INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM

1 | P a g e
INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY
MANAGEMENT PROGRAM
19th
May, 2016
CHRISTOPHER NANCHENGWA, BSC, MBA, ITIL, PRINCE2
ICT Security has grown to be one of the key areas in ICT management; this is as a result of the
growing threat to ICT resources and organizations at large. Highlighted in this document is a five
(5) step process for the management of organization ICT security. The process is iterative in
nature. One of the key principles that fosters the success of this approach is “defined roles and
responsibilities”. Key players in the management of organizational security include; the chief
information officer (CIO), chief information security officer (CISO), ICT auditors, ICT security
committee, business application administrators and the general users. To guarantee the success
implementation and management of ICT security, each of these user groups needs to have a clear
mandate.
STEP ONE: IDENTIFY THE ORGANIZATION’S BUSINESS OBJECTIVES
These will be highlighted in the organization’s mission statement of any other strategic
documentation; if no such documentation exists an interview with top management should
provide guidance on the same. The step should be handled by the CIO or delegated to the CISO
of security committee. A commercial bank for example would have an objective to provide low
cost banking solutions to its clients or to provide a service integrated payment platform. In this
time and age most business objectives are supported by technology and as such an organization
that embraces technology and its management stands a better chance of meeting its objectives.
STEP TWO: IDENTIFY ICT RESOURCES
In most organizations, the department of ICT exists to support operations attributed to the core
business; ICT resources and operations have to be aligned to forester the accomplishment of
organizational objectives. The CIO stands at a better position to identify ICT resources in this
context since he or she has an overall view of his unit. One tool ideal for alignment is COBIT’s
Goal Cascade; using this tool ICT goals also referred to as ICT Enabler goals are aligned with

2 | P a g e
organizational goals. In the context of security management the mandate of this step is to identify
the ICT resources that support the day to day operations of an organization; these include;
 Network Infrastructure, including phone lines
 Server Infrastructure
 User desktops
 Mobile devices, including laptops, mobile phones and tablets
 Other hardware devices, including projection tools, printers, scanners and imaging
devices
STEP THREE: IDENTIFICATION AND ASSESSMENT OF RISKS
The third step in our process encompasses the identification and quantification of risks that our
ICT resources may face. Risk may be defined as the chance or probability of expected result
being at desperate with planned results. In the context ICT security, risks to ICT resources
include situations or occurrences that may hinder these resources from supporting organizational
objectives. The CISO and security committee should play an active role in the identification and
validation of risks. Examples of these risks include;
 The risk of misuse
 The risk of theft of physical damage
 The risk of unlawful access and divulgence of confidential or classified information both
from internal and external parties
 The risk of litigation
 The risk as a result of natural disaster
 The risk as a result of wear and tear
Risks need to be identified and subsequently quantified. Identification of risks is an ongoing
process involving the review and audit of ICT equipment, procedures, processes and the
surrounding environment. This process can be automated through the use of software like
QualysGuard or AuditPro. In order to quantify the risk, there is need to calculate or estimate the
monetary loss in the case that the risk materializes; for example if ICT property was damaged or

