need to know principle
Limiting access: employees should be granted minimum level of privilege to perform the role assigned to them -> role based access
- e.g. warehouse worker may need to access stock records but should not have access to financial or personnel records
- based on classification of information assets (confidential, internal only, public)
- also a principle of GDPR -> information privacy
- administrators: critical accounts need to be controlled and safeguarded very well
Resilience and Redundancy
Resilience: ensuring that there are no single points of failure, no systems or services within the organizations infrastructure can bring the overall operation to a standstill
Redundancy: there is always a standby system or network connection that can take over if the active system or network connection fails
- back up
- grandfather father son approach ) maintaining at least three generations of back up data
Resilience and redundancy should apply in the context of the entire it infrastructure, including buildings, power supplies, etc.
Security Controls
Physical controls: locks secured buildings
technical controls: fingerprint locks, password protection
procedural controls: rules, policies, employee training)-> focus on user as the weakest link
technical controls
access control: (through biometrics, passwords, or physical access cards)
- authentication: confirming subjects identity
- authorization: deterring whether the person is allowed physical or logical access
- accountability: documenting activities of authorized person and system (log)
Firewalls
cryptography (e-mails, vpns)
information security policies
information security policy: written instructions provided by management that inform employees and others in the workplace about proper behavior regarding the use of information and information assets (no sticky notes with password e.g)
an information security policy defines:
- > its scope
- > its relevance
- > relevant legislation laws
- > responsibilities of employees
types of policies
- enterprise information security policy
- > assigns responsibilities for various areas of information security at a high level
- > drafted by CISO, CIO, and other executives
- > integrates an organizations mission and objectives concerning information security (philosophy on security)
- > Structure of information security organization, roles and responsibilities
-issues specific security policy: detailed guidance on a particular are of relevance e.g- end user behavior
-system specific security policy:
more detailed on procedures in systems, e.g- configuration of a firewall
end user code of practice
policy for end users that should be published to all users
- > should detail what is expected from users
- password policies
- no access to information areas equipment for unauthorized users
- logging-off from systems when leaving the computer
- locking away sensitive documents (clean desk policy)
- how personal devices may be used
- reporting of security incidents
->noncompliance: employee disciplinary process, termination of contracts, reporting to law enforcement (involvement of HR and legal departments necessary when developing policy)
end user code of practice
policy for end users that should be published to all users
- > should detail what is expected from users
- password policies
- no access to information areas equipment for unauthorized users
- logging-off from systems when leaving the computer
- locking away sensitive documents (clean desk policy)
- how personal devices may be used
- reporting of security incidents
->noncompliance: employee disciplinary process, termination of contracts, reporting to law enforcement (involvement of HR and legal departments necessary when developing policy)
Security Education, Training and Awareness and Goals
Information Security Education Training and Awareness program is a managerial program designed to improve the security of information assets by providing targeted knowledge, skills, and guidance for an organization’s employees
goals:
- > Reduce likelihood of security incidents
- > Improve awareness of the importance and -need to protect organizational resources
- > acquire necessary skills and know how to do jobs more securely
- > Implemented after security policies have been defined
->Responsibility of the CISO
they need to be revised over time
SETA Components Objectives
Education: Why? Understanding
THeoretical instruction
Seminar Literature study
Long term
Training: how? Skill
Practical Instruction
Workshops
Lecture
Hands on practice
Medium term
Awareness: What? Alert to risks in environment
Media
Videos
Newsletters
Posters
Short term
security culture
best case: security has become part of employees own value system -> long-term goal is to create a security culture in which people are security aware, skilled, and understand why
Culture needs to begin at the top of the organization
- > high level policy document signed by c level executive
- > leading by example
security controls need to fit the entire organizational culture to increase the chance of compliance
Gamification
is a process of enhancing a specific service by implementing game design elements in a non game context to enhance the users overall value creation and experience
-weekly 30 minute game or training that employees have to complete otherwise their score is reduced
- Progress and motivation tools
- > rewards: scores badges
- > competition: feedback, leader boards for comparison
but: gamification approach in conservative organization with strict hierarchies might fail
(CEO has lower score than lower management employee)
Downsides of Security Controls
- Physical, procedural and technical controls can reduce the likelihood of incidents occurring but
- can be too costly, compared to what should be protected
- can be too intrusive and prevent employees from carrying out their work efficiently -> can encourage workarounds
Policies dependency and compliance which is undermined by factors such as time pressure, ignorance, lack of awareness and understanding -> security still depends on employee behavior
