The Role and Purpose of Training & Awareness in Information Security

WHERE IS YOUR ORGANIZATION?

Do not be alarmed to find out your organization is somewhere in the first couple of levels on the diagram below. Awareness is the first step, and you have much to gain by simply educating your personnel or just yourself.


WHY IS AWARENESS & TRAINING IMPORTANT?

Enterprises and organizations cannot protect the confidentiality, integrity, and availability of information in today’s highly networked systems environment without ensuring that all people involved in using and managing IT:

  • Understand their roles and responsibilities related to the organizational mission;
  • Understand the organization’s IT security policy, procedures, and practices;
  • Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible.

As cited in audit reports, periodicals, conference presentations, and various other media, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks.

The “human factor” – not technology – is key to providing an adequate and appropriate level of security. If people are the key but are also a weak link, more and better attention must be paid to this “asset”.

A robust and enterprise-wide awareness and training program is paramount for ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.

DETERMINING THE NEEDS

A needs assessment is a process that can be used to determine an organization’s awareness and training needs. The results of a needs assessment can convince management to allocate adequate resources to meet the identified awareness and training needs.

In conducting a needs assessment, it is important that key personnel are involved. At a minimum, the following roles should be addressed in terms of any special training needs:

Executive Management – organizational leaders need to fully understand directives and laws that form the basis for the security program. They also need to comprehend their leadership roles in ensuring full compliance by users within their units.

Security Personnel (security program managers and security officers) – these individuals act as expert consultants for their organization and therefore must be well educated on security policy and accepted best practices.

System Owners – owners must have a broad understanding of security policy and a high degree of understanding regarding security controls and requirements applicable to the systems they manage.

System Administrators and IT Support Personnel – entrusted with a high degree of authority over support operations critical to a successful security program, these individuals need a higher degree of technical knowledge in effective security practices and implementation.

Operational Managers and System Users – these individuals need a high degree of security awareness and training on security controls and rules of behavior for systems they use to conduct business operations.

A variety of sources of information in an agency can be used to determine IT security awareness and training needs, and there are different ways to collect that information. Below is a sample list that suggests techniques for gathering information as part of a needs assessment:

  • Interviews with all key groups and organizations identified;
  • Organizational surveys;
  • Review and assessment of available resource material, such as current awareness and training material, training schedules, and lists of attendees;
  • Analysis of metrics related to awareness and training (e.g., the percentage of users completing the required awareness session or exposure, the percentage of users with significant security responsibilities who have been trained on role-specific material);
  • Review of security plans for general support systems and major applications to identify system and application owners and appointed security representatives;
  • Review of system inventory and application user ID databases to determine all who have access;
  • Review of any findings and/or recommendations from oversight bodies (e.g., Congressional inquiry, inspector general, internal review/audit, and internal controls program) or program reviews regarding the IT security program;
  • Conversations and interviews with management, owners of general support systems and major applications, and other organization staff whose business functions rely on IT;
  • Analysis of events (such as denial of service attacks, website defacements, hijacking of systems used in subsequent attacks, successful virus attacks) that might indicate the need for training (or additional training) of specific groups of people;
  • Review when technical or infrastructure changes are made;
  • The study of trends first identified in industry, academic, or government publications or by training/education organizations. The use of these “early warning systems” can provide insight into an issue within the organization that has yet to be seen as a problem.

THE INFORMATION SECURITY LEARNING CONTINUUM


Learning is a continuum; it starts with awareness, builds to training, and evolves into education. Security awareness efforts are designed to change behavior or reinforce good security practices.

Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Training strives to produce relevant and needed security skills and competencies.

Education integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge and strives to produce IT security specialists and professionals capable of vision and response.

Team Development, Internal Audit & Control 101

The development of a company’s employees is of major importance. Ultimately, progress and growth are what everyone is after, but in order for that to happen, processes, workflow, and ethics must all be under control.

In order to create a secure operations environment, an organization needs to build its structure and staff it in line with the proper approach to the human factor in Information Security. Failing to do so usually results in a lack of direction, misplaced responsibility, and ultimately, operational disruptions.

THE TOP-DOWN APPROACH

Information Security is never built from the bottom up. Do not assume that everyone in the organization is tuned in to what (and how) needs to be done regarding Information Security. The major roles are usually defined as:

Senior Management – creates the information security program, ensures proper and adequate staffing and funding, and gives it organizational priority. Responsible for ensuring organizational assets are protected.

Data Owner (aka information owner or business owner) – a management employee responsible for ensuring the protection of specific data. Data classification, sensitivity labels, and the frequency of data backup are determined by this role.

Custodian – a role responsible for the actual protection of assets, performing tasks such as data backups and restoration, patching systems, etc., under detailed orders. Custodians do not make critical decisions on how data is protected.

User – the most numerous, yet still a major, information security role. Users follow rules. For Users, it is mandatory to comply with policies, procedures, standards, etc. By working to raise awareness, you can tell people how to do the right things at the times when their behavior can make a difference to the security of the company.

ADMINISTRATIVE PERSONNEL CONTROLS

These are fundamental operational security concepts that should be observed when organizing and structuring the staff of a company. These concepts are important because they deal not only with personnel but permeate multiple Information Security domains:

  • Least Privilege (aka Minimum Necessary Access) – dictates that every person’s access is strictly bound to the minimum required to perform their duties. This is the single most important principle around which administrative security controls revolve.
  • Split-knowledge – a process in which access to a piece of data is split among several people, none of whom individually knows the data in its entirety. Each person can input or retrieve only the portion they have access to, and the portions can be combined to recreate the data in its entirety only by a person whose access allows such an action.
  • Separation of duties – prescribes that multiple people are required to complete critical or sensitive transactions. The goal of separation of duties is to ensure that in order for someone to be able to abuse access to sensitive data or transactions, that person must convince another party to act in concert.
  • Rotation of duties/job rotation – a process in which staff members are required to perform the same duties interchangeably on a rotation schedule. By doing so, the company is better protected because different people perform and review the work of the peers who did the same job in the previous rotation. Rotation of duties helps mitigate collusion, where two or more people are in alliance to subvert the security of a system.
  • Mandatory leave/forced vacation – an additional operational control, closely related to a rotation of duties, with the primary security considerations being similar: reducing or detecting personnel single points of failure and the detection and deterrence of fraud. Forcing all employees to take leave can identify areas where the depth of coverage is lacking or can help reveal fraudulent or suspicious behavior.

TYPICAL STRUCTURE AND INTERACTIONS


While the diagram above provides a generic structure to illustrate how Information Security and Internal Audit are related, both functionally and in terms of subordination and dependency, it is not to be applied blindly. When building one’s own structure, one should take into account the nature of the organization’s business and its existing structure, as well as resource considerations. The Information Security Manager, usually referred to as the Chief Information Security Officer (CISO), and their unit play a distinct role, which should not be confused with that of the Audit Committee (AKA the Internal Audit and Control Unit), as is further detailed below.

The CISO

The Chief Information Security Officer (CISO) is the highest-ranking executive responsible for establishing and maintaining the fundamental business concept, the company’s strategy, and the programs that ensure assets and information technology are appropriately protected.

The CISO directs staff in the identification, development, implementation, and maintenance of processes across the organization to reduce information and information technology (IT) risks.

The CISO and their staff respond to incidents, establish appropriate standards and controls, manage security technologies, and guide the development and implementation of policies and procedures.

The CISO is also usually responsible for compliance related to company information.

The Internal Audit & Control Unit

The Internal Audit & Control Unit must hold a genuinely independent function; otherwise, it can become dysfunctional and deliver sub-standard performance. There are many degrees of independence and effectiveness, so a clear understanding of the business needs and circumstances is required.

The unit’s function is to provide a third level of control in the organization, which should be independent of the control of the first level – that of the top management of the company and of other units, such as legal, human resources, financial control, etc.

The unit establishes appropriate policies and procedures to guide the internal audit function and to ensure the quality of the assurance services delivered, all aligned with and consistent with the company’s objectives and governance policies.

The Purpose of Intrusion Detection & Prevention Systems

An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is primarily a preventive device designed not only to detect but also to block malicious actions.

Depending on their physical location in the infrastructure, and the scope of protection required, the IDS and IPS fall into two basic types: network-based and host-based. Both have the same function and the specific type deployed depends on strategic considerations.

WHY ARE IDS AND IPS NECESSARY?

The IDS and IPS devices employ technology that analyses traffic flows to the protected resource in order to detect and prevent exploits and other attempts to abuse vulnerabilities.

These exploits manifest themselves as ill-intended interactions with a targeted application or service. The attacker’s goal is to interrupt or gain control of an application or a machine, either disabling the target and causing a denial-of-service situation, or gaining the rights and permissions available through the target.

EVENT TYPES

There are four types of IDS and IPS events: true positive, true negative, false positive, and false negative. The goal of implementing an IDS or IPS is to achieve only true positives and true negatives.

Keep in mind that most implementations produce false positives, which cost monitoring engineers time investigating non-malicious events, and false negatives, which can let intrusions through. A proper configuration of the system is therefore of crucial importance, as it must reflect the organization’s traffic patterns.

IDS are designed to provide readiness to prepare for and deal with cyber attacks. This is accomplished through information collected from a variety of systems and network sources, which is then analyzed for security problems. IDS are generally deployed to:

  • Monitor and analyze user and system activity;
  • Audit system configurations and vulnerabilities;
  • Assess the integrity of critical system and data files;
  • Perform statistical analysis of activity patterns by matching them against known attacks;
  • Detect abnormal activity;
  • Audit operating systems.


The IPS is generally deployed in-line and analyses network packet traffic as it flows through. Thus, it is similar in function to an IDS – both attempt to match packet data against a signature database or detect anomalies against what is pre-defined as “normal” traffic.

In addition to this IDS functionality, an IPS does more than log and alert: it is usually configured to react to detected anomalies. This ability to react to detections is what makes an IPS generally more desirable than an IDS.

THE WHAT, WHERE AND WHO’S OF IDS AND IPS DEPLOYMENT

These questions are to be answered taking into account the specifics of one’s environment. The most common locations for intrusion detection/prevention sensors are between the network and the extranet, in the Demilitarized Zone (DMZ), between the servers and the user community, and in the remote access, intranet, and database environments. Together, the sensors should establish the network perimeter and cover all possible points of entry.

Once placed, the sensors must be configured to report to the central management console, as dedicated administrators will manage the sensors, provide new or updated signatures, and review logs. In order to avoid data tampering, one must ensure the communication between the sensors and the management console is secure.

The proper identification of mission-critical systems and points of entry requires the following roles in an organization to be involved in any IDS/IPS deployment:

  • Senior Management
  • Information Security Officers
  • Data owners
  • Network Administrators
  • Database Administrators
  • Operating System Administrators

If the key people representing these roles are not involved, the resources won’t be used efficiently and the resulting measure will be inadequate. It is strongly advisable to perform Vulnerability and Risk Assessment prior to implementing IDS or IPS.

Once the IDS is up and operational, logs must be reviewed, and traffic must be tailored to meet the specific needs of the company. Remember, traffic that may be perceived as abnormal by the IDS/IPS may be perfectly suitable for the environment. IDS/IPS must be properly maintained and configured.

WHY CHOOSE A VENDOR?

There are times when you may feel you lack the knowledgeable staff to deploy and administer the IDS/IPS. This is where vendors come in. Instead of spending a considerable amount of time and money trying to figure out the how’s and why’s, specialized teams can come to your aid with the expertise required to get you started and train your personnel.

When choosing a vendor, look for a team that:

  • Eliminates false positives by systematic tuning of detection to meet the characteristics of the particular system;
  • Eliminates false negatives. Eliminating false positive alarms may result in incurring false negatives, and that must not happen;
  • Understands what constitutes a security-relevant event and develops proper reporting;
  • Installs and configures a complete solution;
  • Provides and devises methods to test IDS/IPS;
  • Determines the damage caused by a detected attack, limits further damage, and recovers from the attack;
  • Makes your systems scalable to the size required.
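The four event types, the signature and baseline matching described for IDS/IPS, and the trade-off a vendor must manage when tuning out false positives without incurring false negatives, as an added example (not code from the original page): a small Python model runs a signature engine and a rate-based anomaly engine over constructed sample events with analyst-assigned ground truth, counts TP/TN/FP/FN, and shows that raising the anomaly threshold removes a false positive but introduces a false negative. The signatures, thresholds and sample events are all constructed for illustration.

```python
"""Classify IDS verdicts into the four event types and show the tuning trade-off."""
from collections import Counter
import re

# Constructed sample events (not real traffic). Each record carries what an
# anomaly-based sensor observes (requests per minute from one client), what a
# signature-based sensor inspects (a request fragment), and the ground-truth
# label an analyst assigned after investigation.
SAMPLE_EVENTS = [
    # (client, requests_per_min, request_fragment, truly_malicious)
    ("10.0.0.5",   12, "GET /index.html",            False),
    ("10.0.0.7",   40, "GET /reports/q1.pdf",        False),  # busy but legitimate
    ("10.0.0.9",  310, "GET /login",                 True),   # brute-force burst
    ("10.0.0.11",  18, "GET /search?q=' OR 1=1 --",  True),   # injection probe, low rate
    ("10.0.0.13", 120, "POST /api/batch",            False),  # legitimate batch job
    ("10.0.0.15", 150, "GET /wp-admin",              True),   # scanner, no signature
    ("10.0.0.17",   3, "GET /favicon.ico",           False),
]

# Hypothetical signature list standing in for a vendor signature database.
SIGNATURES = [re.compile(p) for p in (r"' OR 1=1",)]


def sensor_verdict(event, rate_threshold):
    """Return True when either engine flags the event.

    Signature engine: request fragment matches a known-bad pattern.
    Anomaly engine: request rate exceeds the configured "normal" baseline.
    """
    _client, rate, fragment, _truth = event
    signature_hit = any(sig.search(fragment) for sig in SIGNATURES)
    anomaly_hit = rate > rate_threshold
    return signature_hit or anomaly_hit


def event_type(flagged, truly_malicious):
    """Map (sensor verdict, ground truth) to one of the four IDS event types."""
    if flagged and truly_malicious:
        return "TP"
    if flagged and not truly_malicious:
        return "FP"
    if not flagged and truly_malicious:
        return "FN"
    return "TN"


def evaluate(events, rate_threshold):
    """Count TP/TN/FP/FN over the events for a given anomaly threshold."""
    counts = Counter({"TP": 0, "TN": 0, "FP": 0, "FN": 0})
    for event in events:
        flagged = sensor_verdict(event, rate_threshold)
        counts[event_type(flagged, event[3])] += 1
    return dict(counts)


if __name__ == "__main__":
    # A loose baseline (30) flags the busy user and the batch job as false
    # positives; a strict one (200) silences them but misses the scanner,
    # which only the anomaly engine could have caught.
    for threshold in (30, 100, 200):
        print(f"rate_threshold={threshold:>3}: {evaluate(SAMPLE_EVENTS, threshold)}")
```

The low-rate injection probe is caught at every threshold only because a signature covers it, which is why tuning the anomaly baseline and maintaining signatures are separate jobs.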


DPO Outsourcing and the GDPR

Protecting data, be it personal, sensitive, or even public, is extremely important, and having a competent Data Protection Officer will ensure successful implementation of all the regulations and proper compliance with the GDPR (General Data Protection Regulation) that is coming into force on May 25th 2018.

The DPO is responsible for overseeing the proper use of information technology, supplying staff with information, and providing training. The DPO is an independent role and is therefore not obliged to adhere to instructions issued by other members of staff when performing DPO role-related tasks.

WHO NEEDS A DPO?

Article 37 of the GDPR stipulates that a controller or a processor must appoint a DPO if:

  • You are a Public Authority processing data, or
  • You are a controller or a processor whose principal activities involve large-scale, regular, and systematic data processing, or
  • You are a controller or a processor whose principal activities involve large-scale processing of sensitive data (under Article 9) or data relating to criminal convictions/offenses (under Article 10)

IS DPO OUTSOURCING POSSIBLE?

In today’s competitive market, it may be hard to find a suitable DPO, or it may be more feasible to look for an outsourcing alternative. It would be wise to consider appointing an external Data Protection Officer for reasons of cost, training, skillset, qualifications, and assumed liability.

In general, outsourcing the role of the DPO will cost less and your organization will benefit from a team-held knowledge base and experience that is wider and deeper than that of any single person who may be suited for the role in your organization.

Develop Policies for an All-round Approach to Information Security

Taking risks is something we do every single minute, sometimes without even realizing it. A risk may be something as little as talking to somebody, let alone major decision-making or something life-defining. Taking risks also relates heavily to IT security, therefore a countermeasure is required – a policy.

Information Security Policies are an important administrative security control designed to avoid, counteract or minimize IT security risks. They are an integral and inseparable part of the multitude of possible security controls, without which one cannot claim an effective implementation of any meaningful security actions. Organizations need Security Policies, Standards, and Procedures to enforce Information Security in a structured way.

Defining corporate security policies, basing them on industry standards, measuring compliance, and outsourced services are keys to successful policy management.

THE RULES OF POLICY DEVELOPMENT

Security policy and supporting documents must be not only developed but also implemented. The execution of all documents must be ensured.

A clear and understandable procedure should be developed and implemented for applying sanctions to those who fail to comply with the policy, so that staff know not only what is expected of them but also what the consequences of non-compliance are.

Policy – the Information Security Policy is a comprehensive statement made by the company’s senior management, indicating the role of security in the organization. The Policy is independent of specific technologies and solutions. It outlines the purpose and mission of security and achieves tasks such as defining the assets considered valuable, empowering the security group and its activities, serving as a basis in the process of security-related conflict resolution, capturing the goals and objectives relating to safety, outlining the personal responsibility of staff members, helping prevent unexplained events, defining the boundaries and functions of the security group, etc.

Standards – mandatory actions or rules. Standards help, support, and develop policies in certain areas. Standards may be internal or external (e.g. legislation). Standards can, for example, indicate how to use the software and hardware or how to deal with users. They can ensure the uniformity of technologies, applications, settings, and procedures throughout the company.

Procedures – detailed step-by-step descriptions of tasks performed to achieve a certain goal. Steps can be performed by users, IT professionals, security personnel, and other staff members dealing with specific tasks.

Procedures occupy the lowest level in the chain of policies: they relate directly to computers and users, describe concrete steps, and spell out how the policies will actually be implemented in the production environment. Procedures should be detailed enough to be understandable and useful.


Guidelines – describe the recommended actions and operating instructions for users, IT professionals, and other staff members, when the appropriate Standards do not apply. Recommendations may relate to technological methods, personnel, or physical security. Recommendations, as opposed to mandatory enforcement of strict Standards, show the basic approach of having some flexibility in unforeseen circumstances.

Baselines – uniform ways of implementing a given safeguard. The system must meet the baseline described by the benchmarks. Baselines are discretionary; it is acceptable to implement a safeguard without following the benchmarks, as long as the implementation provides a level of security at least as strong as the benchmarks would.

THE INFORMATION SECURITY POLICY FRAMEWORK

Each document listed above has a different target audience within the business, and therefore they should never be combined into one document. Instead, there should be several documents that together form the concept of an Information Security Policy framework.

This framework is illustrated in the diagram above, with each level of the framework supporting the levels above it. Some small organizations tend to define Security Policies from the bottom up, starting with the capabilities of the tools at hand. Medium and large enterprises know that sound Security Policy development begins from the top down.

HOW TO START WITH THE DEVELOPMENT OF POLICIES

Practice shows that without top management’s participation and visionary input, Information Security Policies Development is practically impossible.

Any endeavor in Information Security must, at least, be fully supported by top management. Ideally, the company’s senior leadership will initiate the changes in strategy and will be actively involved in the Information Security Policy development process.

No matter how talented and prepared the Information Security person you hire is, they will not be able to effect the necessary changes on their own.

Top management must be involved in the entire program development in order to ensure comprehensiveness, full compliance by staff, and sanctioning for non-compliance – it is only effective when supervised and executed under an autocratic approach.