Category Archives: Information Security Management

Are you protecting your most important information assets?

Information security sometimes feels like a never-ending challenge. There are a thousand different things that need to be done, from patching systems to educating employees, and any one hole can mean big problems. Smart companies have realized the impossibility of securing every asset and have changed the theatre of the information security battlefield.

Effective information security management is no longer about trying to stop every little problem that can go wrong; that is an impossible task with failure guaranteed. Leading businesses are now focused on securing the intellectual property and operations that are most critical to their competitive advantage. This approach is more advanced than previous information security approaches that attempted to throw controls against the wall in the hope that enough stuck to keep bad things from happening.

What are the advantages to approaching information security based on a critical asset protection model?

  • Helps focus your information security investment on protecting the most important assets, the ones that matter.
  • Makes information security more manageable and rests on realistic assumptions vs. assuming you can protect everything.
  • Allows you to be more specific about your information security objectives vs. operating in a more abstract manner.
  • Increases security oversight of important assets and business processes and enables customized monitoring specific to those resources.

What are the challenges in implementing a risk based critical asset information security model?

  • Initially, many organizations will struggle to answer the question of which assets are truly critical.
  • Requires a more collaborative model of information security, with a deeper level of engagement with key business partners. Many information security organizations struggle to understand which assets are truly critical because they have an insufficient understanding of how the business really works.
  • Requires a change in mindset: from trying to secure the perimeter and keep the bad guys out to assuming they are already inside and layering your controls to focus efforts on protecting critical assets. This is not to say that firewalls and other perimeter-based control mechanisms are obsolete, only that they have proven ineffective as the primary mechanism for protecting an organization's critical intellectual property.
  • New security tools will be needed to help protect down to the data layer and assist in blocking advanced threats.

If your information security organization is still operating with a "secure the perimeter" mentality as its primary focus, you risk becoming obsolete. More is expected of an information security organization in our knowledge-based economy. You are expected to understand the business well enough to know which intellectual property and business processes are critical to the ongoing success of your company. This requires deeper business knowledge and business relationships to help validate that you are focusing on the right things.

Information security issues can lead to bankruptcy

Information security is often an afterthought at best for many small to midsize businesses. DigiNotar, a Dutch certificate authority, is a great case study of what can go wrong when adequate information security controls are not put in place. DigiNotar was severely compromised, undermining the very core that its business was built on: trust and authority. The end result was an information security related bankruptcy that was preventable. What went wrong at DigiNotar, and what can you learn from their experience?

Lessons learned from DigiNotar information security incident

The more your business relies on trust, the greater your information security risk and the more controls you need

Trust is based on your reputation, and when you are in a business requiring a high degree of trust, it can be game over when a big incident strikes at the core of your model. There is a direct relationship between how much your business relies on trust and how much information security you need. The final straw for DigiNotar was when the Dutch government lost confidence after inadequate disclosure and revoked their trusted status.

Full, prompt disclosure is the best way to recover your reputation

DigiNotar detected a problem with their certificate authority infrastructure nearly a month before the incident blew their business out of the water. They failed to make adequate disclosure, causing their customers to question the trust they had placed in DigiNotar. What if DigiNotar had come clean at the beginning? Perhaps they would have been able to salvage the company.

A full security audit needs to be conducted once there is reasonable cause to believe a serious security event has occurred

The primary goal should be to determine the method of attack, eliminate the sources of vulnerability, and clean affected systems. The security review should be conducted by professionals, and it can get quite expensive, but it is necessary to prevent worse events such as the total implosion of the business. Had a full audit and full disclosure occurred, the company would likely still exist.

Are you auditing and controlling the right high risk business activities?

DigiNotar's compromise led to the creation of 531 unauthorized certificates. If this control had been reviewed more closely and followed up on with quick terminations and the actions described above, the company would still be in business.
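The control the paragraph above describes, reviewing certificate issuance against what was actually approved, can be run as a routine reconciliation. The following is an added example, not code from DigiNotar or from the original post; the approval register, issuance log, field names and threshold are all constructed for the illustration.

```python
from collections import Counter

# Constructed sample data (not DigiNotar's real records): the approval
# register produced by the change-control process, and the CA's own
# issuance log. Field names are assumptions for this illustration.
APPROVED_REQUESTS = {
    "REQ-1001": {"subject": "www.example.com", "requester": "alice"},
    "REQ-1002": {"subject": "mail.example.com", "requester": "bob"},
}

ISSUANCE_LOG = [
    {"serial": "0A01", "subject": "www.example.com", "request_id": "REQ-1001",
     "operator": "alice", "issued": "2011-07-10"},
    {"serial": "0A02", "subject": "mail.example.com", "request_id": "REQ-1002",
     "operator": "bob", "issued": "2011-07-10"},
    # Wildcard for a domain nobody approved, tied to a request id that
    # does not exist in the register.
    {"serial": "0A03", "subject": "*.other.example", "request_id": "REQ-9999",
     "operator": "svc_ca", "issued": "2011-07-10"},
    # Valid request id reused for a subject that differs from the approval.
    {"serial": "0A04", "subject": "login.example.net", "request_id": "REQ-1001",
     "operator": "svc_ca", "issued": "2011-07-10"},
]


def find_unauthorized(issuance_log, approved_requests):
    """Return the serials of every issued certificate with no matching
    approved request (unknown request id, or subject differs from approval)."""
    unauthorized = []
    for entry in issuance_log:
        approval = approved_requests.get(entry["request_id"])
        if approval is None or approval["subject"] != entry["subject"]:
            unauthorized.append(entry["serial"])
    return unauthorized


def daily_volume_alerts(issuance_log, max_per_operator_per_day):
    """Flag (operator, day) pairs whose issuance count exceeds the agreed
    threshold; a burst of issuances is exactly the signal a daily review
    of this control should pick up, even before subjects are examined."""
    counts = Counter((e["operator"], e["issued"]) for e in issuance_log)
    return sorted(k for k, n in counts.items() if n > max_per_operator_per_day)


if __name__ == "__main__":
    print("unauthorized serials:", find_unauthorized(ISSUANCE_LOG, APPROVED_REQUESTS))
    print("volume alerts:", daily_volume_alerts(ISSUANCE_LOG, 1))
```

In practice the approval register would come from the ticketing system and the issuance log from the CA database, and every flagged serial would be revoked and investigated the same day.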

Effective information security controls can make the difference between prosperity and bankruptcy. The choice is yours. To help make sure your business is taking information security seriously, be sure to review our information security essentials for small and mid-size businesses.

Information Security Insurance

Information security insurance is designed to protect an individual or business against the risk of loss due to information security incidents. As with other forms of insurance, the policy holder pays a monthly or annual premium to the policy issuer for the agreed-upon insurance plan.

Why might you need information security insurance?

The more your business relies on information systems to operate, the more at risk you are if a catastrophic incident affects critical systems. To help manage risk to more acceptable levels, information security controls are implemented to protect against various threats. Information security audits are another risk-reducing measure a company can take to help validate the effectiveness of its information security controls and document any weaknesses for prioritization and correction. Many companies choose to self-insure and pay any information security incident expenses out of pocket vs. pursuing direct insurance, although the number of companies obtaining insurance is increasing at a dramatic rate. If you are under the impression that your traditional insurance policies will cover you for technology-related risks, now is a good time to validate that assumption. Lastly, if you are involved with a start-up, VC providers sometimes require that information protection insurance be active to protect their future investment in your company.

Examples of events that can be insured with information security insurance

  • Unauthorized system or network access
  • Theft of sensitive intellectual property
  • Fraudulent e-business or online banking activity
  • Lack of availability of systems
  • Disaster recovery
  • Technology errors and omissions

What are typical costs from an information security incident?

  • Cost of investigating the source of the incident and the scope of systems breached – Expert investigators are very expensive, so expect to pay mid to upper 5 figures, or even into the 6 figures, to investigate and clean up a security incident.
  • Cost of lost business – Business that is lost, especially if it is not recoverable, could amount to significant costs.
  • Cost of lost employee productivity – If your employees cannot do their jobs, you still have to meet payroll and other financial obligations.
  • Cost of breach disclosure notifications and customer protection measures – If sensitive customer or employee data is lost while under your care, you are likely financially obligated to notify those affected and offer credit protection measures to minimize their risk of identity theft.
  • Worst case scenario: inability to recover from an incident, leading to failure of the company.

Final tips on information security insurance

If you want information security insurance, your first stop should be to try to add the coverage through your existing insurer. If they do not offer it or the cost is too high, you should shop around to get the coverage you are looking for. It should be noted that the information security insurance industry is very immature and there is a lack of standardized offerings. When comparing different insurance options, be sure to get everything in writing and validate that you are comparing equal coverages when assessing different companies.

Information Security Management – How to stay out of the news

Information Security and IT Operations have a good bit in common, most notably that the #1 goal is to be invisible to the public. Unless your company is in CIO or Information Security magazines being touted as a leader in your field, if your company is in the news it is probably bad news. In IT Operations, poor website uptime that causes a loss in sales is very visible, much like an information security breach in the IT Security field. Dealing with an information breach is not only embarrassing but also has legal implications, since there are notification requirements if sensitive employee or customer data is accessed inappropriately or potentially exposed in a breach. I regularly review these required breach notifications to see what information security lessons can be learned, and here are the most common themes I regularly see:

Unencrypted laptops containing sensitive data are lost or stolen and information is exposed.

There are a number of information security lessons that can be learned from this, but by far the biggest are to avoid putting this type of sensitive data on laptops in the first place and to use encryption to protect laptops containing business information. It is also possible to install laptop recovery software to help track these devices down, but often the real value is in the information, not in the cost of the lost laptop itself.

Information Security Test:

  • Are you securing your laptops with encryption?
  • Are you preventing sensitive information that could require a breach notification from ever being on a laptop in the first place?
  • Are you auditing compliance to make sure what you think is happening is based on fact and not blindly on what policy says should happen?

Company websites are hacked and sensitive data is disclosed.

The most common problems here are unpatched systems exposed to the Internet, default passwords, and cross-site scripting attacks on vulnerable web applications.

Information Security Test:

  • Are you regularly patching your systems as new patches are released?
  • Are you performing web application security audits to validate that your sites are secure and compliant with company policy?
  • Are you managing your sites over secure networks using secure protocols to prevent credentials from being intercepted?

Online banking credentials are stolen and financial accounts are drained

Many different information security principles can come into play here, but the most common lessons are to avoid falling victim to phishing attacks and to avoid having your PC become infected with malware by visiting insecure websites.

Information Security Test:

  • Are you educating your employees about the danger of social engineering and online banking phishing scams?
  • Are you educating your employees about the danger of surfing to Internet sites of dubious quality?
  • Have you considered the risks of online banking and taken appropriate protection steps?

Follow these tips and audit your compliance against them, and hopefully your information security measures will help your company stay invisible from a required security notification perspective.