Posts Tagged ‘Risk Management’

Security Awareness and Training are Important

Information security, like everything else, is a human enterprise and is influenced by factors that impact the individual. It is well recognized that the greatest information security danger to any organization is not a particular process, technology, or equipment; rather, it is the people who work within the “system” that hide the inherent danger. Therefore, IT security is a “people issue” and awareness programs address common “people” problems.

We know that solutions for yesterday’s security issues are obsolete today, and the security solutions we have today may be obsolete tomorrow. The security environment is constantly changing and the variety of solutions is growing at a phenomenal rate. Awareness is a crucial element in addressing these issues.

Company-wide security awareness training and education initiatives that include, but are not limited to, classroom-style training sessions, security awareness websites, helpful hints via e-mail, or even a poster campaign are methods that can help ensure employees have a solid understanding of company security policy, procedures and best practices.

A well-designed, effective awareness program reminds everyone — IT staff, management, and end users — of the dangers that are out there and things that can be done to defend the organization against them. Providing your personnel with the security and privacy information they need, and ensuring they understand and follow the requirements, is an important component of your organization’s business success.

If your personnel do not know or understand how to maintain the confidentiality of information, or how to secure it appropriately, you not only risk having one of your most valuable business assets (information) mishandled, inappropriately used, or obtained by unauthorized persons, but also risk noncompliance with a growing number of laws and regulations that require certain types of information security and privacy awareness and training activities. You also risk damaging another valuable asset: corporate reputation.

Information security awareness, training and education are important for many reasons, including the following.

1. Regulatory Requirements Compliance

There is an increasing number of laws and regulations that require some form of training and awareness activities to occur within the organizations over which they have jurisdiction. Failure to train employees on product, process, policy and practice could violate compliance requirements and expose enterprises to legal liability. Laws requiring security and privacy awareness or training programs apply to:

  • The Federal Government (Federal Information Security Management Act) 
  • The Health Care Industry (Health Insurance Portability and Accountability Act) 
  • Financial Institutions (Gramm-Leach-Bliley Act and Sarbanes-Oxley Act) 
  • Publicly-traded Companies (Sarbanes-Oxley Act) 

The Federal Information Security Management Act (FISMA) requires government agencies to report on their security awareness and training efforts annually.

National Institute of Standards and Technology (NIST) has developed Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, which addresses controls that Federal organizations are required to implement for unclassified information systems. One of those controls is “security awareness training”. Successful integration of security and privacy controls into ongoing organizational processes will demonstrate a greater maturity of security and privacy programs and provide a tighter coupling of security and privacy investments to core organizational missions and business functions.

NIST also acknowledges that the awareness program must comply with 5 Code of Federal Regulations (C.F.R.) Part 930.301, whereby everyone must receive initial awareness training before accessing systems and refresher training at least annually. It defines 5 specific roles that must receive awareness training:

  1. All users
  2. Executives
  3. Program and functional managers
  4. Chief Information Officers (CIOs), IT security program managers, auditors, and other security-oriented personnel (e.g., system and network administrators, and system/ application security officers)
  5. IT function management and operations personnel

NIST SP 800-50, Building An Information Technology Security Awareness and Training Program, provides guidance for building an effective information technology (IT) security program and supports the requirements specified in FISMA. The NIST Computer Security Handbook cites the importance of managers understanding security consequences and costs, so that they treat security as an important factor when making decisions.

OMB Circular A-130 requires that system users receive security awareness instruction prior to being granted access to the system, and it requires periodic refresher training for continued access.

2. Customer Trust and Satisfaction

Respect for customer security and privacy is one of the most important issues facing your company today. The public is getting sick and tired of reading about privacy breaches every day in the headlines, and they want to know that your company is doing everything reasonable and responsible to safeguard their personally identifiable information (PII).

To gain and keep customer trust, your company must exercise good judgment in the collection, use, and protection of PII. Not only do you need to provide training and awareness of this to your personnel, but you also need to keep informed, through various awareness messages, both your customers, with whom you already have a business relationship, and consumers, with whom you would like to have a business relationship and who may have provided some information to you, regarding what you are doing to protect their privacy and ensure the security of their information.

All employees or companies directly handling or influencing the handling of your company’s customer PII should receive targeted security and privacy training before handling customer information. They should also receive ongoing awareness communications to reinforce security and privacy issues and requirements and help to embed such practices within their daily work activities.

3. Corporate Reputation

Reputation is another critical organizational business success asset. Without a good reputation, customers leave, sales drop, and revenue shrinks.

A component of managing a good reputation is ensuring that personnel and business partners follow the right information security and privacy precautions to lessen the risk of compromising private information; such incidents will likely lead to some very unfavorable news reports and media attention.

In conclusion, government and industry organizations must protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment. The best way to achieve a significant and lasting improvement in information security is not by throwing more technical solutions at the problem; it is by raising awareness, and by training and educating everyone who interacts with computer networks, systems, and information in the basics of data, information, network and cyber security. Information security awareness programs serve a critical role in keeping an organization safe by keeping the user community vigilant against the dangers of intruders.

E-SPIN, as an end-to-end security solution services provider, supplies consultancy, technology and services that help clients yield a holistic return on their security program and investment. Please feel free to contact info@e-spincorp.com for a package solution that goes beyond product technology and comes with consultancy, training and maintenance support for effective enterprise IT risk management best practice.


