Information Security Management - Literature review Example

?TMA01 Information security management QUESTION A Before conducting information security risk assessment, there are certain fundamental concepts thatneed to be recalled. One of them is a Threat that is defined as the probable network security breach which may occur in the future and will harm the network, as well as Information systems. The current trends in technology advancement have enabled the networks to be prevalent. People are connected at home, offices, as well as when they are travelling either via laptop or mobile phones. The evaluation is conducted to identify the severity of each information system, which deserves priority due to the value of data which needs to be protected. Both threats and vulnerabilities need to be considered concurrently. Threats can provide damage to the confidentiality, availability and integrity of information present in the information systems. They explore opportunities for security breaches to cause confidential data invasion via unauthorized access, amendment of data, removal of information from information systems. Threats can hit the network from various sources. Threats are confidential on the parameters of different capabilities and approach including external approaches by cyber criminals, hackers, terrorists. For handling threats of different nature different risk mitigation and control methodologies are required in the context of protecting the prioritized information systems. Vulnerabilities are the weaknesses which are present in the system against the current threats. Vulnerabilities can be distinguished as security loop holes in the system. If hackers find these loop holes in the system, results are devastating including unauthorized access, amendment or complete deletion of the system. A recent example is the hacking of wiki leaks website which impacted the whole world and also affected strategic and economic relations between countries as various confidential documents were leaked out from the website. Vulnerabilities are successful due to policy weaknesses, inadequate implementation of security infrastructure, and information of personal issues. For identifying any possible threats, testing of the security infrastructure including network components, hardware and software is essential which may occur in the future. The risk is defined as the likelihood of different threats via different circumstances, which are affecting the network and information systems. The circumstances should consider the strategy, security measures, environmental measures, own experience and the experience of other connected entities in the context of information security failure. The impact calculation is also required in terms of data integrity, availability; confidentiality and the cost associated with the fixing systems, lost availability and other related issues which are of prime concern to the network and information system operations. Measurements consist of Cost which is used to protect the information and systems Value of the information and information systems Threat probability and occurrence Effectiveness of Controls Hazards determine the identities and quantities of any chemicals or harmful substances present as pollute causes in the environment. There are different type of hazards required for cleaning and maintenance of the office furniture and items. Hazards may masquerade to human health or the network and information systems when spilled out accidentally by mistake. They also require flammable characteristics which may occur in severe threats and help to increase fire or other incidents. Assets are the components serving internally, as well as externally, within the network. Assets can be divided in to several different information technology environments. The physical infrastructure contains Servers, workstations, data centers, switches, routers etc. The core infrastructure contains virtual private networks, Microsoft active directory, domain controllers, email servers etc. The Internet infrastructure contains public cryptographic keys, training manuals, emails etc. i. Risk Analysis Methodology The ‘www.businessdictionary.com’ defines risk analysis as “Relative measure of risk or asset value based on ranking or separation into descriptive categories such as low, medium, high; not important, important, very important; or on a scale from 1 to 10”. Numeric values are assigned for measurements that can be analyzed to determine risk priorities. For performing risk analysis for the enterprise network, stages are divided in order to focus specific stage precisely. The objective is to make the system secure from threats and vulnerabilities. The methodology will illustrate decisions as outputs for each stage. ii. Evaluating Risks by Qualitative Risk Analysis A comprehensive definition of qualitative risk analysis is illustrated by (Hintzbergen, Hintzbergen et al. 2010) which says” Qualitative risk analysis, which is used more often, does not involve numerical probabilities or predictions of loss. Instead, the qualitative method involves defining the various threats, determining the extent of vulnerabilities and devising countermeasures should an attack occur”. Qualitative risk analysis can be performed on computerized data analysis, as well as manually. The objective is to identify only the most significant risk factors which are related to intrusion detection and cyber crime prevention. Qualitative risk analysis also provides evaluation of the potential damage in the context of security controls. Ineffective quantitative analysis involves unreliable and unproductive information on threat occurrence and probability along with the prospect reliability and performance of controls related to intrusion detection and cyber crime prevention. Fig 1.1 demonstrates quantitative analysis and the identified threats along with the occurrence and severity levels. Occurrence Risk Severity Identified Risks Highly likely to occur High risk 1) Network Monitoring Medium likely to occur High risk 2) Information Leakage Not likely to occur Medium/low risk Highly likely to occur Medium risk 3) IT Security Framework Medium likely to occur Medium/low risk 4) System and Network Administration Not likely to occur Low risk Highly likely to occur Low risk 5) Integration of data between systems Medium likely to occur Low risk Not likely to occur Low risk Fig1.1 Network monitoring(High Risk / Occurrence high ) Network monitoring is the prime responsibility of the organization after implementation. There are so many threats inventing on a daily basis. They adopt new ways of attacking networks. The constant and efficient monitoring of the network identifies any breach to the network at an initial stage. The early identification of any security breach helps the organization to quarantine the threats or minimize the impact of these threats on the network and systems. Alerts can be triggered for any unusual activity on the network. If the network monitoring is compromised, no malicious activity will be detected resulting in serious damage to the network components, as well as the information systems. System and Network Administration(Medium Risk / Occurrence Low) System administration risk involves issues such as Ant virus software are not up to date Latest system security patches are not installed Forgot to Security software not installed on every critical system Employees who have already resigned, user accounts still not deleted If the system administration policies are not implemented efficiently, threats are more likely to be conducted within the organization. Internal threats may occur. For example, unauthorized access, breaching in to highly classified information systems etc. Information Leakage(High Risk / Occurrence Medium) The information leakage can result in transmitting highly classified data to the hacker. The hackers can also send a malicious code to breach in the network. The small software can be installed on any system of the network