Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. It is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures and software and hardware functions. These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

The objectives outlined in ISO/IEC 17799:2005 provide general guidance on the commonly accepted goals of information security management and contain best practices controls in the following areas of information security management:

• information security policy
• asset management
• human resources security
• physical and environmental security
• communications and operations management
• access control
• information systems acquisition, development and maintenance
• information security incident management
• business continuity management
• compliance

The control objectives and controls in ISO/IEC 17799:2005 can be used by an organization to assess the risk of doing business with partners, customers and suppliers and are a good indicator or an another organization’s IT and business process maturity. 

No related posts.

CompTIA currently offers three security-related certifications that can be used to satisfy the US Department of Defense’s (DoD) established Directive 8570.1: Information Assurance Training, Certification and Workforce Management.

A+ Certification

The A+ certification is intended for computer service technicians and validates a their ability to perform tasks such as installation, configuration, diagnosing, preventive maintenance and basic networking. The exams also cover domains such as security, safety and environmental issues and communication and professionalism. With more than 700,000 technicians certified worldwide, CompTIA A+ is seen by the technology community as a solid baseline credential for entry into an IT career.

Network+ Certification

The Network+ certification builds upon the A+ certification as the computer technician or IT networking professional acquires more work experince. This certification tests a technician’s ability to describe the features and functions of networking components and to install, configure and troubleshoot basic networking hardware, protocols and services. Although not a prerequisite, it is recommended that CompTIA Network+ candidates have at least nine months of experience in network support or administration or adequate academic training, along with a CompTIA A+ certification.

Security+ Certification

The Security+ certification builds upon the Network+ certification and tests the individual’s knowledge of systems security, network infrastructure, access control, assessments and audits, cryptography and organizational security. Although not a prerequisite, it is recommended that CompTIA Security+ candidates have at least two years of on-the-job technical networking experience, with an emphasis on security. The CompTIA Network+ certification is also recommended.

Related posts:

1. Infosec Certification Guide: (ISC)2 Whether you’re interested in becoming an information security professional or...

CISSP

CISSP stands for Certified Information Systems Security Professional. Considered by many to be the gold standard in infosec certifications, the CISSP measures an individual’s knowledge as well as their experience, requiring at least 5 years of experience working in information security in two or more of the following areas:

• Access Control
• Application Security
• Business Continuity and Disaster Recovery Planning
• Cryptography, Information Security and Risk Management
• Legal, Regulations, Compliance and Investigations
• Operations Security
• Physical (Environmental) Security
• Security Architecture and Design
• Telecommunications and Network Security

To obtain a CISSP certification, individuals must go through a four step process that includes passing a CISSP certification exam, pass the exam with a score of 700 or more, and the submit an endorsement by another member of the ISC-squared that can attest to the candidates professional experience. Recertification is required every 3 years.

If you don’t have the required five years of professional experience, you can have one year waived if you possess another security certification recognized by the ISC-squared. Alternatively, you can take the CISSP certification exam early and obtain an associate of ISC-squared certification which will become a CISSP if you obtain the requisite professional experience in the following 6 years.  For more information, visit CISSP.

CAP

CAP stands for Certification and Accreditation Professional and measures measures the skill level of individuals responsible for defining processes used to assess risk and establish security requirements. The CAP credential is aimed at information assurance professionals who have a responsibility for adherence to NIST (National Institute of Standards and Technology) guidelines. It is recognized by civilian, state and local governments in the U.S., as well as commercial markets. It is designed for employees who perform  rights authorization, system owners, information owners, information system security officers, and senior system managers.

The CAP requires at least two years of professional experience in the following areas:

• Understanding the Purpose of Certification
• Initiation of the System Authorization Process
• Certification Phase
• Accreditation Phase
• Continuous Monitoring Phase

 Like the CISSP, CAP candidates need to pass an examination, obtain an endorsement to be certified, and remain in good standing by attending continuing professional education classes. For more information, visit CAP.

SSCP

SSCP stands for Systems Security Certified Practioner and only requires one year of professional infosec experience to apply for. It is designed for Network Security Engineers, Security Systems Analysts, and Security Administrators or other information technology and software development positions that require an understanding of security but do not have it as a primary part of their job description.

Although the SSCP is not as prestigious as the CISSP it is still a valuable certification to obtain if you are interested in an information security career. Organizations such as the US Department of Defense and the British Ministry of Defense require certifications for their information security personnel and the SSCP is an internationally recognized certification which can differentiate your resume.

For certification, your professional experience has to be in one of the following seven security domains: 

• Access Controls
• Analysis and Monitoring
• Cryptography 
• Malicious Code
• Networks and Telecommunications
• Risk, Response and Recovery
• Security Operations and Administration

Like the CISSP, SSCP candidates need to pass an examination, obtain an endorsement to be certified, and remain in good standing by attending continuing professional education classes. For more information, visit SSCP.

Related posts:

1. Infosec Certification Guide: CompTIA CompTIA stands for Computing Technology Industry Association. CompTia serves the...

Whether you’re a industry giant or a lean-and-mean one-person shop, here are some tips on conducting a data security audit to determine who data flows through your organization and who has access to it.

Related posts:

1. Data Security for Mobile Employees Take a look around you the next time you’re at...
2. Benefits of a Data Retention Policy Most businesses accumulate massive amounts of sensitive information, and like...
3. Data Classification Schemes Every company, no matter how big or small, should have...

Here are some tips about customizing your company’s incident response plan.

• Senior management sets the tone for any organization’s commitment to data security. That’s why drafting, coordinating, and implementing your company’s response plan isn’t a job for a newcomer. Designate a well-respected senior executive to head up your response team. Select someone with a reputation for working well with every part of your operation — sales, financial, personnel, information technology.
• Once you’ve put together your response team, have them draft contingency plans for how your business will respond to different kinds of security incidents. Some threats may come out of left field; others — a lost laptop or a root kit attack, to name just two — are unfortunate, but foreseeable.
• Experience sharpens intuition. If your staff suspects a breach, investigate it immediately.
• If you suspect a computer breach, immediately sever the compromised computer’s access to the Internet and to your network. To assess the impact, ask your IT staff to preserve any available network logs, file transfer logs, system logs, and access reports. Investigate if intruders opened files or placed new programs on your computer. Did they release viruses or other malware? By diagnosing the damage and retracing the fraudsters’ steps, you can help your company shore up unanticipated vulnerabilities.
• Consider whom to inform in the event of an incident, both inside and outside your company. You may need to notify consumers, law enforcement agencies, customers, credit bureaus, and other businesses that may be affected by the breach. In addition, about 40 states have laws addressing data breaches. Have that information on file before you need it.

No related posts.

So what does this mean for savvy marketers? Here are some tips on making your privacy policy have some teeth.

• Design your privacy policy with your customers in mind. Just like the rest of your website, your privacy policy should be clear, direct, and easy to understand. Keep technical jargon and legal terminology to a minimum.
• Some online retailers lace their privacy policies with lofty language about how careful they are with customers’ personal information, but don’t back their words up with tough security measures. Statements in your privacy policy are no different from any other advertising claim you make. You’ve got to back them up with solid proof.
• For security-minded consumers, your company’s information security practices are a key factor in their decision to do business with you. So if you decide to modify how you use personal information, it’s important to call customers’ attention to that change in policy. Just editing what you say on your website won’t alert them to your new procedures.
• A company’s privacy policy is only as strong as the staff that implements it. That’s why it’s important to train all employees — including your IT professionals, sales representatives, human resources specialists, and support staff — on how to protect sensitive data. 

Related posts:

1. Creating an Incident Response Plan Taking steps to protect personal information in your files and...

• Many companies have special passwords and access numbers for employees to use when they’re off-site. Avoid the temptation to jot them down on a scrap of paper you keep with your laptop. Don’t use shortcut keys to program passwords, access codes, or credit card numbers.
• Before leaving on business travel, check your briefcase, PDA, and laptop for data that shouldn’t go on the road with you. Sensitive information is best left locked in a file cabinet or burned to a CD or flash drive stored securely in your office.
• Ten percent of all laptop thefts occur in airports. Keep your eye on your electronic devices when going through airport screening. Don’t put your cell phone, PDA, or computer on the conveyor belt until the person directly ahead of you has made it through the metal detector.
• A survey of business travelers found that a third of them confessed to sneaking a peek at an airplane seatmate’s computer screen. Defer work on confidential client files until you’re away from prying eyes.
• Ever taken a look at the documents some travelers leave on the computer at the hotel business center? And just think of the sensitive information blurted out during loud cell phone conversations. Remind your employees to keep their guard up in public. You never know who might be listening.It’s a small, small world
• Information on home computers can be just as vulnerable to compromise. Require up-to-date firewall, anti-virus, and anti-spyware protection and the latest security patches on home computers used even occasionally for business. Establish company policies about off-site access to sensitive data.
• Business travelers often are the first in line for the latest electronic device, but need to take care before disposing of the old one. When getting rid of computers, cell phones, or PDAs, deleting files using keyboard commands may not be sufficient because data can remain on a device’s memory. Check with your IT staff to see if there is a “wipe” utility program that can overwrite the memory so data is no longer recoverable.

