Security Risk Assessment and Audit into the connection of the internal network with the Internet - Essay Example

? Security Risk Assessment and Audit into the connection of the internal network with the Internet Security Risk Assessment and Audit into the connection of the internal network with the Internet 1.0 Implementation of an Information Security Program 1.1 Purpose of an Information Security Program An information security program is one of the fundamental aspects of security management that must be properly implemented to ensure that information within the computer systems are appropriately protected (Krause & Tipton, 2007). Threats to information systems include unauthorized access and use, disclosure, modification or even destruction (Dexter, 2002). In order to prevent the above from occurring, confidentiality, integrity and availability of information has to be controlled through a careful process (Dexter, 2002). Information confidentiality is maintained by preventing unauthorized persons from accessing vital system information. Integrity handles an aspect that prevents that information from being manipulated by other external sources. Data should also be available for use when required by the relevant parties and not hoarded by other system resources. It is thus fundamental to protect these aspects of data in order to ensure that information within an organization is secure. In order to ensure appropriate security management of information within an organization it is vital that the mission statement and the charter be defined for reference (Deswarte, Cuppens & Jajodia, 2004). The mission statement outlines the overall goals that the information security program within the organization seeks to achieve and provides guidelines necessary for strategic direction. The charter on the other hand avails provisions for the specific rights and privileges granted to the security team members from the organization. 1.2 Justification for use of a security metrics program A security management program cannot be complete without the use of security metrics (Dexter, 2002). These are used to show the changing maturity of an information security program over time. The combination of metrics and reporting tools can be used to display the results and outcomes of past investments in information security and guide decisions for future information systems. 2.0 IT Security Management It security risk management is considered a series of steps that are undertaken to ensure the safety of information within an organization. It is a continuous process that begins from the process of assessment right down to implementation. And even after implementation, the process loops back to assessment because risks to information networks are diverse and constantly change necessitating the iterative process (Sennewald, 2011). This process is detailed below: Figure 1: An iterative process to IT security Management Risk assessment is the initial step that involves the identification of potential threats to the information networks ((Boyce & Jennings, 2002). Based on the results of this assessment, an appropriate policy is developed to maintain a secure protection framework. This includes the development of security guidelines, assigning security responsibilities to members of staff and implementing total technical security protections. Once this has been achieved, a series of compliance reviews and re-assessment activities are conducted to provide assurance that the security controls have been properly implemented. This information is collected through a process of periodic audits on the system (Purser, 2004). 3.0 Differences between a Security Risk Assessment and Security Audit 3.1 Security Risk Assessment This is conducted at the beginning of the process of security management to identify areas of change. It is often referred to as the baseline study that will be used to depict the amount of change that the organization has gone through since the last assessment (Snedaker & McCrie, 2011). It includes an analysis of all the assets and processes that relate to the system. It also identifies all the threats that could affect the integrity of the system and the potential impacts that this could have on the overall functionality of the system (Snedaker & McCrie, 2011). It then provides the basis for the protection requirements that are necessary in order to shield the organization from the associated risks. In order to obtain such information, input is required from the relevant parties within the organization. This includes managers and computer network operators who are constantly utilizing the system resources. This can be achieved through the use of various tools including interviews and observations. The type of tool used depends largely on the scope of assessment and the intended methodology for use. A security assessment is often conducted by a security expert owing to the expert knowledge required in collecting and analyzing the information. IT security risk assessment is beneficial in the provision of a strategic approach to IT security management because it provides alternative solutions for decision making and consideration. It is also easier to estimate costs using this system because it provides a reasonably objective approach for IT security expenditure, budgeting and costs estimation. As such, it provides a basis for future comparisons of changes made in IT security measures allowing for continuity (Dexter, 2002). 3.2 Security Audit A security audit is a cyclic check process that is conducted in the organization from time to time (Snedaker & McCrie, 2011). It is often undertaken to ascertain whether the appropriate security measures have been implemented. Security measures should be implemented according to policy hence it only through an audit that the knowledge of this aspect is made possible. A security audit can be divided to handle certain sections of security management at a time (Snedaker & McCrie, 2011). It is also conducted through the use of various tools like interviews and observations that are utilized depending on the nature of data required (Blokdijk & Menken, 2008). It also requires extensive technical support that enables it to reveal security loopholes within the system. Similar to a risk assessment, a risk audit also provides information for use in formulation or modification of a security policy document (Snedaker & McCrie, 2011). It is also essential that auditors be selected from a knowledgeable pool of auditors with relevant experience in IT security management. 