Sunday, June 2, 2013

Reflections

For my first blog and my dive into the world of information security, I chose to use this blog to summarize each week's learnings across our 10 weeks. Because I am not a cybersecurity student but am pursuing a master's focusing on healthcare and technology, I chose a broader, higher-level approach for this blog. My weekly blogging helped me solidify each week by focusing on:
  1. Security and Project Management
  2. Strategic Planning and Governance
  3. Contingency and Incident Planning
  4. Information Security Policy Development
  5. Security Training and Awareness
  6. Metrics and Process Measurement
  7. Risk Management Cycle
  8. Tools and Strategy to Control Risk
  9. Technology Strategy for Information Security
  10. Roles in Information Security
I relied heavily on three sources for information: our textbook, SANS.org and NIST documentation. I also supplemented these with Google Images to find appropriate graphs and pictures, as I truly believe that a picture is worth a thousand words.


I think this blog could be very interesting to someone like me who is looking for a broad base of understanding of information security methodologies and how to apply them to the broader information technology arena.

Sunday, May 26, 2013

Who pulls this all together...


Proper resourcing and clear definition of roles and responsibilities are a major step in an effective information security program.

The sample structure below from ISACA shows the relationship between the major security functions and the high-level role support required, including:

  • CIO - Vision and strategy for information support for business strategy
Not included in this visual, but no less important, are the roles and responsibilities defined for these positions as well:
  • CISO - Vision and strategy for security of information and its support for the business strategy.
  • Security Manager - Day-to-day operations manager of information security functions.
  • Security Administrator - Administration of security policies and technology.
  • Security Technician - Technical specialist for various technology groups (e.g., firewalls, servers, software).
  • Security Officer - Physical security staff and environmental protection.


Sunday, May 19, 2013

Layers of protection

Now to focus on the tools and technology behind the protection mechanisms....

Just as there are many facets of information security, there are many layers or nets of protection that should be employed to create the most secure environment.


Beyond the multiple technologies, we should be aware of the four key concepts for the security of information:
  1. Identification - The mechanism that provides basic information about an unknown entity to the known entity it wants to communicate with.
  2. Authentication - The validation of a user's identity. Authentication devices can depend on one or more of four factors: what you know, what you have, what you are, and what you produce.
  3. Authorization - The process of determining which actions an authenticated entity can perform in a particular physical or logical area.
  4. Accountability - Do not forget the importance of documentation of actions on a system and the tracing of those actions to a user, who can then be held responsible for those actions. Accountability is performed using system logs and auditing.

Sunday, May 12, 2013

Controlling risk



Now that we have identified risk, how do we control it? How do we know which risks should be addressed and which should not?

There are four main strategies for controlling risk...


  1. Avoid - Do not engage in the activity that incurs risk or create an environment where there is no risk for the activity.
  2. Reduce or mitigate - Develop controls to reduce the risk to an acceptable level.
  3. Transfer - Move the risk to another entity, for example, an outsourced vendor.
  4. Accept - Choose not to address the risk, based on completion of due diligence.
What helps an organization understand which strategy to use? Ultimately, feasibility and cost-benefit analysis tools will create the picture an organization needs to weigh which strategy to pursue. For example, if the cost of a control is too high in comparison to its benefit, that risk may be a candidate for the acceptance or mitigation strategy rather than avoidance.
There are several standard methodologies for risk management and risk control. These include templates and tools for calculating risk.

Saturday, May 4, 2013

Information security = Organizational risk

Ultimately, information security is about risk. What is an organization's tolerance for information security breaches? How does an organization know what its tolerance may be without understanding what the outcome of a breach would be before it happens?

So what really is risk? Simply put: Risk = Probability + Severity

Seems simple, but how does an organization really understand its risk so it can identify, assess and prioritize what needs attention? Answer: Risk Management

Risk Management:

Risk management follows a specific process divided into two parts: risk identification and assessment, and risk control.

Reference for great visuals:
Vlajic, N. "Security Risk Management." CSE 4482 Computer Security Management: Assessment and Forensics. N.p., n.d. Web. 4 May 2013. http://www.cse.yorku.ca/course_archive/2010-11/F/4482/CSE4482_03_SecurityRiskManagement_Part1.pdf




Sunday, April 28, 2013

Is my ISMS working?

So we now understand where our risk lies from an information security perspective, we have created policies and procedures to support our organizational goals and best practice, and we have educated our information system user base on these standards.

Has this created the desired outcome? Are we more secure with our information?

Now the real hard work starts....

Without measures and metrics, and without continued diligence and redefinition, the process and its implementation will not be as successful - period. This work is very difficult, but ultimately it allows us to continually improve our system, understand where the opportunities are, and judge the effectiveness of the solutions we have implemented.




"What gets measured, gets managed" - Peter Drucker

Sunday, April 21, 2013

Security Education, Training and Awareness

Policy is only part of information security; there are two other critical aspects of a complete security program and plan: training and awareness.

Per SANS (www.sans.org):


• Policy tells the user what to do
• Training provides the skills for performing it
• Awareness changes their behavior

If users do not know what they are supposed to do, it is a policy issue. If the users do not have the skills for performing it, then it becomes a training issue.

Quite often the user does not understand why it is important; this is a behavioral issue that needs to be changed.

It is also very important to understand that security awareness is not a single event but a process in which the approach is reviewed continuously, improved, and sustained by metrics and success measures.

Source: SANS - Securing The Human