Incident Response Management And Disaster Recovery


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

Humans are now living in the era of the information explosion. With the help of the internet, information can be easily transferred, gathered and analyzed. Traditional businesses that rely only on people can no longer survive in today’s business environment. To catch up with others, traditional businesses are adopting information technology to speed up their business life cycle. However, with the passage of time, enterprises have started to encounter security issues arising from information technology, such as internet virus attacks and data loss from system crashes. In this research I am going to talk about the need for information security in small and medium enterprises and how to implement information security.

Introduction

The knowledge of information technology held by each staff member in an enterprise is always insufficient to prevent attacks from external or internal threats. In today’s business environment, enterprises have to rely on technologies to help them keep these threats to a minimum.

Small and medium enterprises often find information security management redundant, or its benefit too small for their organization, so they are not willing to spend much on it. As a result, their information systems are not always updated and their staff lack training on information security.

The top management in some small and medium enterprises has only a little knowledge of the importance of information security, so they expect an immediate effect on the current business after implementing information security. However, it is not easy to see a big improvement on the surface. After a certain period, the top management will lose the confidence to continue investing in information security.

Information security management is not only about information technology; it also brings information technology policies, processes and procedures to the enterprise. It protects enterprises through both digital security and physical security. For example, preparing a disaster recovery plan and a business continuity plan allows a business to continue to operate and function when it is affected by unexpected circumstances.

Information systems and technology are widely used in small and medium enterprises (SMEs). At the same time, information systems and technology introduce security problems to enterprises. The leaders of an SME have to engage with, comprehend and implement information security management; failing that, the enterprise may be severely impacted by threats to its information systems that could ultimately lead to business failure.

In order to be competitive, Romanian SMEs need a strategy that ensures a steady increase in business efficiency, a reduction in production costs and an improvement in product quality. Since the financial power of small organizations is limited, compromise solutions must be found that satisfy technological needs with the resources available (Gramma, A., & Fotache, D, 2007). Small and medium-sized enterprises represent the spinal cord of most European Union countries’ economies (Gramma, A., & Fotache, D, 2007). We can understand that our economy would be affected without the functions of these enterprises. So implementation of information security management is required to help these enterprises be more efficient and less susceptible to threats that could affect their business functions.

Justifying the need for sound information security management in SMEs

Sound information security management doesn’t mean just standards compliance.

Information security is very important to sound management. Not only information but also IT systems are critical assets that support the mission of an enterprise. Protecting them is as important as protecting other enterprise resources such as money, employees or physical assets (Marianne Swanson, B. G, 1995).

As the management of small and medium enterprises (SMEs) starts to involve newer generations, more enterprises are now willing to implement information security management. However, some management still holds the misconception that implementing information security would cost an incredible amount, or lacks the means to secure information appropriately due to financial restrictions, limited resources and inadequate know-how (Park, J.-Y., Robles, R. J., Hong, C.-H., Yeo, S.-S., & Kim, T.-H., 2008).

Security is applied in many environments and areas, such as installing firewalls and anti-virus software to prevent unauthorized access to personal computers. An enterprise without an information security solution will easily expose its confidential information or business strategy, which could result in the loss of competitiveness, earnings and employee loyalty. This is especially so in small and medium enterprises, where only selected employees are allowed to access business information because these enterprises do not have any preventive solution in place. This kind of situation arises when there is a lack of staff with an IT background or of advice from security experts.

There are a few ways to implement information security management. The scope differs according to the type of enterprise. Enterprises with less sophisticated infrastructure require less implementation of information security management, and those with complex infrastructure require a more detailed solution. The process of minimizing the risks associated with information security management includes the compilation of a structured and detailed information security policy. The policy can, among other things, define problems such as threats and corresponding countermeasures, in addition to defining the roles and responsibilities of employees (MICHAEL, K., Waweru, M., & Stephen, K, 2010). An information security policy that protects the enterprise’s important information must always be included, regardless of the complexity of the enterprise’s infrastructure.

Incident response management and disaster recovery

Incident response is a structured and detailed approach to identifying and managing the effects of a security incident or issue. The purpose is to resolve the security problem in a way that minimizes the damage and recovery costs. An incident response plan includes a detailed procedure that must be followed when an incident takes place.

Complete incident response management requires positive commitment from the management of an enterprise. Without support from senior management, no matter how good the incident response management is, it is still possible to fail to recover from a disaster.

Implementing an incident response plan is not easy for small and medium enterprises, as they lack staff with an IT background and security experts who can help decide what types of data security breaches should be included in incident response management (Beaver, K, 2010). As these small and medium enterprises do not have any plan for disaster recovery and incident response, they do not know how to determine whether a situation is an incident or a disaster. Large enterprises may assess the severity of the event and the likelihood of it ending quickly. An incident may be defined as an event that may be, or may lead to, a business interruption, disruption, loss and/or crisis (Kirvan, P, 2010).

Disaster recovery gives enterprises the ability to recover from a disaster, which is usually natural or human-induced. With the help of disaster recovery, enterprises can bring their business back online and keep their previous functions.

The incident response team in a large enterprise is normally formed of both internal staff and external observers such as security experts. These security experts from third-party vendors give the enterprise high-level advice. However, coming up with a specific plan that suits an individual enterprise also requires the knowledge of the internal staff. Other organizations, such as small and medium enterprises, may not follow the same structure since they may encounter budget and headcount constraints. Employees who take on the responsibility must try to resolve the incident within the internal team.

For small and medium enterprises, the incident response team is normally formed of staff from the senior management level. They have to identify the severity when an incident occurs and then take appropriate action according to that severity. For example, a virus outbreak may trigger the first level, which only selected members have to look into, while a breakdown of the whole infrastructure may trigger the highest level, which requires everybody to be involved.

Mobile device security management

Mobile devices can make enterprises more efficient, competitive and productive by giving quick access to business information when it is needed.

The usage of mobile devices is expanding in today’s business environment. The number of employees who use laptops instead of desktops continues to grow quickly. This pattern requires additional effort to protect the data stored on these devices (Justin K, 2010). Enterprises running applications on mobile devices for their business can be attacked through network and server technologies. Small and medium enterprises face a big challenge in protecting their information against attacks through mobile devices, as they often lack security, encryption and proper training.

The security controls delivered with a mobile device often lack the rigor of those provided by a centralized mobile device management application. For example, a mobile device that supports only a short password for authentication may not support strong encryption. Enterprises have to install and maintain security controls from third-party vendors that provide the missing functionality (Murugiah S & Karen S, 2012).

Since most mobile device providers choose to use a standard operating system and programming language, threats at the operating system and programming level will not be a major concern for enterprises. The makers of mobile device operating systems release updates or patches to fix security vulnerabilities. Small and medium enterprises have to come up with a plan to apply those updates and patches to mobile devices. Large enterprises, which may have a specific operating system maintained by an internal development team, will not suffer at this level.

Mobile devices provide a tremendous productivity advantage for today’s business. However, enterprises have to give consideration to the deployment of mobile device security policies. These policies provide enterprises with the level of security required in their daily business (Motorola, 2007). Beyond mobile security at the system and application level, it is also necessary to have mobile security policies in order to minimize the potential security risk to the enterprise.

Enterprises are strongly encouraged to carry out a risk assessment to identify the potential risks from the mobile device environment. For example, if an unauthorized device connects to the enterprise’s network using an authorized ID, the device can be used as a host for more unauthorized devices to connect to the network (Booz, A, & Hamilton, 2009).

Linking business objective with security

The first step in linking business objectives with security is persuading top management by showing them the value of the return on investment. Most top management in small and medium enterprises concentrates on the profitability of each investment. It is necessary to show top management the benefit at each point of the business life cycle after implementing security management. For example, in a business-to-consumer transaction, consumers may change their minds after they have made their orders and claim that they never ordered the merchandise. Nonrepudiation mechanisms keep consumers honest and protect businesses in these situations (Christian B. F & Paul E. P, 2002).

When analyzing the need for security in the business, large enterprises often face problems gathering information since the sources are scattered across multiple locations. Small and medium enterprises find this aspect easier than large enterprises.

Research on the adoption of e-commerce by SMEs in South Africa found that most of the factors that influence adoption lie within the enterprises themselves (Courtney, S, Cloete, E & Fintz, J 2002). Lack of software, low e-commerce use by supply chain partners, low knowledge level of both management and employees, lack of access to computers and unclear benefits from e-commerce were found to be major factors that inhibit adoption (Wole O & Mogotetsi K, 2010).

Security management always has to rely on the business objectives of an enterprise. Each policy, process and procedure of security management needs to suit the need properly in order to achieve the business objective. When business objectives change, security management also has to be reviewed and amended to satisfy the new requirements.

Biometric security device and their use

A biometric security device is used to identify people based on unique biological characteristics. Biometric security devices are widely used in places such as airports, government buildings and banks. Their major functions are identification, verification and retrieving personal information.

Privacy is the major concern when enterprises want to implement biometric security devices. Personal information of both internal staff and external visitors will be captured by the biometric device. Unauthorized people will have access to this sensitive information if it is not protected correctly.

The biometric security device is the most secure device in information security management (Krause, M., & Tipton, H, 2003). However, the cost of implementing biometric security devices is quite high, which has to be taken into consideration when small and medium enterprises want to deploy them. It is also important for small and medium enterprises to decide whether the access to such facilities provided by a biometric device is justifiable. If the answer is no, they should choose a security method other than a biometric device.

Ethical issues in information security management

Some organizations allow their staff to access the internet with no limitations. The common ethical issue is misuse of the organization’s computers to surf the internet for purposes not related to their assignments. For example, staff may access Facebook or YouTube during office hours. Small and medium enterprises have to take precautions to observe the ethical issues involved in security management. Some companies may block certain URL domains to disable access to some websites, or place CCTV cameras to monitor their staff.

Security training and education

Security training and education can be defined as a program designed to reduce security breaches caused by a lack of employee security awareness. It includes the expectations that the enterprise has of its employees.

Security training is not just reviewing policy with employees; the most important part is explaining why the policies exist and what will happen if someone does not follow the standard. For example, after a demo showing employees how quickly a simple password can be cracked, it is much easier for employees to accept a policy requiring passwords to be a combination of numbers and characters. While we can create policies, if we fail to communicate and gain acceptance of the policies they will be ineffective (Stephanie D. H, CCNA, 2005).

A well-designed security plan requires the involvement of everyone in the enterprise. Proper training must be conducted while implementing security management in order to achieve a standard understanding throughout the enterprise. On the other hand, it is also important for management to gather opinions about the current security implementation from employees at different levels of the enterprise’s hierarchy. Both management and employees have to learn from each other in order to implement good security management.

Before new staff start work, enterprises may ask them to participate in a training program that introduces the structure of the enterprise, the responsibilities of each department and their business objectives. It is also important to include security education in this training program, focusing on policies, processes, and how to handle external customers during conversations. Besides training for new employees, security training can also be considered when the security plan is revised according to business needs.

Defending against Internet-based attacks

Since more systems and software rely on the internet, the number of attacks from the internet is increasing. Internet-based attacks are one of the major concerns for enterprises in today’s business environment. All enterprises that maintain a web presence are at risk of being attacked, but the level of risk is different for each enterprise. Factors to take into consideration when determining the risk level include the intellectual property or personal information maintained by the enterprise (Justin C, 2007).

Before discussing enterprise security, the first thing to understand is that enterprises are not homogeneous entities. The varied information systems located in their divisions are interconnected with each other as well as with the Internet. Some divisions may not value their information assets as highly as others.

As attacks from the internet are unavoidable, a security management plan has to include a solution to protect the enterprise’s assets. In small and medium enterprises, the security management team has to propose a plan for making use of the internet without compromising valuable information. For example, the management can split the business network into a business layer, an application layer and a database layer (Gergory, P.H, 2003). This arrangement makes the system more difficult to break into and the valuable information harder to reach. Across these layers, security applications such as firewalls and anti-virus software can be used to identify and reject attacks at the same time.

Industrial espionage and business intelligence gathering

Business intelligence helps enterprises gather and analyze useful information. In order to be more competitive in today’s business environment, small and medium enterprises especially use business intelligence to gain information about their competitors that can help improve decision making for their business. Common practices such as using web search engines to find publicly posted information, customer service analysis and data mining are useful methods when making use of business intelligence. But these methods are all time-consuming, so some small and medium enterprises choose industrial espionage to gain information from their competitors.

Industrial espionage is the sometimes illegal but very covert practice of investigating competitors to gain business advantages (Margaret R, 2012). The target of industrial espionage may be confidential information such as a product specification, business plans, or the maximum budget for a tender. Normally, an industrial spy simply breaks into the enterprise and seeks any information that is valuable.

Wireless devices and smart mobiles are widely used in enterprises. Since data is transferred over wireless networks, information is more susceptible to interception (Hedieh, N, 2005). With more advanced technology, it is more difficult to detect industrial espionage.

It is important for small and medium enterprises to understand their competitors and their drivers for committing such acts in order to know how and where to defend. The key to preventing industrial espionage is understanding the enterprise’s forte and how it links to possible drivers.

Governance issues in information security management

Information security governance is the responsibility of senior management, directors and executives (IT Governance Institute, n.d.). It is an integral and transparent part of an organization. The senior management team in an enterprise takes responsibility for considering the concerns raised by the security department and making decisions to solve security-related issues.

Information security governance in small and medium enterprises ensures employees’ responsibilities are clearly addressed, business threats are correctly identified and security policies are created based on business needs.

Due to the conflict between information security implementation and cost, neither the security officer nor the finance officer is the best person to make the decision. People at a higher management level who are able to consider both sides need to take over the responsibility and make the correct decision.

Personnel issues in information security

Nobody likes to deal with employee problems, but for security management this situation will definitely arise. The key is resolving the problem in a way that has as little impact as possible on the rest of the employees and, ideally, makes it possible to retain the employee in question (Tech Republic, 2006).

The best way to minimize the impact on information security is to resolve the existing personnel issue. The cost and potential risk to the enterprise are much lower than those of terminating the employee and hiring a replacement.

The first step is identifying the problem and understanding the reasons behind it. Employees are more productive with a positive attitude, which can be improved by a supportive working environment. Sometimes the problem is caused by an obstacle that is not under the employee's control. In this case, management should try to find a middle way to solve the problem that suits both parties.

The second step is monitoring after the solution has been applied. The problematic employee’s behavior can be considered a signal that the problem may be pervasive in the enterprise.

After going through all of the possible solutions, if there is no change in the employee’s behavior, the last step is triggering dismissal procedures.

Small and medium enterprises have a big concern about recruitment, where security infrastructure may mature at the stage. When an enterprise is terminating an employee, it is better to confirm that the employee will not trigger any legal issue. The contract between employee and enterprise has to state clearly that the employee cannot disclose information that is sensitive to the enterprise during or even after the period of employment. Accounts and access rights belonging to a terminated employee must be deactivated once the employee has left the enterprise.

When hiring new employees, small and medium enterprises must have a standard procedure, such as preparing terms and conditions of employment and providing proper training to educate employees in the enterprise's information security policy.

Physical security issues in information security

Physical security management protects the physical assets of an enterprise, such as the hardware of the product line, computers and documents. By restricting physical access and permission to sensitive documents, an enterprise can prevent computer service interruptions, physical damage to hardware and theft (Marianne S & Barbara G, 1996).

Physical security is used to ensure the confidentiality, availability and integrity of assets, as well as personal safety, which is the most important objective. It is the responsibility of all employees within the enterprise to make sure that it is well prepared for any physical interruptions. An enterprise can overcome interruptions more effectively after identifying the threats to physical security, thereby minimizing the risk from potential threats (Justin K, 2010).

Small and medium enterprises are at high risk of physical security issues where mobile devices are popular. For example, a CEO who loses a notebook that he works on and uses to store business-related documents may jeopardize the enterprise.

As another example, if a computer that belongs to a database administrator and is used to maintain backup files is stolen, the enterprise will lose the ability to recover in any emergency situation.

Physical security management can be split into external and internal. Internal threats can be avoided through physical access control, CCTV camera monitoring, and company visibility of temporary staff. External threats can be managed by protecting the perimeters of the enterprise, such as entrances and outside power sources.

Different departments in an enterprise may span different floors of the building. Physical access to different floors or locations of the enterprise has to be classified into different permissions based on the sensitivity of each area. With access control, an enterprise can prevent espionage, theft and intentional damage to its assets.

Cyber forensic incident response

Forensics is a process that uses scientific technology to collect, analyze and present information to the courts. Computer forensics is very important because it can help small and medium enterprises minimize the cost when involved in a legal case. From a technical point of view, the purpose of computer forensics is to identify, collect and analyze information in a way that preserves the integrity of the evidence collected so that it can be used effectively in a legal case (US CERT, 2008).

Cyber forensic incident response can be divided into three steps. The first step is acquiring evidence from the scene. The second step is preserving the evidence. The last step is examining the resources.

The immediate action at a scene that needs forensics is to secure the scene. Both physical and logical access to the affected devices, network, computers and systems must be restricted. Then make sure there is no change to the devices’ running state. If a device is turned off, do not switch it on, and take photos for future evidence.
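The acquire, preserve and examine steps above can be supported with cryptographic hashes. The following is an added example, not part of the original essay: it records a SHA-256 manifest at acquisition, keeps a hash-chained custody log, and re-checks both before examination. The file names, handler names and timestamps are constructed sample values.

```python
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large disk images do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire(evidence_dir):
    """Step 1 (acquire): record a SHA-256 digest for every collected file."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            path = os.path.join(root, name)
            manifest[os.path.relpath(path, evidence_dir)] = sha256_file(path)
    return manifest


def add_custody_entry(log, handler, action, timestamp):
    """Step 2 (preserve): append a custody record chained to the previous one."""
    prev = log[-1]["entry_hash"] if log else "0" * 64
    body = {"handler": handler, "action": action, "timestamp": timestamp, "prev": prev}
    entry_hash = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append(dict(body, entry_hash=entry_hash))


def verify_custody_log(log):
    """Return True only if no custody record was edited, removed or reordered."""
    prev = "0" * 64
    for entry in log:
        body = {k: entry[k] for k in ("handler", "action", "timestamp", "prev")}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["entry_hash"] != expected:
            return False
        prev = entry["entry_hash"]
    return True


def verify_evidence(evidence_dir, manifest):
    """Step 3 (examine): list files changed, missing or added since acquisition."""
    current = acquire(evidence_dir)
    problems = []
    for name in sorted(set(manifest) | set(current)):
        if name not in current:
            problems.append((name, "missing"))
        elif name not in manifest:
            problems.append((name, "unexpected"))
        elif manifest[name] != current[name]:
            problems.append((name, "modified"))
    return problems


def demo():
    """Run the three steps on constructed sample files and return the findings."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample evidence, not real case data.
        with open(os.path.join(evidence_dir, "auth.log"), "w") as f:
            f.write("constructed: failed login for user admin\n")
        with open(os.path.join(evidence_dir, "disk.img"), "wb") as f:
            f.write(b"\x00" * 1024)
        manifest = acquire(evidence_dir)
        log = []
        add_custody_entry(log, "examiner-a", "acquired 2 files", "2024-01-01T09:00:00Z")
        add_custody_entry(log, "examiner-b", "received for analysis", "2024-01-01T14:00:00Z")
        clean = verify_evidence(evidence_dir, manifest)
        # Simulate a change made to one file after acquisition.
        with open(os.path.join(evidence_dir, "auth.log"), "a") as f:
            f.write("line added after acquisition\n")
        tampered = verify_evidence(evidence_dir, manifest)
        log_ok = verify_custody_log(log)
        log[0]["handler"] = "someone-else"  # simulate an edited custody record
        return clean, tampered, log_ok, verify_custody_log(log)


if __name__ == "__main__":
    print(demo())
```

In practice the manifest and custody log would be stored separately from the evidence itself, so that a change to one cannot be hidden by changing the other.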

In small and medium enterprises, the common practice is to allocate forensic responsibilities to the IT team, which is not recommended. The reason is that the forensic team should not have a direct relationship with, or be under the command of, internal IT resources, as it should be impartial to the internal organization.

Conclusion

Information security management is an important part of small and medium enterprises, as it provides them with a secure way to manage and make use of their information. Small and medium enterprises concentrate on resource planning because they often encounter budget constraints and limitations; the same strategy is followed when dealing with security issues. While there are some aspects of security management that small and medium enterprises have to scale down compared to large enterprises, in certain areas small and medium enterprises have done better than large enterprises.

Enterprises first have to understand what needs to be protected, and then apply specific methods according to the requirement. Even though there is no immediate effect after implementing security management, it still has to be treated carefully and seriously. After implementing information security management, enterprises will be able to stay efficient, competitive and productive in today’s business environment.


