
Unit -5

How to Implement an Information Security Program in 9 Steps


A solid information security program is an essential component of running a business in the digital age—a time when the
number of data breaches and security incidents is increasing exponentially. Without a security program, you leave your
company, customers, and data at risk. Let’s explore the components of an information security program, and walk through
a step-by-step guide on how you can implement one at your organization.

What is an Information Security Program?


Think about your organization’s information security culture, policies, procedures, standards, and guidelines. Together,
these elements create a security program by outlining how your organization plans for and acts when it comes to security
management. 
The purpose of the program is to make certain the data and information you’re responsible for is safe. By safe, we mean
your organization ensures three vital principles: confidentiality (secured from unauthorized access), integrity (accurate and
free from tampering), and availability (accessible in a timely manner) of its data. 
Information security programs need to:
• Establish a benchmark for security;
• Measure against that benchmark;
• Enable informed decision making; and,
• Support the execution of decisions.

9 Steps on Implementing an Information Security Program


BARR Advisory’s experienced team has outlined the following nine steps you can take to establish a working, future-ready
information security program:

Step 1: Build an Information Security Team


Before you begin this journey, the first step in information security is to decide who needs a seat at the table. One side of
the table holds the executive team, made up of senior-level associates responsible for crafting the mission and goals of the
security program, setting security policies, risk limitations, and more. On the other side of the table sits the group of
individuals responsible for daily security operations. As a whole, this group designs and builds the framework of the
security program.

Step 2: Inventory and Manage Assets


The security team’s first job is to understand which assets exist and where they are located, and to ensure those assets are
tracked and secured properly. In other words, it’s time to conduct an inventory of everything that could contain
sensitive data, from hardware and devices to applications (both internally and third-party developed) to databases, shared
folders, and more. Once you have your list, assign each asset an owner, then categorize the assets by importance and by the
value at stake for your organization should a breach occur.

Step 3: Assess Risk

To assess risk, you need to think about threats and vulnerabilities. Start by making a list of any potential threats to your
organization’s assets, then score these threats based on their likelihood and impact. From there, think about what
vulnerabilities exist within your organization, categorize and rank them based on potential impact. These vulnerabilities can
consist of people (employees, clients, third parties), processes or lack thereof, and technologies in place. 
Look at the two lists you’ve created and find where threats and vulnerabilities may intersect, showing you where your
greatest levels of risk exist. A high-impact threat with high vulnerability becomes a high risk.

Step 4: Manage Risk


Now that you have your risks ranked, decide whether you want to reduce, transfer, accept, or ignore each risk.
• Reduce the risk: Identify and apply fixes to counter the risk (e.g., setting up a firewall, establishing local and
backup locations, purchasing water leak detection systems for a data center).
• Transfer the risk: Purchase insurance for assets or bring on a third party to take on that risk.
• Accept the risk: If the cost to apply a countermeasure outweighs the value of the loss, you can choose to do
nothing to mitigate that risk.
• Avoid the risk: This happens when you deny the existence or potential impact of a risk, which is not
recommended as it can lead to irreversible consequences.
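As an added worked example (not from BARR Advisory’s article), here is the Step 3 scoring and the Step 4 decision carried through in Go: each threat is scored 1 to 5 for likelihood and impact, each vulnerability is scored 1 to 5 for exposure and linked to the threats it intersects with, and the product of the three ranks the intersections so the high-impact, high-vulnerability pairs surface first. The score bands that map to reduce, transfer and accept, and the sample threats and vulnerabilities in the register, are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Threat is one entry on the Step 3 threat list, scored 1 (low) to 5 (high).
type Threat struct {
	Name       string
	Likelihood int
	Impact     int
}

// Vulnerability is one weakness (people, process or technology), scored 1-5
// for how exposed it leaves the organization. Threats names the threats this
// weakness intersects with, which is the "find where they intersect" step.
type Vulnerability struct {
	Name     string
	Exposure int
	Threats  []string
}

// Risk is one threat/vulnerability intersection with its score and the
// Step 4 treatment decision.
type Risk struct {
	Threat        string
	Vulnerability string
	Score         int // likelihood * impact * exposure, range 1..125
	Treatment     string
}

// treatmentFor maps a score to a Step 4 option. These bands are an
// assumption for the example; a real program sets them in its risk policy.
func treatmentFor(score int) string {
	switch {
	case score >= 60:
		return "reduce" // apply countermeasures
	case score >= 30:
		return "transfer" // insurance or a third party
	default:
		return "accept" // cost of a control exceeds the expected loss
	}
}

// RankRisks intersects the two lists and returns risks from highest to
// lowest score. A vulnerability naming an unknown threat is skipped.
func RankRisks(threats []Threat, vulns []Vulnerability) []Risk {
	byName := make(map[string]Threat, len(threats))
	for _, t := range threats {
		byName[t.Name] = t
	}
	var risks []Risk
	for _, v := range vulns {
		for _, tn := range v.Threats {
			t, ok := byName[tn]
			if !ok {
				continue
			}
			score := t.Likelihood * t.Impact * v.Exposure
			risks = append(risks, Risk{t.Name, v.Name, score, treatmentFor(score)})
		}
	}
	sort.SliceStable(risks, func(i, j int) bool { return risks[i].Score > risks[j].Score })
	return risks
}

// SampleRegister is a constructed register; the values are illustrative only.
func SampleRegister() []Risk {
	threats := []Threat{
		{"phishing", 5, 4},
		{"water leak in data center", 1, 5},
		{"lost laptop", 3, 3},
	}
	vulns := []Vulnerability{
		{"no MFA on email", 4, []string{"phishing"}},
		{"no leak detection", 3, []string{"water leak in data center"}},
		{"laptops unencrypted", 5, []string{"lost laptop"}},
		{"no security training", 3, []string{"phishing", "lost laptop"}},
	}
	return RankRisks(threats, vulns)
}

func main() {
	for _, r := range SampleRegister() {
		fmt.Printf("%-26s x %-22s score=%3d -> %s\n", r.Threat, r.Vulnerability, r.Score, r.Treatment)
	}
}
```

The multiplicative score is one common choice; an additive or matrix lookup works the same way as long as the ranking is applied consistently across the register.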

Step 5: Develop an Incident Management and Disaster Recovery Plan


Without an Incident Management and Disaster Recovery Plan, you put your organization at risk should any security
incident or natural disaster occur. This includes things like power outages, IT system crashes, hacking, supply chain
problems, and even pandemics like COVID-19. A good plan identifies common incidents and outlines what needs to be
done—and by whom—in order to recover data and IT systems.

Step 6: Inventory and Manage Third Parties


Make a list of vendors, suppliers, and other third parties who have access to your organization’s data or systems, then
prioritize your list based on the sensitivity of the data. Once identified, find out what security measures high-risk third
parties have in place or mandate necessary controls. Be sure to consistently monitor and maintain an updated list of all
third-party vendors.

Step 7: Apply Security Controls


You’ve been busy identifying risks and deciding on how you’ll handle each one. For the risks you want to act on, it’s time to
implement controls. These controls will mitigate or eliminate risks. They can be technical (e.g., encryption, intrusion
detection software, antivirus, firewalls), or non-technical (e.g., policies, procedures, physical security, and personnel). One
non-technical control you’ll implement is a Security Policy, which serves as the umbrella over a number of other policies
such as a Backup Policy, Password Policy, Access Control Policy, and more. 

Step 8: Establish Security Awareness Training


Conduct frequent security awareness trainings to share your information security plan and how each employee plays a role
in it. After all, new security measures and policies do nothing if employees working with the data are not educated on how
to minimize risk. Any time an element of your security program changes, your employees need to be aware. And be sure to
document and retain evidence of trainings for future auditing purposes. 

Step 9: Audit, audit, audit


The best way to determine the effectiveness of your information security program is to hire a third-party auditor to offer
an unbiased assessment on security gaps. In some cases, this is mandatory to confirm compliance. Third-party assessors
can also perform vulnerability assessments, which include penetration tests to identify weaknesses in your organization’s
networks, systems, and applications, along with audits against criteria such as ISO 27001, PCI DSS, FedRAMP, and HITRUST;
as well as SOC 2® reports using the AICPA Trust Service Principles. Your company can also conduct internal audits to assess
controls, policies, procedures, risk management, and more. 

Why Should I Use Security Features in Project Management Software?


The level of security built into your project management software dictates how safe your project will be. This encompasses
the integrity and confidentiality of your data, as well as the security of the infrastructure and the stability of your network.
Too little security can open you up to hackers and scammers. But too much security can restrict your team from accessing
the information they need. In this Professional Services Survey Report, 60% of leaders agreed that data security concerns
keep their teams from being flexible and building better customer relationships.
Striking the right balance can be challenging, especially with the rising concerns around cybersecurity. According
to Verizon’s 2020 Data Breach Investigation Report, in 2020, there were 3,950 data breaches and 157,525 cybersecurity
incidents reported in 81 countries. These numbers are only expected to rise as time goes on.
These concerns make it critical that you select the appropriate project management software security.

Key features of project management software security


The best project management software includes security features that protect your data's safety and integrity without
making it onerous for approved users to gain access. The security settings should be flexible and customizable enough that
you can align them with your company’s security procedures, processes, and protocols, but robust enough to address
industry-recognized threats to your data.
There are five areas of security that you should assess when selecting project management software:
• Physical security
• Network & system security
• Application security
• Privacy
• Compliance

Physical security
Physical storage security encompasses where and how your data is stored. Different states and countries have very specific
data security compliance laws. If you’re operating in a different location than where your data is stored, the security laws
where you store your data might not align with your needs or legal commitments to your customers.
It’s important to ask where the project management software company stores its data and ensure the security standards at
the storage facility are up to date and independently validated. You should also ask about the physical protection of the
storage facilities. For instance, do they have 24/7 staffed security, power backup systems, physical access controls, smoke
and fire alarms, and digital surveillance systems?
Another aspect of physical security is how often your data is backed up. If a server crashes or a breach occurs, you want to
know your data won’t be lost.
Look for a project management software vendor that provides near real-time replication. This feature will ensure your data
is backed up and available on secure and geographically dispersed servers. A full backup should be performed daily, and
the data should be stored encrypted in an environment physically separate from the primary servers to ensure fault
tolerance.

Network & system security


Network protection procedures — such as network segregation using VLANs, firewalls, router technologies, intrusion
detection and prevention systems, centralized log aggregation, and alert mechanisms — should be standard for your software
provider. All these systems should be overseen by dedicated and experienced security teams.
You also want a project management software provider that ensures secure connectivity, including secure channels and
multi-factor authentication schemes for systems operations personnel. These precautions allow your provider to
prevent, detect, and promptly remediate the impact of some network attacks if they do occur.
Look for software that has a documented process of regular updates and patch management. You should also ask how
frequently the vendor performs internal network security audits to easily spot and fix dangers. When it comes to data
security, a quick and proven response is the difference between danger and disaster.
Uptime is the time during which a computer is operational, meaning that no key functions are unavailable, and it’s one of
many useful ways to assess a provider’s infrastructure security. High uptime means a company is stable, secure, and
experienced in the delivery of customer-facing services. Ask what the vendor’s uptime is to determine their security
reliability, and look for one with a historically proven record of 99.9% uptime or higher.

Application security

Application security encompasses all the features within the application that help ensure your project data stays safe.
These features fall into five categories:
• User authentication
• Data sharing & role-based access control
• Monitoring user activities
• Project management software data encryption
• Mobile applications

User authentication

Your chosen project management software should support multiple methods of federated authentication, including Google
OpenID, Azure, Office 365, ADFS, SSO, and SAML2. This process enables employees to securely access your software
without using a second, separate login and password.
Other authentication features to look for are customizable password security settings and 2-step verification.
Within the password settings of your project management software, you should be able to customize the following:
• Password strength settings, such as minimum password length, not allowing passwords to include the user’s first or last
name, the number and type of characters used, etc.
• Password expiration settings dictating how often users need to change their password.
• Password history settings specifying how often a user can reuse the same password after they’ve made a change.
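As an added example (not code from the article or from any particular product), the three password settings above written as a policy check in Go: strength (minimum length, required character classes, no first or last name), expiration, and history. The struct fields and the constructed account in main are assumptions; a real system compares hashed history entries rather than plaintext.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// PasswordPolicy holds the settings the article lists as customizable.
// The field names and the values used below are assumptions for this example.
type PasswordPolicy struct {
	MinLength      int
	RequireClasses int           // of upper, lower, digit, symbol
	MaxAge         time.Duration // expiration setting
	HistoryDepth   int           // previous passwords that may not be reused
}

// Account is what a proposed password is checked against. History is kept in
// plaintext only to keep the example short; a real system compares hashes.
type Account struct {
	FirstName, LastName string
	History             []string // most recent first
	LastSet             time.Time
}

// CheckPassword returns every policy violation for a proposed password;
// an empty result means the password is acceptable.
func (p PasswordPolicy) CheckPassword(a Account, pw string) []string {
	var v []string
	if len(pw) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	lower := strings.ToLower(pw)
	for _, name := range []string{a.FirstName, a.LastName} {
		if name != "" && strings.Contains(lower, strings.ToLower(name)) {
			v = append(v, "contains the user's first or last name")
			break
		}
	}
	// Count distinct character classes present.
	seen := map[string]bool{}
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		default:
			seen["symbol"] = true
		}
	}
	if len(seen) < p.RequireClasses {
		v = append(v, fmt.Sprintf("uses fewer than %d character classes", p.RequireClasses))
	}
	// History: only the most recent HistoryDepth entries are off limits.
	for i, old := range a.History {
		if i >= p.HistoryDepth {
			break
		}
		if old == pw {
			v = append(v, fmt.Sprintf("reused within the last %d passwords", p.HistoryDepth))
			break
		}
	}
	return v
}

// Expired reports whether the account's current password is older than MaxAge.
func (p PasswordPolicy) Expired(a Account, now time.Time) bool {
	return now.Sub(a.LastSet) > p.MaxAge
}

func main() {
	policy := PasswordPolicy{MinLength: 12, RequireClasses: 3, MaxAge: 90 * 24 * time.Hour, HistoryDepth: 5}
	// Constructed sample account.
	acct := Account{FirstName: "Alice", LastName: "Smith", History: []string{"Winter2023!xyz"},
		LastSet: time.Now().Add(-100 * 24 * time.Hour)}
	for _, pw := range []string{"alicesmith1", "Winter2023!xyz", "Tr0ub4dor&Horse"} {
		fmt.Printf("%-16s -> %v\n", pw, policy.CheckPassword(acct, pw))
	}
	fmt.Println("expired:", policy.Expired(acct, time.Now()))
}
```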

2-step verification (also called two-factor authentication or 2FA) provides an additional layer of security to the sign-in
process. In addition to a username and password, you have to enter a time-sensitive verification code to gain access.
If some of your team members are using applications that do not natively support 2-step verification, make sure your
software supports using one-time passwords instead. Otherwise, those users will find themselves locked out.
Your project management software should also allow you to use network access policy settings to add approved IP
addresses and IP subnets for additional application security. With this feature enabled, users can only log in and access
your software from those locations. If you have remote users, make sure you select a tool that allows for mobile users and
other collaborators to log in and access from any IP address.
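An added example in Go of the approved-address check described above (not the article’s or any vendor’s code): allowlist entries may be single addresses or CIDR subnets, IPv4 or IPv6; an entry that does not parse is rejected when the policy is loaded rather than silently ignored; unparseable client addresses are denied; and a flag models the option of letting mobile users in from any address. The type and field names are assumptions, and the sample addresses are from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// NetworkAccessPolicy is the approved list of IP addresses and subnets.
// AllowMobileAnywhere models the "mobile users may log in from any IP"
// option; the name is an assumption for this example.
type NetworkAccessPolicy struct {
	allowed             []*net.IPNet
	AllowMobileAnywhere bool
}

// NewNetworkAccessPolicy accepts single addresses ("198.51.100.7") or CIDR
// subnets ("203.0.113.0/24") and fails on anything it cannot parse, so a
// typo cannot quietly widen or shrink the allowlist.
func NewNetworkAccessPolicy(entries []string, mobileAnywhere bool) (*NetworkAccessPolicy, error) {
	p := &NetworkAccessPolicy{AllowMobileAnywhere: mobileAnywhere}
	for _, e := range entries {
		if ip := net.ParseIP(e); ip != nil { // bare address: treat as a single-host subnet
			if ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, fmt.Errorf("invalid allowlist entry %q: %w", e, err)
		}
		p.allowed = append(p.allowed, n)
	}
	return p, nil
}

// Permits decides whether a login from addr may proceed. Addresses that do
// not parse are denied (fail closed).
func (p *NetworkAccessPolicy) Permits(addr string, mobile bool) bool {
	if mobile && p.AllowMobileAnywhere {
		return true
	}
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, n := range p.allowed {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: an office subnet, a fixed VPN egress address, an IPv6 block.
	policy, err := NewNetworkAccessPolicy([]string{"203.0.113.0/24", "198.51.100.7", "2001:db8::/32"}, true)
	if err != nil {
		panic(err)
	}
	cases := []struct {
		addr   string
		mobile bool
	}{{"203.0.113.42", false}, {"198.51.100.7", false}, {"192.0.2.1", false}, {"192.0.2.1", true}, {"2001:db8:1::7", false}}
	for _, c := range cases {
		fmt.Printf("%-15s mobile=%-5v -> %v\n", c.addr, c.mobile, policy.Permits(c.addr, c.mobile))
	}
}
```

When the mobile exemption is switched on, the allowlist no longer bounds where a session can originate from, so it should be paired with 2-step verification as the article recommends for remote users.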

Data sharing & role-based access control


Data sharing and role-based access specify who can access what data within project management software. A project
administrator should be able to assign different roles and permission levels to each user to control what they can read and
edit.
These features allow you to set up selective sharing within the software. This ability ensures that sensitive information is
only accessible by those who need it and not everyone who has software access.
With discrete role-based permissions, you can segment project data and manage who sees what within the software. Plus,
you can control how people interact with a project. For instance, team members can be granted full editing powers, only
be able to change certain things like titles, or be allowed to view but not edit.
You can also offer guest reviewer capabilities that allow external stakeholders to provide feedback and approvals. The
benefit of this is that feedback on client submissions can be provided directly on the document, while you maintain control
of third-party visibility and permissions.
Another data sharing security feature is invitation settings. Invitation settings allow you to control who can invite new users
to use your software. You can also limit who can be sent an invite. For instance, you can require that invitees have a
specific email domain. Plus, you can determine what type of licenses users can grant when they invite someone.

Monitoring user activities and reporting


Even with user authentication and restricted data sharing, it’s important that you can monitor what is occurring within the
software regularly. Look for project management software that provides full reporting functions with up-to-date account
activity information, including authentication events, changes in authorization and access controls, shared folders and
tasks, and other security activities.
Access reports enable you to see which users have access to folders, projects, and tasks. They can also show you any tasks
with attachments that external guest users have been invited to review.

Data encryption

Your project management software should use a minimum encryption of transport layer security (TLS) 1.2 with a preferred
AES 256-bit algorithm in CBC mode and 2048-bit server key length with industry-leading modern browsers.
While this sounds complex, all it means is when you access your software via a web browser, mobile applications, email
add-in, or browser extension, the TLS technology protects your information using server authentication and data
encryption.
This level of encryption security is equivalent to network security methods used in banking and leading e-commerce sites.
All users’ passwords, cookies, and sensitive information are reliably protected from electronic eavesdropping.
User files uploaded to servers via both web application and API are automatically encrypted with AES 256 using per-file
keys. The encryption keys should be stored by the vendor in a secure key vault, a separate database decoupled from the
file storage layer.
With this encryption, even if someone were to gain physical access to the file storage, your data would be impossible to
read.
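The per-file key design above, as an added example in Go (not the vendor’s or the article’s code): every upload gets its own random 256-bit key, the ciphertext goes to one store and the key to a separate one, and decryption needs both. It uses AES-256-GCM, an authenticated mode, rather than the CBC mode the article names for its TLS recommendation; the in-memory maps standing in for the file store and the key vault, and the Upload/Download/Revoke names, are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// FileStore stands in for the file storage layer. It holds nonce||ciphertext
// per file ID and never sees a key.
type FileStore struct{ blobs map[string][]byte }

// KeyVault stands in for the separate key database. In production this would
// be a managed KMS or HSM with the per-file keys wrapped by a master key; the
// plain map is an assumption to keep the example self-contained.
type KeyVault struct{ keys map[string][]byte }

func NewFileStore() *FileStore { return &FileStore{blobs: map[string][]byte{}} }
func NewKeyVault() *KeyVault   { return &KeyVault{keys: map[string][]byte{}} }

// aeadFor builds an AES-256-GCM instance for a 32-byte key.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Upload generates a fresh random 256-bit key for this file, encrypts the
// contents, and writes the blob and the key to their separate stores.
func Upload(fs *FileStore, kv *KeyVault, fileID string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The file ID is authenticated as associated data, so a blob copied onto
	// another file ID fails to decrypt instead of being silently served.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(fileID))
	fs.blobs[fileID] = append(nonce, ct...)
	kv.keys[fileID] = key
	return nil
}

// Download needs both layers: the blob from storage and the key from the
// vault. Storage on its own yields nothing readable.
func Download(fs *FileStore, kv *KeyVault, fileID string) ([]byte, error) {
	blob, ok := fs.blobs[fileID]
	if !ok {
		return nil, errors.New("no such file")
	}
	key, ok := kv.keys[fileID]
	if !ok {
		return nil, errors.New("no key in vault for file")
	}
	gcm, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(fileID))
}

// Revoke deletes a file's key. The ciphertext stays in storage but is now
// unrecoverable, which is how key separation also enables crypto-shredding.
func Revoke(kv *KeyVault, fileID string) { delete(kv.keys, fileID) }

func main() {
	fs, kv := NewFileStore(), NewKeyVault()
	if err := Upload(fs, kv, "doc-1", []byte("Q3 roadmap (constructed sample)")); err != nil {
		panic(err)
	}
	pt, err := Download(fs, kv, "doc-1")
	fmt.Printf("with vault:   %q err=%v\n", pt, err)
	_, err = Download(fs, NewKeyVault(), "doc-1") // storage exposed, vault not
	fmt.Println("storage only:", err)
}
```

The separation only buys something if the two stores have different access paths and credentials; a vault that the file-storage service account can read collapses back into one layer.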

Mobile applications

It’s important to have mobile access to your project management software so that your team can access it no matter
where they are. However, mobile apps come with their own security concerns.
Any mobile apps should have all the security functionality built into your project management software, such as password
and data sharing restrictions. Plus, mobile apps need additional security features such as encryption at rest, certificate
pinning, checking against rooted/jailbroken devices, and application-level protections using a PIN code or fingerprint.

Privacy

When contacting customer support, it’s important to know that your vendor has strict policies on how to verify your
identity and help you access your account, as well as how and when they can access your data.
Ask vendors to share their policies around escalation, management, knowledge sharing, risk management, and day-to-day
operations. They should have strict policies to limit access to customer data to employees with a job-related need.
Their policies should also allow you to dictate when and how they see your data if you find their basic policies don’t meet
your security requirements for sensitive information.

Compliance

There are security compliance standards that any reputable software vendor should adhere to. These include:
• ISO/IEC 27001:2013 certification
• SOC2 Type II
• ISAE 3402 (Europe)
An ISO/IEC 27001:2013 certification demonstrates that the vendor has a complete security framework and a risk-based
approach to managing information security. ISO/IEC 27001 is the only internationally recognized standard for the
establishment and certification of an information security management system (ISMS).
Vendors should also be compliant with local regulations. If you have any locations, employees, customers, or other
stakeholders working in or from Europe, your software should be GDPR compliant.

Security Topics

Application & Platform Security

Applications and platform security is the basis of preventing vulnerabilities and attacks. Learn the latest about
applications attacks, secure software development, patch management, OS security, virtualization, open source
security, API security, web app and server security and more. 

Careers and certifications


Security admins, pen testers and CISOs are a few of many potential cybersecurity careers. Get advice on making
a career choice and finding the trainings and certifications -- such as Security+, CISSP and CCSK -- needed to land
an infosec job, along with guidance on succeeding in a security profession. 

Cloud security
The cloud offers improved efficiency, flexibility and scalability, but its benefits can be reversed if security isn't
top of mind. Read cloud security best practices, including tips on data protection and IaaS, PaaS and SaaS
security, as well as cloud-specific tools and services such as CASBs, CWPPs and CSPM. 

Compliance
Compliance with corporate, government and industry standards and regulations is critical to meet business
goals, reduce risk, maintain trust and avoid fines. Get advice on audit planning and management; laws,
standards and regulations; and how to comply with GDPR, PCI DSS, HIPAA and more. 

Data security and privacy


Secure data storage, data loss prevention and encryption are must-have components of any enterprise security
strategy, especially as data threats and breaches become increasingly common. Get advice on these topics,
along with the latest data security strategies, data backup and recovery info, and more.

Identity and access management


Identity is often considered the perimeter in infosec, especially as traditional enterprise perimeters dissolve.
Identity and access management is critical to maintain data security. From passwords to multifactor
authentication, SSO to biometrics, get the latest advice on IAM here.

Network security
Enterprise cyberdefense strategies must include network security best practices. Get advice on essential
network security topics such as remote access, VPNs, zero-trust security, NDR, endpoint management, IoT
security, hybrid security, Secure Access Service Edge, mobile security and more. 

Risk management

A successful risk management plan helps enterprises identify, plan for and mitigate potential risks. Learn about
the components of risk management programs, including penetration tests, vulnerability and risk assessments,
frameworks, security awareness training and more.

Security analytics and automation

Security analytics and automation provide enterprises the data needed to help defend against a barrage of
cyber threats. A toolkit combining threat intelligence sharing and services with SIEM and SOAR systems as well
as threat hunting is key to success.

Security operations and management


Cybersecurity operations and management are vital to protect enterprises against cyber threats. Learn how to
create and manage infosec programs and SOCs, perform incident response and automate security processes.
Also read up on security laws and regulations, best practices for CISOs and more.

Threat detection and response


Just as malicious actors' threats and attack techniques evolve, so too must enterprise threat detection and
response tools and procedures. From real-time monitoring and network forensics to IDS/IPS, NDR and XDR,
SIEM and SOAR, read up on detection and response tools, systems and services. 

Threats and vulnerabilities


Keeping up with the latest threats and vulnerabilities is a battle for any security pro. Get up-to-date information
on email threats, nation-state attacks, phishing techniques, ransomware and malware, DDoS attacks, APTs,
application vulnerabilities, zero-day exploits, malicious insiders and more.

FIVE NON-TECHNICAL PILLARS OF NETWORK INFORMATION SECURITY MANAGEMENT

1. INTRODUCTION

In an increasingly competitive world, the company with the best information on which to base management
decisions is the most likely to win and prosper [4]. Organizations must understand that information is a very valuable
resource and must be protected and managed accordingly. Security must be considered as an integral part of whole IT
governance environment, and must be dealt with in a proactive manner in order to be effective.
This means that information security is fundamental to the survival of any organization which uses electronic
information resources. Information security is a discipline which can be divided into technical and non-technical
aspects. This division is also reflected in the following definition of Information Security Governance [17]:
‘Information Security Governance consists of the leadership, organizational structures, policies, procedures,
compliance enforcement mechanisms and technologies needed to ensure that the confidentiality, integrity and
availability of the organization’s electronic information assets are maintained at all times.’
Aspects like the leadership, organizational structures, policies, procedures and some of the compliance
enforcement mechanisms can be seen as the non-technical aspects, while the specific technologies (firewalls,
encryption, access control lists etc.) can be seen as the technical aspects. The authors do agree that some of these
aspects overlap, and therefore fall into the grey area of being technical as well as non-technical. Nevertheless, the
major aspects can be categorized as technical or non-technical.
Real Information Security Governance therefore consists of ensuring that both the technical and the non-technical
aspects are implemented and coordinated in a holistic way. Figure 1 below indicates where Information Security
Governance fits into the wider Corporate Governance structure.

Over the last 10 to 15 years, Information Technology in general has evolved from a centralized
environment to a more decentralized environment, in which all types of networks (LANs, WANs, and
Internet) are used daily to connect systems, work stations etc. to each other.
Managing the security of these networks, i.e. ensuring that the existence and use of all types of networks, do not
impact on the confidentiality, integrity and availability of the organization’s electronic assets, has become a pivotal part
of more general information security governance. The more
recent security worries around wireless networks, emphasize the crucial importance of such network security
management. Figure 2 below indicates where network security management fits into the Information Security
Governance structure.

[Figure 2 (diagram not reproduced); box labels recovered from the layout: Information Security Governance; Physical Security Management; Personnel Security Management; Etc.]
Figure 2 Network Security Management within the Information Security Governance structure

Because of the pivotal role of network security management, this paper zooms into this specific part of Information
Security Governance, and defines 5 pillars (essentials) which must be in place to ensure proper network security
management. These 5 pillars have to do with the more non-technical aspects of network security management, in line
with the division made for Information Security Governance above.
Understanding the importance of these 5 pillars is vital to network security, as too often companies approach
network security from a purely technical viewpoint, and do not realize that if the non-technical aspects (pillars) are not
in place, huge risks will still exist as far as the use of their networks is concerned. Identifying and highlighting the
importance of these 5 pillars is not necessarily a novel idea, as they are discussed and mentioned in most internationally
accepted best practices for information and network security management. However, the purpose is to again stress their
importance, and to provide a simple way for a network security manager to do a fast high-level evaluation to
determine the presence and level of implementation of these 5 pillars.
We start off by introducing and discussing each of these 5 (non- technical) pillars, and finish with a checklist that a
network security manager can use to see whether the relevant 5 (non-technical) pillars are in place.

2. NETWORK SECURITY MANAGEMENT PILLARS


The five main pillars (building blocks) that the authors claim to be essential for network security
management can be defined as:
• Having Top Management’s commitment and buy-in for network security
• Having a proper Network Security Policy
• Having a proper Organizational structure for network security
• Having a proper User awareness program for network security
• Having a proper Compliance monitoring system for network security
Combined, these five pillars will have a significant positive effect on implementing and maintaining a good network
security management program.
Each of these five pillars will now be discussed briefly.

2.1 Having Top Management’s commitment and buy-in for network security

In the last decade, boards of directors have experienced many new challenges and demands (such as
rapid developments in technology and market conditions) [6]. The document referred to, goes on to state
that information possessed by an organization is among its most valuable assets and is critical to its success.
The board of directors, which is ultimately accountable for the organization’s success, is therefore
responsible for the protection of its information. The protection of this information can only be achieved
through effective management and corporate governance.
According to Nicholas Durlacher [10], senior executives do not have to take responsibility for all the actions of their
employees. However, organizations have the right to require senior executives to justify their conduct and competence
formally in the event of any serious management failure that threatens the future of the firm. It is clear that senior
managers in many large organizations are now expressing a much greater interest in Information Security than their
counterparts of five to ten years ago.
Another author who has addressed the importance of senior management is Lewis [11]. Lewis states that the
business should take responsibility for Information Security and appoint an officer whose key responsibility is the
integrity of the organization’s information. Given that the directors of the company are ultimately liable for business
continuity, it is clear that the responsibility for Information Security cannot be removed from the boardroom.
This clearly shows that it is vital to involve top management in all Information Security management procedures
and decisions within the
organization. The reason being, that they are ultimately responsible for the security of all information in the
organization. Because of the increased risks in using networks, Top Management must specifically be aware of the
increased risk exposure of the company by using such networks, based on the underlying risks of the Internet, remote
dial-ins, wireless networks etc. Without such commitment and buy-in, proper corporate governance will be affected.

2.2 Having a proper Network Security Policy


A Corporate Information security policy may be defined as “compiled documentation of computer security
decisions”[15]. These security decisions can be made with regard to hardware, software, networks and information.
Such a Corporate Information Security policy must be a maximum of 2 to 3 pages, very generic, and non-technical, and
must be signed by the most senior official in the company.
Because of the pivotal role of networks in most companies, and the increased risks arising from implementing and
using such networks, a separate Network Security Policy, flowing from the Corporate Information Security policy, must
exist. Such a policy must explain the reason why the company uses networks, the risks involved in using these
networks, and the responsibilities of employees in limiting these risks whenever using such networks.
This can be a single policy document, but because of the growing importance and risks related to network usage,
trying to cover all aspects related to network security in one document, results in a document which is too big and
unwieldy. Increasingly companies are creating a set of policies related to network security, including:
• An Internet Usage Security Policy
• An Email Usage Security Policy
• An Encryption Policy
• A Wireless Network Security Policy
• A Malicious Software Security Policy
• Etc.
Such a Network Security Policy, or rather set of Network Security Policies, highlights the importance of security
when using networks and makes it easier to enforce proper network security management.

2.3 Organization

According to the International Guidelines for Managing Risk of Information and Communications Statement #1 [8], one of the six
major activities involved in Information Security is Roles and Responsibilities. This includes ensuring that individual roles,
responsibilities and authority are clearly communicated and understood by all [7]. Therefore, all security responsibilities, roles and
ownership must be defined and assigned to all the users in the organization who work with any information resource.
Again, because of the increased use of networks, a clear organizational structure, with a supporting set of roles and
responsibilities, must exist for network usage in all its forms. This structure must clearly indicate which organizational positions in the
company can use which network services, for example, remote login from wired and wireless networks, home access, dial-in
modems etc., and what their roles and responsibilities are.

2.4 Awareness
Information Security awareness is a widely publicized and talked-about issue in the business environment. The
reason for this is that Information Security awareness is mainly a human-related issue. It is important to realize that
“human issues” are the main cause of security breaches [11]. The most effective way to reduce Information Security
risks in an organization is to make employees more Information Security aware. This awareness also means that
employees must take responsibility for their own actions in the workplace.
Implementing an effective Information Security awareness programme helps all employees understand why they
need to take Information Security seriously, what they will gain from its implementation and how it will assist them in
completing their assigned tasks. An effective Information Security awareness programme could be the most cost-
effective initiative a company can take to protect its critical information assets [16]. This protection can only be
provided if there are effective programmes in place to make certain that employees are aware of their responsibilities.
It is the organization’s responsibility to make employees aware of Information Security policies and issues in the
organization. Without knowing the necessary security controls (and how to use them), users cannot be truly
accountable for their actions [15]. Organizations that have implemented strong protection mechanisms and have
educated their staff are in the best position to protect their information from unauthorized disclosure or modification.
According to the CCTA [2], the Information Security procedures must be integrated into normal everyday routine,
and staff should come to recognize security as an enabler rather than a barrier. The NIST handbook [15] also stresses
this “every day routine” by stating that Information Security is an ongoing process. This process of making employees
Information Security aware must continue after a candidate has been hired, which includes keeping employees up to
date with their IS duties and responsibilities.
Any general Information Security awareness program must, of course, include all aspects related to network usage
security, which must not be hidden amongst a lot of other security issues. Again, because of the importance of
networks, many companies are realizing that a network security awareness program, separate from the general
Information Security awareness program, has significant value. This is reinforced by Lewis [14], who states that if one can make
employees aware of the threats to the network and let them feel part of the network security team, they may feel more
inclined to help out and point out potential problems before they get out of hand. Greater success is achieved in this
way, because employees are specifically exposed to the security risks related to the use of networks, and can therefore
evaluate network security as an aspect in its own right.

2.5 Compliance Monitor (CM)


Compliance monitoring (measuring) is about finding out if procedures and processes that should be implemented
in an organization are working as they should, and are being complied with. The objects that are monitored can differ
from organization to organization; and include products, systems, processes, security program effectiveness and
personal competence [9].
Network security in itself can be compromised if there are no mechanisms in place, apart from some annual
audits, to ensure that it is enforced and complied with on a continuous basis. GMITS [5] states that Information
Security compliance checking (which includes network security) has to occur on an annual basis. A setback with
annual audits is that Information Security problems are only identified annually and the organization is open to
security attacks daily. In today’s business environment, organizations cannot afford to find out, 6 to 12 months later,
that an employee has resigned from the organization but still has access to some of the servers. These problems can be
avoided by continuously monitoring the network security in the organization.
A comprehensive compliance monitoring environment, to ensure compliance with the policies and procedures
mentioned in 2.2 above, is therefore essential. Although many of these compliance measuring and
monitoring mechanisms will be technical, the results must be used to check compliance with policies, and to update
aspects like the awareness programs. Therefore this pillar is handled as one of the non-technical pillars, as discussed in
section 1.
The compliance measuring and monitoring must not only produce technical low level results for operational
purposes, but must also be able to produce high level reports which can be used to inform top management, in an
easily understandable way, about the risks related to the use of networks in the company.
Such compliance monitoring is essential, because ‘you can only manage something if you can measure it’. This
specifically holds true for computer networks.

3. THE ‘5 PILLARED’ APPROACH


3.1 Network security management Processes

In the first part of this paper the 5 pillars for network security management were briefly introduced. Each of these
pillars can be summarized into a few high level actions that will enforce the role of that pillar.
This section will use an incremental approach to illustrate how these actions can be used to implement (or
evaluate the presence of) these pillars in a network security management environment.
Each of these pillars contains one or more actions that are vital to that pillar. If there is compliance with an action,
one can move on to the next action. If an action within a pillar is not complied with, a counter action
must be taken (indicated as a “No” in Figure 3). After a counter action is completed, the process starts again at the first
action in the specified pillar (or block). If all the actions are complied with within the pillar, one can progress to the
next pillar (block).
The order in which the pillars will be addressed is the same order as introduced in section 2. The order of the pillars
is very important to follow; for example, one cannot monitor a policy or procedure if such a policy or procedure does
not exist in the first place. Therefore, the pillars must be kept in the correct order. The actions and counter actions for
each pillar are depicted in Figure 3.
1.1 Checklist
This section uses the actions and pillars depicted in Figure 3 to create a checklist for network security management.
This checklist comprises each of the 13 decision questions from Figure 3, and indicates the network security
management approach for non-technical network aspects. Before starting to work through the checklist it is important
to know that technical aspects such as firewalls protect an organization from outside attacks but leave the organization
open to attacks from inside the organization. Insider threats are most often incidental in nature, because
many employees do not know that they are compromising the confidentiality, integrity or availability of information.
With this checklist in place an organization can try to minimize the “incidental” threats by employees.

2. CONCLUSION
This paper introduced the importance of the non-technical aspects of network security management. Five vital pillars
were identified and briefly described. Different actions for each of these pillars were also identified. These five pillars,
together with the individual actions, can be depicted in a checklist with a preset order that must be followed. The
importance of this checklist is to ensure that organizations are aware of the different non-technical aspects related to
network security management and how to implement and monitor these in an organization.

Security certification and accreditation

What is certification and accreditation and how does it relate to security engineering?
Certification and accreditation (CnA or C&A) is a procedure that can be used to implement any formal
process. The process can be looked at as a systematic process of carrying out the evaluation, testing, and
authorization of systems (or the activities of systems) after (or prior to) a system has become operational.
The C&A procedure gets used abundantly around the world.

Attaining the CISSP certification separates an information security expert from their competition and awards
them a badge of credibility. C&A is an integral part of the CISSP CBK and the aspirants need to be
theoretically and practically well-versed with the subject to be able to ace the exam. In simple terms,
certification in itself can be defined as the complete evaluation of a product, system, process, event, or a
skill that’s normally measured against an existing benchmark, norm, or standard.

Most trade organizations and industries prepare carefully designed certification models (and programs)
that can then be used for testing and evaluating the skills of the people performing jobs falling under the
specific interest area of the organization. However, testing laboratories can also grant certifications for
products (that meet the pre-established norms and standards), and government bodies have also historically
certified companies that are meeting the laid-out regulations (e.g., emission limits).
Accreditation, on the other hand, is a formal declaration by a third party (neutral) that the certification was
carried out in a way that accords with the relevant standards and/or norms of the certification program
(e.g., IEC 17024). In most countries around the world, there are specific bodies that operate nationwide and
enforce these regulations. In the US, the United  States  Accreditation Service (UKAS)  is the country’s
accepted accreditation organization.

There are many ways of building and implementing a certification and accreditation program at the
enterprise level. Predominantly, it’s composed of people, technologies, and processes of different types. All
of the constituent entities are important, but there are some special program components that can be
referred to as being absolutely essential to the program’s success. If these pertinent components don’t
function as they should, the program’s implementation can be severely hampered and the repercussions
won’t be desirable. Following are some of the most important elements that are critical to the success of a
C&A program at an enterprise:

The C&A business case


An enterprise certification and accreditation program can only flourish if it has been based on a solid
business case that lists the key benefits that the company will reap from it. Via the business case, the
company is able to figure out exactly why the program is going to be beneficial to the company; the benefits
can include:
• Diligence: A C&A program provides a way to exercise due diligence within an organization. Via such a
program, management can ensure that adequate levels of security have been implemented
throughout the organization.
• Accountability: The program gives the organization a way to hold managers,
executives and even employees accountable for the security and integrity of the systems that they
interact with or are responsible for.
• Transparency: The program also affords visibility and transparency to IT security across the
enterprise by addressing the different levels of security.
• Cost-Effectiveness: Because the C&A program ensures the sound running and management of
different processes within an organization, researchers have shown that it has proved to be
substantially cost-effective in the longer run.

The C&A goal setting


Once the formalized documents of the business plan have been laid out, an organization also has to set the
goals that it expects to achieve via the implementation of the C&A program. The goals laid out should be (at
the very least):
• Comprehensive: The program can’t leave any stone unturned; every system, service (and personnel)
running in the organization should be affected by its implementation. The greatest advantage of the
program is that it provides standardization of requirements, outcomes, and processes; if there is a
failure in complying with the requirements of the program, this can result in the loss of the desired
standardization.
• Integrated: The program must also incorporate integrations of the various components of the
systems that are running across the enterprise.
• Timely: The set goals should have a rigorous timeline that would have to be abided by. Review and
assessment cycles should be evenly divided across the timeline before the deadline.
• Achievable: Lastly, the goals set out need to be achievable. There is no benefit that an enterprise
can reap from penning down extravagant goals that are unachievable. To set achievable goals, it’s
necessary for the enterprise to be “self-aware” more than anything else.
Establishing tasks and milestones
A typical C&A program is huge and it can only be conceived if it gets divided into small tasks and milestones.
This is a very important stage because it lays out the implementation plan that would then need to be
carried out with care. Separation of duties should be enforced at this stage to ensure that everybody is
aware of the duties that they are required to perform. Milestone setting always proves to be beneficial in
the implementation of a certification and accreditation program because this allows top-level management
to maintain the levels of efficiency and accountability that will lead to the successful implementation of the
program.

Scrutinizing program execution


The success of the program depends most on its execution. It’s always recommended to hire an expert who
knows how to carry out the C&A implementation at the enterprise level. The careful scrutinizing of the
program’s execution should involve holding people accountable for the milestones and/or tasks they were
assigned to complete within specific periods of time. Maintaining a watchful eye also ensures that all the
standards and norms are complied with during the implementation.

Stages of a C&A program


Predominantly, C&A programs can be divided into four vast stages. Different activities are performed at
these different stages.
1. Initiation and planning
At this stage, the administration initiates and plans the implementation of the program. A C&A
implementation expert lays out the documentation (including the business case and requirement
documents) and presents it to the administration in the form of a comprehensive C&A package.
2. Certification
At this stage, an external auditing team analyzes the C&A package and the information security systems of
the organization. The audits will include running vulnerability scans, conducting interviews, and checking if
everything complies with the accepted standards and norms.
3. Accreditation
In the accreditation stage, the certifying authority will review the compiled C&A package and will also go
through the recommendations put forward by the auditing team. Before granting the accreditation, the
authority will make its examination and see if there is a possibility of accepting non-remedied risks in the
system.
4. Periodic monitoring
The system, the personnel, and the whole organization, in general, will be monitored periodically by a team
whose sole responsibility is to ensure that the program stays operational as it should. Any risks,
vulnerabilities, or threats that might arise during the monitoring stage will also have to be dealt with by the
security enforcers of the organization.
Final word
Certification and accreditation programs provide a framework for enterprises to ensure security,
accountability, and, at times, efficiency. An information security expert should be well aware of all the
concepts, theories, and practices that make C&A programs what they are.
This article presented a brief overview of the fundamentals of the program and candidates looking to pass
the CISSP exam should consider other resources while preparing as well.

Security & Personnel :


Why personnel security matters
Personnel security protects your people, information, and assets by enabling your organisation to:
• reduce the risk of harm to your people, customers and partners
• reduce the risk of your information or assets being lost, damaged, or compromised
• have greater trust in people who access your official or important information and assets
• deliver services and operate more effectively.
Insider threats come from our past or present employees, contractors or business partners. They can misuse their inside
knowledge or access to harm our people, our customers, our assets or our reputation. Personnel security focusses on
reducing the risks associated with insider threats.
An ‘insider threat’, or ‘insider’, is any person who exploits, or intends to exploit, their legitimate access to an organisation’s
assets to harm the security of their organisation or New Zealand, either wittingly or unwittingly, through espionage,
terrorism, unauthorised disclosure of information or loss or degradation of a resource (or capability).
Common insider acts include:
• unauthorised disclosure of official, private, or proprietary information
• fraud or process corruption
• unauthorised access to ICT systems
• economic or industrial espionage
• theft
• violence or physical harm to others.
Many security breaches are unintentional and result from a lack of awareness or attention to security practices, being
distracted or being fooled into unwittingly assisting a third party.

SECURITY AND PERSONNEL

Introduction
• When implementing information security, there are many human resource issues that must be addressed:
  • Positioning and naming
  • Staffing
  • Evaluating the impact of information security across every role in the IT function
  • Integrating solid information security concepts into personnel practices
• Employees often feel threatened when the organization is creating or enhancing its overall information security program

Positioning and Staffing the Security Function
• The security function can be placed within:
  • IT function
  • Physical security function
  • Administrative services function
  • Insurance and risk management function
  • Legal department
• Organizations balance the needs of enforcement with the needs for education, training, awareness, and customer service

Staffing the Information Security Function
• Selecting personnel is based on many criteria, including supply and demand
• Many professionals enter the security market by gaining skills, experience, and credentials
• At present, the information security industry is in a period of high demand

Qualifications and Requirements
• The following factors must be addressed:
  • Management should learn more about position requirements and qualifications
  • Upper management should learn about the budgetary needs of the information security function
  • IT and management must learn more about the level of influence and prestige the information security function should be
given to be effective
• Organizations typically look for a technically qualified information security generalist
• Organizations look for information security professionals who have strong communications and writing skills and who understand:
  • How an organization operates at all levels
  • That information security is usually a management problem, not a technical problem
  • The role of policy in guiding security efforts
  • Most mainstream IT technologies
  • The terminology of IT and information security
  • The threats facing an organization and how they can become attacks
  • How to protect the organization’s assets from information security attacks
  • How business solutions can be applied to solve specific information security problems

Entry into the Information Security Profession
• Many information security professionals enter the field through one of two career paths:
  • Law enforcement and military
  • Technical, working on security applications and processes
• Today, students select and tailor degree programs to prepare for work in information security
• Organizations can foster greater professionalism by matching candidates to clearly defined expectations and position
descriptions

Information Security Positions
• Use of standard job descriptions can increase the degree of professionalism and improve the consistency of roles and
responsibilities between organizations
• Charles Cresson Wood’s book Information Security Roles and Responsibilities Made Easy offers a set of model job
descriptions

Chief Information Security Officer (CISO or CSO)
• Top information security position; frequently reports to the Chief Information Officer
• Manages the overall information security program
• Drafts or approves information security policies
• Works with the CIO on strategic plans
• Develops information security budgets
• Sets priorities for information security projects and technology
• Makes recruiting, hiring, and firing decisions or recommendations
• Acts as spokesperson for the information security team
• Typical qualifications: accreditation; graduate degree; experience

Security Manager
• Accountable for the day-to-day operation of the information security program
• Accomplishes objectives as identified by the CISO
• Typical qualifications: not uncommon to have accreditation; ability to draft middle- and lower-level policies, standards and
guidelines; budgeting, project management, and hiring and firing; manages technicians

Employment Policies and Practices
• The management community of interest should integrate solid information security concepts into the organization’s employment
policies and practices
• The organization should make information security a documented part of every employee’s job description
• From an information security perspective, the hiring of employees is a responsibility laden with potential security pitfalls
• The CISO and information security manager should provide human resources with information security input to personnel
hiring guidelines

Termination
• When an employee leaves the organization, there are a number of security-related issues
• The key is protection of all information to which the employee had access
• Once cleared, the former employee should be escorted from the premises
• Many organizations use an exit interview to remind the former employee of contractual obligations and to obtain feedback
• Hostile departures include termination for cause, permanent downsizing, temporary lay-off, or some instances of quitting
  • Before the employee is aware, all logical and keycard access is terminated
  • The employee collects all belongings and surrenders all keys, keycards, and other company property
  • The employee is then escorted out of the building
• Friendly departures include resignation, retirement, promotion, or relocation
  • The employee may be notified well in advance of the departure date
  • It is more difficult for security to maintain positive control over the employee’s access and information usage
  • Employee access usually continues with a new expiration date
  • Employees come and go at will, collect their own belongings, and leave on their own
• Offices and information used by the employee must be inventoried; files stored or destroyed; and property returned to
organizational stores
• It is possible that employees foresee departure well in advance and begin collecting organizational information for their future
employment
• Only by scrutinizing system logs after the employee has departed can the organization determine if there has been a breach of
policy or a loss of information
• If information has been copied or stolen, the action should be declared an incident and the appropriate policy
followed
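Section 2.5 above asks for continuous compliance monitoring that yields both low-level operational results and high-level management reports, and the termination slides note that only scrutiny of system logs after a departure reveals whether access outlived the employee. The Python script below is an added example, not code from the paper or the slides: it reconciles a constructed HR leaver list against a constructed directory snapshot and sample authentication log lines, producing per-finding detail for operations and a short summary for management. All names, dates, hosts and record layouts are assumptions.

```python
"""Post-departure access reconciliation (added example; all data is constructed)."""
from collections import Counter
from datetime import date, datetime

# Constructed HR roster: departure date, or None if still employed.
HR_ROSTER = {
    "alice": {"departed": None},
    "bob":   {"departed": date(2024, 3, 1)},
    "carol": {"departed": date(2024, 3, 15)},
    "dave":  {"departed": date(2024, 2, 10)},
}

# Constructed directory snapshot: whether the account is enabled, and on which servers.
ACCOUNTS = {
    "alice": {"enabled": True,  "servers": ["erp01"]},
    "bob":   {"enabled": True,  "servers": ["build01", "git01"]},  # left, still enabled
    "carol": {"enabled": False, "servers": ["crm01"]},             # correctly disabled
    "dave":  {"enabled": True,  "servers": ["build01"]},           # left, still enabled
}

# Constructed syslog-like authentication log: timestamp host program result method for user
AUTH_LOG = """\
2024-03-02T08:10:00 build01 sshd: Accepted password for bob
2024-03-03T22:41:00 git01 sshd: Accepted publickey for bob
2024-03-05T09:00:00 erp01 sshd: Accepted password for alice
2024-03-16T01:12:00 crm01 sshd: Failed password for carol
2024-02-09T17:30:00 build01 sshd: Accepted password for dave
"""


def parse_auth_log(text):
    """Return one dict per log line: when, server, user, accepted."""
    events = []
    for line in text.splitlines():
        stamp, server, _prog, result, _method, _for, user = line.split()
        events.append({
            "when": datetime.fromisoformat(stamp),
            "server": server,
            "user": user,
            "accepted": result == "Accepted",
        })
    return events


def find_findings(roster, accounts, events, as_of):
    """Low-level findings for departed staff: still-enabled accounts and logins after departure."""
    findings = []
    for user, hr in roster.items():
        left = hr["departed"]
        if left is None:
            continue  # still employed; nothing to reconcile
        acct = accounts.get(user)
        if acct and acct["enabled"]:
            findings.append({
                "type": "account_enabled_after_departure",
                "user": user,
                "days_open": (as_of - left).days,
                "servers": acct["servers"],
            })
        for ev in events:
            # Failed attempts are noise here; a successful login after departure is the finding.
            if ev["user"] == user and ev["accepted"] and ev["when"].date() > left:
                findings.append({
                    "type": "login_after_departure",
                    "user": user,
                    "server": ev["server"],
                    "when": ev["when"].isoformat(),
                })
    return findings


def management_summary(findings, roster, as_of):
    """High-level counts that convey the exposure without technical detail."""
    by_type = Counter(f["type"] for f in findings)
    open_days = [f["days_open"] for f in findings
                 if f["type"] == "account_enabled_after_departure"]
    return {
        "as_of": as_of.isoformat(),
        "departed_staff": sum(1 for hr in roster.values() if hr["departed"]),
        "departed_with_live_access": len({f["user"] for f in findings}),
        "accounts_still_enabled": by_type["account_enabled_after_departure"],
        "logins_after_departure": by_type["login_after_departure"],
        "longest_open_days": max(open_days, default=0),
    }


if __name__ == "__main__":
    today = date(2024, 3, 20)
    found = find_findings(HR_ROSTER, ACCOUNTS, parse_auth_log(AUTH_LOG), today)
    for f in found:
        print("FINDING", f)
    print("SUMMARY", management_summary(found, HR_ROSTER, today))
```

Run daily rather than annually, the summary's "departed_with_live_access" and "longest_open_days" are the numbers that tell management how long the 6-to-12-month gap described in section 2.5 has actually been.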

Employment Policies and Practices


Determine how employment policies and practices are used to enhance information security in your organization.
Although the first concern of management might be employees and employment policies, these seem to be the last
concerns of information security management. Although various research groups say that most of the threats to
information assets are from internal users, employment policies can be used to protect information security assets by
setting guidelines for the following:
 Background checks and security clearances
 Employment agreements and hiring and termination practices
 Setting and monitoring of job descriptions
 Enforcement of job rotation
Background Checks and Security Clearances
Those who work for the federal government, whether as an employee or a contractor, know the rigors that go into
background checks and security clearances. If you work for an agency or the military where a national security clearance is
required, you probably had to fill out an extensive questionnaire that could have been verified through interviews and
polygraphs. Despite some high-profile cases of personnel security lapses, the federal government does try to check
everyone with access to sensitive information.

Many nongovernment organizations do not need the same type of background checks as the federal government does.
However, having some type of background check should be part of the application process. Minimally, the organization
should verify previous employment and other basic information provided as part of the application. For those in more
sensitive positions, such as administrators and information security professionals, a further check into someone's
background might be a consideration. As long as the checks are disclosed, an organization can request access to credit and
criminal records to verify the applicant's suitability for her position. Organizations can even hire an outside firm that
performs these checks as well as those that examine other public records to determine whether the potential for a
problem or a conflict of interest exists.

Regardless of the checks your organization performs, the policies and guidelines must be disclosed to the applicant and
employee. Although the government has policies for recertifying security clearances, if your organization wants to do
the same, that has to be disclosed to the employee. Many aspects of this are covered by federal, state, and local statutes
and civil rights laws and should be cleared with an attorney before implementing.

Employment Agreements, Hiring, and Termination


In nearly every job I have had, there has been at least one employment agreement that says I will not violate policies and
will maintain the integrity of the information for which I am being trusted. Other policies have included nondisclosure and
intellectual property agreements. Whatever makes sense for your organization, these agreements should be presented to
the new employee when he first arrives for work.

Employment agreements are used to protect the organization from something the employee can do. It is a protection from
the insider threat. Agreements can also provide the organization a means by which to discipline employees if an
enforcement action is necessary. By having the employee sign the agreements, the organization has the ability to enforce
the policies behind them by showing that the employee was notified of what was expected from him.

The Acceptable Usage Policy


The acceptable usage policy (AUP) is a document that summarizes the overall information security policy for the users. The
AUP can contain parts of the organization's policies outlining the user's security responsibilities. Most of the time, they are
highlighted components and written in plain language. A successful AUP is short and to the point. Ideally, the AUP should
be only a few pages long.

Usually, the AUP is a signed document that acts as an agreement to abide by the information security policies it represents.
It can be given to the new employee, contractor, or vendor with access to the network to ensure he knows his
responsibilities. The purpose is to draw attention to the policy documents without requiring the new user to read them.
The AUP should say that the users will abide by the policies, but the AUP can be seen as a "quick start" document to allow
users to read the full policy later.
Termination
There will come a time when an employee or a contractor is no longer associated with the organization. Regardless of
whether the termination is from voluntary or involuntary means, administrators must have procedures in place to revoke
access to the organization's resources. Keeping a user's identification active might leave the network open for attack, and
just deleting the user's information can destroy potential information assets.

Regardless of the procedures used, they should consider immediate revocation of access to the networks. Additionally,
personnel policies should be adjusted to ensure employees do not have the type of access to the systems, network, and
physical facilities to do damage. Even for contractors whose contracts have expired or been terminated, it might be a good
idea to have a manager or security guard escort the former employee out of the building. During the process, someone
should collect the employee's identification badges, keys, and other access control devices; disconnect his phone; turn off
his email; lock his intranet account; and so on.

As part of the procedures, everyone must work together. If those responsible for terminating network access are not told
that an employee was terminated, the network can be left open to attack by a disgruntled former employee. An improperly
executed procedure makes everyone responsible for an adverse reaction.

Job Descriptions
Job descriptions are usually associated with requisitions and advertisements used to fill jobs within the organization. In the
information security context, job descriptions define the roles and responsibilities for each employee. Within those roles
and responsibilities, procedures are used to set the various access controls to ensure that the user can get access only to
the resources he is allowed to access.

During periodic audits and monitoring, a user who is accessing information beyond his job description might be an
indication of a problem. For example, a contractor working on the development of the new Web system should not be able
to access accounting data. The danger here is when the job descriptions are not properly maintained. If a job description
is informally changed without changing the official job description, there can be problems trying to enforce policies. It
would help if there were a policy to change job descriptions before changing access control lists.
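The paragraph above treats access beyond a job description as an audit signal and recommends changing the job description before the access control list. The Python audit below is an added example, not the book's own code: it checks a constructed ACL snapshot and a constructed access log against documented role resources, reporting grants that have drifted from the job description and events that fall outside a user's role. Roles, resources, user names and the log layout are all assumptions.

```python
"""Job-description-versus-access audit (added example; all data is constructed)."""

# Constructed job descriptions: the resources each role is documented to need.
JOB_DESCRIPTIONS = {
    "web_contractor": {"webdev_repo", "staging_web"},
    "accountant": {"accounting_db", "payroll_reports"},
    "sysadmin": {"webdev_repo", "staging_web", "accounting_db", "backup_store"},
}

# Constructed user-to-role assignments taken from the official job descriptions.
USER_ROLES = {"erin": "web_contractor", "frank": "accountant", "grace": "sysadmin"}

# Constructed ACL snapshot: what each user is actually granted today.
ACL_GRANTS = {
    "erin": {"webdev_repo", "staging_web", "accounting_db"},  # informal extra grant
    "frank": {"accounting_db", "payroll_reports"},
    "grace": {"webdev_repo", "staging_web", "accounting_db", "backup_store"},
}

# Constructed access log, one event per line: "user resource action outcome".
ACCESS_LOG = """\
erin webdev_repo read allowed
erin accounting_db read allowed
frank payroll_reports read allowed
frank backup_store read denied
grace backup_store write allowed
"""


def acl_drift(job_descriptions, user_roles, acl_grants):
    """Map user -> sorted list of grants that the user's job description does not cover."""
    drift = {}
    for user, role in user_roles.items():
        extra = acl_grants.get(user, set()) - job_descriptions[role]
        if extra:
            drift[user] = sorted(extra)
    return drift


def parse_access_log(text):
    """Return one dict per log line with user, resource, action and outcome."""
    events = []
    for line in text.splitlines():
        user, resource, action, outcome = line.split()
        events.append({"user": user, "resource": resource,
                       "action": action, "outcome": outcome})
    return events


def out_of_role_access(job_descriptions, user_roles, events):
    """Events that touch resources outside the user's documented role.

    An allowed event means the ACL has already drifted (high severity); a denied
    event is an attempt the controls stopped but that still deserves a look (medium).
    A user with no job description on file is itself a high-severity finding.
    """
    hits = []
    for ev in events:
        role = user_roles.get(ev["user"])
        if role is None:
            hits.append({**ev, "severity": "high", "reason": "no job description on file"})
            continue
        if ev["resource"] not in job_descriptions[role]:
            severity = "high" if ev["outcome"] == "allowed" else "medium"
            hits.append({**ev, "severity": severity, "reason": f"outside role {role}"})
    return hits


if __name__ == "__main__":
    print("ACL drift:", acl_drift(JOB_DESCRIPTIONS, USER_ROLES, ACL_GRANTS))
    for hit in out_of_role_access(JOB_DESCRIPTIONS, USER_ROLES, parse_access_log(ACCESS_LOG)):
        print("OUT OF ROLE:", hit)
```

In the constructed data the contractor's accounting grant shows up twice, once as ACL drift and once as an allowed out-of-role read, which is exactly the case the paragraph describes.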

Job Rotation
Job rotation is the concept of not having one person in one position for a long period of time. The purpose is to prevent a
single individual from having too much control. Allowing someone to have total control over certain assets can result in the
misuse of information, the possible modification of data, and fraud. By enforcing job rotation, one person might not have
the time to build the control that could place information assets at risk.

Another part of job rotation should be to require those working in sensitive areas to take their vacations. By having some
of the employees leave the workplace, others can step in and provide another measure of oversight. Some companies,
such as financial organizations, require their employees to take their vacations during the calendar or fiscal year.
Internal Controls and Data Security: How to Develop Controls That
Meet Your IT Security Needs

An introduction to internal controls

Businesses today are constantly facing new IT risks, and it can be challenging to keep up with the changes in technology
and best practices for protecting your business and the valuable data in your possession. For example, since most workers
have begun to work from home due to the global coronavirus health crisis, organizations have become more vulnerable to
cyber attacks and other types of operational disruptions.

One of the most effective ways to ensure your organization is taking the correct steps to mitigate risks is to develop a set of
internal controls that ensure your processes, policies, and procedures are designed to protect your valuable corporate
assets and keep your company secure and intact. Internal controls help your employees carry out their jobs in a way that
protects your organization, your clients, and your bottom line.

What Are Internal Controls?


Jonathan Marks, a well-known professional in the forensics, audit, and internal control space, defines internal controls as,
“…a process of interlocking activities designed to support the policies and procedures detailing the specific preventive,
detective, corrective, directive, and corroborative actions required to achieve the desired process outcomes of the
objective(s).”
Internal controls are processes that mitigate risk and reduce the chance of an unwanted risk outcome. Your organization
may choose to create certain internal controls. And you may be obligated to have others in place because you’re subject to
regulations such as the Sarbanes-Oxley Act of 2002 (SOX), a law created to restore faith in financial accounting systems and
procedures and audits after several major public companies, including Enron, Worldcom, and Tyco International,
defrauded investors.
While we will discuss specific types of internal controls later, it’s important to understand that internal controls will be
somewhat unique to your business depending on what risks are most probable given the type of your business, your
industry, and so on. The process of defining and implementing internal controls is often iterative and will take time, but it
will ultimately make your company stronger and more resilient to risk.

Why Are Internal Controls Important?

Internal controls are used by management, IT security, financial, accounting, and operational teams to achieve the
following goals:
1. Ensure the reliability and accuracy of financial information – Internal controls ensure that accurate, up-to-date and
complete information is reflected in accounting systems and financial reports. For example, the Sarbanes-Oxley Act of
2002 (SOX) requires annual proof that:
 A business accurately reports its financials;
 Its procedures effectively prevent fraud; and
 It has addressed any uncertainties.
2. Prevent fraudulent business activity – Internal controls create a reliable system for managing business operations and
keeping a check on potential business fraud. Businesses subject to SOX are required to have a process for identifying fraud
that is acceptable to regulators.

3. Safeguard sensitive, confidential and valuable information – Internal controls are designed to protect
information from being lost or stolen and to reduce the costs an organization incurs when it suffers a
security incident.

4. Ensure compliance – Internal controls help ensure that a business is in compliance with the federal, state and
local laws, industry-specific regulations and voluntary cybersecurity frameworks such as SOC 2 or ISO 27001.
5. Improve the efficiency and effectiveness of business operations – Internal controls help companies reduce
complexity, standardize and consolidate their operational and financial processes and eliminate manual
effort.  This often results in more efficient, more consistent, and more effective services and operations. 

Internal Controls and Data Security

Having internal controls as a built-in part of your information security programs is the key to ensuring you have effective
programs in place. It’s important that you know how your security compliance program is performing; if there is a cyber
security incident, outside regulators examining your program will quickly be able to tell if your business is making an actual
effort at compliance or if you are simply going through the motions.
Five Components of Internal Control

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework describes five components of
internal control, which companies can use to develop their own unique and effective internal controls.
Control environment: This comprises the framework and basis of your internal controls program, including the processes
and structures that create the foundation of the internal controls your business carries out. The control environment also
includes:
 The integrity and ethical values of your organization
 Parameters for how and when the board carries out their responsibilities, and 
 Incentives and rewards. 

Simply put, the control environment is the culture your company creates around internal controls. The executives, upper
management, and team leads must all communicate the importance of internal controls downward and every process
must take place within the parameters of the control environment.
Risk assessment: To build effective internal controls, a business must first understand what risks they are controlling for
and what their business is up against in terms of internal and external risks. A proper risk assessment means identifying
risks in all areas of your business, both inside your organization and outside, and then identifying ways to mitigate those
risks or bring them down to an acceptable level. 
Below, are some questions to consider to make sure your risk assessment is comprehensive:  
 Does your risk strategy include a comprehensive view that considers both existing and emerging risks? 
 How are risk tolerance levels defined?
 Are key stakeholders involved in setting risk tolerance levels?
 How effectively does the design of the control mitigate the risk? 
For more details on how to conduct a thorough security risk assessment, check out this blog post Conducting an
Information Security Risk Assessment: a Primer

Control activities: Control activities are where the rubber meets the road. They are how your risk management strategies
are actually carried out in the policies and procedures that govern the day-to-day activities of your employees. These
activities are embedded throughout your entire company, and they are designed to identify, monitor, and, ultimately,
prevent risks from manifesting. 

Information and communication: In many ways, communication is the most important part of the internal
controls your organization puts in place. If an internal control shows that a process isn’t working, and that isn’t
communicated upwards to those who can fix it, what’s the point of having the internal control in the first place?
How will your organization benefit from the internal control if a manager doesn’t have a channel for
communicating with control owners and policymakers within the company? 
There must be an open channel of communication regarding internal controls, and robust reporting and
information gathering is key to reaping the benefits of all the work and time that go into internal controls. 
Yet, too often, compliance teams don’t have a comprehensive view into all risk areas and internal controls
within their organization. Without such information, compliance teams are unable to see the gaps in their
control environment and miss the opportunity to make timely adjustments to shore up controls and mitigate
risks.
Monitoring: To gauge the effectiveness of your internal controls, and to ensure you're addressing any gaps in
the controls you've developed, you need to continuously monitor your controls and conduct tests to make sure
your processes are working as designed. Ideally, these tests are automated, not manual, which reduces the
chance of human error that can leave your assets exposed. For example, forgetting to revoke access privileges
to critical systems when an employee quits leaves your organization open to threats, and it is easy to forget
to remove a departing employee's access to some systems if revocation is a manual process. Driving
deprovisioning from the HR system's leaver record, and periodically reconciling live accounts against that
record, largely removes that risk.
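The two checks raised in this section's monitoring example and in the job-description discussion earlier (a departing employee whose access was never revoked, and a contractor on the web system holding accounting access) can be run together as one periodic access-review reconciliation. The Python below is an added example written for this page, not Hyperproof's or the original authors' code. It assumes three inputs most organizations can export: an HR roster with role and status, a list of accounts with their entitlements, and a role-to-entitlement matrix; all sample data, field names and entitlement names are constructed for illustration.

```python
"""Periodic access-review reconciliation (added example; sample data is constructed).

Flags two control failures:
  * orphaned-account:   an enabled account whose owner HR lists as terminated,
                        or who is not in the HR roster at all
  * excess-entitlement: an entitlement the owner's job role does not permit
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Role -> entitlements that role is permitted to hold (constructed, assumed names).
# This matrix is the "official job description": if it is not kept current the
# review produces false positives or misses real excess.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "web-developer": {"git:web-system", "ci:web-system", "jira"},
    "accountant": {"erp:gl-read", "erp:gl-post", "jira"},
    "sysadmin": {"ssh:prod", "ci:web-system", "jira"},
}


@dataclass(frozen=True)
class Person:
    person_id: str
    role: str
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # last working day, if terminated


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str                    # person_id from the HR roster
    entitlements: FrozenSet[str]
    enabled: bool = True


@dataclass(frozen=True)
class Finding:
    kind: str                        # "orphaned-account" or "excess-entitlement"
    username: str
    detail: str


def find_orphaned_accounts(roster: List[Person], accounts: List[Account],
                           as_of: date) -> List[Finding]:
    """Enabled accounts whose owner has left (as of the review date) or is unknown to HR."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to report
        owner = people.get(acct.owner_id)
        if owner is None:
            findings.append(Finding("orphaned-account", acct.username,
                                    "owner %s not in HR roster" % acct.owner_id))
        elif owner.status == "terminated" and (owner.end_date is None
                                               or owner.end_date <= as_of):
            findings.append(Finding("orphaned-account", acct.username,
                                    "owner %s terminated %s" % (owner.person_id, owner.end_date)))
    return findings


def find_excess_entitlements(roster: List[Person], accounts: List[Account]) -> List[Finding]:
    """Entitlements on enabled accounts that the owner's role does not allow."""
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        owner = people.get(acct.owner_id)
        if owner is None or not acct.enabled:
            continue  # unknown owners are reported by find_orphaned_accounts
        allowed = ROLE_ENTITLEMENTS.get(owner.role, set())
        for ent in sorted(acct.entitlements - allowed):
            findings.append(Finding("excess-entitlement", acct.username,
                                    "%s is not permitted for role %s" % (ent, owner.role)))
    return findings


def run_access_review(roster: List[Person], accounts: List[Account], as_of: date) -> List[Finding]:
    """Orphaned-account findings first, then excess-entitlement findings."""
    return find_orphaned_accounts(roster, accounts, as_of) + find_excess_entitlements(roster, accounts)


# Constructed sample inputs
REVIEW_DATE = date(2024, 4, 15)
SAMPLE_ROSTER = [
    Person("p100", "web-developer", "active"),                    # contractor on the new web system
    Person("p200", "accountant", "active"),
    Person("p300", "sysadmin", "terminated", date(2024, 3, 31)),  # left; account never disabled
]
SAMPLE_ACCOUNTS = [
    Account("contractor-j", "p100", frozenset({"git:web-system", "ci:web-system", "erp:gl-read"})),
    Account("acct-m", "p200", frozenset({"erp:gl-read", "erp:gl-post", "jira"})),
    Account("admin-k", "p300", frozenset({"ssh:prod", "jira"})),
    Account("svc-legacy", "p999", frozenset({"ssh:prod"})),       # owner unknown to HR
    Account("old-intern", "p300", frozenset({"jira"}), enabled=False),  # disabled: not reported
]

if __name__ == "__main__":
    for f in run_access_review(SAMPLE_ROSTER, SAMPLE_ACCOUNTS, REVIEW_DATE):
        print("%-19s %-13s %s" % (f.kind, f.username, f.detail))
```

The reconciliation is only as good as the role matrix: if a job changes informally without the matrix being updated, a legitimate change is reported as excess, and a genuine excess can hide behind an over-broad role definition, which is exactly why the job-description policy above matters. Disabled accounts are deliberately skipped rather than reported, so the review should be paired with a separate check that disabled accounts are eventually deleted.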
Additionally, having open communication and a dedicated channel for people who have concerns or have
experienced issues is an important practice to ensure the continued success of your internal controls.
Further, conducting internal controls audits will also give you insight into how your internal controls are
performing.
Conducting an internal control audit: An internal controls audit simply tests the effectiveness of your internal
controls. When it comes to financial internal controls, the Sarbanes-Oxley Act made businesses legally
responsible for ensuring their financial statements are accurate, and the Public Company Accounting Oversight
Board developed the standard used to evaluate internal control over financial reporting in its Auditing Standard
No. 5 (since reorganized as AS 2201).
Financial internal controls audits are performed by CPAs and require an organization to provide proof of the
process your organization uses to evaluate your controls and financial statements. This can require a lot of
documentation, but if your organization has been monitoring your internal controls and creating regular and
thorough reports, and consolidating all of that information in one place, producing it should be relatively
simple.

Creating Internal Controls To Minimize Security Risk

Security controls are safeguards designed to avoid, detect, or minimize security risks to physical property, digital
information (e.g. sensitive customer data or a company’s IP), computer systems, mobile devices, servers and other assets.
Security controls could fall into one of the following categories: 
 Physical controls: doors, locks, security cameras
 Procedural controls: incident response processes, management oversight, security awareness and training,
background checks for personnel who handle critical systems
 Technical controls: user authentication (login) and logical access controls, antivirus software, firewalls
 Legal and regulatory controls: policies, standards, etc.
Security controls can also be classified according to the time that they act, relative to a security incident: 
 Before the event: preventative controls are intended to stop an incident from occurring, e.g. by locking out
unauthorized users
 During the event: detective controls are intended to identify and characterize an incident in progress, e.g. by
sounding the intruder alarm and alerting the appropriate personnel such as system administrators, security guards or
police
 After the event: corrective controls are intended to limit the extent of damage caused by an incident, e.g. restoring a
system to normal working status as fast as possible 

As we mentioned earlier, internal controls need to be tailored to the specific risks you want to mitigate. Having said that,
here are the key considerations for creating effective controls for protecting your data assets and information systems:
Understand what your risks are: Before you can take steps to protect your electronic assets, you need to understand what
you’re protecting them against and how to effectively guard them. Performing an information security risk assessment will
give you a detailed look at your risks and help you decide how to best mitigate them.

Take both physical and electronic threats into consideration: When it comes to information security, it's not just about
who has electronic access to data or about email policies. In the course of their jobs, many employees come into contact
with hard copies of sensitive information or have access to places where assets are stored, and your business needs
policies and controls that address physical as well as electronic threats.
Work on your compliance processes: Going through a thorough compliance process will give you the opportunity to
uncover gaps in your security program. When we talk about a compliance process, we are really talking about identifying a
cybersecurity framework (e.g., SOC 2, NIST 800-53, ISO 27001) you want to implement, understanding the requirements
and controls outlined in the framework, taking inventory of your own internal controls and security measures to
understand the gaps in your program, and then putting measures in place to fix or refine deficient controls and processes. 
When you decide to become compliant with a cybersecurity framework, you will go through a process that forces you to
inventory your strengths and weaknesses. You will educate yourself on modern security best practices, and the exercise
can serve as a springboard to put in place or refine deficient controls and processes.

Have a data breach response policy in place: Even if you’ve implemented strong security controls and have regular
security training with employees, you won’t be able to completely avoid the possibility of a data breach. The best way to
handle a data breach correctly is to plan your response ahead of time and test early and often. A tried and tested plan set
up before an incident ensures you won’t forget important actions when a crisis strikes.

The Importance of Keeping Internal Controls Up to Date


Even if you’ve developed the most comprehensive set of security controls, they
are effective only as long as your environment stays static.

As soon as change happens within your environment, you will need to re-evaluate your internal controls. When your
organization rolls out a new process, technology or operating procedures (e.g. allowing employees to work from home due
to COVID-19 on their own personal laptops), you’ll need to assess whether the inherent risk that your business faces has
increased and update your internal controls accordingly.
To mitigate risk effectively on an ongoing basis, you need to build a sustainable compliance program, one that can monitor
new risks effectively, test and document controls as necessary, and guide remediation efforts.

How Can Automation Enhance IT Security?


The more compliance processes you can automate, the better your security posture will be. For instance, you can
automate reminders that go to line managers to test or execute a certain control, and automate alerts to you or other
compliance officers when that work isn’t done in a timely manner. Reports of those tests can be fed into standard reports
or risk dashboards to let you see and report security compliance quickly.
When you focus on automating the mundane, repetitive tasks, it frees up your employees to use their skills and expertise
to solve more complex problems and evaluate the success or failures of your internal controls.

Moving Forward With Internal Controls


While keeping internal controls up-to-date will ultimately help your company minimize IT risks, it is a lot to take on and
manage. The burden tends to grow as your business grows, as you adopt new software, hire new contractors and work
with new vendors. Utilizing a compliance operations software solution like Hyperproof can help you make this process
much easier and more effective.

Hyperproof is built to help security assurance professionals efficiently scale up multiple security and privacy programs and
get through all the important tasks required to maintain a strong security program. These tasks include identifying risks,
creating internal controls to address specific risks, mapping controls to evidence requests from auditors and following
schedules to review controls, gather evidence and remind people to complete tasks on time.

Hyperproof also has pre-built frameworks for the most common information security compliance standards like SOC 2, ISO
27001 and NIST SP 800-53, so you can easily see what you need to do to maintain good cyber hygiene and safeguard your
data.

Information security maintenance


SECURITY SYSTEM MAINTENANCE. WHY IS IT SO IMPORTANT?

In any installation that we need to protect, we must never forget the importance of carrying out security system
maintenance. In this post we explain what maintenance of a security system is, describe the different types of
maintenance (corrective maintenance and preventive maintenance) and the differences between them.
Maintenance of the security system involves periodic checks of all the elements that make up the installation
(cameras, detectors, computers, circuits, lighting systems, etc.) to verify that they work properly. This is
preventive maintenance. Elements that are found not to be functioning properly are then corrected or repaired
(corrective maintenance).
Maintenance Plan
Any site whose security system is connected to an alarm receiving centre or has its own control centre must have a
written document establishing the review deadlines and the scope of periodic reviews. This preventive maintenance plan
must be known to the organization, especially those responsible for security, and it must make it possible to know at all
times which elements were reviewed in each inspection, what the results were, and what corrective measures were adopted.
The list of items to be checked in preventive maintenance is detailed in Spain's Order INT/316/2011 of 1 February on the
operation of alarm systems in the field of private security; the record should also include a field for observations and
results, together with the date and signature of those responsible for the maintenance plan.
Preventing failures of the security system means anticipating unwanted situations that could have serious consequences.
For example, if one of the cameras or detectors on the security perimeter does not work, we have a significant gap that
intruders can use to enter our facilities without our knowledge.
Maintenance of computer systems
In any productive system in our company, computer equipment plays an important role: the equipment is controlled by
computers and software. The same is true of security systems. We have to know at all times that the computer equipment
is working correctly, and we must make the necessary backups on a strict schedule to prevent loss of information such as
video recordings (retained for a maximum of 30 days), logs of detected alerts, security system failures, etc.
You must also have good antivirus and antimalware protection. Computer equipment that malfunctions because a virus or
malware has been introduced is itself a breach of our security system. An attack on our facilities can start physically,
but it can also start with a computer intrusion.
A computer attack can cause parts of the security system to stop working, but it can also be used to erase or steal vital
information.
Corrective maintenance of the security system
Corrective maintenance is aimed at repairing or replacing security system elements that are not working properly. It is
reactive: something fails and is repaired or replaced until it works again. Only what is broken is repaired, and nothing is
done until then. It is an unplanned and unexpected cost for the company; the fault is simply fixed when it occurs.

Preventive maintenance of the security system


In preventive maintenance, by contrast, we do not act reactively but instead try to anticipate possible failures of the
security system and prevent them from appearing. It is similar to the oil and filter changes we make on our cars: they
serve to prevent major breakdowns.
Alongside preventive maintenance, predictive maintenance is gaining ground every day. The security equipment issues
alerts so that we know a breakdown is about to happen and can correct it before it causes greater harm. Predictive
maintenance gets ahead of the breakdown: it tells us to make small corrections or adjustments, such as cleaning or
replacing small parts, to avoid a more expensive failure.
We must be proactive with our security system
For the maintenance of a security system we must follow a proactive strategy. We should not only maintain preventively
and correctively; we should also pursue a strategy of continuous improvement so that the installation raises its security
levels and we can rely on it more.
If we track the most frequently recurring failures, we can re-engineer the system to avoid further cost and further errors
in the security installation.
All of this can be framed within the security project specification that our installation company draws up for us.
Some measures of security system maintenance
In industrial security maintenance, a series of concrete basic measures are usually carried out, which we analyse below.
 Maintenance of security cameras. We have to check perimeter cameras and internal cameras frequently. The
cameras are the eyes of our security system. This maintenance must include inspection of the fibre-optic cabling,
the IP connections of the cameras where applicable, the power supply systems, and the lighting for night vision
where applicable.

 Review of computer servers and video storage systems, as well as the control and monitoring centre. This is the central
part of our security system. Recording must never fail, because the recordings are potential evidence and help us analyse
possible failures in the security systems. Nor can there be communication failures between the security elements
(cameras, detectors, etc.) and the control centre.
The maintenance of the security system is as important as its engineering and installation phase. These are complex systems
with varied technological equipment that has to be 100% operational if it is to fulfil its function. We have to be demanding
with the company that designs and installs our security system, but also with the one that maintains it. Only then can we
guarantee the security of our facilities.
Security Management Models in Information Technology

A Strategic Approach For Building a More Secure Organization

In many organizations, security efforts are focused exclusively on deploying technologies, implementing “best
practices,” or responding to a continuous stream of alerts and issues. The result is a reactive security
organization busy with activity and unable to answer the question, “Are we becoming more secure?” This
creates distrust between business leaders and the security organization. Security efforts are seen as expensive
—doing more to slow rather than secure the business.

A more strategic approach is necessary—acknowledging the reality that security needs will always exceed
security capacity, optimizing security resource allocations, and demonstrating progress toward a more secure
organization. This requires the security organization to transition from security operators to security leaders by:
 Changing focus from information security and physical security controls to security risks. Risk is the basis for all
security decision-making and performance management
 Transitioning ownership of security risks. The security organization does not own security risk decisions—the
business does
 Providing security leadership. Establish priorities, expectations, and oversight of risks and efforts to address them
 
Security Organization Priorities

The security organization’s priority is to identify risks, recommend responses to these risks, facilitate the appropriate
tradeoff decisions related to these risks, and provide a line of sight to the execution and performance of these risk
responses.
A security operating model enables this approach. It governs and oversees security for the entire organization, where the
business is not only a recipient of the security services but is also instrumental in the collaboration, implementation, and
sustainability of security efforts. The operating model utilizes a risk-based approach to identify and prioritize risk mitigation
efforts to secure the enterprise’s mission. The core of a security operating model is a collaborative, continuous
improvement process designed to sustain the controls that secure the enterprise.
A comprehensive security operating model includes the following components, each described below: an enterprise
security governance model, a control framework, a risk-based business plan, critical security functions, tiered security
metrics, and oversight and management controls.

Governance Model
The enterprise security governance model ensures collaboration with the business. An executive committee with a
CSO/CISO and senior leadership from across the organization balances the organization's security risks with the overall
costs. Through the operating model, the security leadership provides a clear vision of desired security capabilities and
corresponding people, process, and technology enablers.
Control Framework
A security policy based on an industry-accepted controls framework provides the structure and guidance to apply best
practices and target gaps in potential security coverage. This ensures the enterprise is thinking holistically about its security
performance. The controls framework cascades throughout the enterprise to ensure alignment across assets and operating
areas. Alignment and collaboration are the keys to providing continuous and efficient operations.
Utilizing an industry-accepted framework ensures alignment with industry expectations and provides a method for
regular capability assessment to track and measure progress.

Benefits of a Security Control Framework


 Quantifies and codifies desired security behaviors into a universal language
 Provides a way to consistently educate and communicate with stakeholders in a language everyone understands
 Provides universal communication tools to external customers for compliance and benchmarking
 Demonstrates progress of efforts and investments
 
Risk-based Business Plan
The business plan’s objective is to allocate security resources appropriately based on the risks to the organization. The plan
provides a bridge from a security strategy to a portfolio of cybersecurity and physical security projects and programs.
The risk-based business plan operationalizes your security strategy by translating enterprise security strategies and
concepts into a set of practical plans and actions. The successful business plan aligns with the overall corporate business
model and integrates with stakeholder plans and objectives. The four critical building blocks of the business plan include:
1. Security risk assessment and treatment plan: allows an organization to understand the residual security risk the
organization is accepting based on the implementation of a security controls framework, core function
performance, and control compliance metrics
2. Capability maturity: utilizes a consistent and industry-based maturity model assessment to help identify the
maturity level of cybersecurity and physical security capabilities and define target achievement levels. You can
also benchmark your capabilities against similar organizations with the results of these assessments
3. Performance gaps: utilizes performance metrics to provide the security organization and their stakeholders with a
good understanding of their control performance and desired targets to support individual strategic objectives
4. Scope control: uses the respective risk to the organization to determine required changes. Security may look to
improve functionality or efficiency of cybersecurity or physical security controls based on risk. Additionally, the
scope of the controls could evolve to apply to a larger set of assets such as infrastructure control systems or the
cloud
The business plan is the most powerful tool to ensure alignment across the entire operating model based on risk to the
organization.
The desired end state is a security program that aligns with the industry-accepted controls framework and your chosen
level of maturity.
Critical Security Functions
Critical security functions establish clear ownership and accountability and codify decisions on how the organization will
run its business. Management uses them to drive performance, continuous improvement, and innovation. Core functions
are where the rubber meets the road. When properly established, security functions have the power to:
 Provide a clear vision of desired security capabilities and corresponding people, process, and technology enablers
 Drive security change and improvements
 Drive performance, continuous improvement, and innovation
 Simplify, standardize, and secure processes

Functional management provides the accountability model necessary to drive security performance.

Tiered Security Metrics


“What gets measured gets improved”—security metrics are critical to understanding the health of the function
and provide a transparent picture of the security organization. A comprehensive security metrics
program serves to unite the operating model with clearly defined goals and measurements to provide a line of
sight to performance and enterprise security risk reduction. The key to evaluating the performance is measuring
something impactful, then continuously challenging and improving upon it.
 A simple place to start is with the level of adoption of security controls compared to the organization’s security
scope of responsibility. Evaluating control adoption versus the scope of assets by priority will provide a logical
understanding of what is being secured and how deeply the security permeates the organization. Inversely, this
compliance metric also illustrates the risk the organization is accepting by clearly defining what is not secured
 These metrics serve as a barometer for the security risk threshold of the organization and the foundation for
improvement initiatives within the business plan across all information and physical assets
 Investigating how deeply security permeates the organization and discussing risk tolerance will help set the stage
for alignment among leaders
Security metrics are critical to understanding the health of the core function and provide a transparent picture of the
organization’s security.

Security Metrics Program Example Goals


A tiered security metrics program is designed from the top down and developed to support the strategic
security goals and objectives. Broader operational performance metrics serve as the foundational day-to-day
tactical metrics that can be aggregated at the functional and strategic levels to support enterprise security risk
reduction goals.
 

 Metrics are designed from the top down and developed to support organizational goals and objectives
 Metrics must provide for greater visibility and transparency into goal attainment instead of meaningless “stick
counts”
 Security goals must be specific, limited, meaningful, and have context

Oversight & Management Controls


Oversight and management controls ensure performance meets expectations. Management oversight ensures
everything ties together within a continuous improvement loop. The results provide transparency on the
adoption of the controls framework, inform the governance structure, challenge the scope, and lead to gap-
based and risk-informed initiatives for inclusion in the business plan.
Management controls ensure the organization is readily able to check performance and adjust direction as needed.
Key Components:
 

Performance Metrics/Goals – Developing, implementing, and monitoring a comprehensive set of core function
performance metrics will set expectations and identify gaps or adverse trends

Self-Assessments – Self-assessments answer the question, "How are we doing?" Self-assessments evaluate core function
performance in each area by determining current performance, identifying gaps between current and desired
performance, and defining strengths and deficiencies. A self-assessment plan is developed and reviewed at the beginning
of each year

Management Review Meetings – Review meetings ensure leadership is effectively informed and engaged in driving their
respective areas’ performance. These meetings are regularly scheduled to provide management oversight of organizational
performance, identify learning opportunities, and support continuous improvement. These should include security
stakeholders from throughout the enterprise
Corrective Action Program – CAP is a standard approach for issue resolution that provides a formal list of risk-based
prioritized issues, a consistent process to investigate and resolve issues, and a mechanism to track all corrective actions

Peer Groups – Peer groups communicate frequently and meet regularly to collectively analyze/monitor core function
performance metrics, identify gaps, and drive continuous improvement and core function oversight and support

Conclusion
This security operating model defines the organization’s agreed-upon approach for responding to security risks and
establishes expectations for who is responsible for what. This becomes the baseline against which security performance is
monitored.
Organizations too often go directly from strategies, concepts, and objectives to projects, technologies, and procedures,
but do not achieve their desired results and struggle to explain why they are doing what they are doing.
The security operating model operationalizes your security strategy—translating broad visions of enterprise security into a
set of practical and realistic plans and actions. Security leaders can provide a clear picture of desired security capabilities
and corresponding people/process/technology enablers through the operating model.
A security operating model balances risks to the organization within industry expectations and drives decisions about
where to invest security resources.
No two operating models are the same, and each organization faces its own unique set of challenges.
Keep in mind, the success of any operating model relies on the following:
- It is aligned with the organization’s security stakeholders
- It is grounded in securing high-risk areas, using the most effective method of mitigating risk tailored to the
organization’s risk tolerance
- It provides oversight that paints an objective picture of the organization’s security risk posture

Ultimately, security leaders should operate as a conductor in an orchestra, leading multiple instruments in unison around a
common piece of music (i.e., the operating model). A deliberate effort must be made to blend their melodies and
harmonies to orchestrate the symphony that is successfully securing the enterprise’s mission.
Security professionals seeking to enhance trust with business leaders and demonstrate progress toward a more secure
organization with a strategic, rather than reactive, approach to reach security goals should adopt this proven security
operating model.
 
What is digital forensics in information security?
Digital forensics is the overall science of recovering and investigating material found on all types of digital devices.
Computer forensics is a branch of digital forensics that focuses on evidence found on computers and digital storage media
such as hard drives or USB drives. Typically, these branches are used in investigations that involve cybercrime or
conventional crimes where evidence is stored on some type of device. With the increased popularity of laptops, smartphones,
embedded systems and other Internet of Things devices, almost all crime involves some type of computer system.
Therefore, being able to extract evidence from computers while following all of the required procedures that make that
evidence admissible in court is a unique and important skill set for law enforcement, military and private
investigations.
Types of Digital Forensics

Disk Forensics
This area focuses on extracting data from storage media such as hard drives by searching for active, modified or deleted
files. For example, this can recover deleted files that could be used as evidence, or prove that a file was created and
modified at a certain time.
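Proving that a file existed in a given state at a given time depends on recording its hash and filesystem timestamps at acquisition and re-verifying them later. The following is an added example, not part of the original text; all paths and the examiner id are constructed for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Added example: record an evidence file's hash and timestamps at acquisition,
# then re-verify so a chain of custody can show the copy was not altered.

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Hash a file in fixed-size chunks so large disk images need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquisition_record(path, examiner):
    """Custody record: size, hash and modified/accessed/changed times, all in UTC."""
    st = os.stat(path)
    def iso(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "sha256": hash_file(path),
        "mtime": iso(st.st_mtime),  # last content modification
        "atime": iso(st.st_atime),  # last access
        "ctime": iso(st.st_ctime),  # metadata change (POSIX) / creation (Windows)
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }

def verify_record(record):
    """True only if the file still has the recorded size and hash."""
    path = record["path"]
    return (os.path.getsize(path) == record["size"]
            and hash_file(path) == record["sha256"])

def demo(content=b"constructed sample evidence\n"):
    """Acquire a constructed file, verify it, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "evidence.bin")
        with open(p, "wb") as f:
            f.write(content)
        rec = acquisition_record(p, "examiner-01")  # constructed examiner id
        intact = verify_record(rec)
        with open(p, "ab") as f:  # simulate post-acquisition tampering
            f.write(b"x")
        return rec["sha256"], intact, verify_record(rec)
```

`demo()` returns the recorded hash, `True` for the untouched file and `False` after the appended byte, which is the check an examiner repeats whenever the evidence copy changes hands.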

Network Forensics
This is related to monitoring and analyzing traffic between different computers on a network. You can think of it as
eavesdropping on a conversation; the goal is to collect the information being transmitted and use it as evidence.

Memory Forensics
This niche focuses on recovering data from system memory (system registers, RAM or cache). This matters because
data or malware is often found only in memory and never written to the hard drive (disk), so it must be extracted
directly from memory.
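A first pass over a raw memory image is often string carving: pulling printable runs out of the bytes and flagging network indicators in them, which surfaces artifacts that never reached disk. This is an added example, not code from the original text; the image bytes are constructed, and it scans UTF-16LE as well as ASCII because Windows processes keep many strings in that encoding.

```python
import re

# Added example: carve printable strings from a raw memory image and flag
# network indicators. The image below is constructed, not a real capture.

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")

def carve_strings(image, min_len=6):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs of >= min_len chars."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_run.finditer(image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in utf16_run.finditer(image):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def find_indicators(image):
    """Return [(byte_offset, kind, value, encoding)] sorted by offset in the image."""
    hits = []
    for off, enc, text in carve_strings(image):
        width = 1 if enc == "ascii" else 2  # bytes per character in this run
        for m in URL.finditer(text):
            hits.append((off + width * m.start(), "url", m.group(), enc))
        for m in IPV4.finditer(text):
            # skip an address already reported as part of a URL
            if not any(k == "url" and m.group() in v for _, k, v, _ in hits):
                hits.append((off + width * m.start(), "ipv4", m.group(), enc))
    return sorted(hits)

# Constructed memory image: zero padding, an ASCII URL at offset 32, then a
# UTF-16LE IPv4 address at offset 70, then debris too short to be carved.
SAMPLE_IMAGE = (
    b"\x00" * 32
    + b"http://example.test/update.bin"
    + b"\x00" * 8
    + "198.51.100.7".encode("utf-16le")
    + b"\xff\xfe\x00\x01" + b"short"
)
```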

Mobile Device Forensics
As the name suggests, this area focuses on examining, extracting and analyzing evidence found on mobile devices such as
smartphones, iPads etc. Some of the things that professionals extract are phone contacts, call logs, audio and video.

Automotive Forensics
This branch focuses on the recovery of digital evidence or data stored in automotive modules, networks and messages sent
to automotive systems. This can include things like GPS locations, paired devices, user addresses etc. As cars become more
advanced, integrate with more devices like people’s smartphones and become more autonomous, this area could become
much more popular.

Database Forensics
This branch studies and examines databases and their related metadata. This would involve trying to prove when records
were created, who accessed the information, and when.

Drone Forensics (UAV Forensics)
Drone forensics focuses on the processing and forensic analysis of unmanned air vehicles (UAVs). This is particularly
useful for military use, as drones can contain a lot of useful information such as flight path data, geo-location of important
areas (launch and landing sites), metadata, Wi-Fi data and Bluetooth/paired devices.
Where is Digital Forensics used?

Digital forensics primarily has three main use cases.

Firstly, it is used in criminal investigations. When a crime has been committed, people often have video, text
messages or files stored on their smartphones and computers that contain valuable evidence. Sometimes people will try to
hide or delete that information before getting arrested. This is where digital forensics comes into play, helping to get that
information off the device, prove its validity and help the police get a conviction.

Secondly, it can be used in corporate/private investigations, such as investigating employee misconduct. For example, if
an employee is suspected of stealing intellectual property from the company, digital forensics may be used to see if that
employee accessed the file, downloaded it, emailed it or put it on a USB drive.

Thirdly, it is used following a cyberattack. When a company is hacked, digital forensics is important to uncover exactly how
the hack happened, what the hacker did on the systems, and to confirm that the hacker’s access has been removed once all
of the security work has been completed.
