Information Security

by Andy Taylor

In a nutshell

1. What is information security?

Arguably, the only important definition of information or data is that if either is considered valuable to the organisation in some way – for example, it is expensive to obtain or replace, you are legally required to look after it, its loss would cause serious problems or embarrassment, or it gives access to other more valuable assets, such as stock, then it is worth considering how well you protect it.

  • We are going to look after information that matters to us, but the third party effect must also be considered
  • Internet and other methods of passing information rapidly around the world mean that any data loss incident involving an established company will be heard about elsewhere very quickly and have potentially devastating consequences
  • It is essential that the correct level of trust is employed, but the problem is often how to determine that right level. Over-protecting information can be expensive and sometimes causes even more problems than not protecting it at all.
  • Computer security is highly important, but the physical security of a site also comes into the equation.
  • The whole information security issue is a business issue, first and foremost. The technical side of security is very much the supporting side, to be used as and when necessary.


2. Is information security really a problem?

There is a view that the information ‘leaks’ of recent years, not just in the UK, but in the USA and other countries around the world, have been over-hyped for the benefit of information security specialists. This is an ill-founded belief, however, and the general awareness in the business population and the general public of information security is growing in importance.

  • Getting the balance right between security and availability can present real problems. Without data back-ups, companies can go bankrupt.
  • Undertaking a proper risk assessment, to make sure the problems that could happen are properly understood, is a first requirement. It also helps to ensure the final measures put in place to protect the information are appropriate for the risks that have been identified.
  • Ultimately, every information security professional will tell the business leader it is up to them to decide how much risk they are prepared to accept – this is commonly called the risk appetite.


3. Do small organisations need to bother?

By their very nature, smaller organisations usually have much less in the way of information to worry about:

  • With fewer staff, for example, the personnel records section will be significantly smaller than those of a large organisation
  • The level of trust is probably much higher and so the degree of security required is much reduced
  • But if a small company loses its information about customers, their payments, the cash-flow situation and other related information, the impact could be much more serious and could result in liquidation.


4. An overview of information security

The process for managing information and its security is essentially cyclic in nature.

  1. Identify the information assets held by the organisation.
  2. Determine the vulnerabilities, threats and hence risks to those assets.
  3. Calculate the business impact of those risks occurring.
  4. Consider the possible options for the treatment of those risks.
  5. Implement the best possible options for the treatment of those risks.
  6. Monitor the information assets, risks, impacts and treatments and refresh/review as necessary.


5. Step 1 – Identify the information assets

The identification of these assets must be undertaken by personnel within the business and it is critical that those with the real knowledge are directly involved.

  • The people who use the information assets on a daily basis will have the best idea of the criticality of the assets.
  • Assets will include key systems for the processing of information. It is no good having a super database of all the clients’ information if the system used to access it is unavailable.
  • One approach is to take each business division or department and define the information they need to do the job.


6. Step 2 – Determine the risks

A formal risk assessment can have a number of benefits to any organisation prepared to invest the time and effort required to carry it out effectively. To determine the risks appropriately, it is necessary to understand what the key threats are. From this start point, the vulnerabilities are then considered and it is a combination of these two aspects that provide the real risks. A risk comes in three parts:

  1. Firstly, there has to be a threat of some type
  2. Secondly, there has to be a vulnerability
  3. Thirdly, there has to be an effect – a consequence of the threat and the vulnerability combining to cause some unwanted result.

The risks to information can be brought down to a number of categories, albeit with many sub-categories within them. They are:

  • Theft (taking or unauthorised copying of information)
  • Intentional damage (deletion or corruption of information)
  • Unintentional damage (user error or system failures, fire and so on)
  • Inappropriate accessing (perhaps a variation of theft)
  • Lack of availability (as, where and when required).

The next stage then is to consider which of these risks might affect the various information types identified earlier.


7. Step 3 – Analyse the potential business impact

The next stage is a business impact assessment (BIA) of each identified risk.

  • Assessing how long the organisation can survive without a particular system or piece of information is often known as the Maximum Tolerable Period of Disruption (MTPD).
  • You also need to know how quickly it would be possible to get back to some semblance of normal operations (the Recovery Time Objective or RTO).
  • You will need to make a rough estimate, at least, of the potential financial cost.
  • The BIA is very much a business requirement. It is not a technical assessment of security or even a risk specialist’s assessment.


8. Step 4 – Consider your options

Having undertaken a full assessment of the potential risks and the impact, should these occur, the senior staff must make some hard decisions. It would be unrealistic to expect to be able to afford, manage and address all the risks and to cover all bases. The expense of such a course of action would be unbearable for most organisations, so the senior management must choose their priorities and decide where the money should be spent to best effect.

  • What is your risk appetite?
  • Can you remove or avoid the risk, reduce it, transfer or share it, or just accept it?
  • Does mitigating the risk create other risks?
  • If several risks have one root cause, will one single countermeasure handle all these risks?
  • Before final choices are made, the cost of each mitigating measure must be established.


9. Step 5 – Implement your control policy

How you implement your new security policy will depend very much on the types of control that have been selected. In some cases, it will simply be a case of writing a directive for the staff warning them of the consequences of using or accessing information inappropriately. In other cases, you may need to implement some form of technological control, such as a CCTV system or a firewall.


10. Step 6 – Monitor the situation

Some risks won’t change much over time and the review of them is little more than ensuring they are still relevant and the analysis of them in terms of their impact and likelihood is about right. There will, though, be some risks which change significantly.

