With the advent of the Internet, companies are going worldwide, and the concept of the enterprise has changed considerably with it. Companies are becoming more and more dependent on their information systems. This has, however, created an unprecedented surge in the importance of information security.
In general, this security protects the corporate data that are considered the lifeline of modern companies. Data is one of the most sensitive things a company possesses, and naturally it is cared for very much. This is why integrity in information security has become such a crucial factor; in fact, management puts more stress on this aspect of security than on the security of the rest of the corporate assets. One can understand the need for it when considering the threats to a company's corporate information. Every day the threats increase in number, nature and complexity. Hackers are becoming more technologically advanced, which in turn increases the threat every single moment. Freeware and commercial tools like Metasploit Framework, Nmap, Security Forest, Ettercap, Yersinia, DSniff and Cain & Abel make the process of breaking into a network even easier, and even so-called script kiddies without any strong hacking knowledge can use them. Hackers are also becoming more organized: they use web sites and IRC forums to exchange ideas and exploit code, and a search of the Internet easily turns up auction sites where hackers sell exploit code and the vulnerabilities they have identified. All this makes the task of corporate governance even more difficult.
The organization can hardly take any chances. If hackers manage to crack through the security, they can do severe damage to the company's legal compliance as well as to its management and reputation, and the impact will be felt in both the short and the long run. So every organization should take proper steps to secure its information. A casual approach will not serve the purpose, and it would be a mistake to identify breaches on an ad-hoc basis. Rather, one needs a regular, systematic approach to risk identification and resolution. Legislators have made an effort to bring that about through regulation.
Such legislation makes firms criminally liable for implementing and maintaining information security measures; sometimes the regulations also make the directors liable for it.
All this has placed added responsibilities on organizations. They have to document the security measures they have taken. This need to prove the proper functioning of their security system actually helps companies develop a more systematic outlook on potential threats, and makes them more organized in terms of cost management as well as network security.
The development of an ISMS (Information Security Management System) is a necessity for modern enterprises. An ISMS ensures that the appropriate security controls are not only implemented but also correctly managed. However, deploying such a management infrastructure is not an easy task: the company has to identify the employees who will participate in the ISMS, and then develop the appropriate security policies, procedures and corporate guidelines. One of the best guides to developing an ISMS is the ISO27001:2005 standard. It is widely accepted worldwide and describes the security controls that must be in place to mitigate security risks. Note that the standard does not propose specific technologies to be applied; it describes only the mechanisms that need to exist in a corporation. Examples of such mechanisms include:
* Allocation of Security Responsibilities
* Independent Review of Information Security
* Inventory of Assets
* Segregation of Duties
* Information Classification
* Physical Perimeter Security
* Cabling Security
* Controls against malicious code
* Network Connection Control
* Segregation in Networks
Gaining ISO certification does not release you from your legal obligations, but it does help establish a legal defence after a security breach takes place. Along with ISO27001, a number of other internationally accepted security standards and regulations exist, for example SOX, HIPAA, PCI DSS and WLA. Each standard usually targets specific industries or types of business, and depending on the country and local laws, some corporations are obliged to obtain certain of these certifications in order to operate. These standards assist organizations by providing a structured and proactive approach to information security, making sure the right people, processes, procedures and technology are in place to protect information assets and thus minimise the harm that deliberate or accidental acts can cause to the organisation.
Being compliant with a standard means that a company has implemented the security controls that the standard proposes. Corporations that have gained a security certification use it as a marketing tool and have gained a competitive advantage over their competitors. Such certifications usually increase customer trust by reassuring customers that the corporate management team is committed to protecting their confidential information. To receive the certificate, third-party auditors need to investigate the corporate environment and ensure that the security controls proposed by the standard (e.g. ISO27001) have been applied correctly.
The Risk Assessment Process
To ensure that corporate information remains secure, Security Officers use Risk Assessment methodologies to estimate the actual risks that exist in the corporate systems and procedures. The Risk Assessment process enables corporate managers to identify the risks associated with running the day-to-day corporate processes and to identify the controls necessary to mitigate them. Today a number of widely accepted Risk Assessment methodologies exist that corporations can use to develop an assessment process; examples are the NIST Risk Assessment methodology (SP800-30), the ISACA Risk Assessment and ISO13335.
Companies must ensure that such a Risk Assessment process is executed regularly within the corporation. Assessors use special questionnaires to interview managers and administrators, and special tools to scan the corporate systems, network equipment and databases for vulnerabilities. Assessors must also check the network architecture and identify potential flaws that may allow adversaries to access confidential data. Generally, as a minimum, a Risk Assessment project must include:
Mapping Phase: In this phase all important elements of the corporate infrastructure (e.g. services, systems) are identified and recorded. These records include business-related information (e.g. the owner of the system) as well as technical information (e.g. IP address, type and version of operating system).
Impact Assessment: The Impact Assessment tries to identify the damage the corporation would suffer if a Confidentiality, Integrity or Availability breach took place in one of the corporate services identified in the previous phase.
Threat Origin: In this phase the Risk Assessment consultants identify and analyze the potential threats to the corporate services.
Vulnerability Assessment (VA): The VA is usually organized into two steps: the Managerial and Operational VA and the Technical VA. The Managerial and Operational VA identifies problems relating to the lack of official corporate policies, procedures and guidelines, the lack of awareness training, and insecure practices in the day-to-day procedures (e.g. use of telnet, use of group accounts, easy-to-break passwords, locally stored passwords, misuse of log records, insecure network design, insecure system/network administration). The Technical VA tries to detect the actual technical vulnerabilities (e.g. missing patches, default accounts, open shares, insecure services that are running). For the VA phase, consultants use custom-made questionnaires, automated scanning tools, and manual analysis of the system and network configuration and design.
Mitigation Strategy: For every vulnerability discovered, a mitigation strategy is drawn up in this phase. The security controls required to mitigate the discovered vulnerabilities (e.g. IDS, network restructuring, firewalls, patches, change management procedures, DLP, access control) are analyzed here.
An addition to the above that can be of great value to an organization is a Gap Analysis. In a Gap Analysis, consultants compare the results produced by the Risk Assessment project with the requirements of an internationally accepted standard (e.g. ISO27001, SOX). This comparison yields the security controls that need to be installed to ensure that the corporate environment is compliant with the standard.
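The five phases above and the Gap Analysis, carried through as a small risk register in Python. This is an added example, not the article's or any standard's method: the asset records, ratings, control mapping and the scoring formula (worst C/I/A impact times threat times vulnerability, each rated 1 to 3) are constructed assumptions for illustration.

```python
# Constructed risk register spanning the article's five phases plus Gap Analysis.
# Ratings are 1 (low) .. 3 (high). The formula risk = worst C/I/A impact x threat
# x vulnerability is an assumption for illustration, not the article's or NIST's.
# Mitigation Strategy: assumed mapping from kind of finding to a control named above.
CONTROLS = {
    "use of telnet": "Network Connection Control",
    "missing patches": "Patches",
    "open shares": "Access Control",
    "default accounts": "Access Control",
}

# Mapping phase records (owner = business info; ip/os = technical info) with ratings.
ASSETS = [
    {"name": "payroll-db", "owner": "Finance", "ip": "10.0.5.20", "os": "Linux",
     "cia": {"C": 3, "I": 3, "A": 2},                       # Impact Assessment
     "findings": {"use of telnet": (3, 3), "missing patches": (2, 3)}},  # (threat, vuln)
    {"name": "intranet-web", "owner": "HR", "ip": "10.0.8.11", "os": "Windows",
     "cia": {"C": 1, "I": 2, "A": 2},
     "findings": {"open shares": (2, 2), "default accounts": (1, 3)}},
]

def impact_rating(cia):
    """Impact Assessment: the worst of the C, I and A breach ratings."""
    return max(cia.values())

def risk_score(cia, threat, vuln):
    """Assumed qualitative score: impact x threat x vulnerability, range 1..27."""
    return impact_rating(cia) * threat * vuln

def build_register(assets):
    """One row per finding, highest risk first, each with its mitigating control."""
    rows = []
    for asset in assets:
        for finding, (threat, vuln) in asset["findings"].items():
            rows.append({"asset": asset["name"], "owner": asset["owner"],
                         "ip": asset["ip"], "finding": finding,
                         "risk": risk_score(asset["cia"], threat, vuln),
                         "control": CONTROLS.get(finding, "manual review")})
    return sorted(rows, key=lambda r: r["risk"], reverse=True)

def gap_analysis(required, implemented):
    """Gap Analysis: controls the standard requires that are not yet in place."""
    return sorted(set(required) - set(implemented))

if __name__ == "__main__":
    for row in build_register(ASSETS):
        print(f'{row["risk"]:>2} {row["asset"]:<13} {row["finding"]:<17} -> {row["control"]}')
    print("gaps:", gap_analysis(["Inventory of Assets", "Segregation of Duties",
                                 "Network Connection Control"], ["Inventory of Assets"]))
```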
Another phase that could be incorporated into a Risk Assessment project, and that could be of value to many organizations, is the Privacy Impact Assessment (PIA). A PIA is the process that enables organizations to anticipate and address the likely impacts of new initiatives, foresee problems, and negotiate solutions regarding the privacy of corporate data.
To assist them in this task, many vendors have produced software applications that automate many of the Risk Assessment tasks (e.g. developing questionnaires, statistical analysis of results, conducting interviews). An example of such a tool is vsRisk.