Information Security & Risk Management

Saini Das
Vinod Gupta School of Management, IIT Kharagpur

Session 8: Organizational Approaches to Cybersecurity Management

1
Security issues in iPremier.com

• Out-of-date comprehensive crisis management procedures
• Lack of business continuity/disaster recovery planning/auditing
• Lack of Incident Response Team
• Absence of mock crisis incident drills
• Detailed logging option not enabled
• Lack of technology for defense, monitoring
• Dependence on Q-data
• Absence of a CISO

2
Organizational Security Environment

3
Comprehensive Approach to Organizational Security

4
Information Security Risk Assessment
• Risk assessment is the cornerstone of information security because there
are many sources of threats to information systems security in an
organization.

5
Information Security Risk Assessment (contd..)

• Risk assessment is just one step in the risk management process.

• Risk management is “the process of identifying risks and taking steps
to reduce them to an acceptable level”.
• The three main stages in risk management are:
- Risk identification (identify and prioritize assets and threats);
- Risk assessment (quantify asset exposure);
- Risk control (select a strategy, then implement and monitor the control).

6
Risk Identification
• Information assets/IT assets usually fit into one of the following broad
categories:
- hardware;
- software;
- data;
- documentation.

• Organizations must know which assets require protection and the extent to
which such assets are vulnerable (prioritize the assets based on their
vulnerabilities and the threats to them).

7
Risk Assessment
• IS specialists should try to determine the value of information assets, points of
vulnerability, the likelihood of a problem (discoverability and exploitability of a
vulnerability by a threat), and the potential impact.

• The expected annual loss/risk for each exposure can be determined by
multiplying the likelihood of a breach by the potential impact.

• Once the risks have been assessed, management will concentrate on the
control points in the assets with the greatest potential for loss/risk.
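Added example, not from the lecture slides: a small risk register that walks the three stages above (identify assets and threats, quantify each exposure as likelihood × impact, rank exposures so controls go to the assets with the greatest potential loss). It also extends the slide with the standard annualized cost-benefit check used to decide whether a control is worth implementing; all asset names and figures are constructed.

```python
"""Risk register walking the slides' three stages (added example).
Expected annual loss (EAL) = likelihood of a breach per year x impact per breach,
as stated on the Risk Assessment slide. Values below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str          # information asset (hardware, software, data, documentation)
    threat: str         # threat that could exploit a vulnerability of the asset
    likelihood: float   # expected breaches per year (discoverability x exploitability)
    impact: float       # potential loss per breach, in currency units

    def expected_annual_loss(self) -> float:
        return self.likelihood * self.impact


def rank_exposures(register):
    """Risk assessment: exposures ordered by expected annual loss, highest first."""
    return sorted(register, key=lambda e: e.expected_annual_loss(), reverse=True)


def asset_priority(register):
    """Risk identification: total exposure per asset, highest first, so
    management can concentrate on the assets with the greatest potential loss."""
    totals = {}
    for e in register:
        totals[e.asset] = totals.get(e.asset, 0.0) + e.expected_annual_loss()
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def control_benefit(exposure, residual_likelihood, annual_control_cost):
    """Risk control (extension beyond the slide): net annual benefit of a control
    that lowers the breach likelihood to `residual_likelihood`. A negative result
    means the control costs more than the loss it avoids."""
    residual = Exposure(exposure.asset, exposure.threat, residual_likelihood, exposure.impact)
    avoided = exposure.expected_annual_loss() - residual.expected_annual_loss()
    return avoided - annual_control_cost


# Constructed register for a hypothetical online retailer.
REGISTER = [
    Exposure("customer database", "SQL injection", 0.5, 400_000),
    Exposure("web storefront", "DDoS", 2.0, 60_000),
    Exposure("backup tapes", "theft from offsite store", 0.1, 250_000),
    Exposure("crisis runbooks", "out-of-date procedures", 1.0, 20_000),
]

if __name__ == "__main__":
    for e in rank_exposures(REGISTER):
        print(f"{e.asset:18} {e.threat:26} EAL={e.expected_annual_loss():>10,.0f}")
    print("control on customer database:", control_benefit(REGISTER[0], 0.25, 50_000))
```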

8
Risk Control

• There are five risk-control strategies:

• Defend
• Transfer
• Mitigate
• Accept
• Terminate

9
Risk Control (contd..)

10
Security Policy
• Once the primary risks to the systems have been identified, the company
will need to develop a security policy for protecting the company’s assets.

• A security policy consists of statements ranking information risks,
identifying acceptable security objectives, and identifying the mechanisms
for achieving them.

• It drives guidelines determining acceptable use of the firm’s information
resources and which members of the company have access to those resources.
• Examples: biometric policy, clean-desk policy, etc.

11
DRP/BCP

12
DRP/BCP (contd…)

• DR and BCP together should be designed to provide for the continuity or rapid restoration of
business processes immediately following a disaster.

13
Computer Emergency Response Team
• A CERT is a group of information security experts in an organization responsible for
protection against, detection of, and response to cybersecurity incidents.

• Routine duties of a CERT include:
• Conducting periodic security-related drills and training sessions for employees
• Training employees to recognize and report possible breaches
• Creating a directory with updated phone numbers of all employees
• Posting emergency phone numbers in prominent locations in the office as well as on the intranet.

14
Computer Emergency Response Team (contd..)
• Duties during and after an emergency:
• Rescue any identified critical records if possible
• Make necessary reports about the incident to appropriate authorities
• Begin damage assessment as soon as possible
• Put people and resources in place to start the recovery process
• Engage in direct salvage efforts (Toll-free info hotlines; taking care of blogs, viral
videos; brand restoration activities such as promoting new web-pages dedicated to
reforms and changes)
• Notify insurance carriers if applicable

15
Security Audit
• The final step in the implementation of an organization’s security defenses. It is the process of testing and ensuring that the
organization’s assets are fully protected.

• Security audits review technologies, procedures, documentation, training, and personnel

• Organizations need a security audit in order to ensure that their security systems and processes are working as intended

• A good security audit helps to point out gaps in an existing system of defenses against threats and risks.

• A thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff,
and business employees.

16
Security Audit (contd..)

• A security audit can serve as:

- A resource to the board and management for making sure the InfoSec function has the resources,
systems and processes for operating an efficient and effective program.

- An assurance tool for management and the board to know that all that should be done is being done
regarding InfoSec.

- An independent validation resource that the organization’s InfoSec program efforts are proactive and
effective against current and emerging threats. Internal audits also evaluate the organization’s efforts
to comply with laws and regulations – a critical activity in most organizations these days and an ongoing
challenge.

17
Security Audit (contd..)
Organizational roles and responsibilities
• Management and the internal audit group in the organization each have a significant role in ensuring that InfoSec
is effective.

• Role of Management:

• Management is responsible for designing and implementing an InfoSec program for protecting and enhancing the value of the
organization’s assets, including its information assets.
• Managers within the various business units, who ‘own’ the information and the associated business processes, need to define their
security requirements based on the significance of the information.
• Executive management must also provide leadership to ensure that the organization’s InfoSec efforts are supported and understood.
• The board provides oversight, asks the right questions and encourages the right results.

18
Security Audit (contd..)
• Role of Auditor

Security audits designed by the auditor should keep in mind the need for basic internal
controls for PCs and local area networks (LANs):

• access controls;
• virus vulnerability, pests and spyware;
• data consistency;
• documentation;
• systems development;
• backup, recovery and contingency planning;
• copyright violations;
• home use of computers.

It is important for the auditor to determine the appropriate controls based on the risk of the
situation.

19
Types of Security Audits
• From the principle’s perspective, audits can be classified into four basic approaches:

1. Organizational audits:
• The objective of an organizational audit is to review the management processes and functions
existing in an organization for managing security and protecting vital assets.
• During this audit, the requisite controls also get reviewed.

2. Results-based audit:
• Under this approach, an auditor performs a review of security practices within the individual
business units and assesses the security understanding of the managers and staff.
• One of the key objectives of an effective security program is that the operating management
and staff take the responsibility for protecting the organization’s assets.

20
Types of Security Audits (contd..)
3. Point-in-time systems audit:
• This type of audit employs various diagnostic tools, many times the same tools used by an
organization’s IT staff, to gauge the effectiveness of a security maintenance program and probe
for weaknesses in the organization’s defences, typically ‘penetration testing’.

4. Extended-period audit:
• With this type of audit, the purpose is to assess the security program’s performance over a
period of time.
• It leverages the efforts of all the previously mentioned audit approaches and their results and
provides an overall assessment of the InfoSec program.

21
Resistance to Security Audits

22
Post breach initiative: Cyber/Computer Forensics
• Computer forensics is the scientific collection, examination, authentication,
preservation, and analysis of data held on or retrieved from computer storage
media in such a way that the information can be used as evidence in a court of law.

• It deals with the following problems:
• Recovering data from computers while preserving evidential integrity
• Securely storing and handling recovered electronic data
• Finding significant information in a large volume of electronic data
• Presenting the information to a court of law

23