1 | P a g e
INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY
MANAGEMENT PROGRAM
19th May, 2016
CHRISTOPHER NANCHENGWA, BSC, MBA, ITIL, PRINCE2
ICT security has grown to be one of the key areas of ICT management, a result of the growing
threat to ICT resources and to organizations at large. This document sets out a five (5) step
process for managing an organization's ICT security. The process is iterative in nature. One of
the key principles underpinning this approach is "defined roles and responsibilities". Key
players in the management of organizational security include the chief information officer
(CIO), the chief information security officer (CISO), ICT auditors, the ICT security committee,
business application administrators and the general users. To ensure the successful
implementation and management of ICT security, each of these groups needs a clear mandate.
STEP ONE: IDENTIFY THE ORGANIZATION’S BUSINESS OBJECTIVES
These will be set out in the organization's mission statement or other strategic documentation;
if no such documentation exists, an interview with top management should provide guidance. The
step should be handled by the CIO or delegated to the CISO or the security committee. A
commercial bank, for example, might have an objective to provide low-cost banking solutions to
its clients or to provide an integrated payment platform. In this day and age most business
objectives are supported by technology, and an organization that embraces technology and its
management stands a better chance of meeting its objectives.
STEP TWO: IDENTIFY ICT RESOURCES
In most organizations the ICT department exists to support the operations of the core business;
ICT resources and operations have to be aligned to foster the accomplishment of organizational
objectives. The CIO is best placed to identify ICT resources in this context, having an overall
view of the unit. One tool well suited to alignment is COBIT's goals cascade, which maps ICT
goals (also referred to as enabler goals) onto organizational goals. In the context of security
management the mandate of this step is to identify the ICT resources that support the day-to-day
operations of the organization; these include:
• Network infrastructure, including phone lines
• Server infrastructure
• User desktops
• Mobile devices, including laptops, mobile phones and tablets
• Other hardware devices, including projection tools, printers, scanners and imaging devices
The software running on this hardware, the data it holds and any externally hosted services
should be inventoried alongside it, since the risk assessment that follows can only cover what
has been listed.
STEP THREE: IDENTIFICATION AND ASSESSMENT OF RISKS
The third step in our process encompasses the identification and quantification of the risks
that our ICT resources may face. Risk may be defined as the chance or probability of the actual
result deviating from the planned result. In the context of ICT security, risks to ICT resources
are situations or occurrences that may hinder these resources from supporting organizational
objectives. The CISO and the security committee should play an active role in the identification
and validation of risks. Examples of these risks include:
• The risk of misuse
• The risk of theft or physical damage
• The risk of unlawful access to, and divulgence of, confidential or classified information, by
internal or external parties
• The risk of litigation
• The risk arising from natural disaster
• The risk arising from wear and tear
Risks need to be identified and subsequently quantified. Identification of risks is an ongoing
process involving the review and audit of ICT equipment, procedures, processes and the
surrounding environment. Parts of this process can be automated with software such as
QualysGuard or AuditPro, although such tools find technical weaknesses rather than business
risks, so their output still needs an assessor's judgement. To quantify a risk, calculate or
estimate the monetary loss incurred if it materializes; for example, if ICT property is damaged
or stolen, the risk value is the total cost of recovery or replacement plus the monetary value
of business lost or revenue uncollected while the equipment is absent.
The risk assessor then needs to go a step further by prioritizing the identified risks. This is
achieved by developing a matrix of risk cost against risk likelihood: the assessor ranks the
likelihood of each risk occurring on an appropriate scale, e.g. 1 to 5, then multiplies the
likelihood score by the risk cost. Risks can then be arranged in descending order of this
product, the risks with the highest likelihood-cost product being the most pressing and in need
of urgent attention. The likelihood score is a judgement, so the basis for each score (incident
history, vendor advisories, audit findings) should be recorded with it so that the ranking can be
defended and revisited.
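The ranking procedure described in this step, worked through in code. This is an added example and not part of the original paper; the risk register, the likelihood scores and the cost figures are constructed for illustration, and the HIGH/MEDIUM/LOW thresholds in `band()` are assumptions that each organization would set for itself.

```python
"""Risk register prioritisation following the paper's method: score each
risk's likelihood on a 1-5 scale, estimate the monetary cost if it
materialises, multiply, and rank in descending order of the product.
Added example; the risks and figures are constructed, not from any real
assessment."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), the assessor's judgement
    cost: float       # estimated loss if it materialises: recovery/replacement
                      # plus business lost or revenue uncollected meanwhile

    def __post_init__(self):
        # reject scores outside the agreed scale so a typo cannot skew the ranking
        if not 1 <= self.likelihood <= 5:
            raise ValueError(f"{self.name}: likelihood must be between 1 and 5")
        if self.cost < 0:
            raise ValueError(f"{self.name}: cost must be non-negative")

    @property
    def exposure(self) -> float:
        """Likelihood x cost: the paper's ranking score."""
        return self.likelihood * self.cost


def prioritise(risks):
    """Most pressing first.  Ties on exposure are broken by likelihood, then
    by name, so two runs over the same register give the same order."""
    return sorted(risks, key=lambda r: (-r.exposure, -r.likelihood, r.name))


def band(risk, high=100_000, medium=20_000):
    """Three-band matrix.  The thresholds are assumptions for this example;
    an organisation sets its own in line with its risk appetite."""
    e = risk.exposure
    return "HIGH" if e >= high else "MEDIUM" if e >= medium else "LOW"


# Constructed register covering the risk categories listed in Step Three.
REGISTER = [
    Risk("Misuse of ICT resources by staff",      4,  15_000),
    Risk("Theft or physical damage to laptops",   3,  40_000),
    Risk("Unlawful access to confidential data",  2, 250_000),
    Risk("Litigation following a data breach",    1, 500_000),
    Risk("Natural disaster at the data centre",   1, 800_000),
    Risk("Server failure from wear and tear",     3,  30_000),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{band(r):6} {r.exposure:>10,.0f}  L={r.likelihood}  {r.name}")
```

Note what the ranking shows: a low-likelihood, very high-cost event (the natural disaster) outranks the frequent, cheap misuse cases, and two risks with equal exposure are separated by likelihood so that the more probable one is treated first.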
STEP FOUR: RISK RESPONSE OR MITIGATION
This step includes the formulation of activities to avert, avoid or minimize the effect of a
risk materializing. It requires the participation of all stakeholders at various levels. To this
effect I propose the adoption of a 7-layered defense-in-depth approach to ICT security, which
applies seven layers of protection to the identified ICT resources. The layers are:
Stewardship: Top management, including the CIO, CISO, ICT auditor and security committee,
handle most of the issues in this layer. It addresses the management and administration of ICT
infrastructure: policies, processes, procedures and the competence of staff with access to the
resources. Policies of note may include an internet access policy, an ICT resource fair-usage
policy, and ICT system change and data migration policies. Processes and procedures dictate the
logical flow of events in support of organizational objectives; these are normally determined by
the flow of business processes in the particular industry or organization. Policies, processes
and procedures are implemented out of a desire to safeguard data, information and systems, and
to support the implementation of controls. In this layer of risk mitigation the idea is to
assess whether appropriate policies and procedures are in place to safeguard ICT resources,
whether those policies are effective, and whether staff are suitable to work with ICT resources.
Physical Security: This layer addresses unlawful physical access to ICT infrastructure. Threats
in this context include vandalism, theft and natural disaster. Servers, desktops and other
immovable hardware are easy to secure by installing burglar-proof equipment or other measures at
our sites of operation. Mobile and network equipment, on the other hand, require an extra level
of sophistication; one possible measure is to supply laptop users with cable locks with which to
secure their laptops to immovable objects such as office furniture. For network cables the
options range from burying them at least 3 meters below ground level to laying concrete on top
of them. Network cables are quite susceptible to what has come to be referred to as "manhole
manipulation", where vandals and hackers target network infrastructure through manholes. One
interesting measure adopted by Zambia's Copperbelt Energy Company is to run its fibre-optic
cable along its high-tension power lines, making it very dangerous for vandals to target.
Physical security is normally delegated to the institution's chief security officer.
Perimeter Security: This layer addresses what you allow to enter (and leave) your computer
network; implementation is normally handled by the institution's network administrators. The
working assumption is that your local network is connected to the internet and traffic is able
to flow into and out of it. Controls are implemented with a firewall, in software or hardware,
configured with rules that restrict the flow of traffic; the sound starting point is to deny
everything by default and permit only what a business need justifies. Traffic of concern may
include spam and traffic to and from known pornographic sites and servers. Services that must be
reachable from the internet (a public web server or mail gateway, say) belong in a
"demilitarized zone" (DMZ), a separate network segment between the internet and the local
network, so that a compromise of one of those services does not give the attacker a foothold on
the internal network. Users with a justifiable need for traffic that the rules block should be
handled with narrow, documented exceptions rather than by relaxing the rules for everyone.
Perimeter security should also address users accessing services from outside the local network.
This is normally achieved either through a virtual private network (VPN) or by exposing the
service directly on a public Internet Protocol (IP) address. I strongly recommend the use of
VPNs, because a service on a public IP is visible, and attackable, from the entire internet,
whereas a VPN exposes only a single authenticated entry point.
Internal Network: This layer of security addresses which resources your network users can
access on the local network; the network and domain administrators undertake most of the tasks
in this layer. The idea is to allow only the access staff need to perform their duties; this
entails categorizing users, quantifying their level of access and granting the minimum access
required. This can be achieved through the use of internal firewalls, network segmentation and
access control lists. In a Windows environment access control is implemented using Active
Directory security groups and group policy.
Host Security: A host is any device or computer on your network; activities in this layer are
shared among network administrators, domain administrators and the office of the chief security
officer. These devices include routers, switches, servers, desktops, laptops, mobile phones,
printers, etc. Security for these devices combines the layers discussed earlier (policy,
physical security, access control and firewalls) with hardening of the device itself: keeping it
patched, disabling services and accounts it does not need, and changing default credentials.
Application Security: This layer encompasses the measures or steps taken throughout the
application or system's life-cycle to prevent gaps in the security policy through flaws in the
design, development, deployment, upgrade or maintenance of the application or system.
Application security cuts across all the roles defined earlier. Hackers look for vulnerabilities
in software to gain access to systems and networks; it is therefore prudent that software is
thoroughly tested for security flaws before deployment in the live or production environment. A
number of commercially available tools help here, and testing occurs at various levels: static
analysis of source code, dynamic testing of the running application, and analysis of the
compiled machine code or binary. IDA Pro, for example, is a disassembler and decompiler for
analysing software at the binary level, which is what is available when no source code is
supplied; source-level review needs static analysis tools and code review. Please note that not
all organizations are in the software development business; many simply rely on software
developed by other firms, in which case the duty to test the software lies with the development
firm. Organizations must in turn ensure that they only use software that is genuine and
malware-free, so they should by all means acquire software from reputable sources and verify the
vendor's digital signature or published checksum on whatever they download before installing it.
Data Security: At the very bottom of our stack is the data layer. As with the application layer,
all other layers come into play and as such all stakeholders play a key role. Specific to data
security, the organization can adopt an encryption scheme that ensures that even if the data is
accessed, it cannot be read; encryption is only as strong as the protection of its keys, so key
storage and who can reach the keys must be decided at the same time. Most application software
provides some level of encryption; the organization has only to decide whether or not it is
sufficient. Industry best practice recommends that organizations implement organization-wide
antivirus software to protect data against viruses, spyware and other unwanted and malicious
applications. There is currently a rise in malware referred to as "ransomware", which hackers
use to encrypt your files and then demand a ransom in return for the decryption key; ransomware
is normally distributed or propagated through e-mail attachments. I strongly advise against
opening such attachments, as decryption without the attacker's key has proven to be almost
impossible. On a happier note, most antivirus developers are working on solutions to detect such
malware, so please keep your antivirus software up to date.
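One of the signals defenders use to notice a ransomware run, as an added example that is not part of the original paper: files that a ransomware has encrypted are statistically random, so their Shannon entropy sits near the 8.0 bits-per-byte ceiling. Entropy alone is not enough, because compressed formats (images, zip containers, PDFs with compressed streams) are high-entropy too; the check below therefore flags a file only when it is high-entropy *and* no longer starts with the magic bytes its extension promises. The sample files are constructed in a temporary directory, the `MAGIC` table is a deliberately short subset, and the 7.5 threshold is an assumption to tune against your own file population.

```python
"""Entropy-plus-magic-bytes heuristic for spotting encrypted files.
Added example, not from the paper.  Fixtures are constructed on the fly."""
import math
import os
import tempfile
from collections import Counter

MAGIC = {                      # expected leading bytes; a short, assumed subset
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",    # OOXML is a zip container
    ".png": b"\x89PNG",
}
ENTROPY_THRESHOLD = 7.5        # assumed cut-off (max possible is 8.0 bits/byte)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty input or a single repeated byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when the file is high-entropy AND does not carry the header its
    extension claims.  A genuine PNG is high-entropy but keeps its header,
    so it passes; a .docx overwritten with ciphertext has lost its 'PK' header
    and is flagged.  This is an analyst's heuristic, not proof."""
    with open(path, "rb") as fh:
        head = fh.read(1 << 20)            # the first 1 MiB is enough to estimate
    magic = MAGIC.get(os.path.splitext(path)[1].lower())
    if magic is not None and head.startswith(magic):
        return False
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def scan(directory: str) -> list:
    """Relative paths under `directory` that look encrypted, sorted."""
    hits = []
    for root, _, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if looks_encrypted(full):
                hits.append(os.path.relpath(full, directory))
    return sorted(hits)


def build_sample_dir() -> str:
    """Constructed fixtures: an intact PDF, a plain text file, a .docx whose
    body has been replaced by random bytes (what an encrypted document looks
    like) and a PNG whose header is intact but whose body is random (what
    legitimately compressed image data looks like)."""
    d = tempfile.mkdtemp(prefix="ransom-demo-")
    with open(os.path.join(d, "report.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n" + b"Quarterly figures, plain text body.\n" * 200)
    with open(os.path.join(d, "notes.txt"), "wb") as f:
        f.write(b"Meeting notes: review the firewall rules.\n" * 300)
    with open(os.path.join(d, "contract.docx"), "wb") as f:
        f.write(os.urandom(16384))
    with open(os.path.join(d, "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + os.urandom(16384))
    return d


if __name__ == "__main__":
    for hit in scan(build_sample_dir()):
        print("suspicious:", hit)
```

In practice this check is run over a file share's recent writes, or over a honeypot directory that no legitimate process touches, and a burst of hits within minutes is the trigger to isolate the host; a single hit on its own is worth a look, not an alarm.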
The measures proposed by the 7-layered approach suffice most of the time; however, as Murphy's
Law indicates, sometimes things go wrong. When something does go wrong you need an up-to-date,
or almost up-to-date, backup to recover from. This entails that your organization implements and
maintains a business continuity program. Information to be backed up should include not only the
data but also configuration files, to ensure speedy recovery. A backup is only worth what a
restore from it proves: keep at least one copy offline or otherwise out of reach of the accounts
that can write to production (ransomware encrypts every backup it can reach), and test restores
on a schedule.
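A backup routine that backs up configuration alongside data and then proves the restore, as an added example that is not the paper's own procedure: each file's SHA-256 is recorded in a manifest at backup time, the archive is restored into a scratch directory, and every file is checked against the manifest. The "production" tree and the tampering in `run_demo(tamper=True)` are constructed for the example; the manifest and archive names are arbitrary choices.

```python
"""Backup with a hash manifest and a verified restore.  Added example, not
from the paper; all files are constructed in temporary directories."""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir: str, archive_path: str) -> dict:
    """Archive `source_dir` and return {relative path: sha256}.  The manifest
    is also written beside the archive; in real use it is stored apart from
    the archive (and signed) so that tampering with either is detectable."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(source_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, source_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    with open(archive_path + ".manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def restore(archive_path: str, restore_dir: str) -> None:
    """Extract the archive.  The 'data' filter (Python 3.12+, backported to
    recent 3.8-3.11 releases) refuses absolute paths and '..' traversal in a
    tampered archive; older interpreters fall back to the unfiltered call."""
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")
        except TypeError:
            tar.extractall(restore_dir)


def verify_tree(restore_dir: str, manifest: dict) -> list:
    """Relative paths that are missing or whose content differs from the
    manifest.  An empty list is the only acceptable result of a restore test."""
    bad = []
    for rel, expected in manifest.items():
        p = os.path.join(restore_dir, rel)
        if not os.path.isfile(p) or sha256_file(p) != expected:
            bad.append(rel)
    return sorted(bad)


def build_fixture() -> str:
    """Constructed 'production' tree: application data plus the configuration
    file the paper says must be backed up as well."""
    src = tempfile.mkdtemp(prefix="prod-")
    os.makedirs(os.path.join(src, "etc"))
    os.makedirs(os.path.join(src, "data"))
    with open(os.path.join(src, "etc", "app.conf"), "w") as f:
        f.write("db_host=10.0.0.5\nlisten=443\n")
    with open(os.path.join(src, "data", "ledger.csv"), "w") as f:
        f.write("id,amount\n1,100\n2,250\n")
    return src


def run_demo(tamper: bool = False) -> list:
    """Back up the fixture, restore it, optionally corrupt one restored file
    (simulating a bad medium or a tampered copy), and verify.  Returns the
    list of files that failed verification."""
    src = build_fixture()
    work = tempfile.mkdtemp(prefix="bk-")
    archive = os.path.join(work, "backup.tar.gz")
    manifest = make_backup(src, archive)
    restore_dir = os.path.join(work, "restore")
    restore(archive, restore_dir)
    if tamper:
        with open(os.path.join(restore_dir, "data", "ledger.csv"), "a") as f:
            f.write("3,999999\n")
    return verify_tree(restore_dir, manifest)


if __name__ == "__main__":
    print("clean restore, failures:", run_demo())
    print("tampered restore, failures:", run_demo(tamper=True))
```

The same `verify_tree` call, pointed at the live system instead of the restore directory, doubles as a drift check: a configuration file whose hash no longer matches the last backup was changed after the backup, which is exactly the change a recovery would lose.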
Unless your organization is a new one, the implementation of ICT security will not start from
scratch; you will need to define the current state of your ICT security program and the state
you want it to be in. A comparison or gap analysis of the two states will reveal the shortcomings
in your current setup; you can then formulate an actionable plan to raise your current status to
the desired one.
STEP FIVE: REVIEW
The world we live in is dynamic and ever-changing, with new threats and opportunities developing
every single day, so our approach to security should also follow a dynamic trajectory. This step
entails that we undertake reviews of our ICT security program; the review can be automated and
run continuously using audit and compliance software, or scheduled to run on a periodic basis,
through software or hardware. Depending on your organizational setup, the review can be
conducted and spearheaded by the ICT auditor, the CISO or the ICT security committee. Generally
two kinds of test should be run in this context: vulnerability assessments and penetration
tests.
Vulnerability tests check the conformance of hardware and software configurations, versions and
patch levels against manufacturer specifications or industry best practice; differences are
normally reported as vulnerabilities. However, a scanner's finding is a candidate, not a
conclusion: assessors need to take extra steps to determine whether the vulnerability actually
exists and is reachable, since scanners produce false positives (and miss things), before it is
entered into the risk register.
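The configuration-conformance part of a vulnerability test, worked through for one service as an added example that is not part of the original paper. The script parses an OpenSSH `sshd_config`, applies two of the daemon's real parsing rules (the first occurrence of a keyword wins, and everything after a `Match` line is conditional), compares the effective settings with a baseline and reports deviations as candidate findings. The keyword names and the defaults in `EXPECTED` are OpenSSH's; the baseline values, the `MAX_AUTH_TRIES` limit and the configuration text are assumptions constructed for the example. A deviation in a file is not yet a confirmed vulnerability: the assessor confirms it on the host (`sshd -T` prints the effective configuration) and, where it matters, by attempting the login the setting would permit.

```python
"""Baseline check of an sshd_config.  Added example, not from the paper.
Keyword names and defaults are OpenSSH's; baseline values are assumed."""
import re

MAX_AUTH_TRIES = 4   # assumed organisational limit; OpenSSH's own default is 6

# keyword (lower-case) -> (acceptable values or predicate, sshd default, why it matters)
EXPECTED = {
    "permitrootlogin":        ({"no"}, "prohibit-password",
                               "root can log in directly over SSH"),
    "passwordauthentication": ({"no"}, "yes",
                               "online password guessing is possible"),
    "permitemptypasswords":   ({"no"}, "no",
                               "accounts with empty passwords can log in"),
    "x11forwarding":          ({"no"}, "no",
                               "unneeded forwarding widens the attack surface"),
    "maxauthtries":           (lambda v: v.isdigit() and int(v) <= MAX_AUTH_TRIES, "6",
                               "many guesses are allowed per connection"),
}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings as {keyword: value}.  Mirrors two sshd rules:
    the FIRST occurrence of a keyword is the one that applies, and lines after
    a 'Match' block header are conditional, so parsing stops there (a fuller
    tool would evaluate the Match criteria).  Keywords are case-insensitive."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def check(settings: dict) -> list:
    """Deviations from the baseline as (keyword, observed, explicitly_set, why).
    A keyword absent from the file is judged by sshd's default, because an
    unset option is still a configuration and is often the weak one."""
    findings = []
    for key, (ok, default, why) in sorted(EXPECTED.items()):
        observed = settings.get(key, default)
        passes = ok(observed) if callable(ok) else observed in ok
        if not passes:
            findings.append((key, observed, key in settings, why))
    return findings


# Constructed configuration for the example.
SAMPLE_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no     # ignored: sshd keeps the FIRST value it sees
MaxAuthTries 10
X11Forwarding no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for key, observed, explicit, why in check(parse_sshd_config(SAMPLE_CONFIG)):
        source = "set in file" if explicit else "sshd default"
        print(f"CANDIDATE {key}={observed!r} ({source}): {why}; confirm with sshd -T")
```

The trap this example is built around is the duplicated `PasswordAuthentication` line: a reviewer reading the file bottom-up, or a naive "last value wins" parser, would pass the host, while sshd itself keeps the first `yes` and the host accepts passwords.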
Penetration tests attempt to gain access to your systems and network with the objective of
revealing weak security points. They can be done internally or may require the engagement of
external parties, in the form of ethical hackers (professional penetration testers). Whoever
performs them, the scope, rules of engagement and handling of any data accessed should be
agreed in writing beforehand.
The review of systems and networks needs to be conducted in a well-structured and coordinated
manner, with the sole objective of maintaining the secure status of your resources.
CONCLUSION
The 7-layered approach to security covers most issues of the subject. There is however a need to
constantly review your approach in response to an ever evolving environment.
8 | P a g e
FURTHER READING
Einwechter, Nathan. Preventing and Detecting Insider Attacks Using IDS. March 20, 2002.
http://www.securityfocus.com/infocus/1558
Kenneth R. Straub, “Information Security Managing Risk with Defense in Depth”, The SANS
Institute , August 12, 2003, http://www.incidents.org
Kurt Garbars, “Implementing an effective IT Security Program”, The SANS Institute, 2002,
http://www.incidents.org
Lee A. Kadel, “Designing and Implementing an Effective Information Security Program:
Protecting the Data Assets of Individuals, Small and Large Businesses”, The SANS Institute,
March 24, 2004, http://www.incidents.org
Peltier, Tom. “Security Awareness Program.” Information Security Management Handbook 4th
Edition. Ed. Harold F. Tipton and Micki Krause. Boca Raton: Auerbach, 1999.
Todd McGuiness, “Defense in Depth”, The SANS Institute, October 29, 2001.
http://www.incidents.org

More Related Content

PPTX
DEVELOPING AN ICT RISK REGISTER
PPT
Information Serurity Risk Assessment Basics
PPTX
Microsoft Risk Management
PPT
Review of Enterprise Security Risk Management
PPTX
Information systems risk assessment frame workisraf 130215042410-phpapp01
PPT
Risk Based Security and Self Protection Powerpoint
PDF
Information Security Risk Management
DOCX
The Significance of IT Security Management & Risk Assessment
DEVELOPING AN ICT RISK REGISTER
Information Serurity Risk Assessment Basics
Microsoft Risk Management
Review of Enterprise Security Risk Management
Information systems risk assessment frame workisraf 130215042410-phpapp01
Risk Based Security and Self Protection Powerpoint
Information Security Risk Management
The Significance of IT Security Management & Risk Assessment

What's hot (20)

PPTX
Security risk management
PDF
Practical approach to security risk management
PDF
A Practical Approach to Managing Information System Risk
PPTX
Step by-step for risk analysis and management-yaser aljohani
PPT
Risk Assessment Process NIST 800-30
PPTX
NIST 800 30 revision Sep 2012
PPT
Chapter 1 risk management (3)
PPTX
Information Security Risk Management
PDF
Threat Based Risk Assessment
PDF
Risk Assessments
PDF
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
PDF
Dj24712716
PPTX
Risk management in Software Industry
PDF
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
PPT
Risk Management 101
PPTX
The Economics of Cyber Security
PDF
Risk Based Security Management
PPTX
Risk Management Methodology - Copy
PPTX
Information Secuirty Vulnerability Management
DOCX
case studies on risk management in IT enabled organisation(vadodara)
Security risk management
Practical approach to security risk management
A Practical Approach to Managing Information System Risk
Step by-step for risk analysis and management-yaser aljohani
Risk Assessment Process NIST 800-30
NIST 800 30 revision Sep 2012
Chapter 1 risk management (3)
Information Security Risk Management
Threat Based Risk Assessment
Risk Assessments
Lightweight Cybersecurity Risk Assessment Tools for Cyberinfrastructure
Dj24712716
Risk management in Software Industry
Satori Whitepaper: Threat Intelligence - a path to taming digital threats
Risk Management 101
The Economics of Cyber Security
Risk Based Security Management
Risk Management Methodology - Copy
Information Secuirty Vulnerability Management
case studies on risk management in IT enabled organisation(vadodara)
Ad

Viewers also liked (18)

PPTX
4.3.1. controlling confounding matching
 
PPTX
Dependent-Independent Variables edmodo
PPTX
Single group design
PPT
Threats to Internal and External Validity
PPT
Internal Validity
PPSX
Experimental Design
PPT
Experimental research sd
PPT
Internal and external validity factors
PPT
Types of experimental design
PPT
DEPENDENT & INDEPENDENT VARIABLES
PPTX
Threats to internal and external validity
PPT
Experimental research
PPTX
Experimental research design
PPTX
Experimental design
PPT
Experimental Research
PPT
Experimental research
PPSX
Experimental research design
4.3.1. controlling confounding matching
 
Dependent-Independent Variables edmodo
Single group design
Threats to Internal and External Validity
Internal Validity
Experimental Design
Experimental research sd
Internal and external validity factors
Types of experimental design
DEPENDENT & INDEPENDENT VARIABLES
Threats to internal and external validity
Experimental research
Experimental research design
Experimental design
Experimental Research
Experimental research
Experimental research design
Ad

Similar to INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM (20)

PDF
Risk Management
DOCX
Running Head SECURITY AWARENESSSecurity Awareness .docx
PDF
Fundamentals of-information-security
PDF
Cybersecurity Roadmap Development for Executives
PDF
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
DOCX
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
PDF
Application security Best Practices Framework
DOCX
11What is Security 1.1 Introduction The central role of co.docx
DOC
report on Mobile security
PDF
Cyber Security
PDF
Risk Mitigation Plan Based On Inputs Provided
DOCX
Discuss how a successful organization should have the followin.docx
DOCX
Discuss how a successful organization should have the followin.docx
PDF
Intrusion Detection System using Data Mining
PDF
Chapter 6 Security of Information and Cyber Security(FASS)
DOCX
Cat21:Development Mangement Information Systems
PDF
network security.pdf
PDF
Safeguarding the Enterprise
PPTX
Cyber risks in supply chains
Risk Management
Running Head SECURITY AWARENESSSecurity Awareness .docx
Fundamentals of-information-security
Cybersecurity Roadmap Development for Executives
The 7 Steps to Prevent IT-Caused Outages- A Comprehensive Approach
Running Head NETWORK INFRASTRUCTURE VULNERABILITIES1NETWORK .docx
Application security Best Practices Framework
11What is Security 1.1 Introduction The central role of co.docx
report on Mobile security
Cyber Security
Risk Mitigation Plan Based On Inputs Provided
Discuss how a successful organization should have the followin.docx
Discuss how a successful organization should have the followin.docx
Intrusion Detection System using Data Mining
Chapter 6 Security of Information and Cyber Security(FASS)
Cat21:Development Mangement Information Systems
network security.pdf
Safeguarding the Enterprise
Cyber risks in supply chains

INFORMATION AND COMMUNICATIONS TECHNOLOGY PROGRAM

  • 1. 1 | P a g e INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY MANAGEMENT PROGRAM 19th May, 2016 CHRISTOPHER NANCHENGWA, BSC, MBA, ITIL, PRINCE2 ICT Security has grown to be one of the key areas in ICT management; this is as a result of the growing threat to ICT resources and organizations at large. Highlighted in this document is a five (5) step process for the management of organization ICT security. The process is iterative in nature. One of the key principles that fosters the success of this approach is “defined roles and responsibilities”. Key players in the management of organizational security include; the chief information officer (CIO), chief information security officer (CISO), ICT auditors, ICT security committee, business application administrators and the general users. To guarantee the success implementation and management of ICT security, each of these user groups needs to have a clear mandate. STEP ONE: IDENTIFY THE ORGANIZATION’S BUSINESS OBJECTIVES These will be highlighted in the organization’s mission statement of any other strategic documentation; if no such documentation exists an interview with top management should provide guidance on the same. The step should be handled by the CIO or delegated to the CISO of security committee. A commercial bank for example would have an objective to provide low cost banking solutions to its clients or to provide a service integrated payment platform. In this time and age most business objectives are supported by technology and as such an organization that embraces technology and its management stands a better chance of meeting its objectives. STEP TWO: IDENTIFY ICT RESOURCES In most organizations, the department of ICT exists to support operations attributed to the core business; ICT resources and operations have to be aligned to forester the accomplishment of organizational objectives. 
The CIO stands at a better position to identify ICT resources in this context since he or she has an overall view of his unit. One tool ideal for alignment is COBIT’s Goal Cascade; using this tool ICT goals also referred to as ICT Enabler goals are aligned with
  • 2. 2 | P a g e organizational goals. In the context of security management the mandate of this step is to identify the ICT resources that support the day to day operations of an organization; these include;  Network Infrastructure, including phone lines  Server Infrastructure  User desktops  Mobile devices, including laptops, mobile phones and tablets  Other hardware devices, including projection tools, printers, scanners and imaging devices STEP THREE: IDENTIFICATION AND ASSESSMENT OF RISKS The third step in our process encompasses the identification and quantification of risks that our ICT resources may face. Risk may be defined as the chance or probability of expected result being at desperate with planned results. In the context ICT security, risks to ICT resources include situations or occurrences that may hinder these resources from supporting organizational objectives. The CISO and security committee should play an active role in the identification and validation of risks. Examples of these risks include;  The risk of misuse  The risk of theft of physical damage  The risk of unlawful access and divulgence of confidential or classified information both from internal and external parties  The risk of litigation  The risk as a result of natural disaster  The risk as a result of wear and tear Risks need to be identified and subsequently quantified. Identification of risks is an ongoing process involving the review and audit of ICT equipment, procedures, processes and the surrounding environment. This process can be automated through the use of software like QualysGuard or AuditPro. In order to quantify the risk, there is need to calculate or estimate the monetary loss in the case that the risk materializes; for example if ICT property was damaged or
  • 3. 3 | P a g e stolen, the risk value would be the total cost of recovery or replacement and the monetary value of business lost of revenue uncollected as a result of the absence of the equipment. The risk assessor needs to go a step further by prioritizing the identified risks. This is achieved by developing a matrix of risk cost against risk likelihood; In other words, the assessor needs rank the likelihood of the risk occurring using an appropriate scale, e.g. 1 to 5, then multiply the risk likelihood by the risk cost. Risks can then be arranged in either ascending or descending order with the risks having the highest likelihood and cost product value being the most pressing and in need of urgent attention. STEP FOUR: RISK RESPONSE OR MITIGATION This step includes the formulation of activities to be conducted in an effort at avert, avoid or minimize the effect of the risk occurrence. This step requires the participation of all stakeholders at various levels. To this effect I propose the adoption of the defense in depth of 7-layered approach to ICT security. This approach proposes the implementation 7 layers of security to the identified ICT resources, these layers include; Stewardship: Top management including the CIO, CISO, ICT auditor and security committee will handle most of the issues in this layer. This layer addresses a number of issues with regards to the management and administration of ICT infrastructure. These issues include policies, processes, procedures and the competence of staff with access to the said resources. Policies of note may include internet access policy, ICT resource fair usage policy, ICT system change and data migration policies. Processes and procedures dictate the logical flow of events in support of organizational objectives; these are normally determined by the logical flow of business processes in that particular industry or organization. 
The implementation of policies, processes and procedures is born out of a desire to safeguard data, information and systems and also to support the implementation of controls. In this layer of risk mitigation, the idea is to assess whether appropriate policies and procedures are in place to safeguard ICT resources and whether these resources are effective, furthermore ascertain the suitability of staff to work with ICT resources. Physical Security: This layer addresses the issue of unlawful physical access to ICT infrastructure. Threats to ICT resources in this context include vandalism, theft and natural
  • 4. 4 | P a g e disaster. Server, desktop and other immovable hardware are easy to secure via the installation of burglarproof equipment or innovations at our sites of operation. Mobile and network equipment on the other hand require an extra layer of sophistication; one possible measure is to supply your laptop users with laptop cable locks which your users can use to secure their laptops to immovable objects like office furniture. With network cables options range from burying your cables at least 3 meters below ground level to laying concrete on top of them. Network cables are quite susceptible to what has now come to be referred to as “manhole manipulation”, where vandals and hackers target network infrastructure through manholes. One interesting measure adopted by Zambia’s Copperbelt Energy Company is to run their fibre-optic cable along their high tension power lines making it very dangerous for vandals to target. Physical security is normally delegated to the chief security officer of the institution. Perimeter Security: This layer addresses what you allow to enter your computer network; implementation is normally handled by the institutions network administrators. The assumption or working theory is that your local network is connected to the internet and traffic is able to flow into and out of your network. Controls are implemented via the use of a firewall either through software or hardware. The firework will be configured with rules that restrict the flow of traffic. Traffic of concern may include spam and traffic from known pornographic sites and servers. In the case of users with justifiable cause of access to restricted traffic, a “demilitarized zone” can be set up away from the local network to allow them access. Perimeter security should also address the issue of users accessing services from outside the local network; this is normally achieved through the use of virtual private networks (VPNs) and public Internet Protocol (IP) addresses. 
I strongly recommend the use of VPNs because public IPs make your system and network visible to the entire internet. Internal Network: This layer of security addresses the issue of resources that your network users can access on the local network; the network and domain administrators undertake most of the tasks in this layer. The idea is to only allow the necessary access to enable staff perform their duties; this entails categories users, quantifying their level of access and allowing the minimum access required. This can be achieved through the use of firewalls and access control lists. In a windows environment access control is implemented using Active Directory.
  • 5. 5 | P a g e Host Security: A host is any device or computer on your network; activities in this layer are shared among network administrators, domain administrators and the office of the chief security officer. These devices include routers, switches, servers, desktops, laptops, mobile phones, printers, etc. Security for these devices is a combination of the layers discussed earlier including; policy, physical security, access control and firewalls. Application Security: This layer encompasses measures or steps taken throughout the application or system’s life-cycle to prevent gaps in the security policy through flaws in the design, development, deployment, upgrade, or maintenance of the application or system. Application security cuts across all the roles defined earlier. Hackers look for vulnerabilities in software to gain access to systems and networks; it is therefore prudent that software code is fully tested before deployment in the live or production environment. A number of commercially available tools provide relief in this scenario; the testing occurs at various levels, from source code, to machine and binary code. One such application is IDA Pro which has the capacity to test software at all levels. Please note that not all organizations are in the software development business but simply rely on software developed by other firms, in this case the duty to test the software lies with the development firms. Organizations on the other hand have to ensure that they only use software that is certified secure and malware free; therefore organizations should by all means acquire software from reputable sources. Data Security: At the very bottom of our process is the data layer. As with the application layer, all other layers come into play and as such all players or stakeholders play a key role. Specific to data security, the organization can adopt an encryption scheme that ensures that even if the data is accessed, it cannot be read. 
Most application software provides some level of encryption; the organization has only to decide whether or not it is sufficient. Industry best practices of ICT security recommend that organizations implement organization-wide antivirus software to protect data against viruses, malware, spyware and other unwanted and malicious applications. There is currently a rise in malware referred to as “ransomware”, which hackers use to encrypt your files and then demand a ransom in return for a decryption key; this ransomware is normally distributed or propagated through emails as attachments. I strongly advise against opening such emails, as decryption without the aid of the hacker has proven to be almost impossible. On a happier note, most antivirus developers are working on solutions to detect such malware, so please keep your antivirus software up to date.

The measures proposed by the 7-layered approach suffice most of the time; however, as Murphy’s Law indicates, sometimes things go wrong. In the event that something goes wrong, you need to have an up-to-date, or almost up-to-date, backup to recover from. This entails that your organization implements and maintains a business continuity program. Information to be backed up should include not only the data but also configuration files, to ensure speedy recovery.

Unless your organization is a new one, implementation of ICT security will not start from scratch; you will need to define the current state of your ICT program and the state you would like it to be in. A comparison or gap analysis of the two states will reveal shortcomings in your current setup; you can then formulate an actionable plan to raise your current status to the desired one.

STEP FIVE: REVIEW

The world we live in is dynamic and ever changing, with new threats and opportunities developing every single day; our approach to security should therefore also be dynamic. This step entails that we undertake reviews of our ICT security program; the review can be automated and run actively using audit and compliance software, or can be scheduled to run on a periodic basis through either software or hardware. Depending on your organizational setup, the review can be conducted and spearheaded by the ICT auditor, the CISO or the ICT security committee. Generally two tests should be run in this context: vulnerability tests and penetration tests. Vulnerability tests check the conformance of hardware and software configurations against manufacturer specifications or industry best practices; differences in configuration are normally treated as vulnerabilities. However, assessors need to take extra steps to determine whether the vulnerability actually exists or not.
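The vulnerability test just described and the gap analysis of the previous step are the same operation at different scales: compare an observed state with a desired baseline and report every deviation. The following block is an added example and not code from the original document; hostnames, setting names, expected values and the collected data are constructed, and each deviation is reported only as a candidate vulnerability together with a note on what an assessor would check to confirm it, since the text stresses that a configuration difference is not yet a confirmed vulnerability.

```python
"""Configuration baseline check (vulnerability test) and gap analysis.

Added example, not from the original document. Compares each host's
observed configuration with a desired baseline; the same routine serves
as a gap analysis of "current state" versus "desired state". All hosts,
settings and values are constructed sample data.
"""


def equals(expected):
    """Baseline rule: the observed value must equal the expected one."""
    return str(expected), lambda v: v == expected


def at_most(limit):
    """Baseline rule: the observed number must not exceed the limit."""
    return f"<= {limit}", lambda v: v <= limit


# Desired state. Each setting maps to ((display, predicate), verification hint).
BASELINE = {
    "ssh.PermitRootLogin": (equals("no"), "confirm the running daemon refuses remote root login"),
    "ssh.Protocol": (equals("2"), "check the running daemon, not just the config file"),
    "smb.SMBv1": (equals("disabled"), "confirm with a client negotiation, not the registry alone"),
    "antivirus.signature_age_days": (at_most(1), "compare with the vendor's latest signature date"),
    "backup.includes_config": (equals(True), "restore one config file from the latest backup"),
}

# Current state as collected by an audit tool (constructed sample data).
CURRENT_STATE = {
    "srv-app01": {
        "ssh.PermitRootLogin": "yes",
        "ssh.Protocol": "2",
        "smb.SMBv1": "enabled",
        "antivirus.signature_age_days": 3,
        "backup.includes_config": True,
    },
    "srv-db01": {
        "ssh.PermitRootLogin": "no",
        "ssh.Protocol": "2",
        # smb.SMBv1 was not collected: missing evidence is itself a finding
        "antivirus.signature_age_days": 1,
        "backup.includes_config": False,
    },
}


def gap_analysis(current, baseline):
    """One finding per host/setting that is missing or deviates from the baseline."""
    findings = []
    for host, observed in sorted(current.items()):
        for key, ((expected, ok), how_to_verify) in baseline.items():
            if key not in observed:
                status, value = "not-collected", None
            elif not ok(observed[key]):
                status, value = "candidate-vulnerability", observed[key]
            else:
                continue
            findings.append({"host": host, "setting": key, "expected": expected,
                             "observed": value, "status": status, "verify": how_to_verify})
    return findings


def summarize(findings):
    """Findings per host: the raw material for a prioritised action plan."""
    counts = {}
    for f in findings:
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    results = gap_analysis(CURRENT_STATE, BASELINE)
    for f in results:
        print(f"{f['host']:10} {f['setting']:30} expected {f['expected']:>9} "
              f"got {str(f['observed']):>8}  [{f['status']}] -> {f['verify']}")
    print(summarize(results))
```

Keeping the "verify" hint beside each rule is the practical point: the output is an assessor's worklist, not a list of confirmed vulnerabilities, and a setting that the collector failed to report is surfaced rather than silently counted as compliant.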
Penetration tests attempt to gain access to your systems and network with the objective of revealing weak security points. This can be done internally or may require the engagement of external parties in the form of “Ethical Hackers” or “Grey Hat Hackers”.
The review of systems and networks needs to be conducted in a well-structured and coordinated manner with the sole objective of maintaining a secure status of your resources.

CONCLUSION

The 7-layered approach to security covers most issues of the subject. There is, however, a need to constantly review your approach in response to an ever-evolving environment.