Victor Font Consulting Group, LLC

The DEX Intranet Specialists

Cybersecurity

The 8 Foundation Stones of Information Security

By

There are eight foundation stones in Information Security:

  1. Information Security supports the mission of the organization.
  2. Information Security is an integral element of sound management.1
  3. Information Security protections are implemented so as to be commensurate with risk.
  4. Information Security roles and responsibilities are explicit.
  5. Information Security responsibilities for system owners go beyond their own organization.
  6. Information Security requires a comprehensive and integrated approach.
  7. Information Security is assessed and monitored regularly.
  8. Information Security is constrained by societal and cultural factors.

Information Security Supports the Mission of the Organization

Management personnel are ultimately responsible for determining the level of acceptable risk for a specific system and the organization as a whole, while considering the cost of security controls. Since Information Security risk cannot be completely eliminated, the objective is to find the optimal balance between protecting the information or system and utilizing available resources. It is vital for systems and related processes to have the ability to protect information, financial assets, physical assets, and employees, while also taking resource availability into consideration.

Information Security Protections Are Implemented So as To Be Commensurate with Risk

Risk to a system can never be completely eliminated. Therefore, it is crucial to manage risk by striking a balance between usability and the implementation of security protections. The primary objective of risk management is to implement security protections that are commensurate with risk. Applying unnecessary protections may waste resources and make systems more difficult to use and maintain. Conversely, not applying measures needed to protect the system may leave it and its information vulnerable to breaches in confidentiality, integrity, and availability, all of which could impede or even halt the mission of the organization.

Information Security Roles and Responsibilities Are Explicit

The roles and responsibilities of system owners, common control providers, authorizing officials, system security officers, users, and others are clear and documented. If the responsibilities are not made explicit, management may find it difficult to hold personnel accountable for future outcomes.

Information Security Responsibilities for System Owners Go Beyond Their Own Organization

Users of a system are not always located within the boundary of the system they use or have access to. For example, when an interconnection between two or more systems is in place, Information Security responsibilities might be shared among the participating organizations. When such is the case, the system owners are responsible for sharing the security measures used by the organization to provide confidence to the user that the system is adequately secure and capable of meeting security requirements. In addition to sharing security-related information, the incident response team has a duty to respond to security incidents in a timely fashion in order to prevent damage to the organization, personnel, and other organizations.

Information Security Requires A Comprehensive and Integrated Approach

Providing effective Information Security requires a comprehensive approach that considers a variety of areas both within and outside of the Information Security field. This approach applies throughout the entire system life cycle.

Security controls are seldom put in place as stand-alone solutions to a problem. They are typically more effective when paired with another control or set of controls. Security controls, when selected properly, can have a synergistic effect on the overall security of a system. Each security control has a related controls section listing security control(s) that compliment that specific control. If users do not understand these interdependencies, the results can be detrimental to the system.

Interdependencies between and amongst security controls are not the only factor that can influence the effectiveness of security controls. System management, legal constraints, quality assurance, privacy concerns, and internal and management controls can also affect the functionality of the selected controls. System managers must be able to recognize how Information Security relates to other security disciplines like physical and environmental security.

Information Security Is Assessed and Monitored Regularly

Information Security is not a static process and requires continuous monitoring and management to protect the confidentiality, integrity, and availability of information as well as to ensure that new vulnerabilities and evolving threats are quickly identified and responded to accordingly. In the presence of a constantly evolving workforce and technological environment it is essential that organizations provide timely and accurate information while operating at an acceptable level of risk.

Information Security Is Constrained by Societal and Cultural Factors

Societal factors influence how individuals understand and use systems which consequently impacts the Information Security of the system and organization. Individuals perceive, reason, and make risk-based decisions in different ways. To address this, organizations make Information Security functions transparent, easy to use, and understandable. Additionally, providing regularly scheduled security awareness training mitigates individual differences of risk perception.

As with societal factors, how an organization conducts business can serve as a cultural factor worth considering when dealing with Information Security. An organization’s own culture can impact its response to Information Security. Careful explanation of the risks associated with the business practices can help in the transparency and acceptance of the recommended Information Security practices.

To  learn more, download our free Cybersecurity eBook.

1 sound management refers to due diligence in taking all practical steps to ensure that Information Security management decisions are made in such a way that they not only protect the information stored, processed, and transmitted by an organization, but also the systems that fall under the purview of the organization.

What You Need to Know About Cybersecurity

By

Organizations rely heavily on the use of Information Technology (IT) products and services to run their day-to-day activities. Ensuring the security of these products and services is of the utmost importance for the success of the organization.

Today, Information Technology products and services face insidious threats from advanced malware and vulnerabilities that, if left unchecked, are designed to penetrate government, corporate, and infrastructure systems to gain control over those systems, rob unsuspecting victims, steal identities, damage reputations, hold us hostage, or worse.

Globally, Cybercrime damages are set to exceed $6 trillion each year by 2021.

Despite the growing threat of Cyberattacks, more than half of businesses that suffered an attack didn’t anticipate any changes to their security measures.

Ensuring the security of your IT assets is of the utmost importance for the success of your organization. So how exactly do you prepare for the dismal future these statistics suggest?

