Introduction to IT Security Management - Literature review Example

IT Security Management By: Foundation Department: Introduction to IT Security Management Ms. Trench and her three co-directors should be aware of the importance of security. This includes the security of the building, security for employees and financial security which are of high priority; however, the organization comprises many other assets that require security, most notably its It infrastructure. An organization’s network is the lifeline that employees rely on to do their jobs and subsequently make money for the organization. Therefore it’s important to recognize that your IT infrastructure is an asset that requires top security. Security Risks to the Organization Below are the main potential security threats that Ms. Trench and her three co-directors are likely to be faced with; Spam The number one enemy to all email users has got to be spam. Having your inbox fill up with useless messages that promote fake designer goods, bogus get-rich quick schemes and insinuate that you need to improve your love skills is not fun. Spam has a large impact on the users and it has up to 94 % of threats to the end user in the email. Spam tends to be of a bigger problem besides filling a lot of junks in the email accounts; it is also be harmful. Besides some spammers do nothing more than direct you to websites to try to sell you things with least of your concern, there are spammers which include malicious links in their email that when clicked on will download spyware, malware or other harmful files into the system, which posts a greater threat to the users as well as to the whole company. (Darmanin 2009) Viruses A virus can copy itself and infect other machines within the system without the user even knowing that the system has been infected until disaster strikes. Whenever a virus hits one user in the system, it multiplies via the files transferred from one user to another, this leads to the whole station being infected and then the whole system being infested through its networks. Virus can also spread via email, instant messages, an intranet and other shared networks causing networks and workstations to overload and crash. They can also capture keystrokes which is where the problem of security lies because passwords and banking details can be revealed in this manner. (Darmanin 2009)Viruses can cause major security risks and start a cycle of problems for the organization Malware Malware comprises a variety of malicious software types such as Trojan, worms and spyware which will infiltrate your machine without you even realizing. Once the machines are infected it could easily spread to executable files on other workstations on the network thus causing an IT epidemic. Whilst some spyware, botnets and keystrokes loggers all have malicious intentions as they take control of infected machines and use them to continue proliferating the attack; they also track user’s login details for the sites that they use thus violating their privacy, as well as taking notes of credit card details if the user buys something over the internet. Malware encompasses more than just viruses; however, an antivirus solution is the solution to this ever-growing problem. Keeping your anti-virus up-to-date is key to keeping the whole system clean and malware free; failure to do so will leave the whole organization open to attack. (Darmanin 2009). Network monitoring Networks, servers, workstations all need to work seamlessly together for the organization to run its day-to-day tasks. If the server crashes, then the workstations are affected and people can’t carry on with the activities taking place in the organization. If the network fails the repercussions will affect the entire organization, and in turn affect production levels. So monitoring the network and servers regularly is the main task for any IT administrator; using network and server monitoring software this task can be automated with reports being generated on a regular basis. Server downtime equals business downtime which leads to a loss of profits which the organization wants to avoid. (Darmanin 2009) Vulnerability scanning and patch management Vulnerability issues, patch management and network auditing are all security features that need to be addressed when dealing with networks. Leaving ports open is one of the most common security liabilities and attackers are aware of this. Scanning your network for open ports, machines that are vulnerable to infections is the first step to security. Once the scan is complete, patches must be deployed on all machines that are at risk of infection. By assessing your network and keeping up-to-date with all patches you greatly reduce the risk of security attacks occurring. Security measures to be taken. For general system and computer security in the organization, the following security measures will help maintain and prevent threats and vulnerabilities for the organization. a) Computer Security Installing an anti-spyware tool. Spyware is the generic name given to programs that are designed to secretly monitor your activities on the computer systems. Spyware can be unwittingly installed within other file and program downloads, and their use is often malicious. They can capture passwords, banking credentials and credit card details, then relay them back to fraudsters. Anti-spyware helps to monitor and protect the whole system from spyware threats, and it is often free to use and update. (Adam Smith College 2012) b) Email security The organization should consider whether the content of the email received in the system should be encrypted or password protected. The IT or security team should be able to assist in the encryption. If the organization want to send an email to a recipient without leaving their address to other recipients, they should make sure to use blind carbon copy (bcc), not carbon copy (cc). The organization should be careful when using group email address. Check who is in the group and make sure the organization really want to send the message to everyone. If you send a sensitive email from a secure