4.0 Security Risk Assessment 4.1 Frequency and Type Security risk assessment is an ongoing process and in the development of a new system, this activity should be conducted early enough in the systems development life cycle so as to properly identify security risks (Purser, 2004). This allows for the implementation of appropriate methods to reduce security risks. It should be conducted once every two years or when major risks are perceived with the system as part of an exploration process. It is however never used as a standalone process because it presents information that represents the state of security at a point in time (Boyce & Jennings, 2002). Frequent assessment is thus essential to discover security threats as they develop in the system. There are three types’ security risk assessment types including high-level assessment, comprehensive assessment and pre-production assessment (Managing Information Security Risk: Organization, Mission and Information System View). High level assessment focuses on the general aspects of security within the system. In-depth analysis into the details and technical nature of these risks is not presented with this kind of assessment. It often emphasizes the analysis of the organizational security systems factoring only the overall design process. Comprehensive assessment provides a more detailed security aspect of a system. It is conducted periodically as well to ensure the integrity of the security system. The activities conducted under the comprehensive assessment are similar to those conducted in the pre-production assessment. The only difference lies in the fact that pre-production assessments are conducted on a new information system before it is implemented for use in an organization. It can also be use after there has been implementation of a different system that implies the change to a new system. It is a fundamental form of assessment because it ensures that the security systems are properly implemented before information is manipulated through these systems. 4.2 General Security Risk Assessment Steps 4.2.1 Planning 4.2.1.1 Project Scopes and objectives In planning for a security assessment, it is vital that various areas of study be defined first. This implies that the scope of project should be well defined to enable all members have an understanding of their boundaries (Krause & Tipton, 2007). The scope of a security risk assessment may include the organization's connection of its internal network with the internet. The objectives of the study have to be listed to allow understanding of which aspects of this connection that requires assessment. In this case, it may be the identification of the security protection mechanisms that the organization has in place that govern its connection with the internet. 4.2.1.2 Background information Background information into the organization is relevant because it allows the assessment to be carried out in context of the organization's activities (Sennewald, 2011). Historical and current information is included here stating the parties that are related to the organization and the results of any recent assessments that have been undertaken on the organization. 4.2.1.3 Constraints The expected constraints are also listed to enable the team to place sufficient measures in place to handle these. These may include time; cost and technology constraints that often have a significant impact on the nature of methodology that the organization chooses to implement (Deswarte, Cuppens & Jajodia, 2004). 4.2.1.4 Roles and Responsibilities of Stakeholders The roles and responsibilities of all the members of the team need to be stated so that each aspect of the project is essentially covered. Some of the stakeholders include system administrators, IT security officers, computer operations staff, database administrators among others (Deswarte, Cuppens & Jajodia, 2004). 4.2.1.5 Approach and Methodology The approach and methodology for use in the project is stated to determine its suitability before initiation. There are two main types of approaches to choose from namely the qualitative and quantitative approaches that provide different forms of data depending on the requirements (Deswarte, Cuppens & Jajodia, 2004). In essence, the results should produce more quantitative data to allow quantitative analysis of the problem at hand. Qualitative statements should be minimized to describing the impact and appropriate security measures that need to be implemented. 4.2.1.6 The Project Size and Schedule The project size and schedule are also included so that the members know the various areas to cover during their data collection (Deswarte, Cuppens & Jajodia, 2004). This aspect of design is often used as a fundamental tool for monitoring progress of the project. 4.2.1.7 Data and Tools Protection The data and tools protection methodology is also explained to allow members of the team understand how to handle the data once it has been collected in order to ensure integrity of the whole process. Sensitive data about the organization should be stored with appropriate file encryption tools or in lockable cabinets that should be catered for during the planning stages (Deswarte, Cuppens & Jajodia, 2004). Various tools should also be stored safely and only used by authorized team members because of the potential damage that their misuse can bring to the system. Senior management members and the research team should also be reminded to treat the results of the research and the eventual report with strict confidence. 4.2.2 Information Gathering The process of information gathering should provide information on the risks encountered by the organization through the analysis of information collected. As such, the data collection process should be thorough to ensure that the appropriate information is collected. Two common types of information collection modes include the general control review and the systematic review both implemented depending on the objectives of the study (Deswarte, Cuppens & Jajodia, 2004). 