Question 1
Information is an important asset. The core goal of information security is to protect the availability, confidentiality, and integrity of information. To build a secure organization, it is important to build a security program that protects the information assets of the organization. An important part of the security program is risk analysis. The objective of a security program is to mitigate risks, which does not mean eliminating them but reducing them to an acceptable level. To ensure that the right kind of security controls are in place and are controlling the risks effectively, it is necessary to anticipate the kinds of incidents that may occur. It is also important to identify the assets that have to be protected, which is the main function of risk analysis, threat definition, and vulnerability analysis. A vulnerability is a weakness that can allow an undesirable event to happen; it can be caused by either the lack or the weakness of a countermeasure. A threat can exploit vulnerabilities to damage or disclose information. The risk to an asset is a function of threats exploiting the vulnerabilities of that asset. An exposure is an instance of being exposed to losses: the organization is exposed to possible damage by a vulnerability. Countermeasures, or controls, can mitigate these potential risks. Figure 1 shows the relationship between these concepts. Eliminating the threats or threat agents may not be feasible for the organization, so it has to apply the right countermeasure so that the vulnerability is eliminated. This prevents the threat agent from exploiting the vulnerability and reduces the exposure, thereby reducing the risk.
Figure 1: Relationships between different security concepts
Risk analysis looks at the assets that have to be protected, the threats against which they have to be protected, and the weaknesses that may be exploited. It is not prudent to spend more on protecting an asset than it is worth, just as it is not prudent to spend nothing on protecting it. The goal of a risk analysis is to find the optimal balance between the business risks associated with technologies and processes and the cost of the security controls that address those risks. The organization starts by completing asset identification and valuation of the identified assets. This is followed by threat definition and risk analysis. The processes and mechanisms to protect these assets are then applied. The risk to an asset can be defined by the following formula.
Risk = Probability (Threat + Exploit of Vulnerability) * Cost of Asset Damage
Evaluating threats is an important part of risk analysis; it gives the security strategy focus and reduces the chances of missing important risks. A threat vector is how a threat originates and the path it takes to reach a target. A phishing e-mail message is an example of a threat vector. To identify the threat vectors, it might be prudent to create a table that lists all possible sources, threats, and targets, such as Table 1 in the appendix. It also helps to subscribe to online sources that publish analyses of the latest threat vectors and to use that information to decide whether they apply to the organization's assets. Understanding threat vectors is important for designing security controls, because the possible routes of attack for the various threats shape the control mechanisms. The control mechanisms can be logically grouped into several categories. Preventative controls stop security threats before they can exploit a vulnerability, and detective controls detect attacks when they happen. Deterrent controls deter outside attacks and insider policy violations. Corrective controls restore the asset or data. Recovery controls restore the availability of a service, and compensative controls are used in a layered security strategy to cover for the failure of another control. Each of these can also be classified by how it is implemented: physical controls are physically present in the real world; administrative controls are enforced through policies and management orders; logical/technical controls are performed by machines; operational controls are performed by people; and virtual controls are triggered based on the circumstances. Table 2 in the appendix gives examples of some of these controls.
Question 2
There are different factors that affect the implementation of a security program in an organization by its leaders and security professionals. The perception of employees is that security gets in the way and interferes with their ability to accomplish tasks. This is one of the reasons information security is ignored by management and employees alike. As the complexity of the organization increases, organizations formulate information security policies to encourage the secure use of hardware and software as well as secure employee behavior. The information security policy identifies the organization's vital assets and lays down rules about the acceptable, unacceptable, and reasonable behaviors expected of employees in order to ensure the security of information. Adoption of an information security policy is the initial and necessary measure that must be in place to minimize the threat of unacceptable use of any of the organization's information resources, but it is not a sufficient requirement for the security of organizational information. The security policy will be successful when its implementation is effective, it gains acceptance from employees, and the rules are strictly implemented and not manipulated. The policy should also be straightforward and clear. Policy enforcement ensures that the policies are understood by all, identifies when the policies are violated, and ensures the availability of well-defined procedures or guidelines to deal with incidents of violation. The policy must fit the organizational culture, use language that is consistent with the organization's general communication style, be simple and not a technical document, be effective and dynamic, and explain what activity is acceptable and what is not. Otherwise, the policy may fail.
When considering the technology, the organization's systems remain vulnerable, as setting up security is costly and difficult to sustain. Another factor is that while external threats pose a problem for organizations, more organizations are affected by internal threats such as installation or use of unauthorized hardware, peripherals, and software; misuse of computing resources and theft; human error; and sabotage by disgruntled employees. It can be concluded that information security is mostly a managerial problem and not a technical problem. Management support is very important for the success of an information security program, but most top management is unaware of security issues and hence depends completely on the Information Technology department to implement the program. Procuring the budget for implementing the security controls becomes an issue, as management needs to be educated about the need for the technology required to keep the organization's information secure. This is all the more a problem because the threat vectors and the threats are constantly changing. Hackers who would penetrate the organization's network, or an insider who might sabotage it, have tools that improve with time, and the organization has to keep up.
It is the belief of leaders and security professionals that security awareness and training can result in information security. The awareness and training program must be ongoing, as employees have to deal with an ever-changing arena. However, there is no proof that awareness programs reduce insecure behavior or that they ensure compliance with information security policies. They are not very effective against insider threats, which are the cause of most information security threats. Threats such as e-mail phishing and other social engineering, on the other hand, can only be countered by security awareness and training, for want of better controls. This is because humans are the weakest link in the security chain. Employee failings can weaken even the strongest security measures. Therefore, even if the technical controls are comprehensive and the policies are strong, there is still the possibility that they will be broken simply because someone subverts them. Training and educating employees is needed, as they are the ones who will need to comply with the information security mechanisms and norms. The training and awareness program must be implemented for employees at all levels in the organization, but it should be tailored to the job type or the environment they work in, or else it may not be effective.
Appendix