January 27, 2014

2.2.6 Implement policies and procedures to prevent data loss or theft


There is no “one size fits all” solution to information security. The security controls should be designed to fit the risk and should be backed up by a robust set of policies and procedures and a well-trained user and staff base.

The threat of data loss or theft is a risk to the organization. The organization typically responds by conducting a risk analysis and then employing appropriate risk management strategies.

A risk analysis identifies the risk and plans a mitigation technique to manage it. Risk identification involves a systematic inventory of all assets and a cataloguing of the vulnerabilities and threats against each asset. For example, the company's Internet-facing web site is vulnerable if it is not placed in a properly secured DMZ, and its backend database is vulnerable if it is not stored on a redundant storage array. The associated threats are attackers modifying the web pages and data loss from disk failure.

Vulnerabilities can range from a lack of physical security to inadequate deployment of system and security updates. Threats can include hackers and malicious insiders, system failures, fraud, improper configuration and settings, improper exposure of private information, etc.

After a threat has been identified and analyzed, the next step is to analyze its impact on the organization. The impact can be felt in company reputation, finances, compliance, productivity, revenue, safety and employee morale.

Once the threats have been identified and their impact analyzed, the next step is to prioritize them by impact and probability of occurrence. The loss of some types of data is more damaging than the loss of others: client financial information and other personally identifiable information (PII) should have more stringent protections than posts to a public distribution list.

The next step is choosing and deploying an appropriate risk mitigation technique to counter the threat, in this case data loss or theft. The technique chosen will be based on the impact of the threat. For example, the ISO/IEC 27001 certification standard provides a set of controls for managing and protecting the organization's valuable information assets.

“ISO/IEC 27001 is a management framework for protection of business-critical information.”

There are protections, screenings and defenses on ingress, i.e. a user entering your organization is challenged with firewalls, anti-virus programs and passwords. Similar measures should be taken on egress. When data, or a user carrying it, leaves the organization, security controls should be in place to ensure that the data is not compromised, including:
  • encryption and passcodes – protect the data so that even if it is stolen it cannot be (easily) accessed
  • physical security – employ security guards, security monitors, badges and coded keypad entry
  • secure removable media – laptops, flash drives and other removable media should be secured so they cannot be used to carry data out of the organization inappropriately
  • backup solution – in case of data loss and/or corruption, it is important to have a known good source for restoration
  • training and education – give users and staff an incentive to be part of the solution to data theft and loss prevention

2.2.5 Perform routine audits


An audit is a formal and systematic assessment of how closely the organization's policies and procedures are actually being followed with respect to the organization's assets. There are various types of audits, including information security audits and financial audits.

With respect to information security, it is important to perform routine audits periodically in order to maintain a secure environment. An information security audit is the formal review of how the confidentiality, availability and integrity of the organization’s information is secured.

Formal security audits are typically conducted by outside agents with the full permission and cooperation of the organization. Security audits are formal and systematic. The scope of the security audit should be pre-defined and include all assets related to the organization’s information security including:
  • personnel
  • databases
  • email
  • servers
  • cloud
  • passwords
  • storage
  • access control lists
  • security policy
  • network
  • industry and government regulations
  • log files
Because the user base and the security threats are constantly evolving, security audits should be treated as a process (not an event) and carried out on a periodic basis. The security auditor's toolbox includes penetration tests and vulnerability scans, one-on-one interviews, event log reviews, analysis of configuration settings, review of security policy and procedure documents, etc.

2.2.4 User rights and permissions reviews


A privilege is a property of an agent, such as a user, while a permission is a property of an object, such as a file. A privilege lets the agent do things that are not ordinarily allowed; a permission says which agents may use the object and what they may do with it (e.g. read it, modify it).

Put another way, a privilege (or right) is an ability that a user account is granted based on who the user is: a permission to perform an action. One or more privileges are bundled together to form a role. A role is a predefined set of privileges, and provides a way to aggregate all the individual privileges required to perform a higher-level task.

Permissions grant users the right to perform the activities specified by the role on the object to which the role is assigned.

Users are assigned privileges based on their roles or work activities. The principle of least privilege states that people and processes should have the lowest level of rights necessary to perform a task, and should retain those rights only for the shortest necessary period.

Privilege escalation is the malicious acquisition or exercise of higher privilege levels than were intended for the user or application. It is a security violation enabled by a flaw in a policy, configuration, service or application, and it is more likely to occur, or to go unnoticed, when administrators fail to audit assigned privileges.

Administrators and security personnel should audit overall organizational policies and procedures as well as the assignment and use of privileges by individual users and groups. “Knowing what users are doing and how often they do it may assist administrators in assigning and managing privileges.”††

Auditing is the process of ensuring that an organization's security policies are implemented effectively and consistently, so that corrective measures can be taken where they are not. For audits to be effective, they require the cooperation of various departments in the organization. For example, the human resources department should proactively inform the information security department when employees leave the organization or change jobs or roles.

User, group and role management involves understanding the rights, privileges and users required to complete specific work tasks and monitoring these over time to ensure that the right users maintain the right privileges for their specific roles. As users change roles, or leave the organization, their privileges and permissions must be adjusted promptly.

For audits to be effective, they should be done periodically and should cover areas such as:
  • Privileges – to ensure that accounts and roles are assigned and followed appropriately
  • Escalation – ensure that the process of gaining privileges is not compromised
  • Usage – ensure that system resources are used commensurate with the organization’s policies
  • Administration – ensure that policies and procedures are documented, assets and responsibilities are tracked and event log files are managed
The output of an audit should include an outline of the findings listing and explaining any violations and should make recommendations for improvement.
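As an added worked example (not code from the original page), the following Python script performs the kind of periodic rights review described above: it reconciles an HR roster against an export of the accounts and role assignments actually present on a system, and reports the findings an audit would list: orphaned accounts, accounts of people who have left, privileges beyond what the person's current role needs, and accounts nobody has used. The role catalogue, the roster and the account export are constructed for illustration, and the 90-day stale-login threshold is an assumed policy value.

```python
"""Added example, not part of the original page: a periodic user rights and
permissions review. It reconciles the HR roster (who works here and in what
role) against an export of the accounts and role assignments actually present
on a system, and reports the findings an audit would list.

The role catalogue, roster and account export are constructed for illustration;
the 90-day stale-login threshold is an assumed policy value."""

from dataclasses import dataclass, field

# Role catalogue: a role is a predefined bundle of privileges (hypothetical).
ROLE_PRIVILEGES = {
    "developer": {"read_source", "write_source", "read_test_db"},
    "dba": {"read_prod_db", "write_prod_db", "manage_backups"},
    "helpdesk": {"reset_password", "read_directory"},
}


@dataclass(frozen=True)
class Employee:
    username: str
    role: str          # the single role HR says this person currently holds
    active: bool       # False once HR has recorded a departure


@dataclass
class Account:
    username: str
    roles: set                                          # roles assigned on the system
    extra_privileges: set = field(default_factory=set)  # privileges granted outside any role
    last_login_days: int = 0                            # days since the last successful login


def effective_privileges(account):
    """Everything the account can actually do: its roles' privileges plus direct grants."""
    privileges = set(account.extra_privileges)
    for role in account.roles:
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def review_access(roster, accounts, stale_after_days=90):
    """Return (username, finding) pairs for every violation found.

    Checks, in order: orphaned accounts (no HR record), accounts of people who
    have left, privileges beyond what the person's current role needs (least
    privilege), and accounts nobody has used for longer than the policy allows."""
    findings = []
    roster_by_user = {e.username: e for e in roster}
    for acct in accounts:
        emp = roster_by_user.get(acct.username)
        if emp is None:
            findings.append((acct.username, "no matching HR record (orphaned account)"))
            continue
        if not emp.active:
            findings.append((acct.username, "employee has left but the account is still enabled"))
            continue
        excess = effective_privileges(acct) - ROLE_PRIVILEGES.get(emp.role, set())
        if excess:
            findings.append((acct.username,
                             f"privileges beyond role '{emp.role}': {sorted(excess)}"))
        if acct.last_login_days > stale_after_days:
            findings.append((acct.username, f"no login for {acct.last_login_days} days"))
    return findings


# Constructed sample data: the HR roster and a system's account export.
ROSTER = [
    Employee("alice", "developer", active=True),
    Employee("bob", "dba", active=True),
    Employee("carol", "helpdesk", active=False),   # left last month
    Employee("dave", "developer", active=True),    # moved from dba to developer
]

ACCOUNTS = [
    Account("alice", roles={"developer"}),
    Account("bob", roles={"dba"}, last_login_days=120),
    Account("carol", roles={"helpdesk"}),
    Account("dave", roles={"developer", "dba"}),   # old dba role was never removed
    Account("svc_legacy", roles=set(), extra_privileges={"write_prod_db"}),
]

if __name__ == "__main__":
    for user, finding in review_access(ROSTER, ACCOUNTS):
        print(f"{user}: {finding}")
```

Run against the sample data, the review reports four findings: bob's unused account, carol's account still enabled after she left, dave keeping the dba privileges from his old role, and a service account with a direct production grant that HR knows nothing about. The HR feed is the authoritative input here, which is why the text stresses that human resources must tell the security team about departures and role changes promptly.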

User education is an important component to effective user and privilege management. Users should be familiar both with the security policy and the resulting risk to the organization if the policy is not implemented effectively.

2.2.1 Implement security controls based on risk


Assets like data have intrinsic value and therefore an associated risk of misuse, where "misuse" is shorthand for falling into the wrong hands, being lost, being fraudulently modified, etc. Security controls are the measures taken to protect assets from misuse. Risk is the potential that a specific action (or lack of action) will lead to a loss, where "loss" is any undesirable outcome.

Where the risk is low, the security controls protecting the asset can be minimal. Where the risk is high, the controls should be elevated accordingly. The organization decides which controls to implement based on the likelihood and impact of the risk and on the cost of mitigating it, and can follow one of the following risk management approaches:
  • Risk Acceptance – being fully aware of the risk and its effects and deliberately choosing to do nothing about it
  • Risk Avoidance – an informed decision not to take the actions that could lead to the risk
  • Risk Mitigation – any step taken to reduce the likelihood or impact of the risk
  • Risk Deterrence – adopting policies and procedures that impose consequences on the attacker
  • Risk Transference – shifting the risk to a partner, for example through insurance or outsourcing
Risk acceptance is appropriate when a cost/benefit calculation shows that the cost of mitigation exceeds the value of the asset or the harm that would result; the organization then knowingly accepts the risk and does nothing.

Risk calculation or risk analysis deals with threats, vulnerabilities, and the impact of a loss. Even after a risk calculation has been done and the appropriate security controls have been implemented, it is advisable to conduct an audit of the risk.

A risk calculation weighs the potential harm of a threat against the likelihood of the threat occurring. It identifies both the asset you want to protect and the threat or potential harm to the asset. An example of such a calculation likely kept EMV chip technology (known as Chip and PIN in the United Kingdom) off credit cards in the US. Credit cards with embedded chips are more secure than those with magnetic stripes, but they are also more costly to produce. Until the potential loss (e.g. liability for stolen credit card numbers) exceeded the cost of conversion, the conversion did not make sense.
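As an added worked example (not from the original page), the following Python risk register carries the calculation through for the steps described in 2.2.6 and 2.2.1: each entry names an asset, a threat against it, the expected loss and the cost of a candidate control, so the threats can be prioritized by impact and probability and a response (accept, mitigate or transfer) chosen for each by comparing expected annual costs. The single loss expectancy (SLE) and annualized loss expectancy (ALE) formulas are the standard quantitative ones and are an assumption of this example, since the page gives no formula; all asset values, rates and costs are constructed. The card-fraud entry mirrors the chip-conversion case: at the assumed fraud rate acceptance is cheaper, and the break-even function shows the incident rate above which conversion pays for itself.

```python
"""Added example, not part of the original page: a small quantitative risk
register. The SLE/ALE formulas are the usual ones and are an assumption here:
    SLE = asset_value * exposure_factor   (loss per incident)
    ALE = SLE * annual_rate               (expected loss per year)
All figures in the register are constructed for illustration."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float        # value of the asset, in currency units
    exposure_factor: float    # fraction of the asset value lost per incident (0..1)
    annual_rate: float        # expected number of incidents per year
    control_cost: float       # annual cost of the candidate mitigating control
    control_reduction: float  # fraction of the expected loss the control removes (0..1)
    transfer_cost: float = None  # annual premium if the risk can be transferred (e.g. insured)

    def sle(self):
        return self.asset_value * self.exposure_factor

    def ale(self):
        return self.sle() * self.annual_rate


def annual_cost_by_response(risk):
    """Expected annual cost of each response the organization could choose.

    Avoidance and deterrence are not priced here: avoidance removes the
    activity altogether and deterrence changes attacker behaviour rather
    than the organization's own expected loss."""
    ale = risk.ale()
    costs = {
        "accept": ale,                                                        # bear the loss
        "mitigate": risk.control_cost + ale * (1 - risk.control_reduction),   # control + residual
    }
    if risk.transfer_cost is not None:
        costs["transfer"] = risk.transfer_cost                                # partner bears it
    return costs


def choose_response(risk):
    """Cheapest response by expected annual cost (ties go to the first listed)."""
    costs = annual_cost_by_response(risk)
    return min(costs, key=costs.get)


def breakeven_rate(risk):
    """Incidents per year above which mitigating beats accepting:
    control_cost < ALE * reduction  <=>  annual_rate > control_cost / (SLE * reduction)."""
    avoidable_per_incident = risk.sle() * risk.control_reduction
    if avoidable_per_incident == 0:
        return float("inf")   # the control prevents nothing, so it never pays off
    return risk.control_cost / avoidable_per_incident


def with_rate(risk, annual_rate):
    """Same risk re-evaluated at a different incident rate (threat landscape changed)."""
    return replace(risk, annual_rate=annual_rate)


def prioritize(risks):
    """Highest expected loss first: impact weighted by probability, as in the text."""
    return sorted(risks, key=lambda r: r.ale(), reverse=True)


# Constructed register (hypothetical assets, threats and figures).
REGISTER = [
    Risk("public web site", "pages modified by an attacker",
         asset_value=200_000, exposure_factor=0.25, annual_rate=0.5,
         control_cost=15_000, control_reduction=0.9),
    Risk("backend database", "data loss from disk failure",
         asset_value=500_000, exposure_factor=1.0, annual_rate=0.05,
         control_cost=8_000, control_reduction=0.95, transfer_cost=6_000),
    Risk("card portfolio", "fraud with stolen card numbers",
         asset_value=1_000_000, exposure_factor=0.02, annual_rate=2.0,
         control_cost=60_000, control_reduction=0.8),
    Risk("public mailing list archive", "disclosure of list posts",
         asset_value=1_000, exposure_factor=1.0, annual_rate=1.0,
         control_cost=5_000, control_reduction=1.0),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:28} ALE={r.ale():>9,.0f}  response={choose_response(r)}")
    card = REGISTER[2]
    print(f"chip conversion pays off above {breakeven_rate(card):.2f} fraud incidents/year")
```

With these constructed figures the card-fraud threat has the largest expected loss and so ranks first, yet the cheapest response to it is acceptance, because the assumed conversion cost exceeds the loss it would prevent; the break-even rate of 3.75 incidents per year shows how much the threat must grow before mitigation becomes the rational choice, which is the same trade-off the EMV paragraph describes. The mailing-list entry lands at the bottom and is accepted, matching the point in 2.2.6 that public posts do not merit the protections given to PII.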