4.2.2.1 General Control Review This process collects information on threats that result from the general existing security processes. It does so by examining the systems manually through a series of procedures. These procedures include: Site Visits This includes visits to various areas that are essential to the study. These include the data center, computer rooms, and offices which are some of the areas that utilize computer networks (Deswarte, Cuppens & Jajodia, 2004). This is done so as to identify potential risks which are noted down as observations by the study team. Some of the relevant security aspects that are to be noted include end user behavior like the use of passwords on various computers to determine whether relevant security procedures are being effected (Austin, 2001). Group Discussion This is an open forum of discussion that involves the relevant stakeholders within the organization. It is also structured in a way that derives only the necessary information from the respondents. The discussion can have a topic and format that ensures that the perceptions of employees on their current security system are elicited (Deswarte, Cuppens & Jajodia, 2004). Other aspects that may come out include dissatisfaction with the system and some of the various problems like viruses that have been experienced by users when they connect to the internet from their local machines. Multi-level interviews Key respondents can be interviewed through the use of focused questionnaires that aim at extracting information of a certain specific nature (Deswarte, Cuppens & Jajodia, 2004). This can include system administrators, database administrators and IT security officers among others. Accuracy and completeness of information can also be enhanced through the use of this type of interview whereby information from the group discussion can be assessed against those of multi-level interviews for relevance. Questionnaires These can be developed and structured in a variety of ways depending on the type of information being elicited. Observation checklists can be used to determine by observation the existence of a variety of security measures in the organization (Austin, 2001). This can detail the presence or absence of computer anti-virus software for those computers connecting to the internet. Hence through the use of a variety of data collection methods, information on the organization can be collected depending on the nature of study. 4.2.2.2 System Review This is another type of information collection mode that seeks to identify any vulnerabilities in the network or system of computers (Snedakar & McCrie, 2011). It is a more technical form of review because it focuses on the operating system, administration and monitoring tools that are utilized in various platforms within the organization. Some of the information that can be collected in these systems includes encryption and authentication tools used when computers connect to the internet, network management tools and logging or intrusion detection tools that the organization may have in place at the time (Site Security Handbook, 2007). This data can be collected by the research team through a variety of methods that include observation. Activities like intrusion can be detected by observing the operations of the system. Network management tools that are in place should also be checked against the available security policy that is in place in the organization to determine whether they have been fully implemented. 4.2.3 Risk Analysis 4.2.3.1 Asset identification and valuation All assets that are involved with the connection of the internal network to the internet should be listed. These include information, services, hardware and software, personnel and supporting utilities must be identified (Krause & Tipton, 2007). This includes computers, modems and IT operations staff among others. These resources will thus be assigned values depending on various criteria. Tangible values can be assigned items that have a replacement cost like IT equipment, and staff. Intangible values can also be assigned to items like data which cannot have a tangible replacement cost once lost in the network. 4.2.3.2 Threat Analysis Threats are things that can potentially damage a computer network and its resources (Snedaker & McCrie, 2011). These include human error, computer fraud, theft industrial espionage and environmental disasters. The likelihood of occurrence of these threats is also detailed to determine how often a computer is threatened. Information relating to this can be extracted from computer logs and systems errors reports that can be converted into threat event information (Adams & Lloyd, 1999). 4.2.3.3 Vulnerability Analysis A vulnerability presents a weakness within the system that could result from operational and technical deficiencies in the method of security control in the system (Snedakar & McCrie, 2011). These can include interception of data transmission and unauthorized access of information by third parties within the internet. Hence vulnerability analysis is the process of identifying and analyzing the vulnerabilities within the system. A connection to the internet makes a system more vulnerable to external attack by third parties (Snedakar & McCrie, 2011). Systems connected to the internet also have a variety of users who can log in remotely while the local network only has a limited set of users making it more safe. Hence there is a higher degree of vulnerability when using an internet connection in the internal network of the organization. In order to determine vulnerability, a variety of tools can be used within the internal network to determine the system's ability to withstand intentional attempts. A system of hacking tools and software can be introduced into the system to determine whether it can detect these and sufficiently stop their action. Some of these methods include Internet Protocol (IP) address probing, mail bombs, brute-force password attacks and Internet Control Message Protocol (ICMP) flooding among others (Adams & Lloyd, 1999). 4.2.3.4 Assets/Threats/Vulnerabilities Mapping This kind of mapping can assist with the identification of the possible combinations that could create the most damage ((Snedakar & McCrie, 2011). It is stated that unless a threat can exploit a certain vulnerability in the current system then it ceases to be a risk to an asset in the organization. In this case a virus could significantly exploit vulnerabilities in the computers network security system making it a threat to software programs in the organization. 