysis consists of:

·      identification of assets,

·      valuation of assets,

·      identification of threats,

·      determining the scope of threats,

·      determining the vulnerability of assets against threats,

·      calculation of the risk for each asset and threat.

In assessing risks, the possible damage to assets must be considered. These assets can be affected by a failure of security.

During the evaluation, the potential consequences of the loss of credibility, integrity and availability of information and other assets must be taken into account. The real possibility of an error occurring and the currently implemented measures also need to be considered.

The results and the resulting risk assessments help the management of the organization to identify strengths and provide the necessary steps and procedures that lead to the management of information risks and to measures that prevent their occurrence.

In some cases the risk assessment and the provision of measures can be repeated several times, in order to cover different parts of the organization or individual information systems.

The revision of risks and organizational measures is to be carried out periodically in order to determine changes in threats, which reflect the requirements and priorities of operators and administrators. The review must consider new kinds of threats and vulnerabilities. The appropriateness and effectiveness of the measures should also be confirmed by this experience.

Revisions are made at different depths. The depth of the review depends on the results of the previous analysis and on changes in the level of risk that the organization's management must accept. The risk assessment is usually carried out initially at a general level. At this level, the risk assessment is used as an aid to prioritizing resources for the major risks. Only after this analysis is a further, detailed analysis carried out to determine specific levels of risk.

In the first phase of the revision, a level must be set to which the analyzed risks should be reduced. Aiming to eliminate all risks would lead to large and disproportionate costs in implementing the relevant measures and would thereby inevitably hamper the system. For this reason, the risk analysis also assesses the residual risk in relation to threats, vulnerabilities and the proposed countermeasures. On the basis of this knowledge, appropriate approaches and methods of risk analysis are selected.
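The six steps of the risk analysis and the residual-risk check described above, carried through on a constructed sample, as an added example that is not part of the thesis. The 1–5 rating scales, the scoring rule risk = asset value × threat likelihood × vulnerability, the countermeasure factors and all asset and threat names are assumptions made for illustration, not the method or data of the Municipal Office.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example; the 1..5 scales and the multiplicative scoring rule are
# assumptions for illustration, not the method used in the thesis.


@dataclass(frozen=True)
class Asset:
    name: str
    value: int        # step 2, valuation: 1 (negligible) .. 5 (critical)


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int   # step 4, scope of the threat: 1 (rare) .. 5 (frequent)


# step 5: vulnerability of an asset against a threat, 0 (not exposed) .. 5
Vulnerabilities = Dict[Tuple[str, str], int]
# share of the risk that remains once a countermeasure is in place (0 .. 1)
Countermeasures = Dict[Tuple[str, str], float]


def risk_score(asset: Asset, threat: Threat, vulnerability: int) -> int:
    """Step 6: risk of one asset/threat pair (assumed rule, maximum 5*5*5 = 125)."""
    return asset.value * threat.likelihood * vulnerability


def risk_register(assets: List[Asset], threats: List[Threat],
                  vulnerabilities: Vulnerabilities) -> List[Tuple[str, str, int]]:
    """Risk of every exposed (asset, threat) pair, highest risk first."""
    register = []
    for asset in assets:
        for threat in threats:
            vulnerability = vulnerabilities.get((asset.name, threat.name), 0)
            if vulnerability:                      # pairs with no exposure are skipped
                register.append((asset.name, threat.name,
                                 risk_score(asset, threat, vulnerability)))
    return sorted(register, key=lambda row: row[2], reverse=True)


def residual_register(register: List[Tuple[str, str, int]],
                      countermeasures: Countermeasures) -> List[Tuple[str, str, int, int]]:
    """Append the residual risk that remains after the proposed countermeasures."""
    return [(asset, threat, risk,
             round(risk * countermeasures.get((asset, threat), 1.0)))
            for asset, threat, risk in register]


def unacceptable(residual: List[Tuple[str, str, int, int]],
                 acceptance_level: int) -> List[Tuple[str, str, int, int]]:
    """Pairs whose residual risk is still above the level management agreed to accept."""
    return [row for row in residual if row[3] > acceptance_level]


# Constructed sample for a small municipal office; not data from the thesis.
ASSETS = [
    Asset("personal data register", 5),
    Asset("office WLAN", 3),
    Asset("public web site", 2),
]
THREATS = [
    Threat("interception of WLAN traffic", 4),
    Threat("malware via unauthorized program", 3),
    Threat("force majeure (flood, fire)", 1),
]
VULNERABILITIES: Vulnerabilities = {
    ("personal data register", "malware via unauthorized program"): 4,
    ("personal data register", "force majeure (flood, fire)"): 3,
    ("office WLAN", "interception of WLAN traffic"): 5,
    ("office WLAN", "malware via unauthorized program"): 2,
    ("public web site", "malware via unauthorized program"): 3,
    ("public web site", "force majeure (flood, fire)"): 2,
}
COUNTERMEASURES: Countermeasures = {
    # encrypting the WLAN is assumed to leave 20 % of the interception risk
    ("office WLAN", "interception of WLAN traffic"): 0.2,
    # install-only-with-consent directive plus antivirus assumed to leave 50 %
    ("personal data register", "malware via unauthorized program"): 0.5,
}
ACCEPTANCE_LEVEL = 20   # residual risk that management is willing to carry


def analyse() -> List[Tuple[str, str, int, int]]:
    """Full pass: register, residual risk, and the pairs that still need treatment."""
    residual = residual_register(risk_register(ASSETS, THREATS, VULNERABILITIES),
                                 COUNTERMEASURES)
    return unacceptable(residual, ACCEPTANCE_LEVEL)


if __name__ == "__main__":
    for asset, threat, risk, left in residual_register(
            risk_register(ASSETS, THREATS, VULNERABILITIES), COUNTERMEASURES):
        print(f"{asset:24} {threat:34} risk={risk:3} residual={left:3}")
    print("still above the acceptance level:", analyse())
```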

 

2.4.2          The Monitoring

Monitoring serves as one of the tools for observing the status of, and evaluating changes in, the level of information security in the organization's information systems. The security policy defines the required level of security. Monitoring continuously observes the operation of the IS and evaluates the degree of its security; it provides feedback to the previous phases of the information security policy and incorporates changes into the security system.

Monitoring of the operational process gives rise to a management cycle and ensures protection against incidents. It also ensures the detection of intrusion attempts into the IS and recovery after a security incident.

IS monitoring provides:

·      accountability of persons,

·      detection of disturbances,

·      event reconstruction,

·      assistance in analyzing and solving emerging problems.

 

 

2.5         Protection sorts

2.5.1          Firewall

A firewall is a network device used to control and secure the IS. By definition, a firewall can be described as a set of rules for communication between networks. A firewall also provides protection against further attacks, such as spoofed addresses. The communication scheme of the network is shown in Picture 1.

Nowadays, firewalls are based on information about the state of connections and on knowledge of the controlled protocols, or include elements of intrusion detection. If the firewall gateway is properly configured, attackers seeking unprotected computers cannot identify a protected computer.

Basic types of firewalls:

·      software gateway,

·      hardware routers,

·      wireless routers.

Picture 1: Communication network diagram

Source: [8]

 

 

 

2.5.2          The Cryptology

With the emergence in the last century of electronic computers and Internet connections, it became necessary to secure confidential and sensitive data against misuse. At first, the Internet connection was used by military forces and armies. After several years, the Internet became accessible to the public. The consequence of its mass expansion was the emergence of viruses and criminal attacks on computers aimed at obtaining users' personal data. It was therefore necessary to introduce ciphers, cryptology and antivirus programs into computer networks, which were supposed to prevent the destruction of computers and data leakage.

Cryptology deals with the security of messages; it is a field which includes cryptography and cryptanalysis and deals with the encryption of text. Cryptology can also be described as the technique and theory of encoding encrypted messages.

Encryption is the conversion of data into a form that cannot be read after encryption. Its purpose is to ensure the security of sensitive and private data on the way from the writer to the recipient, even if the encrypted form of the data can be accessed by anyone else.

Decryption is the reverse procedure of encryption. It means transcribing the data back into their original readable form.

Encryption and decryption use a piece of secret information, which is called the key. For certain cryptographic methods the same key can be used for both operations, encryption and decryption; for other methods the keys are different. Nowadays, in the age of computers, cryptography can be used for more than just encrypting and decrypting. One example is the verification of authenticity, also known as authentication, which is important because in this way data are protected. Authentication is performed with an electronic signature on documents, which is usually used in communication with authorities. An electronic, or digital, signature is one reliable way of safeguarding the integrity of the data sent, and the identity of the sender is thus securely verified. A digital signature is used to verify identity when the computer is used as a communication device.

 

2.5.3          The symmetric encryption

Symmetric encryption is also known as conventional encryption. Symmetric encryption arose before asymmetric encryption and is simpler than it. It uses the same key for encryption and decryption. Among its greatest benefits is its high speed, so it can easily be used to encrypt large amounts of data. Its major weakness is the use of shared keys: the sender who encrypted the message can also decrypt it, and it must not be forgotten that the key transmission path between the two communicating parties (sender and recipient) has to be secured.

The security of the cipher depends on the quality of the keys used, that is, on whether the key is sufficiently long and sufficiently random. If the key used does not fulfil these conditions, the cipher can be easily broken.

Symmetric encryption is divided into two types of algorithms, stream algorithms and block algorithms. The difference between them is that stream algorithms process the plaintext bit by bit, while block algorithms process it in blocks of bits.

 

2.5.4          The asymmetric encryption

Asymmetric encryption uses two keys, a public key (used to encrypt data) and a private key (used for decryption). The two keys can be distributed separately. Asymmetric algorithms are very slow and practically unusable for encrypting large amounts of data.

When a message is encrypted with the private key and then received and decoded with the public key, a digital signature is implemented: the fact that the message can be decoded with the public key verifies that it was signed with the corresponding private key. This method, however, does not protect the content of the message, because the public key is freely available (for example on the Internet).

Otherwise, the message is encrypted with the public key and decrypted with the private key, which ensures the confidentiality of the message. The originator encrypts its content using the recipient's public key, and only the recipient can decrypt the received message. In this case, however, the origin of the message is not ensured, i.e. that the message comes from the particular sender.

 

2.5.5          The digital signature

A digital signature is the most effective means of ensuring the integrity of the data sent and of verifying the sender of a message.

The principle of the digital signature is that first a cryptographic checksum is calculated from the data, and from the cryptographic checksum a digital signature is calculated using the secret (private) key. Then follows the verification of the digital signature, in which the recipient verifies, using the sender's public key, that the digital signature corresponds to the sender's identity. After verification, the cryptographic checksum of the received data is calculated and compared with the cryptographic checksum received from the sender. If the cryptographic checksums correspond to each other, it means that the data were not changed after they had been sent by the sender.

The sender's public key can verify the digital signature. This key cannot be used to create a valid digital signature, and anyone may know it.
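The sign-then-verify procedure described above, together with the public-key encryption of section 2.5.4, as an added example that is not part of the thesis. It uses textbook RSA with two fixed, deliberately tiny primes and SHA-256 as the cryptographic checksum; the key pair, the sample document and the bare (unpadded) arithmetic are assumptions for illustration only, whereas real systems use padded RSA or ECDSA with full-size keys.

```python
import hashlib
from typing import Tuple

# Added example, not from the thesis. Constructed toy key pair from two
# Mersenne primes; far too small for real use, chosen so the arithmetic is visible.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q                             # modulus, part of both keys
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (needs Python 3.8+)

PUBLIC_KEY: Tuple[int, int] = (E, N)
PRIVATE_KEY: Tuple[int, int] = (D, N)


def checksum(data: bytes) -> int:
    """Cryptographic checksum of the data (SHA-256), reduced mod N to fit the toy key."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, private_key: Tuple[int, int]) -> int:
    """Sender: checksum first, then the signature is computed from it with the private key."""
    d, n = private_key
    return pow(checksum(data), d, n)


def verify(data: bytes, signature: int, public_key: Tuple[int, int]) -> bool:
    """Recipient: recover the sender's checksum with the public key and compare it
    with the checksum of the data actually received."""
    e, n = public_key
    if not 0 <= signature < n:            # malformed signature, reject outright
        return False
    senders_checksum = pow(signature, e, n)
    return senders_checksum == checksum(data)


def encrypt(message: int, public_key: Tuple[int, int]) -> int:
    """Confidentiality (section 2.5.4): anyone may encrypt with the public key ..."""
    e, n = public_key
    if not 0 <= message < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, e, n)


def decrypt(ciphertext: int, private_key: Tuple[int, int]) -> int:
    """... but only the holder of the private key can decrypt."""
    d, n = private_key
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    document = b"Decision no. 42/2010 of the Municipal Office"   # constructed sample
    signature = sign(document, PRIVATE_KEY)
    print("signature verifies:", verify(document, signature, PUBLIC_KEY))
    # One changed byte changes the checksum, so the old signature no longer matches.
    print("after tampering:", verify(document + b" (amended)", signature, PUBLIC_KEY))
    # The signature hides nothing: anyone with the public key recovers the checksum.
    print("checksum recoverable by all:", pow(signature, E, N) == checksum(document))
    secret = 20100615
    print("encrypt/decrypt round trip:",
          decrypt(encrypt(secret, PUBLIC_KEY), PRIVATE_KEY) == secret)
```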

2.6         Information Security Management System

An information security management system (ISMS) is a documented system in which information assets are protected. Information assets include information in any form (paper or digital), software, hardware, facilities, rooms and people (e.g. employees). Information assets are information that is written, spoken or digital. Assets may be structured or unstructured. Structured information can be processed by software and hardware which are located in rooms. This information is processed by both natural and legal persons; they may be external, but usually they are employees of the organization.

When implementing an ISMS in an organization, one should follow the standard ISO/IEC 27001, which sets out the recommendations and has a link to the standard ISO/IEC 27002, which contains the recommended best practices. On becoming more familiar with these standards, the essential difference between them becomes clear: ISO/IEC 27001 specifies how to implement, monitor, maintain and improve an information security management system in the organization, while ISO/IEC 27002 provides a detailed overview of security measures that can be implemented. [22]

Information security must be managed regardless of the type of organization, whether it is a small company or a large one with many employees. The difference between sizes of firm lies only in deadlines and workload.

The information security management system is given; there are only different interpretations of the recommendations, procedures and solutions for achieving the best possible target. The principle of the ISMS is shown in Picture 2.

Picture 2: Safety management information system

Source: [18]

Benefits of ISMS implementation and certification in the organization:

·      an overview of assets and their classification,

·      development of control documentation,

·      effective use of resources and capacities,

·      risk reduction,

·      threats in the area of security of sensitive information are easy to find,

·      increased accountability of staff in the organization,

·      awareness of the organization's management,

·      increased credibility of the organization (better image of the company).

 

 

2.7            Concepts

 

Audit log is a record of events that may affect the security of the information system.

Assets are the hardware (HW), software (SW), information and documentation of the information system.

Authentication of a subject is the process of verifying the subject's identity to the required degree of assurance.

Authorization of a subject is the granting of specific rights to carry out activities.

Confidentiality of data is ensuring that information is accessible only to those who are authorized to access it.

Creating information systems of public administration is the process of introducing information and communication technologies, including their legal, organizational, technical and knowledge provisions. [17]

Object is a passive element of an information system that contains or receives information.

Protection of information is the set of technical and organizational measures designed to ensure the availability and non-marketability of information.

Risk analysis is the process in which the assets of the information system are identified together with the threats to them, their vulnerabilities, the likelihood of the threats and an estimate of their consequences.

Security mechanism is the actual realization of a security function.

Service is the provision of operations of the information system that meet the requirements of the authorized body and are associated with a function of the information system. [17]

Subject is an active element of an information system that transmits information between objects or changes the system state.

Threat is any possibility of loss of an asset.

3       The practical part

 

3.1            The Municipal Office (Town Hall) in Veselí nad Moravou

 

Veselí nad Moravou is a town within the meaning of the Municipalities Act No. 128/2000 Coll. This means that it is a basic territorial self-governing community of citizens, a territorial unit delimited by the boundary of the town's territory.

Veselí nad Moravou is a public corporation which has its own property. The municipality appears in legal relations in its own name and bears the responsibility arising from these relations. Strictly speaking, everything that concerns the property of the town, such as contracts, invoices, movable and immovable property, etc., refers to the municipality.

The municipality cares for the overall development of its territory and for the needs of its citizens. In carrying out its tasks it also protects the public interest expressed in laws and other legislation. It manages its own affairs within its independent competence and is governed by the laws and generally binding legal regulations issued by the central authorities. On the basis of its mandate it carries out state administration in the territory of the municipality of Veselí nad Moravou and within its catchment area.

The authorities of the municipality are the municipal assembly, the municipal council, the mayor and the municipal office. The municipal office in Veselí nad Moravou is an authority of this town.

Within its independent competence the municipal office provides in its territory for economic, social and cultural development and for the protection and creation of a healthy environment, except for the activities conferred by special laws on other bodies, such as the exercise of state administration. Furthermore, within its delegated powers it carries out state administration to the extent determined by special laws.

3.2            Organizational Structure

 

The municipal office is located in two buildings which lie about 100 m apart. The office is divided into several departments; there are fifty offices in which a total of approximately ninety employees work.

Figure 3 shows the organizational structure of the municipal office. For a better understanding of the picture, the Municipal Police Unit and the Fire Service were deliberately included, because both of them are also authorities of the municipality. The abbreviations of the departments are explained in the following paragraph.

 

Figure 3: Organizational Structure

Source: own production

 

Departments of the Municipal Office Veselí nad Moravou:

·      Department of the mayor’s and secretary’s office (KST),

·      Economic Department (E),

·      Department of Municipal Development and Administration (RSM),

·      Department of Internal Administration (VS), 

·      Department of Environment and Construction Authority (ŽPSÚ),

·      Department of Social Affairs and Health Care (SVZ), 

·      Department of Trade Office (SR).

 

Some departments are further divided into units:

·      Department of Municipal Development and Administration (RSM):

       -  Department of Municipal Development,

       -  Department of Municipal Administration,

·      Department of Internal Administration (VS):

       -  Department of Home Affairs,

       -  Department of Traffic Records,

·      Department of Environment and Construction Authority (ŽPSÚ):

       -  Department of Trade Environment,

       -  Department of the Building Authority,

       -  Department of Area Planning,

·      Department of Social Affairs and Health (SVZ):

       -  Department of Assistance in Material Need,

       -  Department of Social and Legal Protection of Children,

       -  Department of Social Services.

Figure 4: Location map of the two buildings of the Municipal Office Veselí nad Moravou

Source: [21]

 

3.3            Current state

 

After several visits and consultations with the Town Hall staff it was found that the security policy of the organization is in a bad condition. There are no internal rules on the security of the information system (BIS). Since the BIS is not in good condition, a new BIS should be worked out which includes network security, because an unsecured network presents an opportunity for criminal activity. The best-known threats, and very dangerous ones for the Municipal Office, are:

·      fraud with electronic identities,

·      attacks on banking and financial operations,

·      stealing data and sending them from the computer without the user’s knowledge.

 

Each employee of the Municipal Office has been allotted a computer, but some of them unnecessarily leave the passwords to their PC and programs in a visible and easily accessible place. This makes an attack easy for other Town Hall employees and for citizens who come into their offices.

In the Municipal Office the data are continuously and automatically backed up. For the physical security of the computer network there is a system in place, and the servers and active components are suitably located, so the computing environment is well protected.

Furthermore, anti-virus systems and legally licensed software programs approved for the operation of the Municipal Office are installed on all workstations and servers.

The security of the connection of the IS to the Internet is provided by a firewall. The firewall allows communication between the Internet and an internal PC only when requested by the internal PC, and only in a strictly defined manner.

The state in detail, namely the analysis of the existing IS, was identified with the help of a questionnaire for all Town Hall staff. It is given later in the Bachelor Thesis (Analysis of the existing IS, chapter 3.8).

3.4            Technologic Architecture

 

The technological architecture of the Municipal Office IS follows from its division into two buildings (Masaryk’s Avenue No. 119 and Park of Petr Bezruč No. 697), which are connected by a communication link and thus form a single unit. The main elements are servers, workstations, structured cabling, active components and equipment for connection to the Internet.

The computer network in the building on Masaryk’s Avenue was established during the year 2000. It consists of Category 5 cabling, which limits the transmission speed to 100 Mbps.

The building in the Park of Petr Bezruč was reconstructed and put into operation in late 2002. All its internal wiring is already Category 5e, which allows transfer speeds up to 1 Gbps.

The connection between the two buildings is provided by two optical fibres of a twelve-fibre cable; this link connects the two buildings at 1 Gbps. The Internet connection uses the WiFi free zone with a speed of 6 Mbps.

 

All active components were purchased from the HP ProCurve product line.

Figure 5: The current network architecture

Source: own production

3.5       Information strategy


The Information Strategy was last updated in 2004.

3.5.1        Sources used for the creation of information strategy (IST)

 

The sources used include:

·      ISVS standards,

·      world trends of IS / IT development,

·      projects for the development of IT in the CR and JMK (South Moravia Region),

·      the current status of IT in the town (HW + SW),

·      organization rules of the Municipal Office Veselí nad Moravou,

·      the organizational structure of the Municipal Office,

·      employment frame of the Municipal Office Veselí nad Moravou,

·      workload of the staff.

3.5.2        The main objectives of the Information Strategy

The main objectives of the Information Strategy are:

·      coordinating the activities of the gradual strengthening and modernizing of the city’s IT infrastructure,

·      prioritization of the information strategy,

·      prevention of wasteful use of funds.

3.6             SW used in the Municipal Office

All installed software is licensed and the installation media are stored in cabinets in the IT office.

The individual SW products are managed by several different bodies. Table 2 lists the managers of the SW products; the other common applications are in the care of the IT staff of the Mayor’s and Secretary’s Office.

 

Program name | Purpose | Manager
EMOFF | crisis management agenda | South Moravia Region
eTesty | driver tests agenda | Ministry of Transport
Register of Commercial Activities RŽP | business registration agenda | Ministry of Industry and Trade
IISSDE | population register, ID cards, passports, driving licences agenda | Ministry of Internal Affairs
EVPE Editor of water rights records | agenda associated with the water management register | Ministry of Agriculture
Evidence of agricultural entrepreneurs | evidence of agricultural entrepreneurs | Ministry of Industry and Trade
OKnouze | agenda of the Ministry of Social Affairs | Ministry of Labour and Social Affairs
OK smart | integration software for smart cards | Ministry of Labour and Social Affairs

Table 2: Overview of SW managers

Source: own production

 

           

 

           

Table 3 presents the software used in the Municipal Office. The differentiation of the databases of certain SW products is outlined in colour for better understanding. All software is numbered according to its degree of priority:

      0 - exposed,

      1 - less protected,

      2 - more important,

      3 - personal information,

      4 - sensitive personal data,

      5 - emergency information.

Colour coding for data definition:

·      emergency information,

·      personal data,

·      database engine.

Program name | Manufacturer - Contractor | Purpose | Department | User | Priority
ArcView | Arcdata Praha | Creation and administration of GIS data | ŽPSÚ | | 3
ASPI | ASPI a.s. | Collection of laws | all | selected | 0
EZOP | Asseco, a.s. | Filing service | all | all | 3
IS Fenix | Asseco, a.s. | Accounting and reporting agenda | E | | 2
Microstation | BENTLEY | Creation and administration of GIS data | ŽPSÚ | | 3
eTrust ITM 8.x | COPROSYS s.r.o. | antivirus and antispyware | all | all | 0
Crypta | Česká pošta, s. p. | simple encryption program for communication with Česká pošta | SVZ, E | | 0
Register of disabled persons | Dataprotect – Solař | Ei - register of disabled people | SVZ | | 3
Curator for adults | Dataprotect – Solař | Ek - register of problem persons | SVZ | | 4
MISYS | GEPRO | GIS - technical map, networks | ŽPSÚ | | 3
Evidence of Sheets | Goldcard s.r.o. | evidence of sheets | all | selected | 1
Map server | HSRS | Map server | ŽPSÚ | | 3
Informix IDS 9.x | IBM | Database engine for IS Radnice VERA | | same as VERA | 4
EMOFF | South Moravian Region | Crisis management agenda | KST | | 5
MS Office 2003, 2007 | Microsoft | Office suites | all | all | 0
MS Server 2000 and 2003 | Microsoft | Operating system of servers | all | all | 0
MS SQL Server | Microsoft | Database engine for EZOP | all | all | 3
MS Windows XP and Vista | Microsoft | Operating system | all | all | 0
eTesty | Ministry of Transport of the CR | Driver tests agenda | VS | | 3
Register of Commercial Activities EPA | ICZ a.s. | Register of entrepreneurs agenda | ŽPSÚ | | 3
IISSDE | Ministry of Internal Affairs of the CR | Population register, ID cards, passports, driving licences agenda | VS | | 3
EVPE Editor of water rights records | Ministry of Agriculture of the CR | Water management agenda associated with logs | ŽPSÚ | | 2
ISVAK | | Water and sewerage agenda | ŽPSÚ | | 2
Evidence of agricultural entrepreneurs | PC HELP | evidence of agricultural entrepreneurs | ŽÚ | | 3
JASU - Reporting | MÚZO Praha s.r.o. | Creation of summary financial school reports | E | | 2
OKnouze | OKsystem, s. r. o. | Agenda of the Ministry of Social Affairs | SVZ | | 4
602XML Filler | Software602, a. s. | Client for viewing, filling out and printing XML forms | all | | 0
TRANIS | TRANIS s.r.o. | technical descriptions of homologated vehicles | VS | | 0
VEMA PAM and PER | VEMA a.s. | human resources and payroll agenda | E | | 3
IS Radnice VERA | VERA s.r.o. | Many modules, e.g. population register, economic entities, income and expenses, dogs, registry office | all | selected | 4
VITA | VITA SW | Building authority | ŽPSÚ | | 3
Electronic register of notifications | WEBHOUSE s.r.o. | Keeping the register of notifications of activities, assets, income, gifts and commitments of public functionaries | TAJ | | 4
VISMO Online | WEBHOUSE s.r.o. | CMS web site | all | selected | 1
Evidence of transport agendas | YAMACO Software | transport agendas | VS | | 3
Registration of fishing licenses | YAMACO Software | hunting and fishing tickets agenda | ŽPSÚ | | 3
Evidence of hunting | YAMACO Software | once-a-year summary | ŽPSÚ | | 3
Calling (queue) system | Kadlec elektronika s.r.o. | queue management system (printing of queue tickets - ID cards, passports, driving licences) | VS | | 0
Janitor2 | | system for analysis and synthesis of data | ŽPSÚ | selected | 1
Air SQL | Kvasar, spol. s r. o. | agenda related to the environment (emitters) | ŽPSÚ | selected | 2
EVI | INISOFT s.r.o. | Records of waste | ŽPSÚ | selected | 2
ESPI | INISOFT s.r.o. | Records of administrative proceedings | ŽPSÚ | selected | 2
Total Commander | Ghisler | file manager | all | all | 0
Kristýna-GIS viewer 1.2 | | GIS data viewer | ŽPSÚ | | 0
ICQ | ICQ LLC | communicator | all | selected | 0
Mozilla Firefox | | web browser | all | | 0
Zoner Photo Studio | ZONER software, a.s. | Graphics program | KST, ŽPSÚ | | 0
SafeSign | | Smart card reader | ŽÚ | | 0
Adobe Photoshop + Illustrator + Acrobat | | graphics package | KST | | 0
ABBYY FineReader | ABBYY Software House | OCR recognition software | KST | | 0
CorelDRAW | Corel Corporation | Graphics program | ŽPSÚ | selected | 0
BDE | Borland | Database engine | all | selected | 0
Nero | | burning software | all | selected | 0
Kubik SMS DreamCom | | sending SMS | KST | | 0
View Companion Pro | Software Companion | viewer and printing | ŽPSÚ | selected | 0
Heletax | Topol Pro s.r.o. | viewer of LHO and LHP | ŽPSÚ | selected | 1
PerfectDisk | Raxco | Disk defragmenter | all | selected | 0
OK smart | OKsystem, s. r. o. | Integration software for smart cards | SVZ | | 0
ERMa | ÚHÚL (Forest Management Institute) | Evidence of reproductive material | ŽPSÚ | | 2

Table 3: Overview of software supporting the activities of individual departments

Source: own production

 

 

This licensed software can be further divided into:

·      freely usable software (freeware),

·      freeware with author charges for continued use (shareware),

·      other software (commercially licensed software).

The freeware in use is: 602XML Filler, Kristýna-GIS viewer 1.2, ICQ, Mozilla Firefox and BDE. Total Commander and Kubik SMS DreamCom, on the other hand, are freely distributable software with author charges for continued use (shareware).

The other licensed software from Table 3 is commercially licensed.

 

3.6.1        Operating Systems

 

On the servers are installed:

·      Municipal Office - Debian Linux, others - Windows Server 2000/2003.

On the workstations are installed:

·      Microsoft Windows XP - installed on 75% of computers,

·      Vista - installed on 25% of computers.

 

3.6.2        Office Software

 

The Municipal Office in Veselí nad Moravou uses exclusively Microsoft office software, which seems to suit its users best.

 

Types of office software from Microsoft:

·      MS Office 2003 - installed in 75% of computers,

·      MS Office 2007 - installed in 25% of computers.

 

3.6.3        Graphical information systems (GIS)

 

The GIS products of MicroStation are used. Of the ESRI GIS products, the freeware ArcView is used. GIS data are stored on the server GLOBUS.

 

3.6.4        Graphics and other software

 

The graphics programs used in the Municipal Office are the Adobe package of graphic programs (Photoshop, Illustrator, InDesign) and the shareware program Paintshop Pro. To convert images into text the program ABBYY FineReader is used.

The other products used are WinRAR, Total Commander, the attendance system GOLDCARD GCS 7800 and the ITM InoculateIT antivirus program.

3.7            Hardware used in the Municipal Office

 

3.7.1        Servers

 

·      TOWN - firewall, mail server, proxy server,

·      GOLEM2 - database and application server for the City Hall IS VERA (Informix DB),

·      TITAN - domain server, DNS server, partly file server,

·      ATLAS - database and application server for the filing service EZOP and the applications of the Building Authority; uses DB MS SQL 2000,

·      GLOBUS - Windows update server, file server, local GIS - MISYS,

·      MAPS - web map server.

 

3.7.2        Workstations

 

In the Municipal Office there are about one hundred PCs, all connected to the local network. Currently the office uses local printers of various brands (mostly HP) for printing and copiers for volume printing.

3.8            Analysis of existing IS

 

The real state of the security policy was established by analysing questionnaires designed to determine the current state of information security. They were created using the Internet service www.vyplnto.cz. The questionnaires were handed or e-mailed to Municipal Office employees according to their job functions. The questionnaires are given in the Annexes of the thesis.

Distribution of questionnaires according to departments:

·      questionnaire for the management (leadership) of the city,

·      questionnaires for the IT department:

       -  security policy,

       -  organizational structure,

       -  physical security,

       -  backup and recovery after disaster,

       -  providing technical assistance,

       -  telecommunications security,

·      questionnaire for employees of the Municipal Office departments (officials).

3.8.1        The analysis of questionnaire for management (leadership) of the city

 

This questionnaire was designed for the management of the Municipal Office, namely the mayor, the two deputy mayors, the secretary and both councils of the City of Veselí nad Moravou (ZMV and RMV).

The questionnaires given to the city management yielded a total of 38 points. According to Table 4 the result lies on the boundary between the "decent" and "satisfactory" evaluations. This means above all that the management is aware of the need to protect information and knows the strategic objectives.

Only one respondent from the city administration, who is familiar with the state of the security policy in Veselí nad Moravou, answered.

As an example one question was selected: whether the workers are aware of their responsibility for protecting information resources. Graph 1 shows that the workers and the leadership almost fully recognize their responsibility.

Graph 1: The questionnaire for the management of the city

Source: own production

3.8.2        Analysis of a questionnaire for IT professionals

 

The following questionnaire was designed for the IT professionals of the Town Hall in Veselí nad Moravou. Three computer specialists work in the organization, taking care of the correct and secure operation of the information network.

 

3.8.2.1 Security Policy

 

According to the IT specialists the total came to 43 points. From Table 5 it can be concluded that the security policy can be evaluated as "satisfactory". The Information Department staff are aware that some activities and information protection measures are still in development, and they continuously strive to improve the security policy.

All 4 employees of the information department answered the questionnaire on security policy. Graph 2 shows that 50% of respondents think that the policy does not define the term "information", 25% think that it almost defines it and 25% think that it does define the term "information".

Graph 2: Questionnaire Security Policy

Source: own production

3.8.2.2 Organizational Structure

 

The total comes out at 60 points, which according to Table 6 indicates that the organizational structure is satisfactory. In the Municipal Office a team is set up for information security and the staff are always informed about the changes that occur. Some activities are still under development; the management (leadership) of the city is aware of this and agrees with data and information protection.

3 of the 4 workers of the information department answered the organizational structure questionnaire. As a sample one of the questions was selected, which examined whether the system administrators receive security training relating to their work. Graph 3 shows that 66.67% of the respondents think that they almost do not receive specific training, while 33.33% said that all receive training specific to their work.

Graph 3: Questionnaire Organizational Structure

Source: own production

3.8.2.3 Physical security

 

According to the IT department staff the total comes out at 42 points, which according to Table 7 indicates that physical security is at a very good level. Access to important areas is protected, and the IT staff are informed and aware of the procedures in the event of a disaster. Many activities are also already introduced in the Municipal Office.

When asked whether confidential information is properly protected, each respondent answered differently. According to Graph 4 one third of respondents are sure that confidential information is adequately protected, one third think that it is adequately protected with exceptions, and one third said that this issue is in development.

Graph 4: Questionnaire, physical security

Source: own production

3.8.2.4 Backup and Recovery after Disaster

 

The overall result came out at 39 points. According to Table 8 the outcome lies on the boundary between the "satisfactory" and "bad" assessments. This means that backup and recovery are not good. A backup schedule is formulated, but the list of critical situations is still being prepared. The critical resources are identified and backups are stored off-site from where they are made.

Graph 5 shows that 66.7% of respondents said that the backup plan is updated regularly, and 33.33% answered that the backup plan is updated regularly with exceptions.

Graph 5: Questionnaire on backup and recovery

Source: own production

3.8.2.5 Technical Security

 

With a total of 41 points, according to Table 9 technical security is at a very decent level. The result is indeed very close to the "above average" rating. Part of the activities is already implemented and the system and network administrators are trained. The Municipal Office has accepted the security policy and the network standards are in development.

On the question concerning the implementation of vulnerability assessment on the network, the respondents completely agreed that vulnerability assessment is still only in development.

Graph 6: Questionnaire from Technical Security

Source: own production

3.8.2.6 Telecommunication security

 

The grand total came out at 37 points, which according to Table 10 indicates that telecommunications security is satisfactory. Some activities are still in development and most of the management (leadership) of the city agrees with data and information protection. Policies and procedures are only identified and the telecommunications standards are in development.

3 of the 4 information department staff responded to the questionnaire on telecommunications security. One of the questions dealt with the automatic blocking of all accounts and cards when an employee's employment with the municipality of Veselí nad Moravou is terminated. Graph 7 shows that 66.67% of the respondents replied that the accounts and cards are automatically blocked, and 33.33% said that, with exceptions, all accounts and cards are blocked on termination of employment.

Graph 7: Questionnaire from telecommunication security

Source: own production

3.8.3   Questionnaire for the Municipal Office employee (officials)

 

This questionnaire was designed for ordinary employees of different departments, namely workers who work in offices.

 

The employees of the different departments scored a total of 31 points, which according to Table 11 is rated "decent". This means above all that the staff are aware of the need to protect corporate data and information, but some do not comply with all the guidelines they are given. Information security awareness is therefore somewhat lacking.

29 employees responded to the questionnaire for the other ordinary employees of the Municipal Office. As a sample one question was selected, regarding the creation of passwords according to the directive. This question was deliberately chosen because it was found that employees leave their passwords freely accessible. Graph 8 shows that 41.38% of the respondents create their passwords according to the directive, 24.14% stated that they do so only marginally, 10.34% almost do not, and 24.14% do not create passwords according to the directive at all.

Graph 8: Question from the questionnaire for ordinary workers

Source: own production

3.9            Suggested solution

 

The proposed solution is structured in sections according to the questionnaires and is intended for the Municipal Office management as well as for the IT staff and officials. These are recommendations which may help to strengthen the security policy of the Town Hall.

3.9.1        Suggested solutions for management (leadership) of the city

 

City managers are recommended to participate more frequently in the creation of security standards and to have their subordinates submit regular reports on the current state of the security policy. Management should also not forget the review and approval of the priority list of critical applications. It is also recommended that the overall city budget contain a budget for the security program.

3.9.2        Suggested solutions for IT Professional

 

The IT staff are given the following recommendations according to the security areas.

3.9.2.1 Recommended solutions for Security Policy

 

To better ensure the security policy it is appropriate that there is an information security manual at every workplace, which would contain the whole policy and establish the liability of individual employees and the degree of their responsibility. The manual should also state the consequences of possible disobedience of the directives.

 

3.9.2.2 Suggested solutions for organizational structure

 

To determine the appropriate organizational structure, it is recommended that security policy and procedures should be regularly tested and this testing should be carried out in a separate environment. Regular audits are recommended, too, and there should be a person assigned to monitor the audit records. Naturally, this should include documentation mechanisms at all workplaces.

 

3.9.2.3 Suggested solutions for physical security

 

Above all, the personnel who clean after the officials' working hours should be monitored. Procedures for removing classified information should be introduced at the workplaces, and procedures and policy must be reviewed after any incident with a view to their possible modification. A complete disaster recovery plan should also be established and tested after any disaster.

 

3.9.2.4 The recommended solution for backup and recovery after disaster

 

The right solution is recommended to be planning that identifies all critical programs and resources carrying out the tasks required during the recovery of the system. A critical time for the renewal of applications and systems should be identified. Emergency response measures should also be visible to employees. Compilation, review and updating of a new analysis of systems and applications (ASA) affecting the strategic processes is recommended. For good backup a new product for central backup of the software should be purchased.

 

3.9.2.5 Suggested solutions for technical security

 

In order for technical support to function properly, the firewalls must be regularly tested and the vulnerability of the network periodically evaluated. Workers must be properly instructed about creating appropriate passwords and shall be required to change their passwords frequently. The log register should also be reviewed quite often.

3.9.2.6 Suggested solutions for telecommunication security

 

For this area it is recommended to establish a policy for the use of telecommunication resources which would define sanctions for external staff and employees, so that they realize the importance of the telecommunication policy. This policy must be updated regularly. Phones that allow monitoring must be reviewed regularly to detect any misuse.

3.9.3        Suggested solutions for the employees of the Municipal Office (officials)

 

Employees, particularly officials, should know the penalties for breaking the rules and create passwords in accordance with the internal regulations. Furthermore, they should be interested in and aware of the strategic objectives of the city of Veselí nad Moravou. They should also restrict other people's access to their computers and use the internet and computer resources for private purposes as little as possible. When leaving the office they must not forget to lock their PC or log out.

 

Above all, it is recommended that the entire Municipal Office create internal regulations and guidelines which clearly set out the procedures, sanctions and definitions of the security policy. Furthermore, any shared passwords should be changed, and passwords must not be shared. It is also recommended to update the information strategy and have it approved by the bodies of the city.

3.10       Financial evaluation

 

The Municipal Authority in Veselí nad Moravou does not have a central backup system, so a failure of the database server would cause data loss. Furthermore, the Office should address central backup power for the servers, active network elements and key workstations: in the event of a network outage employees can continue to work, but only on their local computers. Both therefore need to be purchased.

 

The proposed expenditure for the central backup:

Symantec Backup Exec (price depends on configuration) …… 50 000 Kč with VAT,

HP StorageWorks DAT tape drive ………………………………. 50 000 Kč with VAT,

·        central backup power supply for the server room, active elements and key workstations

APC Symmetra PX 10kW Scalable to 40kW N+1 …………… 500 000 Kč with VAT.

                                                                                                                  Σ 700 000 Kč with VAT.

 

 

Symantec Backup Exec software was selected for the central backup for its features, which include data backup and recovery, improved access to technical support and support for the new Microsoft products.

 

For the central backup system an HP StorageWorks DAT tape drive was chosen, because the IT department staff have good experience with the Hewlett-Packard brand. This type of tape drive is well suited to protecting the Municipal Office's data; it uses HP DAT drive technology and was chosen for its performance.

 

The APC Symmetra PX 10kW Scalable to 40kW N+1 is a redundant power source; it was chosen for its good price and is well suited to important servers and workstations.

 

Furthermore, the Office has no internal security regulation; one should be drawn up and printed by the Office staff. The procedures and measures for the case of an incident must also be developed and printed for all 50 offices. Security training of employees is important as well.

 

drawing up the Office's own internal regulations for employees ………. 50 000 Kč with VAT,

………………………………………………………………... 5000 Kč with VAT,

                                                                                                      Σ  105 000 Kč with VAT.

 

Prices are approximate, since the deployment of a backup solution is always individual and depends on the requirements of the Municipal Office.

Conclusion

 

This thesis is divided into two parts, a theoretical and a practical part. The practical part comprises a general overview of public administration, then a detailed analysis of the state of information security, and finally, on the basis of the analysis results, recommended measures for the Town Hall in Veselí nad Moravou.

 

The thesis analyzed the security situation in the Municipal Office of Veselí nad Moravou and then formulated and recommended appropriate measures for the proper protection of information and data. For the staff of the Office in Veselí nad Moravou it is especially important to set specific rules for network security. First of all, the management and the IT department staff must develop and implement the organization's internal regulations, which all employees must follow.

 

On the basis of the proposed financial evaluation, managers may decide which type of centralized backup to purchase, select the person who will develop the internal rules, and decide what means should be used for drawing up the procedures and measures in the event of an incident.

 

The benefit of this work is that it provides an overview of security policy as such, of the state of security policy in the Town Hall, and of the proposed security policy and its financial evaluation. Considerable effort was devoted to identifying the current state of security policy by means of questionnaires, and the work proposes a solution that needed to be prepared for the Municipal Authority.

 

In the future it is therefore necessary to address the entire security policy of the Municipal Office in Veselí nad Moravou and to update it regularly.

 

 

Summary

 

Abstract

A security policy proposal for the information system of the Municipal Office of Veselí nad Moravou.

 

Key terms: security policy, threats and data loss, system and data protection, information security management, information security management system, information strategy, organizational structure, technological architecture.

 

My bachelor thesis deals with the application of a security policy to the information system of the Municipal Office of Veselí nad Moravou. Emphasis is placed on both the theoretical and the practical part. The theoretical part explains the definitions of terms and the reasons for protecting information systems: securing the systems against attacks, viruses and hackers.

The practical part documents the analysis of the security state of the Municipal Office, the financial evaluation, and the decision on what means should be used for drawing up the procedures and measures in the event of an incident.

Bibliography

 

 

[1]          ČSN BS 7799-2. Systém management bezpečnosti informací – Specifikace s návodem pro použití. Praha: Český normalizační institut, 2005-01-01. 40 p. Classification code 36 9790.

[2]          ČSN ISO/IEC 17799. Informační technologie – Soubor postupů pro management bezpečnosti informací. Praha: Český normalizační institut, 2006-09-01. 102 p. Classification code 36 9790.

[3]          ČSN ISO/IEC 27001. Informační technologie – Bezpečnostní techniky – Systémy management bezpečnosti informací – Požadavky. Praha: Český normalizační institut, 2006-10-01. 35 p. Classification code 36 9790.

[4]          Czech Republic. Decree No. 529/2006 Coll. of 6 December 2006. In: Vyhláška o požadavcích na strukturu a obsah informační koncepce a provozní dokumentace a o požadavcích na řízení bezpečnosti a kvality informačních systémů veřejné správy. 2006, part 172. Also available from: <http://www.mvcr.cz/clanek/vyhlaska-c-529-2006-sb-o-dlouhodobem-rizeni-informacnich-systemu-verejne-spravy.aspx>. ISSN 1802-6575.

[5]          BELLOVIN, S. Firewally a bezpečnost Internetu, aneb Jak zahnat lstivého hackera. 1st ed. Veletiny: Science, 1998. 290 p. ISBN 80-86083-01-2.

[6]          BURDA, K. Bezpečnost informačních systémů. Brno: Vysoké učení technické v Brně, 2005. 103 p.

[7]          DOSTÁLEK, L. et al. Velký průvodce protokoly TCP/IP, část Bezpečnost. 2nd ed. Praha: Computer Press, 2003. 571 p. ISBN 80-7226-849-X.

[8]          DRYŠL, K. Řízení bezpečnosti IT v malých až středních podnicích. Brno: Mendelova zemědělská a lesnická univerzita v Brně, 2006.

[9]          CHAPMAN, D.; ZWICKY, E. Firewally: principy budování a udržování. 1st ed. Praha: Computer Press, 1998. 508 p. ISBN 80-7226-051-0.

[10]      PELTIER, T. R. Information security risk analysis. Boca Raton: Auerbach, 2001. 281 p. ISBN 0-8493-0880-1.

[11]      PUŽMANOVÁ, R. TCP/IP v kostce. 1st ed. České Budějovice: Kopp, 2004. 607 p. ISBN 80-7232-236-2.

[12]      RODRYČOVÁ, D.; STAŠTA, P. Bezpečnost informací jako podmínka prosperity firmy. 1st ed. Praha: Grada, 2000. 143 p. ISBN 80-7169-144-5.

[13]      ŠEBESTA, V.; ŠTVERKA, V.; STEINER, F.; ŠEBESTOVÁ, M. Praktické zkušenosti z implementace systému managementu bezpečnosti informací podle ČSN BS 7799-2:2004. ISBN 80-7283-204-2.

[14]      THOMAS, M. T. Zabezpečení počítačových sítí bez předchozích znalostí. Brno: CP Books, a.s., 2005. 338 p.

[15]      Analýza rizik [online]. 2009 [cited 2009-04-15]. Available from: <http://www.tsoft.cz/index.php?q=cz/analyza-rizik>.

[16]      Bezpečnostní informace [online]. 2009 [cited 2009-04-15]. Available from: <www.isvs.cz/bezpecnost/bezpecnostni-politika-2-dil-.html>.

[17]      Bezpečnostní politika – organizace [online]. 2009 [cited 2009-04-16]. Available from: <http://www.cleverlance.cz/cz/sluzby/Informacni-bezpecnost/Bezpecnostni-politika-organizace/>.

[18]      Information security [online]. 2010 [cited 2010-04-15]. Available from: <http://en.wikipedia.org/wiki/Information_security>.

[19]      MěÚ Veselí nad Moravou. Organizační řád [online]. 2009 [cited 2009-04-09]. Available from: <http://www.veseli-nad-moravou.cz/vismo/dokumenty2.asp?id_org=18072&id=145604&p1=28200>.

[20]      STEINER, F. Bezpečnostní politika [online]. 2009 [cited 2009-04-15]. Available from: <http://home.zcu.cz/~steiner/ZPI/P%F8edn%E1%9Aka%202.pdf>.

[21]      Veselí nad Moravou [online]. 2010 [cited 2010-05-18]. Available from: <http://www.mapy.cz/#mm=ZTtTcP@sa=s@st=s@ssq=vesel%C3%AD%20nad%20moravou@sss=1@ssp=120560748_126938828_150019180_149892812@x=139973504@y=131992352@z=15>.

List of Abbreviations

 

 

AR                                         risk analysis

BIS                                         information system security

BP                                          security policy

ČNI                                        Czech standards institute

E                                             finance department

GIS                                        geographical information systems

HW                                        hardware

KST                                        office of mayor and secretary

IS                                           information system

IS/IT                                       information systems/information technology

ISMS                                      information security management system

ISt                                          information strategy

ISVS                                      public administration information systems

IT                                           information technology

MěÚ                                       Municipal Office

PC                                          personal computer

RSM                                      department of development and city administration

SVZ                                       department of social affairs and health

SW                                         software

VS                                          department of internal administration

WLAN                                   wireless local area network

ŽPSÚ                                      department of environment and construction authority

ŽÚ                                          department of trade office

 

 

 

 

 

List of Annexes

 

Annex 1: Questionnaire for the management (leadership) of the city [10]

Annex 2: Questionnaire for IT Professional [10]

Annex 3: Questionnaire for Municipal Office employees (officials) [10]

Annex 4: Evaluation of the thesis by the leadership of the municipal office

Annex 1: Questionnaire for the management (leadership) of the city

 

Response options: 1 = yes, 2 = nearly so, 3 = almost not, 4 = no

 

1.        Do you actively participate in creating                                  1                                 4

security?

 

2.        Do you participate in creating security                                 1          2          3          4

standards in the office?

 

3.         Does the management regularly let themselves                         1          2          3          4

       submit reports about the state of information

       security in the office, including the list of incidents?

 

4.        Do you crosscheck and approve the priority                             1          2          3          4

list of critical applications?

 

5.        Does the annual report about the level of                                  1          2          3          4

 information security depend on your assent?

 

6.        Are you able to execute your tasks efficiently and                   1          2          3          4

       effectively, while you comply with security techniques?

 

7.        Does the municipal council of Veselí nad Moravou                  1          2          3          4

actively support the information security program?

 

8.        Does the information security have its own  budget                 1          2          3          4

in the overall municipal budget?

 

9.        Does the town have enough employees to                                1          2          3          4

support current business targets?

 

 

10.    Do the employees and department leaders                                1          2          3          4

realize their responsibility for the protection of information sources?

 

11.    Are the staff properly trained for fulfilling                               1          2          3          4

their tasks?

 

12.    Does the municipality have enough qualified workers              1          2          3          4

for implementing the programme to increase

the information security awareness?

 

13.    Do the employees know the strategic targets                            1          2          3          4

       of the office?

 

14.    Is the IT department leader sufficiently qualified?                   1          2          3          4

 

15.    Does the IT department leader have a view of                         1          2          3          4

the office, key processes, information and their

importance for the existence and prosperity of the office?

Total points | Presumable current state | Evaluation | Evident situation
15 - 26 | The MO deals actively with information security. | above average | The management fully supports the development of security. There is a sufficient number of qualified employees. The head of the IT department is also sufficiently qualified.
27 - 38 | The MO lacks something for the optimal state of information security. | good | The management is aware of the need for information security. The employees know the strategic targets of the city.
39 - 50 | In the MO information security is introduced only globally. | satisfactory | The management hardly cares about information security.
51 - 60 | The MO does not care about information security. | bad | The management does not support the creation of information security at all. The employees have no notion of information and of the need to protect it.

Table 1: Management questionnaire results

Source: [10]

 

 

 

 

 

 

 

 

 

 

 

 

Annex 2: Questionnaire for the IT department staff

 

Response options: 1 = yes, 2 = nearly so, 3 = almost not, 4 = no

 

1. Security policy

 

1.        Is there an information security implemented                           1                                 4

at every workplace?

 

2.        Does the policy determine what is and what                        1          2          3          4

is not allowed?

(1 = comprehensibly, 2 = less comprehensibly,

3 = a little incomprehensibly, 4 = incomprehensibly)

 

3.        Does the policy affect at least globally all the                           1          2          3          4

information aspects?

 

4.    Does the policy define the term                                                1          2          3          4

       „information“?

 

5.    Does the policy support business                                               1          2          3          4

targets and the mission of the city?

 

6.    Does the policy identify the                                                      1          2          3          4

responsibilities of management and workers?

 

7.    Does the policy determine the consequences                            1          2          3          4

       of not observing the rules?

 

8.    Do the processes at workplaces implement                               1          2          3          4

the information security policy?

(1 = fully, 2 = almost fully, 3 = in development, 4 = not yet)

 

9.    Are the policies and processes constantly                                 1          2          3          4

       evaluated according to the needs of the town?

 

10. Is there an information security manual                                   1                                 4

       at every workplace?

 

11.  Does the manual cover the whole policy?                                 1          2          3          4

 

12. Does the manual identify important issues                                1          2          3          4

of the security policy?

 

13.  Does the manual determine the employee's                              1          2          3          4

       responsibilities?

 

14. Does the manual point out the degree of the                            1          2          3          4

employee’s personal responsibility?

 

15. Does the manual specify the consequences of                          1          2          3          4

a possible breach?

Total points | Presumable current state | Evaluation | Evident situation
15 - 26 | The majority of activities are implemented. The majority of employees are acquainted with the information policy. | above average | Information security is implemented. Supporting standards and processes are integrated at the workplace.
27 - 38 | Many activities are implemented. Many employees are acquainted with the information policy. | good | Information protection is not in first place. Supporting standards and processes are under development. The employees' awareness is in its infancy.
39 - 50 | Some activities are under development. The majority of the management agrees with information protection. | satisfactory | Information protection is evidently under development.
51 - 60 | Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection. | bad | Management has expressed the need for information protection. An audit is awaited.

Table 2: Security policy questionnaire results

Source: [10]

 

2. Organizational structure

 

1.    Does the management of the city support                                 1                                 4

the information security program?

 

2.    Does the information security program have                             1                                 4

its own budget in the overall city budget?

 

3.    Does the annual report about the information                           1                                 4

security degree depend on the management agreement?

 

4.    Does the office have enough employees to                              1                                 4

support current business targets?

 

5.    Do the employees and department leaders realize                    1                                 4

their responsibilities for the information sources protection?

 

6.    Are the employees properly trained in carrying out                  1                                 4

their tasks?

                                                    

7.    Is the access to sensitive and secret data monitored?               1          2          3          4

(1 = fully, 2 = almost fully, 3 = under development, 4 = not yet)

 

8.    Do employees know the strategic                                              1          2          3          4

   targets?        

 

9.    Are the employees provided with training specific                   1          2          3          4

for their occupation?

 

10. Does the security training reflect changes and                          1          2          3          4

new methods?

 

11. Are the system administrators provided with                          1           2          3          4

the training specific for their occupation?

 

12. Is there a regular security awareness and training                     1          2          3          4

program at every workplace?

 

13. Are the security policies and processes                                     1          2          3          4

currently tested?

 

14. Are the documentation mechanisms at every                            1          2          3          4

workplace and in all the platforms?

 

15. Are errors and failures registered?                                             1          2          3          4

 

16. If the employee is caught in breaking the                                  1          2          3          4

security policy, does it have a consequence

in proper disciplinary proceedings?

 

17. Are audits performed regularly?                                                1          2          3          4

 

18. Are unplanned or surprise audits                                          1          2          3          4

also performed?

 

19. Is a person assigned to monitor the                                       1          2          3          4

   audit records?

 

20. Does the preparatory testing take place in a                              1          2          3          4

   separate environment?

Total points | Possible current state | Evaluation | Evident situation
20 - 43 | The majority of activities are implemented. The majority of employees are acquainted with the information policy. | above average | The security manager and the relevant security employees are in place. Employee training takes place. The training program is at the workplace. The information policy is regularly checked.
44 - 52 | Many activities are implemented. Many employees are acquainted with the information policy. | good | Security tasks are under development. The employees' awareness of information protection is still in its infancy.
53 - 68 | Some activities are under development. The majority of the management agrees with information protection. | satisfactory | A team for information security is set up. The employees are informed about the changes to come.
69 - 80 | Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection. | bad | Management has an information security project. An audit needs to be carried out.

Table 3: Organizational structure questionnaire results

Source: [10]

 

 

 

 

 

3. Physical security

 

Response options: 1 = yes, 2 = with exceptions, 3 = under development, 4 = no

 

1.        Is the access to buildings restrained?                                        1          2          3          4

 

2.    Is the access to computer equipment restrained?                      1          2          3          4

 

3.    Is there an adequate degree of control for the                          1          2          3          4

       access out of the working hours?

 

4.    Is monitoring (logging) in place?                                            1          2          3          4

 

5.    Is the system and other HW adequately                                   1          2          3          4

protected against theft?

 

6.    Are there determined and introduced processes at the             1          2          3          4

workplace for the proper disposal of secret data?

 

7.    Is the area which contains important information                     1          2          3          4

properly secured?

 

8.    Are the workstations protected after working hours?               1          2          3          4

 

9.    Are keys and access cards properly protected?                        1          2          3          4

 

10. Is secret information properly protected?                                1          2          3          4

 

11. Are the activities of the personnel that cleans                           1          2          3          4

offices after working hours monitored?

 

12. Is there a team set for the case of accident?                              1          2          3          4

 

13. Do the staff know what they are supposed                               1          2          3          4

to do when they are notified of an incident?

 

14. Are the policies and processes checked after incidents             1          2          3          4

to assess whether these policies and processes

need to be modified?

 

15. Is there a plan set for the recovery after disaster?                     1          2          3          4

 

16. Was the plan for recovery after disaster tested                         1          2          3          4

during last twelve months?

 

17. Are backups of systems, applications and data                          1          2          3          4

regularly sent to a secure place away from the

site where they were made?

Total points | Possible current state | Evaluation | Evident situation
17 - 30 | The majority of activities are implemented. The majority of employees are acquainted with the information policy. | above average | Access to important areas is protected by a computerized mechanism. The incident response team is set up.
31 - 43 | Many activities are implemented. Many employees are acquainted with the information policy. | good | Access to important areas is usually protected. The staff are aware of the processes in case of disasters.
44 - 56 | Some activities are under development. The majority of the management agrees with information protection. | satisfactory | Access to important areas is based on logging in. The staff contact the IT department when a problem occurs.
57 - 68 | Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection. | bad | Access to important areas is not adequately protected. Incidents are solved only locally.

Table 4: Physical security questionnaire results

Source: [10]

 

 

 

 

 

4. Backup and recovery after disaster

 

Response options: 1 = yes, 2 = with exceptions, 3 = under development, 4 = no

 

1.    Does the backup plan identify all critical                                1          2          3          4

programs, documents and resources needed

to carry out the required tasks during

system recovery?

 

2.    Is the critical time for recovery of all applications                    1          2          3          4

and systems identified?

 

3.    Does the Municipal Council check and approve                       1          2          3          4

for the list of critical applications?

 

4.    Is a current list of important phone numbers of                       1          2          3          4

the police, fire service, first aid and officials strategically

placed both at the site during working hours

and off-site?

 

5.    Is the backup area sufficiently remote from  danger                 1          2          3          4

which would threaten the main data center?

 

6.    Were the backup and recovery processes tested                       1          2          3          4

during last twelve months?

 

7.    Is there a training provided for all relevant staff                       1          2          3          4

which backups or recovers?

 

8.    Is there an analysis of systems and applications                       1          2          3          4

(ASA) which influence important business processes?

 

 

9.    Is the ASA checked and updated regularly with                        1          2          3          4

emphasis on new technologies and changes

of business targets?

 

10. Is at least one copy of backup planning regularly                     1          2          3          4

updated?

 

11. Are the procedures for the case of an incident                         1          2          3          4

placed at locations with HW and SW, visible to all workers?

 

12. Do the employees take part in backups?                                   1          2          3          4

Total points | Possible current state | Evaluation | Evident situation
12 - 21 | The majority of activities are implemented. The majority of employees are acquainted with the information policy. | above average | The backup plan is tested at the workplaces. Workers are trained in backups. The backup plan is regularly updated.
22 - 30 | Many activities are implemented. Many employees are acquainted with the information policy. | good | The backup plan is written. Workers know their role in the backup plan. Management supports the backup plan.
31 - 39 | Some activities are under development. The majority of the management agrees with information protection. | satisfactory | The backup plan is formulated. The list of critical situations is being built. Critical resources are still being identified. Backups are stored away from the site.
40 - 48 | Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection. | bad | The audit determined the weak points of the backup plan. Management is aware of its responsibility for backups.

Table 5: Plan of backup and recovery after disaster questionnaire results

Source: [10]

 

 

 

 

 

5. Technical security

 

Response options: 1 = yes, 2 = with exceptions, 3 = under development, 4 = no

 

1.    Are the table spaces properly secured ?                                     1          2          3          4

 

2.    Are the host systems and servers as well as                              1          2          3          4

application servers secured?

 

3.    Are the passwords and accounts shared?                                  1          2          3          4

 

4.    Are the unsecured user accounts                                               1          2          3          4

(„guest“) active?

 

5.    Are temporary user accounts banned                                        1          2          3          4

and cancelled in a due time?

 

6.    Are the workers trained in creating                                           1          2          3          4

right passwords?

 

7.    Are the employees who provide network services                       1          2          3          4

       required to change initial default passwords?

 

8.    Do the network and system administrators                               1          2          3          4

have adequate experience with the implementation

of safety standards?

 

9.    Are the log records regularly reviewed?                                    1          2          3          4

 

10. Do the administrators use suitable tools                                    1          2          3          4

for carrying out their tasks?

 

11. Is the current net diagram accessible?                                       1          2          3          4

 

12. Is there a distant access on the place?                                        1          2          3          4

 

13. Are critical servers adequately protected?                                 1          2          3          4

 

14. Is the net infrastructure regularly controlled?                           1          2          3          4

 

15. Are there evaluations of the vulnerability                                  1          2          3          4

carried out on the net?

 

16. Do the changes or improvements pursue current                       1          2          3          4

trends in security development?

 

17. Are the firewalls tested to determine                                        1          2          3          4

possible external interference?

 

18. Are there any other products that increase                                1          2          3          4

the degree of FW security?

 

19. Are FW maintained and monitored 7x24?                                1          2          3          4

 

20. Are all the services which passed or try                                    1          2          3          4

to pass FW documented?

 

 

 

 

 

 

 

 

 

Total points: 20 - 40

Possible current state: The majority of activities is implemented. The majority of employees is acquainted with the information policy.

Evaluation: over average

Evident situation: The network security policies and processes are implemented. System and network administrators are trained in security. The firewall is implemented and monitored.

Total points: 41 - 54

Possible current state: Many activities are implemented. Many employees are acquainted with the information policy.

Evaluation: good

Evident situation: The network security policy is accepted. Network standards are under development. A firewall administrator is not employed yet.

Total points: 55 - 67

Possible current state: Some activities are under development. The majority of the management agrees with information protection.

Evaluation: satisfactory

Evident situation: The team for security policy and processes is set up. The firewall is not implemented yet.

Total points: 68 - 80

Possible current state: Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection.

Evaluation: bad

Evident situation: Management has only expressed the need to secure the network infrastructure.

 

Table 6: Technical security questionnaire results

Source: [10]

6. Telecommunication security

Response options: 1 = yes, 2 = with exceptions, 3 = under development, 4 = no

1. Is the policy for using telecommunication resources published?   1  2  3  4

2. Are all employees aware of the telecommunication policy?   1  2  3  4

3. Do the employees realize the importance of the office data that require authorization for internet access?   1  2  3  4

4. Do the employees communicate via mobile or wireless phones despite the risks of this technology?   1  2  3  4

5. Did the organization publish the policy of sanctions for employees and external workers?   1  2  3  4

6. Are the organization's data stored on laptops secured against unauthorized access?   1  2  3  4

7. Is a change of the automatic and initial (default) passwords required of the users of all companies that provide communication systems?   1  2  3  4

8. Are the phones that can be monitored regularly checked to detect possible misuse?   1  2  3  4

9. Are the employees aware of their responsibility to keep access codes properly safe against unauthorized access and use?   1  2  3  4

10. Are laptop users provided with a mechanism that enables the backup of sensitive information and applications to the server or to portable storage media?   1  2  3  4

11. Is an employee designated for maintaining the telecommunication resources?   1  2  3  4

12. Is the telecommunication policy regularly updated?   1  2  3  4

13. When an employment contract is terminated, are the former employee's accounts and cards blocked?   1  2  3  4


Total points: 12 - 23

Possible current state: The majority of activities is implemented. The majority of employees is acquainted with the information policy.

Evaluation: over average

Evident situation: The telecommunication security policy and processes are implemented. The telecommunication administrator is trained in security issues.

Total points: 24 - 33

Possible current state: Many activities are implemented. Many employees are acquainted with the information policy.

Evaluation: good

Evident situation: The telecommunication security policy is only approved. Monitoring of the operation is introduced. Standards are under development.

Total points: 34 - 43

Possible current state: Some activities are under development. The majority of the management agrees with information protection.

Evaluation: satisfactory

Evident situation: Policies and processes are only identified. Telecommunication standards are under development.

Total points: 44 - 52

Possible current state: Policies, standards and processes are lacking or are not implemented. Management and employees are not aware of the need for information protection.

Evaluation: bad

Evident situation: Management is only aware of the need for a telecommunication security policy. The audit identified the weaknesses of the telecommunication security.

 

Table 7: Telecommunication security questionnaire results

Source: [10]

Annex 3: Questionnaire for the Municipal Office departments employees (clerks)

Response options: 1 = yes, 2 = marginally, 3 = almost not, 4 = no

1. Are you acquainted with the information security of the town of Veselí nad Moravou?   1  2  3  4

2. Do you know what is and is not allowed?   1  2  3  4

3. Do you know the list of sanctions for possible infringement of the rules?   1  2  3  4

4. Do you create passwords according to the relevant standard?   1  2  3  4

5. Do you know the strategic targets and mission of the town of Veselí nad Moravou?   1  2  3  4

6. Do you take care to secure your computer during your absence?   1  2  3  4

7. Do you also use the internet or computer devices for private purposes?   1  2  3  4

8. Do you adequately secure your cards or keys?   1  2  3  4

9. Do you regularly back up important data?   1  2  3  4

10. Do you store all important documents on the server that is backed up?   1  2  3  4

11. Do you use only licensed versions of software (SW)?   1  2  3  4

12. Do you know who is responsible for crisis management in the field of information technology?   1  2  3  4

13. Do you think you are adequately trained in the issues of information security in terms of your profession?   1  2  3  4

14. If you use a laptop, do you have at your disposal a mechanism enabling the backup of information to the server or to portable media?   1  2  3  4

15. If you use unsecured communication via mobile phone, do you keep the calls short?   1  2  3  4

16. Do you realize the importance of protecting the organization's information against the external environment?   1  2  3  4


Total points: 16 - 27

Possible current state: Information security is fully implemented along with the information awareness program. Employees fully understand the need to protect the organization's data.

Evaluation: over average

Evident situation: The workers are acquainted with the information security in the organization. The workers know what they can and cannot do. They are also fully interested in carrying out the tasks connected with information protection.

Total points: 28 - 40

Possible current state: Information security is at a decent level. Something is still lacking for optimal awareness of information security.

Evaluation: good

Evident situation: The workers are aware of the need to protect the organization's data. However, they do not keep all guidelines.

Total points: 41 - 53

Possible current state: Only "some" information security is introduced. Not all the workers are aware of it.

Evaluation: satisfactory

Evident situation: The workers are aware of information security only in general terms. They do not follow all procedures.

Total points: 54 - 64

Possible current state: Information security does not exist in the organization.

Evaluation: bad

Evident situation: The workers do not know at all that there is any information security.

 

Table 8: Questionnaire for ordinary employees results

Source: [10]

Annex 4: Evaluation of thesis by leadership of the municipality office

European Polytechnic Institute, Ltd.

Osvobození 699, 686 04 Kunovice

http://www.edukomplex.cz, epi@edukomplex.cz

 

Evaluation of thesis by leadership of the municipality office

 in Veselí nad Moravou

 

Title of the BT:     Security policy proposal for information system of the municipality office in Veselí nad Moravou

Author:                 Jana Horáková

 

The bachelor thesis was prepared under the supervision of the head of the department of the mayor's and secretary's office, Ing. Petr Kebrle, who is in charge of IT security policy issues, in the period from 10.2009 to 04.2010.
The student always worked independently and professionally.
In her work, the student used modern techniques for the questionnaires via the Internet.
The objectives of the bachelor thesis have been achieved and the output is fully usable for the operation of the Town Hall.

 

In Veselí nad Moravou, 27.5.2010

                                                                                              ………………………………

                                                                                                      Ing. Jaroslav Miklenda