  • Having decided on the controls to be used and implemented them, this must be recorded appropriately in the risk register and an owner identified.
  • Some risks will disappear and new ones will arise.
  • A risk’s priority may also change, becoming more or less important in the business’s view and so get more or less resource to manage it.


11. Other key planning aspects

There are two other areas of business planning that are not confined to information security planning, but which must include it: business continuity planning (BCP) and disaster recovery (DR) planning.

  • BCP concerns planning for a short-term problem for which a short-term fix may be all that you require.
  • If the disruption is serious (notably in a financial sense) or is likely to last more than, say, 24 hours, then DR comes into play.
  • There will almost certainly be information security aspects to both BCP and DR – how long can you afford to be denied access to information before clients or your business suffer significantly?


12. An acceptable usage policy

If you employ people or otherwise allow other people to access your information, then it is very prudent to ensure you have made it absolutely clear to them what they can and (more importantly) cannot do.

  • It makes it very much easier to prosecute or dismiss those who choose to break the rules.
  • Workers know what they are allowed to do and where they stand, which reduces their stress levels.
  • It should reduce the temptation to try to access certain information.
  • A well-written policy can help with the promotion of best practice.
  • The policy should include a statement concerning the importance attached to information security, clear instructions on acceptable usage and details concerning business continuity plans and disaster recovery instructions; it should be made plain that everyone is involved in information security, and the policy should not be so restrictive that employees feel the need to find ways around it.


13. Legal aspects

The Data Protection Act is one of many pieces of UK legislation which is principally about information security. If an organisation chooses to become compliant with the international information security standard ISO27001, then the standard will largely cover dealing with the relevant legislation as well. Other areas to consider include

  • Employment contracts
  • Contracts with third parties, such as outside computer repairers
  • Specialists brought in to test the system by trying to hack into it


14. Getting rid of information

It is foolish to think that just because you have finished with a piece of information there is no longer any value in it. It is also foolish to think that no one else would be interested in the information you are throwing away.

  • You may need to supply staff with good quality shredders for paper, CDs and other plastic items.
  • Deleting files on a computer does not actually remove the data that file contains. Encrypting information on computers makes it more difficult to recover and, for more sensitive or valuable information, this may be the best option.
  • Other devices, such as facsimile machines, photocopiers, printers and the commonplace multi-function devices (MFD), often contain hard drives that store the information put into them.


15. Internet attacks

Defence against internet attacks requires specialist advice, but it helps to at least know the most common forms:

  • Malware (or malicious software) ranges from the simple virus infection that damages data (known as a payload virus) through to those that duplicate themselves and automatically send themselves on to all your email addresses
  • Spyware tracks the user’s actions on a computer screen or keyboard and then transmits information, such as the logon to internet banks, to a third-party rogue site
  • Emails claiming to originate from trusted sources but actually coming from a crook searching for valuable information are called phishing attacks
  • A Trojan is a seemingly innocent piece of programming which contains some dangerous malware, such as a worm, which not only infects your system, but duplicates itself and sends itself to addressees in your email or contact address book
  • DDOS attacks, often achieved through a Robot Network (botnet), can take several different forms, but the end result is similar – the system under attack becomes unavailable and suffers financially or through a loss of reputation.


16. What is layered security and do I need it?

‘Layered security’ means putting up several types of defence against the threat to security.

  • The types of defence fall into one of the three main categories – physical (the locks, doors, fences and similar physical barriers used); technological (the firewall, CCTV, electronic accesses systems and the like); people or procedural (policies, rules, best practice, training and similar people-based measures.)
  • If the only threat is from staff in whom the senior management have implicit trust, the number of layers could be very few; if it is the full force of the threats from the World Wide Web that are a concern, it would be sensible to use many layers of different types and several different mechanisms.
  • Variety is often classed as one of the layers and it may well be that a physical barrier, followed by some technical protection, with the ultimate protection of the threat of dismissal for staff who do what they know they should not do, is the best possible combination.
  • Disguising information in transit through encryption techniques might be advisable and is not always expensive.


17. Get buy-in from staff at all levels

Top down is the only effective way to ensure that effective information security measures are installed and used. The senior management must be the first to emphasise the importance of security and must not only ‘talk the talk’ but also ‘walk the walk’.

  • Explain to senior managers that they could end up in prison if they fail to comply with information security legislation and that the company could go bankrupt or suffer a damaging loss of reputation.
  • All new staff should attend an induction course on information security matters.
  • Refresher courses will be needed.
  • Staff can be kept involved through such things as a monthly quiz.


18. What about training?

There are two aspects to this: the training you might need if you decide to specialise in information security, and then the training staff should have if your information security plans and policies are to work in practice.

  • Much of the work is business based, rather than specialist, so you may not need a qualification.
  • If you decide to specialise, there are several qualifications to pursue.
  • Your staff will need three types of training: an initial induction, training that is specific to certain roles and refresher training.


19. What happens if something goes wrong?

In reality, there will always be incidents and these need to be handled appropriately. Therefore, success should be measured according to how well those issues are handled and the degree of disruption they cause.

  • One of the most important measures you can take is to ensure that you learn from the mistakes or errors so they don’t happen again.
  • For organisations where financial considerations are paramount, the financial impacts of incidents can be measured.
  • A forensic readiness plan helps to address incidents where a criminal act is involved.
  • Forensic preparedness will require specialist advice and training.