We’ve delved into the realm of Enterprise Risk Management in previous blogs, and now it’s time to take a look at a subset of ERM: IT Risk Management (ITRM). The publication Risk IT by ISACA notes that ITRM covers both the negative impacts to operations/service delivery and the benefits forgone by missing the chance to utilize technology in enabling or enhancing business. In other words, it is the practice of applying risk management to the information technology aspects of a business to mitigate IT risks, which are on the rise due to the increasing reliance on technology. In this blog we will take a look at ITRM areas that can be missed by CIOs and that can have a disastrous outcome.

I. Company mergers and acquisitions: When companies decide upon a merger or are bought out, there is a flurry of activity for the parties involved. IT personnel are left with the daunting task of ensuring systems are merged together to work seamlessly, which is easier said than done. Companies using legacy systems may need to merge them with systems that are incompatible, or completely different IT practices need to be melded into one. Failure to ensure that compliance standards are met can lead to loopholes in the system or, worse, complete loss of data.

On top of all the internal tasks involved, staff are left wondering whether the merger will leave them out of a job, or face the inevitable and are actually laid off. CIOs and IT personnel have to keep track of such events to mitigate the possibility of sensitive data being leaked or of sabotage (ranging from non-compliance with work practices all the way to malicious reworking of systems/data).

II. Vendor relationships: Data is vital, and vendors are responsible for providing you with the tools and products to manage your company. When deals are made that span years, it is vital that companies understand their vendors and understand their intentions. Planning to mitigate risks such as vendors going out of business (arranging contingency vendors that support your systems, or forecasting a vendor’s financial stability) or vendor acquisitions (which can lead to changes in the products the vendor carries, to the detriment of your future partnership) is a necessary step in ITRM. Contract terms such as clauses regarding the right to terminate will help in such cases.

III. Management of IT personnel: It may not seem like an area prone to high risk, but on the contrary, appropriate management of IT skills is crucial. Every IT staff member brings skills to the table that make them sought after by project managers. There are times when a certain person’s skillset is required for project Y but the person is currently tasked with handling project X. This leads to situations where projects are stalled due to a complete lack of the appropriate person, or where project managers fill the requirement with less experienced personnel, increasing the overall risk of the project. Smaller issues such as perceived employee favoritism and discontent amongst workers can also arise through employee “hogging”.

IV. Outdated Disaster Recovery: As systems expand and evolve, involving more complexity, the necessity of an up-to-date Disaster Recovery plan is vital. This means ensuring that all aspects of the documentation are kept relevant, from making sure offsite locations are still viable to making sure the latest system hardware/software change is documented.

V. Risk management of Application Development: For any entity that develops applications (proprietary software), the need to implement proper risk management during the SDLC is of the utmost importance, especially in times when the demand for a product can force companies to forgo thorough practices, leading to backlash from the end user(s).
In the graphic above, you can see that SecureState (a company specializing in information security and risk services) has developed a thorough set of practices (tools) for each stage of the SDLC to help seek out and mitigate technical issues (which would be potential risks for the application).

As with ERM, ITRM has a host of benefits when it is performed, and as companies become ever more reliant on their IT departments, the time is now to seize the opportunity to better implement IT risk management practices.



Vulnerabilities and Threats Model

Today’s high-tech network security appliances do a great job of keeping threats from invading your business. These threats exploit vulnerabilities to penetrate your host systems and network assets, obtain confidential information, and use it illegally for the attacker’s own benefit.

Where do these threats come from?

  1. USB thumb drives – The ubiquity of thumb drives has led attackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connection to a live USB port.
  2. Hardware, laptops and netbooks – With a handy Ethernet port for tapping directly into a network, a laptop may already have malicious code running in the background that is tasked to scour the network and find additional systems to infect.
  3. Wireless access points – Wireless APs provide immediate connectivity to any user within proximity of the network and are naturally insecure, regardless of whether encryption is used. Protocols such as WEP contain known vulnerabilities that are easily compromised with attack frameworks such as Aircrack.
  4. Smartphones and other digital devices – Phones are fully functioning computers, complete with Wi-Fi connectivity, multithreaded operating systems, high storage capacity, high-resolution cameras and vast application support. However, these devices also have the potential to elude traditional data-leak prevention solutions.
  5. E-mail – Electronic mail carries messages with confidential information that can easily be forwarded to any external target, and the e-mails themselves can carry nasty viruses; targeted e-mail is also used for phishing access credentials from an employee. These stolen credentials would then be leveraged in a second-stage attack.

What can I do to combat these threats?

To combat these harmful and dangerous threats, E-SPIN offers a comprehensive portfolio of Vulnerability Management, Risk Assessment and Compliance Assurance Solutions (http://www.e-spincorp.com/espinv3/index.php/solutions) to automate the process of vulnerability management and policy compliance across the enterprise, keeping your host systems and network assets safe and secure by:

  • Providing network and network security devices to secure laptops, netbooks, USB devices and any other digital devices
  • Covering servers and systems, operating systems and web applications
  • Covering databases and wireless access points
  • Mobile device discovery for smartphones and other digital devices
  • Mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk
  • Policy compliance that allows auditing, enforcing and documenting compliance with internal security policies and external regulations

What do E-SPIN’s solutions offer, and what are their specialties?

  • Vulnerability Management, Vulnerability Assessment, Security Audit, Penetration Testing, Network Assessment, Network Device Audit, Web Application Audit, Database Security Audit, Wireless Network Assessment, Mobile Device Security Audit, Exploitation Management and Testing, Vulnerability Reporting
  • Automating Vulnerability Management, Enforcing IT Policy Compliance, in-depth and comprehensive reporting, best-of-breed industry de facto solutions, maintaining regulatory compliance, Automated and Advanced Exploitation Testing.