server to an insecure recipient within the workstations, the whole security will be threatened. The organization may need to check that the recipient’s arrangements are secure enough before sending the message. (Adam Smith College 2012) c) Fax security The organization should consider whether sending the information by a means other than fax is more appropriate, such as using a courier service or secure email. It should make sure it only sends information that is required. It should also make sure that they double check the fax number in use, and that the fax recipient has adequate security measures. If the fax is sensitive, ask the recipient to confirm that they are at the fax machine, they are ready to receive the document, and there is sufficient paper in the machine. The organization should use a cover sheet, this will let anyone know who the information is for and whether it is confidential or sensitive, without them having to look at the contents. (Adam Smith College 2012) d) Other security measures The company should shred all confidential paper waste at all the three workstations as well as check the physical security of the whole organization premises. Risk assessment procedures i. Identify the scope of the Analysis Risk analysis is not a concept exclusive to the healthcare industry or the Security Rule. Risk analysis is performed using different methods and scopes. The risk analysis scope that the Security Rule requires is the potential risks and vulnerabilities to the confidentiality, availability and integrity of all the electronic storage media that a covered entity creates, receives, maintains, or transmits. This includes Electronic storage media in all forms of electronic media. Electronic media could range from a single workstation to complex communications networks connected between multiple locations. Thus, a covered entity’s risk analysis should take into account all of its Electronic storage media, regardless of the particular electronic medium in which it is created, received, maintained or transmitted or the source or location of its Electronic storage media. (HIPAA 2006 Security Series 6) ii. Gather Data Once the scope of the risk analysis is identified, the covered entity should gather relevant data on Electronic storage media. For example, a covered entity must identify where the Electronic storage media is stored, received, maintained or transmitted. A covered entity could gather relevant data by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The data on storage media gathered using these methods must be documented. The level of effort and resource commitment needed to complete the data gathering step depends on the covered entity’s environment and amount of Electronic storage media held. For example, a small provider that keeps its medical records on paper may be able to identify all Electronic storage media within the organization by analyzing a single department which uses an information system to perform billing functions. In another covered entity with large amounts of Electronic storage media, such as this organization, identification of all Electronic storage media may require reviews of multiple physical locations, most (if not all) departments, multiple information systems, portable electronic media, and exchanges between business associates and vendors. (HIPAA 2006 Security Series 6) iii. Identify and Document Potential Threats and Vulnerabilities The next stage is the identification and documentation of potential threats and vulnerabilities, this process will assist in the identification of solutions to the problems of insecurity and threats. Through documentation, the organization also gets to keep reference of the various threats and vulnerabilities, for future solutions. This enables the organization to handle all the threats that they come across with ease. It also gives an organized way to of tackling the various threats through research. From this discussion, in order for the organization to handle the various threats, Ms. Trench and her three co-directors should be aware of the potential threats in the company as well as document on the vulnerabilities. iv. Assess Current Security measures The next step is to assess the current security measures. The goal of this step is to analyze current security measures implemented to minimize or eliminate risks to Electronic storage media. For example, a vulnerability is not likely to be triggered or exploited by a threat if effective security measures are implemented. Security measures can be both technical and nontechnical. Technical measures are part of information systems hardware and software. Examples of technical measures include access controls, identification, authentication, encryption methods, automatic logoff and audit controls. Non-technical measures are management and operational controls, such as policies, procedures, standards, guidelines, accountability and responsibility, and physical and environmental security measures. Security measures implemented to reduce risk will vary among covered entities. (HIPAA 2006 Security Series 6) v. Determine the Likelihood of Threat Occurrence Once the first four steps in the risk analysis process are complete, the covered entity has the information needed to determine 1) the likelihood that a threat will trigger or exploit a specific vulnerability and 2) the resulting impact on the covered entity. The next two steps (steps 5 and 6) use information gathered from the previous steps to help the covered entity make likelihood and impact determinations. The purpose of these steps is to assist the covered entity in determining the level of risk and prioritizing risk mitigation efforts. “Likelihood of occurrence” is the probability that a threat will trigger or exploit a specific vulnerability. Covered entities should consider each potential threat and vulnerability combination and rate them by likelihood (or probability) that the combination would occur. (HIPAA 2006 Security Series 6) vi. Determine the Potential Impact of Threat Occurrence If a threat triggers or exploits a specific vulnerability, there are