Saturday, April 25, 2015

Importance of Access Control

Have you ever wondered why your colleague sees a different version of the same internal office website, with extra menus and tabs that you don't have access to? Wouldn't it be nicer to have access to all the available menus, tabs and buttons in the website? It would be nicer, but remember that greater power comes with greater responsibility. In information security, access control is the selective restriction of access to resources; login credentials are one familiar mechanism of access control. Information security is the primary reason for having an access control system, although it can also be used to monitor users' access to the system. Access control is maintained by means of a collection of policies, programs that carry out those policies, and technologies that enforce them. Access control enables organizations to restrict access to information and assets.

Authentication is used to identify a user and the host they are using. The first goal of user authentication is to verify that the user, whether a person or a system attempting to interact with the system, is allowed to do so; a second goal is to gather information about the way the user is accessing your system. For example, some companies with strict network security do not allow a VPN connection if the staff member is connecting from an unsecured network such as free Wi-Fi in a coffee shop. Authorization is the act of determining the level of access that an authenticated user has to behavior and data. For example, an HR manager has more access to view and update employee information than the rest of the HR staff.

Access control based on user roles is designed to prevent unauthorized access to data. In many business organizations, user accounts are scattered throughout various applications; each application may offer a few different privilege levels, but these are unlikely to reflect the complex combinations of privileges present in the hierarchy of employee roles. Without properly scoped account privileges, the network is exposed on both sides, to attacks from external hackers and to internal data breaches. There are different types of access control. In Mandatory Access Control (MAC), the system (and not the users) specifies which subjects can access which data objects, so it is better suited to places such as military institutions. Discretionary Access Control (DAC) is another type, in which a user has complete control over all the programs and files it owns and executes, and also determines the permissions other users have on those files and programs. As it allows administrators to control access for users based on their job requirements, DAC can be beneficial for businesses and corporations.
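As an added example (not code from the original post), here is a small deny-by-default reference monitor in Python that contrasts the three models described above: role-based checks for the HR manager versus HR staff case, owner-controlled DAC grants, and a simplified MAC "no read up" rule in which the label, not the owner, decides. All names, roles, labels and the policy table are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample sensitivity labels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}

# RBAC policy (constructed): role -> set of (resource kind, action) it may perform.
ROLE_PERMISSIONS = {
    "hr_staff": {("employee_record", "view")},
    "hr_manager": {("employee_record", "view"), ("employee_record", "update")},
}


@dataclass
class Subject:
    name: str
    roles: frozenset
    clearance: str  # MAC label assigned by the system, not chosen by the user


@dataclass
class Resource:
    kind: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)  # DAC: grantee name -> set of actions


def rbac_allows(subject, resource, action):
    """Role-based: allowed only if one of the subject's roles grants the action."""
    return any((resource.kind, action) in ROLE_PERMISSIONS.get(r, set())
               for r in subject.roles)


def dac_allows(subject, resource, action):
    """Discretionary: the owner has full control; others need an explicit ACL grant."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def mac_allows(subject, resource, action):
    """Mandatory (simplified 'no read up'): clearance must dominate the label."""
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def decide(model, subject, resource, action):
    """Deny by default: unknown models and failed checks both yield False."""
    checks = {"rbac": rbac_allows, "dac": dac_allows, "mac": mac_allows}
    return checks.get(model, lambda *_: False)(subject, resource, action)
```

Note how the same request ("bob" viewing a confidential record) is granted under DAC once the owner adds an ACL entry but still denied under MAC, which is the distinction the paragraph draws.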

References:

Ambler, S. (n.d.). Implementing Security Access Control (SAC). Retrieved April 24, 2015, from http://www.agiledata.org/essays/accessControl.html

Bradbury, D. (2007). How to implement role-based access control. Retrieved April 24, 2015, from http://www.computerweekly.com/news/2240083532/How-to-implement-role-based-access-control

Thursday, April 23, 2015

Network Security in a business organization

     A couple of weeks ago I added a post on how you can secure your home network; this one is about securing the network within a business organization. The term 'network security' covers the applications and software designed to protect your organization's network. Effective network security targets a variety of threats and stops them from entering or spreading on the organization's network.

     The most common threats to any computer network are viruses, worms, spyware and adware, hacker attacks, data interception and identity theft. Multiple layers of security need to be implemented so that if one fails, the others still stand. Hardware and software need to be constantly updated and managed to protect you from emerging threats. Components such as anti-virus and anti-spyware software, firewalls to block unauthorized access to the network, and virtual private networks (VPNs) to provide secure remote access (for businesses) help accomplish the goals of network security. Keeping the network secure helps a business organization meet mandatory regulatory compliance and protect customers' data, reducing the risk of legal action from data theft.

     In my opinion, the IT security policy is the principal document for network security and it should outline the rules for ensuring the security of organizational assets. The policy should clearly state that employees are supposed to install only approved applications and software on their office PCs or laptops. All network traffic flows should be analyzed, with the aim of preserving the confidentiality, integrity, and availability of all systems and information on the network.

The concept of defense in depth is regarded as a best practice in network security; it prescribes that the network be secured in layers. These layers apply an assortment of security controls to sift out threats trying to enter the network:

· Access control
· Identification
· Authentication
· Malware detection
· Encryption
· File type filtering
· URL filtering
· Content filtering

     While monitoring network traffic and user access to the network is an important task for network administrators, auditing network use encourages continuous improvement by requiring organizations to reflect on the implementation of their policy on a consistent basis. The cost of implementing better network security can turn out to be money well spent compared to the expense of recovering from data breaches.

Reference:

Palo Alto Networks (n.d.). What is network security? Retrieved April 21, 2015, from https://www.paloaltonetworks.com/resources/learning-center/what-is-network-security.html

Thursday, April 16, 2015

Promoting Information Security Awareness

 I have seen many flyers and posters at school and in the workplace on what is right and what is wrong. Whenever I go to get coffee in the office's break room, there is a poster that reminds me to lock my PC when I am away from my desk. I believe awareness like this can be very informative. Those who have been victims of identity theft in the past surely agree with me on the need to promote information security awareness. It is important not only for the students of a university or the staff of a business organization, but for every computer user, to be aware of information security.

“The scope of any security awareness campaign is to persuade computer users to listen and act on measures to avoid, deter, detect, and defend against information security threats and/or data security breaches.”

          Information security awareness aims to prevent incidents related to cyber-attacks, identity theft, online threats, and the loss or disclosure of data through unlawful hacking. The challenge is how to deliver this information to the general public so that they are aware of these threats and able to protect their information. One of the best ways to promote information security awareness is through user training and education, or through policies and procedures. Awareness training can give users tips on how to use anti-virus software to protect their data, why it can be risky to give personal information online to a malicious or untrusted site or person, and why they need to think twice before opening any email or attachment from an unknown source. Users need a good understanding of what is considered cyber-crime and should be encouraged to report computer crimes to HR in companies, to student affairs in universities, or to local law enforcement in the private or public sector. TV and radio are also good media for promoting security awareness among users; the power of the media is a tremendous asset when it comes to getting the message out to the public. Posters and flyers can be another great way to deliver the message. Flyers with short, informative messages on security awareness can be distributed in public places, universities and business organizations. Posters warning users to take caution while sharing sensitive data online can be placed in office break rooms and university cafeterias, where they catch users' attention and can turn out to be an effective medium for promoting awareness. Requiring mandatory online security training every quarter, quizzes on security awareness, and messages via mass emails can also be good promotional steps in larger organizations.
          The internet continues to grow each year, and with it cyber threats multiply every year. It becomes important for computer users to protect themselves and understand at least the basic steps that can help secure their sensitive information. Information security awareness can be promoted by various means, but for a campaign to succeed, users need to follow the steps it describes properly and unite against cyber-crime.

References:

McDonough, M. (2010). Ideas to Promote Information Security Awareness. Retrieved April 14, 2015, from http://www.brighthub.com/computing/enterprise-security/articles/75233.aspx

Ray, R. (n.d.). Promote Security Awareness In Your Company. Retrieved April 15, 2015, from http://www.allbusiness.com/promote-security-awareness-in-your-company-11694831-1.html

Friday, April 10, 2015

Things to consider while developing Information Security Policy

Have you ever looked into the information security policy of the company you work for? It is a policy document that states in writing how a company plans to protect its physical and information technology assets. Most organizations make these documents available for employees to review on the company's internal websites or notice boards. The purpose is to have employees read, understand and follow them. I was wondering how hard it can be to write these policies, so I decided to do some research on the things you need to consider while developing an information security policy in the first place.
The policy maker should know that the objectives of the policy are to reduce risk, comply with laws and regulations, assure operational continuity, and preserve information integrity and confidentiality. The policy maker should realize that the success of an information resources protection program depends on the policy generated and on the attitude of management toward securing information on automated systems. The policy can provide vital support to security professionals as they strive to reduce the risk profile of a business and fend off both internal and external threats. If an employee is terminated for some wrongdoing (for example, stealing and sharing sensitive data with outsiders) and the organization cannot show that the policy covering it was properly implemented, then the employee could sue the organization for wrongful termination. By stating clearly in the policy what the right thing to do is, the organization can have employees follow the rules for acceptable behavior.


Knowing your audience is one of the important steps in developing an information security policy. The policy maker should understand the purpose the policy is meant to serve and align the policy with any subsequent information governance training to be delivered. The policy needs to be aligned to the business objectives of the organization and should be delivered in the best format for its audience. By thinking from the user's point of view, the policy maker can cull the policy down to fewer pages containing only the information that is absolutely needed and the key messages to retain.
As a user, I would like to see policy information in fewer pages, brief and to the point about the user's responsibilities towards the information they collect, use and access. It is also my responsibility to read, understand and follow the policy with all respect towards the organization I work for.

References:

Computer Weekly (n.d.). How to create a good information security policy. Retrieved April 9, 2015, from http://www.computerweekly.com/feature/How-to-create-a-good-information-security-policy

Whitman, M., & Mattord, H. (2014). Management of information security (4th ed.). Cengage Learning.

Thursday, April 2, 2015

Importance of Incident Response Plans

Have you ever imagined what would happen if something unexpected happened at your workplace, such as a virus attack on the entire computer network, and suddenly you did not have the resources available to perform your daily tasks? Well, I was thinking about this today, and it would be very hard for me if my laptop crashed and I lost access to all my emails and documents on it.
Incident response (IR) plans are essential to disaster recovery and business continuity, as they give added protection to sensitive company data. However, many companies lack a step-by-step process for responding to data security breaches. Many business organizations may think that an IR plan doesn't serve any significant purpose, and hence they focus mainly on recovering from disasters and keeping critical business systems and processes running during a disaster.
The complexity and targeted nature of attacks has continued to increase, the number of compromised records is rising, and organized crime is surfacing more often. Hence, having a solid data breach response plan in place can make the threat of a security breach less intimidating. An incident response plan, if used correctly, outlines who, what, when, where and how to respond to data security breaches. Imagine how useful and time-saving it can be to troubleshoot an incident that occurred in the past when all the documents are available, along with the names and contacts of each individual who was involved in finding a fix.
I do not know if the company I work for has listed incident response procedures in its information security policy; probably this is because I did not pay much attention while reading the paragraphs in tiny fonts of the big stack of paperwork they gave me to read and sign when I was hired. Well, I should definitely review that section of the policy to find out if there are plans and procedures related to incident response, with management buy-in, to effectively protect the organization against incidents and cyber security attacks.


By having a successful incident response plan in place, an organization can proactively mitigate incidents before they occur and can react quickly and effectively when incidents do occur. Without an adequate incident response plan, an organization facing cyber security attacks without methods to mitigate, contain, eradicate and remediate incidents can suffer massive losses of time and money, of valuable data and, more importantly, of customers' trust.

References:

Beaver, K. (n.d.). The importance of incident response plans in disaster recovery. Retrieved April 1, 2015, from http://searchdisasterrecovery.techtarget.com/tip/The-importance-of-incident-response-plans-in-disaster-recovery

Enterprise Risk Management (2012). Building a Successful Incident Response Plan. Retrieved April 2, 2015, from http://www.emrisk.com/knowledge-center/newsletters/building-successful-incident-response-plan