Monday, November 10, 2014

Information Security Management - Conclusion

Over the course of the last 12 weeks, my blogs covered a wide range of topics.  My topics tied into what interested me the most each week for the class.  I wanted to get the most out of this class and out of writing the blog so I picked things that interested me the most.

On the first week, I introduced myself in my blog and got into a silly list of “definitions” for the acronym COBOL.  In the course of my almost 26 years as a programmer, I have heard many times that COBOL is a verbose language that will “die” soon.  And guess what?  It has not “died” yet and will likely be around after I retire in another 20 years (give or take depending on when I am ready to move onto the next chapter of my life).  I have not programmed in COBOL since 1999 but I have never regretted the 10 years I did it.  I even taught COBOL for four years and still remember the silly joke I made about never missing a period when you code in COBOL.

My blog went on to cover various topics such as Agile, penetration testing, disaster recovery, information security policies and readability, best practices for information security, security risks, personal firewalls, and even the security risks of terminating an employee.  I had at least a minimal understanding of most of the topics before I took them on.  I have had exposure to most of the things I covered in my blog during my career.

In terms of my sources, they were quite varied for my blogs.  The only source that I lean to for research is Google.  By using Google searches for my topics each week, I ended up getting a wide variety of sources.  It is rare that I end up on the same site repeatedly for my sources.  I first find a bunch of links and then start reading a bit from each source that I find until I find a source that resonates with what I want to write about.  I then try to read from at least a couple of sources before I write my blog so I get a combination of viewpoints (including my own).  Then I can provide a more balanced opinion on my topic.

I feel blogging can be a very valuable tool for not only the reader but the author of the blog.  By writing the blog, it helped me to organize my thoughts.  It also pushed me to dive deeper into topics that I was learning for this class.  I don’t think that blogging is for everyone.  Some people hate writing.  I work in a field where documentation has huge value but is also something most technical people hate to do.  I think that some do well at documentation and others do poorly and should leave it to people who love doing it.


The biggest recommendation I have about an information security blog is that it is important that no sensitive information be included in the blog.  I always wrote my blog considering whether what I was writing was sensitive and would be inappropriate to write about.  A blog can be valuable to a company but it should also consider whether the information is OK to be publicly discussed.  Maybe a secure blog that only internal information security staff could get to would be a better option for an information security department.

Friday, November 7, 2014

Employee Termination & Security Concerns

Terminating an employee from a company is never an easy thing to do.  An employee may be terminated for lack of performance, breaking the rules, long term illness, or even being laid off due to a bad economy.  A manager who has to make that hard decision to terminate an employee needs to make sure that they keep security factored into the termination steps.

Every employee who works for a company has some form of access to the company and the company assets.  An employee may only have keycard access to a building.  An employee may have access to confidential information via a computer or network and/or paper files containing confidential information.  An employee who has been terminated can cause problems for a company if the termination is not handled properly.

One key thing is to track what access each employee has, both physical access and access to computers.  If access is not tracked properly, it is much more difficult to make sure that all access is revoked upon termination.  A large number of employees also have remote access to company computers.  All of this access must be tracked so that when an employee leaves a company, voluntarily or otherwise, the access can be revoked.  If any of the employee’s access is not revoked when their employment ends, they would be able to do harm to the network or the people in the company.

How should a company handle terminating a potentially violent employee?  This is a tough situation because if a manager is concerned about a violent reaction from an employee, they may fear for their safety or the safety of other employees in the company.  If an employee is being terminated and there is worry about repercussions, the manager should have another person involved such as a security person.  The location of the termination may need to be a neutral area away from other employees.  Depending on the circumstances, employees may not be given an opportunity to clear their own desks because of the potential backlash from an employee who is angry at being terminated.  Extra security may be warranted after the termination of a volatile employee.  There has been an increase in workplace violence in recent years so all these steps are necessary to ensure the safety of employees in a company (Dimoff n.d.).

It is important that employee electronic and paper files be reviewed for important information for the company.  If all the files are deleted and/or thrown away, there may be important information that is lost.  Files may also be valuable if the employee is suspected of doing illegal activities while employed.

It is also important to consider these things when an employee resigns because resignations may also be done by an angry employee.  It is important to monitor employee actions at all times and especially in the days or weeks after a resignation is submitted before the employee has their access revoked.  One thing that can be considered is to start revoking unnecessary access as soon as possible to limit the exposure to the company.

All these things are very important to consider when an employee is leaving a company whether voluntarily or not.
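The access tracking and revocation described above, as an added example that is not part of the original post: an access registry that records every physical, computer and remote entitlement, trims an employee back to a role baseline once a resignation is submitted, and on the last day revokes everything and reports whatever a system failed to confirm.  The employee, systems, role baseline and the failing connector are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Entitlement:
    system: str          # e.g. "badge", "vpn", "prod-db" (constructed names)
    kind: str            # "physical", "computer" or "remote"
    active: bool = True


@dataclass
class Employee:
    name: str
    role: str
    entitlements: list = field(default_factory=list)


# Constructed baseline: the access a role still needs to keep working until the last day.
ROLE_BASELINE = {
    "developer": {"badge", "ad-account", "source-repo"},
}


class AccessRegistry:
    """Tracks every access an employee holds so that all of it can be revoked
    at termination and the result can be verified afterwards."""

    def __init__(self, connectors=None):
        self.employees = {}
        self.audit = []                       # (employee, system, outcome) trail
        # Per-system revoke hooks; a hook returns True only when the system
        # confirmed the revocation.  Systems without a hook are assumed to succeed.
        self.connectors = connectors or {}

    def add(self, emp: Employee) -> None:
        self.employees[emp.name] = emp

    def grant(self, name: str, system: str, kind: str) -> None:
        self.employees[name].entitlements.append(Entitlement(system, kind))
        self.audit.append((name, system, "granted"))

    def active_systems(self, name: str) -> list:
        return sorted(e.system for e in self.employees[name].entitlements if e.active)

    def revoke(self, name: str, system: str) -> bool:
        confirm = self.connectors.get(system, lambda who: True)
        ok = bool(confirm(name))
        if ok:
            for e in self.employees[name].entitlements:
                if e.system == system:
                    e.active = False
        self.audit.append((name, system, "revoked" if ok else "REVOKE FAILED"))
        return ok

    def reduce_to_baseline(self, name: str) -> list:
        """Resignation submitted: drop everything the role does not strictly need."""
        keep = ROLE_BASELINE.get(self.employees[name].role, set())
        removed = []
        for system in self.active_systems(name):
            if system not in keep and self.revoke(name, system):
                removed.append(system)
        return removed

    def offboard(self, name: str) -> list:
        """Last day: revoke all remaining access and report what is still open."""
        for system in self.active_systems(name):
            self.revoke(name, system)
        return self.active_systems(name)   # must be empty; anything listed needs follow-up


def run_demo():
    # Constructed scenario: a developer with physical, computer and remote access.
    # The legacy file share cannot confirm revocations, so it stays on the report.
    reg = AccessRegistry(connectors={"legacy-fileshare": lambda who: False})
    reg.add(Employee("pat", "developer"))
    for system, kind in [("badge", "physical"), ("ad-account", "computer"),
                         ("source-repo", "computer"), ("vpn", "remote"),
                         ("legacy-fileshare", "computer"), ("prod-db", "computer")]:
        reg.grant("pat", system, kind)
    removed_at_notice = reg.reduce_to_baseline("pat")
    still_open = reg.offboard("pat")
    return removed_at_notice, still_open, reg.audit


if __name__ == "__main__":
    removed, open_access, trail = run_demo()
    print("revoked at notice:", removed)
    print("still open after offboarding:", open_access)
```

The non-empty list returned by `offboard` is the point: a termination is not finished until every system has confirmed the revocation.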

References:



Wednesday, October 29, 2014

Personal Firewall Benefits

First of all, it is important to understand what a firewall’s purpose is.  A firewall is meant to protect a private network from outside attacks (e.g. Internet).  A firewall can consist of software or hardware.  A firewall sits between a private network and a public network (Vicomsoft Learning Center 2011-2014).

Next, it is important to understand what a firewall does.  It checks all traffic between private and public networks and checks to make sure the traffic meets a specific criteria.  The firewall will prevent traffic from entering the private network if it does not meet this criteria.  A firewall can include logging and/or triggering alerts when someone attempts to enter the private network with hostile intentions (Vicomsoft Learning Center 2011-2014).

Following are just some of the benefits of installing a personal firewall (Hooper n.d.):
  • Monitors Traffic:  This feature monitors not only incoming traffic to a private network but also outbound traffic.  This helps ensure that bad traffic neither enters nor exits a private network.
  • Blocks Trojans:  A Trojan horse virus attaches itself to computer files.  When those files are sent out, the virus can end up impacting others who open them.  A firewall prevents the Trojans from attaching themselves to files on the private network in the first place.
  • Stops Hackers:  A firewall prevents someone from using a private network and/or computer to spread viruses.  An attack can come not only from a hacker but also from a neighbor if there is no protection against intrusions.
  • Stops Keyloggers:  Keyloggers are spyware programs placed onto a computer to capture keystrokes.  This type of attack allows attackers to access private accounts because the attacker gains access to user IDs and passwords.  This is why multifactor authentication for sensitive sites is so important to prevent this type of attack, in addition to a personal firewall.

Another important way to protect a computer is securing wireless routers.  An unsecured router is like an open invitation for someone to try to attack a personal computer or network.  When a person is using public WiFi, the best and first defense against an attack is a firewall.
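The behaviour described above (checking every packet in both directions against a set of criteria, denying what does not match, and logging or alerting on hostile attempts) as an added example that is not part of the original post: a small first-match packet filter with default deny.  The rule set, addresses and traffic are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str   # "in": public -> private network, "out": private -> public
    proto: str       # "tcp" or "udp"
    src: str         # source IP address
    dst: str         # destination IP address
    port: int        # destination port


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    direction: str                      # which direction the rule applies to
    proto: Optional[str] = None         # None matches any protocol
    src_prefix: Optional[str] = None    # None matches any source address
    ports: frozenset = frozenset()      # empty set matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and (self.src_prefix is None or p.src.startswith(self.src_prefix))
                and (not self.ports or p.port in self.ports))


class PersonalFirewall:
    """First-match rule evaluation with default deny, a decision log and a
    simple alert when one outside host keeps hitting closed ports."""

    def __init__(self, rules, alert_after=3):
        self.rules = list(rules)
        self.alert_after = alert_after
        self.log = []                 # (verdict, packet) for every packet seen
        self.alerts = []
        self._blocked_inbound = {}    # source address -> blocked attempt count

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"                 # nothing matched: traffic does not meet the criteria

    def process(self, p: Packet) -> str:
        verdict = self.decide(p)
        self.log.append((verdict, p))
        if verdict == "deny" and p.direction == "in":
            n = self._blocked_inbound.get(p.src, 0) + 1
            self._blocked_inbound[p.src] = n
            if n == self.alert_after:
                self.alerts.append(f"{n} blocked inbound attempts from {p.src}")
        return verdict


def build_demo_firewall() -> PersonalFirewall:
    # Constructed rule set: LAN hosts may reach SSH on this machine; the machine
    # itself may only talk out over web and DNS ports.  Everything else is denied.
    rules = [
        Rule("allow", "in", "tcp", src_prefix="192.168.1.", ports=frozenset({22})),
        Rule("allow", "out", "tcp", ports=frozenset({80, 443})),
        Rule("allow", "out", "udp", ports=frozenset({53})),
    ]
    return PersonalFirewall(rules)


def run_demo():
    fw = build_demo_firewall()
    me = "192.168.1.10"
    traffic = [  # constructed sample traffic, documentation addresses only
        Packet("out", "tcp", me, "198.51.100.20", 443),   # normal web request
        Packet("out", "tcp", me, "198.51.100.77", 6667),  # unexpected outbound port
        Packet("in", "tcp", "192.168.1.5", me, 22),       # admin from the LAN
        Packet("in", "tcp", "203.0.113.9", me, 22),       # outside host probing
        Packet("in", "tcp", "203.0.113.9", me, 23),
        Packet("in", "tcp", "203.0.113.9", me, 3389),
    ]
    verdicts = [fw.process(p) for p in traffic]
    return verdicts, fw.alerts


if __name__ == "__main__":
    verdicts, alerts = run_demo()
    print(verdicts)
    print(alerts)
```

The second packet shows the outbound side of "monitors traffic": a program on the private network trying an unexpected port is stopped and logged just like an inbound probe.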

Reference:


Friday, October 24, 2014

Information Security Risk Control Strategies

All companies are vulnerable to attacks on their data if they have any networks that are exposed outside of their company.  Even if networks are only internal, a company is still at risk of an internal attack from an employee who wants to gain by the attack or is possibly disgruntled at the company.

There are many strategies that a company can take to mitigate risk to assets.  Some companies are required by law to protect their assets such as financial institutions and medical practices.  There are many regulations that have to be complied with in terms of protecting personal information of customers and patients of these organizations.  In that case, defense is the only option for these businesses.

The following are five strategies that can be used in information asset risk control in an organization (Whitman 2014): 

  • Defense:  Defense is when additional safeguards are implemented to eliminate or reduce risk that is not being controlled.
  • Transferal:  Having the risk transferred to outside organizations or areas to handle the risk.
  • Mitigation:  Decrease the impacts of a successful attack on assets.
  • Acceptance:  Do nothing but document that the risk is not being controlled and that the risk is being accepted.
  • Termination:  Completely remove the asset from the organization.

Another viewpoint on risk control strategies indicated the following four strategies (Gillette n.d.):

  • Avoidance:
    • The most popular strategy
    • Tries to avoid risks and threats completely
      • Countering threats
      • Remove assets that are vulnerable
      • Limit who can access the asset
      • Add safeguards to protect asset
    • Methods to avoid risk
      • Policy
      • Training
      • Technology
  • Transference
    • Move the risk to other assets, processes, or organizations
    • Transfer risk through the following methods:
      • Reengineering services
      • Changing development methodologies
      • Outsourcing
        • Advantages:  Leverage another company’s expertise & allow the primary company to concentrate on what they know
        • Disadvantages:  Costs are likely to be high and the contracts can be very complex to keep both companies safe from liability
    • Larger organizations are more likely to use this method

  • Mitigation
    • Limit the impacts that would happen if an asset was successfully attacked
    • Use planning and preparation to reduce the impacts
    • Planning includes:  disaster recovery plan, incident response plan, and business continuity plan
    • Early detection is key to limiting risks

  • Acceptance
    • Do nothing and accept the results of any attacks
    • This method requires determining how much risk there is, what the likelihood of an attack is, how much harm an attack would cause, how feasible it would be to add additional controls, what the cost benefit of adding controls to prevent an attack is, and whether measures to prevent an attack are justifiable.

How a risk is handled is largely up to an organization.  An organization that is governed by regulations can choose not to mitigate its risks in an appropriate fashion, but it can face penalties and fines if it is out of compliance.  If an employee of a company that is governed by regulations willfully disregards the laws, they could face fines, termination, or even jail time.

Reference:

Monday, October 13, 2014

Identify Information Security Risks

In information security management, it is important to not only identify the risks to company assets but it is also important to identify assets that are at risk in the first place.

Is it better to identify what assets need to be protected first?  Or is it better to identify what threats there are and then identify what assets are at risk due to those threats?  A lot depends on the size of the company and how labor intensive it will be to do either of these things.  Ideally, both angles should be considered when protecting company assets.

Another key point to protecting company assets is to assess the priority of protecting the asset.  Once assets that are at risk are identified, then a priority should be placed on each asset to determine what is the most at risk and will cause the most damage if compromised.

Risks do not just include breaches.  Risks can also include natural disasters, accidents, mistakes, etc.  The assets need to be protected from all risks.

Also to be considered is the cost of having an asset damaged, destroyed, or breached.  If the cost is high due to loss of this asset, the priority of protecting this asset will be higher.

Another aspect of managing risk is the inherent risk that employees bring into the company through their ability to access company information anywhere and from their own devices.  How should a company address this risk?  Should a company prevent employees from accessing company information outside of the network?  What would that do to the work/home balance that employees need to stay happy working for a company?

Another consideration to risks is how quickly a company can assess the risk level to a company.  The percentage of companies that know what their risk level is at any point in time is very low.  This means that a lot of companies do not even know that they are at risk. 

A way to make it more likely that a company is able to assess risk levels quickly is by automating the process.  There are a lot of technical solutions that will monitor the network, personal devices, email usage, etc. and can determine if an employee is inadvertently or purposely introducing risk to the company.

All these things need to be considered when assessing risk to company assets.

Reference:

·         Hurley, J. TechWorld (Jan 2011).  Identify enterprise security risks.  What color is your information risk today?  Retrieved from http://features.techworld.com/security/3258042/identifying-enterprise-security-risks/

·         Borysowich, C. (Jul 2009).  Identifying Security Threats.  Retrieved from http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182

Saturday, October 11, 2014

Security Best Practices

Once an organization has determined where the security risks are, some fundamental best practices should be implemented to avoid security breaches.

A very important thing to do to protect customer and employee information is to use encryption.  All sensitive data should be encrypted when it is stored and when it is being transmitted.  There are many government regulations that will impose fines against companies who cannot prove that they have followed this very important step of keeping sensitive information safe.  Encryption should use the strongest possible algorithm to keep sensitive information secure.  OWASP has a top 10 security vulnerabilities list published annually and provides information about encryption when transporting data (OWASP 2014) and when storing sensitive data (OWASP Apr 2014).

Other things that should be done to keep customer information secure include (Hess 2013): 

  • Use digital certificates to sign all sites
  • Do not allow removable media to be used on company computers (e.g. USB drives, external hard drives, etc.)
  • Install a spam filter on the email system
  • Install a device that scrubs all email coming in and out of a company to prevent PCI data from going out and malware links from coming into the company network
  • Always maintain security patches on all applications
  • Make sure users are trained on security concerns since information security is everyone’s responsibility


Reference:



Sunday, October 5, 2014

Security Education, Training, and Awareness

In the last several years, more and more of my employee security training comes with a link to an online course.  Some of the courses are minimal and take a matter of minutes to read and to take the final quiz to confirm that I read and comprehended the material.  Other training materials take hours and days to complete.

Who has time to do all that training and also get their jobs done?  Why does my company keep on insisting that I take the same training over and over each year?  What is the point?

Well, the point is that people tend to forget things if they are not reminded.  The use it or lose it mentality is very true.  If I don’t have those reminders every once in a while, I am very likely to forget some important aspects of keeping things secure at work and even at home on my personal computer.  Also, things change and if this material is not kept up-to-date, I am not likely to find out about new security threats to me and my company.

About a year ago my company started having pop-ups with security hints come up each day when I logged onto the network.  At first I read each one because it interested me.  Now, I cannot even tell you if those pop-ups come up anymore.  After a while I found them irritating.  Soon, I stopped reading them altogether.  Now I cannot even tell you if I get them anymore.  I compare this to being deep in thought and driving home and realizing that I traveled a great distance without consciously thinking about where I was.  Because I am focused on starting work when I log on in the morning, I don’t notice the detail of whether I closed a pop-up when I first logged on.  Tomorrow morning I am definitely going to pay attention and see if that pop-up appears when I log on.

The information security department is also sending out periodic newsletters with interesting relevant topics that include things that I can do at home as well as at work to protect my information.  I always read those and always get a lot from doing so.

So, next time you are annoyed by having to do that training at work, realize that it is to protect you and the company from security risks. 


Information security is everyone’s business!

Friday, September 26, 2014

Importance of Information Security Policies

Have you ever read a company policy and felt like you were reading Greek?  Have you ever gotten a policy sent to you and then been required to take a test to prove that you read and understood the policy?  Have you ever felt aggravated that you had to take time out of your day to read a policy and not see the point to it?

Information security policies are very important to protect the company from many things including viruses, email systems being used for illegal activities, passwords not being strong enough, sensitive documents left out on desks after hours when cleaning staff can access it, etc.  Without policies, employees have no way of knowing what they can and cannot do on company time and with company equipment.

Most policies are only as useful as they are understandable.  If a policy is written in a way that makes it hard to understand, an employee who inadvertently broke the policy may have a case against the company due to the incomprehensible nature of the policy.  Another factor in creating good policies is that they should be written at a level that the reader is able to comprehend.  There are many tools available to determine if a policy is written at the right level for the audience, including Microsoft Office, read-able.com, and Readability-Score.com.  If the audience is factory workers with high school educations or maybe less, the policy should be written at a level that they would understand.

Policies are important and the next time you are asked to read a policy, consider that it is protecting you as much as it is protecting your company.  If you don’t understand expectations as an employee, how can you hope to do the right thing?

Reference:

·         Microsoft Office (2014).  Test your document’s readability.  Retrieved on September 23, 2014, from http://office.microsoft.com/en-us/word-help/test-your-document-s-readability-HP010354286.aspx?CTT=1

·         Read-able.com (2009 – 2014).  The Readability Test Tool.  Retrieved on September 23, 2014, from http://read-able.com/check.php

·         Readability-Score.com (2011 – 2014).  Reading Ease.  Retrieved on September 23, 2014, from https://readability-score.com/

Saturday, September 20, 2014

No Disaster Recovery Plan – Lose Business – Lose Jobs

What would happen if your company had a massive fire that destroyed the building that you worked in?  Would your company know what to do?  Would your company have a plan for restoring critical systems quickly to avoid customer impact and thus avoid loss of customers?  Would you still have a job a month or a year later?

Disaster recovery planning is critical for all companies small and large.  About 80% of companies without disaster recovery plans will fail in approximately one year after a disaster (Hatter 2004).  If a company has a significant loss of data, they will likely be out of business within five years (Hatter 2004).  And with those statistics, there is an alarming 30% of companies who say they do not have a disaster recovery plan.  An equally bad thing is that 40% of companies indicated that they have never tested the disaster recovery plans that they have created (Hatter 2004).  Testing a DR plan is a critical component to the plan because issues will not be discerned without testing.

Large companies are more likely to have a disaster recovery plan than small and medium sized companies.  Part of the problem is that these smaller companies do not feel they have the money to put into a disaster recovery plan.  Although most probably do not ever experience a true disaster, the losses can be large if a disaster occurs.  Maybe a company feels that is what insurance is for.  If a company has insurance and a fire destroys their business, will they survive?  Chances are they will not survive because they will have lost their customers during the time that they are restoring operations.

Overall, disaster recovery planning is critical to a business surviving the unthinkable.

Reference:


Sunday, September 14, 2014

Information Security Planning & Penetration Testing

Information security does not just happen in an organization.  Information security takes a lot of planning and proactive work to keep customer information secure.  Security of customer data cannot rely on one person or group to make it happen.  Everyone needs to be involved.

Our information security department has to take a very proactive approach to keeping our data secure.  At least once a year penetration testing is done against all of our Web sites to make sure they stay secure.  Our information security department plans out the testing of all of our Web sites and communicates with each area to coordinate this test.  They then will write up a report detailing all security risks and the developers will be assigned the task of fixing those issues.  The issues reported are categorized as low, medium, or high.  The high issues must be fixed as soon as possible.  The medium risks are also remediated as soon as possible.  The low risks usually just require that we have a plan in place to remediate the issue as soon as we can.

Occasionally, a risk is low and the cost to remediate it is high so the risk is “signed off on” by the business unit.  They have the ability to accept the risk once they know all the information.  This type of risk has to be low or they would not have the option of accepting the risk.

What does penetration testing do?  It is an authorized attempt to circumvent the security of a Web site.  The main purpose of a penetration test is to get past the safeguards in an application.  These allowed “attacks” of a Web site are planned and coordinated with all areas impacted by the test.  This is the only time it is legal to attack a Web site in this manner.  A company will often pay another company that specializes in this kind of testing to find all vulnerabilities.  It is much better to find and fix any weaknesses before a customer is impacted by a breach.  For more information on penetration testing, the link below has some great information on what penetration testing is, why penetration testing is done, how often it should be done, and who benefits from doing a penetration test (Core Security n.d.).

Reference:


Saturday, September 6, 2014

Project Management, Information Security & Agile

The purpose of my ongoing blog is to tie in what I am learning in my Information Security Management course at Bellevue University.

This week we have tied in project management to information security management.  I have been involved in many projects in my 25 years in IT and honestly it seems to me that a lot of those projects have not focused on security concerns.  It is very important that information security be factored in for all projects to determine if there are risks being introduced to a company as part of a project.  It is also important that the information security department manage corporate security concerns as projects so key points are addressed.

Project management leads to development methodologies used to complete projects.  Agile is a newer methodology used on many projects currently.  But is agile the best way to do things and is agile factoring in information security concerns?

I looked for information on what’s next after agile.  Is there something that has been created that is “better” than agile?  Mike Gualtieri wrote a thought provoking article in 2011 that said agile is not that great and that there are better ways to manage projects.  He had some very interesting points on whether having “working software” is a measure of progress or is it narcissistic?  He also indicated that having the business unit involved at every step can be perceived as the developers being “lazy” by having the business unit tell the developers what needs to be done (Gualtieri 2011).

From my experience with agile, the business units do not always get involved very much if at all in projects.  A lot depends on the project.  When doing BAU work, agile is not necessarily the best fit.  For larger projects, agile makes more sense because you can break up projects into smaller pieces and see measurable achievements as you go.  Agile can factor in security concerns as tasks that need to be complete as part of the project.

Does agile address security concerns while working on projects?  In my experience, the agile methodology really doesn’t get into details on what should be included in projects and does not ensure that security concerns are factored in.  Should the methodology include security concerns as a milestone?  Security concerns should be a primary factor in all projects in an environment where more and more people are successfully attacking web sites and gaining access to sensitive information.

I look forward to continuing posting to this blog as I progress through this course.  I am also taking a project management course this term so this week’s chapter for my information security management course tied heavily into that course.

Reference:


·         Gualtieri, M. (Oct 2011).  Agile Software Is a Cop-Out; Here’s What’s Next.  Retrieved on September 5, 2014, from http://blogs.forrester.com/mike_gualtieri/11-10-12-agile_software_is_a_cop_out_heres_whats_next

Monday, August 25, 2014

Information Security Management - Introduction


Hi, my name is Margaret.  I have been a programmer for over 25 years.  I started out as a COBOL programmer and have worked on various programming languages in my career.  Currently, I work primarily in Java.  The transition from COBOL to Java was a huge leap.  As a COBOL programmer, all of the programs I worked on were batch programs and not outward facing.  This meant that we did not have to spend any of our time making sure our programs were secure.  Back when I started, my company did not have any Internet facing applications (1989).  As a Java programmer, a lot of my job is to make sure I write secure code since most of what I work on is outside facing applications on the Internet.  I also work on some internal applications on the Intranet but it is still critical that they are secure because security threats can often be from within a company.

I work for a large privately owned bank in Nebraska and have worked there for over 30 years.  At a bank, it is critical that we adhere to the safest possible practices for storing and transmitting customer information.  My company is very active in doing penetration testing of all of our web sites annually.  The penetration testing is also done when we have any major changes done to existing applications.  I have been involved more than once in remediation work for our Web sites. 

As people get more and more adventuresome in how they attack web sites, we have to become better at protecting our customers’ information.  A breach of a financial institution's data would cause a huge amount of financial and reputational harm to my company.  We take keeping our customers’ information safe as a top priority.  There are also lots of regulations that dictate how we keep our customers’ information safe and we make every attempt to adhere to all of them.

All developers at my company who work on Web applications or Mobile apps are required to take annual training for the top ten OWASP security threats.  The training goes into the top ten threats each year and also gets into how to prevent applications from them.  The training is meant to keep all the developers focused on good programming practices throughout the year.

Information security takes a “tribe” not just a person.  There are many areas that are involved in keeping our information secure including our networking staff, our application server support staff, our web server support staff, our developers, and our information security staff.  Without diligence from all members of our IT team, we would not ensure the security of our sites. 

On a side note, my son asked me what COBOL meant while I was writing this blog and I didn’t know despite teaching COBOL for four years on top of programming in it for ten.  I looked it up and there were some humorous definitions given:  http://acronyms.thefreedictionary.com/COBOL.  I am guessing the first one was the correct definition:

  • COBOL:  Common Business-Oriented Language
  • COBOL:  Completely Obsolete Business-Oriented Language :-)
  • COBOL:  Completely Over and Beyond Obvious Logic :-)
  • COBOL:  Compiles Only By Odd Luck :-)
  • COBOL:  Completely Obsolete Burdensome Old Language :-)