Elements Of Information Security Strategy


02 Nov 2017

Disclaimer:
This essay was written and submitted by students and is not an example of EssayCompany's professional work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

This paper identifies the key elements that should be included in any organization's information security strategy so that it provides both proactive and reactive information security controls. The strategy should govern information security management and give direction and support within the organization. The paper therefore sets out the basic aspects of an information security strategy that should be instituted so that the organization has both proactive and reactive mechanisms for any security threat to its information systems.

Introduction

The elements of security policy described in this paper are designed to help security professionals develop a strategy to protect the availability, integrity, and confidentiality of data in an organization's information technology (IT) system. They will be of interest to information resource managers, computer security officials and administrators, and of particular value to those trying to establish computer security policies. The elements offer a systematic approach to this task and, as a final precaution, also involve establishing contingency plans in case of a disaster: plans that are drawn up in advance and invoked as part of the reactive response (Laudon & Laudon, 2006).

An IT system may need protection for one or more of the following aspects of data:

Confidentiality. The system contains information that requires protection from unauthorized disclosure. Examples: Timed dissemination information (for example, crop report information), personal information, and proprietary business information.

Integrity. The system contains information that must be protected from unauthorized, unanticipated, or unintentional modification. Examples: Census information, economic indicators, or financial transactions systems.

Availability. The system contains information or provides services that must be available on a timely basis to meet mission requirements or to avoid substantial losses. Examples: Systems critical to safety, life support, and hurricane forecasting.

Although a security policy can save the organization valuable time and provide important reminders of what needs to be done, security is not a one-time activity. It is an integral part of the system lifecycle. The activities described in this document generally require periodic updating or appropriate revision. For that reason, the paper provides elements of an information security policy that cover both proactive and reactive measures.

PROACTIVE STRATEGY

The proactive strategy is a set of predefined steps that should be taken to prevent attacks before they occur. The first two steps look at how an attack could affect or damage the computer system and at the vulnerabilities it would exploit. The knowledge gained in these assessments helps in implementing security policies and controls that prevent or limit the attacks. These are the three steps of the proactive strategy:

Determine the damage that the attack will cause.

Determine the vulnerabilities and weaknesses that the attack will exploit.

Minimize the vulnerabilities and weaknesses that are determined to be weak points in the system for that specific type of attack.

Following these steps to analyze each type of attack has a side benefit; a pattern will begin to emerge, because many factors will overlap for different attacks (Anderson, 2001). This pattern can be helpful in determining the areas of vulnerability that pose the greatest risk to the enterprise. It is also necessary to take note of the cost of losing data versus the cost of implementing security controls.

Security policies and controls will not, in every case, be completely effective in preventing attacks. For this reason it is necessary to develop contingency and recovery plans for the event that security controls are penetrated.

Determine Possible Damage Resulting from an Attack

Possible damage can range from minor glitches to catastrophic data loss, and it depends on the type of attack. Where possible, use a test or lab environment to establish the damage that different types of attack cause (Yhan, 2005). This lets security personnel observe the actual damage from an experimental attack rather than estimating it. Not all attacks cause the same damage. Here are some examples of tests to run:

Simulate an e-mail virus attack on the lab system and see what damage was caused and how to recover from the situation.

Use social engineering to acquire a username and password from an unsuspecting employee and observe whether he or she complies.

Simulate what would happen if the server room burned down. Measure the production time lost and the time taken to recover.

Simulate a malicious virus attack. Note the time required to recover one computer and multiply that by the number of computers infected in the system to ascertain the amount of downtime or loss of productivity.

It is also a good idea to involve the incident response team because a team is more likely than an individual to spot all of the different types of damage that have occurred.

Determine the Vulnerabilities or Weaknesses That an Attack Can Exploit

If the vulnerabilities that a specific attack exploits can be discovered, current security policies and controls can be altered, or new ones implemented, to minimize those vulnerabilities (Laudon & Laudon, 2006). Knowing the type of attack, the threat and the method used makes it easier to discover existing vulnerabilities, and the findings can be confirmed by an actual test.

The following is a list of possible vulnerabilities. These represent just a few of the many that exist, with examples in the areas of physical, data, and network security.

Physical Security:

Are there locks and entry procedures to gain access to servers?

Is there sufficient air conditioning and are air filters being cleaned out regularly? Are air conditioning ducts safeguarded against break-ins?

Are there uninterruptible power supplies and generators and are they being checked through maintenance procedures?

Is there fire suppression and pumping equipment and proper maintenance procedures for the equipment?

Is there protection against hardware and software theft? Are software packages and licenses and backups kept in safes?

Are there procedures for storing data, backups and licensed software off-site and onsite?

Data Security:

What access controls, integrity controls and backup procedures are in place to limit attacks?

Are there privacy policies and procedures that users must comply with?

What data access controls (authorization, authentication, and implementation) are there?

What user responsibilities exist for management of data and applications?

Have direct access storage device management techniques been defined? What is their impact on user file integrity?

Are there procedures for handling sensitive data?

Network Security:

What kinds of access controls (Internet, wide area network connections, etc.) are in place?

Are there authentication procedures? What authentication protocols are used for local area networks, wide area networks and dialup servers? Who has the responsibility for security administration?

What type of network media, for example, cables, switches, and routers, are used? What type of security do they have?

Is security implemented on file and print servers?

Does your organization make use of encryption and cryptography for use over the Internet, Virtual Private Networks (VPNs), e-mail systems, and remote access?

Does the organization conform to networking standards?

Minimize Vulnerabilities and Weaknesses Exploited by a Possible Attack

Minimizing the vulnerabilities and weaknesses identified in the previous assessment is the first step in developing effective security policies and controls, and it is the payoff of the proactive strategy (Bishop, 2003). By minimizing vulnerabilities, security personnel reduce both the likelihood of an attack and its effectiveness if one does occur. Be careful not to implement controls so stringent that the availability of information suffers. There must be a careful balance between security controls and access to information: information should be as freely available as possible to authorized users.

Make Contingency Plans

A contingency plan is an alternative plan that should be developed in case an attack penetrates the system and damages data or any other assets with the result of halting normal business operations and hurting productivity. The plan is followed if the system cannot be restored in a timely manner. Its ultimate goal is to maintain the availability, integrity and confidentiality of data—it is the proverbial "Plan B."

There should be a plan per type of attack and per type of threat. Each plan consists of a set of steps to be taken in the event that an attack breaks through the security policies. The contingency plan should:

Address who must do what, when and where to keep the organization functional.

Be rehearsed periodically to keep staff up-to-date with current contingency steps.

Cover restoring from backups.

Cover updating anti-virus software and signatures.

Cover moving production to another location or site.

The following tasks should be carried out to develop a contingency plan:

Evaluate the organization's security policies and controls to accommodate any opportunities found for minimizing vulnerabilities. The evaluation should address the organization's current emergency plan and procedures, and their integration into the contingency plan.

Evaluate current emergency response procedures and their effect on the continuous operation of business.

Develop planned responses to attacks and integrate them into the contingency plan, noting the extent to which they are adequate to limit damage and minimize the attack's impact on data processing operations.

Evaluate backup procedures, including the most recent documentation and disaster recovery tests, to assess their adequacy and include them in the contingency plan.

Evaluate disaster recovery plans to determine their adequacy in providing a temporary or longer term operating environment. Disaster recovery plans should include testing the required levels of security so that security personnel can see if they continue to enforce security throughout the process of recovery, temporary operations and the organization's move back to its original processing site or to a new processing site.

Draw up a detailed document outlining the various findings in the above tasks. The document should list:

Any scenarios to test the contingency plan.

The impact that any dependencies, planned-for assistance from outside the organization and difficulties in obtaining essential resources will have on the plan.

A list of priorities observed in the recovery operations and the rationale in establishing those priorities.

REACTIVE STRATEGY

A reactive strategy is implemented when the proactive strategy for the attack has failed. The reactive strategy defines the steps that must be taken after or during an attack. It helps to identify the damage that was caused and the vulnerabilities that were exploited in the attack, determine why it took place, repair the damage that was caused by it and implement a contingency plan if one exists (Bishop, 2003). Both the reactive and proactive strategies work together to develop security policies and controls to minimize attacks and the damage caused during them.

The incident response team should be included in the steps taken during or after the attack to help assess it and to document and learn from the event.

Assess the Damage

Determine the damage that was caused during the attack. This should be done as swiftly as possible so that restore operations can begin. If it is not possible to assess the damage in a timely manner, a contingency plan should be implemented so that normal business operations and productivity can continue.

Determine the Cause of the Damage

To determine the cause of the damage it is necessary to understand what resources the attack was aimed at and what vulnerabilities were exploited to gain access or disrupt services. Review system logs, audit logs, and audit trails. These reviews often help in discovering where the attack originated in the system and what other resources were affected.
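As an added illustration of this log review (example code written for this article, not part of the original essay or of any vendor's tooling), the following Python script walks a handful of constructed sshd and sudo syslog lines in chronological order, treats a source address whose repeated failed logins are followed by a successful one as the likely origin of the attack, and lists the accounts it obtained and the privileged commands run from them afterwards. The log lines, hostnames and addresses are made up for the example; the failure threshold of three is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in sshd/sudo syslog style; not taken from any real system.
SAMPLE_LOG = """\
Mar  3 02:14:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 02:14:03 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 02:14:05 web01 sshd[4122]: Failed password for root from 203.0.113.45 port 51830 ssh2
Mar  3 02:14:09 web01 sshd[4125]: Failed password for deploy from 203.0.113.45 port 51841 ssh2
Mar  3 02:14:12 web01 sshd[4125]: Failed password for deploy from 203.0.113.45 port 51841 ssh2
Mar  3 02:14:15 web01 sshd[4127]: Accepted password for deploy from 203.0.113.45 port 51850 ssh2
Mar  3 02:15:40 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 02:16:02 web01 sshd[4130]: Accepted publickey for deploy from 203.0.113.45 port 51860 ssh2
Mar  3 08:00:01 web01 sshd[5000]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2
Mar  3 08:05:10 web01 sudo:   alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Common syslog prefix: timestamp and host, then the program-specific message.
TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
FAILED = re.compile(TS + r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port")
ACCEPTED = re.compile(TS + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")
SUDO = re.compile(TS + r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")


def parse_line(line):
    """Classify one syslog line. Returns a dict with an 'event' key, or None if
    the line is not one of the three event types we care about."""
    for event, pattern in (("failed", FAILED), ("accepted", ACCEPTED), ("sudo", SUDO)):
        m = pattern.match(line)
        if m:
            fields = m.groupdict()
            fields["event"] = event
            return fields
    return None


def analyze(log_text, failure_threshold=3):
    """Walk the log in order. A source that fails at least `failure_threshold`
    times and is then accepted is recorded as a likely attack origin; any later
    sudo activity by the account it logged into is recorded as follow-up
    activity, which shows which other resources were touched."""
    failures = defaultdict(int)   # src ip -> failed attempts seen so far
    findings = {}                 # src ip -> finding dict
    compromised = {}              # (host, user) -> src ip that obtained it
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "failed":
            failures[ev["src"]] += 1
        elif ev["event"] == "accepted":
            src = ev["src"]
            # Only failures that precede the success count as evidence.
            if failures[src] >= failure_threshold:
                finding = findings.setdefault(
                    src, {"failures": 0, "first_success": ev["ts"], "accounts": [], "followup": []}
                )
                finding["failures"] = failures[src]
                key = (ev["host"], ev["user"])
                if key not in finding["accounts"]:
                    finding["accounts"].append(key)
                compromised[key] = src
        elif ev["event"] == "sudo":
            key = (ev["host"], ev["user"])
            if key in compromised:
                findings[compromised[key]]["followup"].append((ev["ts"], ev["host"], ev["cmd"]))
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(f"origin {src}: {info['failures']} failures before success at {info['first_success']}")
        for host, user in info["accounts"]:
            print(f"  obtained {user}@{host}")
        for ts, host, cmd in info["followup"]:
            print(f"  follow-up {ts} {host}: {cmd}")
```

The order of events matters: a failure count is only evidence if it precedes the accepted login, which is why the script processes lines chronologically instead of counting failures in bulk. On a live system the same logic would run over the authentication log or journal; the follow-up list is what tells the responder which further resources were affected, and the account list is what the repair step must reset.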

Repair the Damage

It is very important that the damage be repaired as quickly as possible in order to restore normal business operations and recover any data lost during the attack. The organization's disaster recovery plans and procedures (discussed under "Make Contingency Plans" above) should cover the restore strategy. The incident response team should also be available to handle the restore and recovery process and to provide guidance on it.

Document and Learn

Once the attack has taken place, it must be documented. The documentation should cover all known aspects of the attack, including the damage that was caused (hardware, software, data loss, loss in productivity), the vulnerabilities and weaknesses that were exploited, the amount of production time lost, and the procedures taken to repair the damage. This record is what allows the proactive strategy to be revised to prevent future attacks or minimize their damage.

Implement Contingency Plan

If a contingency plan already exists, it can be implemented to save time and to keep business operations functioning correctly. If no contingency plan exists, develop an appropriate plan based on the documentation from the previous step.

Review Outcome / Do Simulations

The other major step in the security strategy is to revisit the findings of the proactive assessment (the expected damage and the vulnerabilities identified there). After the attack, or after defending against it, review the attack's outcome with respect to the system (Laudon & Laudon, 2006). The review should cover the loss in productivity, the data or hardware lost, and the time taken to recover. Also document the attack and, if possible, track where it originated, what methods were used to launch it, and what vulnerabilities were exploited. Run simulations in a test environment to refine these findings.

Conclusion

To conclude, information systems are exposed to various security threats and challenges which, if not properly checked, can result in a complete halt of the services offered. It is therefore imperative that measures are put in place to ensure that such threats are prevented, minimized and dealt with whenever there is a breach of security. For that reason, both proactive and reactive measures should form part of the security strategy for the management of any information system.


