Operational Security
Standards
• Standards are mandatory elements regarding the implementation of a policy.
• They are accepted specifications providing specific details on how a policy is to be
enforced.
• Standards can be set by the organization or by an external agency.
Guidelines
• Guidelines are recommendations relating to a policy.
As argued by the Commission on Human Security (CHS), the need for a new
paradigm of security is associated with two sets of dynamics:
The CHS, in its final report Human Security Now, defines human security as:
“…to protect the vital core of all human lives in ways that enhance human
freedoms and human fulfillment. Human security means protecting
fundamental freedoms – freedoms that are the essence of life. It means
protecting people from critical (severe) and pervasive (widespread) threats
and situations. It means using processes that build on people’s strengths and
aspirations. It means creating political, social, environmental, economic,
military and cultural systems that together give people the building blocks
of survival, livelihood and dignity.” (CHS: 2003: 4)
Overall, the definition proposed by the CHS re-conceptualizes security in a fundamental way
by:
(i) moving away from traditional, state-centric conceptions of security that
focused primarily on the safety of states from military aggression, to one that
concentrates on the security of the individuals, their protection and
empowerment;
(ii) drawing attention to a multitude of threats that cut across different aspects of
human life and thus highlighting the interface between security, development
and human rights; and
(iii) promoting a new integrated, coordinated and people-centered approach to
advancing peace, security and development within and across nations.
Human security brings together the ‘human elements’ of security, rights and
development. As such, it is an inter-disciplinary concept that displays the following
characteristics:
• Standardization bodies
• Processes
– Certification
– Accreditation
Why?
• OECD Guidelines for the Security of Information Systems and Networks (2002): 9
pervasive principles for information security
1. Awareness
2. Responsibility
– All participants are responsible for the security of information systems and
networks.
3. Response
4. Ethics
5. Democracy
6. Risk assessment
7. Security design and implementation
8. Security management
9. Reassessment
• NIST
• Other categories
– TCSEC, ITSEC
• Governance Guides
• Common Criteria
• June 1993: the sponsoring organizations of the CTCPEC, FC, TCSEC and ITSEC
began a joint activity to align their separate criteria into a single set of IT security
criteria that could be widely used. This activity was named the CC Project.
• Meant to be used as the basis for evaluation of security properties of IT products and
systems.
• Guide for the development of products or systems with IT security functions and for
the procurement of commercial products and systems with such functions.
• Includes
• CC documents
• CC National Scheme
• [EAL1 to EAL7]
Evaluation Context
• Consumers
• Developers
CC can support developers in preparing for and assisting in the evaluation of their
products or systems and in identifying security requirements to be satisfied by each of
their products or systems.
• Evaluators
The CC contains criteria to be used by evaluators when forming judgments about the
conformance of TOEs (Targets of Evaluation) to their security requirements.
• Others
ISO 27002
• Prepared by the British Standards Institution (as BS 7799) and adopted by Joint
Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its
approval by the national bodies of ISO and IEC.
• Gives recommendations for information security management for use by those who
are responsible for initiating, implementing or maintaining security in their
organization.
• Recommendations from this standard should be selected and used in accordance with
applicable laws and regulations.
• Not all of the guidance and controls in this code of practice may be applicable.
• Asset accountability
– Accountability should remain with the owner of the asset. Responsibility for
implementing controls may be delegated.
• Information classification
• User training
– Weaknesses, malfunctions
– Disciplinary process
• Secure areas
• Equipment security
– Safety
– Segregation of duties
• Network management
• Media handling
– Policy on Email
• User responsibilities
– Network segregation
– “built-in” security
• Cryptographic controls
• Business continuity management should include controls to identify and reduce risks,
limit the consequences of damaging incidents, and ensure the timely resumption of
essential operations.
• 39 control objectives and 133 controls (the 2005 edition of ISO/IEC 27002; later
editions renumbered and reduced the control set)
• The scope and boundaries of the ISMS are defined in terms of the characteristics of:
• The Business,
• The Organization,
• Its Location,
• Assets,
• Technology,
2. takes into account business and legal or regulatory requirements, and contractual
security obligations;
3. aligns with the organization’s strategic risk management context in which the
establishment and maintenance of the ISMS will take place;
Risk assessment is the process of combining risk identification, risk analysis and risk
evaluation.
The results of the risk assessment will help to guide and determine the appropriate
management action and priorities for managing information security risks, and for
implementing controls selected to protect against these risks.
• Identify a risk assessment methodology that is suited to the ISMS, and the identified
business information security, legal and regulatory requirements.
• Develop criteria for accepting risks and identify the acceptable levels of risk.
• Analyze and evaluate the risks (estimation of level of risks and evaluation whether
they are acceptable or require treatment).
– Risk identification
– Risk estimation
• the control objectives and controls selected and the reasons for their selection
• the exclusion of any control objectives and controls in Annex A and the justification
for their exclusion.
• Implement the risk treatment plan in order to achieve the identified control objectives.
• Determine whether the actions taken to resolve a breach of security were effective.
• Measure the effectiveness of controls to verify that security requirements have been
met.
• Update security plans to take into account the findings of monitoring and reviewing
activities.
• Record actions and events that could have an impact on the effectiveness or
performance of the ISMS.
• Apply the lessons learnt from the security experiences of other organizations and
those of the organization itself.
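The risk assessment and treatment steps above (identify, estimate, evaluate against acceptance criteria, select controls, record the selection and the exclusions, re-check residual risk) carried through in code. This is an added example; it is not part of the original slides or of any ISO/IEC text. The four-point scales, the likelihood-times-impact scoring, the acceptance threshold, the control references C-01 to C-04 and the sample risk register are all constructed assumptions for illustration, not values prescribed by the standard.

```python
"""Worked qualitative risk assessment (added example; scales and data are assumed)."""
from __future__ import annotations

from dataclasses import dataclass

# Assumed four-point scales; ISO/IEC 27001 leaves the methodology to the organisation.
SCALE = {1: "low", 2: "medium", 3: "high", 4: "very high"}
ACCEPTABLE_LEVEL = 4  # assumed risk acceptance criterion: level 4 or below is accepted


@dataclass(frozen=True)
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int  # 1..4
    impact: int      # 1..4


@dataclass(frozen=True)
class Control:
    ref: str  # hypothetical reference, not an Annex A number
    name: str
    reduces_likelihood: int = 0
    reduces_impact: int = 0


def risk_level(likelihood: int, impact: int) -> int:
    """Risk estimation: likelihood x impact on the assumed scales, giving 1..16."""
    for value in (likelihood, impact):
        if not 1 <= value <= 4:
            raise ValueError(f"scale value {value} is outside 1..4")
    return likelihood * impact


def evaluate(level: int) -> str:
    """Risk evaluation against the acceptance criterion."""
    return "accept" if level <= ACCEPTABLE_LEVEL else "treat"


def residual_level(risk: Risk, controls: list[Control]) -> int:
    """Re-estimate after the selected controls; reductions never push a scale below 1."""
    lk = max(1, risk.likelihood - sum(c.reduces_likelihood for c in controls))
    im = max(1, risk.impact - sum(c.reduces_impact for c in controls))
    return risk_level(lk, im)


def assess(risks, catalogue, treatment):
    """Produce a treatment record per risk and a Statement of Applicability.

    treatment maps a risk id to the control refs selected for it. Every control
    in the catalogue ends up either selected (with the risks that justify it) or
    excluded (with a justification), which is what the documentation requires.
    """
    by_ref = {c.ref: c for c in catalogue}
    records, justification = {}, {}
    for r in risks:
        inherent = risk_level(r.likelihood, r.impact)
        chosen = [by_ref[ref] for ref in treatment.get(r.rid, [])]
        resid = residual_level(r, chosen)
        if evaluate(inherent) == "accept":
            status = "accepted"
        elif evaluate(resid) == "accept":
            status = "treated"
        else:
            # Residual still above the criterion: add controls or record a
            # management decision to accept it; never let it pass silently.
            status = "residual not acceptable"
        records[r.rid] = {
            "inherent": inherent, "controls": [c.ref for c in chosen],
            "residual": resid, "status": status,
        }
        for c in chosen:
            justification.setdefault(c.ref, []).append(r.rid)
    soa = {
        "selected": {ref: "treats " + ", ".join(rids) for ref, rids in justification.items()},
        "excluded": {c.ref: "no identified risk requires this control"
                     for c in catalogue if c.ref not in justification},
    }
    return records, soa


# Constructed sample register and control catalogue (not real data).
RISKS = [
    Risk("R1", "customer database", "SQL injection through the web front end", 3, 4),
    Risk("R2", "laptop fleet", "theft of an unencrypted laptop", 3, 3),
    Risk("R3", "internal wiki", "accidental disclosure of meeting notes", 1, 2),
    Risk("R4", "legacy SCADA host", "unpatched remote code execution", 4, 4),
]
CATALOGUE = [
    Control("C-01", "technical vulnerability and patch management", reduces_likelihood=2),
    Control("C-02", "full-disk encryption on portable devices", reduces_impact=2),
    Control("C-03", "network segregation of sensitive systems", reduces_likelihood=1),
    Control("C-04", "security clauses in supplier contracts"),
]
TREATMENT = {"R1": ["C-01"], "R2": ["C-02"], "R4": ["C-03"]}

if __name__ == "__main__":
    recs, soa = assess(RISKS, CATALOGUE, TREATMENT)
    for rid, rec in recs.items():
        print(rid, rec)
    print("SoA:", soa)
```

The point of the fourth risk is the caveat the slides only hint at: segregation alone leaves R4 at level 12, so the Check step must surface it as still unacceptable rather than treating "a control was applied" as "risk treated". Exclusions in the SoA carry a justification string because an auditor will ask for one for every Annex A control that is not selected.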
Required documentation
In Figure 1, we can also notice the discrepancy between the economic ranking of the
countries and the number of certifications. We discuss this at the end of the next section.
To gain insight into the unexpectedly low and uneven diffusion of the ISO/IEC 27001
standard, in the following section we examine in turn the drivers for adoption of
information security management standards, the success factors and the specific case of
adoption by employees. Finally, we explore the barriers and limitations affecting the
adoption of ISMS, and solutions and recommendations to foster this adoption.
Sometimes personnel may take cyber security requirements too lightly, leading to dramatic
consequences for the organizations they work for.
In the recent WannaCry ransomware epidemic, the human factor played a major role in
making businesses worldwide vulnerable. Two months after the disclosed vulnerabilities had
been patched with a new update from Microsoft, many companies around the world still
hadn’t updated their systems. Several cases followed — with non-IT personnel being the
So, what role do employees play in a business’s fight against cybercrime? To answer this
question Kaspersky Lab and B2B International have undertaken a study into over 5,000
businesses around the globe.
The results have been astounding. We’ve found that just over half of businesses (52%)
believe they are at risk from within. Their staff, whether intentionally or through their own
carelessness or lack of knowledge, are putting the businesses they work for at risk.
The following report investigates how and why this is happening – and what businesses can
do to help protect themselves from their own employees.
Against the backdrop of a complex and growing cyber threat landscape, where 57% of
businesses now assume their IT security will become compromised, businesses are also
waking up to the fact that one of the biggest chinks in their armor against cyberattack is their
own employees. In fact, 52% of businesses admit that employees are their biggest weakness
in IT security, with their careless actions putting business IT security strategy at risk.
The fear of being put at risk from within can be seen clearly in the fact that for businesses, the
top three cybersecurity fears are all related to human factors and employee behavior. The
table below shows that businesses are aware of how easy it is for employee/human error to
impact their company’s security. They worry most about employees sharing inappropriate
data via mobile devices (47%), the physical loss of mobile devices exposing their company to
risk (46%) and the use of inappropriate IT resources by employees (44%).
Taking a closer look at these findings, concerns about the inappropriate use of IT by
employees vary considerably according to company size, with very small businesses (with 1-
49 employees) feeling more at risk from this threat than enterprises with more than 1000
staff. This could be due to a number of factors including enterprises potentially having
stricter policies in place, and more thorough training for staff on best practice. In addition,
very small businesses possibly bestow employees with a greater degree of flexibility in terms
of how they use business IT resources.
The findings of our study show that businesses do indeed have good reason to be worried
about employees contributing to cybersecurity risks. Staff may make mistakes that put their
company’s data or systems at risk, either because they are careless and accidentally slip up,
or because they have not had the training that teaches them how to behave appropriately
and protect the business they work for.
Careless or uninformed staff, for example, are the second most likely cause of a serious
security breach, second only to malware. In addition, in 46% of cybersecurity incidents in the
last year, careless/uninformed staff have contributed to the attack.
Human error on the part of staff is not the only ‘attack vector’ that businesses are falling
victim to. In the last year internal staff have also caused security issues through malicious
actions of their own, with 30% of security events in the last 12 months reportedly involving
staff working against their own employers.
Employee carelessness and phishing/social engineering were major contributing factors for
malware and targeted attacks, the attack types which, incidentally, also showed the largest
increase in the last year.
As many as 49% of businesses worldwide reported being attacked by viruses and malware
this year, an 11% increase compared to 2016 results. And, of those that experienced virus and
malware incidents, just over half (53%) of these consider careless/ uninformed employees to
be a top contributing factor and over a third (36%) consider phishing/ social engineering to
have contributed to the threat.
Likewise, more than one-in-four (27%) businesses have experienced targeted attacks this
year, a 6% increase on last year. Of these attacked businesses, over a quarter (28%) believe
phishing/ social engineering contributed to the attack.
The main use for IT Security and the main role for an IT Security specialist is to:
Protect computer systems by creating barriers deterring external access to them.
Recognise problems within systems by identifying uncharacteristic activity.
Assess current situations with the network security and carry out audits.
What is IT Security?
IT Security is the information security which is applied to technology and computer systems.
It focuses on protecting computers, networks, programs and data from unauthorised access or
damage. IT Security can also be referred to as Cyber Security. IT Security plays a vital role
within the government, military, finance companies, hospitals and many private businesses as
they store a large amount of data and information on their computer systems that need to be
kept secure.
The general working hours of an IT Security specialist will be the normal 37 or 40 hours a
week. However, you will likely have the responsibility of being on call 24/7 in case of any
security breaches. You will need to be aware of this.
Areas in IT security
There are many different areas within IT Security itself. You can specialise in one of these
areas or a number of these areas if you wish. They include:
Network Troubleshooting
System Administration
Firewall Administration
Information Security Policies
Penetration testing
Ethical Hacking
Security Analyst
The salary can vary depending on the area of IT Security, the qualification level and the
location of your work. The salary can vary from £25,000 to £85,000. To give you a more
specific idea of salary ranges, an IT Security Officer can earn around £34,000, an IT Security
Engineer can earn around £58,000 and Head of IT Security can earn around £85,000 or
higher in certain sectors and large businesses. Ethical hacking is also a growth sector and
specialised consultants in this area can earn high incomes.
Required skills
If you are looking to work in the IT Security sector it would be beneficial for you to have the
following skillset:
Analytical
Logical
Ability to prioritise work load
Aware of developments in Cyber Security
Understanding of Database, Networking and Systems
Understanding of applicable UK law and regulations in relation to IT Security
Experience with Antivirus software and web proxy management
An IT Security / Computer Science related degree or certification
IT Security Qualifications
Having a lot of experience within the IT Security field is really important; however, there are
many qualifications and certifications that can be seen as vital in this field because of how fast
the industry is growing. Below is a small selection of IT Security qualifications and
certifications you can obtain: