Data Privacy

 

Information Security

Information security includes company policies, standards and solutions that should be incorporated in the design of business processes and information flows to ensure access to data is authorized. These company policies and directives should also be followed by systems to ensure that data cannot be inadvertently altered and is reliable.

 

Personnel Security

The following personnel security components exist at KHA:

  • Security Education

  • Virus Protection

  • Personnel and Information Controls

    • Procedural Controls

    • Audit logs

    • Identification

    • Account passwords

    • Authentication

    • Low trust entities

Operational Security: Risk Assessment

Guiding Principle

The results of a risk assessment are only the beginning of an ongoing process aimed at reducing the possibility of, or degree to which, systems will be adversely affected by a security event. KHA will continually update its assessments as components are changed and applications are replaced.

 

Periodic reassessments are done to maintain an accurate picture of the enterprise’s security posture. As results are reported, changes in policy are made to better address the weak points in the existing security program.

 

Systems’ Role in Risk Mitigation and Assessment

Systems incorporate in their design the risk mitigation they decide to implement. The controls that a system selects should address specific, identified vulnerabilities or specific, identified threat-sources, thereby reducing the overall threat it faces. The beginning of the system life cycle is the best time to address security to ensure cost-effective, interoperable solutions.

 

Systems should choose controls or security goals after evaluating risks (risk-adjusted goals). Costs affect goals, and the sources of costs are:

  • Capital costs

  • Hardware and software purchases

  • Reduced operational effectiveness, if system performance or functionality may be reduced for increased security

  • Costs of implementing additional policies and procedures

  • Costs of hiring additional personnel to implement proposed policies, procedures, or services

  • Training costs

A system should adjust security controls using the following guidelines:

  • If a control would reduce risk more than needed, then see if a less expensive alternative exists

  • If a control would cost more than the risk reduction provided, then find something else

  • If a control does not reduce risk enough, then look for more controls or a different control

  • If a control provides enough risk reduction and is cost-effective, then use it

Physical Security

The following are physical security measures in place at KHA:

  • The KHA IT servers will be in the Data Center, a secure building that is equipped to protect them from natural threats such as floods, earthquakes, and electrical storms, and environmental threats such as long-term power failure, pollution, chemicals, and liquid leakage. The Data Center has voltage regulating transformers, uninterruptible power supplies, and on-site power generators.

  • Only employees who are US persons can enter the Data Center. Please refer to the HR System for a definition of a US Person.

Network Security

The following are network security measures:

  • Network Security is a vital component of every area of security, whether it be information, operational, physical or personnel security. KHA systems are contained within the KHA intranet. The KHA intranet is protected from the Internet by use of a Firewall. The Firewall has the DNS server, Mail and HTTP content-scanning servers (for protection against viruses or malicious ActiveX controls, and for scanning of keywords, addition of disclaimers, etc.), Reverse-proxy servers and WAP gateways.

The diagram below shows KHA’s Firewall:

Data packets that go in and out of KHA will use non-SSL and SSL with 128-bit encryption. The firewalls control access to ports 80 and 443, while the Reverse Proxy servers hide the actual IP addresses of KHA devices.

 

© 2008 CMU/Boeing Class - all rights reserved