and is not detectable. The small software then tries to establish a connection with mission critical information systems to either damage the data or transmit the data to the hacker. IT security framework (Medium Risk/ Occurrence High) An efficient design of the security infrastructure is necessary focusing on the potential threats and vulnerabilities. All the process and functions are performed on the security framework of the network and information systems. If the framework or the security infrastructure is not adequate, organizations may face severe threats and vulnerabilities in the future. Integration of data between systems (Low Risk / Occurrence High) The transmission of data internally and externally is unsafe. The connections to the external system are the gateways for hackers to enter the network. Encryption protocols need to be implemented for encrypting the data between the internal and external systems. QUESTION B For providing improved functionality for the organization, policies and procedures must be defined. They play a vital role for an organization’s smooth functioning. In order to implement policies and procedures, group discussions are required for constructing and implementing them in a real world scenario. The first requirement is to differentiate both of them. A security policy comprises in the form of a document or rules that specify the statement ‘What must be done’ in order to assure security measures in the system or the network. Whereas, procedures are associated with the rules and practices that are implemented in order to impose the rule. For instance, in a network security scenario, where there is a requirement for preventing the wireless network, anonymous access must be blocked. Likewise, the security policy document will define ‘What needs to be done’ to block anonymous access for a wireless network. Whereas, the procedures will define the practices and rules that needs to be followed in order to block the anonymous access (In InfoSecCD '05: Proceedings of the 2nd annual conference on Information security curriculum development, 2005). After differentiating both the security policies and procedures, these two are associated with development and administration in an organization. The term security in terms of development and administration is more like a management issue rather than a technical issue in an organization. The justification is to utilize and classify employees of an organization efficiently. Moreover, from the management perspective, discussions take place for describing various vulnerabilities and threats along with the creation of policies and procedures that may contribute for the achievement of organization goals. After the discussions and alignment of policies and procedures to contribute for organization’s success, the development process is initiated at a high level, and afterwards implemented at lower levels within an organization. The conclusion reflects the development of policies and procedures, requirement of an approval from concerned personnel and then implementing them smoothly for the employees (In InfoSecCD '05: Proceedings of the 2nd annual conference on Information security curriculum development, 2005). On the other hand, initiation of these security policies is easy and not expensive, but the implementation is the most difficult aspect. If the development and administration do not comply effectively, or fails to establish awareness between employees related to the policies and procedures, the disadvantages may affect inadequately for the organization. For instance, an attack from a social engineering website such as ‘Facebook’, ‘twitter’, or ‘MySpace’ may extract sensitive information from senior or trusted employees of an organization. If the policies and procedures were understood or implemented properly, employees will be well aware of not providing any credentials or they will verify authorization before providing information on the sites. Moreover, privacy and trust is a debatable topic that is also referred as identity theft. A good definition of identity theft is available in network dictionary that states as, “Identity theft is a crime in which an imposter obtains key pieces of personal information, such as Social Security or driver’s license numbers, in order to impersonate someone else. The information can be used to obtain credit, merchandise, and services in the name of the victim, or to provide the thief with false credentials”. Many organizations have suffered security breaches initiated from a social networking site. There is a requirement for creating awareness between employees by developing policies and procedures related to the attacks associated with social engineering sites along with coping up these attacks. There is a requirement of identifying critical information systems within the organization. All the users must be categorized for accessing these servers by a level of trust. The level of trust can be categorized as allowing everyone, allowing none, and allowing some specific individuals (In InfoSecCD '05: Proceedings of the 2nd annual conference on Information security curriculum development, 2005). To protect information systems for organization is a complex task as hackers create new vulnerabilities every now and then. The security devices are updated for only protecting the data and network from the current known threats and vulnerabilities. The probability for new threats cannot be assumed. Deployment of firewall cannot protect the network, as risks are associated with both internal and external network. In order to protect the network, dimensions are created in terms of physical security, operating system security, database security and network security. Physical security is associated with rules and procedures to be followed by the users. For instance, if an organization has the policy to configure password for a screen saver, every employee must follow, although these are the basics but need to be followed. Moreover, the data servers must have a backup server on some other physical location that is replicated. The operating system security must define rules and procedures for employees to update antivirus regularly, security patches, and any other software patch that the network administrator has just shared for probable vulnerabilities. Moreover, employees should scan the system occasionally or during their lunchtime to avoid security breaches. In order to provide database security, organization must complete all the required stages before making it operational. The stages include design, development and propagation of policies and procedures. The three critical parameters that are associated with database include integrity, availability, and data. Furthermore, the discretionary and access control is also essential as it restricts and allows specific users to access the database (In InfoSecCD '05: Proceedings of the 2nd annual conference on Information security curriculum development, 2005). For incorporating strict policies and procedures to ensure network security and information assets, implementation of IDS is recommended as it sense unusual activities on the network. It is defined in ‘network dictionary’ as “Network-based intrusion detection system (NIDS) refers to an intrusion detection system (IDS) that monitors activity on a network, instead of a particular host”. The NIDS will listen to all network activities instead of restricting for just one host. Moreover, disabling USB ports from the employee workstations can also secure the network from viruses and Trojans that came along with the flash drives. References HINTZBERGEN, J., HINTZBERGEN, K., SMULDERS, A. and BAARS, H., 2010. Foundations of Information Security: Based on ISO27001 and ISO27002. Van Haren Publishing. In InfoSecCD '05: Proceedings of the 2nd annual conference on Information security curriculum development (2005), pp. 49-53, doi:10.1145/1107622.1107634 Network-Based Intrusion Detection System. 2007. Network Dictionary, , pp. 340-340. Read More