
Information Security Management – How to stay out of the news

Information Security and IT Operations have a good bit in common, most notably that the #1 goal is to be invisible to the public. Unless your company is being touted in CIO or Information Security magazines as a leader in your field, if your company is in the news it is probably bad news. In IT Operations, poor website uptime that causes a loss in sales is very visible, much like an information security breach is in the IT Security field. Dealing with an information breach is not only embarrassing but also has legal implications, since there are notification requirements if sensitive employee or customer data is accessed inappropriately or potentially exposed in a breach. I regularly review these required breach notifications to see what information security lessons can be learned, and here are the most common themes I regularly see:

Unencrypted laptops containing sensitive data are lost or stolen and information is exposed.

There are a number of information security lessons to be learned from this, but by far the biggest are to avoid putting this type of sensitive data on laptops in the first place and to use encryption to protect laptops that do contain business information. It is also possible to install laptop recovery tools to help track a lost device down, but often the real value is in the information, not in the cost of the lost laptop itself.

Information Security Test:

  • Are you securing your laptops with encryption?
  • Are you preventing sensitive information that could require a breach notification from ever being on a laptop in the first place?
  • Are you auditing compliance to make sure that what you think is happening is based in fact, and not blindly on what policy says should happen?

Company websites are hacked and sensitive data is disclosed.

The most common problems here are unpatched systems exposed to the Internet, default passwords, and cross-site scripting attacks against vulnerable web applications.

Information Security Test:

  • Are you regularly patching your systems as new patches are released?
  • Are you performing web application security audits to validate that your sites are secure and compliant with company policy?
  • Are you managing your sites over secure networks using secure protocols to prevent credentials from being intercepted?

Online banking credentials are stolen and financial accounts are drained.

Many different information security principles can come into play here, but the most common lesson is to avoid falling victim to phishing attacks or having your PC become infected with malware by visiting insecure websites.

Information Security Test:

  • Are you educating your employees about the danger of social engineering and online banking phishing scams?
  • Are you educating your employees about the danger of surfing to internet sites that are of dubious quality?
  • Have you considered the risks of online banking and taken appropriate protection steps?

Follow these tips, audit your compliance against them, and hopefully your information security measures will help your company stay invisible from a required security notification perspective.