Protocols and Policy to Secure Software - Essay Example

? Cyber Security Standards TABLE OF CONTENTS Introduction 3 Cyber Security Standards 3 Popular Security Standards 5 ISO27002 5 NERC 6 Standard of Good Practice 6 Merits of Cyber Security Standards 7 Challenges of Cyber Security Standards 9 Unification of Cyber Security Standards 10 References 12 Cyber Security Standards Introduction The world has continued to develop at a fast rate when it comes to the development of new of new software and technology and this trend has seen the emergence of new models and software into the market that has served to improve the operations that take place in various sectors of business as well as everyday life (Vacca, 2009). This however has not come without its own challenges and problems and one of the main problems that are being faced by organizations and individuals alike is the issue of cyber security. Cyber security can be defined as the safety of computers and related software from invasion by individuals without access permission. This invasion is done for the express purpose of taking advantage of the weaknesses that can be found in the software by the hacker and is usually done for monetary gain (Vacca, 2009). There are a number of measures that have been taken as a result to try and prevent this sort of interference by hackers and a number of cyber security standards have been developed with the aim of improving the level of protection that is available to this market. Cyber Security Standards Cyber security standards can be defined as the various established standards of security that have been set up by a number of bodies involved in the computer industry to assist organizations in the practice of safe techniques regarding security so as to reduce the number of successful attacks on their cyber security systems and if possible negate them altogether (Kontoghiorghes, 2006). The latter aim may prove to be difficult as hackers have become adept at countering the various measures that have been set up to keep them out and thus it considered to be a continuous process whereby weaknesses are identified, exploited and then fixed and improved by the organizations. The security standards have however have gone a long way in improving the level of security that is practiced by organizations and can be said to have provided guidelines on the best way to protect one’s company form cyber security attacks. These standards provide organizations with certain techniques and outlines that they can implement to enhance their cyber security. Some certain standards offer organizations that have been able to successfully implement the outlines and techniques that they have set out official cyber security certification that shows the company’s achievements. The certification is done by an accredited body that looks into the company before deciding whether they have reached the required level of success in their implementation to acquire the certification (Sipser, 2006). This certification holds a number of advantages for organizations that are able to acquire it such as enabling the company to easily acquire insurance policies on cyber security (Wong & Yeung, 2009). This is especially important in today’s technology market considering the high number of hacking incidents that take place on an almost daily basis and the sizable economic risk that comes with the potential of successful hacking attempts (Sipser, 2006). The loss of information can lead to a huge hit on an organization’s financial status and thus insurance on this risk has become a necessary endeavor for many large organizations. Popular Cyber Security Standards There are various standards that are available to organizations but some of the more popular cyber security standards include; ISO 27002 This can be considered to be a high standards guide to achieving cyber security for organizations and can be said to be the most popular cyber security standards that is currently available in the market (Kontoghiorghes, 2006). The standard actually incorporates parts of BS 7799 good security management practice standard and also consists of a framework that is provided for certification. Certification that attained for this standard lasts for three years during which none or a few audits may be carried out on the company depending on the auditing firm that the company is dealing with. The standard is arranged into 11 main areas which include incident handling, Communication and operations, security policy, business continuity management, Physical and environmental security, access controls, human resources security, Compliance and information systems acquisition, development and maintenance among others. NERC NERC (North American Electric Reliability Corporation) is  responsible for creating various standards with the most popular currently being NERC 1300 (Kontoghiorghes, 2006). These standards are mainly implemented by organizations that wish to ensure the security of large electric systems although there are other standards available for those companies that may interested in security in other areas (Wong & Yeung, 2009). The main standards however deal with the administration of network security. Standard of Good Practice This standard was published by Information Security Forum (ISF) and consists of a list of the best practices that should be implemented in the achievement of information security (Kontoghiorghes, 2006). The Information Security Forum updates the standard of good practice list every two years to ensure they keep up with the advancements that are made in the information technology industry ensuring these practices do not become out of date and easily bypassed as new hacking methods emerge (Sipser, 2006). In the beginning the list was only available to members of the Information Security Forum but it has now been made accessible to the public and any organization that wishes to do so may use it in the improvement of their security practices (Kontoghiorghes, 2006). The Information Security Forum offers its member organizations a benchmark program that is based on the standard of good practice list that helps them measure their level of success in following these practices. Organizations are able to choose from these and other standards that are available on the market depending on their particular needs and structure of the company (Sipser, 2006). There are other various factors that may be considered by an organization while they are deciding on which security standard they would prefer to implement in their company such as cost seeing as some various standards may cost more than others in terms of implementation (Kontoghiorghes, 2006). For example a company looking to cut down on the cost of cyber security implementation may choose to utilize the Standard of Good Practice as their list is available for free