Information Security Framework, Essay Example
The first question to settle is why an information security management framework is being established within the organization. Related questions include whether the organization holds customer data and whether it maintains highly sensitive information such as credit card numbers. Once these questions are answered, the framework can be established. The initial requirement, however, is to identify the risks associated with critical information assets, tangible or intangible, within the organization. After all critical assets have been identified, the stakeholders of each system and application must be brought on board so that system and data owners can be established. The factors involved in securing information assets are described below:
The objective is to make the system secure against threats and vulnerabilities, and the methodology produces a defined output at each stage. The first factor is to analyze the boundaries of the network and information system resources and the exchange of information within the enterprise network; gathering this information lays the foundation for risk analysis. System-related information includes hardware, software, data, IT support staff, the processes performed on the network, mission-critical systems and data sensitivity. The operational environment of the enterprise network includes network design and topology, security architecture, system users, the functionality of the network, the methods used to protect the confidentiality, integrity and availability of data, the inputs and outputs of the network, management controls, security controls, physical security and environmental security controls (Purser, n.d.). The outputs of this stage are the system boundaries, the system functionality, the criticality of the system and its data, and the sensitivity of the system and its data.
The second factor is to analyze potential threats to the network. When analyzing threats, it is essential to consider every potential threat and threat source that may disrupt or harm the network and information systems. Common natural threats are floods, tornadoes and earthquakes. Common human threats include hacking, cybercrime, viruses and other malicious software, unauthorized access to the organization's critical data, and other deliberate actions. Environmental threats include sustained power failure, chemical leakage and liquid spilled on a computing component. The output of this factor is a list of the potential threats that may disrupt the network and information systems in the future.
The third factor is to analyze possible vulnerabilities within the network: the weaknesses and flaws currently present in the network security architecture. Vulnerability assessment is not an easy task, since some history of the network is required to perform it. If the network is operational, a thorough analysis of its security features and controls is conducted, covering both the technical and the procedural elements that protect it. Previous risk assessment reports, audit reports, system anomaly reports, network evaluation reports and network testing reports are considered, together with vendor advisories, vulnerability bulletins (such as those issued for military systems) and the history of previous security breaches within the network. Penetration testing is also used: an attempt to breach the network by overcoming the current security infrastructure, in order to test the existing security measures for vulnerabilities. It is conducted by network security professionals to identify any weakness that could become a gateway for attackers in the future. The output of this factor is a list of the potential vulnerabilities identified.
The fourth factor is to identify and evaluate the controls the organization has implemented, or plans to implement, to reduce the likelihood that a threat exercises a vulnerability. Controls fall into two categories. Technical controls consist of software or hardware that protect the network, for example intrusion detection systems, firewalls, and identification and authentication software; they require technical expertise. Non-technical controls consist of management and operational controls, for example security policies, management policies, and personnel and physical security. The output of this factor is the list of current and planned controls. The list is built from a security requirements checklist and is used to validate compliance and non-compliance with those requirements. It is essential to keep the list of technical and non-technical controls up to date so that the validation of current and planned controls remains accurate.
The fifth factor is to rate the likelihood that a potential vulnerability is exercised, by evaluating the motivation and capability of the threat source, the nature of the vulnerability and the effectiveness of current controls. The rating is categorized as high, medium or low. High means that the threat source is highly motivated and sufficiently capable, and the current controls are insufficient to prevent the vulnerability from being exercised. Medium means that the threat source is motivated and capable, but controls are in place that may impede it. Low means that the threat source lacks motivation or capability, or that controls are in place which prevent, or at least significantly impede, the vulnerability from being exercised. The output of this factor is a likelihood rating for each vulnerability on three levels: high, medium and low.
The sixth factor is the adverse impact that would result from a threat successfully exercising a vulnerability. The impact analysis considers the current processes of the enterprise network, mission-critical data and systems, and data and system sensitivity. The information can be drawn from previous impact analysis reports or from the existing documentation of the enterprise network. Impact analysis prioritizes the impact levels associated with the compromise of the organization's assets and is based on an assessment of the loss of data integrity, availability and confidentiality. The outputs of this stage are the rated and prioritized impacts. The adverse impacts considered are:
- Loss of data integrity
- Loss of data availability
- Loss of data confidentiality
The seventh factor is to determine the risk for each specific threat and vulnerability pair. The process combines the likelihood that a threat source attempts to exercise a specific vulnerability, the magnitude of the impact should it succeed, and the adequacy of the current security controls in reducing the risk. The result is the risk associated with each pair, expressed as a risk level, so that risks can be prioritized by the severity and criticality of their impact on the network and systems.
Factor eight is the recommendation of processes and controls to mitigate the risks identified to the organization's operations. The objective is to reduce the level of risk to the network and systems to an acceptable level. The elements considered when recommending controls are:
- Effectiveness of the recommended options
- Legislation and regulation
- Organizational policy
- Operational impact
- Safety and reliability
The output of this factor is the set of recommended controls, which must be implemented to secure the network and systems against the potential threats and vulnerabilities identified.
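Factors 5 to 8 above are a single procedure: rate likelihood, rate impact, combine them into a risk level, then recommend controls and look at what risk remains. The following Python is an added example, not part of the essay, that runs that procedure over constructed threat/vulnerability pairs. The likelihood weights, impact values and low/medium/high bands are taken from the NIST SP 800-30 scale, which the essay does not cite, so that choice is an assumption; the control catalogue and the sample pairs are invented for the example.

```python
"""Added example (not from the essay): factors 5 to 8 of the methodology above,
run over constructed threat/vulnerability pairs. The likelihood weights, impact
values and risk bands follow NIST SP 800-30, which the essay does not cite; that
choice of scale is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Factor 5 weights (x10 to stay in integer arithmetic) and factor 6 impact values.
LIKELIHOOD_WEIGHT = {"high": 10, "medium": 5, "low": 1}
IMPACT_VALUE = {"high": 100, "medium": 50, "low": 10}
LEVEL_ORDER = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Control:
    """A current or recommended control (factor 4). `effective` is the result of
    validating it against the security requirements checklist."""
    name: str
    technical: bool   # True: firewall, IDS, authentication; False: policy, personnel, physical
    effective: bool


@dataclass(frozen=True)
class ThreatVulnPair:
    threat_source: str                    # factor 2
    vulnerability: str                    # factor 3
    capable: bool                         # factor 5: source is motivated and sufficiently capable
    impact: str                           # factor 6: loss of C, I or A rated low/medium/high
    controls: Tuple[Control, ...] = ()    # factor 4: controls addressing this pair


def likelihood(pair: ThreatVulnPair) -> str:
    """Factor 5: how likely the threat source is to exercise the vulnerability."""
    if not pair.capable:
        return "low"        # source lacks motivation or capability
    if any(c.effective for c in pair.controls):
        return "medium"     # capable source, but a validated control may impede it
    return "high"           # capable source, controls absent or ineffective


def risk_level(lik: str, impact: str) -> Tuple[int, str]:
    """Factor 7: likelihood x impact, banded as low (1-10), medium (11-50), high (51-100)."""
    score = LIKELIHOOD_WEIGHT[lik] * IMPACT_VALUE[impact] // 10
    level = "high" if score > 50 else "medium" if score > 10 else "low"
    return score, level


def assess(pairs: List[ThreatVulnPair]) -> List[dict]:
    """Factors 5 to 7 for every pair, prioritised with the most severe first."""
    rows = []
    for p in pairs:
        lik = likelihood(p)
        score, level = risk_level(lik, p.impact)
        rows.append({"pair": p, "likelihood": lik, "score": score, "risk": level})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Hypothetical catalogue mapping a vulnerability to the control that addresses it.
RECOMMENDED: Dict[str, Control] = {
    "unpatched internet-facing web server": Control("patch management", True, True),
    "single mains feed": Control("second utility feed", True, True),
}


def recommend(pairs: List[ThreatVulnPair], acceptable: str = "medium") -> List[dict]:
    """Factor 8: for each risk above the acceptable level, propose a control and
    re-run factors 5 to 7 with it in place to show the residual risk."""
    out = []
    for row in assess(pairs):
        if LEVEL_ORDER[row["risk"]] <= LEVEL_ORDER[acceptable]:
            continue
        p = row["pair"]
        ctl = RECOMMENDED.get(p.vulnerability)
        residual = None
        if ctl is not None:
            with_ctl = ThreatVulnPair(p.threat_source, p.vulnerability, p.capable,
                                      p.impact, p.controls + (ctl,))
            residual = risk_level(likelihood(with_ctl), with_ctl.impact)[1]
        out.append({"vulnerability": p.vulnerability, "current_risk": row["risk"],
                    "recommended": ctl.name if ctl else None, "residual_risk": residual})
    return out


# Constructed sample pairs; none of these describe a real system.
SAMPLE = [
    ThreatVulnPair("external attacker", "unpatched internet-facing web server", True, "high",
                   (Control("perimeter firewall", True, False),)),  # HTTPS is allowed through
    ThreatVulnPair("malicious insider", "broad read access to payroll database", True, "medium",
                   (Control("database activity logging and alerting", True, True),)),
    ThreatVulnPair("flood", "server room on ground floor", False, "high"),
    ThreatVulnPair("utility power failure", "single mains feed", True, "low",
                   (Control("UPS and generator", True, True),)),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f'{r["risk"]:>6} {r["score"]:>4}  {r["pair"].threat_source} -> {r["pair"].vulnerability}')
    for r in recommend(SAMPLE):
        print(r)
```

Two points the essay's prose does not make explicit come out in the code: a control only lowers likelihood if it was validated as effective at factor 4 (the perimeter firewall above is present but does nothing against a web exploit on an allowed port), and a recommended control does not eliminate a risk, it moves it to a residual level that the organization then has to accept or treat further.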
Information Security Risk Management
Here the procedure is defined as a multi-stage process supported by a set of form templates. As a result, it is simple and easy to use once it has been understood. The stages are defined below:
- Select and scope the information assets to include.
- Gather some basic information about each asset selected.
- Identify areas of risk with the help of questionnaire.
- Formulate and record specific details of risk.
- Record the risk in the risk log.
- Periodically review the risk log and manage risks.
Initially, risks are identified with the help of the forms mentioned here, and risk identification can be carried out as a team exercise. Equally important, certain forms and stages can be skipped when appropriate. For instance, a new risk relating to a previously evaluated asset can be added to the risk log without repeating the earlier review stages and their forms. However, the questionnaires and the other procedures should be used in full when an asset is evaluated for the first time.
Scoping and Selection of Incorporated Information Assets
In the first stage, the information assets whose risks are to be identified are selected and scheduled for evaluation. The team should acknowledge and agree on the assets that are important for the business (Krause Nozaki & Tipton). The level of granularity should be chosen wisely in order to work efficiently, so that the total number of assets to be assessed is manageable. It is also possible to evaluate similar information assets as a group rather than assessing each component individually. Once the team leader is satisfied with the scope, the process proceeds to stage 2 and basic information is collected about each asset.
Information Gathering for Each Identified Asset
The basic information recorded for each asset is as follows:
- The purpose of evaluating the asset.
- The physical location of the asset, for example the name of a building.
- The type of information involved and whether it is stored, transferred or processed.
- Whether personal or sensitive data relating to living individuals is held, so that compliance with the Data Protection Act can be ensured.
- Any information systems provided externally by another department.
- The longest period for which the asset, or group of assets, could be unavailable, recorded as the 'Maximum Tolerable Time'.
Risk Identification via Questionnaires
This stage is the center of the InfoSec Risk Management procedure. Threats with very little or no probability are not considered here; rather than trying to predict every threat that might arise, the assessment works systematically through the points below:
- How a wide range of threats might affect an information asset.
- The measures in place to help avoid problems happening.
- How recovery would be achieved should a threat be realized.
The purpose of these questions is to highlight the areas that might be at risk. By considering them, the team can decide which significant risks or threats could negatively affect the information system being assessed.
Formulation and Recording of Specific Risks
At this stage specific details about the identified areas of risk are added and recorded in the risk log: a brief description of each risk identified and the details relating to it. The estimated life of the asset and the planned actions are also recorded at this stage.
Managing the Risk Log
A risk log (or risk journal) is a helpful aid to managing risk thoroughly. The risks identified at stage 4 are recorded in it, so that previously recorded risks can be revisited from time to time.
Periodic Risk Management and Log Review
From time to time the risk log, with the identified risks, is reviewed in the presence of senior management. The review covers the following points:
- Recent issues or risks must be highlighted.
- Existing entries in the risk log must be verified.
- The controls and the likelihood of each risk must be reviewed.
- Planned mitigation measures and their effects must be reviewed.
- Details of newly planned mitigation must be recorded.
- Proposed mitigation must be recorded and considered.
- Estimates of each risk's likelihood and impact must be revised.
- Responsibility for each risk must be assigned to the right owner.
- Risks that have been accepted, ceased, covered or transferred must be marked as such in the risk log.
- The summary and history of events must be updated in the risk log.
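Stages 4 to 6 describe a risk log and its periodic review. The Python below is an added example, not taken from the essay or from the cited handbooks, of the minimum such a log needs to enforce: every entry has an owner, ratings are restricted to the three levels, a closed risk (accepted, ceased, covered or transferred) can only be reopened rather than silently moved between final states, every review appends to the entry's history, and the planned recovery time is compared against the Maximum Tolerable Time recorded at stage 2. The field names, the 90-day review interval, the two sample entries and their dates are assumptions constructed for the example.

```python
"""Added example (not from the essay): a minimal risk log implementing stages 4 to 6
above. Field names, the review interval and the sample entries are assumptions."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

LEVELS = ("low", "medium", "high")
FINAL_STATES = {"accepted", "ceased", "covered", "transferred"}   # from the review list
VALID_STATES = FINAL_STATES | {"open"}


def transition_allowed(current: str, new: str) -> bool:
    """An open risk may move to any final state; a closed risk may only be reopened."""
    return new in VALID_STATES and (current == "open" or new == "open")


@dataclass
class RiskEntry:
    risk_id: str
    asset: str
    description: str                  # stage 4: brief description of the risk identified
    owner: str                        # stage 6: the risk must sit with the right owner
    likelihood: str
    impact: str
    last_reviewed: date
    review_interval_days: int = 90
    status: str = "open"
    max_tolerable_hours: Optional[int] = None    # stage 2: Maximum Tolerable Time
    planned_recovery_hours: Optional[int] = None
    planned_mitigation: List[str] = field(default_factory=list)
    history: List[str] = field(default_factory=list)   # stage 6: summary and history


class RiskLog:
    def __init__(self) -> None:
        self.entries: Dict[str, RiskEntry] = {}

    def record(self, e: RiskEntry) -> None:
        """Stage 5: add a formulated risk; ids unique, ratings valid, owner present."""
        if e.risk_id in self.entries:
            raise ValueError(f"duplicate risk id {e.risk_id}")
        if e.likelihood not in LEVELS or e.impact not in LEVELS or e.status not in VALID_STATES:
            raise ValueError(f"{e.risk_id}: invalid rating or status")
        if not e.owner:
            raise ValueError(f"{e.risk_id}: every risk needs an owner")
        e.history.append(f"{e.last_reviewed}: recorded, owner {e.owner}")
        self.entries[e.risk_id] = e

    def due_for_review(self, today: date) -> List[str]:
        """Stage 6: open risks whose review interval has elapsed."""
        return sorted(rid for rid, e in self.entries.items() if e.status == "open"
                      and e.last_reviewed + timedelta(days=e.review_interval_days) <= today)

    def recovery_exceeds_tolerance(self) -> List[str]:
        """Open risks whose planned recovery would outlast the Maximum Tolerable Time."""
        return sorted(rid for rid, e in self.entries.items()
                      if e.status == "open" and e.max_tolerable_hours is not None
                      and e.planned_recovery_hours is not None
                      and e.planned_recovery_hours > e.max_tolerable_hours)

    def review(self, risk_id: str, today: date, *, likelihood: Optional[str] = None,
               impact: Optional[str] = None, status: Optional[str] = None,
               mitigation: Optional[str] = None, note: str = "") -> RiskEntry:
        """Stage 6: apply one review outcome and append it to the entry's history."""
        e, changes = self.entries[risk_id], []
        for name, new in (("likelihood", likelihood), ("impact", impact)):
            if new is not None and new != getattr(e, name):
                if new not in LEVELS:
                    raise ValueError(f"{risk_id}: invalid {name} {new!r}")
                changes.append(f"{name} {getattr(e, name)}->{new}")
                setattr(e, name, new)
        if mitigation:
            e.planned_mitigation.append(mitigation)
            changes.append(f"mitigation planned: {mitigation}")
        if status is not None and status != e.status:
            if not transition_allowed(e.status, status):
                raise ValueError(f"{risk_id}: cannot move from {e.status} to {status}")
            changes.append(f"status {e.status}->{status}")
            e.status = status
        e.last_reviewed = today
        detail = "; ".join(changes) if changes else "no change"
        e.history.append(f"{today}: reviewed by {e.owner}; {detail}" + (f" ({note})" if note else ""))
        return e


def build_sample_log() -> RiskLog:
    """Two constructed entries; assets, owners and dates are invented for the example."""
    log = RiskLog()
    log.record(RiskEntry("R-001", "customer order database", "unpatched DBMS reachable from office LAN",
                         "DBA team lead", "high", "high", date(2024, 1, 15),
                         max_tolerable_hours=8, planned_recovery_hours=24))
    log.record(RiskEntry("R-002", "payroll file share", "backups never restore-tested",
                         "HR systems owner", "medium", "medium", date(2024, 3, 20),
                         max_tolerable_hours=48, planned_recovery_hours=24))
    return log


def run_sample_review() -> dict:
    """Periodic review on 2024-05-01: returns the checks a reviewer would look at."""
    log, today = build_sample_log(), date(2024, 5, 1)
    result = {"due_before": log.due_for_review(today), "exceeds_mtt": log.recovery_exceeds_tolerance()}
    r1 = log.review("R-001", today, likelihood="medium",
                    mitigation="patch DBMS and move it to a segmented VLAN", note="patch scheduled")
    r2 = log.review("R-002", today, status="accepted", note="within risk appetite")
    result.update(due_after=log.due_for_review(today), r1_likelihood=r1.likelihood,
                  r1_history=len(r1.history), r2_status=r2.status,
                  reopen_ok=transition_allowed("accepted", "open"),
                  skip_ok=transition_allowed("accepted", "covered"))
    return result


if __name__ == "__main__":
    for k, v in run_sample_review().items():
        print(f"{k}: {v}")
```

The history list is append-only on purpose: a review never overwrites the previous rating, so the log shows how a risk was judged over time, which is what senior management needs in order to question a downgrade. The recovery-time check is the one place the stage 2 data is used; an entry whose planned recovery exceeds the Maximum Tolerable Time is a candidate for the "new planned mitigation" item in the review list.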
References
Purser, S. (n.d.). A practical guide to managing information security (Artech House Technology Management Library). Artech House Publishers.
Krause Nozaki, M., & Tipton, H. F. Information security management handbook, sixth edition, volume 5. Auerbach Publications.