Related posts:

1. Conducting a Internal Data Security Audit Effective data security starts with assessing what information you have...

The best way to protect your business is to systematically identify what information you collect from customers or partners on web registration forms, contracts, service orders, sales and customer services records in both digital and non digital form.  This process should be driven by the creation of a data classification scheme which identifies the sensitivity of this data, the security controls that should be used to manage it, and how long it should be retained.

Going through this process will give you the opportunity to define what data, if any, should be retained for the long term, and what data can be disposed. By keeping only what’s necessary and safely disposing of the rest, you can protect your customers and employees by securing sensitive data in your possession. One tip: Scale down — Keep only what you need for business.

• If you don’t have a valid business reason to collect personal information, don’t ask for it in the first place. Review the forms you use to gather data — like credit applications and fill-in-the-blank web screens for potential customers — and revise them to eliminate requests for information you don’t need.
• Unless you have a legitimate business justification, don’t hold onto customers’ credit card information, including account numbers and expiration dates. Keeping sensitive data longer than necessary creates an unwarranted risk for fraud.
• Sometimes the software used to read credit card numbers and process transactions is preset to store information permanently. Check your settings to make sure you’re not inadvertently keeping more than you need.
• If you must keep information for business reasons or to comply with the law, develop a written records and data retention policy to identify what must be kept, how to secure it, how long to keep it, who’s authorized to access it, and how to dispose of it securely when you no longer need it.

Related posts:

1. Data Classification Schemes Every company, no matter how big or small, should have...
2. Conducting a Internal Data Security Audit Effective data security starts with assessing what information you have...
3. Data Security for Mobile Employees Take a look around you the next time you’re at...

From an information security standpoint, using shared passwords is a bad idea for several reasons:

• It will cause you to fail a security audit. Almost all state regulations on personally identifiable information and industry regulatory standards such as PCI DSS, HIPAA, Sarbanes Oxley, or Gramm-Leach-Bliley prohibit the use of shared user names and passwords.
• It causes more work for your IT group, particularly when an employee resigns or is terminated, because the shared password must be changed and everyone using it must be informed.
• If any information is inappropriately changed or stolen, you have no way of determining which individual is responsible.
• The use of shared passwords will likely increase your liability if you are sued for an information security breach.

Here’s what you have to do to:

1. Identify every internal or outsourced service that your company uses to manage information. This can be an eye opener: you may use a lot more systems for this purpose than your realize. 
2. Identify each individual who must have access to information in each internal or remote system. Your IT group should keep this information up to date in a matrix so that it can be easily referenced in the event of an employee termination, transfer or during an security incident investigation. 
3. When an new employee is hired, determine which information systems they need access to. Incorporate this into your new employee IT provisioning process. In addition, channel all new requests for information access through your IT group so that they can keep their records up to date.
4. Create an information systems acceptable use policy, distribute it to all of your employees, and have them sign it. Include provisions in this agreement that prohibit the sharing of user names and passwords between employees or 3rd parties.
5. Systematically create new user names and passwords for individuals who have been sharing them and distribute them.

No related posts.

Most businesses adopt a data classification scheme that categorizes information along the following four dimensions:

• Company confidential
• Private
• Sensitive
• Public

A simple scheme like this facilitates improved data security because it clearly identifies and communicates the levels of confidentiality required for all data and the people who should have access to it. For example, a presentation or patent application that is labeled “Company Confidential” is clearly not meant to be distributed outside of a company.

Good data classification schemes should also include a time element that lets data change it’s classification after a specified interval and an owner, who is responsible for maintaining and protecting a specified data type or source.

Neglecting to implement adequate security controls for sensitive information can lead to increased corporate liability and regulatory censure. Without a data classification scheme, a company may treat all information the same, greatly increasing the chance of accidental disclosure or security breaches.

Writing a data classification scheme is not that difficult and I’ve supplied a sample template below that can help you jump start the process. Getting it implemented however, may require a substantial degree of organizational change, so it is best to get the buy-in of senior management before you start that process.

A Data Classification Policy Template

Related posts:

1. Benefits of a Data Retention Policy Most businesses accumulate massive amounts of sensitive information, and like...