RISK MANAGEMENT AND INFORMATION SECURITY
Alan Fraser

Overview of the Present Situation and Trends
· Information is becoming more and more important as a corporate asset with a strategic value
· People are now computer-aware and computer-literate, and some (even within the organisation) are motivated to exploit weaknesses in the technology and usage
· Fast technological change and new vulnerabilities
· Computers are over-trusted - fewer human controls
· Strong increasing dependency on computers and networks
· As computers are increasingly networked, some Information Security issues cannot be approached independently by one organisation alone
· Decentralisation of computer systems to the desktop has made Information Security everybody’s concern
· Risks are not recognised as such by many decision makers (especially errors in data integrity)
· Either opportunities to take advantage of new technologies are missed due to a lack of an adequate Security level, or unacceptable risks are taken

The Role of Information Security
The role of Information Security is to ensure the Confidentiality, Integrity and Availability of the company’s information for three purposes:
· to ensure legality by ensuring compliance with all appropriate national and international legislation, thus reducing potential liability
· to ensure business continuity and minimize business damage by preventing and lessening the impact of security incidents.
· as an enabling mechanism for information technology, not only underpinning the current IT infrastructure, but also allowing the use of innovative technology for competitive advantage without increasing risks.
To be effective, Information Security must be:
Pro-active: involved early in the business process from top to bottom, with business requirements for security identified, and built into new systems.
Consistent: the appropriate security level maintained from end-to-end, covering IT and business areas, across locations, and if appropriate, across companies, to cover all participants in the information supply chain.
Efficient: encouraging the common adoption of reusable processes to address control issues across projects and IT platforms
Secure: promoting current best practice across the company through the principle of baseline security. Starting from best practice means starting from a position of strength; starting from scratch is a much weaker standpoint.
The Information Security Architecture
Components of an Information Security Architecture (it will not normally include detailed security procedures):
Threats and Risk Analysis
Company Information Security Policy.
Definition of responsibilities but not names of individuals.
The framework for agreeing, implementing and revising Information Security Guidelines and Standards (both Basle and UK).
Individual platform guidelines.
Multi-vendor security guidelines covering points-of-interface (common level of security across platforms (baseline, matrix))
Means of covering new technologies as they arise (imaging, multi-media, voicemail, palmtops, etc.)
Long-term Information Security Plan, aligned with business.
Implementation Strategies
Compliance Auditing of adherence to standards:
Specific audit criteria
Reporting and Action Programme monitoring
Enforcement mechanism
Products: no single vendor has a sufficiently wide product set to cover all platforms. Therefore complex environments will need to be covered by a menu of security solutions, all conforming to the baseline requirements.
Positioning a Company against Threats to its Information Systems
All organisations face threats to their information systems from both internal and external sources through accidents, errors or malicious acts, and will implement security measures according to their assessment of those threats and the sector in which they operate. Measures implemented to protect the company's business information against these threats should aim to place the company at the high end of its sector in terms of overall security cover. This is in order to leverage increased security into competitive advantage. A company with better security can do things its competitors can't!
Risk Management within the Organisation
Baseline Security was the system of risk management promoted in the 1990s to cover the vast majority of Information Security risks to an organisation (about 90% in practice). The Baseline Security concept was developed by I4 (the International Information Integrity Institute), a customer forum on information security then run by SRI International (Stanford Research Institute, USA). It is based upon the adoption of widely-used measures as implemented in well-run companies, called "baselines". The approach of implementing Baseline Security to ensure a standard level of security throughout an organisation was the basis of the Code of Practice for Information Security Management that became BS 7799 and later ISO 17799 / ISO 27001, see http://www.17799.com/
Information Security Organisation within the Company
It is essential in a global information-sharing organisation that Information Security attains a standard level world-wide. To enable this, there is a world-wide network of Information Security representatives, guided from the centre by Corporate Information Security, as a part of the process to ensure that Information Security throughout the company is implemented to appropriate common levels.
Business Benefits of Information Security
Information Security should never be seen as a cost on the business, but as a fundamental support process and a potential profit centre. Expenditure on Information Security can be leveraged into both cost savings and increased earnings for the business, because of its potential as an enabler for information technology. It is also an essential enabler of Quality, because it ensures the confidentiality, integrity and availability of the information required to support the essential business processes, all of which today are computerized. The development of Information Security is therefore a fundamental business imperative.

1 THE ROLE OF INFORMATION SECURITY
"Information Security is not a new concept: it is simply the application of sound business practices to a new domain."
The purpose of Information Security is threefold:
to ensure legality by ensuring compliance with national and international legislation covering company law, copyright, data protection and privacy legislation, etc., as well as specific computer misuse legislation, thus reducing potential liability in criminal or civil law suits.
to ensure business continuity and minimize business damage by preventing and lessening the impact of security incidents.
as an enabling mechanism for information technology, not only underpinning the current IT infrastructure, but also allowing the business to use innovative technology for competitive advantage without increasing risks, for example by facilitating secure electronic commerce with business partners.
The priority role of Information Security is support for the duty of the company to meet local, national, and international legal requirements in terms of protection of assets (information being in general a company's second most important asset), respect for data protection and privacy, submission of reliable statutory reports, compliance with copyright laws, etc., as well as support for the company in legal proceedings. (This is especially true in the USA, where the litigious nature of society and the high cost of awards means that the avoidance of legal problems overrides any other consideration.)
Information Security helps the business by ensuring the protection of information and computing assets whilst enabling information sharing between authorised users. Information Security protects the information assets against the threats facing them in three ways:
· Confidentiality: protecting sensitive information from unauthorised disclosure.
· Integrity: safeguarding the accuracy and completeness of information and computer software and data.
· Availability: ensuring that information and vital services are available to users when required.
This means applying protection right across the company - in computers, across networks, and through our people. Security mechanisms are significantly cheaper if incorporated into IT systems and services at the requirements specification and design stages. Installing new computer systems with the ultimately required security features is significantly easier than introducing them after applications have been implemented and users set up. Studies have shown that designing security measures and controls into a new application costs about one-tenth as much as retro-fitting them.
Because it protects the integrity, and therefore the quality, of information, Information Security is a Quality component, and an enabling mechanism assisting IT to support business processes. It is vital that the implementation (or absence) of security controls in the IT infrastructure does not present any major obstacles to achieving efficient business processes.

2 Risk Management
2.1 Risk management aims to reduce vulnerability through the adoption of counter measures. The counter measures may reduce the risk of a threat occurring, reduce the impact of an occurrence, detect it, or enable recovery from it. The costs of such counter measures, even if only the time involved in their implementation, have often militated against their adoption. The acceptance of a risk, or the decision on what safeguards to adopt bearing the costs in mind, must lie with senior line management of the organisation. However, computer specialists must ensure that the decision makers are fully aware of all the facts, and of the possible consequences of their decisions.
2.2 There are four types of loss to be considered, depending upon whether the loss is of high or low value, and of high or low frequency.
2.2.1 Low Value, Low Frequency
The occurrences for which this is truly the assessment can be ignored.
2.2.2 Low Value, High Frequency
These are events on which most Information Security time and effort should be expended because, taken together, they are seriously damaging to a company. They will be prevented by physical security, logical security, and procedures.
2.2.3 High Value, Low Frequency
These events are much more usually covered by insurance than specific precautions, although detailed contingency plans will need to be prepared. Events like fires and floods come into this class.
2.2.4 High Value, High Frequency
No business will continue to exist if it suffers from such losses! Measures must be taken immediately to eliminate them, or move them to another category. For example, a company in an inner-city location that suffers from repeated burglaries must either install comprehensive physical security measures or move to a less hazardous area.
2.3 Risk Management Checklist
2.3.1 The risks to the organisation's assets must be covered by:
· frequent audits
· identification and valuation of the organisation's assets
· assessment of the potential threats to, and vulnerabilities of, these assets
· identification of appropriate measures to counter the identified risks
2.3.2 The approach adopted for risk assessment must be:
· compatible with the business and feasible in management terms within the organisation
· endorsed by top management
· sufficient to provide enough information to justify the costs of security measures
· comprehensive enough for management to be confident that all major risks have been identified
· consistent across all systems
· consistent across all reviews
· used to compare the results of a number of reviews
· documented in a comprehensive and up-to-date manner
2.3.3 The risk assessment must be carried out:
· as documented in the Information Security Policy
· by a team with an understanding of the priorities and business objectives of the organisation, but also with Information Security expertise and a commitment to Information Security
· in a way that will transfer Information Security skills to all team members
2.3.4 The selected security measures must achieve a balance between:
· avoiding the risk
· transferring the risk
· reducing the threat
· reducing the vulnerability
· detecting an incident which has occurred
· reducing the impact of an incident
· recovering from the impact of an incident
2.3.5 All security measures must be introduced through the risk management process
2.3.6 The risk management process must not be cumbersome.

4 Risk Analysis
In many companies (for example those outside the financial sector and who do not need national security clearance) formal Risk Analysis need only be used for special risks identified as requiring measures greater than those implemented via the baseline security approach of risk management (about 10% in practice).
4.1 It is generally accepted that no system can be made 100% secure if it is to be operationally viable and a decision has to be made on what security measures must be adopted. The baseline approach is that the selection must be based on generally accepted safeguards and practices, particularly those used by other well-run organisations in similar fields of business activity and circumstances.
4.2 A number of methodologies and techniques for assessing risks and deciding on appropriate safeguards have been developed for formal Risk Analysis, and many can now be acquired in the form of, or make use of, software packages to be run on personal computers (PCs).
4.3 Risk Analysis involves the identification and valuation of both physical and data assets, the identification and determination of the levels of threats to the assets and their probable vulnerability to those threats.
4.4 There are three main methods of Risk Analysis: Quantitative, Qualitative, and Checklist.
4.4.1 Quantitative
In order to calculate how much expenditure should be made on computer security in a given year, the expected loss for the year is calculated from the following variables:
FREQUENCY: The likely frequency of each weakness and vulnerability occurring, expressed in number of times per year. E.g. if a major fire is expected only once in 30 years, the frequency is 0.033. If operator error is expected to occur 10 times per working day and there are 300 working days per year, the frequency is 3000.
IMPACT: The impact in cash terms of such an event. A price is given to each and every system asset, including hardware, software and data, and also any consequential losses. For example, the loss of the computer centre through a fire could be estimated at £2 million, with a consequential loss of business of £1 million. The total expected loss is therefore £3 million. The cost of an operator error could be estimated at £10 to discover and correct.
The product of these two figures, frequency and impact, is the value of the expected annual loss. For the fire the Annual Loss Expectancy (ALE) would be 0.033 x £3 million or £99,000. For operator error the ALE would be 3000 x £10 or £30,000. This method therefore yields that up to £99,000 per year should be spent on fire prevention, and up to £30,000 per year should be spent on operator error prevention. If measures costing £10,000 per year could be implemented to reduce operator error to 5 times per day then they would be cost-justified, because they would reduce the ALE by £15,000.
There are two main drawbacks with this approach: the first is that it is very time-consuming to identify every weakness and cost out its impact, and the second is that estimating the likely frequency of the occurrence of a weakness can be very subjective.
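The ALE arithmetic above, together with the value/frequency classification of section 2.2, as an added worked example (not code from the original article or from Jana Information Systems Services). The fire and operator-error figures are the article's own; the pound thresholds used to call a loss "high value" or "high frequency" are assumptions chosen for illustration, and the `Threat` class and function names are hypothetical.

```python
# Added example: Annual Loss Expectancy (ALE) and cost-justification of a
# counter measure (section 4.4.1), plus the four-quadrant loss classification
# of section 2.2. Not part of the original article.
from dataclasses import dataclass
from typing import Tuple

# Assumed thresholds for the section 2.2 classification (not given in the article).
HIGH_VALUE_THRESHOLD = 100_000.0   # impact in GBP at or above this counts as "High Value"
HIGH_FREQUENCY_THRESHOLD = 1.0     # one or more occurrences per year counts as "High Frequency"


@dataclass(frozen=True)
class Threat:
    name: str
    frequency: float   # expected occurrences per year (FREQUENCY in 4.4.1)
    impact: float      # cost in GBP of one occurrence, including consequential loss (IMPACT)


def ale(threat: Threat) -> float:
    """Annual Loss Expectancy = frequency x impact, rounded to the penny."""
    return round(threat.frequency * threat.impact, 2)


def classify(threat: Threat) -> str:
    """Place a threat in one of the four quadrants of section 2.2."""
    value = "High Value" if threat.impact >= HIGH_VALUE_THRESHOLD else "Low Value"
    freq = "High Frequency" if threat.frequency >= HIGH_FREQUENCY_THRESHOLD else "Low Frequency"
    return f"{value}, {freq}"


def countermeasure_is_justified(threat: Threat, new_frequency: float,
                                annual_cost: float) -> Tuple[bool, float]:
    """A measure is cost-justified when the ALE it removes exceeds its own annual cost.

    Returns (justified, reduction_in_ALE). The measure is assumed to lower the
    frequency of the event and leave the per-event impact unchanged.
    """
    reduced = Threat(threat.name, new_frequency, threat.impact)
    reduction = round(ale(threat) - ale(reduced), 2)
    return reduction > annual_cost, reduction


# Constructed inputs using the article's own figures.
WORKING_DAYS = 300
FIRE = Threat("major fire at computer centre", frequency=0.033, impact=3_000_000)
OPERATOR_ERROR = Threat("operator error", frequency=10 * WORKING_DAYS, impact=10)

if __name__ == "__main__":
    for t in (FIRE, OPERATOR_ERROR):
        print(f"{t.name}: ALE £{ale(t):,.2f} ({classify(t)})")
    justified, saving = countermeasure_is_justified(
        OPERATOR_ERROR, new_frequency=5 * WORKING_DAYS, annual_cost=10_000)
    print(f"£10,000/yr measure halving operator error: reduces ALE by £{saving:,.2f}, "
          f"justified={justified}")
```

With the article's numbers the fire lands in the High Value, Low Frequency quadrant (the class section 2.2.3 reserves for insurance plus contingency planning) and operator error in Low Value, High Frequency (section 2.2.2), while the £10,000 measure is justified because it removes £15,000 of ALE. Because `ale` is linear in both inputs, the second drawback noted above is visible directly: a mis-estimated frequency shifts the spending ceiling by the same proportion.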
4.4.2 Qualitative or Subjective
This method of risk analysis views the risks to a computer installation completely subjectively within the environment of the computer operations themselves. Staff familiar with the operation of the installation over a number of years can provide from their experience and judgement a wealth of information about the risks and the amount and nature of effort required to prevent them. This method can require even more resources to achieve than the quantitative method, but the more mature results will provide a sounder basis for planning the security policy. A considerable amount of common sense is involved, and the best results are obtained by involving as many staff as possible. The Baseline Security concept is a formal methodology for achieving similar results to this method of risk analysis by using already implemented measures from a wide range of companies rather than conducting the exercise anew for every installation.
4.4.3 Checklists
This method is a mixture of the above two methods, and usually involves a computerised checklist of risks and dangers which is completed by a person or team, together with subjective assessments of risks and consequential costs. The program then calculates the most effective measures required for the installation, together with costings and cost justifications. A typical example is the computerised CCTA Risk Analysis and Management Methodology (CRAMM) which is now widely used in Government and is also available commercially. A paper-based example for smaller installations is contained in the Elsevier publication "Security for Small Computer Systems", which enables a computer manager to carry out his or her own risk analysis by the checklist method manually.
4.5 In some cases the process of risk assessment and analysis may be carried out by in-house personnel after self study, instruction or a training course: but in others specialist assistance is desirable and the wisdom of employing a specialist consultancy can be considered. User staff and management must be involved in the exercise.
4.6 The fundamental guidelines are:
4.6.1 Proper weight must be given to security issues and an assessment of the risks must be made.
4.6.2 The implications for the business of these risks must be clearly understood.
· Involve users.
· It is the ultimate responsibility of senior management, usually line management, to decide what safeguards to adopt or risks to accept, and what to spend on counter measures.
· Security features are easier to include as a system is specified and developed - later consideration may be costly.
4.6.3 Security measures must be realistic.
4.6.4 Responsibilities and procedures for security must be allocated to management and other personnel.
4.6.5 The counter measures, particularly recovery, must be tested.
4.6.6 Security considerations must be continually borne in mind and regular security reviews undertaken to take account of new perceived threats, new technology or software packages. In other words, the risk analysis exercise may need to be redone at regular intervals.

What Can We Do?
Jana Information Systems Services Limited offer a six-stage Security Review for a fixed price:
1 Culture
We report on security culture within your organisation, including staff awareness, policies in place, and supporting documentation and procedures.
2 Threat and Risk Assessment
What needs to be protected? Who or what does it need protecting from? What can be used to provide protection? How can this be done at a reasonable cost?
3 Review of Security in Place
A review of the management of your networks, systems, applications, back-ups and business continuity planning. This also covers physical security. We can assess your organisation against ISO-17799, either manually or using the Proteus software from Patron Global Ltd. We investigate incident handling and reporting, intrusion detection, and legal compliance (e.g. Data Protection Act). We can review previous audits and the actions taken.
4 Technology
We review products in place for client, server, LAN, WAN and Internet protection (firewalls, Internal mail gateways), also the standard of implementation and maintenance. We can give advice on encryption and anti-virus measures.
5 Penetration Testing
We have links to ethical companies (not ex-hackers) that can test access to your system without any supplied knowledge, or by using information provided by you to simulate "social engineering" (tricking your employees into providing information) to carry out informed attacks. These tests can simulate attacks both from outside and within your organisation. (No attempt is ever made to bring systems down, disrupt traffic, amend information, or cause other damage.)
6 Evaluation
We provide comprehensive management-orientated reports on the state of your security, with a recommended programme for improvement.
The advice given on this and other pages is for general information only, as a starting point for ideas rather than solutions to specific problems. Jana Information Systems Services Limited will not accept legal liability for any consequences for any individual or company of following any advice on this page except as part of a legally-binding contract between this company and a customer, with appropriate professional liability insurance in place.

© Jana Information Systems Services Limited, 2006