Week 11- Tactical principles in Security Planning

Business success can only be achieved when one can prove you are different than other. This is often called the competitive strategy of the organization. The accomplishment of the strategy can be measured by determining the process: tactics. Tactics helps business to understand how the goals can be accomplished. Tactics are the countermeasures which the organization will take if the certain situations arise. In order to implement the right tactics, the objectives have to be identified and principles are the identifier of the objectives.

In order to accomplish targeted objective of the organization, security strategic plan has to be strong and successfully implemented. These plans can only be successful with proper tactics and operational plan. Resource planning, time, and technology help to achieve the tactical objectives of the security strategic planning.  Observation, timeliness, and economy are the top principles of the security management as they provide insight on sufficient information, response time and balanced cost of technology with process. These principles drive the tactical implementation of the security framework. With observation principle we can collect enough information to secure the perimeter and provide strong wall against the security attack. Timeliness determines the proper communication during the incident and what kind of tactics should be implemented during any physical or logical attack. Security is one of the costlier businesses on the organization that involves the qualified manpower, technology and advance systems. Economy principle focused on balanced resource and technology along with the cost associated with it. So, these principles help in defining the effective and efficient tactics.

Work Cited:

Massachusetts Institute of Technology. (n.d.). BASIC PRINCIPLES OF INFORMATION PROTECTION. Retrieved October 06, 2015, from Web.mit.edu: http://web.mit.edu/Saltzer/www/publications/protection/Basic.html

MIT Technology Review. (2015, August 15). The 20 Most Infamous Cyberattacks of the 21st Century (Part II). Retrieved October 06, 2015, from MIT Technology Review: http://www.technologyreview.com/view/540791/the-20-most-infamous-cyberattacks-of-the-21st-century-part-ii/

Week 10- Why Security as part of SDLC?

Traditional software development believes security as Band-Aid or add-on features after the programming is completed. Modern day product development does incorporate security as part of the SDLC phases. In any business without the secure product, business cannot run as it creates much more risk and the loss in return of investment (ROI). So, incorporating security as part of software development life-cycle will help in identifying all associated risk to the product, potential integration challenges, framework necessary for the product or re-usability of the existing framework, and predetermines the work necessary for the parallel security integration with the software development and testing. Involvement of security team in each phases, Analysis to production support will lower any rework, cost associated to it and the maintenance will be easy and cost effective.

Most of the software development approached the risk based solution, meaning the risks are identified during the planning phase along with the stakeholders and the delivery team. Once we clearly identify the problem that we are trying to solve and the risk associated, it much easier to develop, integrate, test and deliver the validated and verified software application to the client. Hence, identifying the risk and system vulnerabilities at the early phase requires a proper system security planning process and it can be done in the early phases of the planning and requirement gathering process (Kissel, et al., 2008). Due to the market competition and the fast software delivery approach most of the organizations are surging to agile framework and it is much easier to integrate the security as part of the spring cycle rather than lengthy waterfall process. Security requirements can be captured as technical user stories along with the functional stories and it will be much easier and thorough testing in this methodology. In addition, the pair programming has grate essence in developing and testing the product security and function at the same time which will leverage the software quality and the delivery in the agile sprint cycle. Most important including security in SDLC requires lot of meetings, minutes, decisions and documentation that are helpful during the line at the time of production support and training vs integrating the security as an ad-hoc feature late in the game without proper documentation and alignment.

So what does it mean to include security in SDLC for different teams involved? For a stakeholder it means safe and successful product and how it can be achieved through integration, meaning stakeholder’s involvement in pre analysis and during the development phases is equally important and intact to communicate whether the standards are met or not. For the project managers, Chief Information Security Officer (CISO) it is the process of working together to identify the organizational vision, set the industry and organizational standards, provide strategies and program for secure and sound software and maintain the cost effective program. For Core development delivery team, it is all about understanding the problem that we are trying to solve and approaches to deliver the right product in right way. This involves the sound requirement gathering and deliver to the team so that they can understand both functional and security aspect of it. This can be done using the process modeling tools and techniques and map the functional requirement with the security integration. This will help the development team to develop and unite test as one product rather than separate entity. For testing it means testing the integrated application end to end than letting it go without any security features. Bugs identified for any security holes can be fixed and promoted to the production that has testing approval and stamp is much easier to handle within the SDLC than later. For implementation, training and production support integration security within SDLC means proper, process, less work, good documentation and quick fix and support.

