An important key to establishing any kind of security policy or regime is to assess and manage potential risks, and associated responses. Here, risk management fundamentals include:
- Understanding the true monetary value of information (and hence, associated risks).
- Understanding how information security relates to potential business problems (an important aspect of risk management).
- Understanding that the ramifications of an attack on computer systems or networks can include destruction or alteration of data, financial loss, misuse of resources, and damage to public confidence.
- Understanding how to perform a risk assessment, as described in Step by Step FF1 (which appears later in this section).
- Understanding the four options involved in handling risks, as shown in Table 2 (which appears later in this section).
| Option | Explanation |
|---|---|
| Eliminate the risk | Getting rid of the root cause of the risk. |
| Minimize the risk | Reducing the risk to an acceptable level of loss, damage, or harm. |
| Accept the risk | Recognizing the potential impact of a risk, and deliberately choosing to make no amelioration. |
| Transfer the risk | Taking out an insurance policy to transfer the potential impact of a risk in exchange for a fixed cost or premium. |
- Understanding risk analysis, which is the process of reviewing all aspects of a resource you seek to protect, to determine the possible risks to which that resource is subject, and then developing appropriate countermeasures to eliminate or reduce the risk as needed. Risk analysis relies either on quantitative analysis (measuring risk or loss in specific numerical terms) or on qualitative analysis (measuring risk or loss in subjective terms before assessing cost or value).
- Understanding data classification, which classifies data according to its value as part of risk assessment. Table 3 (which appears later in this section) covers numerous important potential classification criteria.
| Criterion | Explanation |
|---|---|
| Sensitivity | Although it may not do irreparable harm to an organization if everyone learned its payroll details, most organizations restrict that information on a need-to-know basis. It's a good idea to consider the implications of making data or some related resource public knowledge when assessing its sensitivity. The more sensitive a resource, the tighter its access controls should be. |
| Proprietariness | Some data related to practices, procedures, processes, or trade secrets that could blunt an organization's competitive edge if disclosed to outsiders can rightfully be viewed as valuable and private property. Here, the more private and/or valuable this property, the tighter its access controls should be. |
| Confidentiality | Some information is meant to be kept secret, restricted to only a small circle of authorized individuals. This includes financial plans or reports, upcoming sales or advertising campaigns, or other information that could adversely affect an organization if made public prematurely (or at all). Again, the more confidential and/or valuable such information, the tighter its access controls must be. |
| Privacy | Certain information may be obtained during interviews, research, investigation, or through privileged relationships that should never be made public. This could relate to doctor-patient or attorney-client privilege, or to reasonable or legal expectations of privacy. This helps explain why privacy policies are becoming so prevalent on Web sites and in customer-vendor interactions of all kinds. The more private such information, the tighter its access controls must be. |
| Potential liability | Beyond privacy concerns, legal agreements, such as nondisclosure, employee, copyright, or other contracts, may require an individual or organization to preserve information provided by or through a third party. Given that unauthorized disclosure can lead to legal and financial penalties in many cases, information held in trust for or on behalf of others must also be subject to tight access controls. |
| Intelligence value | Seemingly innocuous documents such as telephone lists, discarded paperwork, purchase orders, and the like can often reveal valuable information to competitors or malefactors. When tempted to assume that a document or resource has no value and therefore needs no access controls, ask “What's the worst that could happen if our competitors got this?” or “How could this information be used to subvert or bypass security measures?” Very few documents require no access controls at all, unless specifically designed for public use. |
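The following is an added example, not part of the original text, showing how a quantitative risk analysis feeds the choice among the four handling options in Table 2. It assumes the standard annualized loss expectancy model (SLE = asset value × exposure factor; ALE = SLE × annualized rate of occurrence), which the text itself does not spell out, and every monetary figure, the sample risk, and the candidate responses are constructed for illustration.

```python
"""Quantitative risk analysis against the four handling options from Table 2.

Added example, not from the original text. Assumes the standard ALE model:
    SLE (single loss expectancy)      = asset value * exposure factor
    ALE (annualized loss expectancy)  = SLE * ARO (incidents per year)
All figures below are constructed, not drawn from any real organization.
"""
from dataclasses import dataclass

# The four options from Table 2; each candidate response must name one of them.
OPTIONS = ("Eliminate the risk", "Minimize the risk", "Accept the risk", "Transfer the risk")


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float       # monetary value of the resource at risk
    exposure_factor: float   # fraction of that value lost per incident, 0.0..1.0
    aro: float               # expected number of incidents per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Response:
    name: str
    option: str              # one of OPTIONS
    annual_cost: float       # control cost, premium, or lost business value per year
    residual_factor: float   # share of the ALE that remains: 0.0 eliminated, 1.0 unchanged

    def __post_init__(self):
        if self.option not in OPTIONS:
            raise ValueError(f"unknown handling option {self.option!r}")
        if not 0.0 <= self.residual_factor <= 1.0:
            raise ValueError("residual_factor must lie between 0 and 1")

    def annual_exposure(self, risk: Risk) -> float:
        """Residual expected loss plus what the response itself costs each year."""
        return risk.ale() * self.residual_factor + self.annual_cost


def rank_responses(risk: Risk, responses: list) -> list:
    """Order candidate responses by total annual exposure, lowest first."""
    return sorted(responses, key=lambda r: r.annual_exposure(risk))


def recommend(risk: Risk, responses: list) -> Response:
    """The response with the lowest total annual exposure."""
    return rank_responses(risk, responses)[0]


# Constructed sample: a customer-facing web server subject to defacement.
WEB_DEFACEMENT = Risk("web server defacement", asset_value=200_000,
                      exposure_factor=0.25, aro=2.0)

CANDIDATES = [
    Response("do nothing", "Accept the risk", annual_cost=0, residual_factor=1.0),
    Response("patching program plus web application firewall", "Minimize the risk",
             annual_cost=30_000, residual_factor=0.25),
    Response("cyber insurance policy with deductible", "Transfer the risk",
             annual_cost=40_000, residual_factor=0.5),
    Response("retire the public site (lost revenue counted as cost)", "Eliminate the risk",
             annual_cost=150_000, residual_factor=0.0),
]

if __name__ == "__main__":
    print(f"SLE {WEB_DEFACEMENT.sle():,.0f}   ALE {WEB_DEFACEMENT.ale():,.0f}")
    for r in rank_responses(WEB_DEFACEMENT, CANDIDATES):
        print(f"{r.annual_exposure(WEB_DEFACEMENT):>10,.0f}  {r.option:<20}  {r.name}")
```

With these constructed numbers the ALE is 100,000 per year, and minimizing the risk (25,000 residual plus 30,000 in controls) beats transferring it, accepting it, or eliminating it. The ranking is only as good as the estimates behind it, which is why a qualitative analysis (ordering likelihood and impact in categories rather than currency) is often used first and the numbers refined afterwards.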
Likewise, basic tenets of security involve:
- Identifying and classifying sensitive data.
- Understanding the need for access controls, and how they may be applied.
- Ways to protect data and systems, including passwords, encryption, access controls, and backups.
- Avoiding common security errors, such as top vulnerabilities identified by SANS (these are covered in Chapter 1, “Information Security Essentials”).
- Assigning trained people to maintain security.
- Dealing directly and adequately with operational aspects of security.
- Ensuring that the overall security infrastructure is appropriate, so that it is not necessary to rely on firewalls or other boundary devices to provide security.
- Developing a proactive and aggressive stance toward dealing with security problems (rather than avoiding them).
- Understanding that computer information security is an ongoing process, not something easily satisfied by installing antivirus software or applying a few patches to a computer operating system.
- The three cornerstones of information security are data availability, data integrity, and data confidentiality.
  - Data availability means that information is available whenever it's needed. This requires planning to avoid or mitigate denial-of-service attacks.
  - Data integrity means that once stored, data remains pristine and unaltered. Achieving data integrity requires establishing correct access controls, installing active checks on integrity to detect potential compromise (such as one-way hash functions or checksum databases), and maintaining backups to restore possibly compromised data.
  - Data confidentiality means that information is available only to those with a valid need to know. Here, correct access controls and active means to protect data in storage or in transit, including encryption, help ensure proper confidentiality.
- Understanding what kinds of attackers perpetrate security attacks, as described in Table 4 (included later in this section).
- Understanding what motivates hackers, which is essential to protecting your information assets. Possible motives include money, personal grievance, curiosity, mischief, peer and public attention, and competitive advantage.
- Recognizing and understanding the categories into which security attacks may fall, as described in Table 5 (included later in this section).
- Understanding how and why to develop a security policy, which is a set of rules and guidelines that dictate how an organization should protect, manage, and enforce controls over its assets. See Table 6 later in this section for the categories of coverage in a security policy.
- A clear definition and understanding of user authentication, the method whereby users prove their identities to a system, and of the various methods by which authentication may be performed.
- An understanding of security administration, which defines the practices and procedures whereby a security policy is implemented, audited, maintained, and enforced.
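The data integrity cornerstone above names one-way hash functions and checksum databases as active checks that detect compromise. The block below is an added example, not code from the original text, of such a check: it records a baseline of SHA-256 digests for a directory tree, stores it as JSON, and later reports files that were altered, removed, or added. The directory tree and its contents are constructed inside a temporary directory so the example runs offline.

```python
"""Checksum-database integrity check (added example, not from the original text).

Records a baseline of SHA-256 digests (a one-way hash) for every file under a
root directory, then compares the tree against that baseline. The sample
tree built in demo() is constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALG = "sha256"


def file_digest(path: Path) -> str:
    """Stream the file through the hash so large files never load fully into memory."""
    h = hashlib.new(HASH_ALG)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify(root: Path, baseline: dict) -> dict:
    """Report files whose digest changed, baseline files now missing, and new files."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Build a constructed tree, snapshot it, change it, and verify against the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen = 443\n")
        (root / "etc" / "users.txt").write_text("alice\nbob\n")

        # In practice the baseline belongs on read-only or signed storage: anyone
        # who can rewrite it can hide changes. It is round-tripped through JSON
        # here only to show the stored form.
        stored = json.dumps(build_baseline(root), indent=1)
        baseline = json.loads(stored)

        # Three kinds of change an integrity check should catch.
        (root / "etc" / "users.txt").write_text("alice\nbob\ncarol\n")  # altered
        (root / "etc" / "app.conf").unlink()                               # removed
        (root / "etc" / "extra.txt").write_text("unexpected\n")            # added

        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

A detected change is only the first half of the control: the backups the same cornerstone calls for are what let you restore the altered file once the check has flagged it, and the baseline must be refreshed deliberately after every authorized change or the check drowns in false positives.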
An appreciation for the importance of physical security arrangements, and for the methods of establishing them, is another cornerstone of best security practices. This topic is covered in its own section under this general heading.
The extent of your physical security arrangements depends upon the sensitivity of your data and the level of perceived threat. A physical security plan may include some or all of the following measures:
- Access Control Devices. Range from a simple lock on the door to sophisticated biometric devices that use fingerprints, retinal scans, or voiceprint patterns to identify personnel before granting access to sensitive facilities.
- Surveillance Devices. Permit active monitoring of sensitive areas 24 hours a day. Where 24-hour security is maintained, you may have your devices monitored by a security guard. If a building is unmanned during evening hours, you may attach motion detectors to a system that pages responsible personnel if an alarm is triggered. Be sure to comply with local laws if using surveillance devices.
- Environmental Monitors. Provide relatively inexpensive early warnings of physical threats and may even provide insurance discounts. Don't neglect the devastating effects that fire, flood, or other disasters (natural or man-made) might inflict on your systems.