16 Jan The importance of information security in organizations
Security is becoming increasingly important as a necessary ingredient in any field of activity, and over the past 10 years it has evolved in response to the problems brought by globalization (the "Big Brother" phenomenon). Changes in paradigm, and the evolution of technology that followed, have brought new concepts such as borderless security, cloud computing, big data and mobility. Information is perishable, volatile and often not corroborated by multiple sources, which is why the processing power devoted to filtering and analyzing large volumes of data keeps increasing. Any security system must ensure the confidentiality, integrity and availability of information.
It is estimated that over 80% of relevant information comes from open sources (mass media, the Internet) and that more than 80% of incidents originate inside the organization.
Today there are two approaches to business security:
• the first is tied to the public and/or governmental sector (managed by the official security structure and regulated by Law 182/2002, GD 585/2002, GD 781/2002 and the orders, directives and instructions issued by ORNISS as the National Security Authority);
• the second is tied to the private sector (managed by the person responsible for the information security management system, SMSI, and regulated by the criminal code, copyright law, electronic archiving legislation, etc.).
Formally, both approaches target the same security requirements and measures and aim to optimize the use of resources (people, processes, technologies). It is worth noting that an information security management system (SMSI) covers the whole information system (the information flows); the Information and Communication System (SIC) is only one part of what the SMSI governs.
Two basic security strategies are used:
• everything that is not explicitly prohibited is allowed (default allow);
• everything that is not explicitly allowed is forbidden (default deny).
To protect sensitive (classified) information, two implementation tactics are used:
• discretionary access control (DAC), where the owner of a resource decides who may access it;
• mandatory access control (MAC), where access is decided by security labels (clearance and classification) that the owner cannot override.
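As an added example (not code from the original article), the following small evaluator combines the two strategies (default allow / default deny) with the two tactics (discretionary and mandatory access control). The subjects, clearance scale, resource and ACL entries are constructed for illustration; the MAC rules used are the classic Bell-LaPadula "no read up / no write down" pair, which the article does not name but which is the usual way to enforce label-based access on classified information.

```python
"""Added example, not code from the original article: a small access-control
evaluator that combines the two strategies (default allow / default deny) with
the two tactics (discretionary and mandatory access control). Subjects, objects,
labels and ACL entries below are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Ordered classification / clearance levels (assumed scale)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass
class Resource:
    name: str
    classification: Level
    owner: str
    # DAC list kept by the owner: {subject: {permission: True/False}}.
    # Explicit True = allowed, explicit False = prohibited; anything else
    # falls back to the organization's default strategy.
    acl: dict = field(default_factory=dict)


def dac_allows(subject, resource, perm, default_allow):
    """Discretionary access control: the owner decides, via the ACL."""
    if subject.name == resource.owner:
        return True
    entry = resource.acl.get(subject.name, {})
    # Unlisted subject/permission: "not prohibited => allowed" (default_allow=True)
    # or "not allowed => forbidden" (default_allow=False).
    return entry.get(perm, default_allow)


def mac_allows(subject, resource, perm):
    """Mandatory access control (Bell-LaPadula rules): a subject may read only
    at or below its clearance (no read up) and write only at or above it
    (no write down). The owner cannot override these."""
    if perm == "read":
        return subject.clearance >= resource.classification
    if perm == "write":
        return subject.clearance <= resource.classification
    return False


def decide(subject, resource, perm, default_allow=False):
    """MAC is checked first and is non-negotiable; DAC refines inside it."""
    return mac_allows(subject, resource, perm) and dac_allows(
        subject, resource, perm, default_allow)


# Constructed sample population.
ALICE = Subject("alice", Level.CONFIDENTIAL)   # owner of the plan
BOB = Subject("bob", Level.CONFIDENTIAL)       # explicitly allowed to read
EVE = Subject("eve", Level.SECRET)             # explicitly prohibited
CAROL = Subject("carol", Level.INTERNAL)       # cleared too low
DAVE = Subject("dave", Level.SECRET)           # not mentioned in the ACL
PLAN = Resource("business-plan.docx", Level.CONFIDENTIAL, owner="alice",
                acl={"bob": {"read": True}, "eve": {"read": False}})


def decision_table(default_allow):
    """Evaluate every (subject, permission) pair against PLAN under one strategy."""
    subjects = (ALICE, BOB, EVE, CAROL, DAVE)
    return {(s.name, p): decide(s, PLAN, p, default_allow)
            for s in subjects for p in ("read", "write")}


if __name__ == "__main__":
    for strategy in (True, False):
        print("default allow" if strategy else "default deny")
        for key, ok in sorted(decision_table(strategy).items()):
            print(f"  {key[0]:6} {key[1]:5} -> {'ALLOW' if ok else 'DENY'}")
```

Running it shows where the strategy matters: dave (cleared, but absent from the ACL) can read the plan only under "default allow", while carol is refused under both strategies because MAC blocks reading above her clearance regardless of what the owner wrote in the ACL. Note the classic caveat of the "no write down" rule: a lower-cleared subject such as carol may still be permitted to write into a higher-classified resource under default allow, so the DAC list must explicitly prohibit that where it is not wanted.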
Security organization
Building an organization's security culture is a lengthy process, developed by imposing security measures and/or mechanisms that minimize the risks arising in the business process. Every activity is exposed to threats, vulnerabilities and risks. When a risk exceeds the acceptable level, the organization has a security problem that must be dealt with by treating the risk until it falls back below the accepted level; when such a risk materializes, it becomes a security incident that must be resolved.
Security organization addresses at least two basic issues:
- it classifies critical information / resources;
- it establishes security responsibilities and top management involvement in managing security incidents and in business continuity planning for the event of a disaster.
Depending on the size of the organization, its business processes and the specifics of its activity, the internal organization of security is a continuous and complex activity.
Risk management
All real-world entities move between two states:
- the basic state: uncertainty, and
- the transient state: certainty.
From this point of view, risk can be defined as a certainty with a high degree of ambiguity: the event is known to be possible, but whether and when it occurs is not. In the ISO 27001:2013 certification process, the first internal security procedure documents risk management (following ISO 31000:2009) and the resources (human, material) analyzed when implementing the required security mechanisms (at most 114 controls, compared with 133 in ISO/IEC 27001:2005).
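The "treat the risk until it falls below the accepted level" rule stated above can be made concrete with a small risk register. The following is an added example, not code or figures from the article or from the ISO standards: the 1..5 likelihood/impact scale, the risk appetite of 6, the controls and their assumed costs and effects are all constructed. It goes one step beyond the text by choosing controls greedily by risk reduction per unit of cost, and by flagging risks that cannot be brought under the threshold with the available controls, which is exactly the case that has to go to top management.

```python
"""Added example, not from the original article: a minimal risk register that
applies the rule "treat the risk until it falls below the accepted level".
The 1..5 likelihood/impact scale, the risk appetite, the controls and their
costs and effects are all constructed assumptions, not values from ISO 27001
or ISO 31000."""
from dataclasses import dataclass, field

ACCEPTABLE_LEVEL = 6   # risk appetite on a likelihood x impact scale (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    cost: int                  # relative cost units (assumed)
    likelihood_factor: float   # multiplies residual likelihood (1.0 = no effect)
    impact_factor: float       # multiplies residual impact


@dataclass
class Risk:
    name: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    candidates: tuple          # controls that could treat this risk
    applied: list = field(default_factory=list)

    def score(self, extra=None):
        """Residual risk with the applied controls (plus one more, if given)."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.applied + ([extra] if extra else []):
            lik *= c.likelihood_factor
            imp *= c.impact_factor
        return round(lik * imp, 2)


def treat(risk, acceptable=ACCEPTABLE_LEVEL):
    """Greedy treatment: repeatedly apply the candidate control that buys the
    most risk reduction per unit of cost until the residual risk is at or below
    the accepted level. If the candidates run out first, the risk must be
    escalated (accepted, transferred or redesigned with top management)."""
    remaining = list(risk.candidates)
    while risk.score() > acceptable and remaining:
        before = risk.score()
        best = max(remaining, key=lambda c: (before - risk.score(extra=c)) / c.cost)
        risk.applied.append(best)
        remaining.remove(best)
    return {
        "applied": [c.name for c in risk.applied],
        "residual": risk.score(),
        "escalate": risk.score() > acceptable,
    }


def build_register():
    """Constructed sample register (names and numbers are illustrative)."""
    fde = Control("Full-disk encryption", cost=2, likelihood_factor=1.0, impact_factor=0.25)
    tracking = Control("Asset tracking", cost=3, likelihood_factor=0.5, impact_factor=1.0)
    awareness = Control("Awareness training", cost=1, likelihood_factor=0.75, impact_factor=1.0)
    least_priv = Control("Least privilege", cost=2, likelihood_factor=0.7, impact_factor=0.6)
    dlp = Control("DLP", cost=5, likelihood_factor=0.6, impact_factor=0.8)
    patch_sla = Control("Patch SLA", cost=2, likelihood_factor=0.6, impact_factor=1.0)
    waf = Control("WAF", cost=4, likelihood_factor=0.8, impact_factor=0.8)
    return [
        Risk("Laptop theft", 4, 4, (fde, tracking, awareness)),
        Risk("Insider data leak", 3, 5, (dlp, least_priv)),
        Risk("Data-centre flood", 1, 5, ()),
        Risk("Zero-day in exposed service", 5, 5, (patch_sla, waf)),
    ]


def treat_all(acceptable=ACCEPTABLE_LEVEL):
    """Treat every risk in a fresh register; returns {risk name: result}."""
    return {r.name: treat(r, acceptable) for r in build_register()}


if __name__ == "__main__":
    for name, res in treat_all().items():
        flag = "ESCALATE" if res["escalate"] else "ok"
        print(f"{name:28} residual={res['residual']:5} {flag:8} {res['applied']}")
```

With these assumed numbers, laptop theft is brought under the threshold by a single control (encryption, which cuts the impact rather than the likelihood), the insider leak needs two, the flood is already acceptable and gets nothing, and the zero-day stays at 9.6 after both candidates are exhausted, so it is reported for escalation rather than silently left in the register.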
Physical security
This is an important security area, covered by dedicated surveillance systems (CCTV, access control systems, perimeter protection, burglary, fire and earthquake detection, etc.) that can be combined into an integrated security system (SIS).
Documents security
Covers the security of documents in both electronic and printed form. In most organizations, documents entering or leaving the organization are marked and recorded by the assistant manager at the registry / secretariat. To automate the classification of information in electronic form (documents, messages, archives, etc.), dedicated applications (e.g. Titus) are recommended.
SIC security
For the organization's SIC / private networks, a variety of professional security solutions can be pointed to: antivirus / anti-spam / anti-malware (AV / AS / AM) solutions, disaster recovery solutions, DLP, SIEM, IAM and forensics tools. These solutions cover much of the information exchange with the outside world (mail, messaging, social networks). An acute problem for network administrators is the secure integration of personal devices into the network, something that was simply not permitted 5-7 years ago. Telephone calls and face-to-face conversations are areas where monitoring is insufficient (out of respect for the right to privacy), and they become the main channels through which confidential information leaks.
Staff security
Employees are the most important resource of an organization, and also the source of over 80% of all security events.
Recruiting, interviewing, testing, hiring and securing resources in line with job-specific requirements are key issues for any organization. Disgruntled employees are often difficult to manage and can cause significant damage. Personnel issues are followed up at hiring, during employment and after departure.
Legal security
This area has to find the legal ways in which security records can be used in legal proceedings. In recent years national legislation has been aligned with European legislation, under which computer crimes are prosecuted. In the context of the terrorist threat, monitoring of cyberspace becomes a necessity, and there are ongoing discussions about finding mechanisms, techniques and procedures that do not violate the rights of the individual.
Industrial security
This refers to how information and documents are managed under national, NATO, EU and/or equivalent contracts. Inspections for completing the security annex and the checks required to obtain access to classified information are performed by the Designated Security Authorities (ADS), with the support and coordination of ORNISS as the National Security Authority (NSA).
Lessons Learned
- there is no such thing as total security; an acceptable level of security must be established depending on the specific activity carried out
- over 80% of security events / incidents are generated within the organization
- analyzing, designing, selling and configuring a security solution must always be addressed together with top management
- the successful management of an SMSI in an organization depends on the involvement and participation of all employees in handling security events / incidents and in ensuring business continuity
- the transition to the new ISO 27001:2013 standard brings the following novelties:
- information security in project management, based on the organization's well-defined (SMART) objectives
- restrictions on software installation
- secure development policy
- secure system engineering principles
- secure development environment and system security testing
- policies towards suppliers and communication with third parties
- assessment of and decision on security events, and response to security incidents
- availability of information processing facilities
Constantin Caliman,
Product Manager & Chief Security Officer,
IT Infrastructure Solutions Business Unit,
CRESCENDO