Monday, November 10, 2014

Information Security Management - Conclusion

Over the course of the last 12 weeks, my blogs covered a wide range of topics.  My topics tied into what interested me the most each week for the class.  I wanted to get the most out of this class and out of writing the blog so I picked things that interested me the most.

On the first week, I introduced myself in my blog and got into a silly list of “definitions” for the acronym COBOL.  In the course of my almost 26 years as a programmer, I have heard many times that COBOL is a verbose language that will “die” soon.  And guess what?  It has not “died” yet and will likely be around after I retire in another 20 years (give or take depending on when I am ready to move onto the next chapter of my life).  I have not programmed in COBOL since 1999 but I have never regretted the 10 years I did it.  I even taught COBOL for four years and still remember the silly joke I made about never missing a period when you code in COBOL.

My blog went on to cover various topics such as Agile, penetration testing, disaster recovery, information security policies and readability, best practices for information security, security risks, personal firewalls, and even got into security risks of terminating an employee.  Most of the topics I picked I had at least minimal understanding of before I took on the topic.  I have had exposure to most of these things I covered in my blog during my career.

In terms of my sources, they were quite varied for my blogs.  The only source that I lean to for research is Google.  By using Google searches for my topics each week, I ended up getting a wide variety of sources.  It is rare that I end up on the same site repeatedly for my sources.  I first find a bunch of links and then start reading a bit from each source that I find until I find a source that resonates with what I want to write about.  I then try to read from at least a couple of sources before I write my blog so I get a combination of viewpoints (including my own).  Then I can provide a more balanced opinion on my topic.

I feel blogging can be a very valuable tool for not only the reader but the author of the blog.  By writing the blog, it helped me to organize my thoughts.  It also pushed me to dive deeper into topics that I was learning for this class.  I don’t think that blogging is for everyone.  Some people hate writing.  I work in a field where documentation has huge value but is also something most technical people hate to do.  I think that some do well at documentation and others do poorly and should leave it to people who love doing it.


The biggest recommendation I have about an information security blog is that it is important that no sensitive information be included in the blog.  I always wrote my blog considering whether what I was writing was sensitive and would be inappropriate to write about.  A blog can be valuable to a company but it should also consider whether the information is OK to be publicly discussed.  Maybe a secure blog that only internal information security staff could get to would be a better option for an information security department.

Friday, November 7, 2014

Employee Termination & Security Concerns

Terminating an employee from a company is never an easy thing to do.  An employee may be terminated for lack of performance, breaking the rules, long term illness, or even being laid off due to a bad economy.  A manager who has to make that hard decision to terminate an employee needs to make sure that they keep security factored into the termination steps.

Every employee who works for a company has some form of access to the company and the company assets.  An employee may only have access to a building using a keycard.  An employee may have access to confidential information via a computer / network and/or paper files with confidential information.  An employee who has been terminated can cause problems for a company if the termination is not handled properly.

One key thing is to track what access each employee has, including both physical access and access to computers.  If access is not tracked properly, it is much more difficult to make sure that all access is revoked upon termination.  A large number of employees have remote access to company computers as well.  All of this access must be tracked so that when an employee leaves a company, voluntarily or otherwise, the access can be revoked.  If any of the employee’s access is not revoked upon ending their employment, this would allow them to do harm to the network or the people in the company.

How should a company handle terminating a potentially violent employee?  This is a tough situation because if a manager is concerned about a violent reaction from an employee, they may fear for their safety or the safety of other employees in the company.  If an employee is being terminated and there is worry about repercussions, the manager should have another person involved such as a security person.  The location of the termination may need to be a neutral area away from other employees.  Depending on the circumstances, employees may not be given an opportunity to clear their own desks because of the potential backlash from anger at being terminated.  Extra security may be warranted after a termination of a volatile employee.  There has been an increase in workplace violence in recent years so all these steps are necessary to ensure the safety of employees in a company (Dimoff n.d.).

It is important that employee electronic and paper files be reviewed for important information for the company.  If all the files are deleted and/or thrown away, there may be important information that is lost.  Files may also be valuable if the employee is suspected of doing illegal activities while employed.

It is also important to consider these things when an employee resigns because resignations may also be done by an angry employee.  It is important to monitor employee actions at all times and especially in the days or weeks after a resignation is submitted before the employee has their access revoked.  One thing that can be considered is to start revoking unnecessary access as soon as possible to limit the exposure to the company.

All these things are very important to consider when an employee is leaving a company whether voluntarily or not.
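The access-tracking point above, as an added example that is not part of the original post: an inventory of grants per employee is reconciled against a leaver record, reporting what is still live after the last day and what can be revoked early during a notice period. The system names, the idle threshold and all sample data are constructed assumptions.

```python
"""Offboarding access reconciliation (added example, constructed sample data)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Grant:
    system: str        # assumed names: "keycard", "vpn", "directory", "fileshare:hr"
    employee: str
    active: bool       # still live in the system of record
    last_used: date    # last time the grant was exercised
    required: bool = True  # needed for the person's current duties


@dataclass
class Leaver:
    employee: str
    notice_date: date  # resignation submitted or termination decided
    last_day: date


# Constructed sample inventory for two employees.
SAMPLE_GRANTS = [
    Grant("keycard", "jdoe", True, date(2014, 11, 4)),
    Grant("vpn", "jdoe", True, date(2014, 9, 20)),                    # idle remote access
    Grant("directory", "jdoe", True, date(2014, 11, 4)),
    Grant("fileshare:hr", "jdoe", True, date(2014, 10, 30), required=False),
    Grant("wiki", "jdoe", False, date(2014, 10, 1)),                  # already revoked
    Grant("keycard", "asmith", True, date(2014, 11, 4)),              # someone else
]
SAMPLE_LEAVER = Leaver("jdoe", date(2014, 11, 1), date(2014, 11, 14))


def residual_access(leaver, grants):
    """Every grant still active for the leaver: after the last day each one is
    an exposure that must be revoked."""
    return sorted(g.system for g in grants
                  if g.employee == leaver.employee and g.active)


def early_revocation_candidates(leaver, grants, today, idle_days=30):
    """During the notice period, grants that are not required for the person's
    duties or have been idle for idle_days are candidates for immediate revocation."""
    stale_before = today - timedelta(days=idle_days)
    return sorted(g.system for g in grants
                  if g.employee == leaver.employee and g.active
                  and (not g.required or g.last_used < stale_before))


def offboarding_report(leaver, grants, today):
    """Single entry point: what to revoke right now, given today's date."""
    if today > leaver.last_day:
        return {"status": "overdue", "revoke_now": residual_access(leaver, grants)}
    return {"status": "notice_period",
            "revoke_now": early_revocation_candidates(leaver, grants, today)}
```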

References:



Wednesday, October 29, 2014

Personal Firewall Benefits

First of all, it is important to understand what a firewall’s purpose is.  A firewall is meant to protect a private network from outside attacks (e.g. Internet).  A firewall can consist of software or hardware.  A firewall sits between a private network and a public network (Vicomsoft Learning Center 2011-2014).

Next, it is important to understand what a firewall does.  It checks all traffic between private and public networks and makes sure the traffic meets specific criteria.  The firewall will prevent traffic from entering the private network if it does not meet these criteria.  A firewall can include logging and/or triggering alerts when someone attempts to enter the private network with hostile intentions (Vicomsoft Learning Center 2011-2014).

Following are just some of the benefits of installing a personal firewall (Hooper n.d.):
  • Monitors Traffic:  This feature monitors not only incoming traffic to a private network but also outbound traffic.  This helps ensure that bad traffic neither enters nor exits a private network.
  • Blocks Trojans:  A Trojan horse is a virus that attaches itself to computer files.  When those files are sent out, anyone who opens them can be affected.  A firewall helps prevent Trojans from attaching themselves to files on the private network in the first place.
  • Stops Hackers:  A firewall prevents someone from using a private network and/or computer to spread viruses.  An attack can come not only from a hacker but also from a neighbor if there is no protection against intrusions.
  • Stops Keyloggers:  Keyloggers are spyware placed onto a computer to capture keystrokes.  This type of attack allows attackers to access private accounts because the attacker gains access to user IDs and passwords.  This is why multifactor authentication for sensitive sites is so important to prevent this type of attack, in addition to a personal firewall.

Another important way to protect a computer is securing wireless routers.  An unsecured router is like an open invitation for someone to try to attack a personal computer or network.  When a person is using public Wi-Fi, the best and first defense against an attack is a firewall.
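The checking, default-deny, logging and alerting behaviour described above, as an added example that is not code from the original post: a small rule evaluator that inspects both inbound and outbound packets against an ordered rule list, denies anything unmatched, logs every denial, and raises an alert once the same remote address has been refused several times. Rules, addresses and the alert threshold are constructed assumptions.

```python
"""Minimal personal-firewall rule evaluator (added example, constructed rules)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    direction: str           # "in" or "out"
    proto: str               # "tcp" or "udp"
    src: str                 # source network in CIDR form
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# Constructed rule set: host may reach the internet over TCP, file sharing
# (port 445) is reachable only from the local LAN, everything else is denied.
RULES = [
    Rule("out", "tcp", "0.0.0.0/0", None, "allow"),
    Rule("in", "tcp", "192.168.1.0/24", 445, "allow"),
    Rule("in", "tcp", "0.0.0.0/0", 445, "deny"),
]


class Firewall:
    ALERT_THRESHOLD = 3  # assumed: repeated refusals from one address raise an alert

    def __init__(self, rules):
        self.rules = rules
        self.log = []                 # denial and alert records
        self.denied_by_src = Counter()

    def check(self, direction, proto, src, dst_port):
        """Return 'allow' or 'deny' for one packet; first matching rule wins."""
        for r in self.rules:
            if (r.direction == direction and r.proto == proto
                    and ip_address(src) in ip_network(r.src)
                    and (r.dst_port is None or r.dst_port == dst_port)):
                verdict = r.action
                break
        else:
            verdict = "deny"  # nothing matched: default deny in both directions
        if verdict == "deny":
            self.log.append(f"DENY {direction} {proto} {src} -> :{dst_port}")
            if direction == "in":
                self.denied_by_src[src] += 1
                if self.denied_by_src[src] == self.ALERT_THRESHOLD:
                    self.log.append(f"ALERT repeated refused inbound from {src}")
        return verdict
```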

Reference:


Friday, October 24, 2014

Information Security Risk Control Strategies

All companies are vulnerable to attacks on their data if they have any networks that are exposed outside of their company.  Even if networks are only internal, a company is still at risk of an internal attack from an employee who wants to gain by the attack or is possibly disgruntled at the company.

There are many strategies that a company can take to mitigate risk to assets.  Some companies are required by law to protect their assets such as financial institutions and medical practices.  There are many regulations that have to be complied with in terms of protecting personal information of customers and patients of these organizations.  In that case, defense is the only option for these businesses.

The following are five strategies that can be used in information asset risk control in an organization (Whitman 2014): 

  • Defense:  Defense is when additional safeguards are implemented to eliminate or reduce risk that is not being controlled.
  • Transferal:  Having the risk transferred to outside organizations or areas to handle the risk.
  • Mitigation:  Decrease the impacts of a successful attack on assets.
  • Acceptance:  Do nothing but document that the risk is not being controlled and that the risk is being accepted.
  • Termination:  Completely remove the asset from the organization.

Another viewpoint on risk control strategies indicated the following four strategies (Gillette n.d.):

  • Avoidance:
    • The most popular strategy
    • Tries to avoid risks and threats completely
      • Countering threats
      • Remove assets that are vulnerable
      • Limit who can access the asset
      • Add safeguards to protect asset
    • Methods to avoid risk
      • Policy
      • Training
      • Technology
  • Transference
    • Move the risk to other assets, processes, or organizations
    • Transfer risk through the following methods:
      • Reengineering services
      • Changing development methodologies
      • Outsourcing
        • Advantages:  Leverage another company’s expertise & allow the primary company to concentrate on what they know
        • Disadvantages:  Costs are likely to be high and the contracts can be very complex to keep both companies safe from liability
    • Larger organizations are more likely to use this method

  • Mitigation
    • Limit the impacts that would happen if an asset was successfully attacked
    • Use planning and preparation to reduce the impacts
    • Planning includes:  disaster recovery plan, incident response plan, and business continuity plan
    • Early detection is key to limiting risks

  • Acceptance
    • Do nothing and accept the results of any attacks
    • Choosing this method requires determining how much risk there is, how likely an attack is, how much harm an attack would cause, how feasible it would be to add additional controls, what the cost benefit of adding controls to prevent an attack would be, and whether measures to prevent an attack are justifiable.

How a risk is handled is largely up to an organization.  An organization that is governed by regulations can choose not to mitigate its risks in an appropriate fashion, but it can face penalties and fines if it is out of compliance.  If an employee of a company that is governed by regulations willfully disregards the laws, they could face fines, termination, or even jail time.

Reference:

Monday, October 13, 2014

Identify Information Security Risks

In information security management, it is important to not only identify the risks to company assets but it is also important to identify assets that are at risk in the first place.

Is it better to identify what assets need to be protected first?  Or is it better to identify what threats there are and then identify what assets are at risk due to those threats?  A lot depends on the size of the company and how labor intensive it will be to do either of these things.  Ideally, both angles should be considered when protecting company assets.

Another key point to protecting company assets is to assess the priority of protecting the asset.  Once assets that are at risk are identified, then a priority should be placed on each asset to determine what is the most at risk and will cause the most damage if compromised.

Risks do not just include breaches.  Risks can also include natural disasters, accidents, mistakes, etc.  The assets need to be protected from all risks.

Also to be considered is the cost of having an asset damaged, destroyed, or breached.  If the cost is high due to loss of this asset, the priority of protecting this asset will be higher.

Another point to managing risks is the inherent risk that employees bring into the company due to their ability to access company information anywhere and from their own devices.  How should a company address this risk?  Should a company prevent employees from accessing company information outside of the network?  What would that do to the work/home balance that employees need to stay happy working for a company?

Another consideration to risks is how quickly a company can assess the risk level to a company.  The percentage of companies that know what their risk level is at any point in time is very low.  This means that a lot of companies do not even know that they are at risk. 

A way to make it more likely that a company is able to assess risk levels quickly is by automating the process.  There are many technical solutions that will monitor the network, personal devices, email usage, etc. and can determine if an employee is inadvertently or purposely introducing risk to the company.

All these things need to be considered when assessing risk to company assets.

Reference:

  • Hurley, J. (Jan 2011).  Identify enterprise security risks.  What color is your information risk today?  TechWorld.  Retrieved from http://features.techworld.com/security/3258042/identifying-enterprise-security-risks/
  • Borysowich, C. (Jul 2009).  Identifying Security Threats.  Retrieved from http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182

Saturday, October 11, 2014

Security Best Practices

Once an organization has determined where the security risks are, some fundamental best practices should be implemented to avoid security breaches.

A very important thing to do to protect customer and employee information is to use encryption.  All sensitive data should be encrypted when it is stored and when it is being transmitted.  There are many government regulations that will impose fines against companies who cannot prove that they have followed this very important step of keeping sensitive information safe.  Encryption should use the strongest possible algorithm to keep sensitive information secure.  OWASP has a top 10 security vulnerabilities list published annually and provides information about encryption when transporting data (OWASP 2014) and when storing sensitive data (OWASP Apr 2014).

Other things that should be done to keep customer information secure include (Hess 2013): 

  • Use digital certificates to sign all sites
  • Do not allow removable media to be used on company computers (e.g. USB drives, external hard drives, etc.)
  • Install a spam filter on the email system
  • Install a device that scrubs all email coming in and out of a company to prevent PCI data from going out and malware links from coming into the company network
  • Always maintain security patches on all applications
  • Make sure users are trained on security concerns since information security is everyone’s responsibility


Reference:



Sunday, October 5, 2014

Security Education, Training, and Awareness

In the last several years, more and more of my employee security training comes with a link to an online course.  Some of the courses are minimal and take a matter of minutes to read and to take the final quiz to confirm that I read and comprehended the material.  Other training materials take hours and days to complete.

Who has time to do all that training and also get their jobs done?  Why does my company keep on insisting that I take the same training over and over each year?  What is the point?

Well, the point is that people tend to forget things if they are not reminded.  The use it or lose it mentality is very true.  If I don’t have those reminders every once in a while, I am very likely to forget some important aspects of keeping things secure at work and even at home on my personal computer.  Also, things change and if this material is not kept up-to-date, I am not likely to find out about new security threats to me and my company.

About a year ago my company started having pop-ups with security hints come up each day when I logged onto the network.  At first I read each one because it interested me.  Now, I cannot even tell you if those pop-ups come up anymore.  After a while I found them irritating.  Soon, I stopped reading them altogether.  Now I cannot even tell you if I get them anymore.  I compare this to being deep in thought and driving home and realizing that I traveled a great distance without consciously thinking about where I was.  Because I am focused on starting work when I log on in the morning, I don’t notice the detail of whether I closed a pop-up when I first logged on.  Tomorrow morning I am definitely going to pay attention and see if that pop-up appears when I log on.

The information security department is also sending out periodic newsletters with interesting relevant topics that include things that I can do at home as well as at work to protect my information.  I always read those and always get a lot from doing so.

So, next time you are annoyed by having to do that training at work, realize that it is to protect you and the company from security risks. 


Information security is everyone’s business!