PART III


Risk Mitigation Process


Logically, the first strategy in managing risk is to try to prevent threats from exploiting existing vulnerabilities. Although we cannot reduce all risk, there is no doubt a well-implemented risk management strategy will reduce the probability of most of the risks occurring.

Part III discusses preventive controls that an organization should consider when developing protection strategies to minimize risks. It begins with Chapter 15, which highlights the importance of incorporating security considerations in system development and how this could be achieved. Chapter 16 discusses the more often trivialized issue of physical and environmental security controls and their importance as the first layer of defense.

A successful information assurance program can be achieved by the correct emphasis on people, process, and technology.

Chapter 17 highlights the importance of awareness, training, and education as a proactive strategy in trying to prevent a security incident. Finally, Chapters 18 and 19 discuss the technical aspects of preventive tools and techniques with special focus on access control.

Quick Answers

Q:   How do I make sure that the access control implemented in my organization a year ago still meets my current requirements?

A:   In today’s world of changing technology, nothing is perfect. The best way to deal with this situation is to conduct an information security access control audit. An audit is an effective way to determine the level of compliance that the organization has with its access control policies and procedures. Taking into consideration the imperfect world we live in, organizations are encouraged to prepare for preventing information security incidents rather than reacting to them, and a regular access control audit is a good way to confirm that the controls implemented a year ago still match today’s requirements. Furthermore, it is a relatively inexpensive method and far more cost effective than recovering from the damages of an information security incident. Moreover, it provides an objective assessment of how secure an organization actually is.

Q:   What should one bear in mind when developing awareness or training materials?

A:   Training should always be customized to the needs of the organization and the type of industry the organization is in. Thus, it is crucial that the training materials be developed in a customized manner, taking into consideration the organization, the industry, and, most importantly, the type of audience attending the training.

Q:   What should be the contents of awareness programs and training programs?

A:   Any development program should be targeted to improve behavior, skills, and knowledge. Awareness contents aimed at improving and changing the behavior of participants should focus on elements such as password usage and management, protection from viruses, web usage, and laptop information assurance practices, whereas training program contents should be based on the skills the trainer wants the audience to learn and apply, such as how to conduct an information assurance audit.

Q:   Usually, awareness sessions tend to be so boring; how can I make awareness sessions more fun?

A:   It is a common perception that awareness sessions can be uninteresting; thus, there is a need to ensure the training materials are interesting. In addition, the trainer should be someone who is capable of captivating the audience not only with knowledge and materials but also by communicating in a clear and interesting manner. Training materials should be interactive and require participation from the learners. Thus, video, multimedia presentation, role-playing, and case studies are often used to make the training materials more appealing to the audience.

Q:   Rather than just encrypting important files, why don’t I encrypt all information on my computer?

A:   Whole drive and whole device encryption is the best approach; however, the processes of encryption and decryption are time consuming and can cause incompatibility with software. Careful testing is necessary to ensure software remains operational and performance is not impacted by the encryption.

Q:   Which is of more importance: network information security or physical and environmental security?

A:   Physical and environmental security is as important as network information security. Physically securing information resources should be an organization’s first line of defense in securing its business. If physical security is not properly addressed, all the other information assurance controls would be void. Thousands of dollars can be spent on implementing the most current information assurance technologies on company servers, but if the servers are not physically secured, this may prove to be a costly lesson. Physical and environmental security safeguards organizations against physical damage, physical theft, unauthorized disclosure of information, and other threats.

Q:   Why do I need to practice proper media disposal?

A:   Proper disposal of media is essential to ensure that the security of sensitive information, such as personnel records, financial data, and proposals, is not compromised. It is a false impression that deleting a file or a record deletes it forever. Unfortunately, such deletion does not permanently destroy information. Media should be properly sanitized using multiple erasure techniques before disposal to prevent unauthorized retrieval and use of information. Merely formatting a disk does not protect you.
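The answer above states the principle (deleting a file does not destroy its contents; media must be sanitized before disposal). The following is an added illustration, not code from the book: a small Python routine that overwrites a file's blocks in place with several passes before unlinking it, which is the overwrite form of the "erasure techniques" the answer refers to. The file name and the sample record contents are constructed for the example. Overwriting in place is only meaningful on media where a write lands on the same physical location as the original data; on solid-state drives and on journaling or copy-on-write file systems that assumption does not hold, so for those devices the appropriate sanitization is the device's own secure-erase command or destruction of the key of an encrypted volume, and ultimately physical destruction for the highest sensitivity.

```python
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files do not need to fit in memory


def _overwrite_pass(fh, size: int, fill) -> None:
    """Rewrite the first `size` bytes of an open file with data from `fill(n)`,
    then flush and fsync so the pass reaches the device, not just the page cache."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(CHUNK, remaining)
        fh.write(fill(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def sanitize_file(path: str, passes: int = 3) -> dict:
    """Overwrite `path` with random data `passes` times, then once with zeros,
    then unlink it. Returns a report of bytes overwritten and passes performed.

    Caveat (added here, not from the book): this is effective for in-place
    storage such as magnetic disks. On SSDs (wear levelling) and on journaling
    or copy-on-write file systems the old blocks may survive; use the device's
    secure-erase facility or crypto-erase of an encrypted volume instead.
    """
    size = os.path.getsize(path)
    # "r+b" opens for read/write without truncating, so the existing blocks
    # are rewritten rather than a fresh allocation being created.
    with open(path, "r+b") as fh:
        for _ in range(passes):
            _overwrite_pass(fh, size, os.urandom)
        _overwrite_pass(fh, size, lambda n: b"\x00" * n)
    os.remove(path)
    return {"bytes": size, "passes": passes + 1}


def demo() -> dict:
    """Create a constructed sample 'personnel records' file, sanitize it,
    and return what happened so the result can be checked."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "personnel_records.txt")  # constructed name
    sample = b"constructed sample: employee 0001, salary band C\n" * 100
    with open(path, "wb") as fh:
        fh.write(sample)
    report = sanitize_file(path, passes=2)
    report["still_exists"] = os.path.exists(path)
    report["original_size"] = len(sample)
    os.rmdir(tmpdir)
    return report


if __name__ == "__main__":
    print(demo())
```

The routine deliberately fsyncs after every pass: without it, successive passes may collapse into a single write in the page cache and only the final pattern reaches the disk, which defeats the purpose of multiple passes. For a whole drive rather than a single file, the same idea applies to the block device, but the device-level caveats in the lead-in decide whether overwriting is the right technique at all.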
