Sunday, May 26, 2013

Who pulls this all together...


Proper resourcing and a clear definition of roles and responsibilities are a major step toward an effective information security program.

The sample structure below, from ISACA, shows the relationship between the major security functions and the high-level roles that support them, including:

  • CIO - Vision and strategy for the information support of the business strategy.
Not included in this visual, but no less important, are the roles and responsibilities defined for the following positions as well:
  • CISO - Vision and strategy for the security of information and its support of the business strategy.
  • Security Manager - Day-to-day operations manager of the information security functions.
  • Security Administrator - Administration of security policies and technology.
  • Security Technician - Technical specialist for particular technology groups (e.g. firewalls, servers, software).
  • Security Officer - Physical security staff and environmental protection.


Sunday, May 19, 2013

Layers of protection

Now to focus on the tools and technology behind the protection mechanisms...

Just as there are many facets of information security, there are many layers, or nets, of protection that should be employed together to create the most secure environment; no single layer is expected to stop every attack.


Beyond the individual technologies, we should be aware of the four key concepts that underpin access control of information:
  1. Identification - The mechanism by which an unknown entity presents a claimed identity (for example a username or certificate subject) to the entity it wants to communicate with. Identification alone proves nothing; it only says who the entity claims to be.
  2. Authentication - The validation of that claimed identity. Authentication mechanisms rely on one or more of four factors: what you know (a password), what you have (a token or smart card), what you are (a biometric), and what you produce (a signature or voice pattern).
  3. Authorization - The process of determining which actions an authenticated entity may perform in a particular physical or logical area. Least privilege applies here: grant only the actions the role actually needs.
  4. Accountability - Recording the actions taken on a system and tracing each action to the user who performed it, so that user can be held responsible. Accountability is implemented through system logs and auditing, which is why failed attempts must be logged as carefully as successful ones.
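The four concepts above map directly onto code. The following is an added example, not code from the original post: a small Python access-control flow in which a username is the identification, a salted PBKDF2 password check is the authentication, a role-to-permission table is the authorization, and every decision (including failures) is written to an audit log for accountability. The users, roles, permissions and passwords are constructed sample data, and the 200,000 PBKDF2 iterations are an assumed policy, not a value from the post.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Optional


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed policy value.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def make_user(password: str, roles) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt), "roles": set(roles)}


# Constructed sample user store: only salted hashes are kept, never the passwords.
USERS = {
    "alice": make_user("correct horse battery staple", ["analyst"]),
    "bob": make_user("hunter2", ["admin"]),
}

# Authorization table (constructed): role -> set of permitted (action, resource) pairs.
# Least privilege: analysts may only read alerts; only admins may change the firewall.
PERMISSIONS = {
    "analyst": {("read", "alerts")},
    "admin": {("read", "alerts"), ("write", "alerts"), ("write", "firewall")},
}

# Accountability: every authentication and authorization decision lands here.
AUDIT_LOG = []


def _audit(event: str, user: str, **details) -> dict:
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, "user": user}
    entry.update(details)
    AUDIT_LOG.append(entry)
    return entry


def authenticate(username: str, password: str) -> Optional[str]:
    """Identification (the claimed username) followed by authentication (the secret).

    Returns the authenticated principal, or None. Failures are logged, not just successes.
    """
    record = USERS.get(username)
    if record is None:
        # Still do the hashing work so unknown and known usernames take the same time
        # and the response does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        _audit("auth_failure", username, reason="unknown user")
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        _audit("auth_failure", username, reason="bad password")
        return None
    _audit("auth_success", username)
    return username


def authorize(principal: str, action: str, resource: str) -> bool:
    """Authorization: is this authenticated principal allowed to do this action here?"""
    roles = USERS[principal]["roles"]
    allowed = any((action, resource) in PERMISSIONS.get(role, set()) for role in roles)
    _audit("authz", principal, action=action, resource=resource, allowed=allowed)
    return allowed


def perform(username: str, password: str, action: str, resource: str) -> bool:
    """Full flow: identify, authenticate, then authorize. False on any failure."""
    principal = authenticate(username, password)
    if principal is None:
        return False
    return authorize(principal, action, resource)


if __name__ == "__main__":
    print(perform("alice", "correct horse battery staple", "read", "alerts"))   # True
    print(perform("alice", "correct horse battery staple", "write", "firewall"))  # False
    print(perform("mallory", "guess", "read", "alerts"))                          # False
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the audit log records the identification attempt for "mallory" even though no such user exists, and records alice's denied firewall write; without those entries a later investigation could not reconstruct who tried what.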

Sunday, May 12, 2013

Controlling risk



Now that we have identified risk, how do we control it? How do we decide which risks should be addressed and which should not?

There are four main strategies for controlling risk...


  1. Avoid - Do not engage in the activity that incurs the risk, or restructure the activity so that the risk no longer exists.
  2. Reduce or mitigate - Implement controls that reduce the likelihood or the impact of the risk to an acceptable level.
  3. Transfer - Move the risk to another entity, for example an outsourced vendor or an insurer.
  4. Accept - Choose not to address the risk, once due diligence has been completed and documented.
What helps an organization decide which strategy to use? Ultimately, feasibility studies and cost-benefit analysis give an organization the picture it needs to weigh the strategies against each other. For example, if the cost of a control is high in comparison to its benefit, the risk may be a candidate for acceptance, or for a less costly form of mitigation.
There are several standard methodologies for risk management and risk control, and they include templates and tools for calculating risk.

Saturday, May 4, 2013

Information security = Organizational risk

Ultimately, information security is about risk. What is an organization's tolerance for information security breaches? How can an organization know what its tolerance is without understanding what the outcome of a breach would be before it happens?

So what really is risk? Simply put: Risk = Probability x Severity, that is, how likely a loss event is multiplied by how much damage it does when it occurs. An event that cannot happen carries no risk however severe it would be, and a certain event that costs nothing carries none either.

Seems simple, but how does an organization really understand its risk so that it can identify, assess and prioritize what needs attention? Answer: risk management.

Risk Management:

Risk management is a specific process divided into two phases: risk identification and assessment, followed by risk control.
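To show how the risk formula above and the cost-benefit analysis from the "Controlling risk" post fit together, here is an added example in Python; it is not code from the post or from any of the methodologies it mentions. Risk is computed as probability times severity on an annual basis (the annualized loss expectancy used by quantitative risk methods), and each candidate control is scored as the loss it avoids minus what it costs; the four strategies fall out of that comparison. The risk scenario, the controls, their costs and residual values, and the tolerance figure are all constructed sample numbers.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Risk:
    name: str
    probability: float  # expected occurrences per year (annualized rate of occurrence)
    severity: float     # loss per occurrence, in currency units (single loss expectancy)

    def annual_loss_expectancy(self) -> float:
        # Risk = probability x severity, expressed as expected loss per year.
        return self.probability * self.severity


@dataclass
class Control:
    name: str
    strategy: str               # "mitigate", "transfer" or "avoid"
    annual_cost: float          # cost to implement and operate the control, per year
    residual_probability: float # probability remaining after the control is in place
    residual_severity: float    # loss per occurrence remaining after the control

    def residual_ale(self) -> float:
        return self.residual_probability * self.residual_severity


def net_benefit(risk: Risk, control: Control) -> float:
    """Cost-benefit analysis: loss avoided per year minus what the control costs per year."""
    return risk.annual_loss_expectancy() - control.residual_ale() - control.annual_cost


def choose_strategy(risk: Risk, controls: List[Control],
                    tolerance: float) -> Tuple[str, Optional[str], float]:
    """Return (strategy, control name or None, net benefit per year).

    Accept when the risk already sits within tolerance, or when no control pays for
    itself; otherwise pick the control with the largest net benefit, whatever its
    strategy (mitigate, transfer or avoid).
    """
    if risk.annual_loss_expectancy() <= tolerance:
        return ("accept", None, 0.0)
    best = max(controls, key=lambda c: net_benefit(risk, c), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        # Due diligence done: every option costs more than the loss it prevents.
        return ("accept", None, 0.0)
    return (best.strategy, best.name, net_benefit(risk, best))


# Constructed scenario (assumed numbers): a stolen laptop exposes customer records
# about once every two years, at an estimated 200,000 per incident.
LAPTOP_THEFT = Risk("stolen laptop exposing customer records", probability=0.5, severity=200_000.0)

CANDIDATE_CONTROLS = [
    # Theft still happens, but an encrypted disk turns it into a hardware loss.
    Control("full-disk encryption", "mitigate", annual_cost=20_000.0,
            residual_probability=0.5, residual_severity=10_000.0),
    # Insurance leaves the deductible and uninsured costs with the organization.
    Control("cyber insurance", "transfer", annual_cost=30_000.0,
            residual_probability=0.5, residual_severity=50_000.0),
    # Keeping customer data off laptops removes the risk but costs productivity.
    Control("no customer data on laptops", "avoid", annual_cost=60_000.0,
            residual_probability=0.0, residual_severity=0.0),
]

RISK_TOLERANCE = 15_000.0  # assumed: expected annual loss the organization will live with


if __name__ == "__main__":
    print("ALE:", LAPTOP_THEFT.annual_loss_expectancy())
    for control in CANDIDATE_CONTROLS:
        print(f"{control.name:30s} {control.strategy:9s} net benefit {net_benefit(LAPTOP_THEFT, control):10.0f}")
    print(choose_strategy(LAPTOP_THEFT, CANDIDATE_CONTROLS, RISK_TOLERANCE))
```

With these numbers the laptop risk has an expected loss of 100,000 per year, encryption nets 75,000, insurance 45,000 and avoidance 40,000, so mitigation wins; change the tolerance to 100,000 and the same risk is simply accepted. The point is that the strategy is an output of the numbers, not a choice made before them.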

Reference for great visuals:
Vlajic, N. "Security Risk Management." CSE 4482 Computer Security Management: Assessment and Forensics. N.p., n.d. Web. 4 May 2013. http://www.cse.yorku.ca/course_archive/2010-11/F/4482/CSE4482_03_SecurityRiskManagement_Part1.pdf