In Conclusion, building security as part of every phases of the SDLC will be beneficial to the users and the organization.

References

Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008, October). Security Considerations in the System Development Life Cycle. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

Week-9: Security policy implementation techniques

Implementing the new or updated policies in the companies can be hectic and troublesome as the outcomes cannot be predicted easily. Due to the failure in implementation plans, lack of involvement of responsible stakeholders, employees lack of understanding might be some of the causes of the failure. This week I am going to talk about the ways we can better implement the security policies in the organization:

Better Communication: 

Communicating the new policies to the employees is very important for the company. So these can be done using different techniques:

• Email communication (use features like “read” response back) 

• Town hall meeting for all current employees

• New hire orientation for all the new employees

• Awareness campaign and training sessions

• Involve executive directors for departmental visits and group conversation 

Involvement of Key stakeholders:

Involvement of the human resources and executive management can led to the smooth implementation of the security plans as these stakeholders are authoritative . HR and managers plays important role in implementing the new policies. One can have them involved in policy framework implementation plan  during every phase; review and approvals, publishing, awareness and training. Having their input makes the new policies more insightful and detailed as the new policies have to be in complying with some HR policies. Executives can play the roles of the gatekeeper as sometimes it is easier to implement the new policies when executives are involved. Executives and manager can enforce the policies to their respective department by sending the circulars and emails directly and this is more effective to implement and if they do not follow, managers can take action on those scenarios. 

Incorporate Security Awareness and Fun Training:

Security awareness and training cannot be more fun by lecturing and pointing hard to comply with the employees. Rather it should be make more fun, real time demonstration, make all the participants to participate by breaking the training sessions into smaller segments, smaller group, using audio video communication, and games. Providing the refreshments (food/drinks) helps attracting more participants. Games can be more interesting and adding the prizes will certainly add more participants to the training and also from compliance perspective it is efficient.  

Release a Monthly Organization Wide Newsletter for All:

A monthly newsletter will be beneficial for reaching out to the employees. In order to make the newsletter succinct only important messages will be included based on the executive’s approval. Make the newsletter interesting by using photographs, background colors, include some security quizzes and reward the employees who answers correct (movie ticket) by lucky draw. 

 Implement Security Reminders on System Login Screens for All:

This can be implemented using group policy formations. Group the employees based on the department and send the remainders as the first login, create screen savers and display the policies on active screens.

Incorporate On-Going Security Policy Maintenance for All:

When policies are updated or new changes are made they have to be reviewed and based on the feedback needs the upgrade and changes. Employees survey, HR and executive decision, interviewing the users are some techniques that can be used for review and feedback from employees. Logs and software can be used to track the compliance of the policies and progress can be measured every quarter by creating some metrics.

Obtain Employee Questions or Feedback for Policy Board:

For better auditing third party vendors could be employed to conduct the anonymous surveys. 

Week 8 - Increasing Mobile Cyber threats

These days there are barely some people who do not have smartphones and personal digital assistants (PDAs). These handy devices are more likable than carrying laptops as one can easily check emails, connect to social media, take photographs and communicate to the world. Also the devices are easy to carry in people’s pocket, handbags, and purses without any worries of weight and size. With lots of advantages and likelihood mobile devices are possessing growing threats to the personal data. Research shows that the number of vulnerabilities in mobile operating system (OS) increased in relative numbers since 2009 ( Ruggiero & Foote, 2011). The constant exposure to the public network, lack of security infrastructure, unnecessary apps download, Bluetooth connectivity, lack of encryption, connecting to the private network are some of the growing issues with the mobile devices and threats has been detected in growing numbers. Some of the data breaches shows following trends in mobile security vulnerabilities: 

1) Operating System and application Vulnerabilities (Crimeware): The costliest cybercrimes are caused by the faulty system and the use of the back doors and SQL injection by exploiting the weakness in the operating system, hardware, firmware, protocol, or services to access data or to access other networks.

2)Denial of Service: Another form of the system attack is Denial of the service (DoS) which is caused by the weakness in the transit node commonly called “Ping of Death” or malfunction sending data into black hole. 

3)Cyberespionage (Phishing): Phishing is a firm of the fraud in which the attacker tries to learn sensitive information such as username, password, account information by impersonating a business or person in email, IM or other form of communication. 

4)Weak Security Controls: With the growing apps and websites the security has been vulnerable and proper testing techniques has been limited enforcing the manual testing as primary testing techniques. Sometime security is treated as separate entity and through validation is not made. 

