If you work for a company with ~50+ employees, you may start to wonder why your IT team is so busy and unable to respond to support requests more quickly. Well, not only are they chipping away at a mountain of user requests, but they're also working to safeguard the organization’s information from many threats.
To most organizations, private information is extremely valuable and must be secure. Some think, “Oh I’m safe, I have the most up-to-date anti-virus software on my laptop”, but this is a fallacious assumption. Protecting against internal / external threats, maintaining the integrity of information, and implementing control systems based on in-depth risk assessment requires a well-structured security program. This article will outline the different functional branches of a sound information security program, and perhaps shed some light on why your IT friends are so busy (and in some cases, angry).
Ideals of Information Security
According to NIST (National Institute of Standards and Technology), there are 8 major concepts that any well-developed information security program will follow as guidelines. Each concept addresses a different aspect of how information security policies and controls are set in place to support overall organizational operations.
- supports the mission of the organization
- is an integral element of sound management
- is implemented so that protections are commensurate with risk
- makes roles and responsibilities explicit
- gives system owners responsibilities that extend beyond their own organization
- requires a comprehensive and integrated approach
- is assessed and monitored regularly
- is constrained by societal and cultural factors
A common theme runs through these guidelines: the need for customization. Each program must consider the threats and vulnerabilities specific to the field of the organization it is designed to support.
In the world of information technology and security, there is a wide variety of threats. For this reason, it is important to identify and understand which threats exist in your organization’s realm. A few of the many possible threats to information security are explained below:
- Fraud and Theft – Can be committed by insiders and outsiders, often motivated by financial gain, and hence often targeting financial systems. Methods range from social media and automated versions of traditional (advertising) fraud to more advanced intrusion techniques.
- Insider Threat – Rogue employees who intend to sabotage their organization pose a serious threat to information security. Methods often include crashing systems, planting malicious code, and holding, deleting, or falsifying data.
- Malicious Code – Viruses, Trojan horses, worms, and any other software created to infiltrate a platform.
- Malicious Hackers – Individuals or groups who use their understanding of programming to illegally infiltrate systems with the intent to cause damage or steal information.
- Non-Adversarial Threats / Events – Errors and omissions in data, loss of hardware, and privacy considerations that restrict how personal information may be shared.
Tools to Combat Threats
Information Security Policy
According to NIST SP 800-95, policies are “statements, rules or assertions that specify the correct or expected behavior of an entity”. In terms of information security, policies play several roles. They range from access control rules for software components to managerial decisions that back an organization’s user policies, such as email privacy or access security. Implementing these policies requires a hierarchy of roles and responsibilities within the security program (this is further explained in the referenced NIST article). Overall, information security policies provide the framework and guidance for the program.
Information Security Risk Assessment/Management
One of the most crucial aspects of information security, risk assessment/management allows the program to be customized based on the specific threats to the organization at hand. A company with invaluable information to protect, such as a federal organization, will perform an in-depth risk assessment to ensure every threat is considered, monitored, and controlled at virtually any monetary cost. Looking at it another way, you aren’t going to spend thousands of dollars on advanced anti-theft software unless you have thousands more in assets to protect. NIST provides a diagram of its procedure for organization-wide risk management below:
Security System Support
As with any organizational system, support and maintenance are crucial when it comes to an information security system. This involves a variety of controls that need to be managed by our IT friends, such as user/software support, configuration management, backups, documentation, risk monitoring, and overall maintenance.
Cryptography
Encryption is a tool for information security developed from an underlying branch of mathematics called cryptography. These mathematical algorithms, designed for the transformation of data, are extremely useful in the protection of information. Some examples of encryption/cryptography commonly used in information security include:
- Data Encryption
- Electronic Signatures
- Integrity (assuring non-alteration of original data)
- User Authentication
Security Controls
Possibly the most important of all tools for information security are control families. FIPS 200 from NIST specifies minimum security control requirements in multiple areas (for federal organizations). Various security control families that address management, operational, and technical aspects are listed below. For more controls and detailed descriptions, refer to NIST SP 800-53.
Controls vary in importance and serve at different levels of an organization’s information security program. An example hierarchy of information security controls is displayed in the pyramid below:
A Group Effort
Maintaining the security and integrity of your organization’s information is a group effort shared by all users and support staff. Developing a strong information security program involves constructing and complying with policies, clearly defining roles and responsibilities, meticulous risk management, and implementing proper security controls. So just remember: not only is your IT team dealing with day-to-day support requests, but it is also serving as the organization’s main defense against threats to information by building and managing a sound security program.
For a more detailed description of threats, check out the NIST document referenced by this article.