Physical security
Physical storage security encompasses where and how your data is stored. Different states and countries have very specific
data security compliance laws. If you’re operating in a different location than where your data is stored, the security laws
where you store your data might not align with your needs or legal commitments to your customers.
It’s important to ask where the project management software company stores its data and ensure the security standards at
the storage facility are up to date and independently validated. You should also ask about the physical protection of the
storage facilities. For instance, do they have 24/7 staffed security, power backup systems, physical access controls, smoke
and fire alarms, and digital surveillance systems?
Another aspect of physical security is how often your data is backed up. If a server crashes or a breach occurs, you want to
know your data won’t be lost.
Look for a project management software vendor that provides near real-time replication. This feature will ensure your data
is backed up and available on secure and geographically dispersed servers. A full backup should be performed daily, and
the data should be stored encrypted in an environment physically separate from the primary servers to ensure fault
tolerance.
User authentication
Your chosen project management software should support multiple methods of federated authentication, including Google
OpenID, Azure, Office 365, ADFS, SSO, and SAML2. This process enables employees to securely access your software
without using a second, separate login and password.
Other authentication features to look for are customizable password security settings and 2-step verification.
Within the password settings of your project management software, you should be able to customize the following:
Password strength settings, such as minimum password length, not allowing passwords to include the user’s first or last
name, the number and type of characters used, etc.
Password expiration settings dictating how often users need to change their password.
Password history settings specifying how often a user can reuse the same password after they’ve made a change.
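As an added illustration (not code from the original page or from any vendor's product), the following Go program enforces the password settings just listed: minimum length, character classes, no first or last name, expiration, and history depth. The policy values, the user record, and the plain SHA-256 used for the history comparison are constructed for the example; a real system would compare against its stored salted password hashes.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// PasswordPolicy holds the customizable settings described above.
// The values assigned in main are illustrative, not any vendor's defaults.
type PasswordPolicy struct {
	MinLength    int           // minimum password length
	MinClasses   int           // distinct character classes required (lower, upper, digit, other)
	MaxAge       time.Duration // expiration: how often users must change their password
	HistoryDepth int           // how many previous passwords may not be reused
}

// UserRecord is the per-user state the policy needs: name parts for the
// "no first/last name" rule, when the current password was set, and the
// history of previous passwords kept as hashes rather than plaintext.
type UserRecord struct {
	FirstName, LastName string
	PasswordSetAt       time.Time
	History             []string // hex SHA-256 of previous passwords, newest first
}

// hashPassword is plain SHA-256 for brevity (constructed for this example);
// a real system compares against its stored salted password hashes instead.
func hashPassword(pw string) string {
	sum := sha256.Sum256([]byte(pw))
	return hex.EncodeToString(sum[:])
}

// countClasses returns how many of lower, upper, digit, other appear in pw.
func countClasses(pw string) int {
	seen := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		default:
			seen["other"] = true
		}
	}
	return len(seen)
}

// Validate returns every rule the candidate password violates; an empty
// result means the password is accepted.
func (p PasswordPolicy) Validate(u UserRecord, candidate string) []string {
	var problems []string
	if len([]rune(candidate)) < p.MinLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if countClasses(candidate) < p.MinClasses {
		problems = append(problems, fmt.Sprintf("fewer than %d character classes", p.MinClasses))
	}
	lower := strings.ToLower(candidate)
	for _, name := range []string{u.FirstName, u.LastName} {
		if name != "" && strings.Contains(lower, strings.ToLower(name)) {
			problems = append(problems, "contains the user's first or last name")
			break
		}
	}
	h := hashPassword(candidate)
	depth := p.HistoryDepth
	if depth > len(u.History) {
		depth = len(u.History)
	}
	for _, old := range u.History[:depth] {
		if old == h {
			problems = append(problems, fmt.Sprintf("reuses one of the last %d passwords", p.HistoryDepth))
			break
		}
	}
	return problems
}

// Expired reports whether the expiration setting requires a change at time now.
func (p PasswordPolicy) Expired(u UserRecord, now time.Time) bool {
	return p.MaxAge > 0 && now.Sub(u.PasswordSetAt) >= p.MaxAge
}

func main() {
	policy := PasswordPolicy{MinLength: 12, MinClasses: 3, MaxAge: 90 * 24 * time.Hour, HistoryDepth: 5}
	user := UserRecord{
		FirstName:     "Alice",
		LastName:      "Ng",
		PasswordSetAt: time.Now().Add(-100 * 24 * time.Hour),
		History:       []string{hashPassword("Winter-2023-Rain!")}, // constructed previous password
	}
	fmt.Println(policy.Validate(user, "alice2024"))         // length, classes and name violations
	fmt.Println(policy.Validate(user, "Winter-2023-Rain!")) // history violation
	fmt.Println(policy.Validate(user, "Quartz#Harbor_77"))  // accepted
	fmt.Println(policy.Expired(user, time.Now()))           // true: set 100 days ago
}
```

Validate reports every violated rule rather than stopping at the first, so the user can fix the password in one attempt; the history check looks at hashes only, so the history store never holds plaintext passwords.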
2-step verification (also called two-factor authentication or 2FA) provides an additional layer of security to the sign-in
process. In addition to a username and password, you have to enter a time-sensitive verification code to gain access.
If some of your team members are using applications that do not natively support 2-step verification, make sure your
software supports using one-time passwords instead. Otherwise, those users will find themselves locked out.
Your project management software should also allow you to use network access policy settings to add approved IP
addresses and IP subnets for additional application security. With this feature enabled, users can only log in and access
your software from those locations. If you have remote users, make sure you select a tool that allows mobile users and
other collaborators to log in and access the software from any IP address.
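The two remaining sign-in gates, the time-sensitive verification code and the network access policy, are shown together below in an added Go example that is not part of the original page. The verification code is computed with the RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second steps, one step of tolerance either side), which is what authenticator apps implement; the approved subnets, the per-user exemption flag for mobile users, and the RFC test secret are constructed assumptions, not a vendor's settings.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"net"
	"time"
)

// totp computes an RFC 6238 code (HMAC-SHA1, as authenticator apps do by default)
// for a shared secret at a given 30-second step counter.
func totp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation (RFC 4226): take 4 bytes at an offset given by the last nibble.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// VerifyTOTP accepts the 6-digit code for the current step and one step either
// side, so a code typed just as the 30-second window rolls over is not rejected.
// The comparison is constant-time.
func VerifyTOTP(secret []byte, code string, now time.Time) bool {
	step := now.Unix() / 30
	for delta := int64(-1); delta <= 1; delta++ {
		if step+delta < 0 {
			continue
		}
		expected := totp(secret, uint64(step+delta), 6)
		if hmac.Equal([]byte(expected), []byte(code)) {
			return true
		}
	}
	return false
}

// NetworkPolicy is the list of approved IP addresses and subnets. A single
// address is written as a /32 (or /128) prefix.
type NetworkPolicy struct {
	Allowed []*net.IPNet
}

func NewNetworkPolicy(cidrs ...string) (NetworkPolicy, error) {
	var p NetworkPolicy
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return NetworkPolicy{}, err
		}
		p.Allowed = append(p.Allowed, n)
	}
	return p, nil
}

// Permits reports whether a sign-in from src is allowed. anyIPExempt is the
// per-user flag for mobile users and other collaborators who may connect
// from any address (a constructed name for that setting).
func (p NetworkPolicy) Permits(src string, anyIPExempt bool) bool {
	if anyIPExempt {
		return true
	}
	ip := net.ParseIP(src)
	if ip == nil {
		return false
	}
	for _, n := range p.Allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 test secret (ASCII "12345678901234567890"); a real enrolment uses a random secret.
	secret := []byte("12345678901234567890")
	fmt.Println(totp(secret, 1, 8))                             // 94287082, the RFC 6238 vector for T=59
	fmt.Println(VerifyTOTP(secret, "287082", time.Unix(59, 0))) // true
	fmt.Println(VerifyTOTP(secret, "000000", time.Unix(59, 0))) // false

	policy, _ := NewNetworkPolicy("10.0.0.0/8", "203.0.113.7/32") // constructed office ranges
	fmt.Println(policy.Permits("10.20.30.40", false))  // true: approved subnet
	fmt.Println(policy.Permits("198.51.100.1", false)) // false: not approved
	fmt.Println(policy.Permits("198.51.100.1", true))  // true: mobile user exempt
}
```

The one-step tolerance window is the usual trade-off between usability and replay exposure; widening it beyond one step makes each code valid for longer and should be avoided. The exemption flag is what lets the policy stay strict for office-bound accounts while the remote and mobile users the text mentions keep working.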
Data encryption
Your project management software should use, at a minimum, Transport Layer Security (TLS) 1.2, preferably with the AES
256-bit cipher in CBC mode and a 2048-bit server key, when accessed with current mainstream browsers.
While this sounds complex, all it means is that when you access your software via a web browser, mobile application, email
add-in, or browser extension, TLS protects your information with server authentication and data encryption.
This level of encryption security is equivalent to network security methods used in banking and leading e-commerce sites.
All users’ passwords, cookies, and sensitive information are reliably protected from electronic eavesdropping.
User files uploaded to servers via both web application and API are automatically encrypted with AES 256 using per-file
keys. The encryption keys should be stored by the vendor in a secure key vault, a separate database decoupled from the
file storage layer.
With this encryption, even if someone were to gain physical access to the file storage, your data could not be read without
the keys held in the vault.
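To make the per-file key design concrete, here is an added Go example (not the vendor's implementation, and not code from the original page) of a file store that only ever holds ciphertext and a separate key vault that holds one random AES-256 key per file. AES-GCM is used as an assumption because it is an authenticated mode and the text does not specify the mode for file encryption; the vault, the file store, the file IDs and the sample content are constructed for the example. StorageOnlyAttempt shows what someone holding only the storage layer can do with it: without the vault key every decryption attempt fails authentication.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyVault stands in for the vendor's key store: a separate database, decoupled
// from the file storage layer, holding one 256-bit key per file ID.
type KeyVault struct{ keys map[string][]byte }

// FileStore stands in for the file storage layer; it only ever holds ciphertext.
type FileStore struct{ blobs map[string][]byte }

func NewKeyVault() *KeyVault   { return &KeyVault{keys: map[string][]byte{}} }
func NewFileStore() *FileStore { return &FileStore{blobs: map[string][]byte{}} }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload generates a fresh per-file AES-256 key, encrypts the content with
// AES-GCM, writes nonce||ciphertext to the file store and the key to the vault.
func Upload(v *KeyVault, s *FileStore, fileID string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	// The file ID is bound in as additional authenticated data, so a blob moved
	// under another file's name fails to decrypt instead of silently succeeding.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(fileID))
	s.blobs[fileID] = append(nonce, ct...)
	v.keys[fileID] = key
	return nil
}

func decryptWithKey(key, blob []byte, fileID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("stored blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(fileID))
}

// Download fetches the key from the vault and the blob from the store and
// decrypts; the GCM tag also detects any tampering with the stored blob.
func Download(v *KeyVault, s *FileStore, fileID string) ([]byte, error) {
	key, ok := v.keys[fileID]
	if !ok {
		return nil, errors.New("no key in vault for " + fileID)
	}
	blob, ok := s.blobs[fileID]
	if !ok {
		return nil, errors.New("no blob in store for " + fileID)
	}
	return decryptWithKey(key, blob, fileID)
}

// StorageOnlyAttempt models someone who has the file storage but not the vault:
// without the per-file key, decryption fails authentication. The all-zero key
// stands for any guessed key.
func StorageOnlyAttempt(s *FileStore, fileID string) error {
	_, err := decryptWithKey(make([]byte, 32), s.blobs[fileID], fileID)
	return err
}

func main() {
	vault, store := NewKeyVault(), NewFileStore()
	doc := []byte("Q3 roadmap draft: constructed sample content") // constructed file content
	if err := Upload(vault, store, "file-001", doc); err != nil {
		panic(err)
	}
	pt, err := Download(vault, store, "file-001")
	fmt.Printf("%s %v\n", pt, err)                     // the plaintext and a nil error
	fmt.Println(StorageOnlyAttempt(store, "file-001")) // non-nil error: authentication fails
}
```

Because each file has its own key, the vault can revoke or rotate a single file's key without re-encrypting the rest, and a copy of the storage layer taken on its own is worthless to whoever holds it; the vault therefore needs its own, stricter access controls and audit trail.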
Mobile applications
It’s important to have mobile access to your project management software so that your team can access it no matter
where they are. However, mobile apps come with their own security concerns.
Any mobile apps should have all the security functionality built into your project management software, such as password
and data sharing restrictions. Plus, mobile apps need additional security features such as encryption at rest, certificate
pinning, checking against rooted/jailbroken devices, and application-level protections using a PIN code or fingerprint.
Privacy
When contacting customer support, it’s important to know that your vendor has strict policies on how to verify your
identity and help you access your account, as well as how and when they can access your data.
Ask vendors to share their policies around escalation, management, knowledge sharing, risk management, and day-to-day
operations. They should have strict policies to limit access to customer data to employees with a job-related need.
Their policies should also allow you to dictate when and how they see your data if you find their basic policies don’t meet
your security requirements for sensitive information.
Compliance
There are security compliance standards that any reputable software vendor should adhere to. These include:
ISO/IEC 27001:2013 certification
SOC2 Type II
ISAE 3402 (Europe)
An ISO/IEC 27001:2013 certification demonstrates that the vendor has a complete security framework and a risk-based
approach to managing information security. ISO/IEC 27001 is the only internationally recognized standard for the
establishment and certification of an information security management system (ISMS).
Vendors should also be compliant with local regulations. If you have any locations, employees, customers, or other
stakeholders working in or from Europe, your software should be GDPR compliant.
Over the last 10 to 15 years, Information Technology in general has evolved from a centralized environment to a more
decentralized environment, in which all types of networks (LANs, WANs, and the Internet) are used daily to connect
systems, workstations, etc. to each other.
Managing the security of these networks, i.e. ensuring that the existence and use of all types of networks do not impact
the confidentiality, integrity and availability of the organization's electronic assets, has become a pivotal part of more
general information security governance. The more recent security worries around wireless networks emphasize the
crucial importance of such network security management. Figure 2 below indicates where network security management
fits into the Information Security Governance structure.
(Figure 2 shows the governance structure as a row of blocks: Physical Security Management, Personnel Security Management, etc.)
Figure 2 Network Security Management within the Information Security Governance structure
Because of the pivotal role of network security management, this paper zooms into this specific part of Information
Security Governance, and defines 5 pillars (essentials) which must be in place to ensure proper network security
management. These 5 pillars have to do with the more non-technical aspects of network security management, in line
with the division made for Information Security Governance above.
Understanding the importance of these 5 pillars is vital to network security, as too often companies approach
network security from a purely technical viewpoint, and do not realize that if the non-technical aspects (pillars) are not
in place, huge risks will still exist as far as the use of their networks is concerned. Identifying and highlighting the
importance of these 5 pillars is not necessarily a novel idea, as they are discussed and mentioned in most internationally
accepted best practices for information and network security management. However, the purpose is to again stress their
importance, and to provide a simple way for a network security manager to do a fast high-level evaluation to
determine the presence and level of implementation of these 5 pillars.
We start off by introducing and discussing each of these 5 (non-technical) pillars, and finish with a checklist that a
network security manager can use to see whether the relevant 5 (non-technical) pillars are in place.
2.4 Awareness
Information Security awareness is a widely publicized and talked-about issue in the business environment. The
reason for this is that Information Security awareness is mainly a human-related issue. It is important to realize that
“human issues” are the main cause of security breaches [11]. The most effective way to reduce Information Security
risks in an organization is to make employees more Information Security aware. This awareness also means that
employees must take responsibility for their own actions in the workplace.
Implementing an effective Information Security awareness programme helps all employees understand why they
need to take Information Security seriously, what they will gain from its implementation and how it will assist them in
completing their assigned tasks. An effective Information Security awareness programme could be the most cost-
effective initiative a company can take to protect its critical information assets [16]. This protection can only be
provided if there are effective programmes in place to make certain that employees are aware of their responsibilities.
It is the organization’s responsibility to make employees aware of Information Security policies and issues in the
organization. Without knowing the necessary security controls (and how to use them), users cannot be truly
accountable for their actions [15]. Organizations that have implemented strong protection mechanisms and have
educated their staff are in the best position to protect their information from unauthorized disclosure or modification.
According to the CCTA [2], the Information Security procedures must be integrated into normal everyday routine,
and staff should come to recognize security as an enabler rather than a barrier. The NIST handbook [15] also stresses
this “every day routine” by stating that Information Security is an ongoing process. This process of making employees
Information Security aware must continue after a candidate has been hired, which includes keeping employees up to
date with their IS duties and responsibilities.
Any general Information Security awareness program must, of course, include all aspects related to network usage
security, which must not be hidden amongst a lot of other security issues. Again, because of the importance of
networks, many companies are realizing that a network security awareness program, separate from the general
Information Security awareness program, has significant value. This is reinforced by Lewis [14], who states that if one can
make employees aware of the threats to the network and let them feel part of the network security team, they may feel
more inclined to help out and point out potential problems before they get out of hand. Greater success is achieved in this
way, because employees are specifically exposed to the security risks related to the use of networks, and can therefore
evaluate network security as an aspect in its own right.
In the first part of this paper the 5 pillars for network security management were briefly introduced. Each of these
pillars can be summarized into a few high level actions that will enforce the role of that pillar.
This section will use an incremental approach to illustrate how these actions can be used to implement (or
evaluate the presence of) these pillars in a network security management environment.
Each of these pillars contains one or more actions that are vital to that pillar. If there is compliance with an action,
one can move on to the next action. If an action within a pillar is not complied with, a counter action
must be taken (indicated as a "No" in Figure 3). After the counter action is completed, the process starts again at the first
action in the specified pillar (or block). If all the actions within the pillar are complied with, one can progress to the
next pillar (block).
The order in which the pillars will be addressed is the same order as introduced in section 2. The order of the pillars
is very important to follow, for example one cannot monitor a policy or procedures if such a policy or procedure does
not exist in the first place. Therefore, the pillars must be kept in the correct order. The actions and counter actions for
each pillar are depicted in Figure 3.
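The incremental procedure described in this section (check each action in order, take the counter action on a "No", restart the pillar at its first action, and move to the next pillar only when every action passes) is written out below as an added Go example; it is not from the paper. The pillar names and decision questions in BuildDemoPillars are illustrative placeholders, not the paper's 13 questions from Figure 3, and the compliance state they read and update is constructed.

```go
package main

import "fmt"

// Action is one decision question within a pillar: Check answers it (Yes/No)
// and Counter is the counter action taken on a "No" before the pillar restarts.
type Action struct {
	Question string
	Check    func() bool
	Counter  func()
}

// Pillar is one block of the flowchart: a named group of actions checked in order.
type Pillar struct {
	Name    string
	Actions []Action
}

// RunChecklist walks the pillars in their fixed order. Within a pillar, the
// first action answered "No" triggers its counter action and the pillar
// restarts at its first action; the next pillar is reached only when every
// action passes. maxRestarts guards against a counter action that never
// takes effect. The returned trail is the record an evaluator would keep.
func RunChecklist(pillars []Pillar, maxRestarts int) ([]string, error) {
	var trail []string
	for _, p := range pillars {
		restarts := 0
		for {
			failed := false
			for _, a := range p.Actions {
				if a.Check() {
					trail = append(trail, fmt.Sprintf("%s: %s -> Yes", p.Name, a.Question))
					continue
				}
				trail = append(trail, fmt.Sprintf("%s: %s -> No, counter action taken", p.Name, a.Question))
				a.Counter()
				failed = true
				break
			}
			if !failed {
				break
			}
			restarts++
			if restarts > maxRestarts {
				return trail, fmt.Errorf("pillar %q still non-compliant after %d counter actions", p.Name, maxRestarts)
			}
			trail = append(trail, p.Name+": restarting at first action")
		}
		trail = append(trail, p.Name+": all actions complied with, next pillar")
	}
	return trail, nil
}

// State is the constructed compliance state the demo questions read and the
// counter actions update. It is illustrative, not an organization's real status.
type State struct {
	PolicyExists, PolicyCommunicated, SeparateAwarenessProgramme, ComplianceMonitored bool
}

// BuildDemoPillars uses placeholder pillars and questions (not the paper's own
// list) in an order that respects the rule that a policy must exist before
// compliance with it can be monitored.
func BuildDemoPillars(st *State) []Pillar {
	return []Pillar{
		{Name: "Policy", Actions: []Action{
			{"Does a network security policy exist?", func() bool { return st.PolicyExists }, func() { st.PolicyExists = true }},
			{"Has it been communicated to all staff?", func() bool { return st.PolicyCommunicated }, func() { st.PolicyCommunicated = true }},
		}},
		{Name: "Awareness", Actions: []Action{
			{"Is there a network security awareness programme separate from the general one?",
				func() bool { return st.SeparateAwarenessProgramme }, func() { st.SeparateAwarenessProgramme = true }},
		}},
		{Name: "Monitoring", Actions: []Action{
			{"Is compliance with the policy monitored?", func() bool { return st.ComplianceMonitored }, func() { st.ComplianceMonitored = true }},
		}},
	}
}

func main() {
	st := &State{SeparateAwarenessProgramme: true} // only the awareness programme is in place at the start
	trail, err := RunChecklist(BuildDemoPillars(st), 3)
	for _, line := range trail {
		fmt.Println(line)
	}
	fmt.Println("error:", err)
}
```

Running it with the constructed starting state shows the restart behaviour: the Policy pillar is re-entered twice (once after each counter action) before the evaluator is allowed to move on to Awareness, and Monitoring is only reached once the policy it monitors exists.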
1.1 Checklist
This section uses the actions and pillars depicted in Figure 3 to create a checklist for network security management.
This checklist comprises each of the 13 decision questions from Figure 3, and indicates the network security
management approach for non-technical network aspects. Before starting to work through the checklist it is important
to know that technical aspects such as firewalls protect an organization from outside attacks but leave the organization
open to attacks from inside the organization. Insider threats are most often incidental in nature, because many
employees do not know that they are compromising the confidentiality, integrity or availability of information.
With this checklist in place an organization can try to minimize the "incidental" threats by employees.
2. CONCLUSION
This paper introduced the importance of the non-technical aspects of network security management. Five vital pillars
were identified and briefly described. Different actions for each of these pillars were also identified. These five pillars,
together with the individual actions can be depicted in a checklist with a preset order that must be followed. The
importance of this checklist is to ensure that organizations are aware of the different non-technical aspects related to
network security management and how to implement and monitor these in an organization.
What is certification and accreditation and how does it relate to security engineering?
Certification and accreditation (CnA or C&A) is a procedure that can be used to implement any formal
process. The process can be looked at as a systematic process of carrying out the evaluation, testing, and
authorization of systems (or the activities of systems) after (or prior to) a system has become operational.
The C&A procedure is widely used around the world.
Attaining the CISSP certification separates an information security expert from their competition and awards
them a badge of credibility. C&A is an integral part of the CISSP CBK and the aspirants need to be
theoretically and practically well-versed with the subject to be able to ace the exam. In simple terms,
certification in itself can be defined as the complete evaluation of a product, system, process, event, or a
skill that’s normally measured against an existing benchmark, norm, or standard.
Most trade organizations and industries prepare carefully designed certification models (and programs)
that can then be used for testing and evaluating the skills of the people performing jobs falling under the
specific interest area of the organization. However, testing laboratories can also pass certifications for
products (that meet the pre-established norms and standards) and government bodies have also historically
certified companies that are meeting the laid-out regulations (e.g., emission limits).
Accreditation, on the other hand, is a formal declaration by a third party (neutral) that the certification was
carried out in a way that accords with the relevant standards and/or norms of the certification program
(e.g., IEC 17024). In most countries around the world, there are specific bodies that operate nationwide and
enforce these regulations. In the US, the United States Accreditation Service (UKAS) is the country’s
accepted accreditation organization.
There are many ways of building and implementing a certification and accreditation program at the
enterprise level. Predominantly, it’s composed of people, technologies, and processes of different types. All
of the constituent entities are important, but there are some special program components that can be
referred to as being absolutely essential to the program’s success. If these pertinent components don’t
function as they should, the program’s implementation can be severely hampered and the repercussions
won’t be desirable. Following are some of the most important elements that are critical to the success of a
C&A program at an enterprise:
Security Manager
Accountable for day-to-day operation of information security program
Accomplish objectives as identified by CISO
Typical qualifications: not uncommon to have accreditation; ability to draft middle and lower level policies, standards and
guidelines; budgeting, project management, and hiring and firing; manage technicians
Employment Policies and Practices
Management community of interest should integrate solid information security concepts into organization’s employment
policies and practices
Organization should make information security a documented part of every employee’s job description
From information security perspective, hiring of employees is a responsibility laden with potential security pitfalls
CISO and information security manager should provide human resources with information security input to personnel
hiring guidelines
Termination
When employee leaves organization, there are a number of security-related issues
Key is protection of all information to which employee had access
Once cleared, the former employee should be escorted from premises
Many organizations use an exit interview to remind former employee of contractual obligations and to obtain feedback
Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting
Before employee is aware, all logical and keycard access is terminated
Employee collects all belongings and surrenders all keys, keycards, and other company property
Employee is then escorted out of the building
Friendly departures include resignation, retirement, promotion, or relocation
Employee may be notified well in advance of departure date
More difficult for security to maintain positive control over employee’s access and information usage
Employee access usually continues with new expiration date
Employees come and go at will, collect their own belongings, and leave on their own
Offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to
organizational stores
Possible that employees foresee departure well in advance and begin collecting organizational information for their future
employment
Only by scrutinizing systems logs after employee has departed can organization determine if there has been a breach of
policy or a loss of information
If information has been copied or stolen, action should be declared an incident and the appropriate policy
followed
Many nongovernment organizations do not need the same type of background checks as the federal government does.
However, having some type of background check should be part of the application process. Minimally, the organization
should verify previous employment and other basic information provided as part of the application. For those in more
sensitive positions, such as administrators and information security professionals, a further check into someone's
background might be a consideration. As long as the checks are disclosed, an organization can request access to credit and
criminal records to verify the applicant's suitability for her position. Organizations can even hire an outside firm that
performs these checks as well as those that examine other public records to determine whether the potential for a
problem or a conflict of interest exists.
Regardless of the checks your organization performs, the policies and guidelines must be disclosed to the applicant and
employee. Although the government has policies for recertification security clearances, if your organization wants to do
the same, that has to be disclosed to the employee. Many aspects of this are covered by federal, state, and local statutes
and civil rights laws and should be cleared with an attorney before implementing.
Employment agreements are used to protect the organization from actions an employee might take. They are a protection from
the insider threat. Agreements can also provide the organization a means by which to discipline employees if an
enforcement action is necessary. By having the employee sign the agreements, the organization has the ability to enforce
the policies behind them by showing that the employee was notified of what was expected from him.
Usually, the AUP is a signed document that acts as an agreement to abide by the information security policies it represents.
It can be given to the new employee, contractor, or vendor with access to the network to ensure he knows his
responsibilities. The purpose is to draw attention to the policy documents without requiring the new user to read them.
The AUP should say that the users will abide by the policies, but the AUP can be seen as a "quick start" document to allow
users to read the full policy later.
Termination
There will come a time when an employee or a contractor is no longer associated with the organization. Regardless of
whether the termination is from voluntary or involuntary means, administrators must have procedures in place to revoke
access to the organization's resources. Keeping a user's identification active might leave the network open for attack, and
just deleting the user's information can destroy potential information assets.
Regardless of the procedures used, they should consider immediate revocation of access to the networks. Additionally,
personnel policies should be adjusted to ensure employees do not have the type of access to the systems, network, and
physical facilities to do damage. Even for contractors whose contracts have expired or been terminated, it might be a good
idea to have a manager or security guard escort the former employee out of the building. During the process, someone
should collect the employee's identification badges, keys, and other access control devices; disconnect his phone; turn off
his email; lock his intranet account; and so on.
As part of the procedures, everyone must work together. If those responsible for terminating network access are not told
that an employee was terminated, the network can be left open to attack by a disgruntled former employee. An improperly
executed procedure makes everyone responsible for an adverse reaction.
Job Descriptions
Job descriptions are usually associated with requisitions and advertisements used to fill jobs within the organization. In the
information security context, job descriptions define the roles and responsibilities for each employee. Within those roles
and responsibilities, procedures are used to set the various access controls to ensure that the user can get access only to
the resources he is allowed to access.
During periodic audits and monitoring, a user who might be accessing information beyond his job description might be an
indication of a problem. For example, a contractor working on the development of the new Web system should not be able
to access accounting data. The danger here is when the job descriptions are not properly maintained. If a job description
is informally changed without changing the official job description, there can be problems trying to enforce policies. It
would help if there were a policy to change job descriptions before changing access control lists.
Job Rotation
Job rotation is the concept of not having one person in one position for a long period of time. The purpose is to prevent a
single individual from having too much control. Allowing someone to have total control over certain assets can result in the
misuse of information, the possible modification of data, and fraud. By enforcing job rotation, one person might not have
the time to build the control that could place information assets at risk.
Another part of job rotation should be to require those working in sensitive areas to take their vacations. By having some
of the employees leave the work place, others can step in and provide another measure of oversight. Some companies,
such as financial organizations, require their employees to take their vacations during the calendar or fiscal year.
Internal Controls and Data Security: How to Develop Controls That Meet Your IT Security Needs
Businesses today are constantly facing new IT risks, and it can be challenging to keep up with the changes in technology
and best practices for protecting your business and the valuable data in your possession. For example, since most workers
have begun to work from home due to the global coronavirus health crisis, organizations have become more vulnerable to
cyber attacks and other types of operational disruptions.
One of the most effective ways to ensure your organization is taking the correct steps to mitigate risks is to develop a set of
internal controls that ensure your processes, policies, and procedures are designed to protect your valuable corporate
assets and keep your company secure and intact. Internal controls help your employees carry out their jobs in a way that
protects your organization, your clients, and your bottom line.
Internal controls are used by management, IT security, financial, accounting, and operational teams to achieve the
following goals:
1. Ensure the reliability and accuracy of financial information – Internal controls ensure that accurate, up to date and
complete information is reflected in accounting systems and financial reports.
For example, the Sarbanes-Oxley Act of 2002 (SOX) requires annual proof that
A business accurately reports their financials
Their procedures effectively prevent fraud, and
They have addressed any uncertainties.
2. Prevent fraudulent business activity – Internal controls create a reliable system for managing business operations and
keeping a check on potential business fraud. Businesses subject to SOX are required to have a process for identifying fraud
that is acceptable to regulators.
3. Safeguard sensitive, confidential and valuable information – Internal controls are designed to protect
information from being lost or stolen and to reduce the costs an organization may incur when it suffers from a
security incident.
4. Ensure compliance – Internal controls help ensure that a business is in compliance with the federal, state and
local laws, industry-specific regulations and voluntary cybersecurity frameworks such as SOC 2 or ISO 27001.
5. Improve the efficiency and effectiveness of business operations – Internal controls help companies reduce
complexity, standardize and consolidate their operational and financial processes and eliminate manual
effort. This often results in more efficient, more consistent, and more effective services and operations.
Having internal controls as a built-in part of your information security programs is the key to ensuring you have effective
programs in place. It’s important that you know how your security compliance program is performing; if there is a cyber
security incident, outside regulators examining your program will quickly be able to tell if your business is making an actual
effort at compliance or if you are simply going through the motions.
Five Kinds of Internal Controls
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides five types of internal control to
help companies develop their own unique and effective internal controls.
Control environment: This comprises the framework and basis of your internal controls program, including the processes
and structures that create the foundation of the internal controls your business carries out. The control environment also
includes:
The integrity and ethical values of your organization
Parameters for how and when the board carries out their responsibilities, and
Incentives and rewards.
Simply put, the control environment is the culture your company creates around internal controls. The executives, upper
management, and team leads must all communicate the importance of internal controls downward and every process
must take place within the parameters of the control environment.
Risk assessment: To build effective internal controls, a business must first understand what risks they are controlling for
and what their business is up against in terms of internal and external risks. A proper risk assessment means identifying
risks in all areas of your business, both inside your organization and outside, and then identifying ways to mitigate those
risks or bring them down to an acceptable level.
Below are some questions to consider to make sure your risk assessment is comprehensive:
Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
How are risk tolerance levels defined?
Are key stakeholders involved in setting risk tolerance levels?
How effectively does the design of the control mitigate the risk?
For more details on how to conduct a thorough security risk assessment, check out this blog post Conducting an
Information Security Risk Assessment: a Primer
Control activities: Control activities are where the rubber meets the road. They are how your risk management strategies
are actually carried out in the policies and procedures that govern the day-to-day activities of your employees. These
activities are embedded throughout your entire company, and they are designed to identify, monitor, and, ultimately,
prevent risks from manifesting.
Information and communication: In many ways, communication is the most important part of the internal
controls your organization puts in place. If an internal control shows that a process isn’t working, and that isn’t
communicated upwards to those who can fix it, what’s the point of having the internal control in the first place?
How will your organization benefit from the internal control if a manager doesn’t have a channel for
communicating with control owners and policymakers within the company?
There must be an open channel of communication regarding internal controls, and robust reporting and
information gathering are key to reaping the benefits of all the work and time that go into internal controls.
Yet, too often, compliance teams don’t have a comprehensive view into all risk areas and internal controls
within their organization. Without such information, compliance teams are unable to see the gaps in their
control environment and miss the opportunity to make timely adjustments to shore up controls and mitigate
risks.
Monitoring: To gauge the effectiveness of your internal controls, and to ensure you’re addressing any gaps in
the controls you’ve developed, you need to continuously monitor your controls and conduct tests to make sure
your processes are working as designed. Ideally, these tests are automated, not manual. This reduces the
chance of human error that can leave your assets vulnerable. For example, forgetting to revoke access privileges
to critical systems when an employee quits will leave your organization open to threats. But it’s easy to forget
to remove a departing employee's access to certain systems if it is a manual process. Automating this process
removes that risk from the equation.
Additionally, having open communication and a dedicated channel for people who have concerns or have
experienced issues is an important practice to ensure the continued success of your internal controls.
Further, conducting internal controls audits will also give you insight into how your internal controls are
performing.
Conducting an internal control audit: An internal controls audit simply tests the effectiveness of your internal
controls. When it comes to financial internal controls, the Sarbanes-Oxley Act made businesses legally
responsible for ensuring their financial statements are accurate, and the Public Company Accounting Oversight
Board developed the standard used to evaluate internal controls, its Auditing Standard No. 5.
Financial internal controls audits are performed by CPAs and require an organization to provide proof of the
process your organization uses to evaluate your controls and financial statements. This can require a lot of
documentation, but if your organization has been monitoring your internal controls and creating regular and
thorough reports, and consolidating all of that information in one place, producing it should be relatively
simple.
Security controls are safeguards designed to avoid, detect, or minimize security risks to physical property, digital
information (e.g. sensitive customer data or a company’s IP), computer systems, mobile devices, servers and other assets.
Security controls could fall into one of the following categories:
Physical controls: doors, locks, security cameras
Procedure controls: incident response processes, management oversight, security awareness and training,
background checks for personnel who handle critical systems
Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls
Legal and regulatory controls: policies, standards, etc.
Security controls can also be classified according to the time that they act, relative to a security incident:
Before the event: preventative controls are intended to stop an incident from occurring, e.g. by locking out
unauthorized users
During the event: detective controls are intended to identify and characterize an incident in progress, e.g. by
sounding the intruder alarm and alerting the appropriate personnel such as system administrators, security guards or
police
After the event: corrective controls are intended to limit the extent of damage caused by an incident, e.g. restoring a
system to normal working status as fast as possible
As we mentioned earlier, internal controls need to be tailored to the specific risks you want to mitigate. Having said that,
here are the key considerations for creating effective controls for protecting your data assets and information systems:
Understand what your risks are: Before you can take steps to protect your electronic assets, you need to understand what
you’re protecting them against and how to effectively guard them. Performing an information security risk assessment will
give you a detailed look at your risks and help you decide how to best mitigate them.
Take both physical and electronic threats into consideration: When it comes to information security, it’s not just about
who has electronic access to data or email policies. In the course of their jobs, many employees come into contact with
hard copies of sensitive information or have access to places where assets are stored, and your business needs to have
policies and controls that protect physical assets as well as guarding against electronic threats.
Work on your compliance processes: Going through a thorough compliance process will give you the opportunity to
uncover gaps in your security program. When we talk about a compliance process, we are really talking about identifying a
cybersecurity framework (e.g., SOC 2, NIST 800-53, ISO 27001) you want to implement, understanding the requirements
and controls outlined in the framework, taking inventory of your own internal controls and security measures to
understand the gaps in your program, and then putting measures in place to fix or refine deficient controls and processes.
When you decide to become compliant with a cybersecurity framework, you will go through a process that forces you to
inventory your strengths and weaknesses. You will educate yourself on modern security best practices, and the exercise
can serve as a springboard to put in place or refine deficient controls and processes.
Have a data breach response policy in place: Even if you’ve implemented strong security controls and have regular
security training with employees, you won’t be able to completely avoid the possibility of a data breach. The best way to
handle a data breach correctly is to plan your response ahead of time and test early and often. A tried and tested plan set
up before an incident ensures you won’t forget important actions when a crisis strikes.
As soon as change happens within your environment, you will need to re-evaluate your internal controls. When your
organization rolls out a new process, technology or operating procedures (e.g. allowing employees to work from home due
to COVID-19 on their own personal laptops), you’ll need to assess whether the inherent risk that your business faces has
increased and update your internal controls accordingly.
To mitigate risk effectively on an ongoing basis, you need to build a sustainable compliance program, one that can monitor
new risks effectively, test and document controls as necessary, and guide remediation efforts.
Hyperproof is built to help security assurance professionals efficiently scale up multiple security and privacy programs and
get through all the important tasks required to maintain a strong security program. These tasks include identifying risks,
creating internal controls to address specific risks, mapping controls to evidence requests from auditors and following
schedules to review controls, gather evidence and remind people to complete tasks on time.
Hyperproof also has pre-built frameworks for the most common information security compliance standards like SOC 2, ISO
27001 and NIST SP 800-53 so you can easily see what you need to do to maintain good cyber hygiene and safeguard your
data.
In any installation that we need to protect, we can never forget the importance of carrying out
security system maintenance. In this post we will explain what maintenance of a security system
consists of. We will describe the different types of maintenance that exist – corrective
maintenance and preventive maintenance – and the differences between them.
The maintenance of the security system involves periodic checks of all the elements that make up the
installation (cameras, detectors, computers, circuits, lighting systems, etc.) to verify that they work
well. This would be preventive maintenance. Next, systems that are not functioning properly would
be corrected or repaired (corrective maintenance).
Maintenance Plan
Any place that has a security system connected to an alarm receiver or with its own control center
must have a written document that establishes the review deadlines and the scope of periodic
reviews. This preventive maintenance plan must be known to the organization, especially those
responsible for security, and it must make it possible to know at all times which elements were reviewed in each
inspection and what the results were, as well as the corrective measures that were adopted.
The list of items to be checked in preventive maintenance is detailed in Order INT/316/2011, of February 1, on the
operation of alarm systems in the field of private security. The record of each review should also include a field of
observations with the results obtained, as well as the date and signature of those responsible for the maintenance plan.
If we prevent possible failures of the security system, we are anticipating unwanted situations that may have serious
consequences. For example, if one of the cameras or detectors of the security perimeter does not work, we have an important gap
that can be used by intruders to enter our facilities without our knowledge.
Maintenance of computer systems
In any productive system we have in our company, computer equipment plays an important role. The equipment is
controlled by computers and software. This also applies to security systems. We have to know at all times that the
computer equipment works correctly. And we must make the necessary backups following a strict schedule, to prevent
the possible loss of information such as video recordings (which expire after a maximum of 30 days), logs of detected alerts,
records of security system failures, etc.
You must also have a good antivirus and antimalware system. A malfunction of computer equipment caused by a virus or
malware infection can itself be a breach of our security system. An attack on our facilities can start physically,
but also through a computer intrusion.
A computer attack can cause parts of the security system to stop working, but it can also be used to erase or steal vital
information.
Corrective maintenance of the security system
Corrective maintenance is aimed at repairing or replacing security system elements that are not working properly. It is a
reactive approach: something does not work and is repaired or replaced until it works well. Only what is broken is repaired.
Until that moment nothing is done. It is an unexpected cost for the company and is not done in a planned way. The failure is
simply corrected when it occurs.
Review of computer servers and video storage systems, as well as the control and monitoring center. This is the central part of
our security system. There can be no failure to record images, because they are potential evidence and they help us analyze possible
failures in security systems. Nor can there be communication failures between security elements (cameras, detectors, etc.) and
the control center.
The maintenance of the security system is as important as its engineering and installation phase. These are complex systems with
different technological equipment that have to be 100% operational if we want them to fulfill their function. We have to be demanding
with the company that designs and installs our security system, but also with the one that deals with its maintenance. Only then can we
guarantee the security of our facilities.
Security Management Models in Information Technology
In many organizations, security efforts are focused exclusively on deploying technologies, implementing “best
practices,” or responding to a continuous stream of alerts and issues. The result is a reactive security
organization busy with activity and unable to answer the question, “Are we becoming more secure?” This
creates distrust between business leaders and the security organization. Security efforts are seen as
expensive—doing more to slow rather than secure the business.
A more strategic approach is necessary—acknowledging the reality that security needs will always exceed
security capacity, optimizing security resource allocations, and demonstrating progress toward a more secure
organization. This requires the security organization to transition from security operators to security leaders by:
Changing focus from information security and physical security controls to security risks. Risk is the basis for all
security decision-making and performance management
Transitioning ownership of security risks. The security organization does not own security risk decisions—the
business does
Providing security leadership. Establish priorities, expectations, and oversight of risks and efforts to address them
Security Organization Priorities
The security organization’s priority is to identify risks, recommend responses to these risks, facilitate the appropriate
tradeoff decisions related to these risks, and provide a line of sight to the execution and performance of these risk
responses.
A security operating model enables this approach. It governs and oversees security for the entire organization, where the
business is not only a recipient of the security services but is also instrumental in the collaboration, implementation, and
sustainability of security efforts. The operating model utilizes a risk-based approach to identify and prioritize risk mitigation
efforts to secure the enterprise’s mission. The core of a security operating model is a collaborative, continuous
improvement process designed to sustain the controls that secure the enterprise.
A comprehensive security operating model includes the following components:
The enterprise security governance model ensures collaboration with the business. An executive committee with a
CSO/CISO and senior leadership from across the organization balances the organization’s security risks with the overall
costs. Through the operating model, the security leadership provides a clear vision of desired security capabilities and
corresponding people, process, and technology enablers.
Control Framework
A security policy based on an industry-accepted controls framework provides the structure and guidance to apply best
practices and target gaps in potential security coverage. This ensures the enterprise is thinking holistically about its security
performance. The controls framework cascades throughout the enterprise to ensure alignment across assets and operating
areas. Alignment and collaboration are the keys to providing continuous and efficient operations.
Utilizing an industry-accepted framework ensures alignment with industry expectations and provides a method for
regular capability assessment to track and measure progress.
Functional management provides the accountability model necessary to drive security performance.
Metrics are designed from the top down and developed to support organizational goals and objectives
Metrics must provide for greater visibility and transparency into goal attainment instead of meaningless “stick
counts”
Security goals must be specific, limited, meaningful, and have context
Performance Metrics/Goals – Developing, implementing, and monitoring a comprehensive set of core function
performance metrics will set expectations and identify gaps or adverse trends
Self-Assessments – Self-assessments answer the question, “How are we doing?” Self-assessments evaluate core function
performance in each area by determining current performance, identifying gaps between current and desired
performance, and defining strengths and deficiencies. A self-assessment plan is developed and reviewed at the beginning
of each year
Management Review Meetings – Review meetings ensure leadership is effectively informed and engaged in driving their
respective areas’ performance. These meetings are regularly scheduled to provide management oversight of organizational
performance, identify learning opportunities, and support continuous improvement. These should include security
stakeholders from throughout the enterprise
Corrective Action Program – CAP is a standard approach for issue resolution that provides a formal list of risk-based
prioritized issues, a consistent process to investigate and resolve issues, and a mechanism to track all corrective actions
Peer Groups – Peer groups communicate frequently and meet regularly to collectively analyze/monitor core function
performance metrics, identify gaps, and drive continuous improvement and core function oversight and support
Conclusion
This security operating model defines the organization’s agreed-upon approach for responding to security risks and
establishes expectations for who is responsible for what. This becomes the baseline against which security performance is
monitored.
Organizations too often go directly from strategies, concepts, and objectives to projects, technologies, and procedures,
but do not achieve their desired results and struggle to explain why they are doing what they are doing.
The security operating model operationalizes your security strategy—translating broad visions of enterprise security into a
set of practical and realistic plans and actions. Security leaders can provide a clear picture of desired security capabilities
and corresponding people/process/technology enablers through the operating model.
A security operating model balances risks to the organization within industry expectations and drives decisions about
where to invest security resources.
No two operating models are the same, and each organization faces its own unique set of challenges.
Keep in mind, the success of any operating model relies on the following:
It is aligned with the organization’s security stakeholders
It is grounded in securing high-risk areas, using the most effective method of mitigating risk tailored to the
organization’s risk tolerance
It provides oversight that paints an objective picture of the organization’s security risk posture
Ultimately, security leaders should operate as a conductor in an orchestra, leading multiple instruments in unison around a
common piece of music (i.e., the operating model). A deliberate effort must be made to blend their melodies and
harmonies to orchestrate the symphony that is successfully securing the enterprise’s mission.
Security professionals seeking to enhance trust with business leaders and demonstrate progress toward a more secure
organization with a strategic, rather than reactive, approach to reach security goals should adopt this proven security
operating model.
What is digital forensics in information security?
Digital forensics is the overall science of recovery and investigation of material found on all types of digital devices.
Computer forensics is a branch of digital forensics that focuses on evidence found on computers and digital storage media
such as hard drives or USB drives. Typically these branches are used during investigations that involve cybercrime or regular
crimes that have evidence stored on some type of device. With the increased popularity of laptops, smartphones,
embedded systems and other internet of things devices, almost all crime involves some type of computer system.
Therefore, being able to extract evidence from computers while following all of the required procedures that make that
evidence admissible in court is a very unique and important skillset for law enforcement, military and private
investigations.
Types of Digital Forensics
Disk Forensics
This area focuses on extracting data from storage media such as hard drives by searching for active, modified or deleted
files. For example, this would recover deleted files that could be used as evidence or prove that a file was created and
modified at a certain time.
Network Forensics
This is related to monitoring and analyzing traffic between different computers on a network. You can think of it as
eavesdropping on a conversation: the goal is to collect the information being transmitted and use it as evidence.
Memory Forensics
This niche focuses on recovering data from system memory (system registers, RAM or cache). This is important because
many times data or malware is only found in memory and never saved to the hard drive (disk), so it’s important to be able
to extract this information directly from memory.
Automotive Forensics
This branch focuses on the recovery of digital evidence or data stored in automotive modules, networks and messages sent
to automotive systems. This can include things like GPS locations, paired devices, user addresses, etc. As cars become more
advanced, integrate with more devices like people’s smartphones and become more autonomous, this area could become
much more popular.
Database forensics
This branch studies and examines databases and their related metadata. This would involve trying to prove when records
were created, and who accessed the information and when.
Secondly, it can be used in corporate/private investigations. This can be investigating employee misconduct. For example, if
an employee is suspected of stealing intellectual property from the company, digital forensics may be used to see if that
employee accessed the file, downloaded it, emailed it or put it on a USB drive.
Thirdly, it is used following a cyberattack. When a company is hacked, digital forensics is important to uncover exactly how
the hack happened, what the hacker did on the systems and confirming that the hacker’s access has been removed once all
of the security work has been completed.