How To Ensure Information Security of An Organization Based on Business Requirements

By Sergio Bertoni, The Leading Analyst at SearchInform

There is a global trend of strengthening the legislation related to information security. Besides the regulators’ requirements, the steep increase in the number of information security incidents means that more and more people understand the importance of ensuring an appropriate level of information security. Organizations and businesses all over the world are motivated to ensure the safety of the data they gather and process.

The first group of specialists who have to deal with more responsibilities and work are information security officers. This is especially true for young experts in the field, and even more so for those employed by a company that doesn’t yet have an advanced information security protection system. This isn’t a fantasy scenario; if it resonates with your situation, this article is for you.

So, let’s start with some basics. If you work for a company that doesn’t have well-developed information security protection yet, you have two primary options:

  • Build on the business requirements.
  • Build on the regulator’s requirements.

The most efficient approach is to complement the regulator’s requirements with the business’s needs. In this article, we provide recommendations on how to do it.

The business way

Preliminary stage. Choose the protection paradigm.

Even if you are lucky enough to have a chief who really understands the importance of information security, you should be proactive and offer a plan for how everything should be done. At the very least, prepare a plan stating what must be done “at a minimum”, starting with the inventory (hardware, software and content); explain how the most significant risks will be identified and which methods will mitigate them.

To customize the plan, you need to interact with employees of different departments. Survey the employees of each department, in the form of a round table or private conversations; choose the method you prefer.

You need to find out the answers to the following four questions:

  • What do specialists consider to be an information asset?
  • What risks are posed to these information assets?
  • What, in their opinion, are the possible consequences of these risks for the organization?
  • What would they consider an incident, and how do they assess its criticality?

It’s impossible to develop adequate organizational and technical measures for data protection without precise answers to these four questions.

It’s very important that not only the course of action but also the penalties for not meeting the established standards are discussed during the survey and conversations with other employees. The auditor, the employee in charge of ensuring information security, has tools with which it’s possible to influence violators. But it’s crucial to first develop a set of rules that is easy to understand, and only after that proceed to discuss the penalties. By violators, I mean the following types of employees:

  • Employees who don’t comply with information security rules.
  • Managers who don’t approve the budget allocated to information security needs in a timely manner.
  • IT specialists who are in charge of ensuring the uninterrupted work of IT systems (in case something fails).

Proceeding to implementation

Below you can find the list of measures aimed at protecting information and infrastructure. However, it’s important to note that the actions related to these processes should be repeated continually.

  • Inventory

I mean a real-life inventory, not a nominal one. Perform an initial check of the infrastructure, because you have to understand what you have:

  • Which hardware and software is used
  • What are the current versions of firmware
  • Which ports remain open
  • Which connections are there
  • Which data is kept in the storage area network (SAN); is there any personal or confidential data; who has access to it.

Ideally this process is automated, because the inventory should be performed regularly. Typically, each time the inventory is performed there are unexpected findings, and the first time you perform it you’ll definitely find open ports and documents kept in inappropriate folders.
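The point about regular, automated inventory is that the value lies in the differences between runs: a port that was not listening last time, software that nobody installed deliberately, a host that was never recorded. The following Python script is an added example, not code from the article or from SearchInform; it diffs two inventory snapshots. The snapshot layout (host to ports, software versions and firmware) and the two sample hosts are constructed for the illustration.

```python
"""Diff two inventory snapshots to surface what changed between runs.

Added example, not code from the article or from SearchInform. The snapshot
layout (host -> ports / software versions / firmware) and the sample hosts are
constructed for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # "host", "port", "software" or "firmware"
    detail: str


# Constructed baseline: the result of the previous inventory run.
BASELINE = {
    "fs01": {"ports": [22, 445], "software": {"samba": "4.17.5", "openssh": "9.3"},
             "firmware": "BIOS 1.12"},
    "db01": {"ports": [22, 5432], "software": {"postgresql": "15.3"},
             "firmware": "BIOS 2.01"},
}

# Constructed current snapshot: an RDP port and a remote-access tool appeared on
# the file server, the database was patched, and an unknown workstation showed up.
CURRENT = {
    "fs01": {"ports": [22, 445, 3389],
             "software": {"samba": "4.17.5", "openssh": "9.3", "anydesk": "7.1"},
             "firmware": "BIOS 1.12"},
    "db01": {"ports": [22, 5432], "software": {"postgresql": "15.4"},
             "firmware": "BIOS 2.01"},
    "ws-temp": {"ports": [3389], "software": {}, "firmware": "unknown"},
}


def diff_inventory(baseline: dict, current: dict) -> list[Finding]:
    """Return every difference between two snapshots, one Finding per change."""
    findings = []
    for host in sorted(set(baseline) | set(current)):
        old, new = baseline.get(host), current.get(host)
        if old is None:
            findings.append(Finding(host, "host", "not in baseline"))
            continue
        if new is None:
            findings.append(Finding(host, "host", "missing from current run"))
            continue
        # Listening ports that appeared or disappeared since the baseline
        for port in sorted(set(new["ports"]) - set(old["ports"])):
            findings.append(Finding(host, "port", f"{port} newly listening"))
        for port in sorted(set(old["ports"]) - set(new["ports"])):
            findings.append(Finding(host, "port", f"{port} no longer listening"))
        # Software installed, removed or changed version
        for name in sorted(set(old["software"]) | set(new["software"])):
            before, after = old["software"].get(name), new["software"].get(name)
            if before is None:
                findings.append(Finding(host, "software", f"{name} {after} installed"))
            elif after is None:
                findings.append(Finding(host, "software", f"{name} {before} removed"))
            elif before != after:
                findings.append(Finding(host, "software", f"{name} {before} -> {after}"))
        if old["firmware"] != new["firmware"]:
            findings.append(Finding(host, "firmware", f"{old['firmware']} -> {new['firmware']}"))
    return findings


def inventory_report() -> list[Finding]:
    """Run the diff over the constructed snapshots."""
    return diff_inventory(BASELINE, CURRENT)


if __name__ == "__main__":
    for f in inventory_report():
        print(f"{f.host:8} {f.kind:9} {f.detail}")
```

Every finding here is something a person has to explain: the patched database is expected, the new RDP port and remote-access tool on the file server and the unrecorded workstation are not. Feeding the collector's output into this kind of diff each run is what turns inventory from a one-off spreadsheet into the recurring control the article describes.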

  • Crypto protection

Right after you finish the inventory, you need to ensure crypto protection. If you have a node that interacts with others, or a data storage containing crucial information, you need to protect them immediately. I’d like to remind you that there are crypto protection options for both data and channels, and both need to be protected. Nothing should remain unprotected. And, of course, don’t lose your passwords/keys 😊.

  • Access control

This requires, at least, appropriate distribution of access rights to folders and computers in Active Directory. However, in this case you can only implement attribute-based access control (access to a specific file or folder, not based on its content).

It’s better to implement content-based access control. It can be done with specific solutions that analyze file content: depending on how confidential the data in the file is, the solution allows or prohibits interaction with it. For instance, an advanced DCAP-class solution handles this task.
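The difference between the two models is easiest to see on a file that ends up in the wrong folder. The script below is an added example, not code from the article or from any DCAP product: it puts a path-based (attribute) decision next to a content-based one for the same files. The folder policy, the clearance levels, the classification rules (a marker word and a Luhn-checked card number) and the sample files are all constructed for the illustration.

```python
"""Attribute-based (path ACL) versus content-based access decisions.

Added example, not code from the article or from any DCAP product. The folder
policy, clearance levels, classification rules and sample files are constructed.
"""
import re

# Sensitivity levels in ascending order; a user may read files at or below
# their own level.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# Attribute-based rule: the folder a file lives in decides who may read it.
FOLDER_POLICY = {
    "/shares/public/": "public",
    "/shares/staff/": "internal",
    "/shares/finance/": "confidential",
}

# Constructed sample files. export.csv was copied into the public share by
# mistake and contains a payment card number.
SAMPLE_FILES = {
    "/shares/public/newsletter.txt": "Q3 newsletter: new office opens in May.",
    "/shares/public/export.csv": "name,card\nJ. Doe,4111 1111 1111 1111\n",
    "/shares/staff/handbook.txt": "INTERNAL: parking rules and holiday calendar.",
}

# Runs of 13-19 digits, optionally separated by spaces or dashes
DIGIT_RUN = re.compile(r"(?:\d[ -]?){12,18}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid flagging arbitrary long numbers as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(content: str) -> str:
    """Content-based label: markers and detected card numbers raise the level."""
    for match in DIGIT_RUN.finditer(content):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return "confidential"
    if re.search(r"\bCONFIDENTIAL\b", content):
        return "confidential"
    if re.search(r"\bINTERNAL\b", content):
        return "internal"
    return "public"


def path_level(path: str) -> str:
    """Attribute-based label from the longest matching folder prefix; deny by default."""
    matches = [p for p in FOLDER_POLICY if path.startswith(p)]
    if not matches:
        return "confidential"
    return FOLDER_POLICY[max(matches, key=len)]


def allowed_by_path(user_level: str, path: str) -> bool:
    return LEVELS[user_level] >= LEVELS[path_level(path)]


def allowed_by_content(user_level: str, content: str) -> bool:
    return LEVELS[user_level] >= LEVELS[classify(content)]


def compare_decisions(user_level: str) -> dict[str, tuple[bool, bool]]:
    """For each sample file: (attribute-based verdict, content-based verdict)."""
    return {
        path: (allowed_by_path(user_level, path), allowed_by_content(user_level, body))
        for path, body in SAMPLE_FILES.items()
    }


if __name__ == "__main__":
    for path, (by_path, by_content) in compare_decisions("public").items():
        print(f"{path}: folder ACL -> {by_path}, content -> {by_content}")
```

For a user with only public clearance, the folder ACL lets the misplaced `export.csv` through because it sits in the public share, while the content check blocks it because of the card number inside. Real DCAP products classify with far richer rules, but the decision structure is the same: the label travels with the content, not with the folder.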

  • Audit

It should be total. You need to audit all the existing sources (software and hardware). The bad news is that it’s impossible to analyze everything manually. The good news is that almost all IT systems log actions, typically in quite a detailed manner. Automated systems are capable of processing these logs, turning an event (or a chain of interconnected events) into an incident. You can choose such a system for almost any budget; what’s more, there are even free, open-source ones (ELK etc.).
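“Turning a chain of interconnected events into an incident” is the correlation step that distinguishes log collection from detection. The following Python script is an added example, not code from the article or from ELK or any SIEM: it parses sshd-style authentication lines and raises one incident when a source address fails repeatedly inside a time window, and a second, more serious one when a success follows such a run. The log lines, the format regex and the thresholds are constructed for the illustration.

```python
"""Turn a chain of authentication events into an incident.

Added example, not code from the article or from ELK or any SIEM. The log lines
are constructed in an sshd-like format; thresholds are illustrative.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: one source fails four times and then gets in as a
# different account; another user mistypes a password once and then succeeds.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[311]: Failed password for admin from 203.0.113.5 port 51122
2024-03-01T10:00:09 sshd[311]: Failed password for root from 203.0.113.5 port 51130
2024-03-01T10:00:17 sshd[311]: Failed password for admin from 203.0.113.5 port 51141
2024-03-01T10:00:25 sshd[311]: Failed password for backup from 203.0.113.5 port 51150
2024-03-01T10:00:31 sshd[315]: Failed password for jsmith from 198.51.100.7 port 40011
2024-03-01T10:00:40 sshd[315]: Accepted password for jsmith from 198.51.100.7 port 40011
2024-03-01T10:00:58 sshd[311]: Accepted password for backup from 203.0.113.5 port 51162
2024-03-01T10:00:59 cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    ip: str


@dataclass
class Incident:
    ip: str
    kind: str         # "brute-force" or "guessing-then-success"
    users: list[str]
    ts: datetime


def parse_line(line: str):
    """Return an AuthEvent for sshd password lines, None for everything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["result"] == "Accepted",
                     m["user"], m["ip"])


def detect_incidents(lines, threshold=4, window_s=120) -> list[Incident]:
    """Correlate per source address: `threshold` failures inside `window_s`
    seconds is one incident; a success right after such a run is a second one."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e.ts)
    failures = defaultdict(list)      # ip -> failures still inside the window
    incidents = []
    for ev in events:
        recent = [f for f in failures[ev.ip] if (ev.ts - f.ts).total_seconds() <= window_s]
        if ev.ok:
            if len(recent) >= threshold:
                users = sorted({f.user for f in recent} | {ev.user})
                incidents.append(Incident(ev.ip, "guessing-then-success", users, ev.ts))
            failures[ev.ip] = []      # a success closes the run for this source
        else:
            recent.append(ev)
            failures[ev.ip] = recent
            if len(recent) == threshold:
                users = sorted({f.user for f in recent})
                incidents.append(Incident(ev.ip, "brute-force", users, ev.ts))
    return incidents


def sample_incidents() -> list[Incident]:
    return detect_incidents(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for inc in sample_incidents():
        print(f"{inc.ts} {inc.ip} {inc.kind} users={','.join(inc.users)}")
```

The single mistyped password from `198.51.100.7` produces nothing, which is the false-positive side of the same rule; the run from `203.0.113.5` produces two incidents, and the second one (a success after repeated failures across several accounts) is the one that needs an analyst immediately. In a real deployment the same logic runs as a SIEM correlation rule over the collected log stream rather than over a string.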

  • Editing security policies

As soon as incidents are detected in the event flow, you may start to complement ready-made security policies with your own. Both ready-made and customized policies should be edited from time to time according to the current business processes and infrastructure needs. In our case, policies mean any settings in any data protection tool, ranging from antiviruses to NGFW.

  • Enhancing employees’ awareness of information security issues

Numerous information security problems originate from a lack of knowledge and understanding. That’s why educating and training employees is so crucial and mustn’t be neglected. Large companies even develop dedicated educational portals and organize the education process in different forms, including games. In some organizations, for instance governmental bodies, regulations and formal training sessions are used instead of gamification. Regardless of the exact methods you use to organize the education process, plenty of free materials that you can use are publicly available. For instance, we regularly extend our list of useful materials that help to enhance digital literacy.

  • Vulnerability analysis

This is the process of examining the existing vulnerabilities in the inventoried software, ports and hardware, performed manually or automatically.

You can manually check all the sources and reveal whether there are unpatched versions, default passwords or access rights violations. Honestly, this is a laborious method. If you’re a beginner but an inquisitive specialist, you’ll cope with the task; nevertheless, a fair amount of skill is required to succeed. That’s why the best option is to hire a team of professionals who will perform the protection analysis once a year (the period should be set according to the organization’s peculiarities and requirements). Despite its expense, this option is typically the most beneficial one.

Another option is the automated one: you can use specific software, a vulnerability scanner, which can be either commercial or open source.
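The three manual checks named above (unpatched versions, default passwords, access rights violations) are exactly what a scanner automates, and the simplest form of each is a comparison of the inventory against a baseline. The script below is an added example, not code from the article or from any vulnerability scanner; it runs those three checks over an inventory record. The inventory, the minimum-version table and the credential list are constructed, and the version numbers are placeholders rather than advisory data.

```python
"""Check an inventory against a patch baseline, default credentials and file
permissions.

Added example, not code from the article or from any vulnerability scanner. The
inventory, the minimum-version table and the credential list are constructed;
the version numbers are placeholders, not advisory data.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    host: str
    check: str      # "unpatched", "default-credential" or "permissions"
    detail: str


# Placeholder patch baseline: the lowest version the organization accepts.
# Fill this from the vendors' advisories; these numbers are made up.
MIN_VERSION = {"openssh": "9.6", "samba": "4.19.4", "postgresql": "15.6"}

# Constructed list of vendor defaults that must not survive first login.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}

# Constructed inventory record of the kind the inventory stage produces.
INVENTORY = {
    "fs01": {
        "software": {"samba": "4.17.5", "openssh": "9.6"},
        "accounts": [("backup", "Str0ng-pass-here")],
        "files": {"/etc/samba/smb.conf": 0o664, "/etc/ssh/sshd_config": 0o644},
    },
    "ipmi-fs01": {
        "software": {},
        "accounts": [("admin", "admin")],
        "files": {},
    },
    "db01": {
        "software": {"postgresql": "15.4"},
        "accounts": [("postgres", "db-Only-4-apps")],
        "files": {"/var/lib/postgresql/.pgpass": 0o606},
    },
}


def parse_version(v: str) -> tuple[int, ...]:
    """'4.17.5' -> (4, 17, 5); tuples compare component-wise."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def check_host(host: str, record: dict) -> list[Issue]:
    issues = []
    # 1. Unpatched versions: anything below the accepted floor
    for name, version in record["software"].items():
        floor = MIN_VERSION.get(name)
        if floor and parse_version(version) < parse_version(floor):
            issues.append(Issue(host, "unpatched", f"{name} {version} < {floor}"))
    # 2. Default or trivially guessable credentials
    for user, password in record["accounts"]:
        if (user, password) in DEFAULT_CREDENTIALS or user == password:
            issues.append(Issue(host, "default-credential", f"account {user}"))
    # 3. Access rights: sensitive files writable by everyone
    for path, mode in record["files"].items():
        if mode & 0o002:
            issues.append(Issue(host, "permissions", f"{path} is world-writable ({mode:o})"))
    return issues


def scan(inventory: dict) -> list[Issue]:
    return [issue for host in sorted(inventory) for issue in check_host(host, inventory[host])]


if __name__ == "__main__":
    for i in scan(INVENTORY):
        print(f"{i.host:10} {i.check:19} {i.detail}")
```

Two design points carry over to real tooling. The version floor is a policy the organization sets and reviews, not something the scanner knows on its own, which is why the table is deliberately separate from the checks. And a real credential check compares against stored password hashes or attempts a login with the known default rather than reading plaintext passwords out of an inventory; the plaintext tuples here only keep the example self-contained.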

This is an important stage, and it’s great if you don’t neglect the protective measures mentioned here. If you decide to deal with the issue on your own, here is the list of helpful resources:


  • Incident investigation

At this stage, the work processes related to incident investigation, analysis and prevention start. The main aim here isn’t simply to fix all the critical events but to draw the corresponding conclusions: why, despite the security policies in place, negative events happened; how to mitigate their outcomes; and how to prevent such incidents in future. This isn’t simple tuning of policies to eliminate incidents and false positives, but enhancing information security protection in general, with organizational measures as well as technical ones. What’s more, it may be useful to organize cyber training exercises aimed at practicing the response to different types of threats.

Obviously, this is not an exhaustive list of all the actions. To ensure information security protection, you need to consider numerous issues and peculiarities of the corporate infrastructure. However, if you have no idea where to start, or if you are thinking about what to do next and checking whether you’ve missed something, this to-do list should be helpful.

About the Author

Sergio Bertoni, the Leading Analyst at SearchInform, the global risk management tools developer.

Sergio has plenty of hands-on experience in information security and has been contributing to the company’s success for years. Sergio comments on different infosec topics, including information security trends and new methods of fraud (from simple phishing to deepfakes), provides advice on how to ensure the security of communication channels and shares best practices for organizing the information security protection of businesses.

Sergio can be reached at our company website https://searchinform.com/.
