Jun 2

Tips on Information Security


Information is the most valued possession of a company these days. In fact, the modern view of the enterprise has shifted the focus from traditional physical assets to information. No wonder, therefore, that companies of every size attach great importance to information security.

The Facts

In general, information security protects the corporate data that are the lifeline of modern companies. Such data is among the most sensitive things a company possesses, so naturally it is cared for very much. This is why integrity has become such a crucial factor in information security. In fact, management places more emphasis on this aspect of security than on the security of the rest of the corporate assets.

One can understand the need for it by considering the threats to a company's corporate information. Every day, the threats increase in number, nature, and complexity. Hackers are becoming more technologically advanced, which in turn raises the threat every single moment. Freeware and commercial tools like Metasploit Framework, Nmap, Security Forest, Ettercap, Yersinia, DSniff and Cain & Abel make the process of breaking into a network even easier. Even so-called script kiddies, without any strong hacking knowledge, can use them. Today hackers are also becoming more organized: they use web sites and IRC forums to exchange ideas and exploit code, and a search on the Internet readily turns up auction sites where hackers sell exploit code and the vulnerabilities they have identified. All of this makes the task of corporate governance even more difficult.

Organizations can hardly take any chances. If hackers manage to break through the security, they can cause severe damage to the company's legal compliance as well as to its management and reputation. The impact will be felt in both the short and the long run. So every organization should take proper steps to secure its information.

However, a casual approach will not serve the purpose. It would be a mistake to identify breaches on an ad-hoc basis. Rather, one needs a regular, systematic approach to risk identification and resolution. Legislation has made an effort to bring this about through formal requirements, which make firms criminally liable for implementing and maintaining information security measures. Sometimes the regulations also make the directors personally liable.

All this has conferred added responsibilities on organizations. They have to document the security measures they take. This need to prove the proper functioning of their security system actually helps companies develop a more systematic outlook on potential threats. It makes them more organized in terms of cost management as well as network security.

The Standards

The development of an ISMS (Information Security Management System) is a necessity for modern enterprises. The ISMS ensures that the appropriate security controls are not only implemented but also correctly managed. However, deploying such a management infrastructure is not an easy task. The company has to identify the employees who will participate in the ISMS, and then develop the appropriate Security Policies, Procedures and Corporate Guidelines. One of the best guides to developing an ISMS is the ISO27001:2005 standard. This ISO standard is widely accepted worldwide and describes the security controls that must be in place to mitigate security risks. Please note that these standards do not propose specific technologies to be applied; they only describe the mechanisms that need to exist. Examples of such mechanisms include:

• Allocation of Security Responsibilities

• Independent Review of Information Security

• Inventory of Assets

• Segregation of Duties

• Information Classification

• Physical Perimeter Security

• Cabling Security

• Controls against malicious code

• Network Connection Control

• Segregation in Networks

Gaining an ISO certification will not relieve you of your legal obligations, but the certification will help you mount a legal defense after a security breach takes place.

Along with ISO27001, a number of other internationally accepted security certifications exist, examples of which are SOX, HIPAA, PCI DSS and WLA. Each standard usually targets specific industries or types of business. Depending on the country and the local laws, some corporations are obliged to gain some of these certifications in order to operate.

The standard assists organisations by providing a structured and proactive approach to information security, making sure the right people, processes, procedures and technology are in place to protect information assets and thus minimise the harm that deliberate or accidental acts can cause.

Being compliant with a standard means that a company has implemented the security controls that the standard proposes. Corporations that have gained a security certification use it as a marketing tool and have gained a competitive advantage over their competitors. Such certifications usually increase customer trust by reassuring customers that the corporate management team is committed to protecting their confidential information.

To receive a certificate, third-party auditors will need to investigate the corporate environment and ensure that these controls have been applied correctly.

The Risk Assessment Process

To ensure that corporate information remains secure, Security Officers use Risk Assessment methodologies to estimate the actual risks that exist in the corporate systems and procedures. The Risk Assessment process enables corporate managers to identify the risks associated with running the day-to-day corporate processes and also to identify the controls needed to mitigate them. Today a number of widely accepted Risk Assessment methodologies exist that corporations can use to develop an assessment process. Examples are the NIST Risk Assessment methodology (SP800-30), the ISACA Risk Assessment and ISO13335.

Companies must ensure that such a Risk Assessment process is executed regularly within the corporation. Assessors use special questionnaires to interview managers and administrators, and also special tools to scan the corporate systems, network equipment and databases for vulnerabilities. Assessors must also review the network architecture and identify potential flaws that may allow adversaries to access confidential data.

To assist them in this task, many vendors have produced software applications that automate many of the Risk Assessment tasks (e.g. developing questionnaires, statistical analysis of results, performing interviews). An example of such a tool is vsRisk.
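The assessment described above boils down to a risk register: each identified threat to an asset is scored, the controls chosen to mitigate it are recorded, and the remaining (residual) risk decides what gets attention first. The following added example illustrates that bookkeeping in Python; it is not code from the article, from vsRisk, or from SP800-30, and the five-point scales, the rating thresholds and the sample register entries are all assumptions constructed for the illustration.

```python
"""Illustrative risk register (added example, not the article's or any vendor's code).

Each risk is scored as likelihood x impact on assumed 1-5 scales. Controls
reduce likelihood and/or impact by a stated number of steps; the residual
score is what remains after the chosen controls are applied.
"""
from dataclasses import dataclass, field

# Qualitative scales, assumed for this example (1 = lowest, 5 = highest).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A mitigating control and how many scale steps it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    """One register entry: a threat against an asset, plus its controls."""
    asset: str
    threat: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Risk after the chosen controls; never drops below 1 x 1."""
        lik = LIKELIHOOD[self.likelihood] - sum(c.likelihood_reduction for c in self.controls)
        imp = IMPACT[self.impact] - sum(c.impact_reduction for c in self.controls)
        return max(lik, 1) * max(imp, 1)


def rating(score: int) -> str:
    """Map a numeric score onto an assumed three-band rating."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks):
    """Highest residual risk first; ties broken by asset name for stable output."""
    return sorted(risks, key=lambda r: (-r.residual_score(), r.asset))


def build_register():
    """Constructed sample entries of the kind an assessor's interviews and scans produce."""
    return [
        Risk("customer database", "SQL injection via the web application", "likely", "severe",
             [Control("parameterised queries", likelihood_reduction=2),
              Control("least-privilege database account", impact_reduction=1)]),
        Risk("staff laptops", "theft of a laptop holding client files", "possible", "major",
             [Control("full-disk encryption", impact_reduction=3)]),
        Risk("core switches", "default credentials on network equipment", "likely", "moderate"),
    ]


def summarise(risks):
    """Rows of (asset, inherent score, residual score, residual rating), ordered by priority."""
    return [(r.asset, r.inherent_score(), r.residual_score(), rating(r.residual_score()))
            for r in prioritise(risks)]


if __name__ == "__main__":
    for asset, inherent, residual, band in summarise(build_register()):
        print(f"{asset:<20} inherent={inherent:>2} residual={residual:>2} ({band})")
```

Running it shows why the process has to be repeated: the switches with no control recorded end up as the top residual risk even though their inherent score is lower than the database's, which is exactly the kind of gap a periodic reassessment is meant to surface.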