3 | P a g e
stolen, the risk value would be the total cost of recovery or replacement and the monetary value
of business lost of revenue uncollected as a result of the absence of the equipment.
The risk assessor needs to go a step further by prioritizing the identified risks. This is achieved
by developing a matrix of risk cost against risk likelihood; In other words, the assessor needs
rank the likelihood of the risk occurring using an appropriate scale, e.g. 1 to 5, then multiply the
risk likelihood by the risk cost. Risks can then be arranged in either ascending or descending
order with the risks having the highest likelihood and cost product value being the most pressing
and in need of urgent attention.
STEP FOUR: RISK RESPONSE OR MITIGATION
This step includes the formulation of activities to be conducted in an effort at avert, avoid or
minimize the effect of the risk occurrence. This step requires the participation of all stakeholders
at various levels. To this effect I propose the adoption of the defense in depth of 7-layered
approach to ICT security. This approach proposes the implementation 7 layers of security to the
identified ICT resources, these layers include;
Stewardship: Top management including the CIO, CISO, ICT auditor and security committee
will handle most of the issues in this layer. This layer addresses a number of issues with regards
to the management and administration of ICT infrastructure. These issues include policies,
processes, procedures and the competence of staff with access to the said resources. Policies of
note may include internet access policy, ICT resource fair usage policy, ICT system change and
data migration policies. Processes and procedures dictate the logical flow of events in support of
organizational objectives; these are normally determined by the logical flow of business
processes in that particular industry or organization. The implementation of policies, processes
and procedures is born out of a desire to safeguard data, information and systems and also to
support the implementation of controls. In this layer of risk mitigation, the idea is to assess
whether appropriate policies and procedures are in place to safeguard ICT resources and whether
these resources are effective, furthermore ascertain the suitability of staff to work with ICT
resources.
Physical Security: This layer addresses the issue of unlawful physical access to ICT
infrastructure. Threats to ICT resources in this context include vandalism, theft and natural

4 | P a g e
disaster. Server, desktop and other immovable hardware are easy to secure via the installation of
burglarproof equipment or innovations at our sites of operation. Mobile and network equipment
on the other hand require an extra layer of sophistication; one possible measure is to supply your
laptop users with laptop cable locks which your users can use to secure their laptops to
immovable objects like office furniture. With network cables options range from burying your
cables at least 3 meters below ground level to laying concrete on top of them. Network cables are
quite susceptible to what has now come to be referred to as “manhole manipulation”, where
vandals and hackers target network infrastructure through manholes. One interesting measure
adopted by Zambia’s Copperbelt Energy Company is to run their fibre-optic cable along their
high tension power lines making it very dangerous for vandals to target. Physical security is
normally delegated to the chief security officer of the institution.
Perimeter Security: This layer addresses what you allow to enter your computer network;
implementation is normally handled by the institutions network administrators. The assumption
or working theory is that your local network is connected to the internet and traffic is able to
flow into and out of your network. Controls are implemented via the use of a firewall either
through software or hardware. The firework will be configured with rules that restrict the flow of
traffic. Traffic of concern may include spam and traffic from known pornographic sites and
servers. In the case of users with justifiable cause of access to restricted traffic, a “demilitarized
zone” can be set up away from the local network to allow them access.
Perimeter security should also address the issue of users accessing services from outside the local
network; this is normally achieved through the use of virtual private networks (VPNs) and public
Internet Protocol (IP) addresses. I strongly recommend the use of VPNs because public IPs make
your system and network visible to the entire internet.
Internal Network: This layer of security addresses the issue of resources that your network users
can access on the local network; the network and domain administrators undertake most of the
tasks in this layer. The idea is to only allow the necessary access to enable staff perform their
duties; this entails categories users, quantifying their level of access and allowing the minimum
access required. This can be achieved through the use of firewalls and access control lists. In a
windows environment access control is implemented using Active Directory.

5 | P a g e
Host Security: A host is any device or computer on your network; activities in this layer are
shared among network administrators, domain administrators and the office of the chief security
officer. These devices include routers, switches, servers, desktops, laptops, mobile phones,
printers, etc. Security for these devices is a combination of the layers discussed earlier including;
policy, physical security, access control and firewalls.
Application Security: This layer encompasses measures or steps taken throughout the application
or system’s life-cycle to prevent gaps in the security policy through flaws in the design,
development, deployment, upgrade, or maintenance of the application or system. Application
security cuts across all the roles defined earlier. Hackers look for vulnerabilities in software to
gain access to systems and networks; it is therefore prudent that software code is fully tested
before deployment in the live or production environment. A number of commercially available
tools provide relief in this scenario; the testing occurs at various levels, from source code, to
machine and binary code. One such application is IDA Pro which has the capacity to test
software at all levels. Please note that not all organizations are in the software development
business but simply rely on software developed by other firms, in this case the duty to test the
software lies with the development firms. Organizations on the other hand have to ensure that
they only use software that is certified secure and malware free; therefore organizations should
by all means acquire software from reputable sources.
Data Security: At the very bottom of our process is the data layer. As with the application layer,
all other layers come into play and as such all players or stakeholders play a key role. Specific to
data security, the organization can adopt an encryption scheme that ensures that even if the data
is accessed, it cannot be read. Most application software provide some level of encryption, the
organization has only to decide whether or not it is sufficient. Industry best practices of ICT
security recommend that organizations implement organization wide antivirus software to protect
data against viruses, malware, spyware and other unwanted and malicious applications. There is
currently a rise in malware referred to as “Ransom-ware” which hackers use to encrypt your files
and then demand for a ransom in return for a decryption key, this ransom-ware is normally
distributed or propagated through emails as attachments. I strongly advise against opening such
emails as decryption without the aid of the hacker has proven to be almost impossible. On a

