Organizational Security Environment - Organizational Approaches
Saini Das
Vinod Gupta School of Management, IIT Kharagpur
Security issues in iPremier.com
Organizational Security Environment
Comprehensive Approach to Organizational Security
Information Security Risk Assessment
• Risk assessment is the cornerstone of information security, because the threats to an
organization's information systems come from many different sources and must be
ranked before they can be addressed.
Information Security Risk Assessment (contd..)
Risk Identification
• Information assets/IT assets usually fit into one of the following broad
categories:
- hardware;
- software;
- data;
- documentation.
• Organizations must know which assets require protection and the extent to
which such assets are vulnerable (prioritize the assets based on vulnerabilities
and threats).
Risk Assessment
• IS specialists should try to determine the value of information assets, points of
vulnerability, the likelihood of a problem (discoverability and exploitability of a
vulnerability by a threat), and the potential impact.
• Once the risks have been assessed, management concentrates its controls on the
assets with the greatest potential for loss.
Risk Control
• Defend
• Transfer
• Mitigate
• Accept
• Terminate
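The two preceding slides describe a procedure: rate each asset's value, the discoverability and exploitability of its vulnerabilities, and the resulting impact; rank the assets by risk; then choose one of the five control strategies for each. The following Python is an added illustration of that procedure and is not material from the lecture. The 1 to 5 rating scale, the likelihood formula (discoverability × exploitability / 25), the `essential` and `transferable` asset attributes and the decision thresholds are all assumptions chosen for the example; a real programme would calibrate them to its own risk appetite.

```python
"""Risk register: score information assets and pick a risk-control strategy.

Added illustration, not material from the lecture slides. The 1..5 rating
scale, the likelihood formula and the decision thresholds are assumptions
chosen for the example; a real programme would calibrate them.
"""
from dataclasses import dataclass

# The four broad asset categories named on the "Risk Identification" slide.
ASSET_CATEGORIES = {"hardware", "software", "data", "documentation"}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    impact: int           # value of the asset / loss if compromised, 1..5
    discoverability: int  # how easily a threat finds the weakness, 1..5
    exploitability: int   # how easily the weakness is exploited once found, 1..5
    essential: bool = True      # can the business do without it? (assumed field)
    transferable: bool = False  # can the risk be insured/outsourced? (assumed field)

    def __post_init__(self):
        if self.category not in ASSET_CATEGORIES:
            raise ValueError(f"unknown asset category: {self.category}")
        for rating in (self.impact, self.discoverability, self.exploitability):
            if not 1 <= rating <= 5:
                raise ValueError("ratings must be between 1 and 5")


def likelihood(asset: Asset) -> float:
    """Probability-like score in 0..1: discoverability x exploitability / 25."""
    return (asset.discoverability * asset.exploitability) / 25.0


def risk_score(asset: Asset) -> float:
    """Risk = likelihood x impact, on a 0..5 scale (rounded for reporting)."""
    return round(likelihood(asset) * asset.impact, 2)


def prioritize(assets):
    """Assets ordered by risk, highest first: where management focuses controls."""
    return sorted(assets, key=risk_score, reverse=True)


def control_strategy(asset: Asset, risk_appetite: float = 1.0) -> str:
    """Map an asset's risk to one of the five strategies from the slides.

    Decision rule (an assumption made for this example):
      Accept    - risk within appetite, nothing further is done
      Terminate - non-essential asset carrying high risk: remove it
      Defend    - likelihood is high, so safeguards that reduce it pay off
      Transfer  - low likelihood but high impact, and it can be insured/outsourced
      Mitigate  - otherwise high impact: contingency planning (IR/DR/BC) to limit loss
    """
    r = risk_score(asset)
    if r <= risk_appetite:
        return "Accept"
    if not asset.essential and r >= 2.0:
        return "Terminate"
    if likelihood(asset) >= 0.5:
        return "Defend"
    if asset.impact >= 4:
        return "Transfer" if asset.transferable else "Mitigate"
    return "Defend"


def risk_register(assets):
    """One row per asset, highest risk first, with the chosen control strategy."""
    return [
        {"asset": a.name, "category": a.category,
         "likelihood": round(likelihood(a), 2), "impact": a.impact,
         "risk": risk_score(a), "strategy": control_strategy(a)}
        for a in prioritize(assets)
    ]


# Constructed sample inventory (names and ratings are made up for the example).
SAMPLE_ASSETS = [
    Asset("customer database", "data", impact=5, discoverability=4, exploitability=4),
    Asset("public web server", "hardware", impact=4, discoverability=5, exploitability=2,
          transferable=True),
    Asset("legacy FTP share", "software", impact=2, discoverability=5, exploitability=5,
          essential=False),
    Asset("backup tapes", "data", impact=5, discoverability=2, exploitability=3),
    Asset("network diagrams", "documentation", impact=1, discoverability=2, exploitability=2),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_ASSETS):
        print(f"{row['asset']:<18} risk={row['risk']:<5} -> {row['strategy']}")
```

Run as a script, the register lists the customer database first (high likelihood and impact, so Defend), terminates the non-essential legacy share, transfers the web server risk, mitigates the low-likelihood but high-impact backup tapes, and accepts the residual risk on the documentation. The point of the structure is that the ranking and the strategy choice are both driven by the same three ratings, which is what lets management justify where controls are concentrated.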
Risk Control (contd..)
Security Policy
• Once the primary risks to the systems have been identified, the company
will need to develop a security policy for protecting the company’s assets.
DRP/BCP
DRP/BCP (contd…)
• DR and BCP together should be designed to provide for the continuity or rapid restoration of
business processes immediately following disaster.
Computer Emergency Response Team
• CERT is a group of information security experts in an organization responsible for the
protection against, detection of and response to cybersecurity incidents.
Computer Emergency Response Team (contd..)
• Duties during and after an emergency:
• Rescue any identified critical records if possible
• Make necessary reports about the incident to appropriate authorities
• Begin damage assessment as soon as possible
• Put people and resources in place to start the recovery process
• Engage in direct salvage efforts (Toll-free info hotlines; taking care of blogs, viral
videos; brand restoration activities such as promoting new web-pages dedicated to
reforms and changes)
• Notify insurance carriers if applicable
Security Audit
• The final step in the implementation of an organization’s security defenses. It is the process of testing and ensuring that the
organization’s assets are fully protected.
• Organizations need a security audit in order to ensure that their security systems and processes are working as intended.
• A good security audit helps to point out gaps in an existing system of defenses against threats and risks.
• A thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff,
and business employees.
Security Audit (contd..)
• A resource to the board and management for making sure the InfoSec function has the resources,
systems and processes for operating an efficient and effective program.
• An assurance tool for management and the board to know that all that should be done is being done
regarding InfoSec.
• An independent validation resource that the organization’s InfoSec program efforts are proactive and
effective against current and emerging threats. Internal audits also evaluate the organization’s efforts
to comply with laws and regulations – a critical activity in most organizations these days and an ongoing
challenge.
Security Audit (contd..)
Organizational roles and responsibilities
• Management and the internal audit group in the organization each have a significant role in ensuring that InfoSec
is effective.
• Role of Management:
• Management is responsible for designing and implementing an InfoSec program for protecting and enhancing the value of the
organization’s assets, including its information assets.
• Managers within the various business units, who ‘own’ the information and the associated business processes, need to define their
security requirements based on the significance of the information.
• Executive management must also provide leadership to ensure that the organization’s InfoSec efforts are supported and understood.
• The board provides oversight, asks the right questions and encourages the right results.
Security Audit (contd..)
• Role of Auditor
Security audits designed by the auditor should keep in mind the need for basic internal
controls for PCs and local area networks (LANs):
• access controls;
• virus vulnerability, pests and spyware;
• data consistency;
• documentation;
• systems development;
• backup, recovery and contingency planning;
• copyright violations;
• home use of computers.
It is important for the auditor to determine the appropriate controls based on the risk of the
situation.
Types of Security Audits
• From the principle’s perspective, audits can be classified into four basic approaches:
1. Organizational audits:
• The objective of an organizational audit is to review the management processes and functions
existing in an organization for managing security and protecting vital assets.
• During this audit, the requisite controls also get reviewed.
2. Results-based audit:
• Under this approach, an auditor performs a review of security practices within the individual
business units and assesses the security understanding of the managers and staff.
• One of the key objectives of an effective security program is that the operating management
and staff take the responsibility for protecting the organization’s assets.
Types of Security Audits (contd..)
3. Point-in-time systems audit:
• This type of audit employs various diagnostic tools, often the same tools used by an
organization’s IT staff, to gauge the effectiveness of a security maintenance program and probe
for weaknesses in the organization’s defences, typically through ‘penetration testing’.
4. Extended-period audit:
• With this type of audit, the purpose is to assess the security program’s performance over a
period of time.
• It leverages the efforts of all the previously mentioned audit approaches and their results and
provides an overall assessment of the InfoSec program.
Resistance to Security Audits
Post-breach initiative: Cyber/Computer Forensics
• Computer forensics is the scientific collection, examination, authentication,
preservation, and analysis of data held on or retrieved from computer storage
media in such a way that the information can be used as evidence in a court of law.