
Business Security Management Report

by: Bina Kartika Candra

Student’s ID Number: 211173061

Word count: 4008

MSC767 Business Security Management

Date of submission: 16th January, 2011


Table of Contents

Executive summary
1. Chief Information Security Officer
   A. Advantages and Disadvantages
2. Social Engineering threat against the company
   A. Policies and procedures
   B. Case Studies
3. Outsourcing IT Security to a Security Service Provider (SSP)
   A. Advantages and Disadvantages
   B. Case Studies
4. Updating Security Policies
   A. Steps in updating the security policy
5. Conclusion
References


Executive summary

Information is the primary commodity of commerce. Each time a transaction is completed, the business generates data, including transaction records, credit card details and customer data, that can be worth millions to some companies. As technology advances and business processes become more complex, a company wants to protect its data to ensure its confidentiality and integrity while keeping it available to the people who need it.

This report discusses the main issues in business security management to help companies and their executives make decisions when designing and implementing IT security policies. It offers value in four ways: by discussing the advantages and disadvantages of having a CISO in a company, by explaining the social engineering threat and giving steps to counter it, by discussing the outsourcing of company security, and by giving steps for designing and updating company security policies as part of the defence against modern security threats.


1. Chief Information Security Officer

Dumnonia wants to restructure its management and create a new Chief Information Security Officer (CISO) position. Discuss the advantages and disadvantages of creating new security positions (e.g. CISO) and the impact on the operational aspects of the organisation.

A. Advantages and Disadvantages

The Chief Information Security Officer (CISO) is the person responsible for IT security in an organisation. The CISO differs from the Chief Security Officer (CSO): the CISO is responsible only for IT security, whereas the CSO is responsible for physical security, risk management and business continuity. Slater (2011) describes the responsibilities of a CISO as follows:

- Lead operational risk management for enterprise IT security in a way that increases the value of the enterprise.
- Lead the network security managers or teams responsible for the company's assets, intellectual property and infrastructure.
- Set goals for IT security protection in accordance with the corporate strategic plan.
- Manage the development, update and implementation of global security policy, standards, guidelines and procedures to ensure the IT security of the enterprise.
- In some companies, also take responsibility for physical security, such as asset protection, workplace surveillance and protection, and access control systems.
- Manage the enterprise's incident response planning as well as the investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.
- Work with security consultants as appropriate for independent security audits.

The advantages of employing a new Chief Information Security Officer are:

Reducing IT and compliance risk
Reducing IT and compliance risk is treated as a business objective, and to meet it the CISO manages and implements global security policies together with their standards, guidelines and procedures. As a result, organisations that have a CISO use these policies to set targets for minimum acceptable downtime and maximum acceptable risk. Procedures and controls are nearly fully automated, and reporting of problems or IT risk usually happens daily or weekly.

Reducing financial loss from IT failures and disruptions
Once the policies are implemented, every activity in the organisation's IT practice is made as efficient and effective as possible. Important customer data is secured and backed up, and maintenance is nearly automated. This keeps downtime from IT failures to a minimum, so the company's business transactions run more smoothly and financial losses are reduced.

Although the role of Chief Information Security Officer (CISO) has many advantages, it also has some disadvantages. These usually arise in small to medium-sized companies that are implementing the CISO role for the first time.


Some of the disadvantages are:

Financial strain
Most CISOs begin their careers in the information technology department. When a worker is promoted to CISO, the role shifts from solving day-to-day problems to achieving long-term goals. This can strain budgets in companies with small IT departments, because the CISO's former troubleshooting role still needs to be filled. A better choice for small to medium-sized companies may be to do without a CISO and contract an IT specialist when new systems are needed.

Lack of strategic planning skills
A large part of the CISO's role involves strategic planning, but as recently as ten years ago strategic planning was not a skill taught in IT courses. A CISO might be hired because of a track record in fixing IT problems while still lacking the business skills needed to achieve long-term goals.

Leadership problems
The CISO has little time to directly oversee the IT staff. In small companies, essential tasks such as training may be handed off to members of the IT staff who already feel overworked. The mounting responsibilities can cause IT staff to resent the CISO, reducing morale and efficiency in the workplace.

Time to adapt to new security policy
New policies mean new training for employees, who must be given sufficient training on how the policies work and how they help the company. In a large company this training takes time, so the CISO has to plan how long implementing a security policy will take.

Resistance to change
Many implementations have failed because of strong resistance from employees. Longer-serving employees are often resistant because the nature of the change is not made clear to the people it affects, so a clear explanation and training are needed for the change to succeed.

If the company decides to employ a CISO, there will be a small change in the operational structure. Security in the organisation is currently controlled by the Chief Security Officer (CSO), who usually controls both physical security and IT security. By employing a CISO, security in the company is split into two areas of operation: the CSO takes control of all physical security, and the CISO takes control of information security, which includes the company network and infrastructure, intellectual property and confidential data.

The CISO also has a department budget, used for upgrading the network infrastructure and its security, and has the authority to design, implement or update security policies and to train employees.


2. Social Engineering threat against the company

Dumnonia is concerned about the threat of social engineering to the organisation. Discuss how new policies and procedures can be used to protect against this threat.

A. Policies and procedures

Social engineering is a term for an intrusion that relies heavily on human interaction, typically by tricking people into breaking normal security procedures. It is considered a non-technical way of breaking into an organisation's security (TechTarget 2001).

One example of social engineering is the 'con game': a person uses social skills to break into a computer network by gaining the confidence of an authorised user and getting them to reveal information that is critical to accessing the network, such as a password. Social engineers often rely on people's natural helpfulness.

Social engineering can be used against anyone, including corporations whose networks are technically secured with state-of-the-art technology; that protection is useless once an unauthorised user gains access with the help of social engineering. To build a defence against this kind of threat, a strong foundation must be built first. The foundation of IT security is its security policies, which set the standards and the level of security in an enterprise.

"The security policy must address a number of areas in order to be a foundation for social engineering resistance. It should address information access controls, setting up accounts, access approval and password changes. It should also deal with locks, ID's, paper shredding, and escorting of visitors. The policy must have discipline built in and, above all, it must be enforced" (Granger 2001, 'Combat Strategies', p. 2).

Employees who are trained and know the security policies will know that they must report all security-related information requests, and will be less likely to give out important information without thinking first.

Gragg (2002) describes social engineering policies as traps set up in the system to expose and stop an attack. Several ideas for enforcing security policies designed to mitigate social engineering attacks are listed below:

The justified know-it-all
A hacker or social engineer will use any means necessary to steal confidential information, including a disguise to gain entry to the company. Once inside, the intruder can look around for valuable information: passwords may be written down, and customer data may be lying on a desk or in a filing cabinet. According to the SANS Institute paper, "The justified know-it-all is a person who makes it his or her business to know everyone who is on the floor or walking around in a department." This person has already been trained and briefed on the risk of social engineering and has permission to act against a suspected social engineer. The policy is effective at identifying social engineers even when they use a badge to pass as security staff; in many cases, hackers use forged badges to gain entry to a company and expect not to be confronted.


Centralized security log
A centralized security log significantly helps to prevent social engineering attacks. Every time an employee logs in to a system, the event is recorded in the security log, including the address from which the system was accessed. If a hacker obtains login details from an employee and uses them to access the system, a pattern can be noticed in the log and action taken to deny the access; as soon as the pattern is noticed, security personnel can ask the employee why the system was accessed from another location. All security events must be logged, and employees must be trained and evaluated on their adherence to this policy, which makes the log more effective against security threats. The log is centralized and has to be monitored 24 hours a day so that attacks on the network are kept to a minimum.
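The "pattern in the log" described above, as an added example that is not part of the original report: a small detector that reads login events from a centralized log and flags an account that succeeds from a source address it has never used before, or from two different addresses within a short window. The log line format, the sample lines (constructed for this example, including a stolen-credential login for "alice" from 203.0.113.77) and the 30-minute window are assumptions made for illustration; a real SIEM or syslog pipeline would supply its own format.

```python
"""Detect logins that break a user's usual source-address pattern.

Added example, not code from the original report. The line format, the
sample log and the time window below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: "<ISO timestamp> LOGIN user=<name> src=<ip> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. Alice normally logs in from 10.1.4.20; the last two
# lines show her credentials used from an outside address minutes after a
# successful login from her usual desk.
SAMPLE_LOG = """\
2011-01-10T08:02:11 LOGIN user=alice src=10.1.4.20 result=ok
2011-01-10T08:05:40 LOGIN user=bob src=10.1.4.31 result=ok
2011-01-11T08:01:02 LOGIN user=alice src=10.1.4.20 result=ok
2011-01-12T08:03:15 LOGIN user=alice src=10.1.4.20 result=ok
2011-01-13T08:00:50 LOGIN user=alice src=10.1.4.20 result=ok
2011-01-13T08:04:12 LOGIN user=alice src=203.0.113.77 result=fail
2011-01-13T08:04:30 LOGIN user=alice src=203.0.113.77 result=ok
"""


def parse_log(text):
    """Parse lines into dicts; skip lines that do not match (corrupt or other event types)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_anomalies(events, window=timedelta(minutes=30)):
    """Return a list of (kind, user, detail, timestamp) alerts.

    Two patterns from the policy description are checked:
    1. "new_source": a successful login from an address the user has never
       succeeded from before (the baseline is the user's earlier successes).
    2. "concurrent_sources": the same account succeeding from two different
       addresses within `window`, which one person at one desk cannot do.
    """
    seen = defaultdict(set)   # user -> addresses with an earlier success
    last_ok = {}              # user -> (timestamp, address) of the last success
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "ok":
            continue          # failed attempts do not establish a baseline
        user, src, ts = ev["user"], ev["src"], ev["ts"]
        if seen[user] and src not in seen[user]:
            alerts.append(("new_source", user, src, ts))
        prev = last_ok.get(user)
        if prev and prev[1] != src and ts - prev[0] <= window:
            alerts.append(("concurrent_sources", user, f"{prev[1]} then {src}", ts))
        seen[user].add(src)
        last_ok[user] = (ts, src)
    return alerts


def run(text=SAMPLE_LOG):
    """Parse the log and return the alerts it produces."""
    return detect_anomalies(parse_log(text))


if __name__ == "__main__":
    for kind, user, detail, ts in run():
        print(f"{ts.isoformat()} {kind:<19} user={user} {detail}")
```

On the sample log the detector raises two alerts for the final line: a "new_source" alert, because alice has never succeeded from 203.0.113.77, and a "concurrent_sources" alert, because her desk login at 08:00:50 and the outside login at 08:04:30 are less than 30 minutes apart. The first alert is what a security officer would act on by calling the employee; the failed attempt at 08:04:12 is deliberately ignored so that guesses by an attacker cannot pollute the baseline.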

Call-backs by policy
This procedure is well known for being simple yet very effective. The idea is that permission to access or change confidential data is given only to employees on our list. The policy requires help desk personnel, system administrators and any other employees who manage the networks to call back anyone requesting confidential data or any other information that involves security credentials. The call-back verifies the caller's phone number against the number listed in the directory for the person who claims to be calling. If the caller refuses a call-back, or the phone number is not the one listed for that employee, the system administrator should have the authority to deny the request.

Key questions
Another policy that can be enforced is key questions: a list of questions agreed with every employee in advance, whose answers are obvious to the employee but not to others, for example "What is the full name of your spouse?" Each user provides an answer to each question on the list, and the questions and answers are available to the help desk to help verify the identity of a caller. Variations of this policy include secret questions, PIN questions and bogus questions.

B. Case Studies

Kevin Mitnick is one of the most famous hackers and social engineers in the world. He was arrested by the FBI on 15 February 1995 and was convicted of many crimes, including wire fraud and breaking into the computer systems of Fujitsu, Motorola, Nokia and Sun Microsystems. By his own account he relied far more on manipulating people than on technical skill, and his career shows that even someone who knows little about technical security can do great damage to a company with social engineering. Social engineering is dangerous even against systems built with state-of-the-art technology, because no matter how secure the technology is, the weak link in enterprise security is the users; without proper training and without a security policy, social engineering remains a threat to the company (Mitnick 2001).


3. Outsourcing IT Security to a Security Service Provider (SSP)

Dumnonia is concerned about the ongoing cost of information security (e.g. technical and human costs) and is considering security outsourcing as an option for the organisation. Discuss the advantages and disadvantages to Dumnonia of adopting security outsourcing as an effective approach.

A. Advantages and Disadvantages

Security is critical to the profitability of an enterprise, and businesses face many barriers to achieving and maintaining the security of their networks and their confidential market and customer data. The main challenges in business security today are:

Rise in cybercrime and fraud
About 34% of 3,877 companies surveyed in 78 countries said they had been victims of fraud, according to a PricewaterhouseCoopers (PwC) report; the figure was 30% of businesses in 2009. The research also reveals that some industries, especially high technology, financial services and media, are victimised more often than others (PhysOrg 2011).

Growing mobile workforce
An increase in the mobile workforce means more telecommuting and remote computing, and therefore more data transmitted to and from the enterprise. This creates problems for companies because traditional LAN and WAN infrastructure is insufficient to support the growing off-site workforce. Enterprises are driven to protect their information and physical assets, but they must also ensure that security does not limit employee productivity.

Shortage of qualified IT professionals
Qualified IT professionals are in short supply: experienced information security professionals are hard to find, expensive to hire and difficult to retain because of extremely strong market demand. This is one of the challenges in hiring IT professionals.

Because of these challenges, some companies choose to outsource their security to another company. Large companies, on the other hand, have their own security departments. This may be fine for a large enterprise, but for a small or growing medium-sized enterprise the IT department can be a financial black hole: if the cost of making the network secure is too high, or even burdens the company's finances, that too puts the company at risk.


(Figure omitted from transcript. Source: Fitzsimmons, J & Fitzsimmons, M 2004, p. 320)

In this section we discuss the advantages and disadvantages to Dumnonia of outsourcing security to a Security Service Provider, as well as the ethical obligation of the outsourcing company to respect the privacy of our clients and customers.

Bycroft (2002) gives the advantages of outsourcing to a Security Service Provider as follows.

Experienced and dedicated security experts
The expertise of the security analysts and engineers at an SSP, who manage and monitor the security of our systems and network on a full-time basis, is a valuable resource. These experienced analysts and engineers research and respond to security incidents every day, which means they are aware of emerging threats and know how to mitigate attacks on the company network. By using the services of an SSP, Dumnonia indirectly employs these experts for its own security.

Reliable 24/7 security management
Many security service providers monitor their clients' networks around the clock. The SSP provides an "always on" environment, securing the clients' networks and infrastructure from hackers, so Dumnonia's network and infrastructure are protected every day.

Cost-effective approach to security management
By using a security service provider to protect its data, network and infrastructure, Dumnonia avoids the considerable personnel costs of hiring, training and retaining its own employees. A managed security service can reduce the total cost of ownership by converting a fixed personnel cost into a variable security cost. The service is usually billed monthly, allowing Dumnonia to predict its security budget more accurately.

Freedom to focus on company growth
By outsourcing network security to an SSP, Dumnonia's executives can focus on their business objectives rather than worrying about network security, and can shift IT resources to more central business priorities.


Having discussed the advantages of outsourcing security to an SSP, we now turn to the disadvantages.

Loss of managerial control
When we sign a contract for another company to manage our network security, we turn over the management and control of our IT security to that company. Even if we own the infrastructure, managerial control of it belongs to the other company. We must be aware that our company's objectives and the SSP's are different: the SSP's objective is to make a profit from the services it provides to us.

Quality problems
SSPs are motivated by profit. Since the contract fixes the price, the only way for the SSP to increase its profit is to decrease its expenses. This can be a problem, because even if the SSP reduces its service quality we still have to pay as long as the conditions of the contract are met. In addition, the contract will be very specific and we will pay extra for changes.

Threat to security and confidentiality
The biggest problem with outsourcing is keeping our data confidential from any third party, even one that is responsible for securing our network. For example, if customer data, payroll reports or financial reports are transmitted through the SSP, there is a possibility that their confidentiality will be compromised. We should retain the ability to set access controls on our own data, evaluate the SSP carefully to make sure our data is protected, and include strict penalty clauses in the contract in case an incident occurs.

Tied to the finances of another company
Since we are turning the security of our company over to another company, we are also tied to that company's finances. We must be aware that an outsourcing company could go bankrupt and leave us suddenly in charge of our own security.

B. Case Studies

Sand Pharmaceuticals is a world leader in new treatments for debilitating diseases and medical conditions. It has an IT staff of 40, with 5 dedicated to managing information security, and has implemented firewalls and an intrusion detection system (IDS). In this case study we compare the operating cost of in-house security with outsourcing to a Security Service Provider.

(Table omitted from transcript. Title: IT Security Outsource Case Studies. Source: McLendon, Jim 2011)

4. Updating Security Policies

Dumnonia developed an effective IT security organisational policy in 2008, but it is now dated. Discuss the steps Dumnonia would need to take to ensure that the policy is kept up to date and updated to deal with new security risks and threats.

A. Steps in updating the security policy

To keep our network protected, we have to keep the company's security policy up to date. Dumnonia in this case developed an effective organisational security policy in 2008, which addresses the threats known before 2008.

According to Information Shield (2011), information security documents should be updated at least once a year, or whenever a major change occurs in the company. Major changes include an incident or intrusion on our infrastructure and a merger with another company. We have to update the policy after an intrusion because the incident shows that the policy was not working properly. The same applies to a merger or any other managerial change, since a managerial change may require changes to access control in some departments.

In this section we discuss the steps needed to ensure the security policy is up to date:

1. Perform a risk assessment or IT audit to determine the state of enterprise IT security; from this assessment we can also determine the security needs.

2. Ensure that roles and responsibilities related to IT security are clarified and access control is set, including responsibility for issuing and maintaining policies.

3. Collect and read data about our IT security, such as records of intrusions or other incidents. This helps us decide whether the security policy has to be renewed.

4. Examine other policies issued by our company, for example by Human Resources or the IT department, to identify the format, coverage, style, tone, length and references of a policy. This step helps us produce a document that conforms to previous policies.

5. Using the data from the risk assessment, prepare a list of critical security needs or essential policies.

6. Revise a draft in response to the essential policy needs and have stakeholders comment on it; expect this step to be repeated several times.

7. Request approval of the policy from top management.

8. Implement the new policies and develop tests to determine whether the workers understand the security policy.

9. Schedule a review date to assess the effectiveness of the security policy.

The process of updating the security policy begins with a review of the previous policy. To facilitate this, the policy administrator should provide a mechanism through which individuals can submit recommendations, critiques or revisions to the policies or other documents; this could include email or an anonymous drop box. Once the policy comes up for review, all comments from this channel should be examined, and management then decides whether or not to implement them.

In designing the new security policy, management also has to look at industry standards. ISO/IEC 27003:2010 focuses on the critical aspects needed for the successful design and implementation of an information security management system (ISMS) in accordance with ISO/IEC 27001, and describes the process of ISMS specification and design from inception to the production of implementation plans (ISO 2010).

By following the steps above and the ISO standard, we can implement new security policies that keep the enterprise secure against new security risks and threats.

5. Conclusion


Information is a very important asset to most organisations, and because the life or wealth of the enterprise depends on it, it is imperative that this information is protected by all means. This report has explored the main issues in enterprise security decisions. Enterprises around the world choose different ways of securing their information. Medium to large enterprises usually decide to employ a Chief Information Security Officer, because a CISO brings long-term advantage: raising the level of IT security in the enterprise reduces IT threats to a minimum, reduces losses from fraud and therefore adds value to the company. Small to medium-sized enterprises tend to outsource their security to reduce their expenses so that the company can grow as fast as possible; outsourcing provides a high level of security as long as the company keeps oversight of the outsourcing provider.

As information security in enterprises keeps improving, companies must not forget the threat of traditional attacks such as social engineering. Precautions and defences against these attacks have to be implemented for security to be effective. As Kevin Mitnick said, "You could spend a fortune purchasing technology and services from every exhibitor, speaker and sponsor at the RSA Conference, and your network infrastructure could still remain vulnerable to old-fashioned manipulation" (Mills 2008). Designing and implementing security policies also helps the company improve its information security, because security policies are the foundation of IT security. As a company's security policies become obsolete, their effectiveness can be maintained by updating them. By following the steps and the ISO standard, we can implement new security policies that keep the enterprise secure against new security risks and threats.


References

Slater, Derek 2011, 'What is a Chief Security Officer?', retrieved 2nd January 2012, <http://www.csoonline.com/article/221739/what-is-a-chief-security-officer->

Symantec Corporation 2010, 'How a CISO Can Enhance Your Competitive Advantage', retrieved 2nd January 2012, <http://www.symantec.com/business/resources/articles/article.jsp?aid=20100416_ciso_can_enhance_competitive_advantage>

TechTarget 2001, 'Social Engineering', retrieved 3rd January 2012, <http://searchsecurity.techtarget.com/definition/social-engineering>

Granger, Sarah 2001, 'Social Engineering Fundamentals, Part I: Hacker Tactics', retrieved 3rd January 2012, <http://online.securityfocus.com/infocus/1527>

Granger, Sarah 2001, 'Social Engineering Fundamentals, Part II: Combat Strategies', retrieved 3rd January 2012, <http://online.securityfocus.com/infocus/1533>

Mitnick, Kevin 2001, 'My first RSA Conference', retrieved 14th January 2012, <http://www.securityfocus.com/news/199>

Bycroft, Andrew 2002, 'The advantages of outsourcing information security management', retrieved 5th January 2012, <http://www.windowsecurity.com/whitepapers/The_Advantages_of_Outsourcing_Information_Security_Management_.html>

PhysOrg 2011, 'Cybercrime against businesses "explodes"', retrieved 4th January 2012, <http://www.physorg.com/news/2011-11-cybercrime-businesses.html>

McLendon, Jim 2011, 'Outsourcing Security Part 1: Noting the Benefits', retrieved 4th January 2012, <http://outsourcing.technologyevaluation.com/articles/outsourcing-security-part-1-noting-the-benefits-20-1539.html>

Information Shield Incorporated 2011, 'How often should we update information security policies?', retrieved 5th January 2012, <http://www.informationshield.com/security-policy/2011/01/how-often-should-we-update-information-security-policies/>

ISO 2010, 'ISO/IEC 27003:2010', retrieved 5th January 2012, <http://www.iso.org/iso/catalogue_detail?csnumber=42105>

Gragg, David 2002, 'A Multi-Level Defense Against Social Engineering', SANS Institute, retrieved 14th January 2011, <http://sans.org/reading_room/whitepapers/engineering/multi-level-defense-social-engineering_920>

Mills, Elinor 2008, 'Social Engineering 101: Mitnick and other hackers show how it's done', retrieved 14th January 2012, <http://news.cnet.com/8301-1009_3-9995253-83.html>

Fitzsimmons, J & Fitzsimmons, M 2004, Service Management: Operations, Strategy, Information Technology, 6th edn, McGraw-Hill.


