
26 October 2015

Overview of InfoSec Program Development

In the last posts we have been speaking about Information Security Governance and Risk Management; in this new post I want to highlight what an Information Security Program is, since it is a main part of good information security management.

Many organizations actually put an Information Security Program in place by starting out with a Risk Assessment, either qualitative or quantitative or a combination of both, and then, based on that assessment, they deliver some type of risk mitigation strategy.

The problem is that we need to go further, to achieve strategic alignment. In other words, the risk assessment in the information security program has to align with the business needs. We also have to include other areas like resource management, integration, performance measurement, value delivery, etc. Therefore, all of the key components that we have been speaking about in the last posts should be part of the information security program.

The goal of the information security program is to implement a security strategy, but basically what a program gives us is some type of guide and step-by-step process. One of the advantages of using a standardized methodology like CMMI (Capability Maturity Model Integration) or ISO/IEC 27001 is that the methods are already standardized and do not cost us any money. The problem is that each organization is really unique, and the changes in technologies and the rapid growth of communications in global business make us really need some type of program that has the ability to be more specialized and customized. If we want to be successful information security managers we have to have the creativity, the adaptability and the skill sets to go beyond the standardized solutions and provide more customized, real-world solutions for our customers, for our company and for our organization. If we have to do this with a limited budget, we need to find a way to implement the security strategy using the best available methods and the available resources. In other words, we have to do as much as we can with what already exists in the business or the organization.

The program development should always be defined in business terms, with no techno-speak or info-speak. It has to be in solid business terms so that non-technical stakeholders, shareholders and executives can participate, because the board of directors typically is not technical. Many stakeholders have financial expertise instead of technical expertise, so we have to be able to position everything and communicate everything in real, measurable business terms.

If we speak the same “language” as the board of directors they are going to give us better feedback, they are going to want to participate, and we will get the commitment and solidarity of the board of directors; if we have these things we are going to have a successful, comprehensive information security program.

Best regards my friend and remember, develop your information security program along with your board of directors.

19 October 2015

Threats and Vulnerabilities

In the Risk Management Process we have to identify the threats and vulnerabilities of our organization to find out which of them can potentially impact the business. Once we know the threats and vulnerabilities we have to treat these risks, which can mean avoiding them, mitigating them, transferring them or retaining them. Finally, we will have to communicate the risks to stakeholders and senior management, and monitor them so that they do not rise above the accepted level of risk.

A threat is any event or circumstance that has the potential to cause damage to an information resource, and it does this by exploiting a vulnerability in our system, in our design or in our infrastructure. Basically, vulnerabilities lead to threats if they are exploited.

Threats are typically grouped into four categories:
  • Natural: tornadoes, hail damage, earthquakes, biological plagues, fire, flood, etc.
  • Unintentional: accidents like the loss of utility services, equipment failure, damage to a building, unintentional water damage, unintentional fire damage, etc.
  • Intentional physical threats: terrorist acts, a bomb, vandalism, etc.
  • Intentional non-physical threats: injecting malicious code or malware into our systems, email phishing attacks, a denial of service attack (for example against our perimeter routers), fraud, corporate espionage, malicious hacking, identity theft, social engineering, etc.
Once we have identified the threats, we need to look at what the underlying vulnerabilities in our systems can be, using scanning technologies that should be run by expert teams. However, process vulnerability analysis is a tougher task than technological vulnerability analysis and may need a more careful analysis to uncover them; for example, the periodic audit is a valuable tool to identify process vulnerabilities. Next, some examples of vulnerabilities:
  • Bad software: poorly written code without security mechanisms built into the code.
  • Misconfiguration: bad configurations on servers or networking devices like routers, or even configurations stored on other servers without cryptographic protection, such as encrypted configuration files.
  • Non-compliance: for example, non-compliance with government regulations like LOPD, LSSI, etc.
  • Poor network design: for example, a switched network using VLANs is a more secure environment than a flat network without Virtual LANs, which is vulnerable to packet sniffing.
  • Defective processes: for example, the process of firing or terminating an employee can have a defective flow, allowing the employee to cause problems to the company before leaving the facility or allowing him to connect remotely to the organization after being fired.
  • Poor management, insufficient staff, lack of end user support, inadequate security functionality, etc.
These are some of the threats and vulnerabilities that we can find in our organization, and identifying them is an important step to know and control the risks that can seriously impact the business. Therefore, if you want to manage the risk of your business properly, you should know what threats and vulnerabilities can destroy your business.

Best regards my friend and remember, measure, control and manage your risks.

12 October 2015

Risk Management Process

In the last post we saw an Overview of Risk Management. We saw the importance of Business Impact Analysis (BIA) to know the nature and the extent of risks to our organization; without this analysis, and the proper classification of assets, it is very difficult to know where we have to invest and spend the money to protect our assets. In this new post we'll see the five-step process of Risk Management.

Definition of Scope: It's basically the first, initial process. This is where we establish the global perimeter for the performance of our risk management process, which is going to be our entire organization or business. We have to take into account internal factors, external factors, structured factors, which are things like planned actions or structured reconnaissance from competitors, and unstructured actions, or in other words accidents. Once we have defined the scope we have to perform the Risk Assessment.

Risk Assessment: It's a scientifically based process; it's also going to use technology, and it really involves three steps. First of all we identify risks, second we analyse risks and finally we evaluate risks.

Risk Treatment: In the third process we consider the action plan. We select and implement the measures that we are going to use to modify our risks, mitigate them or put countermeasures against them. This includes things like avoidance, optimization, transferring the risk (for example to insurance) or retaining the risk. In other words, if our company decides to take and allow a certain amount of risk, then it retains that risk. For example, accepting a certain amount of denial of service attacks against the perimeter of our organization, perhaps adding more bandwidth or putting in quality of service or traffic policing techniques: we are never really going to remove that risk, but by retaining it we can keep it at acceptable levels.

Risk Communication: Once we have assessed the risk by identifying, analysing and evaluating it, and put together our action plan, which involves one of four things (avoidance, optimising our systems, transferring the risk to insurance or retaining the actual risk), we have to communicate the results and exchange and share the information about these risks between stakeholders, shareholders, decision makers and people inside and outside of our organization, like internal departments and outsourcers.

Monitoring and Review: This process is also referred to as an audit or auditing. It's where we measure the efficiency and the effectiveness of the overall risk management strategy. It's basically establishing an ongoing, perpetual monitoring and review process, making certain that the decided management action plans remain relevant and are updated on a regular basis. This process also brings into place control activities and compliance.

Best regards my friend and remember, measure your risks to protect properly your assets.

5 October 2015

Overview of Risk Management

As a risk manager, what is our main concern? First of all, risks and the threat of risks must have as little impact on the business processes as possible. This is really our underlying mission.

What we want to give back, as risk managers, to the officers of our organization, to executive management, to stakeholders and shareholders, is an acceptable level of predictability on a day-to-day basis, and a level of assurance or reliability that threats and attacks against our organization, and our other vulnerabilities, are not going to bring it down or impede the operations of our business or organization to the point where substantial loss is seen.

The process of risk management is often going to be combined with the Business Impact Analysis (BIA). In other words, how can we run a relevant risk management program if we don't really understand the nature and the extent of the risks to our information resources, to our data resources, to our physical and logical resources, and their individual potential impacts on our activities? Without this impact analysis, we are not going to be able to truly manage risks in an effective way.

The Business Impact Analysis (BIA) isn't going to be possible without information asset classification: identifying our assets, classifying our assets and setting the value of our assets, which are really the main aspects of risk management and risk assessment. If our company can't do a full BIA, there is another, less desirable option called Business Dependency Evaluation (BDE), which basically determines the overall macro criticality and sensitivity of our organization's information resources.

The result of this should drive management to weigh the risk exposure against the costs to mitigate those risks, as well as all of the financial, personnel and time overhead it takes to implement countermeasures and controls in the organization.

Now, a couple of other points that relate to information security: risk assessment can be quantitative or qualitative. Quantitative basically means we have a mathematical formula involved, for example ALE, the Annual Loss Expectancy, which would be the value of an asset multiplied by the exposure factor multiplied by the annualized rate of occurrence. On the other hand, a qualitative risk assessment is going to be a little more hypothetical: it is based on the human judgement, intuition and experience of the people who assess the risk.
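As an added example that is not part of the original post, the following Python script works through the ALE formula above for the perimeter denial of service case mentioned in the Risk Treatment post, and maps the result onto the treatment options (retain, mitigate, transfer or avoid). All asset values, exposure factors, rates of occurrence, the control cost and the risk appetite are constructed assumptions, not figures from the blog.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    """One threat/asset pair in a quantitative risk assessment."""
    name: str
    asset_value: float      # AV: monetary value of the asset at risk
    exposure_factor: float  # EF: fraction of AV lost in one incident (0..1)
    aro: float              # ARO: expected number of incidents per year

    def sle(self) -> float:
        # Single Loss Expectancy: loss caused by one occurrence
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        # Annual Loss Expectancy: AV x EF x ARO, the formula from the post
        return self.sle() * self.aro


def control_net_value(before: RiskScenario, after: RiskScenario,
                      annual_control_cost: float) -> float:
    """Yearly benefit of a countermeasure: ALE reduction minus its cost."""
    return before.ale() - after.ale() - annual_control_cost


def recommend_treatment(before: RiskScenario, after: RiskScenario,
                        annual_control_cost: float, risk_appetite: float) -> str:
    """Map the numbers onto the options of the Risk Treatment step."""
    if before.ale() <= risk_appetite:
        return "retain"            # already within what management accepts
    if control_net_value(before, after, annual_control_cost) > 0:
        return "mitigate"          # the control pays for itself
    return "transfer or avoid"     # too costly to fix in-house: insure it or drop the activity


# Constructed sample figures (assumptions, not from the post): a DoS against the
# perimeter routers, before and after adding traffic policing / QoS.
DOS_BEFORE = RiskScenario("DoS on perimeter routers", 200_000, 0.10, 4)
DOS_AFTER = RiskScenario("DoS on perimeter routers", 200_000, 0.02, 4)
DOS_CONTROL_COST = 30_000   # yearly cost of the QoS / policing control
RISK_APPETITE = 25_000      # maximum ALE management is willing to retain

if __name__ == "__main__":
    for s in (DOS_BEFORE, DOS_AFTER):
        print(f"{s.name}: SLE={s.sle():,.0f} ALE={s.ale():,.0f}")
    print("net value of control:", control_net_value(DOS_BEFORE, DOS_AFTER, DOS_CONTROL_COST))
    print("treatment:", recommend_treatment(DOS_BEFORE, DOS_AFTER, DOS_CONTROL_COST, RISK_APPETITE))
```

With these assumptions the control cuts the ALE from 80,000 to 16,000 for 30,000 a year, so mitigation is the recommended treatment; change the figures to see the same scenario fall into retain or transfer/avoid.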

Of course, from all of this, several positive outcomes should result, which we'll see in the next posts.

Best regards my friend and remember, if you have any question, go ahead!!