Question


The major Technology security risks associated with the creation of an organization. Summarize the importance of the Information Security Triad.

Answer #1

There are many security risks we have to consider while creating an organization. A few of them are mentioned below.

1. Overreliance on security monitoring software: The good news is that many organizations are beginning to actively monitor their networks in response to all the data breaches. Third-party vendors offer Security Event and Incident Management (SEIM) software that you may purchase, install, and use to seemingly monitor the entire network with one tool. The bad news is that these tools require considerable customization and management to work effectively. Your network devices all need to be able to connect and communicate with the software. One tool may not do it all, so be careful of putting all your eggs in one basket. Mitigation strategy: Understand and use a diverse portfolio of monitoring tools.

2. Inadequate system logging: Software and network devices allow for incident and event logging. However, people often do not enable the logging option. If enabled, the logs are frequently not saved or reviewed by management. Yes, logging can be a tedious process. When not configured correctly, logs can bog down your email inbox. Mitigation strategy: Consider third-party software that allows you to refine the logging process and alert your personnel to significant incidents and events. Combined with a well-managed SEIM tool (see caveat above), strong logging practices can help diversify your system defenses.

3. Technology innovations that outpace security: Consumer demand for the latest and greatest software package often drives developers to take shortcuts, use outdated code, or not fully test new products in order to get the product to the market. This can result in software put into production before it has been sufficiently vetted against security vulnerabilities or system compatibility. Organizations that use the most recent version of a product should test it extensively before installing it into production systems. Mitigation strategy: Follow a “non-first adopter” policy and allow the software to prove itself for six months to a year before using the product. For organizations that develop software, we encourage you to keep a specific focus on security from the start of the development process.

4. Outdated operating systems: Related to #3 above, older versions of software do eventually become unsupported by the vendor. Vulnerabilities may go unpatched, and they’re often the first spot hackers will focus on when trying to obtain access to your systems. One such vulnerability is the continued use of Windows XP. It went into unsupported status in April 2014, yet an unsettling number of businesses still rely on XP as their main workstation operating system. Similarly, Windows Server 2003 is scheduled to go into unsupported status starting July 2015; it is also heavily used in the business segment. Mitigation strategy: Track and plan for these major system changes to prevent systems from running unsupported software.

5. Lack of encryption: The first line of defense for preventing unauthorized access to your data is to protect it while at rest and while in transit. Removable media (USB thumb drives, CDs, etc.) should not allow data to be placed on them without requiring the user to create an encrypted folder on the device or encrypt the entire device. Mitigation strategy: Use third-party software tools to aid with encryption. These tools can scan outbound emails for sensitive data and require the sender to use a secure file load site or to encrypt the data before transmission. Laptop hard drives should have hard-drive encryption that only unlocks the data after a user successfully logs into the device.

6. Data on user-owned mobile devices: The battle between company-owned devices and user-owned devices will continue in 2015. Employees increasingly want to use their own mobile devices such as tablets and smart phones to gain access to your systems through the Internet. Mitigation strategy: Third-party applications allow for each user to have a “sandbox” of data (a secured segment of your organization’s information accessible to your mobile device), including email and files stored in a secure directory on your organization’s system. Employees should only be allowed to achieve access through usernames, passwords, and possibly two-factor authentication. If the mobile device is lost or stolen, your organizational data would remain sitting on your network and not the device, reducing the risk of lost or breached data.

7. IT “diplomatic immunity” within your organization: We often see members of IT management and System Administrators who feel exempt from the system access requirements detailed within their organization’s policies (non-expiring passwords, for example). These IT employees may reason that they’re vetted. But these employees’ accounts may also have high levels of access and permissions, which makes them high-value targets for hackers. Mitigation strategy: Complete user reviews of accounts and settings at least twice per year. To run this review, use a member of the security or audit team, or another qualified person outside of IT, to help verify that all personnel comply with IT policies.

8. Lack of management support: The values that create a strong security environment should come from management and be considered a part of the organization’s culture. Investing in IT security early on will reduce the costs to both your organization’s finances and reputation if a breach were to occur. Mitigation strategy: Educate and encourage members of management who understand the need to protect systems and are able to communicate that need throughout the organization.

9. Challenges recruiting and retaining qualified IT staff: Finding and keeping qualified security professionals is becoming difficult with the increased demand for dedicated IT security departments within companies and organizations. We have seen aggressive recruiting by competing companies within the same geographic area. Heavy turnover in IT security diminishes an IT team’s effectiveness as new personnel must learn systems, organizational culture, and business processes to fully grasp the risks of the organization. Mitigation strategy: Focus on capabilities, training, and retention to reduce turnover and develop a strong IT security team.

10. Segregation of duties: In accounting, the proper segregation of duties is a cornerstone concept. Our IT auditors see a strong need for the same concept to be embedded into IT departments. The umbrella IT security strategy and responsibility should not fall solely to a Systems Administrator or Chief Information Officer with many other duties and potentially conflicting interests. Mitigation strategy: Security should belong to a dedicated role, such as a Security Analyst or Chief Information Security Officer. In some situations, IT security is independent of the IT department and reports directly to a board or Chief Executive Officer, much as an internal audit department would do, to allow for independent assessments, objective monitoring of systems, and the ability to report without prejudice.

CIA Triad of Information Security

The CIA (Confidentiality, Integrity, and Availability) triad of information security is an information security benchmark model used to evaluate the information security of an organization. The CIA triad of information security implements security using three key areas related to information systems including confidentiality, integrity and availability.

The CIA triad of information security was created to provide a baseline standard for evaluating and implementing information security regardless of the underlying system and/or organization. The three core goals have distinct requirements and processes within each other.

· Confidentiality: Ensures that data or an information system is accessed by only an authorized person. User IDs and passwords, access control lists (ACLs) and policy-based security are some of the methods through which confidentiality is achieved.

· Integrity: Integrity assures that the data or information system can be trusted. Ensures that it is edited by only authorized persons and remains in its original state when at rest. Data encryption and hashing algorithms are key processes in providing integrity.

· Availability: Data and information systems are available when required. Hardware maintenance, software patching/upgrading and network optimization ensure availability.
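Added illustration, not part of the answer above: a small Python model of the first two triad goals as the answer describes them. Confidentiality is enforced with a default-deny access control list, and integrity with a keyed hash (HMAC-SHA256) so that a modified record fails verification. It also shows the caveat a practitioner would want on the "hashing algorithms" point: an unkeyed hash stored next to the data can simply be recomputed after tampering, so it only catches accidental corruption. All users, record names and the key are constructed sample values, and every logging line is a constructed audit-trail stand-in.

```python
"""Worked model of confidentiality (ACL) and integrity (HMAC) from the CIA triad.
Everything here is constructed sample data, not taken from any real system."""
import hashlib
import hmac

# Constructed access control list: record -> set of principals allowed to read it.
ACL = {
    "payroll.csv": {"alice", "finance-bot"},
    "public-notice.txt": {"alice", "bob", "finance-bot"},
}

# Constructed audit log so reads (allowed or denied) leave a reviewable trail.
AUDIT_LOG = []


def can_read(user: str, record: str) -> bool:
    """Confidentiality: default deny; only principals listed for the record pass."""
    allowed = user in ACL.get(record, set())
    AUDIT_LOG.append(f"read user={user} record={record} decision={'ALLOW' if allowed else 'DENY'}")
    return allowed


def integrity_tag(key: bytes, data: bytes) -> str:
    """Integrity: keyed tag over the data; cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_integrity(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(integrity_tag(key, data), tag)


def plain_digest(data: bytes) -> str:
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def check_plain_digest(data: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(data), digest)


def demonstrate() -> dict:
    """Run the scenario and return the outcomes so they can be checked."""
    key = b"constructed-demo-key-do-not-reuse"  # constructed sample key
    original = b"employee=alice;amount=100"
    modified = b"employee=alice;amount=900"

    tag = integrity_tag(key, original)
    digest = plain_digest(original)

    return {
        # confidentiality: alice may read payroll, bob may not, unknown records deny
        "alice_payroll": can_read("alice", "payroll.csv"),
        "bob_payroll": can_read("bob", "payroll.csv"),
        "bob_unknown": can_read("bob", "does-not-exist.txt"),
        # integrity with a keyed tag: original verifies, modified record does not
        "hmac_original_ok": verify_integrity(key, original, tag),
        "hmac_modified_ok": verify_integrity(key, modified, tag),
        # unkeyed hash: a stored digest catches the change ...
        "plain_modified_vs_old_digest": check_plain_digest(modified, digest),
        # ... but anyone who can edit the data can also recompute the digest
        "plain_modified_vs_recomputed": check_plain_digest(modified, plain_digest(modified)),
        "audit_entries": len(AUDIT_LOG),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
    print("\n".join(AUDIT_LOG))
```

The keyed tag is what makes the integrity check meaningful: the `plain_modified_vs_recomputed` outcome is `True`, showing that an unkeyed hash stored beside the data verifies a tampered record once the digest is recomputed, whereas the HMAC over the same modified record fails because the key is needed to produce a matching tag. The audit log entries stand in for the logging practice the answer's item 2 calls for.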
