With issues around security and compliance being launched to the forefront of businesses' minds, our team decided it was time to not only evaluate our practice, but also the process around the practice. Thankfully one of our all-star engineers, Kailyn, has an extensive background in the study.
Pulling from her experience working with teams small and large on high-profile financial data security projects among others, she lays out how to take this process from the back to the driver's seat. Organizations of all sizes have the imperative to shore up their systems, but it does not need to be mysterious or agonizing...read on!
For any party—a business, family, or yourself—information security is the goal of protecting important information. Important information can be anything including (but not limited to): birth dates, invoices, contracts, social security numbers, credit card numbers, and trade secrets.
Information Security is a broad term and is formally defined as: “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."
To protect information, then, is the reduction of vulnerable avenues through which information can be taken, damaged, or destroyed. Vulnerabilities are weaknesses in six categories, through which this can happen:
- Cybersecurity: Security of computer systems, networks, digital storage
- Physical Security: Security of physical perimeters, data centers, office spaces
- Personnel security: Protecting against people, employees, contractors, maintenance staff
- Incident response and Disaster Recovery: Effectiveness of planned responses, policies, recovery procedures, backups
- Operational Security: Protecting business plans and processes
- Privacy: Protecting personal information, social security information, reputation
In today’s world we often store, process, and move information or data, through computer systems. For that reason, Cybersecurity is often seen as synonymous with Information Security, though it’s only one part of the puzzle.
Cybersecurity is formally defined as: “Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.”
In regards to information security there is an acronym often used to remember the important aspects of protecting information, C.I.A.—Confidentiality, Integrity, and Availability. If the main goal of information security is to protect information, then the golden pillars for achieving that goal are protection of the confidentiality, integrity, and availability of information.
- Confidentiality: Keeping information away from those who are not meant to see it. Consider what would happen if a bad-actor stole your email account password.
- Integrity: Protecting data from being modified in unwanted ways. Consider what would happen if your payroll information was changed.
- Availability: Keeping information useful and accessible. Consider what would happen if customers couldn’t log into your application.
Why Information Security is Important
Information security is important to any size company, even individuals, in any industry. Every company has information that helps drive their business forward. It may be information about their employees, it may be secret recipes for their soft drink, or it may be the payment information of their customers. Think about the information that is critical to your business and consider the consequences if it were stolen, damaged, or erased. If an incident were to occur, there are typically two types of costs that will be incurred on your business.
The first cost, direct cost, is the tangible loss a business experiences as the result of a security incident. This loss may be realized in several forms such as loss of time due to investigation effort, actual capital loss, like cash or physical product, or the time and effort it takes for the company to recover and get back to a place equivalent to that of prior to the security incident. Once it’s discovered that a security incident has occurred, the time and effort to mount an investigation can be critical to the survival of the company.
An investigation can slow or even halt forward progress on software features and infrastructure engineering because attention will be turned to finding the culprit vulnerability in the system and determining what information was affected. Capital loss can occur as a result of the actual incident or in a number of other ways. Software source or physical product units could be stolen and potentially reproduced or reused. Recovery can incur cost as the business makes efforts to patch any discovered vulnerabilities, train employees on the incident, and work to replace any lost information or product.
The second cost, indirect cost, is the intangible loss a business experiences as the result of a security incident. Indirect costs are slightly different in that they aren’t realized immediately, like losing money from a bank account. Indirect costs are realized over some time as the situation unfolds to outside elements like investors, banks, and customers.
Things like sales can be affected due to a decrease in trust from potential customers. Existing customers may consider moving to a different provider. Stock prices may drop as a result of less faith in the markets. Reputation with existing and prospective stakeholders and lenders may be tarnished making it difficult to continue along the path with them.
The process and tools to defend yourself and your business against loss are fortunately well documented and can be broken down into formulas. Generally it’s recommended to adopt a risk based approach to better align the business attention to any event that threatens information security. This approach is called risk management and it works in two phases.
The first phase of risk management is to identify important information and determine what sorts of events could threaten that information. For example, a customer’s payment information is important and it could get stolen, modified, or erased. Be sure to account for events such as 3rd-party service outages, natural disasters, or upset employees.
The second phase of risk management is to estimate the importance of each risk. Risk is often calculated as Risk = Impact * Likelihood. Impact is a loosely quantified loss to the business in terms of money, time, effort, etc. Likelihood is the probability that such an event would occur, which can be based off of past experience, or 3rd-party studies. An earthquake that destroys a datacenter might be a very high impact, however it has a low likelihood of occurring. Given the impact and likelihood of an event, risk can be assigned a distilled value, usually low, medium, high. The Earthquake in the previous example may be categorized as a medium risk.
