Sunday, October 27, 2019

Information Security Management Plan

Cyber security is about protecting your computer-based equipment and information from unintended or unauthorised access, change, theft or destruction (HM Government, 2015). You can manage the risks by planning, implementing and reviewing your Information Security Management System. The following are the key points of an Information Security Management Plan.

Risk Assessment and Analysis

The company should assess the security risks or damage that could be caused to the system, personal data, valuables or confidential information if there were a security breach. There are a number of measures that can be used to prevent security breaches or limit the damage if they do occur. “There is no single product that can provide 100% protection to your business … the key approach is to have a layered approach by combining different tools and techniques. If one layer fails then others are there to prevent the threat” (ICO, 2012). Organisations that do not perform a threat and risk analysis are leaving themselves open to situations that could disrupt, damage or destroy their ability to conduct business. It is the responsibility of staff and management to educate and train themselves in risk analysis to protect their business from threats. A report published by HM Government (2015) indicates that in 2014, 60% of small businesses experienced a cyber breach.

Security and Intrusion

Ensure that anti-virus and anti-malware software are installed on your servers and PCs and that the network is regularly scanned to prevent or detect threats. Threats can be human (hackers, theft, accidents, DDoS (Distributed Denial of Service), untrained staff and so on) or non-human (floods, lightning strikes, viruses, fire, electrical faults, earthquakes etc.). Use an IDS (Intrusion Detection System). Ensure that a firewall and Windows Defender are installed to prevent intrusion into the network.
Also ensure that they are kept up to date.

Access Controls

Ensure that access controls are adopted. There are two types of access control (CISSP, 2012): logical and physical. Logical access control is done via access control lists (ACLs), group policies, passwords and account restrictions. An ACL provides detailed access control for objects (spreadsheets, accounts or data). Group policies allow a system administrator to configure user accounts (permissions, privileges etc.). Passwords are “the most common logical access control, sometimes referred to as a logical token” (Ciampa, 2009). Password protection should be used to protect PCs and access to confidential data or sensitive information. Encryption is another means of ensuring that data can only be accessed by authorised users.

Password Control

Create a strong password and remember it (Microsoft, n.d.). A limit on the number of failed login attempts should be introduced. Regular password changes should be enforced. If a member of staff is absent for a long time or has left and the account is unused, the account should be disabled or deleted. Any unauthorised access to objects or resources should be reported to management.

Physical access control uses physical barriers to prevent unauthorised users from accessing the computer or server room, premises or building. This type of control includes video surveillance with CCTV, smart card access with a password for authentication, mantraps, biometrics and so on.

Employee Awareness and Training

All employees should be trained to recognise threats such as phishing emails and other malware. Staff should also be trained to identify unauthorised personnel trying to gain entry into restricted areas. Such incidents should be reported to the security manager.

Segmentation

Prevent or limit the severity of data breaches by separating and limiting access between your network components (ICO, 2012). For example, your web server should be separate from your main file server. This means that if your website were compromised the attacker would not have direct access to your central data store.

Device Hardening

Ensure that unused software and services are removed from your devices (ICO, 2012). If you don’t use it, it is much easier to remove it than to try to keep it up to date. Make sure you have changed any default passwords used by software or hardware; these are well known to attackers.

Policies

A policy will enable you to make sure you address the risks in a consistent manner. Well-written policies should integrate well with business processes. Check that the existing policies, procedures and protection measures in place are adequate; otherwise there is a risk of vulnerabilities. A review of the existing and planned safeguards should be performed to determine whether the previously known and discovered risks and threats have been mitigated.

Remote Access Control

If the company’s internal network is accessed over the Internet, then the company should employ a secure Virtual Private Network (VPN) accompanied by strong two-factor authentication, using either hardware or software tokens (FCC, n.d.).

Data Backup

The data must be backed up regularly, and the backup media should be stored in a fireproof safe or at a remote site. A backup policy should be created covering the storage location, the data restoration process and the backup schedule. One person should be nominated to look after the backup system.

Data Loss Recovery Plan

A plan for recovering from the unexpected loss of data (whether due to human error or natural disaster) should be put in place. Data loss can expose the business to significant litigation risk (FCC, n.d.) and hurt your brand and customer confidence.
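The Access Controls and Password Control sections above list three account rules: limit failed login attempts, enforce regular password changes, and disable accounts that are unused or belong to departed staff. The script below is an added example (not from the original post) that applies those rules to constructed sample accounts; the thresholds (5 attempts, 90 days, 60 days), the account names and the reference date are assumptions chosen for illustration, and the review report is what a security manager would receive.

```python
"""Account-policy checks for the Access Controls / Password Control sections.
Added example, not from the original post. Thresholds and the sample accounts
are constructed assumptions chosen for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5      # assumption: lock after 5 consecutive failures
MAX_PASSWORD_AGE_DAYS = 90   # assumption: force a change after 90 days
MAX_INACTIVE_DAYS = 60       # assumption: disable accounts unused for 60 days


@dataclass
class Account:
    name: str
    password_set: date
    last_login: Optional[date]
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False
    must_change_password: bool = False
    events: List[str] = field(default_factory=list)


def record_login_attempt(acct: Account, success: bool, today: date) -> bool:
    """Apply the failed-attempt limit. Returns True only for an accepted login.
    A success resets the counter; a locked or disabled account rejects
    everything, and the attempt is logged for management to review."""
    if acct.disabled or acct.locked:
        acct.events.append(f"{acct.name}: attempt on locked/disabled account")
        return False
    if success:
        acct.failed_attempts = 0
        acct.last_login = today
        return True
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        acct.events.append(f"{acct.name}: locked after {acct.failed_attempts} failures")
    return False


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Periodic review: disable stale accounts, expire old passwords and report
    locked accounts. Returns (account, finding) pairs for the security manager."""
    findings = []
    for a in accounts:
        if a.disabled:
            continue
        idle = (today - a.last_login).days if a.last_login else MAX_INACTIVE_DAYS + 1
        if idle > MAX_INACTIVE_DAYS:
            a.disabled = True          # absent or departed staff: disable
            findings.append((a.name, "disabled: inactive"))
            continue
        if (today - a.password_set).days > MAX_PASSWORD_AGE_DAYS:
            a.must_change_password = True
            findings.append((a.name, "password expired"))
        if a.locked:
            findings.append((a.name, "locked: failed attempts"))
    return findings


TODAY = date(2019, 10, 27)   # constructed reference date (the post's date)


def sample_accounts() -> List[Account]:
    """Constructed sample data covering each policy branch."""
    d = lambda n: TODAY - timedelta(days=n)
    return [
        Account("alice", password_set=d(30), last_login=d(1)),    # compliant
        Account("bob", password_set=d(120), last_login=d(3)),     # old password
        Account("carol", password_set=d(10), last_login=d(200)),  # left the company
        Account("dave", password_set=d(10), last_login=d(2)),     # repeated failed logins
    ]


def run_demo():
    """Six wrong passwords against dave, then the periodic review."""
    accts = sample_accounts()
    dave = accts[3]
    for _ in range(6):
        record_login_attempt(dave, success=False, today=TODAY)
    findings = review_accounts(accts, TODAY)
    return findings, accts


if __name__ == "__main__":
    for name, finding in run_demo()[0]:
        print(f"{name}: {finding}")
```

The review deliberately disables a stale account before checking its password age: an account nobody uses should not stay enabled just because its password is fresh, and the sixth attempt against a locked account is recorded rather than silently dropped, which is the kind of event the plan says should be reported to management.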
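The Data Backup and Data Loss Recovery Plan sections call for a documented restoration process; a backup that has never been restored is only a hope. The script below is an added example (not from the original post) of a restore drill: it backs up a constructed directory, records a SHA-256 manifest, restores the copy to a fresh location and checks every file against the manifest, then repeats the drill after one backed-up file is silently altered. All paths and file contents are constructed in a temporary directory.

```python
"""Backup manifest and restore-drill helper for the Data Backup / Data Loss
Recovery Plan sections. Added example, not from the original post; all paths
and file contents are constructed inside a temporary directory."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, dest: Path) -> Dict[str, str]:
    """Copy every file under source to dest and write MANIFEST.json mapping
    relative path -> SHA-256, so a later restore can be verified."""
    manifest = {}
    for p in sorted(source.rglob("*")):
        if p.is_file():
            rel = p.relative_to(source)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel.as_posix()] = sha256_of(p)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup: Path, restore_to: Path) -> List[str]:
    """Restore from backup and return the list of problems found.
    An empty list means the drill passed: every file listed in the manifest
    was present and hashed to the recorded value after restoration."""
    manifest = json.loads((backup / "MANIFEST.json").read_text())
    problems = []
    for rel, expected in manifest.items():
        src = backup / rel
        if not src.is_file():
            problems.append(f"missing in backup: {rel}")
            continue
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_of(target) != expected:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def backup_drill() -> Tuple[List[str], List[str]]:
    """End-to-end drill on constructed data. Returns the problem lists from
    a clean restore and from a restore after the backup media was damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live, backup = root / "live", root / "backup"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "policy.txt").write_text("backup schedule: nightly\n")

        make_backup(live, backup)
        clean = restore_and_verify(backup, root / "restore1")

        # Simulate media damage: the backed-up ledger is silently altered.
        (backup / "accounts" / "ledger.csv").write_text("id,amount\n1,999\n")
        damaged = restore_and_verify(backup, root / "restore2")
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = backup_drill()
    print("clean restore problems:", clean or "none")
    print("damaged restore problems:", damaged or "none")
```

The manifest should travel with the backup to the fireproof safe or remote site, and the drill should be run on the backup schedule the policy defines, not only when data has already been lost.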
Cloud-based Services

Cloud-based services give organisations a lot of benefits, and according to Hutchings et al. (2013) these services, like any other network services, are vulnerable to threats such as authentication issues, DoS, network/packet sniffing, malware and so on. Technologies such as VPNs, encryption, packet filtering and firewalls can be used to secure data from such threats. It is believed that data is secure if it is encrypted before it is transferred to cloud storage. A NIDS (Network Intrusion Detection System) such as Snort has also been employed by network managers to protect data against external attacks. Similar provision is still needed to protect infrastructure when it is moved to the cloud. Once data is stored in cloud storage you have lost control over it, so an agreement has to be reached with the vendor at the time of hiring their services as to how the data will be protected from external vulnerabilities.

References

Rubens P (2013) 6 Emerging Security Threats, and How to Fight Them [Online]. Available at: http://www.esecurityplanet.com/network-security/6-emerging-security-threats-and-how-to-fight-them.html (Accessed 26 Mar 2015)

ICO (2012) A Practical Guide to IT Security [Online]. Available at: https://ico.org.uk/media/for-organisations/documents/1575/it_security_practical_guide.pdf (Accessed 25 Mar 2015)

Ciampa (2009) Access Control Models and Methods [Online]. Available at: http://resources.infosecinstitute.com/access-control-models-and-methods/ (Accessed 25 Mar 2015)

Hutchings et al. (2013) Cloud computing for small business: Criminal and security threats and prevention measures [Online]. Available at: http://aic.gov.au/publications/current series/tandi/441-460/tandi456.html (Accessed 25 Mar 2015)

CISSP (2012) Access Control Models and Methods [Online]. Available at: http://resources.infosecinstitute.com/access-control-models-and-methods/ (Accessed 25 Mar 2015)

HM Government (2015) Small Business: What you need to know about cyber security [Online]. Available at: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/412017/BIS-15-147-small-businesses-cyber-guide-March-2015.pdf (Accessed 23 Mar 2015)

FCC (n.d.) Cyber Security Planning Guide [Online]. Available at: http://transition.fcc.gov/cyber/cyberplanner.pdf (Accessed 23 Mar 2015)

Microsoft (n.d.) Safety and Security Centre [Online]. Available at: http://www.microsoft.com/en-gb/security/online-privacy/passwords-create.aspx (Accessed 24 Mar 2015)
