It has been almost a month since my last posting, as I have taken a longer summer vacation. Back from vacation. Here is something that would be useful for visitors who want to tighten their environment and comply with the statutory authorities. This posting is a continuation of the earlier postings PeopleSoft Security SOX/HIPAA Part 1 & 2. There is NO silver bullet for IT security. The more an organization is prepared to mitigate risk, the lower the chance of damage. Especially for companies whose applications are exposed to the outside world, the constant risk of a security breach is very high. Every big organization has security policy guidelines of its own. Going through your company's security policy and checking the area you are responsible for would be a good start to make sure that your applications and procedures are secured.
The Information Security Alliance recommends having a security model and designing and implementing the security policy according to the model chosen by your company. Many organizations that I have interacted with had a security policy that they drafted more than 10 or 20 years ago and never updated.
I feel the security policy should be revisited and evaluated at least once a year and updated according to the latest trends and requirements of changes in the IT world, and also to the changes recommended by the compliance authorities. According to the Internet Security Alliance's "Annual Privacy Report 2008", the privacy landscape has changed significantly over the past year. Many new laws and regulatory requirements are creating new risks and compliance requirements which impact operations in numerous ways. In addition, the U.S. has a number of privacy laws pending at the federal level, and the Federal Trade Commission has continued its enforcement role in the privacy arena. The main reason that corporations do not change policies often is that implementing changes in a security policy is very difficult, time consuming and costly, especially for corporations with a global presence. There are six categories of security that need to be addressed: Hardware, Software, Networks, Automation, Humans and Suppliers. Equal importance should be given to all six. Leaving one of them uncovered would undermine the security precautions taken in the other areas.
Generally, cyber security is described in terms of a "Risk Triangle". The triangle consists of Threats, Consequences and Vulnerabilities.
Most security policies cover areas like "Guarding Physical Equipment" and "Protecting Electronic Access Ports", but they are silent on "Tracking Physical Equipment" among the Hardware vulnerabilities. In the case of Software Access vulnerabilities, most policies cover "Management of Passwords and Biometrics", "Authentication Policies" and "Management of Document Authenticity" extensively, but they normally ignore or do not cover "Monitoring of Access or Access Attempts" and "Management of Encryption Keys and Digital Certificates".
In the case of Automation vulnerabilities, they only cover "Backup Procedure and Security" but not "Remote Sensors and Control Systems". There are many security models followed by organizations, like the traditional "CIA Model" [CIA stands for Confidentiality, Integrity and Availability] and the "VEN Model" developed by Burton Group [VEN stands for Virtual Extended Network].
When analyzing security threats, the risks which would impact the company's finances, reputation, market share and productivity are to be addressed first and prioritized in that order. If you are interested in knowing more about the IT security checklist issued by the U.S. Cyber Consequences Unit, click here. [More to come..]