Decide Which Risks to Mitigate
Using calculated risks a business can determine which risks to attempt to mitigate and which mitigations to prioritize. Because it is impossible to cover all risks to an organization, especially risks it fails to, or is unable to, identify, due to finite resources and time, risks must be prioritized in accordance with their calculated value. High risk mitigations should be discussed and planned in the immediate future. Medium risk mitigations should be discussed and planned for the intermediate future. Low value risks can be left unmitigated or a business may choose to only partially mitigate them.
Actual mitigations will vary for each risk and effort to implement the appropriate mitigations will vary similarly. This is where documents like NIST SP 800, ISO 27000, and other information security guidelines can come in handy. These documents are used as references to determine what sorts of security controls can help mitigate certain classes of risk.
Applying Risk Management
The process of applying risk management findings to information security can be broken down into five distinct steps:
- Identify: Gather information on all the items and data that are important to the business, its customers, or it’s stakeholders.
- Protect: Enact processes and controls to protect items and data from threat actors, natural disasters, etc.
- Detect: Monitor items, data, and their surroundings to determine if an intrusion, or other incident has occurred.
- Respond: Follow procedures, policies, and plans to react accordingly when an incident is detected.
- Recover: Repair and replace lost items and data that are crucial to the operation of the business.
All five of these steps consist of some amount of planning and information gathering. It is absolutely imperative to plan ahead and to create maps, processes, procedures, and policies to guide the business as it grows and to guide individual employees if an incident should occur. This information gathering and planning process will look different for people who play different roles in the company. The process for engineers may focus more so on the technology, infrastructure, architecture and service provider choices they make:
- Identify what technologies the company uses and which are aligned with what level of risk.
- Protect data with encryption, configure application firewalls, reduce the exposure of unnecessary ports, create backups of critical data.
- Detect incidents with intrusion detection systems, antivirus, log analysis, and system baseline comparisons.
- Respond to alerts from detection methods, communicate to management and security personnel, and follow procedures to quarantine vulnerable systems.
- Recover systems by restoring backups, patching software vulnerabilities, and updating 3rd-party applications.
The same process can be used for other non-technical roles within the company but each step is adapted so that it’s relevant to the role:
- Identify places where important information or products are stored and determine at what level these items are at risk.
- Protect data and products with strong passwords, multi-factor authentication, lockpick resistant physical locks, backup digital storage, store paper copies in separate locales, keep your desk clean of PII when not in use.
- Detect incidents by monitoring the office space with cameras, keeping documents organized so that missing documents are easily recognized, etc.
- Respond to suspected incidents by following procedures to communicate with management, security personnel, and authorities if appropriate.
- Recover from data loss by restoring digital storage backups, restoring original documents from copies, etc.
Some of the above examples can apply to both non-technical and technical roles. All roles should actively engage in protecting company and personal data.
In summary, security can often be a mysterious, difficult, or even frightening topic, but it can be broken down into pieces and steps just like any clearly defined goal. Risk management is a common way to frame information security into a context that makes sense for all types of security not just cybersecurity. Risk management can be broken down into three easy steps: identify risks, calculate their severity, and prioritize mitigation.
Once a business has completed these steps they can use them as a guide to apply information security controls in five steps: identify, protect, detect, respond, recover. The key is that while a company can never mitigate every risk, they can plan to prioritize mitigations for some and develop procedures to respond to the unknown.If a business is competent in information security management, then it can prove it’s competence to potential partners and customers via third-party attestations. Attestations are awarded by auditing firms and attest that a business conforms to information security standards like SOC 2, ISO, PCI-DSS, HIPAA, etc. Interfaces between clients, and third-party service providers can often open up vulnerabilities to both partners, so information security is often at least of moderate concern before working with another business. Proving competence is a great way to reduce tension and generate trust.
Information security and risk management are not singular efforts, in that they are not completed just once. The process for ensuring information security is iterative. Just as new risks may be identified, the business may produce new products or intellectual property that it wishes to protect. Threat actors also change. Global warming is increasing the likelihood of flooding and extreme weather, hackers have shifted their attention to lower hanging fruit, nation states have become more active in the cyberwarfare space.
The best course of action is to learn from incidents and mistakes and to iterate on information security practices, policies, and procedures on a regular basis.