which would be an advantage to companies with such a need. Merits of Cyber Security Standards There are various advantages that can be taken from the implementation of the various cyber security standards that are available to the market that a company is able to enjoy. Some of these merits include: Enhanced Security – This can be considered to be one of the most obvious advantages that an organization using the cyber security standards will enjoy (Wong & Yeung, 2009). The main basis of these standards and the guidelines and techniques that they provide is to strengthen an organizations security against any cyber attacks that may take place by hackers and in the process increasing the safety of an organization’s cyber network (Sipser, 2006). The enhanced security is an advantage in many ways as the increased protection allows the company to go about its business without the worry of attacks that may set them back in terms of finances as well as project development. Insurance – The attainment of certification for these standards will help an organization to obtain insurance against cyber attacks. The acquirement of notable certification will also ensure that the amount paid in the policy is not as high as it would be if this was not the case (Vacca, 2009). This is because the attainment of certification portrays that an organization has taken a step in ensuring that their cyber network is very secure thus reducing the risk an insurance company would be taking up by agreeing to offer a policy to the company. The lower the risk involved the lower the premiums to be paid by the company and this will in effect lower the cost needed to protect the organization from such an attack. Corporate Image – Organizations that are able to attain certification of cyber security are also able to enhance their public image by doing so (Vacca, 2009). A company that achieves certification portrays itself as one that is cautious and safe to work with and this will in turn attract more business and investors to the company who appreciate the fact that the organization is safe from cyber attacks and thus there is a lesser risk of losing money through such (Sipser, 2006). Cyber attacks have become very common in today’s business world and it is a genuine concern of those who may wish to work with certain organizations especially if the nature of their work is information based. Investors who are also involved in such a market would prefer to invest their money in a company that has taken the necessary precautions to protect itself from any attacks that may be aimed at an organization. Guidelines – There may be companies that may be interested in protecting itself from cyber attacks but may not be sure of how exactly to go about doing such (Sipser, 2006). The various cyber security standards that are available have established proven methods and techniques that a company is able to use in the achievement of this endeavor and thus provide guidelines for companies that are interested in securing themselves against cyber attacks. Challenges of Cyber Security Standards There are also a number of challenges that cyber security standards harbor as well, despite the advantages that they have to offer. Some of these challenges include: Cost – Depending on the standards that an organization opts to use in its objective of securing its cyber networks against attacks, the activity may prove costly and thus might only be possible for large companies with access to the funds to do such. These costs may come from various sectors such as the attainment of the various guidelines, techniques and information on how to implement them from their owners (Zittrain, 2008). Though the list created by Standard of Good practice is available to the public for free, this is not always the case when dealing with other standards (Sipser, 2006). The cost of certification is also not a cheap endeavor as this is not a process that is done for free and organizations will have to take up certain expenses such as the hiring of the auditors needed for this activity. Other costs may include the implementation of the techniques that are suggested by the guidelines which may mean the addition or removal of a number of things that will cost the company (Wong & Yeung, 2009). It should be noted that certification offered for cyber security only lasts for a period of time and is renewed after the expiry of this period which is another cost to be considered. Technology Development – The advancements that are continually being made in the technology industry has made so that the guidelines that were used for example 10 years ago may not be as effective today as hackers continue to develop ways in which they are able to get past the new techniques and methods that have been used to shut them out thus it is necessary for the standards to continue changing and developing as well if they are to remain successful in offering protection against cyber attacks (Vacca, 2009). Differentiation – There are a number of standards available in the market that an organization wishing to protect themselves form cyber attacks can choose from and though this may be a good thing in terms of consumer options it also brings about the confusion of which is the best standard to use and the most effective as they all claim to be successful in this endeavor (Sipser, 2006). The lack of an established set of guidelines that can be used by all companies on a global scale leads to the lack of surety in this fight against cyber crime and to a certain level of confusion within the industry as well. Unification of Cyber Security Standards One of the main issues in cyber security standards is the need for the formulation of a set of standards that can unify all the other standards and be used on a global scale such as Capability Maturity Model (CMM) and Information Security Standard (ISO) 27001 (Vacca, 2009). This is made possible through the corporation of the various bodies that are involved in this market to come together and work out the best techniques and guidelines available from all the standards and bring them together to form a global standard that can be followed worldwide. This means the involvement of experts on the various fields of cyber attack to determine the effectiveness of each technique and their relevance to the overall standard collection so as to ensure the best is chosen in the final draft. References Kontoghiorghes, J. E. (2006). Handbook of Parallel Computing and Statistics. CRC Sipser, M. (2006). Introduction to the Theory of Computation 2ed. Boston: PWS Publishing. Vacca, J. R. (2009) Computer and information security handbook, Burlington, Massachusetts: Morgan Kaufmann Publishers Wong, A. & Yeung, A. (2009) Network Infrastructure Security. New York: Springer Zittrain, J. (2008). 'The Future of the Internet. London: Penguin Books. Read More