This document outlines a 5-step process for managing organizational ICT security:
1. Identify the organization's business objectives to ensure ICT resources support them.
2. Identify all ICT resources, including network infrastructure, servers, user devices, and hardware.
3. Identify and assess risks to ICT resources, such as theft, damage, and unauthorized access, and prioritize them based on likelihood and cost.
4. Develop activities to mitigate risks through a 7-layered approach involving policies, physical security, perimeter controls, internal access management, host protection, and application hardening.
5. Implement and monitor the security program with roles for the CIO, CISO, ICT
Risk management is the process of analyzing exposure to risk and determining how best to handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
The Significance of IT Security Management & Risk Assessment, by Bradley Susser
An overview of IT Security Management, which is comprised of standards, policies, plans, and procedures as well as risk assessment and the various techniques and approaches to minimize an organization’s financial impact due to the exploitation of numerous organizational assets.
Risk Management Strategy is an approach to dealing with global risks, focused on anticipating events and on designing and implementing procedures to minimize the occurrence of an event or its impact if it occurs.
In the era of globalization and an interconnected world, the task of protecting the company from global risks has become complicated. Any kind of internal or external risk can cause disruption to its usual business activities. The source of potential risk can be a human being, technology failure, sabotage or Mother Nature. All the risks must be considered individually since they overlap to a large degree. Our Global Risk Management consulting therefore focuses on: terrorism, internal sabotage, external espionage, technology failure.
An overview of how to structure a threat based assessment of risk that is relevant to the business and which clearly ties risk mitigation to the threats being mitigated in a way that business leaders can easily understand.
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure, by jbasney
Presented Nov 11 2017
http://www.stem-trek.org/news-events/urisc/
“Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure”
Risk assessment provides valuable insights to the cyberinfrastructure security program, but launching a risk assessment process can seem daunting for all but the largest projects. Jim Basney will present risk assessment tools (checklists, spreadsheets, templates) developed by CTSC (trustedci.org) for getting started on a lightweight risk assessment for cyberinfrastructure projects of varying types and sizes.
Satori Whitepaper: Threat Intelligence - a path to taming digital threats, by Dean Evans
Threat management continues to be a hot topic within cybersecurity, and rightfully so. Understanding the evolving technical and behavioral threat landscape and adapting mitigation controls is the key to proactive risk management. Actionable threat intelligence is critical to enabling effective threat management. It provides visibility into the temperature within the threat actor community, what they are doing and how they are doing it (tactics, techniques and procedures, TTPs). The challenge is sorting through the volumes of threat data to identify what’s relevant and actionable.
This document is intended to communicate how threat intelligence can be used to reduce business risk. The audience is security, compliance and IT professionals interested in proactive risk management.
Information security focuses on protecting valuable information that will help businesses to succeed in their strategies. Confidentiality, integrity and availability are the three basic objectives of Information Security.
Risk management is one of the main concepts that have been used by most organisations to protect their assets and data. One such example would be INSURANCE. Most insurance, such as life, health and auto insurance, has been formulated to help people protect their assets against losses. Risk management has also extended its roots to physical devices, such as locks and doors to protect homes and automobiles, password-protected vaults to protect money and jewels, and police, fire and security services to protect against other physical risks.
Dr. C. Umarani | Shriniketh D, "Risk Management", published in International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume-5, Issue-1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf. Paper URL: https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
Running Head SECURITY AWARENESS Security Awareness .docx, by toltonkendal
Running Head: SECURITY AWARENESS
Final Project Security Awareness
Terri Y. Hudson
Southern New Hampshire University – IT 552
December 20, 2016
Agency-wide security awareness Program Proposal
Introduction
For the organization to comply with the current PCI DSS requirement version 12.6, a security awareness program must be in place. The CISO of the organization has an immediate requirement to create an agency-wide security awareness program. As a means of implementing the security awareness program, the organization has conducted a security gap analysis, which is one of the components of a security awareness program, and which showed 10 security findings. As one of the means of conducting the program, I will submit an awareness program proposal.
Objective
This SOW (Statement of Work) is being done on behalf of the senior information officer. He has requested the creation of an agency-wide security awareness program by handing over the security gap analysis which was done prior to this process. Hence the major aim of this document is to set out a security awareness program which addresses ten major key security findings. The document will also include a risk assessment of the current security awareness practices and processes. By having this document, the organization will be able to have a well-organized maintenance plan. It is also important in maintaining and establishing an information-security awareness program (United States, 2000).
Background
The mission of the organization is to provide efficient IT services with the best security program in place, with an aim of protecting the organization's assets.
1. Technical infrastructure
The organization is engaged in a short-term effort aimed at modernizing its information-processing infrastructure. These efforts have incorporated software enhancements and the installation of firewalls and high-end network systems for improved communication. The senior information officer is the one responsible to oversee the modernization effort. He has of late completed a security awareness program and the deployment of the organization’s LAN (Local Area Network). The hardware in use is Cisco products.
2. Computing Environment
The organization’s desktop computers run Windows 2007/98 and 95. The servers are Pentium-based with over 1 GB of RAM. The current NOS (Network Operating System) is Windows-based.
3. Security Posture of the Organization
The organization has a basic network structure with only one router, which acts as a firewall. It has several workstations and switches to these workstations. In addition, the organization has installed Kaspersky’s antivirus on their desktop machines with a motive of reducing external threats. The data server is highly secured with Kaspersky’s antivirus. The organization's physical sec ...
Secrets to managing your Duty of Care in an ever-changing world.
How well do you know your risks?
Are you keeping up with your responsibilities to provide Duty of Care?
How well are you prioritising Cybersecurity initiatives?
Liability for Cybersecurity attacks sits with Executives and Board members who may not have the right level of technical security knowledge. This session will outline what practical steps executives can take to implement a Cybersecurity Roadmap that is aligned with its strategic objectives.
Led by Krist Davood, who has spent over 28 years implementing secure mission critical systems for executives. Krist is an expert in protecting the interconnectedness of technology, intellectual property and information systems, as evidenced through his roles at The Good Guys, Court Services Victoria and Schiavello.
The seminar will cover:
• Fiduciary responsibility
• How to efficiently deal with personal liability and the threat of court action
• The role of a Cybersecurity Executive Dashboard and its ability to simplify risk and amplify informed decision making
• How to identify and bridge the gap between your Cybersecurity Compliance Rating and the threat of court action
The 7 Steps to Prevent IT-Caused Outages - A Comprehensive Approach, by Protected Harbor
Discover a comprehensive roadmap to fortify your IT operations against unexpected downtime through systematic risk assessment, strategic redundancy planning, and the implementation of cutting-edge monitoring and response protocols. Our whitepaper outlines seven crucial steps to safeguard your IT infrastructure, helping you proactively identify and address potential weak points, ensuring robust resilience and reducing the risk of disruptive outages. By adopting our proven methodology, organizations can enhance their ability to withstand IT-caused outages, ensuring uninterrupted services, improved customer satisfaction, and safeguarding their reputation in today's highly competitive digital landscape.
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES NETWORK .docx, by toltonkendal
Running Head: NETWORK INFRASTRUCTURE VULNERABILITIES
Project Paper: Network Infrastructure vulnerabilities
Name
Institutional Affiliations
Section 1: Infrastructure Document
Computer networks have increasingly become ubiquitous and synonymous especially with the organizations that thrive on excellence, as well as those who would want to adopt cloud technology and virtualization within their companies. Today, most organizations that set up their businesses ensure that they have incorporated an efficient computer network infrastructure that will connect the business to the outside world through the Internet. This is because research has shown that present-day businesses depend heavily on network infrastructure platforms that make communication easy, efficient, available, as well as accessible. Consequently, despite the fact that robust computer networks have made it easier by providing a basis for interactivity and bringing a whole lot of people and businesses together, all this has at some point amounted to growing security concerns over the past years across various sectors and industries. This paper will therefore identify some of the possible network infrastructure vulnerabilities, as well as describing a comprehensive security policy that helps in protecting the company infrastructure and assets by applying the principle of CIA.
A network consists of devices such as routers, firewalls, generic devices and hosts, which include servers and workstations. Equally, there are thousands of network vulnerabilities; therefore, organizations should ensure that they focus on tests that will produce a good overall assessment of the network, especially when they store their data in the cloud; however, there may be a risk of non-compliance with regulation due to lack of control over where data is stored. The possible network infrastructure vulnerabilities include improper system configuration, poor firewall deployment, poor anti-virus implementation, weak password implementation, lack of efficient physical security, lack of appropriate security policies and many others. Vulnerabilities can be successfully contained by putting measures in place; for example, the Network Administrator should be in a position to gather information about viruses and worms, as well as identifying network vulnerabilities by getting information that helps in preventing security problems. Security measures for network vulnerabilities can be assessed through three main stages, which involve planning, conducting and inference (Markluec, 2010). In the planning stage, there is an official agreement that is signed between the concerned parties. The document signed is important because it will contain both legal and non-disclosure clauses that serve to protect the ethical hacker against a possible lawsuit. The conducting stage involves the evaluation of technical reports prepared based on testing potential vulnerabilities. Lastly, in the inference stage, the ...
Application security Best Practices Framework, by Sujata Raskar
“Making web applications safe is in the best interest of all organizations and the general economy. Providing a clearly defined set of web application security best practices will advance security professionals’ ability to anticipate and rapidly address potential threats to their enterprise.” -Yuval Ben-Itzhak, CTO and Co-Founder KaVaDo
11What is Security 1.1 Introduction The central role of co.docx, by moggdede
What is Security? 1.1 Introduction
The central role of computer security for the working of the economy, the defense of the country, and the protection of our individual privacy is universally acknowledged today. This is a relatively recent development; it has resulted from the rapid deployment of Internet technologies in all fields of human endeavor and throughout the world that started at the beginning of the 1990s. Mainframe computers have handled secret military information and personal computers have stored private data from the very beginning of their existence in the mid-1940s and 1980s, respectively. However, security was not a crucial issue in either case: the information could mostly be protected in the old-fashioned way, by physically locking up the computer and checking the trustworthiness of the people who worked on it through background checks and screening procedures. What has radically changed and made the physical and administrative approaches to computer security insufficient is the interconnectedness of computers and information systems. Highly sensitive economic, financial, military, and personal information is stored and processed in a global network that spans countries, governments, businesses, organizations, and individuals. Securing this cyberspace is synonymous with securing the normal functioning of our daily lives.
Secure information systems must work reliably despite random errors, disturbances, and malicious attacks. Mechanisms incorporating security measures are not just hard to design and implement but can also backfire by decreasing efficiency, sometimes to the point of making the system unusable. This is why some programmers used to look at security mechanisms as an unfortunate nuisance; they require more work, do not add new functionality, and slow down the application and thus decrease usability. The situation is similar when adding security at the hardware, network, or organizational level: increased security makes the system clumsier and less fun to use; just think of the current airport security checks and contrast them to the happy (and now so distant) pre–September 11, 2001 memories of buying your ticket right before boarding the plane. Nonetheless, systems must work, and they must be secure; thus, there is a fine balance to maintain between the level of security on one side and the efficiency and usability of the system on the other. One can argue that there are three key attributes of information systems:
Processing capacity—speed
Convenience—user friendliness
Secure—reliable operation
The process of securing these systems is finding an acceptable balance of these attributes.
1.2 The Subject of Security
Security is a word used to refer to many things, so its use has become somewhat ambiguous. Here we will try to clarify just what security focuses on. Over the years, the subject of information security has been considered from a number of perspectives, as a concept, a function, and ...
Discuss how a successful organization should have the followin.docx, by cuddietheresa
Discuss how a successful organization should have the following layers of security in place for the protection of its operations: information security management, data security, and network security.
Multiple Layers of Security
Marlowe Rooks posted Mar 13, 2020 9:54 AM
Looking at Vacca's book chapter 1, “Information security management as a field is ever increasing in demand and responsibility because most organizations spend increasingly larger percentages of their IT budgets in attempting to manage risk and mitigate intrusions, not to mention the trend in many enterprises of moving all IT operations to an Internet-connected infrastructure, known as enterprise cloud computing (John R. Vacca, 2014)”. It is the organization's responsibility to protect its business and its clients' information at all times. With that said, I’m going to break down why companies need to have multiple layers of security and what types they should implement below.
The first layer is Information Security Management, which can range from Physical Security to Personnel Security. Physical Security protects physical items, objects, or areas from unauthorized access and misuse. Personnel Security protects the individual or group of individuals who are authorized to access the organization and its operations. Some of the reasons to implement Information Security are as follows:
· Decrease in downtime of IT systems
· Decrease in security related incidents
· Increase in meeting an organization's compliance requirements and standards
· Increase in customer satisfaction, demonstrating that security issues are tackled in the most appropriate manner
· Increase in quality of service
· Process approach adoption, which helps account for all legal and regulatory requirements
· More easily identifiable and managed risks
· Also covers information security (IS) (in addition to IT information security)
· Provides a competitive edge to an organization with the help of tackling risks and managing resources/processes
The second layer would be Data Security, which refers to the process of protecting data from unauthorized access and data corruption throughout its lifecycle. Data security includes data encryption, tokenization, and key management practices that protect data across all applications and platforms. Some of the reasons to implement Data Security are as follows:
· Cloud access security – Protection platform that allows you to move to the cloud securely while protecting data in cloud applications.
· Data encryption – Data-centric and tokenization security solutions that protect data across enterprise, cloud, mobile and big data environments.
· Web Browser Security - Protects sensitive data captured at the browser, from the point the customer enters cardholder or personal data, and keeps it protected through the ecosystem to the trusted host destination.
· Mobile App Security - Protecting sensitive data in native mobile apps while safeguarding the data end-to-end.
· eMai ...
Attacks on the enterprise are getting increasingly sophisticated. Current solutions available do not seem to be adequate given the innovativeness, precision and persistence of these attacks in different forms and of different dimensions. Organisations thus want to increase the sophistication of their employees and also of the solutions to be deployed given this backdrop.
The primary focus of this study was to investigate how cyber risks in the ICT infrastructures of supply chains are managed. As its theoretical base, the study used the Adaptive Security Architecture framework that has been employed by most IT security specialists. Five experienced IT experts participated in a semi-structured interview to provide practical insights on the state of cybersecurity in supply chain operations from various industries. Their responses were analyzed based on the four stages of prediction, prevention, detection and response.
This study offers a new framework that suggests cybersecurity requires anticipatory vigilance, profiling malevolence, instantaneous response and uncompromised recovery to deal with the cyber threats posing disruptions to supply chains.
INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY
MANAGEMENT PROGRAM
19th May, 2016
CHRISTOPHER NANCHENGWA, BSC, MBA, ITIL, PRINCE2
ICT security has grown to be one of the key areas in ICT management; this is a result of the growing threat to ICT resources and to organizations at large. Highlighted in this document is a five (5) step process for the management of organizational ICT security. The process is iterative in nature. One of the key principles that fosters the success of this approach is “defined roles and responsibilities”. Key players in the management of organizational security include the chief information officer (CIO), chief information security officer (CISO), ICT auditors, the ICT security committee, business application administrators and the general users. To guarantee the successful implementation and management of ICT security, each of these user groups needs to have a clear mandate.
STEP ONE: IDENTIFY THE ORGANIZATION’S BUSINESS OBJECTIVES
These will be highlighted in the organization’s mission statement or other strategic documentation; if no such documentation exists, an interview with top management should provide guidance on the same. This step should be handled by the CIO or delegated to the CISO or security committee. A commercial bank, for example, would have an objective to provide low-cost banking solutions to its clients or to provide a service-integrated payment platform. In this day and age most business objectives are supported by technology, and as such an organization that embraces technology and its management stands a better chance of meeting its objectives.
STEP TWO: IDENTIFY ICT RESOURCES
In most organizations, the ICT department exists to support operations attributed to the core business; ICT resources and operations have to be aligned to foster the accomplishment of organizational objectives. The CIO is best placed to identify ICT resources in this context, since he or she has an overall view of the unit. One tool ideal for alignment is COBIT’s Goal Cascade; using this tool, ICT goals (also referred to as ICT enabler goals) are aligned with organizational goals. In the context of security management, the mandate of this step is to identify the ICT resources that support the day-to-day operations of an organization; these include:
Network infrastructure, including phone lines
Server infrastructure
User desktops
Mobile devices, including laptops, mobile phones and tablets
Other hardware devices, including projection tools, printers, scanners and imaging devices
STEP THREE: IDENTIFICATION AND ASSESSMENT OF RISKS
The third step in our process encompasses the identification and quantification of risks that our ICT resources may face. Risk may be defined as the chance or probability of actual results being at variance with planned results. In the context of ICT security, risks to ICT resources include situations or occurrences that may hinder these resources from supporting organizational objectives. The CISO and security committee should play an active role in the identification and validation of risks. Examples of these risks include:
The risk of misuse
The risk of theft or physical damage
The risk of unlawful access to, and divulgence of, confidential or classified information by both internal and external parties
The risk of litigation
Risk as a result of natural disaster
Risk as a result of wear and tear
Risks need to be identified and subsequently quantified. Identification of risks is an ongoing process involving the review and audit of ICT equipment, procedures, processes and the surrounding environment. This process can be automated through the use of software like QualysGuard or AuditPro. In order to quantify a risk, there is a need to calculate or estimate the monetary loss in the case that the risk materializes; for example, if ICT property were damaged or stolen, the risk value would be the total cost of recovery or replacement plus the monetary value of business lost or revenue uncollected as a result of the absence of the equipment.
The risk assessor needs to go a step further by prioritizing the identified risks. This is achieved by developing a matrix of risk cost against risk likelihood; in other words, the assessor needs to rank the likelihood of the risk occurring using an appropriate scale, e.g. 1 to 5, then multiply the risk likelihood by the risk cost. Risks can then be arranged in either ascending or descending order, with the risks having the highest likelihood-times-cost product being the most pressing and in need of urgent attention.
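The prioritization rule described in this step (rate likelihood on a 1-to-5 scale, multiply by the monetary risk value, and sort so the largest product comes first) is mechanical enough to be kept in a small risk register. The Python below is an added example and is not code from the original document; the risk names, likelihoods and cost figures are constructed sample data, and the `Risk`, `prioritise` and `risk_matrix` names are assumptions of this example rather than anything the page defines.

```python
"""Added example: a risk register applying the page's step-three rule.

risk value     = cost of recovery/replacement + business lost or revenue uncollected
priority score = likelihood (1..5) * risk value, ranked in descending order.
All figures below are constructed sample data, not numbers from the document."""
from __future__ import annotations

from dataclasses import dataclass

LIKELIHOOD_MIN, LIKELIHOOD_MAX = 1, 5  # the 1-to-5 scale suggested on the page


def validate_likelihood(likelihood: object) -> bool:
    """True only for whole numbers on the agreed 1..5 scale."""
    return isinstance(likelihood, int) and LIKELIHOOD_MIN <= likelihood <= LIKELIHOOD_MAX


@dataclass(frozen=True)
class Risk:
    name: str
    resource: str            # the ICT resource from step two that this risk threatens
    likelihood: int          # 1 = rare ... 5 = almost certain
    replacement_cost: float  # total cost of recovery or replacement if the risk materialises
    lost_revenue: float      # business lost or revenue uncollected while the resource is absent

    def __post_init__(self) -> None:
        # Reject entries that would silently distort the ranking.
        if not validate_likelihood(self.likelihood):
            raise ValueError(f"{self.name}: likelihood must be an integer from "
                             f"{LIKELIHOOD_MIN} to {LIKELIHOOD_MAX}, got {self.likelihood!r}")
        if self.replacement_cost < 0 or self.lost_revenue < 0:
            raise ValueError(f"{self.name}: costs cannot be negative")

    @property
    def value(self) -> float:
        """Monetary loss if the risk materialises: recovery/replacement plus lost business."""
        return self.replacement_cost + self.lost_revenue

    @property
    def score(self) -> float:
        """Priority score: likelihood multiplied by risk value."""
        return self.likelihood * self.value


def prioritise(risks: list[Risk]) -> list[Risk]:
    """Rank risks with the highest likelihood-times-cost product first.
    Ties are broken by likelihood, then by name, so the ordering is deterministic."""
    return sorted(risks, key=lambda r: (-r.score, -r.likelihood, r.name))


def ranked_names(risks: list[Risk]) -> list[str]:
    return [r.name for r in prioritise(risks)]


def risk_matrix(risks: list[Risk]) -> dict[int, list[Risk]]:
    """The likelihood-versus-cost matrix from the page: one row per likelihood
    level (most likely first), each row sorted by risk value descending."""
    matrix: dict[int, list[Risk]] = {
        level: [] for level in range(LIKELIHOOD_MAX, LIKELIHOOD_MIN - 1, -1)
    }
    for r in risks:
        matrix[r.likelihood].append(r)
    for row in matrix.values():
        row.sort(key=lambda r: (-r.value, r.name))
    return matrix


# Constructed sample register (hypothetical figures in arbitrary currency units).
SAMPLE_REGISTER = [
    Risk("Laptop theft", "Mobile devices", likelihood=4, replacement_cost=1500, lost_revenue=2000),
    Risk("Core switch failure (wear and tear)", "Network infrastructure", 2, 12000, 40000),
    Risk("Flooding of server room", "Server infrastructure", 1, 80000, 150000),
    Risk("Misuse of internet access", "User desktops", 5, 0, 500),
]


def print_register(risks: list[Risk]) -> None:
    """Print the register in priority order, highest score first."""
    print(f"{'#':>2} {'Risk':40} {'L':>2} {'Value':>10} {'Score':>10}")
    for rank, r in enumerate(prioritise(risks), start=1):
        print(f"{rank:>2} {r.name:40} {r.likelihood:>2} {r.value:>10,.0f} {r.score:>10,.0f}")


if __name__ == "__main__":
    print_register(SAMPLE_REGISTER)
```

With the constructed figures, the rarely occurring but very costly flood outranks the far more frequent misuse of internet access, which is the point of multiplying likelihood by cost rather than sorting on either alone; the matrix view keeps both dimensions visible for a committee that wants to see why.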
STEP FOUR: RISK RESPONSE OR MITIGATION
This step formulates the activities to be carried out to avert, avoid or minimize the effect of a
risk materializing. It requires the participation of stakeholders at all levels. To this end I
propose adopting a seven-layered, defense-in-depth approach to ICT security, which applies seven
layers of security to the identified ICT resources. These layers are:
Stewardship: Top management, including the CIO, CISO, ICT auditor and security committee, handles
most of the issues in this layer, which concern the management and administration of ICT
infrastructure: policies, processes, procedures and the competence of staff with access to the
resources. Policies of note include the internet access policy, the ICT resource fair usage policy,
and the ICT system change and data migration policies. Processes and procedures dictate the logical
flow of events in support of organizational objectives and normally follow the business processes
of the particular industry or organization. Policies, processes and procedures exist to safeguard
data, information and systems and to support the implementation of controls. In this layer the task
is to assess whether appropriate policies and procedures are in place to safeguard ICT resources,
whether they are effective, and whether the staff who work with ICT resources are suitable to do so.
Physical Security: This layer addresses unlawful physical access to ICT infrastructure; the threats
in this context include vandalism, theft and natural disaster. Servers, desktops and other
immovable hardware are comparatively easy to secure by installing burglar-proof fittings at the
sites of operation. Mobile and network equipment require extra measures. One is to supply laptop
users with cable locks so that they can secure their laptops to immovable objects such as office
furniture. For network cables, options range from burying the cables at least 3 meters below ground
level to laying concrete on top of them. Network cables are susceptible to what has come to be
called "manhole manipulation", where vandals and attackers reach network infrastructure through
manholes. One interesting measure adopted by Zambia's Copperbelt Energy Company is to run its
fibre-optic cable along its high-tension power lines, making the cable very dangerous for vandals to
target. Physical security is normally delegated to the institution's chief security officer.
Perimeter Security: This layer governs what is allowed to enter and leave the computer network;
implementation is normally handled by the institution's network administrators. The working
assumption is that the local network is connected to the internet and traffic can flow in both
directions. Controls are implemented with a firewall, in software or hardware, configured with rules
that restrict the flow of traffic; a sound ruleset denies everything by default and permits only the
traffic that has a business justification. Traffic of concern includes spam and traffic from known
pornographic sites and servers. Where particular users have a justifiable need to reach traffic that
is otherwise blocked, the exception should be granted to those specific users or hosts rather than by
relaxing the rules for the whole network. Services that must be reachable from outside, or hosts
that must talk to untrusted networks, belong in a "demilitarized zone": a separate network segment
isolated from the local network, so that the compromise of a DMZ host does not give direct access to
internal systems.
Perimeter security should also cover users who access services from outside the local network. This
is normally achieved with a virtual private network (VPN) rather than by exposing internal services
directly on public Internet Protocol (IP) addresses; I strongly recommend the VPN, because a service
on a public IP is visible to, and can be probed by, the entire internet.
Internal Network: This layer governs which resources network users can reach on the local network;
the network and domain administrators undertake most of the tasks here. The principle is least
privilege: categorize users, determine the level of access each category needs to do its job, and
grant only that minimum. This is achieved with internal firewalls and access control lists on routers
and switches. In a Windows environment, user and group accounts are managed in Active Directory, and
permissions are granted to groups rather than to individual users so that access can be reviewed and
revoked consistently.
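The perimeter firewall and the internal access control lists above share one model: rules are evaluated top to bottom, the first match wins, and anything unmatched is dropped. The following Python is an added example of that model, not code from the original paper or from any firewall product. The address ranges (a LAN in 10.0.0.0/24, a DMZ in 192.0.2.0/24), the rules and the sample packets are all constructed; the `shadowed` check goes slightly beyond the text by detecting a rule that can never fire because an earlier, broader rule already covers it, which is how misordered rulesets silently open holes.

```python
"""First-match, default-deny packet filtering: the model behind both the
perimeter firewall and the internal access control lists described above.
Added example, not part of the original paper; the address ranges, rules and
sample packets are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source network in CIDR form; "0.0.0.0/0" means any
    dst: str                # destination network in CIDR form
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, None for any
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt["dport"]))


def evaluate(rules, pkt):
    """Return (action, rule) for the first matching rule.  A packet that matches
    nothing is dropped: ("deny", None) is the implicit default-deny at the end
    of every list, which turns 'allow what is needed' into least privilege."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` would already match `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport))


def shadowed(rules):
    """Rules that can never fire because an earlier rule matches everything
    they would.  A shadowed deny is the classic misordering that opens a hole."""
    return [later for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


# Constructed topology: LAN 10.0.0.0/24 (admins in 10.0.0.0/28, file server
# 10.0.0.100), DMZ 192.0.2.0/24 with a public web server at 192.0.2.10.
POLICY = [
    Rule("allow", "0.0.0.0/0",    "192.0.2.10/32", "tcp", 443,  "public web server in the DMZ"),
    Rule("deny",  "192.0.2.0/24", "10.0.0.0/24",   "any", None, "DMZ must never initiate into the LAN"),
    Rule("allow", "10.0.0.0/28",  "10.0.0.100/32", "tcp", 22,   "admin subnet may SSH to the file server"),
    Rule("allow", "10.0.0.0/24",  "0.0.0.0/0",     "tcp", 443,  "staff outbound HTTPS"),
]

# Same intent with the DMZ deny placed after a broad allow: the deny is shadowed.
MISORDERED = [
    Rule("allow", "192.0.2.0/24", "0.0.0.0/0",   "any", None, "DMZ may reach anything (too broad)"),
    Rule("deny",  "192.0.2.0/24", "10.0.0.0/24", "any", None, "never reached"),
]

SAMPLE_PACKETS = {  # constructed
    "internet_to_web": {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443},
    "dmz_to_lan":      {"src": "192.0.2.10",  "dst": "10.0.0.100", "proto": "tcp", "dport": 445},
    "admin_ssh":       {"src": "10.0.0.5",    "dst": "10.0.0.100", "proto": "tcp", "dport": 22},
    "staff_ssh":       {"src": "10.0.0.77",   "dst": "10.0.0.100", "proto": "tcp", "dport": 22},
    "internet_to_lan": {"src": "203.0.113.7", "dst": "10.0.0.100", "proto": "tcp", "dport": 3389},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        action, rule = evaluate(POLICY, pkt)
        print(f"{name:16} {action:5} {rule.comment if rule else 'implicit default deny'}")
    for rule in shadowed(MISORDERED):
        print("shadowed:", rule.comment)
```

The staff workstation's SSH attempt and the inbound RDP attempt from the internet are both dropped by the implicit default deny without any rule naming them, which is the property a least-privilege ruleset relies on.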
Host Security: A host is any device or computer on the network, including routers, switches,
servers, desktops, laptops, mobile phones and printers; activities in this layer are shared among
network administrators, domain administrators and the office of the chief security officer.
Security for these devices combines the layers discussed earlier, policy, physical security, access
control and firewalls, with controls applied on the host itself: removing unneeded services and
accounts, keeping the operating system and firmware patched, and running a host firewall and
anti-malware software where the device supports them.
Application Security: This layer encompasses measures taken throughout the application or system's
life-cycle to prevent gaps in the security policy arising from flaws in the design, development,
deployment, upgrade or maintenance of the application or system. Application security cuts across
all the roles defined earlier. Attackers look for vulnerabilities in software to gain access to
systems and networks; it is therefore prudent that software is fully tested before deployment to the
live or production environment. A number of commercially available tools help here, and testing
occurs at several levels: static analysis of source code, dynamic testing of the running application,
and analysis of the compiled binary. IDA Pro, for instance, is a disassembler and debugger used for
the last of these, examining machine code when no source is available. Not all organizations develop
software; many simply rely on software developed by other firms, in which case the duty to test the
code lies with the development firm. The organization's duty is then to acquire software only from
reputable sources, to verify the integrity of what it installs against the vendor's published
checksums or signatures, and to apply the vendor's security updates promptly.
Data Security: At the very bottom of the process is the data layer. As with the application layer,
all other layers come into play and all stakeholders have a role. Specific to data security, the
organization can adopt an encryption scheme that ensures that even if data is accessed, it cannot be
read. Most application software provides some level of encryption; the organization has to decide
whether it is sufficient and where the keys are kept, since encryption that stores the key beside the
data protects nothing. Industry best practice recommends organization-wide antivirus software to
protect data against viruses, spyware and other malicious applications. There is currently a rise in
malware referred to as "ransomware", which attackers use to encrypt your files and then demand a
ransom in return for the decryption key. Ransomware is normally distributed as email attachments, so
unexpected attachments should not be opened; once files have been encrypted with a correctly
implemented scheme, recovery without the attacker's key is practically impossible. On a happier
note, antivirus developers continue to improve detection of such malware, so keep antivirus software
up to date.
The measures proposed in the seven-layered approach suffice most of the time; however, as Murphy's
Law indicates, sometimes things go wrong. When they do, you need an up-to-date, or nearly up-to-date,
backup to recover from. This requires that the organization implements and maintains a business
continuity program. Backups should include not only the data but also configuration files, to ensure
speedy recovery, and at least one copy should be kept offline or otherwise out of reach of the
production network, so that ransomware or a malicious insider cannot destroy the backup along with the
originals. A backup that has never been restored is untested; restores should be rehearsed on a
schedule.
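A backup is only worth relying on if it can be shown to be intact, and the bulk rewrite of files that ransomware produces is visible as a sudden mass change against an earlier snapshot. The Python below is an added example of a SHA-256 manifest that serves both purposes; it is not code from the original paper. The file trees, including the configuration files the text says to back up, are constructed in memory, and the 50% "modified" threshold is an assumed heuristic.

```python
"""Backup manifest of SHA-256 digests, used to verify that a backup set is
intact before relying on it and to spot the mass rewrite of files that
ransomware leaves behind.  Added example, not from the original paper; the
file contents below are constructed."""

import hashlib
import json
from pathlib import Path


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Relative path -> SHA-256 of contents, in sorted path order."""
    return {path: digest(data) for path, data in sorted(files.items())}


def compare(manifest: dict, files: dict) -> dict:
    """Classify the current file set against a stored manifest."""
    current = build_manifest(files)
    return {
        "unchanged": [p for p in manifest if current.get(p) == manifest[p]],
        "modified":  [p for p in manifest if p in current and current[p] != manifest[p]],
        "missing":   [p for p in manifest if p not in current],
        "added":     [p for p in current if p not in manifest],
    }


def looks_like_ransomware(report: dict, threshold: float = 0.5) -> bool:
    """Heuristic: a large share of tracked files rewritten between two
    snapshots is the signature of bulk encryption.  The threshold is an assumed
    value; a normal working set changes a few files a day, not most of them."""
    tracked = len(report["unchanged"]) + len(report["modified"]) + len(report["missing"])
    return tracked > 0 and len(report["modified"]) / tracked >= threshold


def snapshot_dir(root) -> dict:
    """Read a directory tree into the in-memory form used above."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def save_manifest(manifest: dict, path) -> None:
    # Store the manifest with the backup, on media the production hosts cannot write to.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


# Constructed sample: data files plus the configuration files the text says to back up.
ORIGINAL = {
    "finance/ledger.xlsx": b"2023 ledger contents",
    "hr/contracts.docx":   b"employment contracts",
    "config/sshd_config":  b"PermitRootLogin no\n",
    "config/backup.cfg":   b"schedule=nightly\n",
}

# The same tree after a simulated ransomware run: three of four files rewritten
# with ciphertext, one untouched, and a ransom note dropped.
ENCRYPTED = {
    "finance/ledger.xlsx": b"\x8a\x1f\x02\xd4 ciphertext",
    "hr/contracts.docx":   b"\x3c\x99\x7e\x10 ciphertext",
    "config/sshd_config":  b"\x42\xbe\xc1\x77 ciphertext",
    "config/backup.cfg":   b"schedule=nightly\n",
    "README_DECRYPT.txt":  b"pay to recover your files",
}

if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    report = compare(manifest, ENCRYPTED)
    print(report)
    print("ransomware pattern:", looks_like_ransomware(report))
```

Run `build_manifest(snapshot_dir(path))` when the backup is taken and `compare(load_manifest(...), snapshot_dir(path))` before a restore; an all-"unchanged" report is the evidence that the copy is usable, and a report dominated by "modified" entries is a reason to stop and investigate before overwriting good backups with encrypted ones.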
Unless the organization is new, implementation of ICT security will not start from scratch: define
the current state of the ICT security program and the state you would like it to be in. A gap
analysis of the two states reveals the shortcomings in the current setup, from which an actionable
plan to reach the desired state can be formulated.
STEP FIVE: REVIEW
The world we live in is dynamic, with new threats and opportunities developing every day, so our
approach to security must follow a dynamic trajectory too. This step entails regular reviews of the
ICT security program. The review can be automated and run continuously with audit and compliance
software, or scheduled to run periodically. Depending on the organizational setup, the review can be
led by the ICT auditor, the CISO or the ICT security committee. Two kinds of test should generally be
run in this context: vulnerability assessments and penetration tests.
Vulnerability assessments check hardware and software configurations for conformance with
manufacturer specifications or industry best practice; deviations are normally reported as
vulnerabilities. However, the assessor needs to take the extra step of confirming whether each
reported vulnerability actually exists and is exploitable in the environment, since scanners produce
false positives.
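The conformance check just described, reduced to its essentials in Python as an added example (not code from the original paper or from any scanning product): parse the actual configuration, compare each setting against a baseline, and report deviations as candidates for the assessor to confirm rather than as confirmed vulnerabilities. The sample sshd_config is constructed; the baseline reflects common OpenSSH hardening guidance and the defaults OpenSSH applies when a key is absent, and an organization's own standard should replace it.

```python
"""Configuration conformance check of the kind a vulnerability assessment
automates: the actual configuration is compared against a baseline and each
deviation is reported as a candidate finding for the assessor to confirm.
Added example, not from the original paper.  The sample sshd_config is
constructed; the baseline reflects common OpenSSH hardening guidance and the
organisation's own standard should replace it."""

import re


def parse_config(text: str) -> dict:
    """Parse sshd_config-style 'Key value' lines.  '#' starts a comment, keys
    are case-insensitive, and the first occurrence of a key wins (as sshd
    itself behaves), so a later 'PermitRootLogin yes' does not override an
    earlier 'PermitRootLogin no'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def equals(*acceptable):
    return lambda value: value.lower() in acceptable


def at_most(limit):
    return lambda value: value.isdigit() and int(value) <= limit


# setting -> (check on the effective value, value sshd applies when the key is absent)
BASELINE = {
    "permitrootlogin":        (equals("no"), "prohibit-password"),
    "passwordauthentication": (equals("no"), "yes"),
    "permitemptypasswords":   (equals("no"), "no"),
    "x11forwarding":          (equals("no"), "no"),
    "maxauthtries":           (at_most(4), "6"),
}


def assess(config_text: str, baseline=BASELINE) -> list:
    """One finding per baseline item the configuration fails.  Absent keys are
    assessed at their default, which is how a scanner catches 'secure by
    omission' assumptions that are not actually true."""
    actual = parse_config(config_text)
    findings = []
    for key, (check, default) in baseline.items():
        value = actual.get(key, default)
        if not check(value):
            findings.append({
                "setting": key,
                "value": value,
                "source": "explicit" if key in actual else "default",
                # A deviation is only a candidate: the assessor still confirms
                # the service is enabled and reachable before calling it a vulnerability.
                "status": "candidate, verify",
            })
    return findings


SAMPLE_SSHD_CONFIG = """\
# constructed sample sshd_config
Port 22
PermitRootLogin no
PermitRootLogin yes      # ignored: first occurrence wins
PasswordAuthentication yes
MaxAuthTries 10
X11Forwarding no
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Evaluating absent keys at their documented default is the detail that separates a useful check from a grep: an empty sshd_config passes a naive search for "PermitRootLogin yes" yet still fails the baseline, because the default is not "no".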
Penetration tests attempt to gain access to systems and the network in order to reveal weak points
in the security. They can be carried out internally or may require engaging external parties in the
form of ethical hackers (professional penetration testers), under a written scope and authorization.
The review of systems and networks needs to be conducted in a well-structured and coordinated
manner, with the sole objective of maintaining the secure status of your resources.
CONCLUSION
The seven-layered approach to security covers most issues of the subject. There is, however, a need
to constantly review your approach in response to an ever-evolving environment.
FURTHER READING
Einwechter, Nathan. "Preventing and Detecting Insider Attacks Using IDS." March 20, 2002.
http://www.securityfocus.com/infocus/1558
Straub, Kenneth R. "Information Security Managing Risk with Defense in Depth." The SANS Institute,
August 12, 2003. http://www.incidents.org
Garbars, Kurt. "Implementing an Effective IT Security Program." The SANS Institute, 2002.
http://www.incidents.org
Kadel, Lee A. "Designing and Implementing an Effective Information Security Program: Protecting the
Data Assets of Individuals, Small and Large Businesses." The SANS Institute, March 24, 2004.
http://www.incidents.org
Peltier, Tom. "Security Awareness Program." Information Security Management Handbook, 4th Edition.
Ed. Harold F. Tipton and Micki Krause. Boca Raton: Auerbach, 1999.
McGuiness, Todd. "Defense in Depth." The SANS Institute, October 29, 2001.
http://www.incidents.org