Processes for information security

Well, the security and privacy of information systems has become extremely important when it comes to work or even personal information, as we all use systems to store our confidential information that we don't want anyone to see. That is why there are such tools as cryptography, physical security, cybersecurity and logical security.

What is exposed in a computer component are:

- the hardware

- The software

- O DATA

Data being the most important, if the hardware is damaged we replace the damaged part, if the software is damaged we only reinstall, but when we talk about data it is almost unrecoverable, almost because in computing a data is never deleted, it is modified and when it already has several modifications it is very difficult to recover.

PERSONNEL TRAINING AND SENSITIZATION PROCEDURE: Indicates the methodology used by the entity to train and sensitize personnel on information security issues, taking into account the different roles and directives, the periodicity of the training and sensitization capabilities, etc.

PROCEDURE FOR THE HIRING AND DISMISSAL OF PERSONNEL: This procedure indicates the way in which the entity safely manages the entry and exit, including issues such as background checks, signing of confidentiality agreements, receipt of deliveries required to generate peace of mind, among other characteristics. This procedure goes hand in hand with the human resources management area or recruitment can be generated with their collaboration.

PROCEDURE FOR SECURE ACCESS TO INFORMATION SYSTEMS:

 In this procedure, the entity must indicate how to manage access to its information systems in a secure manner, using preventive methods against brute force attacks, validating complete data for system access, using methods to encrypt access information through the network, among others.

USER AND PASSWORD MANAGEMENT PROCEDURE:

In this procedure, the entity will require how to perform the creation of users and the assignment of passwords (which must have an acceptable level of security, based on a policy of secure passwords previously defined), prohibiting its subsequent reuse, possibly to users to change it often, had a record of them. This procedure should apply to all information systems, and should also take into account the role that each user requires in the necessary systems to provide the necessary access.

CRYPTOGRAPHIC CONTROLS PROCEDURE:

This procedure shall specify how cryptography will be used within the organization's information systems to ensure their integrity, availability and confidentiality. You must specify the complexity of cryptographic controls to employees, specifying the criticality of the information that will circulate through the network or will be selected hosted on a particular system. For example using wep networks is an obsolete technology that should not be used anymore, because it has keys from 64 to 128 bits that means 2 raised to 128 bits is a huge amount. Ideally, use wpa2 which fixes all the vulnerabilities of wpa and has a 256-bit key. Or, for example, if there is a web page in the company, it must have a SSL certificate (Transport Layer Security).

PHYSICAL ACCESS CONTROL PROCEDURE:

This procedure should describe how to execute the different steps to identify the secure access control to the facilities for authorized personnel. This procedure may include date and time of entry records, book tracking or registration platform. The request for permission to access restricted areas, who grants and what must be done to gain access to the areas, etc., must be considered.

ASSET PROTECTION PROCEDURE:

 This procedure should contain the steps with the equipment that is protected by the entity. It is recommended that this procedure specifies how the location of equipment that processes confidential information is determined, how the facilities are secured, the controls that are specified to minimize risks of natural disasters, physical threats, damage, dust, water, interference, electrical discharges, etc.

EQUIPMENT MAINTENANCE PROCEDURE:

This procedure should specify how preventive or corrective maintenance is performed within the entity, indicating the intervals at which these requirements are determined, based on suggestions from suppliers or if there is insurance tied to the equipment and the maintenance is required. The way in which the maintenance will be carried out and the personnel that will perform it must be specified, facing the appropriate record.