4.2.3.5 Impacts and Likelihood Assessment Impact assessment determines the overall damage that the threat would have on the system. This includes aspects of revenue loss in the event that crucial data is lost from the system because of a viral threat from the internet. A likelihood assessment would also need to be carried out to determine the possibility of occurrence of the threat within a given period of time (Snedakar & McCrie, 2011). Likelihood increases with an increase in the number of users who are authorized to use the system. Hence the likelihood of an internal network getting attacked by viruses increases with an increase in the number of users who access the system. 4.2.3.6 Risk Analysis These risks can then be analyzed using qualitative or quantitative methods to determine their overall effect on the internal network. A matrix approach can also be used to classify the effect of the various threats as high, medium or low depending on the expected nature of output (Snedakar & McCrie, 2011). With classification of these risks comes a guideline on what should be done in the event that they are encountered. This includes a description of some actions which range from acceptable risk in some low risk threats to reduction, avoidance or transfer of liability of those risks to third parties. Hence in the case of a virus, the description for such a risk would include avoidance of the risk through the installation of a fully functional anti-virus into the computer systems (Adams & Lloyd, 1999). 4.2.4 Safeguards Safeguards should also be identified and evaluated for effectiveness so as to mitigate the possible effects of threats and vulnerabilities. Some of the safeguards include barriers that keep unauthorized persons completely away from the system resources. In addition, hardening components can also be implemented to make unauthorized parties unable to access critical system resources (Adams & Lloyd, 1999). Monitoring is also vital with such systems to detect any unauthorized activity and initiate a timely response. The use of passwords and authentication mechanisms can be used as safeguard measures (Austin, 2001). Developments of encryption programs as well as staff awareness programs of security compliance are essential. Safeguards should however be developed with the intended threat in mind. There are some safeguards that would be entirely useless in certain instances. Cultural factors also have to be considered in the development of these safeguards bearing the fact that social customs and beliefs, working styles and other aspects of society as they may not respond positively to some safeguards. Time, financial and technological constraints also have to be factored in because not all safeguards are appropriate for use with each threat (Dexter, 2002). 4.2.5 Monitoring and Implementation The above stages of risk assessment should be properly documented to ensure that an appropriate auditing exercise can be conducted in future (Site Security Handbook, 2007). This exercise will also pave the way for monitoring and review processes which are essential in keeping track of the changing environment and changing priority of identified risks. Documentation will also provide baseline data for comparison with reassessment data to determine any changes that have occurred in the system (Information Technology – security Techniques – Code of Practice for Information Security Management, 2005). Process of implementation will also find a firm basis through previous assessment data. 5.0 Security Audit 5.1 Audit Frequency and Timing Security audits should be undertaken at certain defined periods to ascertain whether the security policies have been implemented properly and are functioning as they should (Krause & Tipton, 2007). They can be conducted two times with the second time providing data that will be used to verify the results of the first audit. The second audit can be conducted after a period of between one to three months after the first audit to allow time for implementation of the recommended policies. However, it should be understood that the period between the first audit and the second audit should not be too long otherwise the integrity of the process is compromised. This is because as earlier elaborated, the threats and vulnerabilities of the system change rapidly over time. Audits can be performed randomly when the organization wishes to evaluate their systems at a point in time (Krause & Tipton, 2007). They can also be conducted after the introduction of various changes to the organization to determine their operation. Audits can also be conducted regularly as per a certain schedule that is developed by the organization and implemented. 5.2 Auditing Tools and Steps Various tools can be used for the auditing process depending on the nature of vulnerabilities that the system has. In the case of auditing of the internal networks, various tools like hacking software can be introduced into the system to determine how well the system will be able to handle such issues (Novak, 2001). The auditing process follows a series of steps that include planning, collecting the audit data, analysis and reporting of this data that is finalized by a process of recommendations of specific areas of change. 6.0 Follow Up Follow up is a fundamental process resulting from the recommendations made from a risk assessment and audit of security within an organization. It is main reason for the development of recommendations from these two forms of assessment. Recommendations made by security consultants or auditors should be specific and clear (Boyce & Jennings, 2002). It is because of obscurity that some of the recommendations made to organizations are not fully implemented necessitating the need for use of proper convincing and persuasive language based on sufficient evidence. Recommendations also need to be based on verifiable results that are feasible and practical for implementation (Purser, 2004). In the event that a recommendation is not practical, it may not be implemented appropriately. The recommendations also need to be significant and in context of the organization's operational requirements. Stating recommendations that are in no way related to the organizational operations will only result in wastage of resources at the expense of other areas of the organization that require change. These recommendations should be made in plain clear simple language for management to be able to understand because they are the ones