many potential outcomes. For covered entities, the most common outcomes include, but are not limited to: Unauthorized access to or disclosure of Electronic storage media. Permanent loss or corruption of Electronic storage media. Temporary loss or unavailability of Electronic storage media. Loss of financial cash flow. Loss of physical assets. All of these outcomes have the potential to affect the confidentiality, availability and integrity of Electronic storage media created, received, maintained, or transmitted by covered entities. The impact of potential outcomes, such as those listed above, should be measured to assist the covered entity in prioritizing risk mitigation activities. Measuring the impact of a threat occurring in a covered entity can be performed using different methods. The most common methods are qualitative and quantitative. Both of these methods allow a covered entity to measure risk. (HIPAA 2006 Security Series 6) Qualitative method: - rates the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability on a scale such as high, medium and low. Quantitative method: - measures the tangible potential impact of a threat triggering or exploiting a specific vulnerability, using a numeric value associated with resource cost. vii. Determine the level of Risk Next, covered entities should determine the level of risk to Electronic storage media. As discussed earlier, risk is a function determined by the likelihood of a given threat triggering or exploiting a specific vulnerability and the resulting impact. The covered entity will use the output of the previous two steps (steps 5 and 6) as inputs to this step. The output of those steps, likelihood and potential impact of threat occurrence data, will focus the covered entity’s risk level determination to reasonably anticipated risks to Electronic storage media. viii. Identify Security Measures and Finalize Documentation. Once risk is identified and assigned a risk level, the covered entity should begin to identify the actions required to manage the risk. The purpose of this step is to begin identifying security measures that can be used to reduce risk to a reasonable and appropriate level. When identifying security measures that can be used, it is important to consider factors such as: the effectiveness of the security measure; legislative or regulatory requirements that require certain security measures to be implemented; and requirements of the organization’s policies and procedures. Any potential security measures that can be used to reduce risks to Electronic storage media should be included in documentation. (HIPAA 2006 Security Series 6) Data protection Procedures The organization needs to keep certain information about its employees, staff and other users to allow us to monitor recruitment, attendance, performance, achievements and health and safety. It is also necessary to process information so that staff can be recruited and paid, courses organized and legal obligations to funding bodies and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the College must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998. In summary these state that personal data shall: Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met. (Data Protection Act 1998) Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose. Be adequate, relevant and not excessive for those purposes. Be accurate and kept up to date. Not be kept longer than is necessary for that purpose. Be processed in accordance with the data subject’s rights. Be kept safe from unauthorized access, accidental loss or destruction. Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data. The organization and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the organization has developed the Data Protection Policy, available on the Staff net. (Data Protection Act 1998) The organization will keep a register of staff authorized to access and process learner and staff data and these members of staff will be asked to sign a confidentiality statement. Physical Security issues All building exterior doors are to be kept locked at all times except where specific procedures have been established to leave a door unlocked. Doors shall be left unlocked or open only while a staff member is in a position to monitor access through the doorway. No one shall provide or allow access to any building or room to anyone who is not known to them to be an employee with authorization to work in that area, or an authorized visitor or vendor. (QP2.28: Data Protection Procedure) Individual workstations may be located in a single office or a larger room with multiple workstations. Users must control physical access to their office and thus their computer. All rooms shall be kept locked unless a staff member is in the room or within sight of the room (in a position to monitor access to the room) or specific procedures have been established to allow the room to be left unlocked. All rooms containing allocated systems, production servers and related equipment are to be kept locked with access limited to authorized employees. (QP2.28: Data Protection Procedure) All windows shall be kept locked unless an employee is in the room or in a position to monitor access to the room. It is very important to close and lock windows in rooms on lower floors. Office and building keys are distributed to the organization employees and authorized users based on the individual employee’s actual need for access to specific areas. Equipment assigned to the employee is the responsibility of the individual employee. If any equipment is moved, broken, or replaced, the Information Technology staff or vendors must be notified. In the event that any equipment is to be upgraded in accordance with the organization policy, the Information Technology Staff must give prior approval to the upgrade and perform the upgrade. Any non-mobile organization equipment taken off-site will require authorization in accordance with the organization written policies and procedures. Laptops, PDA’s and other mobile devices specifically assigned to an employee may be taken off-site by that employee without