Some of the biggest threats to information security occurred in 2003 Slammer, SoBig, and Blaster these three computer worms attacked public and private networks and spread across the globe disrupting computer services for millions of individuals and companies. These three malicious programs all functioned in differing manners each exploiting security flaws in the system. On average once the security vulnerability has been announced an exploit for that vulnerability will be created and distributed within six and a half days, and this number is only going to get smaller. Just a little over ten years ago, it took 6 months on average for a malicious program to be created based off discovered security flaws, the time between announcement and release is rapidly shrinking. Threats like the ones above, as well as threats from inside the company are what make having an effective well thought-out procedure in place to minimize risk from these threats and eliminate the miss-management of an attack or disaster.
Over the past decade or so, the federal government has established many laws and regulations concerning information security such as the HIPPA Act in 1996, concerning the health care industry and the distribution of patient information; as well as the financial industry with the Sarbanes-Oxley Act in 2002 and the Graham-Leach-Bliley Act which act to ensure that financial record databases are secure as well as the protection and safeguarding of customer information. These regulations come with severe financial penalties for violating them, which is another reason why an effective security policy should be a key concern for any company in these industries or related industries.
Security Policy Purpose
The purpose of security policies and procedures are to create a set of instructions for the organization to follow outlining how to best prevent unauthorized data/systems access. The policy should also dictate the steps for containing an attack should one occur and how to backup before and restore the system after an attack occurs. Senior management and the information security team should work together to ensure that the policy illustrates the companies requirements for securing data in both hard and soft copy, and how it will integrate with employee and systems functionality, as well as environmental guidelines. A proper security policy should also include consequences should any violations of the policies contained within. A properly crafted security policy allows the security team and management to accurately manage the system. Some of the benefits of a security policy are:
Establish a baseline for system functionality
Provide a scalable basis for product deployment / system management enterprise wide Heighten security awareness by all employees
Provide a basis for legal defense should a breach occur
An effective security policy is a living idea, ever changing and adapting to the business requirements of the organization. A security policy should be developed after careful consideration and analysis of company risks and vulnerability assessments. After these tasks are performed and reviewed a policy framework should be drafted outlining the findings and resolutions for any perceived issues. A security policy should address a number of areas:
Acceptable use of the system
Access control roles
Anti-Malware (Viruses, worms, Trojan horses)
Vulnerability assessment procedures
Email usage policies
Wireless security (2007, Realtime Publishers)
“Information security is a business issue, not just a technology issue. The reason organizations want to protect information should be for sound business purposes. Corporate knowledge and data are arguably the most important assets of any organization. Corporations must ensure the confidentiality, integrity and availability of their data. These three security objectives answer the questions: “Who sees the data?”, “Has the data been corrupted?” and “Can I access the server or data when I need it?”” (2010, Symantec) Role Based Access Control (RBAC)
Role Based Access Control or RBAC is a method of controlling how users access and interact with the network. If implemented correctly RBAC allows the user to access areas of the system they need to perform daily functions in regard to their individual position and prevents them from accessing areas where sensitive information could be stored. “A properly-administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business.” (Ferraiolo, Kuhn, 1995 p. 3)
Role based access control can also have an economic impact on a company as well, according to NIST’s research in RBAC an economic value of 1.1 billion dollars was estimated to be saved due to a reduced level of down-time, efficient provisioning, and a more efficient method of access control to system administrators. This method of access control is becoming the standard operating procedure of many international tech companies such as IBM, Siemens, Sybase, and Secure Computing. As previously discussed it is an effective cost-savings simplified way to manage access to organizations computer systems.
Employee’s Role in Information Security
The everyday user is the eyes and ears of an organizations security team. “As an example, last year when the “Here You Have” worm hit the internet, the employees at Intel immediately recognized this as malicious and provided the central IT/InfoSec departments a heads-up so they could take immediate actions to prevent exploitation in their organization.” (Reck, 2011). For a security policy to be effective it has to be understood and conducted by all employees of the organization. Information security and management cannot do the job alone. An effective system should be distributed, taught, tested, and reinforced to ensure that all employees understand the importance of information security and their role in the company in maintaining the security level required by the organization. “Employees need to clearly understand their role as it pertains to each security policy.
If employees understand the importance of their role in keeping the organization’s data secure they are more likely to alter their behavior and think twice about opening a questionable email attachment.” (Navarro, 2007) Employees are both an asset and a liability in the information security world, proper training as well as a system of consequences and bonuses for security policies and procedures can be an effective way to improve security behavior. The better an organization focuses on increasing the knowledge base for employees in the realm of information security the more secure the organizations information will be.
“Organizations need security policies, standards and procedures to enforce information security in a structured way. The choice of policies needed by the organization should be acquired through a thorough risk analysis, which includes security vulnerability assessments. The assessment results, combined with a proper policy framework and standards, should determine which policies are needed for your organization.” (Symantec, 2010) Information security needs are ever changing and evolving, it is critical to the success of an organization that they have a well-documented and distributed security policy addressing the risks and actions associated with those risks through-out the organization.
Realtime Publishers. Developing and Maintaining Policies Retrieved 3/10/2014 from http://searchsecurity.techtarget.com/feature/Developing-and-Maintaining-PoliciesSymantec (2010) Importance of Corporate Security Policy Retrieved 3/10/2014 from http://securityresponse.symantec.com/avcenter/security/Content/security.articles/corp.security.policy.htmlReck, R. (2011, May 18) Every Employee is a Security Partner. Retrieved 3/10/2014 from http://www.infosecisland.com/blogview/13849-Every-Employee-is-a-Security-Partner.htmlNavarro, L. (2007, February 21) Train Employees – your best defense – for security awareness. Retrieved 3/10/2014 from http://www.scmagazine.com/train-employees—your-best-defense—for-security-awareness/printarticle/34589/