In 2008-2009 the number of severe attacks on companies' assets associated with data security breaches in the United States alone exceeded 287 million cases, and the value defrauded from companies as a result of inadequate data security exceeded $6.6 million USD, an increase of 52% over the same period the previous year. These figures show that the need for adequate security in a firm cannot be overstated.
The growing number of companies using Information and Communication Technology (ICT) in critical areas of their operations has spawned an industry with an increasing demand for the skills, technology and, ultimately, solutions needed to cope with these ever-evolving threats.
The main focus of this paper is to investigate, through carefully chosen examples and case studies from a number of organisations, the methodology and implementation of security risk assessments that can help achieve the desired level of measurable data security.
'Risk assessments, whether they pertain to information security or other types of risk, are a means of providing decision makers with information needed to understand factors that can negatively influence operations and outcomes and make informed judgments concerning the extent of actions needed to reduce risk'. (GAO/AIMD-00-33 Information Security Risk Assessment)
Market demands have given rise to several types of attack on organisations' data, increasing its vulnerability to hackers in different ways and for an array of reasons. The need for an effective data protection strategy cannot be overemphasized. Responsibility for initiating and implementing risk assessments resides with the company's management. Risk assessments may be conducted by different business units but should be directed by management's objectives and vision; this promotes assessment across the whole organisation and can reduce analysis costs.
Organisations need to understand the risks they face in order to implement the best countermeasures for protecting their assets. A comprehensive study of the company's operations, policies, procedures and standards, and of the current and potential threats to it, both internal and external, is of paramount importance. Business unit managers lead this task with assistance from the organisation's operations and ICT staff. A summary report of the investigation, with the threats ranked, is submitted to management to direct the risk assessment analysis.
'Building a solid and manageable data protection strategy must address the basic fundamental issues affecting the business. These issues include external threats and malware, complying with policies, preventing data loss and securing mobile data.' Jonathan Tait (2009), How to protect your critical information easily.
Within an organisation there may be several areas of potential risk. They include financial, fraud, market, credit, customer, security, information technology and project risks, to name a few. A SWOT analysis (Strengths, Weaknesses, Opportunities and Threats) of the company and identification of each business unit's Critical Success Factors (CSFs) could assist management in defining the scope of the risk assessment.
The Sophos white paper How to protect your critical information easily (November 2009) states, 'today's malware targets any data that can be sold, from financial information to blueprints. If it's valuable, the bad guys want it.' Implementing effective risk assessment processes and stringent control measures assists in maintaining a secure network for an organisation's operations. Effective control measures must detect and control attacks before they cause harm to a system, thereby protecting a company's productivity and contributing to its business success.
Risk assessment should be qualitative, yielding a quantitative analysis of the risk, and should develop a cost analysis based on the risk factor. Refer to appendix Table 2. 'The best approach should be determined based on a cost/benefit analysis of the process for enabling timely and relevant discussion of risks, monitoring predictive indicators, escalating information on increased risk exposures, and making risk-informed decisions in an integrated manner.' Joe Atkinson and Catherine Jourdan (November 2009), How to protect your critical information easily: A practical guide to risk assessment, p. .
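The following is an added worked example, not code from the essay or from any source it cites, of the two steps the paragraphs above describe: turning the qualitative survey into a ranked threat list for management, and building a cost analysis on the resulting risk figures. The scoring method is an assumption (the page names none): risk score = likelihood x impact on 1-5 scales, and annual expected loss = loss per event x expected events per year, the usual ALE = SLE x ARO form. Every risk, control and figure is constructed for illustration.

```python
"""Quantitative ranking of assessed risks and a cost/benefit check on proposed
controls. Added illustration, not from the essay or any source it cites.
Assumed method (not stated on the page): risk score = likelihood x impact on
1-5 scales, and annual expected loss = loss per event x expected events per
year (the common ALE = SLE x ARO form)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), from the qualitative survey
    impact: int              # 1 (negligible) .. 5 (severe)
    loss_per_event: float    # estimated cost of one occurrence, USD
    events_per_year: float   # expected occurrences per year

    def score(self) -> int:
        """Qualitative score used to rank the threat list for management."""
        return self.likelihood * self.impact

    def annual_expected_loss(self) -> float:
        """Quantitative figure the cost analysis is built on."""
        return self.loss_per_event * self.events_per_year


@dataclass
class Control:
    name: str
    risk_name: str            # the Risk this control mitigates
    annual_cost: float        # purchase, licensing and operating cost per year, USD
    events_reduction: float   # fraction of yearly events the control prevents, 0..1


def rank_risks(risks):
    """Threats ranked highest score first; ties broken by expected loss."""
    return sorted(risks, key=lambda r: (r.score(), r.annual_expected_loss()), reverse=True)


def net_benefit(risk, control):
    """Expected loss avoided per year minus what the control costs per year.
    Positive means the control pays for itself; negative means accepting the
    risk (or choosing a cheaper control) is the better-informed decision."""
    avoided = risk.annual_expected_loss() * control.events_reduction
    return round(avoided - control.annual_cost, 2)


def evaluate_controls(risks, controls):
    """Map each proposed control to its net annual benefit."""
    by_name = {r.name: r for r in risks}
    return {c.name: net_benefit(by_name[c.risk_name], c) for c in controls}


def recommended(risks, controls):
    """Controls worth funding: those with a positive net benefit, best first."""
    scored = evaluate_controls(risks, controls)
    return [n for n, b in sorted(scored.items(), key=lambda kv: kv[1], reverse=True) if b > 0]


# Constructed sample input: figures are illustrative, not from the essay.
SAMPLE_RISKS = [
    Risk("Malware on finance workstations", 4, 4, 50_000, 0.5),
    Risk("Lost unencrypted laptop", 3, 5, 120_000, 0.25),
    Risk("Partner database exposure", 2, 5, 400_000, 0.1),
    Risk("Unauthorised building access", 2, 2, 8_000, 1.0),
]
SAMPLE_CONTROLS = [
    Control("Full-disk encryption on laptops", "Lost unencrypted laptop", 6_000, 0.95),
    Control("Endpoint anti-malware refresh", "Malware on finance workstations", 15_000, 0.6),
    Control("Partner access review", "Partner database exposure", 50_000, 0.5),
]

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score():>3}  {r.annual_expected_loss():>10,.0f}  {r.name}")
    for name, benefit in evaluate_controls(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print(f"{benefit:>10,.2f}  {name}")
    print("recommend:", recommended(SAMPLE_RISKS, SAMPLE_CONTROLS))
```

With the constructed figures the malware risk tops the qualitative ranking, yet the control with the clearest payback is disk encryption for the laptop risk, while the partner access review costs more per year than the loss it avoids; that gap between "most severe" and "best return on the control budget" is exactly what the cost analysis step exists to surface for the board.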
Results from the risk assessment drive the development of a security plan, drawn up by the ICT team and management to address the open issues. The security plan should guide the organisation on methods of safe operation in the environment defined by the risk assessment. It will outline the Minimum Security Requirements (MSR) for the organisation's safe operation and the Policy Implementation Tools (PIT) required to ensure compliance (Asad Syed, 2004, Role of Security-Charter in the success of your organization). Some examples of minimum security requirements are access control to buildings, access level control, and visible policies for securing and disposing of sensitive data. The security plan will also give guidance on acceptable risks and on how the remaining risks will be addressed in the schema.
The Board of Directors' responsibility is to review the security plan and approve it once they understand the risks and the measures proposed to address them. The threats to the organisation, the effects if measures are not implemented, and the financial impact on the organisation will be discussed with the board. Approval of the security plan signals its incorporation into the company's practices, endorsed by management and enforced through policy, to ensure effective and measurable protection of the organisation's data assets. Refer to appendix Figure 1.
Sharing of Information
Organisations form conglomerates and share data. Where such arrangements exist, customers may be at risk: attackers may be unable to reach your network because of the controls in place, but may have access to your partner's systems. Vital information such as credit card numbers and social security numbers may be vulnerable. One method of securing your data is a hash or a numbering system that references the customers' data held in a separate database in a secured location. Securing your client data secures your business and supports the financial stability and security of the organisation. Analysing your partner's policies and procedures to ensure that access control and data protection packages are employed in their business is useful but may be an expensive and time-consuming exercise. Ensuring that your partner has the basic controls illustrated in figure 3 of the appendix in place may be vital to your success.
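The paragraph above proposes referencing customer data through a hash or numbering system while the data itself stays in a separate, secured database. The block below is an added example of that pattern (it is not code from the essay or from any source it cites): the record sent to a partner carries only opaque tokens in place of the card number and social security number, and only a named internal principal can turn a token back into the value, with every attempt recorded. Two design points are mine rather than the essay's: the token is random rather than a plain hash, because card numbers and SSNs have so little entropy that an unkeyed hash could be reversed by hashing candidate values, and the de-duplication fingerprint is a keyed HMAC whose key never leaves the vault. The in-memory dict, the principal names and the sample record are all constructed for illustration.

```python
"""Tokenisation of customer records before they are shared with a partner.
Added illustration, not from the essay or any source it cites. The vault is
an in-memory dict standing in for the 'separate database in a secured
location' the essay mentions; in a real deployment it is its own database
with its own access control and audit log. Assumptions: the partner needs
customer_id and name to do its job, and only the named billing service may
ever turn a token back into the card number or SSN."""
import hashlib
import hmac
import secrets

SENSITIVE_FIELDS = ("card_number", "ssn")


class TokenVault:
    def __init__(self, lookup_key: bytes, allowed_principals: set):
        self._by_token = {}                 # token -> original value
        self._by_fingerprint = {}           # keyed fingerprint -> token
        self._key = lookup_key
        self._allowed = set(allowed_principals)
        self.audit = []                     # (outcome, principal, token)

    def _fingerprint(self, value: str) -> str:
        # Keyed HMAC rather than a plain hash: card numbers and SSNs have so little
        # entropy that an unkeyed hash can be reversed by hashing candidate values.
        # The key never leaves the vault, so the fingerprint is useless elsewhere.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return the token for a value, minting a fresh random one on first sight."""
        fp = self._fingerprint(value)
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)   # random: reveals nothing about value
            self._by_fingerprint[fp] = token
            self._by_token[token] = value
        return token

    def detokenize(self, token: str, principal: str) -> str:
        """Look up the original value; only allowed principals may do this, and
        every attempt is recorded so misuse can be detected later."""
        if principal not in self._allowed:
            self.audit.append(("DENIED", principal, token))
            raise PermissionError(f"{principal} is not allowed to detokenise")
        self.audit.append(("OK", principal, token))
        return self._by_token[token]


def prepare_for_partner(record: dict, vault: TokenVault) -> dict:
    """Copy of the record with every sensitive field replaced by its token."""
    shared = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in shared:
            shared[field] = vault.tokenize(shared[field])
    return shared


def leaks_sensitive(shared: dict, original: dict) -> bool:
    """Check before release: does any original sensitive value survive in the copy?"""
    secret_values = {original[f] for f in SENSITIVE_FIELDS if f in original}
    return any(v in secret_values for v in shared.values())


# Constructed sample record (not real customer data).
CUSTOMER = {
    "customer_id": 1042,
    "name": "A. Sample",
    "card_number": "4111111111111111",
    "ssn": "123-45-6789",
}

if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32), allowed_principals={"billing-service"})
    shared = prepare_for_partner(CUSTOMER, vault)
    print("record sent to partner:", shared)
    print("leaks sensitive data:", leaks_sensitive(shared, CUSTOMER))
    print("billing recovers card:", vault.detokenize(shared["card_number"], "billing-service"))
    try:
        vault.detokenize(shared["ssn"], "partner-portal")
    except PermissionError as exc:
        print("partner blocked:", exc)
    print("audit trail:", vault.audit)
```

The point for the partner-sharing scenario is that a compromise of the partner's copy yields only tokens; the value of those tokens depends entirely on the access control and audit log in front of the vault, which is why that store belongs inside your own secured environment rather than in anything the partner can reach.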
Companies are being subjected to theft of Intellectual Property (IP) rights. In the complex environment of information technology no single solution can address this risk. Developers offer products (for example Identity Manager); government agencies have developed laws and guidelines in an attempt to control these risks (for example the BS7799 security requirements established by the British Government); and standards bodies (such as the IEC) have developed standards to control these threats (for example ISO/IEC TR 13335-5:2001, Information technology - Part 5: Management guidance on network security); but individually they have had little success. Technology vendors have produced packages to control and track data movement on networks and to prevent data from being copied to external media outside the system's operating environment, e.g. Sun Microsystems Inc.'s Identity Manager. This method of control has had little success because of developers' need for availability, accessibility and portability. As standalone solutions these products could not meet the market challenges, and several layered products were required to meet the requirements. These have proven to be high-cost measures for risks that could be controlled with policies and staff education. Educating the workforce about the threats and developing procedures for working on systems are also effective methods of control.
Security in today's business environment is of paramount importance for business success. The implementation of risk assessment in industry has played an important role. Management has come to see security from new angles and to view it as an avenue for increasing profitability. Businesses have accomplished this by understanding risks at all levels of the organisation and addressing them holistically.
Risk assessment has been assisting management in striking the balance between taking no action and investing in control measures and applications to enhance the organisation's profitability. Several organisations have engaged single-source providers to address their vulnerabilities. This has led to organisations reducing their cost of implementation and the cost of training and developing in-house capabilities to address issues in several specialised areas. In doing so, organisations enjoy reduced maintenance costs and eliminate logistical issues when immediate action is required for the security of the company. Implementing effective security measures and having reliable resources to support the organisation could save millions of dollars, as illustrated by studies done in 2007-2008 by the Ponemon Institute.
- Source: Executive Guide: Information Security Management: Learning from Leading Organisations (GAO/AIMD-98-68, May 1998)
- Source: Business Process Reengineering Assessment Guide (GAO/AIMD-10.1.15, April 1997, Version 3)
- Source: Assessing Risks and Returns: A Guide for Evaluating Federal Agencies' IT Investment Decision-making (GAO/AIMD-10.1.13, February 1997)
- Each of the above papers, supplied by the GAO, was very informative and gave information on information security management, business and risk assessment in Federal IT. All of these sources were used because they gave an insight, based on case studies and examples of companies, into the procedures carried out.
- Source: Newman C. and Strojan C. (1998), Risk Assessment: Logic and Measurement, Library of Congress Cataloguing-in-Publication Data.
- This book was used to address the general aspects of risk assessment in IT and to give some examples. It offered a broad spectrum of information and gave a rounded view and understanding of what risk assessment entails and its areas of focus.
- Source: Shoniregun C. (2005), Impacts and Risk Assessment of Technology for Internet Security, Springer Science and Business Media.
- This book was also used as a good reference guide to risk assessment, with similar examples from other industries.
- Source: http://www.RSA.com (Information Risk Assessment)
- This site was used to understand the security solutions available to the industry in the areas where threats of data theft exist. The source gave an understanding of the market challenges, the level of support, and the products available to the market.
- Source: Landoll D. (2006), The Security Risk Assessment Book, Auerbach Publications.
- This source illustrated how organisations could reduce the time and money required to conduct risk assessments, the steps to perform and how to perform them. It also gave examples and showed how to enhance studies of risk assessments and increase organisational profits. It also helped in understanding how to select quality risk assessment auditors.
- Source: Sophos white paper, How to protect your critical information easily
- This source gave an indication of some of the financial implications organisations face with information technology. It highlighted the risks associated with employees and their devices, for good and bad reasons, with organisations' data. It also gave an indication of malware attacks and what they do in today's environment. It emphasized the need for
- Source: http://www.protiviti.com/en-US/Solutions/Documents/Data Security and Social Networking Protiviti.pdf
- This site gave an overview of organisations' approach to risk assessment, developments in securing networks, and approaches to implementation. It was instrumental in developing the essay as it gave an understanding of the aspects of risk assessment in data security.
- Source: PricewaterhouseCoopers, Model risk mitigation and cost reduction through effective design.
- This source was instrumental in understanding how to implement risk assessment in an organisation's design phase. It gave examples of model risk and how to combat it, of model production design, and of validation procedures. It also showed how effective risk assessment and the employment of countermeasures could increase profit.
- Source: Ward and Peppard, Strategic Planning for Information Systems
- As the recommended text for the course, it outlined the areas of focus in risk assessments. It was also instrumental in describing countermeasures and how they should be used. The text gave the baseline for future reference for the essay.