Organizations need an information security strategy, regardless of industry or annual revenue, but where do you start? And once you start, how do you ensure the security strategy is implemented correctly and maintained over time? This blog discusses a practical approach, from start to finish, on planning, building, implementing, and maintaining an information security program for the modern-day enterprise.
Knowledge is power. It is self-evident that computing technology has permeated every aspect of our lives. We use computers at work, and we play on them at home; we watch movies on tablets, check email from our watches, make credit card purchases with our mobile phones, and adjust our Internet of Things (IoT) home appliances over the Internet.
These technological advances allow us to be more productive and entertained but also create many security risks. If we can gain knowledge about information security concepts and how to apply them, we will have the ability (or the power) to evolve alongside the ever-changing technology landscape.
What is information security? According to US law 44 USC, Sec. 3542, information security is defined as [the process of] “protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.”
In short, information security means protecting our IT assets. The way we protect our assets from opposing forces will vary greatly. Natural disasters, power failures, disgruntled employees, and malicious threat actors against our network are all potential dangers.
Our information assets, such as data, are equal to, if not more valuable than, our physical assets. We must also protect our people physically and from a productivity perspective. People are our most valuable assets; without them, the wheels of commerce come to a grinding halt.
There is typically an inverse relationship between productivity and security – as one increases, the other decreases. For example, we can place high-security levels around every asset we control, but at what cost to budget and productivity? Suppose we place razor wire fencing, double-door biometrics, fingerprint controls, and ten layers of firewalls to prevent unauthorized access to a server containing publicly accessible information. Is this a useful trade-off for employee productivity? Is this a compelling return on investment from the information security budget? We must negotiate an effective balance.
CIA Triad
By definition, information security means protecting our assets, and more specifically, our information assets. In practice, information security means applying the principles of confidentiality, integrity, and availability in balanced measures such that each has overlapping coverage. In a Venn diagram, information security is the region where these principles overlap.
Confidentiality – We must ask, what happens if the wrong person gains access to the data? To address this element, we must put controls or mechanisms in place that ensure only authorized people can access the data. An example would be multi-factor authentication. This uses more than one of the following categories to authenticate yourself: something you have (token), something you know (password), or something you are (biometrics). Another example would be data encryption. For further reading on confidentiality and its role in information security, see our CIA Triad – Confidentiality blog.
Integrity – We must ask, what happens if someone unauthorized changes the data? To address this element, we put mechanisms or controls in place that ensure data remains unchanged from its original state– at rest, in transit, or in use. An example would be using a hashing algorithm to create a hash (or fingerprint) of the file and then later running that algorithm again to create another hash. If the hashes match, then we can ensure the file has not been altered or changed. For further reading on integrity and its role in information security, see our CIA Triad – Integrity blog.
Availability – We must ask, what happens if someone unauthorized deletes the data or makes it unavailable? To address this element, we put mechanisms or controls in place to ensure that resources are available for authorized people when needed. A few examples would be fault-tolerant disk systems (such as arrays) or redundant power supplies for those systems. For further reading on availability and its role in information security, see our CIA Triad – Availability blog.
The CIA triad is the foundation on which we build our information security program, and there are two leading schools of thought on how to accomplish that – using a compliance-based approach or a risk-based approach.
Compliance-based information security programs focus on satisfying the legal and/or regulatory requirements of the industry in which the organization is operating. A compliance-based information security approach is usually more palatable for smaller organizations, for those with fewer security resources or a less mature security program. Compliance-based information security programs tend towards a “checking the box” mentality to satisfy auditors and various regulatory requirements to which they are subject. While meeting compliance requirements and passing audits are certainly paramount, remember that these requirements exist to set minimum standards for protecting the customers we serve.
Compliance requirements are not meant to take the place of intentionally developing a sound foundation for information security based on the organization’s specific needs. If we allow our information security program to develop organically, we wind up tacking things on in a reactive way as we encounter specific issues, audit findings, and other such drivers. As a result, we will likely end up with an unbalanced security program.
Risk-based security programs represent the more planned and intentional methodology for constructing a security program because it is based on the actual risks that pertain to the organization, not generic requirements. The risk-based approach usually results in a stronger information security program and accomplishes compliance as a by-product. However, a risk-based approach is also more resource-intensive and may not apply well to all organizations, particularly those that are very small in size or with tight resource constraints. If given the option, a risk-based approach is recommended and will be discussed in greater detail. A risk-based approach does not mean we disregard compliance; it simply means that compliance becomes one factor in our decision-making rather than the driving force.
The risk-based approach embodies an iterative process of Identifying information assets, identifying the threats to those information assets, assessing vulnerabilities, assessing the risks of those vulnerabilities, and finally mitigating the risks. This process of asset identification, threat identification, vulnerability assessment, risk assessment, and remediation, as depicted in the figure below, is continuously repeated as the organization changes and as new threats emerge.
Vulnerabilities are a weakness that lacks protective countermeasures. A threat is the danger of something or someone taking advantage of a vulnerability. Risk is how likely it is that a threat will exploit a vulnerability. We install or perform a control in the environment to mitigate risk.
In the next blog in this series, we will discuss using a risk-based approach to plan out our information security strategy in greater detail.
BlueAlly consultants have a long history of working with clients in regulated industries such as utilities, healthcare, and the financial sector. We can work with your teams to identify and mitigate the risks your Firm faces in a cost-effective and comprehensive manner.
To learn more, contact us about the assessments we can perform to address any concerns and improve your security.