5)Acts of human error of failure: Inexperience, improper training, mistake of incorrect assumption, sending the information to the wrong recipient, not understanding the security controls, policies an standards are common accidental human error that happens every day in the work environment and it is causing the big percentage of cyber-attacks. Connecting the devices with the organization network, sharing network password and connecting the personal phones to the network are common mistakes the employee make. 

In conclusion, modern day cybercrimes have diverse motives and are carried over different business domains including mobile operating systems. These enterprise systems and data are being targeted in various ways; Crimeware, Cyberespionage, denial of services, human errors, weak security control. Since it is impacting everyone we must tackle against it by raising the awareness, patching  systems properly, creating new security innovations, using firewalls for the VPN connections and using encrypted file and email system, preventing public Wi-Fi connections.

References

Ruggiero , P., & Foote, J. (2011). Cyber Threats to Mobile Phones. (C. M. University, Producer) Retrieved February 07, 2016, from US-CERT: https://www.us-cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf

Week 7 - Risk Analysis and Management in IT Industries

For week 7 we are learning the Risk Management life-cycle, I choose to research more on the current trends of risk management in IT Industries. Risk analysis and management are very essential topics in the IT industry as risk determines the implementation approach and timelines.  A risk assessment helps organizations ensure they are compliant with regulatory mandates. With baseline risk management standards, risk analysis helps to determine the implementation of the safeguards contained in the security rule; we can say that risk analysis is one of the important processes of security management process. 

A risk analysis process includes, but is not limited to, the following activities:

1) Calculate the possibilities and impact of the potential risks to important personal health information (Risk Score Calculation).

2) Identify the appropriate security framework to address the risks identified during risk analysis

3) Document the security framework and compliance of the infrastructure

4) Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to systems and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to information.  With the secure system and environment, the organizations can achieve their business goal. All the applications that are used to communicate with the secured information needs to be protected with strong security plan. Following are some of the security rules that organizations can include to safeguard the systems and assets:

•Implement Security Management Process:  Organizations has to perform the risk analysis and implement the security measures that reduce the risks and vulnerability to organization assets and the infrastructure.

•Assign security personnel: security official who is responsible for developing and implementing organizational security policies and procedures has to be assigned.

•Information Access Management: Secured measures have to be implemented in order to safeguard the accessibility of the information. Policies and standards helps in maintaining the access management to the employees, external partners and other sectors. 

•Workforce Training and Management: Organizations must train all workforce members regarding its security policies and procedures and must have and apply appropriate sanctions against workforce members who violate its policies and procedures.

•Evaluation: A periodic assessment of how well security policies and procedures meet the requirements of the Security Rule has to be evaluated and necessary updates have to be documented.

• Facility Access and Control. Authorized access has to be maintained to access the physical facilities.

•Workstation and Device Security: Organization must implement policies and procedures to specify proper use of and access to workstations and electronic media. Enterprise also must have in place policies and procedures regarding the transfer, removal, disposal, and re-use of electronic media, to ensure appropriate protection of electronic protected health information.

•Access Control: Organization must implement technical policies and procedures that allow only authorized persons to access electronic protected health information. Access to the software and system has to be the role based access.

•Audit Controls: Organizations must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use personal information. Internal and External audit help to maintain the reliability and compliance of the organization with standard laws.

Works Cited

American Medical Association. (n.d.). Security Standards and Risk Analysis. Retrieved September 24, 2015, from http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/security-standards.page?

Cornell University Law School. (n.d.). 42 U.S. Code § 1320d–5 - General penalty for failure to comply with requirements and standards. Retrieved September 24, 2015, from Legal Information Institute: https://www.law.cornell.edu/uscode/text/42/1320d-5

Health IT.gov. (n.d.). Security Risk Assessment. Retrieved September 24, 2015, from http://www.healthit.gov/providers-professionals/security-risk-assessment-tool

Week 6- Security Risk of Using Personal Devices while travelling in public transportation

Research conducted by PublicTransportation.org concluded, "In the year 2013 Americans took 10.7 billion trips in the public transportation" proving the record high ridership. In the world, of all trips made to and from work  35% use public transportation and underdeveloped countries are at high end of using public transportation, Whether the intent is to commute to work or non work related, most of commuters use mobile devices for communication, browsing, listening music, taking photographs, playing games etc. While using these devices some way or other these devices use the public networks which are unsecured and posses high risk of security. Public transportation commuters are even accessing the company data on the unsecured and unknown networks. Unsecured data can easily be exploited by the elite hackers using the public Wi-Fi networks and use them against the company security data networks. Some travelers even use the public network for the company task while travelling and or talking to the colleague regarding important work related data posses threats in company privacy policy. 

