With the growing incidents of data breaches and strict government regulation being introduced in certain geographic regions, it has become important for us to bring in a culture of information security within our organization. It is often believed that information security is the responsibility of the IT department and end-users hardly have any role to play, but the reality is quite different. The IT team is responsible to put in place the systems and controls that enable the implementation and measurement of an information security management system, but beyond that the
responsibility lies with each one of us to comply with the rules set in the framework and ensure that we report any shortcomings and share any lessons learned.
We, in our individual capacity can make a difference when we understand the threats and consequences that can be faced. As information creators, handlers and disseminators, we have access to large amounts of company and customer data that has been entrusted to us. Any unintended alteration, denial of access or disclosure will have direct effect on the reputation of the company and also leads to loss of goodwill and business. Indirectly, it may affect our employment and growth within the company and have an adverse effect on our careers. No matter what role we play in the organization we must put efforts to understand and imbibe the information security culture.
Given below are some basic definitions and examples that help in understanding
What is Information?
Information is a business asset and adds value to an organization. Information exists in many forms. It may be printed or written on paper, stored in electronic media, transmitted by electronic means, or spoken in conversations. Information and its associated infrastructure are accessed and used in business by employees, third-party users or by automated processes.
What is an Information Asset?
Information Assets can be tangible, that is, perceptible by vision or touch. An example of a tangible asset could be a desktop computer, laptop or electronic files on a storage medium. Assets can be intangible, that is, not have physical presence. An example of an intangible asset could be a corporate image or an intellectual property, such as patents.
What is an Information security breach?
If< an asset is compromised, for example, stolen or modified, and the data or a secret information is disclosed, it will have an impact that could lead to monetary loss, customer dissatisfaction, or legal and regulatory non-compliance.
What is an Information Security Management System?
Assets require protection from threats and vulnerabilities which can be achieved by
implementing an Information Security Management System. An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization’s sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by pro-actively limiting the impact of a security breach.
To understand information security management, we have to first understand the CIA triad.
What is CIA Triad?
It is a model designed to guide policies for information security within an organization. The elements of this triad are (C)onfidentiality, (I)ntegrity and (A)vailability.
Confidentiality: Information needs to be disclosed to authorized entities for
business processes, for example, an authorized employee accessing information about the prototype under development on the server. Confidentiality is to ensure that the information is not disclosed to unauthorized entities. Although strong passwords and access control measures ensure enough confidentiality, major data breaches have occurred due to Social Engineering. Social Engineering are methods used to gain access to confidential data that relies heavily on human interaction and often involves manipulating people into breaking normal security procedures and best practices in order to gain access to systems, networks or physical locations, or for financial gain. An example of breach of confidentiality would be, you sharing
your password with your colleague to get things done and forget to change it later; your colleague then uses it to gain access to resources that he/she is not authorized to view, can disclose information resulting in you being held responsible for the breach.
Integrity: Information has to be consistent and not altered or modified without
established approval policies or procedures. Integrity is to maintain the consistency of the information internally as well as externally. This is to prevent unauthorized modification by authorized entities, for example, an update to the database record is made without approval. Integrity is also to prevent authorized modification by unauthorized entities, for example, when malicious code is inserted in a web application by an unethical hacker. In this scenario, a hacker (an unauthorized entity) may modify an application through an established procedure (authorized update). We as individuals, should develop practices within our teams to ensure that controls are in place that allow us to keep track of changes done to our work products and prevent any unauthorized changes.
Availability: Availability is to ensure that information and associated services
are available to authorized entities as and when required. For example, in an attack on the network through Denial-of-Service (DoS). Sometimes, an authorized update to an application may stop certain essential services and will constitute a breach in availability requirements, for example, inadvertently tripping over a server power cable may constitute as an availability breach. We as end-users should ensure that any data that has importance to our services or work products is backed up ensuring safe retrieval when needed.
What are Threats, vulnerabilities, and attacks?
Threat is an event that could compromise the information security by causing loss or damage to assets. The threat is predominantly external to an organization. Examples of threats are fire, flood, hacking, and so on.
Vulnerability is a hole or a weakness in the system. Threat can exploit
vulnerabilities through its agents called threat agents. For example, having no antivirus software is a vulnerability, which a threat agent like a virus could exploit. Similarly, hacking is a threat that could exploit a weakness in the system through its agent, for instance, a hacker.
A threat event exploiting a vulnerability is called as an attack. The end result of an
attack can lead to a security violation. An attack either compromises a security control or lack of it and can affect the CIA requirements of the asset.
Risk is an exposure to loss or damage due to threats, vulnerabilities, and attacks.
Hence, risk analysis is used to estimate the probability of an attack, identify prevailing controls and their effectiveness in combating the attacks, and estimate the consequence of such an attack in terms of potential loss.
Risk has to be understood from the following perspectives:
Risk to what?
Risks are generally to assets. Assets can be tangible or intangible
Risk from what?
Risks are from threat sources, such as earthquakes, floods, hacking, fires, viruses,
disgruntled employees, and so on.
Risk of what?
When an asset is compromised by a threat, it may result in a security violation. Hence, there could be loss or damage. The damage can be monetary loss, image loss, customer loss, or legal issues.
Hence, there is a risk of losing money, a risk of losing customers, or a risk of facing legal/regulatory consequences due to the security breach.
The damage caused due to a security violation is called as an impact. The magnitude of such an impact is the potential loss or, in other words, risk.
If the magnitude of an impact can be calculated in monetary terms, then the risk is
defined in quantitative terms. If the magnitude cannot be determined in terms of monetary value, but can be measured in relative terms (such as high, medium, or low), then the risk is defined in qualitative terms.
Risk management provides a mechanism to the organization to ensure that executive management knows current risks, and informed decisions can be made to use one of the risk management principles: risk avoidance, risk transfer, risk mitigation, or risk acceptance.
Reducing risk through discontinuation of the activity related to the risk.
Transferring the potential loss associated with a risk to a third party, such as an insurance company.
Reducing risk to a level that’s acceptable to an organization.
Accepting a risk as-is, without mitigating or transferring it.