Sunday, June 16, 2013

National Mirror: Understanding the concept of Information Security

Jun 16th 2013, 23:00

In the past few years there have been several highly publicized security incidents, ranging from fraud to terrorism. These events demonstrate the need for comprehensive disaster recovery plans and controls, whether in an organization or a government. Threats present themselves in various forms, internal or external: disgruntled employees, social engineering, human error and neglect.

There is a compelling need to address IT governance and compliance issues with a formal information security program, backed by an annual audit and internal controls to mitigate threats and vulnerabilities.

Establishing a culture of information security is critical. An effective security program reduces the high cost an organization incurs when an unmanaged risk materializes. However, the way an organisation approaches information security issues will depend on its appetite for risk.

Security controls are safeguards or counter-measures to avoid or minimize security risks to physical property, information or computer systems, and can be classified by several criteria:

Preventive controls are intended to prevent an incident from occurring.

Detective controls are intended to identify and characterize an incident in progress.

Corrective controls are intended to limit the extent of any damage caused by the incident, e.g. by recovering the organization to normal working status as efficiently as possible.

Security controls can also be categorized according to their nature: physical controls, procedural controls, technical controls, and legal and regulatory controls.

Information security controls protect the confidentiality, integrity and availability of information.

Risk-aware organisations may proactively choose to specify, design, implement, operate and maintain their security controls, usually by assessing the risks and implementing a comprehensive security management framework such as ISO/IEC 27002, the Information Security Forum's Standard of Good Practice for Information Security, or NIST SP 800-53. Organizations may also opt to demonstrate the adequacy of their information security controls by being independently assessed against certification standards such as ISO/IEC 27001.

In trying to implement the security controls, there are some P's you need to be conscious of. Although this set of ideas can be applied to most aspects of business, it is especially helpful in understanding the success or failure of a security program in a given organisation.

The most critical stage in performing a risk assessment is the review of policies and procedures, often called the P&P.

The P&P review is an initial assessment to see whether an organization has laid the groundwork for a successful security program. Without policies and procedures, chaos rules, and day-to-day operations are inconsistent and ineffective. Policies and procedures clarify what the organization wants to do, why it should be done, and how to do it.

Policies

The foundation of all security is strong policies. A policy is a statement of intent. It sets the expectations of performance as well as the standards of behaviour for an organization. A policy guides decisions, provides consistency, and defines the corporate culture. To be effective, a policy must be clear and well-written, leaving little open to interpretation.

Procedures

A policy is only a set of guidelines; it is implemented through procedures. A procedure is a set of discrete steps outlined to accomplish a specific task. Procedures normally include step-by-step instructions and any useful or required forms. These instructions and forms are used to ensure compliance with all standards and policies.

Procedures can assume basic competency in the role of the person performing the task, but each procedure should be written in sufficient detail that the task can be accomplished by someone who has never previously performed it.

Practices

Practices can be either best practices or common practices. A best practice is a method or technique that has consistently shown results superior to those achieved by other means. Most organisations seek out related best practices as they develop their in-house practices to accomplish goals like these:

Many sources of best practice information and guidance are available for both IT professionals and security professionals. Microsoft even provides tools to check that critical server components are configured in accordance with best practices, with best practice analyzers for SQL Server, Exchange, and even Lync Server.

Common practices, on the other hand, arise from culture, habit, or even poorly defined policies and procedures. Common practices that violate security policies and procedures include sharing a single administrative password among all system administrators, and administrators excluding themselves from password complexity and expiration requirements.
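As an added example (not part of the original article), the following Python script audits a constructed account inventory for exactly those two common practices: identical credential hashes among administrators, which on a Windows domain reveal a shared password because NT hashes are unsalted, and administrators flagged as exempt from expiration or complexity rules. The account records, field names, policy thresholds and the SHA-256 stand-in for the real hash are all assumptions made for this example.

```python
"""Audit an account inventory for two common practices that violate
password policy: a shared administrative password, and administrators
exempt from complexity or expiration requirements.

Added example. The records below are constructed sample data, not an
export from any real system, and the field names are assumptions."""
import hashlib
from collections import defaultdict
from datetime import date

# Policy parameters assumed for this example.
MAX_PASSWORD_AGE_DAYS = 90
AUDIT_DATE = date(2013, 6, 16)   # fixed so the results are deterministic


def nt_style_hash(password):
    """Stand-in for an unsalted credential hash. Real NT hashes are
    unsalted MD4 over the UTF-16LE password, which is exactly why two
    identical hashes prove two identical passwords. SHA-256 is used here
    only because MD4 may be unavailable in the Python build."""
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


# Constructed inventory (not real accounts). A real audit would read the
# hashes from the directory; plaintext appears here only to build the sample.
SAMPLE_ACCOUNTS = [
    {"name": "admin.alice", "admin": True, "pwd_hash": nt_style_hash("Adm1n-Shared!"),
     "never_expires": False, "complexity_exempt": False, "last_set": date(2013, 5, 1)},
    {"name": "admin.bob", "admin": True, "pwd_hash": nt_style_hash("Adm1n-Shared!"),
     "never_expires": True, "complexity_exempt": False, "last_set": date(2012, 11, 20)},
    {"name": "admin.carol", "admin": True, "pwd_hash": nt_style_hash("Xk9#pLq2vM"),
     "never_expires": False, "complexity_exempt": True, "last_set": date(2013, 6, 1)},
    {"name": "dave", "admin": False, "pwd_hash": nt_style_hash("Summer2013"),
     "never_expires": False, "complexity_exempt": False, "last_set": date(2013, 1, 10)},
    {"name": "svc.backup", "admin": True, "pwd_hash": nt_style_hash("Backup#2011"),
     "never_expires": True, "complexity_exempt": False, "last_set": date(2011, 3, 3)},
]


def audit_accounts(accounts, today=AUDIT_DATE, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a sorted list of (account name, finding) tuples for every
    administrative account that violates the assumed password policy."""
    findings = []

    # 1. Shared administrative password: group admins by credential hash;
    #    any group larger than one is sharing a password.
    by_hash = defaultdict(list)
    for acct in accounts:
        if acct["admin"]:
            by_hash[acct["pwd_hash"]].append(acct["name"])
    for names in by_hash.values():
        if len(names) > 1:
            group = ",".join(sorted(names))
            for name in names:
                findings.append((name, "shared-admin-password:" + group))

    # 2. Administrators excluded from expiration or complexity requirements,
    #    plus the practical consequence: a password that has outlived the
    #    maximum age the policy sets for everyone else.
    for acct in accounts:
        if not acct["admin"]:
            continue
        if acct["never_expires"]:
            findings.append((acct["name"], "password-never-expires"))
        if acct["complexity_exempt"]:
            findings.append((acct["name"], "complexity-exempt"))
        age = (today - acct["last_set"]).days
        if age > max_age:
            findings.append((acct["name"], f"password-age-{age}d-exceeds-{max_age}d"))

    return sorted(findings)


if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name:12s} {finding}")
```

Non-administrative accounts are deliberately left out of the shared-password check: the article's point is the administrators' exemption from their own rules, and a real audit would compare admin hashes against the whole directory in a second pass.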

Clearly, information security is a strong factor to consider in the ever-changing information technology landscape.