Cybersecurity vs. Information Security

The difference between Information Security and Cybersecurity is a debate that rages on with as many different answers provided as the experts you query.

The terms “Cybersecurity” and “Information Security” are generally thought of as synonyms, but they create a lot of confusion even among security professionals. Some believe that Cybersecurity is a subset of Information Security while others think the opposite.

Yet, some banking regulators like the Reserve Bank of India, Hong Kong Monetary Authority, Monetary Authority of Singapore, etc., all require banks to have separate Cybersecurity and Information Security policies. These regulatory agencies view Cybersecurity and Information Security as two distinctly different objectives.For the purposes of this eBook, we’ll embrace the meanings of Cybersecurity and Information Security as defined by the National Institute of Standards and Technology (NIST)1:

Cybersecurity: The ability to protect or defend the use of cyberspace from cyberattacks.

Information Security: Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide:

  1. confidentiality, which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information;
  2. integrity, which means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity; and
  3. availability, which means ensuring timely and reliable access to and use of information.

Information ≠ Data

To throw another log onto the fire, let’s consider data security. Data security is all about securing data, but not every bit of data is information. So, what’s the difference between data and information? Data can be called information when it is interpreted within a context that gives it meaning.

For example, “123-45-6789” is data because it's simply a string of alpha-numeric characters. If this data is found on a HR system record, then we know this is someone’s social security number. Now it is information. Why? Because, it has context.

In fact, it’s personally identifiable information or PII, and that opens up a whole new can of worms. PII must be cybersecure. Significant fines and penalties can result when PII has been cyber-breached, especially in view of the new data privacy laws coming into effect.

To summarize:

  • Information is data which has some meaning.
  • Information Security is all about protecting the information, which generally focuses on its confidentiality, integrity, and availability (CIA).
  • Cybersecurity is about protecting information from being launched into cyberspace through cyberattacks and breaches.

To learn more, download our Free Cybersecurity eBook.

1 [Source: https://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf]


Have You Been Pwned?

By

Yes, “pwned” is spelled correctly. According to the Urban Dictionary, the word “pwned” is:

A corruption of the word “Owned.” This originated in an online game called Warcraft, where a map designer misspelled “owned.” When the computer beat a player, it was supposed to say, so-and-so “has been owned.” Instead, it said, so-and-so “has been pwned”.

Rivera, Daniel. Urban Dictionary. Retrieved August 3, 2018

Has your email account or password ever been compromised? Do you even know?

You have personal computers, smart phones, social network accounts, and family members with the same, maybe even more than you. All of these devices and accounts are up for grabs if you don’t protect yourself and your loved ones. You are probably at greater risk of having your personal systems compromised than your company’s. You are vulnerable. Your account may have already been compromised. In today's parlance, having your account compromised is called getting pwned. Why don’t you check to see if you’ve been pwned?

You can check whether you’ve been pwned and have an account that has been compromised in a data breach at https://haveibeenpwned.com/. At the time of this writing, Have I Been Pwned has details on 297 pwned websites, 5,369,804,192 pwned accounts, 75,653 pastes, and 82,644,754 paste accounts.

Let's explain pastes. According to the Have I Been Pwned FAQs:

Often when online services are compromised, the first signs of it appear on “paste” sites like Pastebin. Attackers frequently publish either samples or complete dumps of compromised data on these services.

A word to the wise—when you check if you have pwned accounts, try not to have anyone looking over your shoulder unless you are absolutely certain you won’t be embarrassed by the search results. The website displays a list of every breach where your email has been compromised.

U.S. Federal Data Privacy Law is Coming…

By

Over the past month, the U.S. Department of Commerce met with representatives from Facebook and Google, consumer advocates, and Internet providers like AT&T and Comcast to draft a proposal to protect web users’ privacy on a national level.

The meetings are focused on developing a data privacy framework at the Federal level that could serve as a blueprint for Congress to pass sweeping legislation similar to the European Union's General Data Privacy Regulation (GDPR). In June, Governor Jerry Brown enacted The California Consumer Privacy Act of 2018, which takes effect in 2020. California's law is modeled after the GDPR.
​
According to the National Telecommunications and Information Administration, 22 meetings with more than 80 companies have been held on this topic over the last month. A draft proposal from the Chamber of Commerce calls on Congress to adopt a law that preempts states so that local legislatures don’t try to pass their own more restrictive privacy laws as California has done.

“Through the White House National Economic Council, the Trump Administration aims to craft a consumer privacy protection policy that is the appropriate balance between privacy and prosperity,” Lindsay Walters, the President's Deputy Press Secretary, told the Washington Post. “We look forward to working with Congress on a legislative solution consistent with our overarching policy.”

What does this all mean for us? ​It means that every website that collects personally identifiable information of any kind from another human being will be subject to the fines and penalties imposed by these new laws. It also means that we'll be keeping business, intellectual property, and data privacy attorneys busy drafting new data privacy policies and procedures for data breach notifications for our online businesses, whether breaches occur or not.

And if the U.S. law is anything like the GDPR, we'll have to obtain consent before we can even send anyone an email and provide a way for consumers to control their own data and remove it from our sites, if they so desire.​​ It's only a matter of time until these new laws impact us. Start planning now to invest into the updates that will become necessary to protect your online business.