to be presented with the recommendations for approval and implementation (Purser, 2004). Management should be pro-active enough to implement the necessary changes that have been recommended by consultants. They should also allocate sufficient resources to support the upcoming audit process and promote staff awareness. Staff should then be encouraged to participate directly in the implementation of these recommendations through a process that allocated training and sufficient resources for their use (Boyce & Jennings, 2002). Management should also set up an efficient monitoring and follow up system that ensures that the recommendations that were provided have been properly implemented. Some of the follow up actions include reviewing the implementation plans, documentation and time frames for planned actions. Determining why some of the actions that had been recommended were not implemented is also fundamental to the process of security management (Blokdijk & Menken, 2008). This will enable the development of other processes and functions to ensure a more efficient method of risk assessment. Alternative methods of implementing various recommendations should also be documented in addition to all the accomplishments that the organization has been able to achieve to this effect. 7.0 Benefits of a Security Metrics Program A security metrics program provides visibility into the information security program currently in use within an organization (Deswarte, Cuppens & Jajodia, 2004). They provide insight into the current state of the information security program even before the goals and objectives have been defined. It also provides a set of common terms that can be utilized an understood throughout the organization and not simply by the security team (Sennewald, 2011). It provides key information for various staff members by informing them of the fundamental aspects of the state of information security within the organization in a simplified manner. The measurement of security metrics also enables improvement of the security system within the organization (Deswarte, Cuppens & Jajodia, 2004). It does so by identifying the fundamental areas that require improvement within the information system. Security metrics can then be used to fix a security process that is broken and focus all the resources on protecting the most valuable security assets of the organization. These processes are adjusted in order to maximize or minimize a particular outcome. Measurements are taken at an initial point in time at which the organization is setting up their security system. This data form the baseline that is used to compare against other recurring measurements that are undertaken periodically (Deswarte, Cuppens & Jajodia, 2004). These differences are thus taken into considerations and discussions undertaken to improve operations and close the gap between the current measurement and the desired outcome. A security metrics program is also fundamental in ensuring that decisions are made in an efficient manner at both operational and strategic level. These metrics influence the day to day decisions of an organization and thus optimizes the decision making process. This facilitates the management of the information security program making it different from those programs governed and informed by the absence of data. Data from security metrics can be used to support a form of technology or methodology that has been adopted by an organization in an objective manner. This facilitates testing and experimentation to produce results that are verifiable and can be replicated. Decisions that are supported by these metrics are also credible and likely to be sustainable. This is because these metrics have been carefully designed to align to the objectives and requirements of the information security team. This approach enables the organization to achieve sustainable change within the organization. 8.0 Challenges of creating a security Metrics Program The measurement of security metrics utilizes both quantitative and qualitative data. Quantitative data may be easy to collect and analyze but qualitative data may not be as simple. The process of data collection is thus complicated and may pose significant challenges (Snedaker & McCrie, 2011). Security metrics are also challenged by the fact that technology is ever changing throughout the years. Hence recommendations that would have been feasible at one time may be obsolete after a short time. In addition, tests on the security of the system may become obsolete because hackers are constantly evolving in the manner of development of viruses and spyware that for potential threats to the information security system (Adams & Lloyd, 1999). References Adams, C. and Lloyd, S. (1999). Understanding Public-Key Infrastructure: Concepts, Standards, and Deployment Considerations. Macmillan Technical Publishing. Austin, T. (2001). PKI: A Wiley Tech Brief. John Wiley & Sons, Inc. Blokdijk, G. and Menken, I. (2008). IT Security Management Best Practice Handbook. Lighting Source Inc. Boyce, J. and Jennings, D. (2002). Information Assurance: Managing Organizational IT Security Risks. Butterworth-Heinemann. Deswarte, Y., Cuppens, F. and Jajodia, S. (2004). Information Security Management, Education and Privacy. Springer. Dexter, J. (2002). The Cyber Security Management System: A Conceptual Mapping. The SANS Institute. Information Technology - Security Techniques - Code of Practice for Information Security Management. ISO17799:2005. Krause, M. and Tipton, H. (2007). “Handbook of Information Security Management”. Isc2 Press. (2007) Managing Information Security Risk: Organization, Mission, and Information System View. Special Publication 800-39, NIST. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-39/SP800-39-final.pdf Novak, D. (2001). “The Theory Underlying Concept Maps and How to Construct Them”. Cornell University. Purser, S. (2004). A Practical Guide to Managing Information Security. Artech House. Ryan, J. (2001). A Practical Guide to the Right VPN Solution. Applied Technologies Group Inc. Retrieved from http://www.techguide.com/html/vpnsolu.pdf Sennewald, C. (2011). Effective Security Management. Elsevier. Site Security Handbook. Request for Comments (RFC) No. 2196, IEFT. (2007). retrieved from http://tools.ietf.org/html/rfc2196 Snedaker, S. and McCrie, R. (2011). The Best Damn IT Security Management Book Period. Syngress. Read More