Information Security Program - Case Study Example

Summary: This paper "Information Security Program" points out what information security governance is in a banking software company and how it has been implemented. The paper gives an information security policy that provides total control, hence compliance, to ensure effective information security governance. …
Review and evaluation of information security program

In this essay, it is pointed out what information security governance is in a banking software company, how it has been implemented and its purpose in the company. It details an information security policy that provides total control, hence compliance, to ensure effective information security governance. Information is a main asset for any institution, and measures to ensure the security of assets are of key importance. A well implemented information security governance framework should direct and control the security policies that are implemented at all levels of decision making.

Table of Contents
1. Introduction
2. Information security governance and its strategy
3. Regulations for information security in the banking software industry and their influence on governance of the security program
4. Information security governance model and framework
5. Implementation of the company’s security program, challenges and their remedies
6. Measuring the company’s information security program success
7. What is working well within the company’s security program?
8. What is not working well within the company’s security program?
9. Improvement of information security governance
10. Conclusion

1. Introduction

An IT oriented company is more prone to information security risks than a regular institution. The company under consideration provides banking software services, a complex task that requires complete security for its clients. The company consists of several departments such as administration, finance and software development, among others, bringing the total workforce to over 200 individuals. The company’s information security governance formulates strategic goals, ensures the achievement of those goals, manages risks, makes use of resources, and carefully assesses the achievement of the information security program.
Information security for the company entails all aspects of information, whether spoken, written, printed or electronic. It also covers information handling, which involves information creation, viewing, storing or transporting.

2. Information security governance and its strategy

The company has a clear and comprehensible approach to information security, and it regards its information and data as assets that have to be safeguarded from threats. Previously the company did not have well-structured procedures to evaluate the attainment of the set information security objectives in order to take appropriate intervention measures. As of now the company has an efficient approach to the management of security threats and risks. This approach has been made possible by the implementation of some aspects of security management.

Information security policies

According to Monaghan (2009), there are various security policies that ensure effective information security governance and provide a way of protecting an organization’s information assets (information and information systems) from destruction, disruption, unauthorized access, use or disclosure.

The Personal Communication Devices and Voicemail policy describes Information Security’s requirements for the usage of personal communication devices and voicemail, which include all handheld wireless devices, wireless cards and pagers in an organization. Bluetooth devices and voicemail boxes are issued to authorized personnel upon approval. This policy further dictates that files containing data that is deemed sensitive shall never be stored on these devices.

The Physical security policy governs access to facilities housing critical information systems and back-up systems, such as the company server rooms. These facilities are subject to access monitoring that captures the identity of the person entering or exiting as well as the timestamp. This policy ensures that network devices, servers and storage media are kept in secure locations accessed only by authorized personnel, and that entry codes are changed periodically where locking mechanisms with keypads are used. It gives directions on securing unused keys and entry devices. The Physical security policy also details the environmental considerations made for the facilities housing critical information systems. It requires the proper installation and functioning of fire suppression and prevention devices, and routine maintenance and inspection of environmental facilities such as A/C, heating, water and sewage. Safeguards against loss of power are guaranteed by the use of uninterruptible power systems and backup generators.

The Technology Equipment Disposal policy defines the requirements for the proper disposal of technology assets when they reach the end of their useful life. The policy is applicable to all company technology equipment. Data is securely erased from all storage media in accordance with industry standard practices, and the equipment is removed from the company’s information technology inventory system.

The Information sensitivity policy entails the requirements for classifying and securing the organization’s information in a manner appropriate to its sensitivity level. The purpose of this policy is to determine the kind of information that may be disclosed to non-employees. It classifies company information as follows. Minimal sensitivity information includes corporate information and some personnel and technical information; it can be accessed by the company’s employees, contractors, and people enquiring for relevant business information, and brochures provide such information upon request. More sensitive information includes financial, technical, and personnel information; it is accessed only by the company’s employees and by non-employees who have signed non-disclosure agreements. Trade secrets and source code are the most sensitive information; they are integral to the success of the company and hence are accessed only by approved individuals.

The Risk Assessment policy specifies the requirements and authorizes the information security team to identify and assess risks. Its purpose is to delegate power to the information security team to perform information security risk assessments at regular intervals in order to determine vulnerable areas and initiate suitable solutions. The scope of this policy dictates that risk assessments can be performed on any of the company’s information systems, including applications, running processes or procedures, servers, and the networks on which these systems are administered and maintained. Employees, on the other hand, are expected to collaborate in any risk assessment activity being conducted on systems for which they are answerable, and to participate fully in the development of a plan to correct the problem. These policies are enforced, and any violations are subject to disciplinary action, including termination of employment of the respective violator (Monaghan, 2009, pp. 1-3).

The company has employed staff with the expertise needed for an effective security program that covers all areas of the company. It has also affirmed the degree of completeness of the security measures that were implemented and provided consultation services on information security, particularly the monitoring of threats from the internet. The company has regularly tested and reviewed its technology advancement and ensured that the controls work properly. This has been made possible by establishing a network of people who gather information from all the stakeholders of the company. The company has considered some goals that are influenced by the success of information security governance.
There should be minimal disruption of IT services and as few security incidents as possible, a high level of trust in transactions and the exchange of information, and the establishment of a work plan for averting information security risks. The approach taken by the company towards information security governance has ensured that there are well defined roles and responsibilities, no security overlaps, and cohesion in assurance activities, thereby forming a security barrier that is reliable in protecting the company’s information resources.

3. Regulations for information security in the banking software industry and their influence on governance of the security program

As the company tries to be competitive, it has to react to pressures to cut costs through the deployment of automation systems, which translates to more information systems. The company has therefore become more dependent on these systems, making it difficult to make decisions concerning the administration of effective information security.

According to the Corporate Information Security Working Group (2004), organizations from the private sector are subject to the information security implications of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Corporate Information Security Working Group, 2004, p. 4). This regulation gives health insurance protection to employees and their families. The Center for Internet Security (CIS) is a non-profit organization focused on providing security benchmarks and enhancing cyber security through collaboration with both the private and public sectors in measuring compliance. The International Organization for Standardization (ISO) is a non-governmental organization formed by the merging of national standards organizations throughout the world. The Evaluation Criteria for IT Security standard evaluates the functional requirements of a technology product and thereby certifies its security assurance. The Data Governance Council requires the board of directors to give strategic supervision relating to information security by obtaining regular information security reports from management, overseeing the development and implementation of an effective information security program, and thoroughly reviewing the program. Another key regulation that addresses governance roles and responsibilities is Control Objectives for Information and related Technology (COBIT). COBIT is a security standard framework that allows management to link business goals to IT goals, provides metrics and models that measure their success, and identifies the obligations of the caretakers of business and IT processes.

All the regulations mentioned above have several elements in common that direct executive management to consider and respond to them. As a result, boards of directors have been expected to make radical changes in the management of the company by including information security in the enterprise’s governance efforts and providing the necessary financial support for the program. The overall effect of such regulations has been a high level of information security together with an increased cost of production.

4. Information security governance model and framework

To achieve effective information security governance, the company management has established and maintained a framework that aids in the development and review of an all-rounded information security program. This framework is comprised of:
1. A system of methods followed in the management of information security risk
2. An organizational security structure that is capable of accomplishing its purpose
3. A security plan of action adopted by the company that covers security checks, the strategy and regulation of information security, and a security policy evaluation and update process
4. A well-documented set of security standards that ensure information security policy procedures and guidelines comply
5. A security scheme that is closely linked to business IT goals and gives details concerning the net worth of the information protected
6. Monitoring processes that ensure compliance and provide a feedback mechanism on effectiveness and on the lessening of the severity or intensity of risk

This framework provides the foundation for the development of an information security program that is productive relative to its cost and supports the company’s stated goals. It gives a platform on which the adverse effects of security incidents can be averted or reduced, hence providing assurance on the protection of information resources. The framework brings forth activities that aid in the achievement of the set goals. Security roles are exercised by diverse parties that may include groups, committees and individuals within the company.

In the framework the board of directors (trustees) places information security on the board’s agenda, identifies leaders of information security, supports them and places accountability on them. It is also responsible for ensuring that the information security policy is reviewed and sanctioned. As reported by the Corporate Information Security Working Group (2004), the ultimate duties for information security rest with the Board of Directors/Trustees in its function as custodian of the governance framework (Corporate Information Security Working Group, 2004, p. 4). The executives implement reliable security governance by elaborating the complex strategic security objectives of the company. It is the duty of executive management to give support and leadership for a successful security program by ensuring the cooperation and integration of the stakeholders. The Steering Committee ensures that all stakeholders affected by security are involved. It is comprised of the chief executive officer, chief security officer, business unit executives, chief financial officer, IT director, and the heads of the human resources, audit, operations and public relations departments.
The committee serves as a vessel through which policy compliance is achieved, through traditions that encourage beneficial security practices. The company has a chief security officer, or security director, who is responsible for the company’s corporate security goals, strategy and programs and who guides staff in identifying, creating, enforcing and maintaining security processes. This framework provides the basis for a work plan comprised of one or more security programs that, when implemented, will achieve the stipulated security objectives. It contains provisions for monitoring and well defined metrics that determine the level of success. As a result the chief information security officer gets reliable information which enables timely correction and ensures that the defined security objectives are met. Information security benchmarks for information resources are developed by the managers and directors depending on the level of protection required.

5. Implementation of the company’s security program, challenges and their remedies

The company initiated the information security program through a number of steps. These steps include the creation of a security governance structure. This is organized from an existing committee or governance body within the company. Its mandate is to set goals and identify the different roles and responsibilities. It is composed of individuals from all the departments of the company, so that each stakeholder area is represented. Together as a team the committee members meet and review security policies.

The company’s information assets are identified by collecting all existing security policies, agreements, contracts and memoranda of understanding that relate to sensitive and confidential information. Inventory items such as databases, training materials, application software, computers and removable media, among others, are gathered and well documented. The company identifies all government regulations, statutes, and laws that affect it depending on its field of business. This company is governed by payment card industry regulations that govern the usage of credit cards such as MasterCard or Visa.

The business needs are understood through improved personal relations and by determining the importance of privacy and confidential matters within the company, the level of reliance on technology, and who manages the company’s technology. Access to information is limited to certain individuals; therefore assessing information can be difficult unless the information security officer is involved. The company has determined the level of risk by having a risk management strategy that establishes the level of risk management process required. The company chooses an assessment tool that determines risks and threats. The assessment results obtained determine the controls that are implemented. Developing an up to date work plan also enables effective management of the information security program. Measuring the progress of the information security program as time passes exposes areas that need improvement and what can be done to meet expectations. Lastly, the management of risk is done in a continuous manner in sensitive areas such as the implementation of a new system or network infrastructure.

6. Measuring the company’s information security program success

The company has undergone tremendous changes occasioned by the advent of new technologies. The success of the information security program is indicated by some metrics. The supervising and evaluation processes of the security program involve identifying performance indicators, setting benchmarks and preparing monitoring reports. Various performance indicators the company has used are:
• Frequency at which the reputation of the company is at stake
• Number and kind of access violations
• Number and kind of malicious programs prevented
• Number and kind of security breach occurrences
• Number of IP addresses without official authorization and traffic types denied
• Number of access rights authorized, reversed or reset
• Number and kind of disused accounts
• Number of information systems where security essentials are not met
• Time to allot, alter, suspend and get rid of access privileges

In order for the monitoring and evaluation process to be effective, the company has put in place a feedback mechanism that ensures coordination of all the units involved. The evaluation is undertaken by an external consultancy, while monitoring is carried out periodically. The maturity of the company’s security operational processes has been very crucial and has been assessed by considering factors that include: effective solving of security incidents and problems, effective requesting and introduction of changes into the security circles, documentation of the security governance of the company, effective data recovery and backup processes, effective management of key areas susceptible to security attack, and lastly effective planning for capacity requirements.

7. What is working well within the company’s security program?

The company has established appropriate information monitoring and defense mechanisms. Reliable malicious code protection has been ensured by installing antivirus programs that protect computers from viruses, worms, and Trojans. Additional controls such as cameras and special access authorization in restricted areas have been installed to enable effective event and activity monitoring. Through a broad scope business impact analysis, the company has identified all the categories of information assets and assigned priorities to these assets based on sensitivity and criticality. The company embraces a work plan that addresses risks and points out their solution.
A work plan identifies security policy-related processes, the actions to be taken, their number of occurrences, and who is responsible for executing the process. The company has a complete record of acknowledgement that all computer users in the company and third party providers have read the policies and understood the consequences of non-compliance with them. By setting up various policies and standards such as the Internet use policy and the acceptable use policy, the company has sensitized its staff to what is acceptable in the usage of the company’s computing resources. Information technology is very dynamic, and the company has taken steps to review most of its policies at regular time intervals. By doing so, policies and rules that address legislative and contractual requirements are guaranteed. For instance, all mobile handsets and personal laptops used within the company have been registered, and the owners have to follow the proper guidelines provided in the policies. Most of the staff have the knowledge to identify an incident and report it to the right authority; meanwhile the company has put detection and defense systems in place and monitors the network for intrusion.

8. What is not working well within the company’s security program?

The current geographical location and the number and distribution of ICT rooms pose a major challenge to both administrators and staff. Therefore monitoring for breaches of and compromises to the company’s facilities is not well done. User identification and authentication processes are not effective. Results from a survey carried out showed that security guards did not check the credentials of some of the staff entering the facilities, probably because they are pals or they talk to them nicely, hence no need to check for badges or even enquire whether they are allowed to enter those facilities. User account management is wanting. There is laxity in the information security administration. There is delay in the deactivation of security badges or access codes when a user is no longer entitled to enter or access the company’s facilities and information centers, despite the fact that there are information security officers who should enforce the security of information. A core concern in the security program is that the checking and testing of monitoring devices, and of the devices required in case of contingency, is irregular. The company has not yet tested whether these devices function appropriately. The above notwithstanding, the company faces a greater risk in the event of the worst. The strength of the security program depends on its implementation. There may be a good security policy, but the implementation is wanting. Some operating systems are more prone to virus and spyware attack than others. The security program details the use of the Linux operating system on the desktops and laptops in the company, but this has not been the case because most of the company’s employees prefer to use other operating systems that are familiar to them but are easily breached.

9. Improvement of information security governance

I propose that the company cluster all the ICT related rooms together to allow close monitoring by the information security officer who does risk assessment. The company management should recognize the need to provide education and training to its staff, promoting information security and inculcating the security of information for a viable security program. In this regard the company should establish a full-fledged information security course and enhance the security of information by making sure that the staff are familiar with and use systems that run on operating systems that are not easily tampered with, such as Linux or UNIX. Further, the users have to be made aware of the existing security policies and protocols and be trained on how they can identify threats and the appropriate measures to be taken in case of a security threat.
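Two of the indicators listed in section 6 (time to suspend and get rid of access privileges, and the number of disused accounts) together with the deactivation delay criticised in section 8 can be computed directly from an account inventory. The Python script below is an added example, not part of the paper or the company's own tooling; the inventory records, the one-day removal target and the 90-day dormancy threshold are constructed assumptions.

```python
"""Compute deprovisioning lag and dormant-account counts from a constructed
account inventory.  Everything below (names, dates, thresholds) is made up
for illustration; nothing is taken from the company described in the paper."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    user: str
    left_on: Optional[date]          # date the person left; None if still employed
    deactivated_on: Optional[date]   # date access was actually removed; None if still open
    last_login: Optional[date]       # last successful login; None if the account was never used


# Constructed inventory (assumption): mixes current staff, cleanly removed
# leavers, a late removal, a leaver whose access is still open, and dormant accounts.
ACCOUNTS = [
    Account("alice", None, None, date(2013, 4, 18)),
    Account("bob", date(2013, 3, 1), date(2013, 3, 1), date(2013, 2, 28)),
    Account("carol", date(2013, 3, 5), date(2013, 3, 12), date(2013, 3, 4)),
    Account("dave", date(2013, 4, 1), None, date(2013, 4, 10)),   # left, access still open
    Account("erin", None, None, date(2012, 12, 1)),              # current staff, unused for months
    Account("frank", None, None, None),                         # current staff, never logged in
]

REPORT_DATE = date(2013, 4, 20)           # "as of" date for the report (assumed)
DEPROVISION_TARGET = timedelta(days=1)    # assumed policy target for removing access
DORMANT_AFTER = timedelta(days=90)        # assumed threshold for calling an account disused


def deprovisioning_lag(acc: Account, as_of: date) -> Optional[int]:
    """Days between departure and deactivation.

    An account that is still open keeps accruing lag up to `as_of`, so an
    un-removed leaver shows up as the worst case rather than disappearing.
    Returns None for people who have not left."""
    if acc.left_on is None:
        return None
    end = acc.deactivated_on or as_of
    return (end - acc.left_on).days


def overdue_removals(accounts, as_of: date, target: timedelta = DEPROVISION_TARGET):
    """Leavers whose access was removed later than `target`, or not at all.

    Each entry is (user, lag_days, still_open)."""
    out = []
    for acc in accounts:
        lag = deprovisioning_lag(acc, as_of)
        if lag is not None and lag > target.days:
            out.append((acc.user, lag, acc.deactivated_on is None))
    return out


def dormant_accounts(accounts, as_of: date, threshold: timedelta = DORMANT_AFTER):
    """Accounts of current staff not used within `threshold`.

    A never-used account is treated as dormant: it is an unneeded credential
    just as much as one that went quiet.  Leavers are excluded here because
    they are covered by the deprovisioning metric instead."""
    dormant = []
    for acc in accounts:
        if acc.left_on is not None:
            continue
        if acc.last_login is None or as_of - acc.last_login > threshold:
            dormant.append(acc.user)
    return dormant


def build_report(accounts, as_of: date) -> dict:
    """Summarise the two indicators the way a monitoring report would."""
    lags = []
    for acc in accounts:
        lag = deprovisioning_lag(acc, as_of)
        if lag is not None:
            lags.append(lag)
    overdue = overdue_removals(accounts, as_of)
    return {
        "departed_users": len(lags),
        "max_removal_lag_days": max(lags, default=0),
        "overdue_removals": overdue,
        "still_open_after_leaving": [u for u, _, open_ in overdue if open_],
        "dormant_accounts": dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in build_report(ACCOUNTS, REPORT_DATE).items():
        print(f"{key}: {value}")
```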
Monaghan (2009) stresses the need to take the initiative and evaluate the physical security requirements for environmental considerations each time there is a security incident, a significant modification of the facility layout, or a change to the systems placed in the facility. There should be at least an annual review and test of the access and environmental considerations of these facilities (Monaghan, 2009, p. 3). Most employees assume and tend to consider company materials and equipment as their own. The company should safeguard IT equipment and removable storage media from loss or theft by implementing a proper fixed asset system together with property identification numbers. Storage media equipment should be inventoried in accordance with the security policy, accounted for, and safeguarded from loss and unauthorized use. There should be consistent control and labeling of removable storage media such as key drives, disks and CDs, thereby reducing cases of misplacement and loss or unauthorized disclosure of confidential information. Information security governance will remain viable if all its operations meet or even exceed the set standards. To ensure that information is secure, the ISO will remove a user from the system once he/she becomes an invalid user.

10. Conclusion

A well formulated security program specifies goals, objectives, targets and resource allocation against which planned performance is weighed over a period of time. It entails the complete institutionalization of information security governance, the establishment of a security culture and the development of a framework that assesses the security of information.

Works cited

Anderson, R. (2001). Security Engineering: A Guide to Building Dependable Distributed Systems. Hoboken, NJ: John Wiley and Sons, Inc.
Brotby, K. (2010). Information security governance. Wiley.
Charles P. (1989). Security in computing. Prentice-Hall.
Corporate Information Security Working Group (2004). Report of the Best Practices and Metrics Teams. Retrieved April 20, 2013 from http://www.educause.edu/library/resources/corporate-information-security-working-group
Curtin, M. (2001). Developing Trust: Online Privacy and Security. Berkeley, CA: Apress LP.
Gollmann, D. (2006). Computer Security (2nd ed.). Hoboken, NJ: John Wiley and Sons, Inc.
Johnson, R. (2011). Security policies and implementation issues. Sudbury: Jones & Bartlett Learning.
Maconachy, W. V. (1989). Computer Security Education, Training, and Awareness: Turning a Philosophical Orientation into Practical Reality. Proceedings of the 12th National Computer Security Conference, November 1989 (p. 557). National Computer Security Center.
Monaghan, S. (2009). Sample Physical Security Policy. Retrieved April 20, 2013 from www.salt.n-i.nhs.uk/
Peltier, T. R. (2002). Information Security Policies, Procedures, and Standards: guidelines for effective information security management. Boca Raton, FL: Auerbach Publications.
Schneier, B. (2000). Secrets and Lies: Digital Security in a Networked World. Hoboken, NJ: John Wiley and Sons, Inc.
Solms, S., & Solms, R. (2009). Information security governance. New York, NY: Springer.