
UNIT-5

5.1 ORGANIZATIONAL AND HUMAN SECURITY

5.1.1 Organizational Security

An organization, or organisation, is an entity – such as a company, an institution, or an association – comprising one or more people and having a particular purpose. The word is derived from the Greek word organon, which means tool or instrument, musical instrument, and organ.

Operational Security

• Protection = Prevention + (Detection + Response).


• Prevention techniques are static barriers to the intruders.
• Detection and Response technologies are dynamic and an ongoing process.
• Systems, technologies and networks constantly change with time, so the systems must be monitored regularly.
• Monitoring the security infrastructure in the organization is an essential part of any
organization’s security program.
Security Framework

• An organization’s security framework is very important in implementing the security.


Security framework includes
• Policies
• Procedures
• Standards
• Guidelines
Policies
• Policies are high-level, broad statements of what the organization wants to accomplish.
• Policies are formulated by management when laying out organization's position on some
issue.
Procedures
• Procedures are the step-by-step instructions on how to implement policies in the organization.
• Procedures describe exactly how employees are expected to act in a given situation.

Standards
• Standards are mandatory elements regarding the implementation of a policy.
• They are accepted specifications providing specific details on how a policy is to be
enforced.
• Standards can be set by the organization or by an external agency.
Guidelines
• Guidelines are recommendations relating to a policy.

DEPARTMENT OF ECE CS6202OE - CYBER LAW & ETHICS


• Guidelines are optional.
Operational Security Lifecycle
• The policies, procedures, standards and guidelines are dynamic.
• They must be revised periodically.
• The operational security lifecycle has 4 phases
• Plan (adjust)
• Implement
• Monitor
• Evaluate
Planning - In this stage, all the policies, procedures, standards and guidelines for your
organization’s security are developed and designed
Implement - In this stage you implement and enforce the policies, procedures, standards
and guidelines. All the employees affected by these new policies, procedures, standards
and guidelines will come to know about these changes.
Monitoring - In this stage, all the policies, procedures, standards, guidelines, hardware and
software are monitored to check the effectiveness of organization’s security.
Evaluate – In this stage, all the policies, procedures, standards and guidelines are again re-
evaluated to ensure that the security is adequate.
Fig. Operational Security Life Cycle

The Security Perimeter


• The basic idea of a security perimeter is to provide a “complete” security to the corporate
network.
• Access by external entities to the corporate network (Internal) is controlled and
monitored via the security perimeter.



Fig. Security Perimeter
Access Control
• The purpose of access controls is to restrict access to only those who are authorized to
have it.
• Common forms of physical access control are the security guard and the lock (including the many newer variations of the combination lock).
Physical Security
• Physical security consists of all the mechanisms used to ensure that physical access to the computers and the networks is restricted to authorized users only.
• Physical security adds an extra layer of security and protects the sensitive data.
Physical Barriers
• Physical barriers provide the outermost layer of security.
• These barriers are highly visible to the public.
Biometrics
• Biometrics is a more sophisticated access control approach.
• Examples – fingerprint readers, retinal & iris scan, voice samples.
• Biometric solutions are very expensive to implement.
Social Engineering
• Social engineering is the process of convincing an authorized individual to provide
confidential information or access to an unauthorized individual.
• Social engineering exploits the weakest point in the security perimeter – humans.
• The ultimate goal of social engineering is to gradually obtain the pieces of information.
• The best way to stop social engineering is through training all the employees and
instructing not to give out any piece of information.
• Data Aggregation - Small and seemingly “unimportant” information may be combined
with other pieces of information to potentially divulge sensitive information.



Fig Social Engineer
Environment
• Environmental issues deal with the general operating conditions within which an organization operates.
• Environmental issues include items like heating, ventilation, air conditioning, electrical
power and the “natural forces”.
• Environmental factors are used to maintain the comfort of an office environment.
• In case of electric power outage, UPS can be critical.
• If natural disasters are common, having a complete backup plan is a must.
• In some cases, a separate off-site location can also be used.
Fire Suppression
• Fire is one of the most common reasons for the loss of data in an organization.
• Common ways of fighting the fire are:
• Water based fire suppression systems
• Chemical based fire suppression systems
• Handheld fire suppression systems
• Fire detection systems
Water based Fire Suppression System
• Very commonly used systems.
• Can have adverse effects on computer and electrical systems.

5.1.2 HUMAN SECURITY

Human security is an emerging paradigm for understanding global vulnerabilities whose proponents challenge the traditional notion of national security through military security by arguing that the proper referent for security should be at the human rather than national level.

Fig. Concept of Human Security as defined by the Commission on Human Security



Why Human Security Now?

As argued by the Commission on Human Security (CHS), the need for a new paradigm of security is associated with two sets of dynamics:

• First, human security is needed in response to the complexity and the interrelatedness of both old and new security threats – from chronic and persistent poverty to ethnic violence, human trafficking, climate change, health pandemics, international terrorism, and sudden economic and financial downturns. Such threats tend to acquire transnational dimensions and move beyond traditional notions of security that focus on external military aggressions alone.

• Second, human security is required as a comprehensive approach that utilizes the wide range of new opportunities to tackle such threats in an integrated manner. Human security threats cannot be tackled through conventional mechanisms alone. Instead, they require a new consensus that acknowledges the linkages and the interdependencies between development, human rights and national security.

What is Human Security?

The CHS, in its final report Human Security Now, defines human security as:

“…to protect the vital core of all human lives in ways that enhance human
freedoms and human fulfillment. Human security means protecting
fundamental freedoms – freedoms that are the essence of life. It means
protecting people from critical (severe) and pervasive (widespread) threats
and situations. It means using processes that build on people’s strengths and
aspirations. It means creating political, social, environmental, economic,
military and cultural systems that together give people the building blocks
of survival, livelihood and dignity.” (CHS: 2003: 4)
Overall, the definition proposed by the CHS re-conceptualizes security in a fundamental way
by:
(i) moving away from traditional, state-centric conceptions of security that
focused primarily on the safety of states from military aggression, to one that
concentrates on the security of the individuals, their protection and
empowerment;
(ii) drawing attention to a multitude of threats that cut across different aspects of
human life and thus highlighting the interface between security, development
and human rights; and
(iii) promoting a new integrated, coordinated and people-centered approach to
advancing peace, security and development within and across nations.

What are the main features of Human Security?

Human security brings together the ‘human elements’ of security, rights and
development. As such, it is an inter-disciplinary concept that displays the following
characteristics:



• people-centered
• multi-sectoral
• comprehensive
• context-specific
• prevention-oriented

As a people-centered concept, human security places the individual at the ‘centre of analysis.’ Consequently, it considers a broad range of conditions which threaten survival, livelihood and dignity, and identifies the threshold below which human life is intolerably threatened.

Human security is also based on a multi-sectoral understanding of insecurities. Therefore, human security entails a broadened understanding of threats and includes causes of insecurity relating for instance to economic, food, health, environmental, personal, community and political security.

Table I: Possible Types of Human Security Threats

Type of Security         Examples of Main Threats
-----------------------  ------------------------------------------------------------
Economic security        Persistent poverty, unemployment
Food security            Hunger, famine
Health security          Deadly infectious diseases, unsafe food, malnutrition, lack of access to basic health care
Environmental security   Environmental degradation, resource depletion, natural disasters, pollution
Personal security        Physical violence, crime, terrorism, domestic violence, child labor
Community security       Inter-ethnic, religious and other identity-based tensions
Political security       Political repression, human rights abuses

Moreover, human security emphasizes the interconnectedness of both threats and responses when addressing these insecurities. That is, threats to human security are mutually reinforcing and interconnected in two ways. First, they are interlinked in a domino effect in the sense that each threat feeds on the other. For example, violent conflicts can lead to deprivation and poverty which in turn could lead to resource depletion, infectious diseases, education deficits, etc. Second, threats within a given country or area can spread into a wider region and have negative externalities for regional and international security.

This interdependence has important implications for policy-making as it implies that human insecurities cannot be tackled in isolation through fragmented stand-alone responses. Instead, human security involves comprehensive approaches that stress the need for cooperative and multi-sectoral responses that bring together the agendas of those dealing with security, development and human rights. “With human security [as] the objective, there must be a stronger and more integrated response from communities and states around the globe” (CHS: 2003: 2).



In addition, as a context-specific concept, human security acknowledges that
insecurities vary considerably across different settings and as such advances
contextualized solutions that are responsive to the particular situations they seek to
address. Finally, in addressing risks and root causes of insecurities, human security is
prevention-oriented and introduces a dual focus on protection and empowerment.

5.2 ADOPTION OF INFORMATION SECURITY MANAGEMENT STANDARDS

Information Security Management Standards:

Standards & Standardization Process

• Standardization bodies

– ISO (International Organization for Standardization), national bodies, technical committees

• Processes

– Certification

– Accreditation

Why?

• Threat of legal liability

– Organizations and software vendors are being held to a higher degree of accountability for security, if not in the courtroom, by their customers

• Business partners and stakeholders demanding security

– Organizations are challenged to prove they are managing security to a level that will satisfy their business partners and stakeholders.

• Proliferation of standards, regulations and legislation

– Organizations face complex requirements to comply with a myriad of regulations.

Comprehensive IS Management – Principles Based

• OECD Guidelines for the Security of Information Systems and Networks (2002): 9
pervasive principles for information security

• NIST (National Institute of Standards and Technology)

– SP 800-14 Generally Accepted Principles and Practices for Securing IT Systems, 1996



– SP 800-18, Guide for Developing Security Plans for Federal Information
Systems,1998 (revised 2006)

– SP 800-30 Risk Management Guide for IT Systems, 2002

• IFAC International Guidelines on Information Technology Management—Managing Information Technology Planning for Business Impact: International Federation of Accountants, New York, 1999.

Comprehensive IS Management - Controls Based

• BS 7799 – Parts 1, 2 & 3 Code of Practice for Information Security Management (British Standards Institute)

• ISO 27001: Information Technology – Information Security Management Systems – Requirements

• ISO 27002: Information Technology – Code of Practice for Information Security Management (former ISO 17799)

• ISO 27003: Information Technology – Information security management system implementation guidance

• ISO 27004: Information Technology – Information security management – Measurement

• ISO 27005: Information Technology– Information security risk management

• IT Baseline Protection Manual – BSI (Bundesamt für Sicherheit in der Informationstechnik)

• NIST

– 800-53 - Recommended Security Controls for Federal Information Systems

– Several specific standards (e.g. Secure Web Services, PDA security, Implementing HIPAA, Contingency planning, etc.)

Other categories

• Capability Maturity Model

– ISO 21827 System Security Engineering – Capability Maturity Model (SSE-CMM)

• Product Security Models

– ISO 15408 Common Criteria

– TCSEC, ITSEC



• Business Continuity Management

– ISO 24762: Information Technology – Guidelines for information and communication technology disaster recovery services

– ISO 27031: Information Technology – Security Techniques – Guidelines for ICT readiness for Business Continuity

– BS25999: Business Continuity Management

– ISO 18044 – Information technology – Information security incident management

• Governance Guides

– ISO38500: Corporate guidance of IT

• COBIT – Control Objectives for Information and Related Technologies (ISACA)

– IT Governance Implementation Guide (ISACA)

OECD (Organisation for Economic Co-operation and Development) Guidelines -1-

“towards a culture of security”

1. Awareness

– Participants should be aware of the need for security of information systems and networks and what they can do to enhance security.

2. Responsibility

– All participants are responsible for the security of information systems and
networks.

3. Response

– Participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents.

4. Ethics

– Participants should respect the legitimate interests of others.

5. Democracy

– The security of information systems and networks should be compatible with essential values of a democratic society.

6. Risk assessment

– Participants should conduct risk assessments.



7. Security design and implementation

– Participants should incorporate security as an essential element of information systems and networks.

8. Security management

– Participants should adopt a comprehensive approach to security management.

9. Reassessment

– Participants should review and reassess the security of information systems and networks, and make appropriate modifications to security policies, practices, measures and procedures.

Information Security Standards

• TCSEC(Trusted Computer System Evaluation Criteria)- (Orange Book)

• ITSEC(Information Technology Security Evaluation Criteria)

• Common Criteria

Standards’ history -1-

• 1983: Trusted Computer System Evaluation Criteria (TCSEC) developed in the United States.

• 1991: Information Technology Security Evaluation Criteria (ITSEC) version 1.2 published by the European Commission (joint development by France, Germany, the Netherlands, and the UK).

• 1993: Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) version 3.0, published as a combination of the ITSEC and TCSEC approaches.

• 1990: the International Organization for Standardization (ISO) starts to develop international standard evaluation criteria for general use.

• June 1993: the sponsoring organizations of the CTCPEC, FC, TCSEC and ITSEC
began a joint activity to align their separate criteria into a single set of IT security
criteria that could be widely used. This activity was named the CC Project.

Common Criteria -1-

• Meant to be used as the basis for evaluation of security properties of IT products and
systems.

• Permits comparability between the results of independent security evaluations.

• Guide for the development of products or systems with IT security functions and for
the procurement of commercial products and systems with such functions.



• Addresses protection of information from unauthorised disclosure, modification, or loss of use (confidentiality, integrity, availability).

• It is applicable to IT security measures implemented in hardware, firmware or software.

• Does not contain security evaluation criteria pertaining to administrative security measures not related directly to the IT security measures.

• De facto standard in the US since 1998.

• Accepted as ISO 15408

• Includes

• CC documents

• CC Evaluation Methodology (CEM)

• CC National Scheme

• 7 Evaluation Assurance Levels

• [EAL1 to EAL7]

• 11 Functionality Requirements Classes

• 10 Assurance Requirements Classes

Evaluation Context

Fig : Evaluation Context

Common Criteria Target Group

• Consumers



They can use the results of evaluations to help decide whether an evaluated product or
system fulfils their security needs. They can also use the evaluation results to compare
different products or systems.

• Developers

CC can support developers in preparing for and assisting in the evaluation of their
products or systems and in identifying security requirements to be satisfied by each of
their products or systems.

• Evaluators

The CC contains criteria to be used by evaluators when forming judgments about the
conformance of TOEs to their security requirements.

• Others

Auditors, Security Officers

Common Criteria: Basic concepts

• Protection Profile (PP)

– An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.

• Target of Evaluation (TOE)

– An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.

• Security Target (ST)

– A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.

TOE Development Method

• Protection Profile (PP)

• Target of Evaluation (TOE)

• Security Target (ST)



Fig : TOE Development Method

ISO 27002 (former 17799)

• First edition: 2000. Current edition: 2005

• Prepared by the British Standards Institution (as BS 7799) and was adopted by Joint
Technical Committee ISO/IEC JTC 1, Information Technology, in parallel with its
approval by national bodies of ISO and IEC.

• “Information technology — Code of practice for information security management”

ISO 27002 as a code of practice

• May be regarded as a starting point for developing organization specific guidance.

• Not all of the guidance and controls in this code of practice may be applicable.

• Furthermore, additional controls not included in this document may be required.

ISO 27002

• Gives recommendations for information security management for use by those who
are responsible for initiating, implementing or maintaining security in their
organization.



• It is intended to provide a common basis for developing organizational security
standards and effective security management practice and to provide confidence in
inter-organizational dealings.

• Recommendations from this standard should be selected and used in accordance with
applicable laws and regulations.

ISO 27002: Information Security Policy

• Information security policy document

• Review and evaluation

ISO 27002: Organizational Security

• “Information security is a business responsibility shared by all members of the management team.”

• Information security infrastructure

– management framework: management fora with management leadership should be established to approve the information security policy, assign security roles and co-ordinate the implementation of security across the organization

– multi-disciplinary approach to information security: involving the co-operation and collaboration of managers, users, administrators, application designers, auditors and security staff, and specialist skills in areas such as insurance and

ISO 27002: Asset classification and control

• Asset accountability

– Accountability should remain with the owner of the asset. Responsibility for
implementing controls may be delegated.

• Information classification

– Information should be classified to indicate the need, priorities and degree of protection, depending on varying degrees of sensitivity and criticality.

ISO 27002: Personnel security

• Security in job definition and resourcing

• User training

– Users should be trained in security procedures and the correct use of information processing facilities to minimize possible security risks.



• Responding to security incidents and malfunctions

– Weaknesses, malfunctions

– Learning from incidents

– Disciplinary process

ISO 27002: Physical and environmental security

• Secure areas

– Security perimeter, entry controls

– Protection provided should be commensurate with the identified risks.

• Equipment security

– Safety

ISO 27002: Communications and operations management

• Operational procedures and responsibilities

– Incident management procedures

– Segregation of duties

– Separation of development and operational facilities

• System planning and acceptance

– Capacity planning, performance requirements, system acceptance

• Protection against malicious software

• Back ups, logging

• Network management

• Media handling

– tapes, disks, cassettes

• Information exchange between organizations

– Policy on Email

– Electronic commerce security



ISO 27002: Access control

• Access control policy

• User access management

– Access rights, passwords

• User responsibilities

• Network access control

– Network segregation

• Operating system access control

• Application access control

• Monitoring system access and use

• Mobile computing and teleworking

ISO 27002: Systems development and maintenance

• Security requirements of systems

– “built-in” security

• Security in application systems

– Message authentication, hash algorithms, cryptography

• Cryptographic controls

– To protect the confidentiality, authenticity or integrity of information (encryption, digital signatures, key management)

ISO 27002: Business continuity management -1-

• “To counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters.”

• A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures (which may be the result of, for example, natural disasters, accidents, equipment failures, and deliberate actions) to an acceptable level through a combination of preventative and recovery controls.

• The consequences of disasters, security failures and loss of service should be analyzed. Contingency plans should be developed and implemented to ensure that business processes can be restored within the required time-scales. Such plans should be maintained and practiced to become an integral part of all other management processes.

• Business continuity management should include controls to identify and reduce risks,
limit the consequences of damaging incidents, and ensure the timely resumption of
essential operations.

ISO 27002: Compliance

• Compliance with legal requirements

– Data protection and privacy of personal information

– Intellectual property rights (IPR)

– Regulation of cryptographic controls

• Compliance with security policy

ISO/IEC 27001: 2005

• Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented Information Security Management System (ISMS) within the context of the organization’s overall business risks.

• May serve as a suitable basis for ISMS certification.

• Contains requirements for the implementation of security controls customized to the needs of individual organizations or parts of them.

• Contains requirements in a structure of:

• 11 control clauses that include

• 39 control objectives

• 133 controls

The PDCA model of ISO/IEC 27001



PLAN: Establish the ISMS

Define the scope of ISMS (a.)

Definition of the boundaries of the ISMS in terms of the characteristics:

• The Business,

• The Organization,

• Its Location,

• Assets,

• Technology,

• Justified Details Of Any Exclusions From The Scope.



Define an ISMS policy (b.)

Definition of an ISMS policy that:

1. includes a framework for setting objectives and establishes an overall sense of direction and principles for action with regard to information security;

2. takes into account business and legal or regulatory requirements, and contractual
security obligations;

3. aligns with the organization’s strategic risk management context in which the
establishment and maintenance of the ISMS will take place;

4. establishes criteria against which risk will be evaluated, and

5. has been approved by management.

Risk assessment (c.-d.-e.)

Risk assessment is the process of combining risk identification, risk analysis and risk
evaluation.

ISO/IEC 13335-1: 2004

The results of the risk assessment will help to guide and determine the appropriate
management action and priorities for managing information security risks, and for
implementing controls selected to protect against these risks.

ISO/IEC 27002: 2005

The three stages of risk assessment execution are:

• Identify a risk assessment methodology that is suited to the ISMS, and the identified
business information security, legal and regulatory requirements.

• Develop criteria for accepting risks and identify the acceptable levels of risk.

• Identify the risks (assets, threats, vulnerabilities, impacts)

• Analyze and evaluate the risks (estimation of level of risks and evaluation whether
they are acceptable or require treatment).

Risk Assessment activities

Risk assessment consists of the following activities:

• Risk analysis which comprises:

– Risk identification

– Risk estimation



• Risk evaluation

Prepare Statement of Applicability (j.)

The Statement of Applicability shall include the following:

• the control objectives and controls selected and the reasons for their selection

• the control objectives and controls currently implemented, and

• the exclusion of any control objectives and controls in Annex A and the justification
for their exclusion.

DO: Implement and Operate the ISMS (1)

• Formulate a risk treatment plan that shall contain:

– The method selected for treating the risk

– What controls are in place

– What additional controls are proposed

– Time frame for controls’ implementation

– Identified acceptable level of risk (and residual risk)

• Implement the risk treatment plan in order to achieve the identified control objectives.

• Implement controls selected to meet the control objectives.

• Define how to measure the effectiveness of the selected controls.

• Implement training and awareness programs.

• Manage operation of the ISMS.

• Manage resources for the ISMS.

• Implement procedures and other controls capable of enabling prompt detection of security events and response to security incidents.
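The risk assessment steps (c.-e.), the Statement of Applicability (j.) and the DO-phase risk treatment plan above, carried through as one added worked example in Python. This is not code from the notes or from any ISO document: the 1..5 likelihood and impact scale, the acceptance threshold, the assets and estimates, and the CTRL-nn control identifiers are all constructed assumptions (they are not Annex A control numbers).

```python
from dataclasses import dataclass

# PLAN: risk acceptance criterion (constructed threshold on a 1..5 x 1..5 scale).
ACCEPTABLE_RISK_LEVEL = 6
TREATMENT_OPTIONS = ("modify", "retain", "avoid", "share")


@dataclass
class Risk:
    # Identified risk: asset, threat, exploited vulnerability, and the estimated
    # likelihood and impact, each on a 1 (lowest) .. 5 (highest) scale.
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"likelihood/impact must be in 1..5 for {self.asset!r}")

    @property
    def level(self) -> int:          # risk estimation: likelihood x impact
        return self.likelihood * self.impact

    @property
    def acceptable(self) -> bool:    # risk evaluation against the criterion
        return self.level <= ACCEPTABLE_RISK_LEVEL


@dataclass
class Treatment:
    # One entry of the risk treatment plan (DO phase).
    risk: Risk
    method: str
    controls_in_place: list
    additional_controls: list
    time_frame: str
    residual_likelihood: int
    residual_impact: int

    @property
    def residual_level(self) -> int:
        return self.residual_likelihood * self.residual_impact


def assess(risks):
    """Analyse and evaluate: acceptable risks vs. risks requiring treatment,
    the latter ordered by level, highest first."""
    needs_treatment = sorted((r for r in risks if not r.acceptable),
                             key=lambda r: r.level, reverse=True)
    return {"needs_treatment": needs_treatment,
            "acceptable": [r for r in risks if r.acceptable]}


def plan_treatment(risk, method, controls_in_place, additional_controls,
                   time_frame, residual_likelihood, residual_impact):
    """Build a plan entry and check that the proposed controls bring the
    residual risk down to the identified acceptable level."""
    if method not in TREATMENT_OPTIONS:
        raise ValueError(f"unknown treatment method {method!r}")
    t = Treatment(risk, method, controls_in_place, additional_controls,
                  time_frame, residual_likelihood, residual_impact)
    if t.residual_level > ACCEPTABLE_RISK_LEVEL:
        raise ValueError(f"residual risk {t.residual_level} for {risk.asset!r} "
                         f"exceeds acceptable level {ACCEPTABLE_RISK_LEVEL}")
    return t


def statement_of_applicability(catalogue, selected, excluded):
    """SoA: every catalogue control must be selected (with a reason) or
    excluded (with a justification); anything else is a gap in the SoA."""
    soa = []
    for cid, description in catalogue.items():
        if cid in selected:
            soa.append((cid, description, "selected", selected[cid]))
        elif cid in excluded:
            soa.append((cid, description, "excluded", excluded[cid]))
        else:
            raise ValueError(f"control {cid} neither selected nor justified as excluded")
    return soa


# Constructed sample register and control catalogue (hypothetical values;
# CTRL-nn are placeholders, not Annex A control numbers).
SAMPLE_RISKS = [
    Risk("customer database", "ransomware", "unpatched file server", 4, 5),
    Risk("public website", "defacement", "weak administrator password", 3, 3),
    Risk("office printer", "hardware failure", "ageing device", 3, 1),
]
SAMPLE_CATALOGUE = {"CTRL-01": "Security awareness training", "CTRL-02": "Patch management",
                    "CTRL-03": "Offline backups", "CTRL-04": "Teleworking policy"}

if __name__ == "__main__":
    result = assess(SAMPLE_RISKS)
    for r in result["needs_treatment"] + result["acceptable"]:
        print(f"{'TREAT' if not r.acceptable else 'ACCEPT':<6} {r.asset:<18} level={r.level}")
    plan = plan_treatment(result["needs_treatment"][0], "modify", ["antivirus"],
                          ["CTRL-02", "CTRL-03"], "within 90 days", 2, 3)
    print(f"plan: {plan.method}, residual level {plan.residual_level}")
```

The two checks that matter in practice are the ones that raise: a treatment entry whose residual risk still sits above the acceptance criterion is rejected rather than recorded, and a Statement of Applicability that silently omits a catalogue control is rejected, since the notes require every exclusion to carry a justification.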


CHECK: Monitor and review

Execute monitoring and reviewing procedures and other controls to:

• promptly detect errors

• promptly identify attempted and successful security breaches and incidents

• enable management to determine whether the security activities delegated to people or implemented by information technology are performing as expected,

• help detect security events by the use of indicators, and

• Determine whether the actions taken to resolve a breach of security were effective.

• Undertake regular reviews of the effectiveness of the ISMS.

• Measure the effectiveness of controls to verify that security requirements have been
met.



• Review risk assessments at planned intervals and review the residual risks and the
identified acceptable levels of risks, taking into account potential changes.

• Conduct internal ISMS audits at planned intervals.

• Update security plans to take into account the findings of monitoring and reviewing
activities.

• Record actions and events that could have an impact on the effectiveness or
performance of the ISMS.
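The CHECK items above (promptly detect errors, identify attempted and successful breaches by the use of indicators, and measure the effectiveness of a control) as an added example in Python, not code from the notes or from any standard. The log format, the indicator threshold of five failures from one source within ten minutes, the account lockout control and the sample addresses are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator thresholds (constructed values; an organization would set its own).
FAILURE_THRESHOLD = 5            # this many failures from one source ...
WINDOW = timedelta(minutes=10)   # ... within this window = attempted breach

# Constructed log format: "<ISO timestamp> auth <FAIL|SUCCESS|LOCKOUT> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<event>FAIL|SUCCESS|LOCKOUT) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth FAIL user=alice src=203.0.113.5
2024-05-01T09:00:05 auth FAIL user=alice src=203.0.113.5
2024-05-01T09:00:09 auth FAIL user=alice src=203.0.113.5
2024-05-01T09:00:13 auth FAIL user=alice src=203.0.113.5
2024-05-01T09:00:17 auth FAIL user=alice src=203.0.113.5
2024-05-01T09:00:18 auth LOCKOUT user=alice src=203.0.113.5
2024-05-01T09:02:00 auth FAIL user=bob src=192.0.2.9
2024-05-01T09:02:20 auth SUCCESS user=bob src=192.0.2.9
2024-05-01T09:05:00 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:05:02 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:05:04 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:05:06 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:05:08 auth FAIL user=admin src=198.51.100.7
2024-05-01T09:05:10 auth SUCCESS user=admin src=198.51.100.7
"""


def parse(text):
    """Parse log lines into event dicts. Malformed lines are reported as
    errors (the 'promptly detect errors' item) instead of being dropped."""
    events, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            errors.append(line)
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events, errors


def detect(events):
    """Derive breach indicators from the time-ordered event stream."""
    recent_failures = defaultdict(list)   # src -> failure timestamps inside WINDOW
    attempted, successful, locked_out = set(), set(), set()
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e["src"]
        if e["event"] == "FAIL":
            window = [t for t in recent_failures[src] if e["ts"] - t <= WINDOW]
            window.append(e["ts"])
            recent_failures[src] = window
            if len(window) >= FAILURE_THRESHOLD:
                attempted.add(src)        # indicator: password-guessing burst
        elif e["event"] == "SUCCESS":
            if src in attempted:
                successful.add(src)       # indicator: login right after a burst
        elif e["event"] == "LOCKOUT":
            locked_out.add(src)           # the lockout control fired
    return {"attempted": attempted, "successful": successful, "locked_out": locked_out}


def lockout_effectiveness(findings):
    """Control-effectiveness measure: share of attempted-breach sources that
    the lockout control stopped. None when there was nothing to measure."""
    attempted = findings["attempted"]
    if not attempted:
        return None
    return len(attempted & findings["locked_out"]) / len(attempted)


def review(text):
    """One monitoring pass: parse, detect, and measure the control."""
    events, errors = parse(text)
    findings = detect(events)
    findings["parse_errors"] = errors
    findings["lockout_effectiveness"] = lockout_effectiveness(findings)
    return findings


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key:>22}: {value}")
```

On the constructed sample the first source is stopped by the lockout control, the third source gets in after five failures with no lockout recorded, and bob's single mistyped password raises no indicator; the effectiveness figure of 0.5 is exactly the kind of measurement the CHECK phase asks for before the ACT phase decides whether the control needs correcting.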

ACT: Maintain and Improve the ISMS

The organization shall regularly:

• Implement the identified improvements in the ISMS.

• Take appropriate corrective and preventive actions

• Apply the lessons learnt from the security experiences of other organizations and
those of the organization itself.

• Communicate the actions and improvements to all interested parties

• Ensure that the improvements achieve their intended objectives.

Required documentation

• Documented statements of the ISMS policy and objectives

• The scope of the ISMS

• Procedures and controls in support of the ISMS

• A description of the risk assessment methodology

• The risk assessment report

• The risk treatment plan

• Documented procedures needed by the organization to ensure the effective planning,
operation and control of its information security processes and describe how to
measure the effectiveness of controls

• Records required by the ISO/IEC 27001:2005, and

• The Statement of Applicability (SOA).

For a standard which was preceded by two widely used successful global management
system standards, ISO 9001 and ISO 14001, the worldwide adoption of ISO/IEC 27001 is
surprisingly low (see Figure 1). Two years after its publication, the number of ISO/IEC
27001 certifications is well under that of its two predecessors ISO 9001, quality management,
and ISO 14001, environmental management system standards, during the same period
(Fomin et al., 2008). What explains so low adoption, given the importance of information
security management as compared to that of quality and environmental issues?

In Figure 1, we can also notice the discrepancy between the economic ranking of the
countries and the number of certifications. We will discuss this in the end of next section.
Aiming at obtaining insights on the unexpectedly low and surprisingly uneven diffusion of
the ISO/IEC 27001 standard, in the following section we examine successively the drivers for
adoption of information security management standards, the success factors and the specific
cases of employees' adoption. Finally, we explore the barriers and the limitations affecting
the adoption of ISMS, and solutions and recommendations to foster this adoption.

5.2 HUMAN FACTORS IN SECURITY: THE ROLE OF INFORMATION SECURITY

HUMAN FACTORS IN SECURITY

Sometimes personnel may take cyber security requirements too lightly, leading to dramatic
consequences for the organizations they work for.

In the recent WannaCry ransomware epidemic, the human factor played a major role in
making businesses worldwide vulnerable. Two months after the disclosed vulnerabilities had
been patched with a new update from Microsoft, many companies around the world still
hadn’t updated their systems. Several cases followed — with non-IT personnel being the
weakest link: for example, employees with local administrator rights who disabled security
solutions on their computers and let the infection spread from their computer onto the entire
corporate network.

So, what role do employees play in a business’s fight against cybercrime? To answer this
question Kaspersky Lab and B2B International have undertaken a study into over 5,000
businesses around the globe.

The results have been astounding. We’ve found that just over half of businesses (52%)
believe they are at risk from within. Their staff, whether intentionally or through their own
carelessness or lack of knowledge, are putting the businesses they work for at risk.

The following report investigates how and why this is happening – and what businesses can
do to help protect themselves from their own employees.

The dangers of irresponsible and uninformed employees

At risk from within

Against the backdrop of a complex and growing cyber threat landscape, where 57% of
businesses now assume their IT security will become compromised, businesses are also
waking up to the fact that one of the biggest chinks in their armor against cyberattack is their
own employees. In fact, 52% of businesses admit that employees are their biggest weakness
in IT security, with their careless actions putting business IT security strategy at risk.

The fear of being put at risk from within can be seen clearly in the fact that for businesses, the
top three cybersecurity fears are all related to human factors and employee behavior. The
table below shows that businesses are aware of how easy it is for employee/human error to
impact their company’s security. They worry most about employees sharing inappropriate
data via mobile devices (47%), the physical loss of mobile devices exposing their company to
risk (46%) and the use of inappropriate IT resources by employees (44%).

Source: IT Security Risks Survey 2017, global data

Taking a closer look at these findings, concerns about the inappropriate use of IT by
employees vary considerably according to company size, with very small businesses (with 1-
49 employees) feeling more at risk from this threat than enterprises with more than 1000
staff. This could be due to a number of factors including enterprises potentially having
stricter policies in place, and more thorough training for staff on best practice. In addition,
very small businesses possibly bestow employees with a greater degree of flexibility in terms
of how they use business IT resources.

Source: IT Security Risks Survey 2017, global data

Employee actions lead to cybersecurity incidents

The findings of our study show us that businesses do indeed have good reason to be worried
about employees contributing to cybersecurity risks. Staff may make mistakes that put their
company’s data or systems at risk – either because they are careless and accidently slip up –
or even because they do not have the required training to teach them how to behave
appropriately and to protect the business they work for.

Careless or uninformed staff, for example, are the second most likely cause of a serious
security breach, second only to malware. In addition, in 46% of cybersecurity incidents in the
last year, careless/uninformed staff have contributed to the attack.

Human error on the part of staff is not the only ‘attack vector’ that businesses are falling
victim to. In the last year internal staff have also caused security issues through malicious
actions of their own, with 30% of security events in the last 12 months reportedly involving
staff working against their own employers.

Among the businesses that faced cybersecurity incidents in the past 12 months, in one-in-ten
(11%) the most serious incidents involved careless employees.

Source: IT Security Risks Survey 2017, global data

Employee carelessness and phishing/social engineering were major contributing factors for
malware and targeted attacks; attack types, which, incidentally, have also demonstrated the
largest increase in the last year.

Source: IT Security Risks Survey 2017, global data

As many as 49% of businesses worldwide reported being attacked by viruses and malware
this year, an 11% increase compared to 2016 results. And, of those that experienced virus and
malware incidents, just over half (53%) of these consider careless/ uninformed employees to
be a top contributing factor and over a third (36%) consider phishing/ social engineering to
have contributed to the threat.

Viruses & malware: 2017 (Y2Y dynamics)

% of businesses that reported incidents: 49 (11% increase from 2016)

Top contributing factors:
1. Careless/ uninformed employees (53%)
2. Accidental loss of hardware (38%)
3. Phishing/ social engineering (36%)

Source: IT Security Risks Survey 2017, global data

Likewise, more than one-in-four (27%) businesses have experienced targeted attacks this
year, a 6% increase on last year. Of these attacked businesses, over a quarter (28%) believe
phishing/ social engineering contributed to the attack.

5.3 ROLE OF INFORMATION SECURITY PROFESSIONALS

The main use for IT Security and the main role for an IT Security specialist is to:
Protect computer systems by creating barriers deterring external access to them. Recognise
problems within systems by identifying uncharacteristic activity. Assess current situations
with the network security and carry out audits.

An IT Security Professional is someone responsible for protecting the networks,
infrastructure and systems for a business or organisation.

What is IT Security?

IT Security is the information security which is applied to technology and computer systems.
It focuses on protecting computers, networks, programs and data from unauthorised access or
damage. IT Security can also be referred to as Cyber Security. IT Security plays a vital role
within the government, military, finance companies, hospitals and many private businesses as
they store a large amount of data and information on their computer systems that need to be
kept secure.

What does it entail?

The main use for IT Security and the main role for an IT Security specialist is to:

 Protect computer systems by creating barriers deterring external access to them
 Recognise problems within systems by identifying uncharacteristic activity
 Assess current situations with the network security and carry out audits
 Implement improvements where needed and keep the users informed by completing
performance reports on a regular basis to communicate the status of the system security.

The general working hours of an IT Security specialist will be the normal 37 or 40 hours a
week. However, you will likely have the responsibility of being on call 24/7 in case of any
security breaches. You will need to be aware of this.

Areas in IT security

There are many different areas within IT Security itself. You can specialise in one of these
areas or a number of these areas if you wish. They include:

 Network Troubleshooting
 System Administration
 Firewall Administration
 Information Security Policies
 Penetration testing
 Ethical Hacking
 Security Analyst

The salary can vary depending on the area of IT Security, the qualification level and the
location of your work. The salary can vary from £25,000 to £85,000. To give you a more
specific idea of salary ranges, an IT Security Officer can earn around £34,000, an IT Security
Engineer can earn around £58,000 and Head of IT Security can earn around £85,000 or
higher in certain sectors and large businesses. Ethical hacking is also a growth sector and
specialised consultants in this area can earn high incomes.

Required skills

If you are looking to work in the IT Security sector it would be beneficial for you to have the
following skillset:

 Analytical
 Logical
 Ability to prioritise work load
 Aware of developments in Cyber Security
 Understanding of Database, Networking and Systems
 Understanding of applicable UK law and regulations in relation to IT Security
 Experience with Antivirus software and web proxy management
 An IT Security / Computer Science related degree or certification

 A strong background in IT

IT Security Qualifications

Having a lot of experience within the IT Security field is really important, however there are
many qualifications and certifications that can be seen as vital in this field due to how fast the
industry is growing. Below are just a small selection of IT Security qualifications and
certifications you can obtain:

 SANS Institute- GIAC (Global Information Assurance Certification)
 CISA
 CISSP
 BSI Group- ISO 27001 Registered Auditor, ISEB Practitioner in IRM, ISEB Risk
Management Principles
 EC Council- Certified Ethical Hacker
 EC Council- EC- Council Certified Security Specialist

Many professionals will have a strong background in IT before specialising in IT Security.
This could include IT Support, Software Development, Systems Administration, Testing etc.

Roles and Responsibilities of IT security professionals

The job of IT security professionals is to ensure that the networks, infrastructure, and
computer systems within organizations are properly and adequately secure by protecting
information assets, such as customer data, financial information and critical network
infrastructures. Information security refers to the process of protecting information,
specifically its availability, confidentiality and integrity. On the other hand, information
technology security refers to the process of controlling the technology that allows access to
information making it accessible only to those who are legitimately allowed to do so. As
stated by Belsis et al. (2005), IT Security refers to the set of principles, regulations,
methodologies, measures, techniques, and tools we use to protect an information system from
potential threats. The IT security professionals are the ones in charge of the selection,
acquisition, design, development, adaptation, implementation, deployment, training/
education, support, management and documentation related to IT security of an information
system within the network. All these strategies are now a subsection of the organization’s
strategic policy (Layton, 2007). This includes, but is not limited to, security threat and risk
analysis; security technologies; detection techniques; policies, laws, and regulations
governing the procedures used by the IT staff; end user and client user policies for Web
access and e-mail; design and implementation of system analysis; and controlling traffic flow
through the network. Network security is defined as the protection of networks
