Security Risk Analysis and Disaster Recovery Plan
The last two decades have seen an explosion of organizations using the Internet as a medium for interfacing with their customers. New organizations have been formed around new business models such as business-to-business (B2B) and business-to-customer (B2C) that run their business over the Internet. These startups did not need any physical location to start trading, so it was cheaper for them to start and to continue their business. Many successful Internet-based organizations, such as eBay.com, sell their products only through the Internet.
Additionally, other organizations which already have a physical setup use the Internet as one of their channels to market and sell their products. As the Internet becomes the medium of choice for more and more organizations, the parallel increase in risk to an organization's information systems from external attacks needs attention. Any external threat capable of bringing down the information systems of an organization, partially or fully, has the potential to severely impact the business capability of any organization that makes limited or full-scale use of the Internet as its marketing or selling medium.
The International Standards Organization (ISO) came up with guidelines to start, implement and manage information security management in an organization. The latest version of the standard is known as ISO/IEC 17799:2005. This paper takes up the case of a hypothetical Internet-based organization that sells children's audio-video media (DVDs, videos, CDs, tapes, games and software) and designs and implements a Security Risk Analysis and Disaster Recovery Plan for it, in the context of information security.
Brief Overview – Cybersell (Hypothetical) Inc
Cybersell Inc is a 100-employee, Internet-based trading organization which sources products such as DVDs, videos, CDs, tapes, games and software from original equipment manufacturers (OEMs) and sells them to customers over the Internet. Recently, the organization's management became concerned about the risk of various types of attacks on the organization's information systems: virus/spyware attacks, threats to systems from within the organization, compromise of customer data, and leakage of business-critical information to competitors by employees who have access to such information.
The organization's management wants to mitigate the above-mentioned risks by implementing a standard information security process, as any loss of business due to a compromise of the information security systems would be detrimental. The organization has the Internet as its sole selling medium, and hence any threat with the potential to bring down that medium, fully or partially, can result in inventory pile-up and customer dissatisfaction. The organization is looking for the design and implementation of a Security Risk Analysis and Disaster Recovery Plan from the perspective of information security.
The organization wants the plan to draw its information from the existing relevant ISO standards and to focus on threat assessment, vulnerability assessment, risk assessment, measurement parameters and securing against all types of failures, in order to promote uninterrupted business continuity.
Threat Assessment
The threat assessment is executed with three principles in mind: availability of the relevant information at the right time, integrity of the information available, and the desired confidentiality of the information, i.e. only the relevant people must have access to the information. The threat assessment is done as a step-by-step process which consists of, in the order given: defining a security policy, defining the scope of the Information Security Management System (ISMS), undertaking a risk assessment, managing/mitigating the risk, selecting control objectives and identifying the ones to be implemented, and finally preparing the statement of applicability. The following pages explain in detail the threat assessment conducted for Cybersell Inc.
Security Policy
Cybersell Inc has adopted a security policy to proactively protect its information systems against any external or internal threats, to analyse and mitigate any risk before it develops into a potential threat, and to maintain an effective disaster recovery plan with the objective of ensuring business continuity. The security policy of Cybersell is designed to identify the domain within which the information security principles are applied, so that the application of the principles is effective and focused.
Scope of the Information Security Management System (ISMS)
The objective of the ISMS is to prevent external threats from viruses, spyware/malware and web crawlers, to prevent internal threats from organization employees who may compromise customer data or leak product data to competitors, and to ensure the availability of relevant information at all times without any disturbance.
The scope includes the security organization, classification of assets and control, security of personnel, physical and environmental security, operations and communications management, access control, development and maintenance of the relevant systems, design and implementation of business continuity, and finally compliance with all of the above items in scope.
Risk Assessment and Mitigation
The information system of Cybersell is subject to various risks, internal as well as external, and people-related as well as environmental. The risks and the mitigation plan for the identified risks are described below.
Risks from External Threats like Viruses, Web Crawlers, Malware and Spyware
Threat: Improvements in the information systems world have seen a parallel development of the threats to it. These threats include software programs which install themselves into the victim's software systems and infect them in order to hamper regular operations. Spyware and malware are the more recent threats from the Internet. These are programs which get automatically downloaded to the victim's system as soon as the victim clicks on a spoofed link (the visible information is different from what is obtained after clicking).
Web crawlers are another variety of threat, designed by web sites with the purpose of browsing through the content of the victim sites. Web crawlers or spiders are usually "harmless", but in certain cases they may be harmful to security as well, because they capture the user ID and password of a user to compromise the information accessible to that user.
Risk mitigation: The above-mentioned risks can be mitigated by installing an effective anti-virus system with continuous updates.
A security firewall can be installed to prevent threats from web crawlers, spyware and other malware. The firewall can be used to prevent access to any known websites which propagate this kind of software. Employees can also be educated to act proactively so that such attacks are not triggered by their direct or indirect actions.
Risks from Internal Threats
Threat: This threat is associated with employees sharing or leaking business-critical information to external parties, which may or may not be the company's competitors.
There have been many scenarios in the recent past where employees of an organization compromised customer data with a third party, resulting in loss of revenue and legal implications. As Cybersell Inc also stores customer information, which is available to employees according to their access levels so that they can carry out their duties, there is a threat of that data being compromised.
Risk mitigation: The risk of internal threats can be mitigated by installing a firewall on the email system which prevents any outbound email beyond a certain size from going out. Access to any external email must be controlled by a suitable firewall. External storage media must not be allowed to be used on the organization's systems. This check can be enforced by relevant software; if required, data can be downloaded only for company work by an authorized officer of the organization. Physical checks must be performed at the company's security gates for any storage media being taken out of the organization's premises. If any storage media is required to be taken out of the premises, it must be permitted and the permission must be obtained beforehand.
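The outbound email size control and the removable-media control described above can be backed by detection over gateway and endpoint logs, so that a violation is recorded and escalated rather than noticed only at an audit. The following Python code is an added example, not part of the original paper: the log line format, the company mail domain cybersell.example, the 5 MiB limit and the authorized-officer list are constructed assumptions.

```python
"""Screening gateway logs for the internal-threat controls described above.
Added example, not part of the original paper. The log format, the company mail
domain, the outbound size limit and the list of authorized officers are all
constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

COMPANY_DOMAIN = "cybersell.example"       # assumed internal mail domain
MAX_OUTBOUND_BYTES = 5 * 1024 * 1024       # assumed outbound size limit (5 MiB)
AUTHORIZED_OFFICERS = {"it.security"}      # assumed officers allowed to use removable media

# Constructed log line formats for the mail gateway and the endpoint USB monitor.
MAIL_RE = re.compile(
    r"^(?P<ts>\S+) MAIL from=(?P<sender>\S+) to=(?P<rcpt>\S+) size=(?P<size>\d+)$")
USB_RE = re.compile(
    r"^(?P<ts>\S+) USB user=(?P<user>\S+) host=(?P<host>\S+) action=(?P<action>\w+)$")


@dataclass(frozen=True)
class Finding:
    ts: str
    rule: str
    detail: str


def is_external(address: str) -> bool:
    """True when the address is outside the company mail domain."""
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN


def scan_line(line: str) -> Optional[Finding]:
    """Apply both controls to one log line; None when nothing is flagged."""
    m = MAIL_RE.match(line)
    if m:
        size = int(m.group("size"))
        if is_external(m.group("rcpt")) and size > MAX_OUTBOUND_BYTES:
            return Finding(m.group("ts"), "oversized-external-mail",
                           f"{m.group('sender')} -> {m.group('rcpt')} ({size} bytes)")
        return None
    m = USB_RE.match(line)
    if m and m.group("action") == "mount" and m.group("user") not in AUTHORIZED_OFFICERS:
        return Finding(m.group("ts"), "unauthorized-removable-media",
                       f"{m.group('user')} mounted storage on {m.group('host')}")
    return None  # unparseable or unremarkable line


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run scan_line over a whole log and keep only the findings."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample log: two benign mails, one oversized external mail,
# one authorized and one unauthorized removable-media mount, one malformed line.
SAMPLE_LOG = [
    "2024-01-10T09:01:00 MAIL from=alice@cybersell.example to=bob@cybersell.example size=8000000",
    "2024-01-10T09:05:00 MAIL from=alice@cybersell.example to=orders@oem.example size=120000",
    "2024-01-10T09:07:00 MAIL from=carol@cybersell.example to=inbox@rival.example size=9000000",
    "2024-01-10T09:10:00 USB user=it.security host=ws-12 action=mount",
    "2024-01-10T09:12:00 USB user=dave host=ws-07 action=mount",
    "2024-01-10T09:13:00 USB user=dave host=ws-07 action=unmount",
    "2024-01-10T09:14:00 malformed line that the parser ignores",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding.ts} {finding.rule}: {finding.detail}")
```

Note that an oversized mail between two internal addresses is deliberately not flagged, since the control in the text is about data leaving the organization; the size threshold alone would otherwise generate noise on every large internal attachment.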
Surprise audits can be conducted to check for compliance.
Vulnerability Assessment
Cybersell Inc is an Internet-based organization and hence is exposed to all threats coming through the Internet or from within the organization. Unless a suitable information security policy is put in place, the organization remains exposed to threats which have the potential to bring down the business. In addition to the threats mentioned above, the organization is also vulnerable to limitations in the software systems designed to handle its Internet-based selling business.
There should be continuous review of the capability of the system against the business needs to ensure that the business and information technology strategies are aligned.
Measurement Parameters
The objective of the measurement parameters for the new security system is the prevention of any attack on Cybersell's information system. The compliance percentage in the surprise audits would be one measuring criterion, while zero downtime because of information security issues would be another.
Version control and the availability of the latest version of the controlled documents would be the criteria for measuring the effectiveness of document control. Another aspect to measure in document control would be the access levels and their effective control: ease of access for employees with the required access level, and no access for employees who lack it, would determine the success of this measurement parameter. One more aspect of measurement would be the number of training sessions conducted on information security (IS) and the total number of employees covered by IS training.
All employees must be covered by information security training; hence this should be made part of the induction for new employees, while existing employees can be covered through a separate training program.
Plan to Secure Against All Types of Information Failures
The Information Security Management System (ISMS) plan is developed in accordance with the ISO 17799 information security policy document to secure Cybersell against all types of failures and to install an effective disaster recovery plan that ensures uninterrupted business continuity.
The plan is developed within the following framework provided by ISO 17799.
Security Policy
This is already covered as part of the threat assessment in the earlier section. The only additional aspect the organization needs to ensure is that the security policy is accessible to all at all times, so that employees do not lose sight of it. Implementing information security is everyone's responsibility, and hence all employees must be aware of the policy. To achieve this, a framed copy of the security policy can be displayed in all departments, and employees can be given a wallet card with the IS policy written on it.
This is in addition to the training which would be conducted for all employees.
Organization of Information Security
An information security department needs to be formed in Cybersell, as no such department exists currently. The department would have personnel responsible for ensuring that all information security standards are in place and are audited on a regular basis. The department would also produce the documents, controls and procedures which are required to be implemented as part of information security management.
Essentially, this department would be the central governing body ensuring that the information security standards are implemented as laid down in ISO 17799. The department head would report to the operations head of Cybersell to ensure that all suggested improvements are implemented with speed and that any non-conformity is addressed immediately. Third-party access would be limited and would be subject to scrutiny by this department. Access would be revoked as soon as an employee leaves the organization or when a third-party contract ends or is revoked.
Any outsourcing to a third party would need to be approved by the information security department, which would cross-check the credentials of the organization before permitting the outsourcing of the task.
Classification of Assets & Control
Asset classification is defined as the categorization of the organization's assets so that accountability for them can be clearly established. The assets are documented and responsibility is assigned to a particular department or designation in the organization. This helps in ensuring the security of the asset and in identifying the root cause in case the asset's security is compromised.
For example, responsibility for the desktop computers used by employees of the firm lies with the individual employee, and any breach of security identified on a particular computer would be the responsibility of the employee to whom the computer is assigned. Another feature of the ISMS policy in terms of asset classification is the categorization of the information available in the organization. The categorization helps to identify the sensitivity and importance of the information. Only employees having the required access level are allowed to access information at that level.
For example, information can be classified as general, restricted use and confidential. General-use information is available to all, restricted-use information is available only to the identified group, and confidential information is available only to named people. All types of information are labeled on the front page to identify their security level, and any communication by email is labeled in the subject line to indicate the security level of the information to the intended audience.
Human Resources Security
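The three classes just described, the access rule for each, and the front-page and subject-line labels can be expressed directly in code, which makes the rule checkable before a document or message is released. The following Python is an added example, not part of the original paper: the employee and group names, the sample documents and the "[CLASS]" subject prefix are constructed assumptions.

```python
"""Classification labels and the access rule for each class, as described above.
Added example, not part of the original paper. The group names, employee names,
sample documents and the "[CLASS]" subject-line syntax are constructed assumptions."""
import re
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, List, Optional


class Classification(Enum):
    GENERAL = "GENERAL"            # available to all
    RESTRICTED = "RESTRICTED"      # available only to the identified group
    CONFIDENTIAL = "CONFIDENTIAL"  # available only to named people


@dataclass(frozen=True)
class Document:
    title: str
    level: Classification
    group: Optional[str] = None                 # identified group (RESTRICTED only)
    named_people: FrozenSet[str] = frozenset()  # named people (CONFIDENTIAL only)

    def front_page_label(self) -> str:
        """Label printed on the front page of the document."""
        return f"{self.level.value}: {self.title}"


@dataclass(frozen=True)
class Employee:
    name: str
    groups: FrozenSet[str]


def may_access(emp: Employee, doc: Document) -> bool:
    """The access rule for each class."""
    if doc.level is Classification.GENERAL:
        return True
    if doc.level is Classification.RESTRICTED:
        return doc.group is not None and doc.group in emp.groups
    return emp.name in doc.named_people


LABEL_RE = re.compile(r"^\[(GENERAL|RESTRICTED|CONFIDENTIAL)\]\s")


def label_subject(subject: str, level: Classification) -> str:
    """Put the class at the front of an email subject line."""
    return f"[{level.value}] {subject}"


def parse_label(subject: str) -> Optional[Classification]:
    """Recover the class from a labelled subject, or None if unlabelled."""
    m = LABEL_RE.match(subject)
    return Classification(m.group(1)) if m else None


def disallowed_recipients(subject: str, recipients: List[Employee], doc: Document) -> List[str]:
    """Names of recipients who must not receive the document. The subject
    label must be present and must agree with the document's own class."""
    level = parse_label(subject)
    if level is None:
        raise ValueError("subject line carries no classification label")
    if level is not doc.level:
        raise ValueError(f"subject says {level.value} but document is {doc.level.value}")
    return [r.name for r in recipients if not may_access(r, doc)]


# Constructed sample staff and documents.
ALICE = Employee("alice", frozenset({"finance"}))
BOB = Employee("bob", frozenset({"callcenter"}))
CAROL = Employee("carol", frozenset())
PRICE_LIST = Document("Retail price list", Classification.GENERAL)
VENDOR_TERMS = Document("OEM vendor terms", Classification.RESTRICTED, group="finance")
CUSTOMER_EXPORT = Document("Customer export", Classification.CONFIDENTIAL,
                           named_people=frozenset({"alice"}))

if __name__ == "__main__":
    subject = label_subject(VENDOR_TERMS.title, VENDOR_TERMS.level)
    print(VENDOR_TERMS.front_page_label())
    print(subject, "-> withhold from:",
          disallowed_recipients(subject, [ALICE, BOB, CAROL], VENDOR_TERMS))
```

The check raises rather than silently passing when the subject label is missing or contradicts the document's own class, so a mislabelled message is caught before the recipient list is even evaluated.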
This covers the security related to personnel in the organization. As already mentioned, the requirements of a job are defined to clarify the security associated with it. For example, a person working in the call center to address customer queries has access to customer data. Hence the call center employee would be asked to sign a disclosure form in which they are informed of the level of security access they have and of the threat and vulnerability to the organization's business if they knowingly or unknowingly pass customer information to a third party.
The disclosure form would also set out the legal repercussions in case customer data is compromised. The other aspect of focus in this category is the user training on information security provided to all existing and new employees. Existing employees would be required to undergo training specifically designed to address information security awareness, while new employees would be covered for the same awareness during the induction procedure.
Human resources security also covers the response required from employees in case of information security incidents and malfunctioning of any system. Usually, an employee who witnesses any such incident would be required to report it to the information security department for immediate action. A software system would be developed to raise an incident, which would be assigned to a representative of the Information Security (IS) department. The IS department would be required to take appropriate action within the time limit corresponding to the severity of the incident.
Physical and Environmental Security
This aspect of the ISMS covers the general security associated with the area of operations, equipment and generic controls. This means that the operational area must be a restricted area allowing only the intended people to enter.
Communications and Operations Management
This is an important part of the ISMS, as it becomes critical when communication is not conducted efficiently. Media handling and its security become especially important during a crisis situation. The operational procedures must be documented clearly so that they are easy to understand and implement.
Document control must ensure that all documents are controlled and reviewed. Each document must carry a draft and revision number along with its issue status. The document must carry the issue date, author and change history, be available at all usage points, and be available only to people with the required access levels. A document should be withdrawn from the central repository as soon as it is obsolete, and the sources in a document must be clearly identified when its origin is external to the organization.
Access Control
Access control would be exercised by allowing only authorized personnel access to the work area, to folders on the common drives and to the server areas.
Information Systems Acquisition, Development and Maintenance
Any new information system would be acquired only after passing it through information security checks such as system file security, controls in the cryptographic procedures and application system security. New systems in the organization would be developed by following the information security principles.
The application system's source code would be made available only to a restricted set of developers, while only the built load of the application program would be available to testers to facilitate system and user acceptance testing (UAT).
Information Security Incident Management
Information security incidents would be managed by a system where the incident is raised by the person affected by it, while handling of the incident is done by the information security department.
Business Continuity Management
Business continuity from the perspective of information security is a very important aspect of ensuring that the business does not get impacted and continues to operate Business-As-Usual (BAU) in adverse situations such as the failure of an existing system or an untoward incident.
Design of Disaster Recovery Plan
The disaster recovery plan must consist of the following aspects –
• Recovery of lost data
• Alternate site to shift the load
• Create the Business Continuity Plan (BCP) for each area and project team
• Three types of measures should be present in the disaster recovery plan: preventive, control and corrective measures
• All employees must be aware of their role in case the organization needs to shift into disaster recovery mode
Implementation of Disaster Recovery Plan
The disaster recovery plan can be implemented by developing an alternate site which can function similarly to the usual site. There should be regular checks with some employees, on rotation, to verify their preparedness level as well as that of the system in case a disaster occurs. An efficient disaster recovery plan would involve implementing a recovery time objective and a recovery point objective for each of the critical processes in place.
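The recovery time objective (RTO) and recovery point objective (RPO) only become useful when each rotation exercise on the alternate site is measured against them. The following Python code is an added example, not part of the original paper: it checks a recorded exercise against the objectives set for each critical process, and the process names, objectives, exercise timings and backup-job duration are constructed assumptions.

```python
"""Checking recovery time and recovery point objectives for critical processes.
Added example, not part of the original paper. Process names, the objectives,
the exercise timings and the backup-job duration are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Objective:
    process: str
    rto: timedelta  # maximum time allowed to reinstate the process
    rpo: timedelta  # maximum age of the data the process is recovered from


@dataclass(frozen=True)
class Exercise:
    process: str
    outage_start: datetime  # when the usual site stopped serving the process
    last_backup: datetime   # newest restorable copy taken before the outage
    restored_at: datetime   # when the alternate site took over the load


@dataclass(frozen=True)
class Result:
    process: str
    recovery_time: timedelta
    data_loss_window: timedelta
    rto_met: bool
    rpo_met: bool


def evaluate(obj: Objective, ex: Exercise) -> Result:
    """Compare one exercise against the objectives for its process."""
    if obj.process != ex.process:
        raise ValueError("objective and exercise refer to different processes")
    if not ex.last_backup <= ex.outage_start <= ex.restored_at:
        raise ValueError("timestamps must be ordered backup <= outage <= restored")
    recovery_time = ex.restored_at - ex.outage_start      # measured against the RTO
    data_loss_window = ex.outage_start - ex.last_backup   # measured against the RPO
    return Result(obj.process, recovery_time, data_loss_window,
                  recovery_time <= obj.rto, data_loss_window <= obj.rpo)


def evaluate_all(objectives: List[Objective], exercises: List[Exercise]) -> List[Result]:
    """Evaluate every exercise. A process without an objective raises KeyError,
    because every critical process must have both targets set."""
    by_name: Dict[str, Objective] = {o.process: o for o in objectives}
    return [evaluate(by_name[ex.process], ex) for ex in exercises]


def failing(results: List[Result]) -> List[str]:
    """Processes whose recovery arrangements still need work."""
    return [r.process for r in results if not (r.rto_met and r.rpo_met)]


def max_backup_interval(obj: Objective, backup_duration: timedelta) -> timedelta:
    """Longest interval between backup starts that still honours the RPO.
    Model: a backup captures the state at its start and is restorable only once
    it completes; an outage just before completion falls back to the previous
    copy, whose age is then interval + duration."""
    if backup_duration >= obj.rpo:
        raise ValueError("backup job takes longer than the RPO allows")
    return obj.rpo - backup_duration


# Constructed objectives and one recorded exercise per critical process.
OBJECTIVES = [
    Objective("order-processing", rto=timedelta(hours=2), rpo=timedelta(minutes=15)),
    Objective("catalogue", rto=timedelta(hours=8), rpo=timedelta(hours=24)),
]
T0 = datetime(2024, 3, 4, 10, 0)
EXERCISES = [
    Exercise("order-processing", T0, T0 - timedelta(minutes=10), T0 + timedelta(minutes=90)),
    Exercise("catalogue", T0, T0 - timedelta(hours=26), T0 + timedelta(hours=2)),
]
BACKUP_JOB_DURATION = timedelta(minutes=3)  # assumed time a backup job takes to complete

if __name__ == "__main__":
    for r in evaluate_all(OBJECTIVES, EXERCISES):
        print(f"{r.process}: recovered in {r.recovery_time} (RTO met: {r.rto_met}), "
              f"lost {r.data_loss_window} of data (RPO met: {r.rpo_met})")
    print("needs work:", failing(evaluate_all(OBJECTIVES, EXERCISES)))
```

The backup-interval helper goes slightly beyond the text: it derives how often a restorable copy must be taken for the RPO to hold even when the outage strikes just before the next copy completes, which is the figure the operations team actually has to schedule.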
This means the time required to reinstate a critical process and the point from which its recovery happens.
Compliance
Compliance is to ensure that the ISMS is designed so that it complies with the existing legal requirements. Compliance is also to ensure that the ISMS is implemented as per the plan. Compliance with the ISMS is ensured by regular system audits by the information security department, which also conducts reviews of the security policy and of technical compliance.
The information security department designs the considerations required for the system audits and personnel audits so that the organization complies with the designed ISMS, thereby ensuring uninterrupted business continuity.
Conclusions
Information security is an important concern for an Internet-based organization like Cybersell Inc. In order to have uninterrupted business, Cybersell Inc needs an Information Security Management System which takes care of adherence to all information policy standards as per ISO 17799.
Cybersell Inc also needs an effective disaster recovery plan to ensure that, in the unfortunate event of the information system crashing (Comair 2005), customers are not affected and business continues as usual.
References
• Calder, Alan and Jan Van Bon (2006), Implementing Information Security Based on ISO 27001/ISO 17799, Van Haren Publishing
• Fundamentals of Third-Party Security Management (2009), [Internet], available from: <http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?culture=en-US&EventID=1032416152&CountryCode=US>, accessed