IT Strategy for Business © Oxford University Press 2008 All rights reserved Chapter 12 IT Security Strategies

Jan 03, 2016

Mae King
Page 1

Chapter 12

IT Security Strategies

Page 2

Chapter Objectives

- Understand IT security issues
- Study IT security strategies for the organization
- Study methods for risk assessment
- Study how to formulate security strategies
- Study the framework for secure information management
- Study the legal and business aspects of IT security

Page 3

Introduction

• Information security is a technical and business problem.
• Security is about availability, integrity, privacy, non-repudiation, authenticity and confidentiality.
• Availability: Network and information availability make it possible to have systems available to users on a timely basis and in the required form.
• Integrity: Integrity is the quality or property of the system that guarantees that data are not changed arbitrarily.
• Privacy: Protection of personal information.
• Non-repudiation: This is the guarantee that something came from the company, individual or source it claims to have come from.
• Authenticity: This means that the source as well as the information is authentic.

Page 4

Security strategy framework

[Figure: pyramid diagram with the following labels: Business objective; Information Technology governance; Controls, gaps, vulnerabilities, infrastructure and points of exposure; Security architecture - processes, people, technology and technical specifications; Security compliance and auditing; Security; Availability; Confidentiality.]

Page 5

Security strategy framework

The business objective occupies the apex of the pyramid, while security forms the foundation.

Availability and confidentiality support the pyramid from both sides.

The points of exposure are controlled by a security architecture formed by people, processes, and technologies.

Page 6

Objectives of Security strategies

- Secure the information: Let information be available to those who are authorized to access it.
- Use of security of information for competitive advantage: Assured information security helps in building competitive advantage.
- Use of security to minimize risks: The security strategy should assess the risks. The risks are minimized by insuring against them or by taking different measures to protect against them.
- Balancing availability and security: Availability and security need to be balanced to meet the business objectives without losing any competitive advantage.

Page 7

Security Strategies: Factors and Measures

- Security needs at various stages: During the various stages of an organization and its knowledge life cycle, there are different security needs.
- Information and its classification: The security strategy should seek to strike a balance between availability and security.
- Continuous exposure analysis: Analysis of the various points of exposure of the system, and study of the possibility of a threat arising from each point of exposure.
- Identification of threats and sources: The identification of threats is important. Once a threat is identified, the strategic decision on protection can be taken.
- Preventive measures: The preventive measures are typically technical measures, business measures, and financial measures.

Page 8

Security Strategies: Factors and Measures

- Insurance policy: The organization needs to decide its insurance policy as a part of its security strategy.
- Legal aspects of exposure and security: Attacks from a particular point of exposure can be tracked, and the possibility of taking legal action against the culprit is very high.
- Technical measures to enhance security: The different technical measures, such as the use of the latest encryption algorithms and advanced authentication algorithms, should support the overall security strategy.

Page 9

Threat Identification: Steps

(1) Do threats exist?
(2) What are the types of threats?
(3) Analysis of the impact of the threat on the system and the overall business objective
(4) Classification of threat
(5) Prioritisation and action plan

Page 10

Threats

- Intrusion
- Hacking
- Energy variations
- Viruses
- Unhappy employees
- Denial of Service
- Destructive attacks

Page 11

Outsourcing and offshoring related security challenges

- Information transfer: Security has the challenge of ensuring seamless and secure information transfer.
- Information sharing: Ensure security in a distributed environment.
- IP protection: IP protection in a distributed environment and under different legal infrastructures.
- Decision about information sharing.

Page 12

Security Threats

LAN
- Abuse of controls
- Denial of services
- Viruses

Databases
- Unauthorized access
- Theft
- Copy, deletion

Hardware and software
- Protection mechanism failure
- Information leakage
- Contribution to various types of failures
- Unauthorized installations

Other
- Insecure environment
- Viruses
- Intrusion
- Physical threat

Page 13

Defense Strategies

- Prevention and deterrence: Properly designed controls may prevent errors from occurring, deter criminals from attacking the system, and deny access to unauthorized people.
- Detection
- Minimizing the damage and forecasting the risk
- Recovery and reinitiating the system in the normal way
- Correcting and fixing the fundamental problem
- Awareness and compliance (dealing with soft aspects)

Page 14

Defence mechanism / Defense control

General
- Physical security: physical measures
- Premises: biometric, access card, security
- Access: biometric, password, login, access-card
- Web access: encryption, authentication, biometric, firewalls, IDS, virus protection
- Data security
- Communication

Application
- Input, access, output, processing, authentication, service and availability

Page 15

Business Continuity and Recovery Plan

[Figure: process diagram with the following elements: Risk analysis; Analysis of threats; Initiation of process; Design; Review; Implement; Test; Strategy and aligned plan; Business continuity policy.]

Page 16

Security Initiatives and Control Decisions

- Assessment of resources and IT property/assets: databases, intellectual property, documents, hardware, software
- Cost-benefit analysis, data from insuring agencies, etc.
- Analysis of available controls and protection systems, and the cost of the same
- Analysis and forecasting of probable losses in case of a security breach
- Analysis of the risks and the vulnerability of the assets against the current protection

Page 17

Risk Management Model

[Figure: diagram of risk management initiatives with the following elements: Evaluation, analysis and feedback for improvement; Risk analysis and monitoring; Manage and analyze project risk profile; Plan for risk management and implementation.]

Page 18

Cyber Laws and Other Legal Aspects

• Selection of insuring agency: The insuring agency should have covered all important security aspects in the insurance.
• IP protection and strategic initiatives: The IP-strategic initiatives include selection of employees, access control, and legally protecting the IP.
• Patenting: Patenting the important inventions and business processes gives legal protection to the organization.
• Getting non-disclosure agreements signed: Non-disclosure agreements should be signed by the employees, customers, and all extended organizations that come into contact with the organization.

Page 19

Cyber Laws and Other Legal Aspects

• Deciding the clauses and the legalities of non-disclosure agreements: The clauses of the non-disclosure agreements should be legally valid across the countries in which the organization operates.
• Deciding insurance-related strategies covering all aspects of insurance (fire insurance, flood insurance, theft insurance, etc.): The insurance strategies should consider all possible threats and the prioritisation of the threats for insurance.
• Legalities of the responsibilities of employees: Employees have certain responsibilities, and from a security perspective the legalities of these should be considered. For instance, cheating the employer may be illegal, and the organization should have guidelines for such conduct and behaviour.

Page 20

Security Policy Checklist

(1) Creation of security culture
(2) Up-to-date security policies
(3) Calculate return on investment (ROI) on security spending
(4) Procedures to ensure compliance requirements
(5) Have a contingency plan to respond to emergencies
(6) Regular security audits
(7) Insurance
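The slides on threat prioritisation (Page 9), on control decisions driven by cost-benefit analysis and forecast losses (Page 16), and on calculating ROI on security spending (Page 20) describe the reasoning but give no figures or formulas. The following is an added worked example, not part of the textbook or these slides. It assumes the standard quantitative risk-analysis model in which single loss expectancy is asset value multiplied by an exposure factor and annualised loss expectancy (ALE) is that figure multiplied by the expected yearly rate of occurrence; a control is then justified when the ALE it removes exceeds its annual cost. Every asset value, probability, price and classification threshold in the register below is a constructed sample figure, and the threat names are taken from the Page 12 categories.

```python
"""Risk prioritisation and control cost-benefit, as an added example.

Assumed model (standard quantitative risk analysis, not from the slides):
    SLE = asset_value * exposure_factor      single loss expectancy
    ALE = SLE * ARO                          annualised loss expectancy
A control pays for itself when the ALE it removes exceeds its annual cost.
All figures below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str               # asset at risk, e.g. a customer database
    threat: str              # threat category (Page 12 categories)
    asset_value: float       # value at stake, in currency units (constructed)
    exposure_factor: float   # fraction of value lost per incident, 0..1
    aro: float               # forecast incidents per year (constructed)

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    covers: tuple      # (asset, threat) pairs this control mitigates
    reduction: float   # fraction of ALE removed for covered exposures, 0..1


def prioritise(exposures):
    """Rank exposures by ALE, highest first (Page 9: prioritisation)."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


def classify(exposure, high=50_000, medium=5_000):
    """Three-band classification by ALE; the thresholds are constructed."""
    ale = exposure.ale()
    if ale >= high:
        return "high"
    if ale >= medium:
        return "medium"
    return "low"


def control_benefit(control, exposures):
    """Annual loss avoided by a control over the exposures it covers."""
    return sum(e.ale() * control.reduction
               for e in exposures if (e.asset, e.threat) in control.covers)


def evaluate_control(control, exposures):
    """Return (net annual benefit, ROI) for one control (Pages 16 and 20)."""
    benefit = control_benefit(control, exposures)
    net = benefit - control.annual_cost
    roi = net / control.annual_cost if control.annual_cost else float("inf")
    return net, roi


def recommend(controls, exposures):
    """Controls whose avoided loss exceeds their annual cost, best first."""
    scored = [(c, *evaluate_control(c, exposures)) for c in controls]
    worth_buying = [s for s in scored if s[1] > 0]
    return sorted(worth_buying, key=lambda s: s[1], reverse=True)


# Constructed sample risk register.
EXPOSURES = [
    Exposure("customer database", "unauthorized access", 2_000_000, 0.25, 0.2),
    Exposure("customer database", "deletion", 2_000_000, 0.10, 0.1),
    Exposure("LAN", "denial of service", 300_000, 0.30, 1.0),
    Exposure("office premises", "physical threat", 500_000, 0.50, 0.01),
]

# Constructed candidate controls with hypothetical annual costs.
CONTROLS = [
    Control("access control + authentication", 40_000,
            (("customer database", "unauthorized access"),), 0.8),
    Control("tested backups", 15_000,
            (("customer database", "deletion"),), 0.9),
    Control("DoS mitigation service", 120_000,
            (("LAN", "denial of service"),), 0.7),
]

if __name__ == "__main__":
    for e in prioritise(EXPOSURES):
        print(f"{classify(e):6} ALE {e.ale():>10,.0f}  {e.asset} / {e.threat}")
    for c, net, roi in recommend(CONTROLS, EXPOSURES):
        print(f"buy: {c.name}  net {net:,.0f}/yr  ROI {roi:.0%}")
```

With these constructed figures the unauthorized-access and denial-of-service exposures both classify as high, the access-control investment returns 100% on its cost, the backup control is only marginally worthwhile, and the DoS mitigation service is not recommended because the loss it avoids is below its price. The same structure also shows where insurance (Page 8 and Page 20) fits: an insured exposure can be modelled as a control whose reduction is the insured fraction of the loss and whose annual cost is the premium.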

Page 21

Summary

Appropriate use and security of information can make or break a business. The information may also include important IP of the organization, newly developed algorithms, important business policies, business strategy documents, confidential letters, or customers' data that could enable someone to access a customer's bank account.

To make a business successful in this environment, customers also need to access information all the time.

Security is about availability, privacy, non-repudiation, integrity and confidentiality.

The IT security strategy is all the legal and technical positioning and planned actions to protect this information.

Page 22

End of Chapter 12