such specific authorization. The employee is responsible for the physical security of any company equipment to which he or she is entrusted. (QP2.28: Data Protection Procedure) If organization issued equipment becomes lost or stolen, the individual with responsibility for the equipment must immediately report this to the Information Security Officer. Designing and implementing a security policy for the organization Suitability of Tools Used In the organization a. Risk management Dashboard In our opinion, a risk management dashboard (RMD) is absolutely essential. It is the single most important technology to the operation of an IT security team. Confidentiality, integrity, availability, and accountability (CIA2) risks in the enterprise are often monitored by disparate systems and processes with no single interface for data aggregation, correlation, and risk remediation. b. Anti-Malware technologies A dedicated anti-malware system is the key to protecting the whole Information System against networks threats available on programs as well as against user’s actions and from outside online intruders. There are generally two separate types of tools to protect against malware: antivirus and anti-spyware, which provide most effective, responsive and efficient protection against cybercrime: those from malware, spam, hackers, sophisticated cyberespoinage tools and more. c. Network Anomaly Detection While anti-malware keeps an eye on systems, network anomaly detection (NAD) monitors the common pathways, watching for well-known indicators of suspicious behavior and reporting this information to the RMD for remediation. One interesting possibility here is for the network anomaly detectors to be built into the host anti-malware software or firewall, casting a net of protection where all the included computers help watch for and potentially stop attacks before they spread. Human resource issues Human beings are the most important resource in an organization. A firm’s success depends on the capabilities of its members. Most problems, challenges, opportunities and frustrations in an organization are people related. Human Resources Management is one of the toughest duties of a manager since humans differ in terms of attitudes, values, aspirations, motivations, assumptions, psychology, and life goals. The first corner stone to achieve is the development of new initiatives, programs and agendas. Human Resources must move beyond being the “police of policy” and “regulatory guard”. Instead, HR must be the pioneers in assisting the organizations achieve results, especially by helping employees to enhance their capabilities to ensure organizational objectives are met. The future of HR depends on its ability to align HR with the changes that are happening in the workplace and the economy. New models of competitiveness are needed so that organizations can better service their customers. Consequently HR must be the champions to help gear employees to provide added value. (Eng. Mustapha Tannir, Training Manager, O.G.E.R.O/2007) The new approach of HR is to emphasize new mindsets and new ways of thinking about business instead of sticking to policies and bureaucratic patterns. HR professionals should and must focus on cultural change, and the development of human capital, especially in international organizations. ‘Think globally. Act locally”. HR should sponsor a model of change, which will help the employees adapt to and be comfortable with changes. Here, a lot of question may arise, such as: How do we decide which practices to be transformed and which should be kept for purpose of continuity? How do we change and learn rapidly? How do we honor the past yet change the future? How do we capture the hearts and minds of employees? (Eng. Mustapha Tannir, Training Manager, O.G.E.R.O/2007) References Computer Systems Laboratory Bulletin. Threats to Computer Systems: An Overview. March 1994. Interagency Reports 4749. Sample Statements of Work for Federal Computer Security Services: For Use In-House or Contracting Out. December 1991. Special Publication 800-12. An Introduction to Computer Security: The NIST Handbook. October 1995. Special Publication 800-14. Generally Accepted Principles and Practices for Securing Information Technology Systems. September 1996. Co-authored with Barbara Guttmann. Special Publication 800-18. Guide For Developing Security Plans for Information Technology Systems. December 1998. Co-authored with Federal Computer Security Managers Forum Working Group. Alexander D et al – Information Security Management Principles (BCS, 2008) ISBN-13:978-1902505909 Tipton H – Information Security Management Handbook: v. 4 (Auer Bach Pubs, 2010) ISBN-10: 1439819025 TalkTeckToMe. Security Threats to an Organization by Jesmond Darmanin on August 3, 2009 http://www.gfi.com/blog/10-security-threats-to-an-organization-part-1/ EMERGING TECH (2007). 10 physical security measures every organization should take by Deb Shinder July 16, 2007. http://www.techrepublic.com/blog/10-things/10-physical-security-measures-every-organization-should-take/ HMG InfoSec Standard No.2 (2005) RISK MANAGEMENT AND ACCREDITATION OF INFORMATION SYSTEMS. CPNI Centre for the protection of National Infrastructure. Website (www.cpni.gov.uk) HIPAA Security Series 6 (2006) Basics of Risk Analysis and Risk Management. Volume 2 Paper 6. Website (www.cpni.gov.uk) ADAM AND SMITH COLEGE (2006) Data Protection Procedure (QP2.28) SECURITY RISK ANALYSIS AND MANAGEMENT. A white paper by: B.D. Jenkins, Countermeasures, Inc. Information Security Risk Assessment (1999) Practices of Leading Organizations. A Supplement to GAO’s May 1998 Executive Guide on Information Security Management. CITY AND ISLINGTON COLLEGE. (2009/10). Data Protection Policy and Procedures by Phenny Seal, version 2 West Nottinghamshire College. (2010) Data Protection Policy and Procedure by Keith Mellor Information Security procedure (2008) Receivership Data Privacy and Security Procedures National Institute of Standard and Technology (2002) Risk management Guide for Information technology Systems. Special Publication 800-30. Read More