It is equally important to protect the personal information while using these mobile devices because you never know who you are travelling with and using the cellular phones or laptops or tablets openly gives opportunity to the criminals. Openly texting, entering personally identifiable information, entering banking information, displaying work related information while  travelling in the public transportation should strictly be  considered as vulnerable. On the other hand, if  any suspicion is occurred that someone is watching your messages, works then you should confront the individual asking the intent and report the issue to concerned authority if unusual behavior is noticed. If you feel company data is shared then the action should be notified to the security team as soon as possible. 

With increasing Security risk, companies are moving towards "Bring Your Own Device (BOYD)" policies  which will force security team to conquer mobile device management in order to maintain the company data and network security. 

To conclude, using mobile device in public transportation should be strictly be monitored and using company data in public networks should strictly prohibited. If any suspicious activities are noticed, confront them to ask the privacy of the usage and if in any case company data is compromised then notify  to the IT security team as soon as possible. 

References:

http://www.worldmapper.org/posters/worldmapper_map142_ver5.pdf

http://www.publictransportation.org/news/facts/Pages/default.aspx

Week 5 :Business Internet/email use policies- Legal and ethical issues of an employer being able to monitor the computer use/emails of employees-

Since we are deep diving the security policies this week, I would like to discuss the business internet/email policies. Some organizations keep an eye on it's employee, what they are doing during and off work.Monitoring has both benefits and impact to the organization and employee. I am discussing some legan and ethical issues of an employer being able to monitor the computer use or email use of an employee.

As we all know, the Company owns the rights to all data and files in any computer, network, or other information system used in the Company. It also reserves the power of retrieving the data sent or received by the employee using the company internet access or company’s property. The company has always closed monitored in its employees and to all data and files sent or received either personal or professional. Employees must be fully aware of the discipline of the company. They must know that the electronic mail, messages which are sent or received though the company’s internet or web base application can be traced and view by the company officials at any time without any notice. There is no expectation of privacy in any information or activity conducted, sent, performed, or viewed on or with Company equipment or Internet access (www.twc.state.tx.us). It is completely clear that using of the internet at office by the employees during the working hour is totally unacceptable, however I believe that there is always a pros and cons for such kind of cases.

Employers has started to put close monitoring on their employee due to excess increase in cyber loafing and lawsuits through the new inventive technologies. At the same time both parties are clear regarding the ethical implications of constant monitoring. The company does monitoring on its employee’s action to closely monitor the work productivity and the efficacy. At the same time monitoring also helps to track the actual amount of time they spend on the work and or sitting idle.

Computer monitoring also allows the employer to keep records of the employees’ performance, and provides the information required to set the company’s performance standard and helps in the appraisal review process. Not only this it also allows the employer to keep closer look on the employees’ access to information about their own level of performance and also give an access to employees to judge their own level of performance. It also helps to create the flexibility in work location by allowing the employee to telecommute or" flex time".

On the contrary, Employer feels the pressure of working under the hostile environment and feeling of invasion in their territory. Because of the unfriendly environment the productivity of the company might not meet the company’s standard. Monitoring is intrusive and has a high potential risk for abuse in the companies’ employer (Mishra & Crampton, 1998). Since the employees can have direct access to track of each and everything they can use it against the employee. The monitored employees are also likely to have less control over their jobs, monitor work load pressures, more arguable interaction with the customers and less fairness of their work. With the major increase in stress it has also been found employee reporting the psychological and physical health issues.

Works Cited

Department of Health and Human Services. (n.d.). Security Standards: Technical Safeguards. Retrieved October 06, 2015, from http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf

Mishra, ,. J., & Crampton, S. M. (1998). EMPLOYEE MONITORING: PRIVACY IN THE WORKPLACE? Retrieved from http://faculty.bus.olemiss.edu/breithel/final%20backup%20of%20bus620%20summer%202000%20from%20mba%20server/frankie_gulledge/employee_workplace_monitoring/employee_monitoring_privacy_in_the_workplace.htm

www.twc.state.tx.us. (n.d.). INTERNET, E-MAIL, AND COMPUTER USE POLICY. Retrieved from http://www.twc.state.tx.us/news/efte/internetpolicy.html