6 | P a g e
happier note, most antivirus developers are working on solutions to detect such malware, so
please keep your antivirus software up to date.
The measures proposed by the 7-layered suffice for most of the time; however, as indicated in
Murphy’s Law, sometimes things go wrong. In the event that something goes wrong, you need to
have an up to date or almost up to date backup to recover from. This entails that your
organization implements and maintains a business continuity program. Information to be backed
up should include not only the data but configuration files to ensure speedy recovery.
Unless your organization is a new one, implementation of ICT security will not start from
scratch; you will need to define the current state of your ICT program and the state you would
love it to be in. A comparison or gap analysis of the two states will reveal short comings in your
current setup; you can then formulate an actionable plan to raise your current status to a desired
one.
STEP FIVE: REVIEW
The world we live in is dynamic and ever changing with new threats and opportunities
developing every single day, our approach to security should also take a dynamic projectile. This
step entails that we undertake reviews of our ICT security program; this review can be automated
and run actively using audit and compliance software or can be scheduled to run on a period
basis either through software or hardware. Depending on your organizational setup, the review
can be conducted and spearheaded by the ICT auditor, CISO or the ICT security committee.
Generally two tests should be run in this context; these include vulnerability and penetration
tests.
Vulnerability tests check the conformance of hardware and software configurations against
manufacturer specifications or industry best practices, differences in configurations are normally
treated as vulnerabilities. However, assessors need to take extra steps to determine whether the
vulnerability exists or not.
Penetration tests attempt to gain access to your systems and network with the objective of
revealing weak security points. This can be done internally or may require the engagement of
external parties in the form of “Ethical Hackers” of “Grey Hat Hackers”.

7 | P a g e
The review of systems and networks needs to be conducted in a well structured and coordinated
manner with the sole objective of maintaining a secure status of your resources.
CONCLUSION
The 7-layered approach to security covers most issues of the subject. There is however a need to
constantly review your approach in response to an ever evolving environment.

8 | P a g e
FURTHER READING
Einwechter, Nathan. Preventing and Detecting Insider Attacks Using IDS. March 20, 2002.
http://www.securityfocus.com/infocus/1558
Kenneth R. Straub, “Information Security Managing Risk with Defense in Depth”, The SANS
Institute , August 12, 2003, http://www.incidents.org
Kurt Garbars, “Implementing an effective IT Security Program”, The SANS Institute, 2002,
http://www.incidents.org
Lee A. Kadel, “Designing and Implementing an Effective Information Security Program:
Protecting the Data Assets of Individuals, Small and Large Businesses”, The SANS Institute,
March 24, 2004, http://www.incidents.org
Peltier, Tom. “Security Awareness Program.” Information Security Management Handbook 4th
Edition. Ed. Harold F. Tipton and Micki Krause. Boca Raton: Auerbach, 1999.
Todd McGuiness, “Defense in Depth”, The SANS Institute, October 29, 2001.
http://www.incidents.org

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (18)

Similar to INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM

Similar to INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM (20)

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM