Sunday, February 28, 2016

Week 11- Tactical principles in Security Planning

Business success can only be achieved when an organization can show how it differs from its competitors. This is often called the organization's competitive strategy. Whether the strategy is being accomplished can be measured by examining the process used to pursue it: tactics. Tactics help a business understand how its goals can be accomplished; they are the countermeasures the organization will take if certain situations arise. In order to implement the right tactics, the objectives have to be identified, and principles are what identify the objectives.

In order to accomplish the organization's targeted objectives, the security strategic plan has to be strong and successfully implemented. Such plans can only succeed with proper tactical and operational plans. Resource planning, time, and technology help achieve the tactical objectives of security strategic planning. Observation, timeliness, and economy are the top principles of security management, as they provide insight into sufficient information, response time, and the balance between the cost of technology and the cost of process. These principles drive the tactical implementation of the security framework. With the observation principle we can collect enough information to secure the perimeter and build a strong wall against attack. Timeliness determines proper communication during an incident and what tactics should be applied during a physical or logical attack. Security is one of the costlier functions in an organization, as it involves qualified manpower, technology, and advanced systems. The economy principle focuses on balancing resources and technology against the cost associated with them. So, these principles help in defining effective and efficient tactics.

Work Cited:
Massachusetts Institute of Technology. (n.d.). BASIC PRINCIPLES OF INFORMATION PROTECTION. Retrieved October 06, 2015, from Web.mit.edu: http://web.mit.edu/Saltzer/www/publications/protection/Basic.html
MIT Technology Review. (2015, August 15). The 20 Most Infamous Cyberattacks of the 21st Century (Part II). Retrieved October 06, 2015, from MIT Technology Review: http://www.technologyreview.com/view/540791/the-20-most-infamous-cyberattacks-of-the-21st-century-part-ii/


Sunday, February 21, 2016

Week 10- Why Security as part of SDLC?

Traditional software development treats security as a Band-Aid or add-on feature applied after the programming is completed. Modern product development incorporates security into the SDLC phases. Without a secure product a business cannot run, as the product creates much more risk and a loss in return on investment (ROI). So, incorporating security as part of the software development life cycle helps identify all risks associated with the product, potential integration challenges, the framework necessary for the product (or reuse of an existing framework), and the work necessary to integrate security in parallel with software development and testing. Involving the security team in each phase, from analysis to production support, lowers rework and its associated cost, and makes maintenance easier and more cost effective.
Most software development now takes a risk-based approach, meaning the risks are identified during the planning phase together with the stakeholders and the delivery team. Once we clearly identify the problem we are trying to solve and the risk associated with it, it is much easier to develop, integrate, test, and deliver a validated and verified software application to the client. Hence, identifying risks and system vulnerabilities early requires a proper system security planning process, which can be carried out in the early planning and requirement-gathering phases (Kissel, et al., 2008). Due to market competition and the push for fast software delivery, most organizations are moving to an agile framework, and it is much easier to integrate security into the sprint cycle than into a lengthy waterfall process. Security requirements can be captured as technical user stories alongside the functional stories, which makes testing easier and more thorough in this methodology. In addition, pair programming is of great value in developing and testing the product's security and functionality at the same time, which improves software quality and delivery within the agile sprint cycle. Most importantly, including security in the SDLC requires many meetings, minutes, decisions, and documents that are helpful down the line during production support and training, compared with integrating security as an ad-hoc feature late in the game without proper documentation and alignment.
So what does including security in the SDLC mean for the different teams involved? For a stakeholder it means a safe and successful product and an understanding of how that is achieved through integration; the stakeholder's involvement in pre-analysis and during the development phases is equally important for communicating whether the standards are met. For project managers and the Chief Information Security Officer (CISO), it is the process of working together to identify the organizational vision, set the industry and organizational standards, provide strategies and a program for secure and sound software, and maintain a cost-effective program. For the core development delivery team, it is all about understanding the problem we are trying to solve and the approaches to delivering the right product in the right way. This involves sound requirement gathering and delivery to the team so that they understand both the functional and the security aspects. This can be done using process modeling tools and techniques, mapping the functional requirements to the security integration. This helps the development team develop and unit test one product rather than separate entities. For testing it means testing the integrated application end to end rather than letting it go without any security features. Bugs identified for security holes can be fixed and promoted to production with testing approval, which is much easier to handle within the SDLC than later. For implementation, training, and production support, integrating security within the SDLC means a proper process, less work, good documentation, and quick fixes and support.
In conclusion, building security into every phase of the SDLC will be beneficial to the users and the organization.

References

Kissel, R., Stine, K., Scholl, M., Rossman, H., Fahlsing, J., & Gulick, J. (2008, October). Security Considerations in the System Development Life Cycle. Retrieved from National Institute of Standards and Technology: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

Sunday, February 14, 2016

Week-9: Security policy implementation techniques

Implementing new or updated policies in a company can be hectic and troublesome, as the outcomes cannot be predicted easily. Failure in implementation plans, lack of involvement of responsible stakeholders, and employees' lack of understanding may be some of the causes of failure. This week I am going to talk about ways we can better implement security policies in an organization:

Better Communication:
Communicating new policies to employees is very important for the company. This can be done using several techniques:
Email communication (use features like a "read" response back)
Town hall meetings for all current employees
New hire orientation for all new employees
Awareness campaigns and training sessions
Involving executive directors in departmental visits and group conversations

Involvement of Key stakeholders:

Involvement of human resources and executive management can lead to smooth implementation of the security plans, as these stakeholders are authoritative. HR and managers play an important role in implementing new policies. One can involve them in the policy framework implementation plan during every phase: review and approvals, publishing, awareness, and training. Having their input makes the new policies more insightful and detailed, as the new policies have to comply with some HR policies. Executives can play the role of gatekeeper, as it is sometimes easier to implement new policies when executives are involved. Executives and managers can enforce the policies in their respective departments by sending circulars and emails directly; this is a more effective way to implement them, and if employees do not follow the policies, managers can take action in those scenarios.

Incorporate Security Awareness and Fun Training:

Security awareness and training cannot be made fun by lecturing and pressing hard on employees to comply. Rather, it should be made more engaging with real-time demonstrations, getting all participants involved by breaking the training sessions into smaller segments and smaller groups, and using audio-video material and games. Providing refreshments (food/drinks) helps attract more participants. Games can be more interesting, and adding prizes will certainly draw more participants to the training, which is also efficient from a compliance perspective.

Release a Monthly Organization Wide Newsletter for All:

A monthly newsletter will be beneficial for reaching out to employees. In order to keep the newsletter succinct, only important messages will be included, based on the executives' approval. Make the newsletter interesting by using photographs and background colors, include some security quizzes, and reward employees who answer correctly (for example, a movie ticket) by lucky draw.

Implement Security Reminders on System Login Screens for All:

This can be implemented using group policy. Group the employees by department and send the reminders at first login, create screen savers, and display the policies on active screens.
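The login-screen reminder described above is, on Windows, the interactive logon message that a domain group policy ("Interactive logon: Message title / Message text for users attempting to log on") pushes to every machine. The following PowerShell is an added example written for this post, not code from the original, and it sets the two registry values behind that policy on a single host so an administrator can preview the banner before rolling it out through a GPO; the caption and text wording are assumed placeholders.

```powershell
# Added example: set the Windows interactive logon banner on one host.
# These two values are what the "Interactive logon: Message title/text"
# security policy writes; in a domain, set them once in a GPO instead of
# editing registry values machine by machine. Requires an elevated shell.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Assumed wording for the reminder (replace with the organization's approved text).
$caption = 'Security Policy Reminder'
$text    = 'This system is for authorized use only. Activity may be monitored. ' +
           'By logging on you agree to comply with the company security policy.'

# Write the banner title and body; the user must click through it at logon.
Set-ItemProperty -Path $policyKey -Name 'LegalNoticeCaption' -Value $caption -Type String
Set-ItemProperty -Path $policyKey -Name 'LegalNoticeText'    -Value $text    -Type String

# Read the values back so the change can be confirmed (and audited) before a GPO rollout.
Get-ItemProperty -Path $policyKey | Select-Object LegalNoticeCaption, LegalNoticeText
```

Because a banner shows on every logon, keeping it short (two or three sentences, as above) is what keeps users reading it rather than clicking past it; longer policy text belongs in the newsletter or training material, with the banner pointing to it.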

Incorporate On-Going Security Policy Maintenance for All:

When policies are updated or new changes are made, they have to be reviewed, and upgrades and changes should be made based on the feedback. Employee surveys, HR and executive decisions, and interviewing users are some techniques that can be used to gather review and feedback from employees. Logs and software can be used to track compliance with the policies, and progress can be measured every quarter by defining some metrics.

Obtain Employee Questions or Feedback for Policy Board:

For better auditing, third-party vendors could be employed to conduct anonymous surveys.

Sunday, February 7, 2016

Week 8 - Increasing Mobile Cyber threats

These days there are few people who do not have smartphones or personal digital assistants (PDAs). These handy devices are preferable to carrying laptops, as one can easily check email, connect to social media, take photographs, and communicate with the world. The devices also fit easily in people's pockets, handbags, and purses without any worries about weight and size. Along with their many advantages and popularity, mobile devices pose growing threats to personal data. Research shows that the number of vulnerabilities in mobile operating systems (OS) has increased in relative terms since 2009 (Ruggiero & Foote, 2011). Constant exposure to public networks, lack of security infrastructure, unnecessary app downloads, Bluetooth connectivity, lack of encryption, and connecting to private networks are some of the growing issues with mobile devices, and threats are being detected in growing numbers. Data breaches show the following trends in mobile security vulnerabilities:
1) Operating System and Application Vulnerabilities (Crimeware): The costliest cybercrimes are caused by faulty systems and the use of back doors and SQL injection, exploiting weaknesses in the operating system, hardware, firmware, protocols, or services to access data or to reach other networks.
2) Denial of Service: Another form of system attack is denial of service (DoS), which is caused by a weakness in a transit node, commonly called the "Ping of Death", or by a malfunction that sends data into a black hole.
3) Cyberespionage (Phishing): Phishing is a form of fraud in which the attacker tries to learn sensitive information such as usernames, passwords, and account information by impersonating a business or person in email, IM, or another form of communication.
4) Weak Security Controls: With the growing number of apps and websites, security has become more vulnerable, and proper testing techniques have been limited, leaving manual testing as the primary testing technique. Sometimes security is treated as a separate entity and thorough validation is not performed.
5) Acts of Human Error or Failure: Inexperience, improper training, mistakes based on incorrect assumptions, sending information to the wrong recipient, and not understanding the security controls, policies, and standards are common accidental human errors that happen every day in the work environment, and they cause a large percentage of cyber-attacks. Connecting devices to the organization's network, sharing network passwords, and connecting personal phones to the network are common mistakes employees make.
In conclusion, modern cybercrimes have diverse motives and are carried out across different business domains, including mobile operating systems. These enterprise systems and data are targeted in various ways: crimeware, cyberespionage, denial of service, human error, and weak security controls. Since it impacts everyone, we must tackle it by raising awareness, patching systems properly, creating new security innovations, using firewalls for VPN connections, using encrypted file and email systems, and avoiding public Wi-Fi connections.

References

Ruggiero, P., & Foote, J. (2011). Cyber Threats to Mobile Phones. (C. M. University, Producer) Retrieved February 07, 2016, from US-CERT: https://www.us-cert.gov/sites/default/files/publications/cyber_threats-to_mobile_phones.pdf