One of the most important tasks of the CIO is to manage the security of an organization’s information systems (IS). The security policies, practices, and the choice of technology all have to be designed and implemented in a manner that ensures security. This section examines the different decision-making issues a modern manager faces regarding IS security.
Table of Contents
- 1 Features of Infrastructure in Organisation
- 2 Securing the Network
- 3 Securing the Client
- 4 Creating a Secure Environment
- 5 Security Audit and Risk Assessment
- 6 Disaster Recovery Planning
Features of Infrastructure in Organisation
On the question of what facilities and features have to be managed to enable a secure IS infrastructure in an organization, the following four features are important:
Confidentiality
One role of security is to ensure confidentiality – each message is accessed and read by only the intended recipient(s), not by anyone else. Message confidentiality entails many things: (a) only the sender should know that the message has been sent; (b) only the sender/receiver should know if a message has been sent and when and how; and (c) only the sender/receiver should have access to the content as well as the meta-details about the content of the message.
Authentication
Authentication entails confirming the identity of both the sender and the receiver of the message. Security within systems has to ensure that authentication is provided and guaranteed.
Integrity
Both the sender and the receiver should know if the contents of the message are intact. The contents should not have been tampered with, corrupted, or altered in any manner. If there is any alteration, the sender/receiver should be informed about this.
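The integrity and authentication features above are commonly provided together by a message authentication code: the sender attaches a tag computed over the message with a secret key shared with the receiver, and the receiver recomputes the tag. A changed message or a tag produced without the key fails the check, so the receiver learns both that the content is intact and that it came from a holder of the key. The following is an added example (not code from the text) using Python's standard library; the shared key and the message are constructed for illustration, and the example does not address replay of an old, valid message.

```python
import hashlib
import hmac

# Constructed shared secret. In practice it is provisioned out of band and
# is never transmitted alongside the message.
SHARED_KEY = b"constructed-shared-key-do-not-reuse"


def tag_message(key: bytes, message: bytes) -> bytes:
    """Sender side: compute an HMAC-SHA256 tag over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_message(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time.

    compare_digest avoids leaking, through timing, how many leading bytes
    of a forged tag happened to be correct.
    """
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Constructed scenario: an intact message, a tampered one, and a wrong key."""
    msg = b"Transfer Rs 10000 to account 123"
    tag = tag_message(SHARED_KEY, msg)

    intact = verify_message(SHARED_KEY, msg, tag)
    # The amount has been altered in transit; the tag no longer matches.
    tampered = verify_message(SHARED_KEY, b"Transfer Rs 90000 to account 123", tag)
    # Someone without the shared key cannot produce a tag the receiver accepts.
    wrong_key = verify_message(b"some-other-key", msg, tag)
    return intact, tampered, wrong_key


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The tag gives integrity and sender authentication but not confidentiality; the message itself is still readable by anyone who intercepts it, so in a real system the tag is combined with encryption (or an authenticated-encryption mode is used).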
Access and Availability
Secure systems should also ensure they are accessible and available to designated users at all times. Disabled access or inefficient access is a security failure.
Securing the Network
Of the servers in an organization, those most prone to be attacked by crackers are the email, web, and DNS servers. These are widely used servers that provide internal users access to many services on the internet and are typically the first to be attacked.
To secure these servers, they are often isolated from the rest of the organization’s network into a separate virtual network called the demilitarized zone (DMZ). This DMZ is then protected by a firewall, and extra care is taken to manage its security. The advantage of a DMZ is that even if one of the servers in the DMZ is compromised, the rest of the network is isolated and not threatened.
When users of the organization have to access services from outside, say through a VPN, then the VPN server is maintained within the DMZ. The DMZ thus acts as a buffer to allow users to enter and after their authentication permit them to access other services.
Many services that have to be accessed from outside the organization require special security management. When employees access corporate databases from the field or access corporate services from home, they must have more than a single form of authentication. This is to ensure that malicious actors or crackers who manage to copy their keystrokes cannot use them to gain illegal access.
A special type of authentication process is referred to as two-factor authentication (TFA). Usually, authentication, such as logging into an email account, is based on single-factor authentication. The user types in a login name and a password. The password is the single secret known only to the user that allows this authentication to proceed. In TFA, two factors are used – such as a password and a physical token.
For example, for most bank debit cards (the cards used to withdraw cash from ATMs), TFA is used. The first factor is the card itself, which belongs to the user, and the second factor is the password the user types in to access his/her account. The double security is ensured by a unique card that belongs to the user and also a unique password known only to the user. Either one by itself will not help authenticate the account.
TFA is being used by organizations quite widely now. The second factor is usually a card, a mobile phone, or a unique number device (an electronic device that displays a unique number every few seconds), or a biometric scan (such as that of a fingerprint) where the first factor is usually a password. TFA allows CIOs to maintain strong security and facilitates easier detection when a breach has occurred.
Securing the Client
With strong protection at the network, it is also important to maintain security at the level of the end systems. Desktops and laptops also have to be covered with security technology. Most modern operating systems now provide a personal firewall or a desktop firewall. (Personal firewalls can even be purchased as independent software packages.)
Such firewalls monitor traffic at the network interface of the personal computer. They are especially useful for those desktops that are left connected to the internet continuously, especially at home, and use a fixed IP address. Such desktops are susceptible to attack and capture by crackers for use as zombies in DoS attacks. Desktop firewalls monitor packet traffic into and out of the computer and filter out suspicious packets.
Many client computers or desktops are not configured to have password protection. This means that they can be booted up and all their services accessed immediately without any authentication. Although most modern operating systems now disallow this practice, it is still quite common for personal computers in offices and homes. This constitutes a serious threat to the security of the individual computer and through that to the entire organization of which it is a part.
Every organization has to insist upon and maintain a strict password policy that mandates that every personal computer is password-protected (many current systems can also allow TFA through biometric technology). Furthermore, passwords must be updated frequently and should follow a pattern that is not easily detected. Some rules that many organizations use for password management are as follows:
- Passwords must consist of letters and numbers (such as ‘xptillgp6’ or ‘*ppefgrv8’) and should not resemble dictionary words. Furthermore, passwords should not be based on the names of family members (‘bbosy56’ is better than ‘latha23’, where Latha is a family member).
- Passwords should be changed frequently, every week, or every month.
- Passwords should not be written down, shared, or spoken out loudly in office settings.
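The password rules above can be enforced mechanically at the point where a user sets or renews a password. The following is an added example (not from the text) of a checker in Python that applies them: letters and numbers required, no resemblance to dictionary words, no family-member names, and a maximum password age. The small word list, the family-name list and the 8-character minimum and 30-day maximum age are constructed assumptions for the example; a real deployment would load a full dictionary and take the rotation interval from the organization's policy.

```python
import re
from datetime import date, timedelta

# Constructed word list; a real checker would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "office", "india", "secret"}
MIN_LENGTH = 8      # assumed minimum; the text does not state one
MAX_AGE_DAYS = 30   # the text says weekly or monthly; monthly is assumed here


def looks_like_dictionary_word(password: str, dictionary: set) -> bool:
    """Strip digits and symbols, then check whether what remains is a dictionary
    word or contains one of at least four letters ('welcome9' still fails)."""
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in dictionary:
        return True
    return any(word in letters for word in dictionary if len(word) >= 4)


def check_password(password: str, family_names: list, last_changed: date,
                   today: date, dictionary: set = DICTIONARY) -> list:
    """Return the list of policy violations; an empty list means the password
    is acceptable under this policy."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Za-z]", password) or not re.search(r"\d", password):
        problems.append("must contain both letters and numbers")
    if looks_like_dictionary_word(password, dictionary):
        problems.append("resembles a dictionary word")
    lowered = password.lower()
    for name in family_names:
        if name.lower() in lowered:
            problems.append(f"contains family name '{name}'")
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days; must be changed")
    return problems


if __name__ == "__main__":
    # The text's own examples: 'xptillgp6' passes, 'latha23' fails for a user
    # whose family member is named Latha.
    print(check_password("xptillgp6", ["Latha"], date(2024, 1, 1), date(2024, 1, 10)))
    print(check_password("latha23", ["Latha"], date(2024, 1, 1), date(2024, 1, 10)))
```

The family-name check depends on per-user data that the organization must already hold (or ask for at enrolment), which is why it is passed in rather than hard-coded; the age check is what turns the "change frequently" rule into a forced update rather than a reminder.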
Another security policy that is advisable for personal computers is not to allow users to work with them in Administrator mode. The PC operating system allows an Administrator mode, which has all privileges for changing settings and configuring the core functionality of the computer.
Most users operate the PC in a User mode, which is their ‘account’ that has their login name, and that has lower privileges for making changes to the system. Running the system in the Administrator mode is insecure, as worms and viruses can wreak a lot of damage from within this mode, as the malware has all the privileges to do so.
Creating a Secure Environment
Security within an organization is maintained and sustained through an active culture of security (people), having the right tools (technology), and having the right procedures and practices (process) in place. A secure environment can be initiated and achieved as a start; however, it takes the active involvement of people, technology, and processes to sustain it.
Users have to be informed of security priorities and principles, and also trained in using security software. People are often the weakest link in the security chain as they do not follow basic security rules such as:
- They do not change their passwords regularly or use dictionary words as passwords.
- They use computers at public kiosks and use insecure channels to communicate.
- Many of them use storage media (such as USB sticks) at public kiosks and then use the same in their offices, thus, increasing their exposure to viruses and worms.
- Many office users in India share their passwords with secretaries or co-workers.
Overcoming these problems requires creating a culture of security where users are both aware of and competent with security policies and practices.
Security practices have to be developed carefully to meet the needs of the organization. High security does imply higher costs of doing business, as every process will have to be secured before it is initiated and completed. However, weaker security policies entail the costs of damage from virus and worm attacks.
At the very least, an organization’s security practices should include:
- Regular updates of anti-virus software for all personal computers and servers.
- Reminders to users for updating passwords, and also forcing updates.
- Disabling, as far as possible, the use of storage devices that have been used outside.
- Strict policies for control of guest access to organizational networks.
- Having a fair use policy for all employees and members that outlines what is considered appropriate use of information technology resources.
Security technology within the organization has to be acquired and upgraded according to the needs of the organization. The technology has to suit the nature of the business or activity the organization is engaged in and the relative exposure to risk this entails. Educational institutions, for instance, maintain open networks and an open environment for students to experiment with and use their IT.
Their security needs will be very different from those of a bank, which has to maintain very high levels of security. The choice of technology will largely be determined by the perceived and historical incidences of security violations within organizations. The CIO will have to decide on the high-priority areas for security, and focus on those with an understanding that the low-priority areas will be prone to violations. The technology should be such as to contain the damage security violations can incur.
Security Audit and Risk Assessment
A security audit is a process by which the security features, technologies, and practices of an organization are scrutinized. The object is to find vulnerabilities, identify any risks, and conform to regulatory and contractual requirements.
A typical audit will include examining log files on servers, testing for known security weaknesses in software, examining data and server access rights, and interviewing users and system administrators about security practices, among other tasks. Auditing is done by security experts who base the checks on the established security policies and objectives of the organization. A successful audit will verify that the organization conforms to its security objectives and policies. An unsuccessful audit, however, will imply that the organization has to re-engineer its security policies and practices and fix the problems that have been identified.
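Examining server log files is the most routine of the audit tasks listed above, and the part that is easiest to automate. The following is an added example (not from the text) of a Python check over authentication log lines in the style of an SSH server: it counts failed logins per source address, flags addresses that exceed a threshold, and separately flags a successful login that follows failures from the same address, which is the pattern an auditor would want to question. The log lines are constructed for the example and use documentation address ranges; the threshold of three failures is an assumption.

```python
import re

# Constructed auth-log excerpt (documentation addresses 203.0.113.0/24 and 192.0.2.0/24).
AUTH_LOG = """
Mar  3 10:01:12 srv1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:15 srv1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:19 srv1 sshd[2311]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:02:30 srv1 sshd[2320]: Accepted password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:02:30 srv1 sshd[2320]: pam_unix(sshd:session): session opened for user root
Mar  3 10:05:00 srv1 sshd[2350]: Failed password for latha from 192.0.2.10 port 50020 ssh2
Mar  3 10:05:40 srv1 sshd[2352]: Accepted publickey for latha from 192.0.2.10 port 50022 ssh2
""".strip().splitlines()

# Matches the outcome lines only; session-management lines are skipped.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_events(lines):
    """Yield one dict per login outcome line, in log order."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def audit_logins(lines, threshold: int = 3) -> dict:
    """Summarise failed logins per source and successes that follow failures."""
    failures = {}                 # source ip -> number of failed attempts
    success_after_failures = []   # (ip, user, failures seen before success)
    for ev in parse_events(lines):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] = failures.get(ip, 0) + 1
        elif failures.get(ip, 0) > 0:
            success_after_failures.append((ip, ev["user"], failures[ip]))
    brute_force = sorted(ip for ip, n in failures.items() if n >= threshold)
    return {
        "failed_attempts": failures,
        "brute_force_sources": brute_force,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in audit_logins(AUTH_LOG).items():
        print(f"{key}: {value}")
```

In the constructed excerpt the root login from 203.0.113.7 after three failures is the finding that needs a follow-up interview with the administrator; the single mistyped password by latha followed by a key-based login is the benign case the report should let the auditor dismiss quickly, which is why the count of prior failures is recorded with each entry.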
Security audits help a firm achieve its security goals, particularly concerning compliance. In the Indian situation, the Indian IT Act 2000 has specified compliance norms for organizations. If an organization is found to be in violation of these norms, it could face stiff penalties, including jail terms for its executives.
For example, if a malicious email, with terrorist connections, originates on the premises of an organization, the organization is obliged to isolate and inform authorities about the author of the email. If the organization is unable to find the source of the message, it could face dire legal consequences. To prevent such a fate, organizations have to run audits to ensure their security procedures are adequate.
An important aspect of the security audit is risk assessment. Risk assessment implies computing a rupee or dollar value for the possibility of a particular security failure. For example, the risk of a virus breaching a firewall and spreading across an organization has to be assessed in terms of the money lost owing to loss of work, loss of data, and expenses incurred for finding, isolating, and eliminating the virus.
With such a value, management can decide how much to spend on the security infrastructure. If the risk assessment is Rs X for a particular threat, management would be hard-pressed to spend much more than Rs X for preventing the risk.
Risk assessment is difficult as it requires estimating potential losses, all of which may not have direct monetary implications. For instance, the loss of data at a bank may have intangible costs such as loss of client confidence that will be hard to quantify. However, risk assessment is required to complete a security audit and cannot be ignored.
Disaster Recovery Planning
Physical structures of all organizations are susceptible to natural disasters such as fires, earthquakes, flooding, and (for those in coastal areas) tsunamis. Furthermore, man-made disasters such as terrorist attacks or arson are also possibilities that organizations have to account for. In the internet age, another threat arises from attacks from malware or targeted DoS attacks. A challenge that many CIOs face is that of recovering from a disaster.
Some questions they have to face are:
- How soon can the IT infrastructure be resurrected to full functionality?
- How much will it cost to recover from a disaster?
- How can this cost be minimized by planning?
- Can a partial recovery work, and if so, what parts have to be recovered first?
The terms disaster recovery (DR) planning and business continuity planning (BCP) are often used interchangeably or together. They refer to the idea of having a plan in place that will lead to the resumption of normal business with the IT infrastructure after a disruption caused by a natural or man-made disaster. Organizations have evolved many different strategies for DR/BCP based on their needs and available resources.
One strategy many organizations follow is that of mirroring their data centers. Mirroring entails creating an exact copy of the entire database of the organization. Mirrors can take backup copies of data even as they are created through business transactions at the organization.
Mirrors thus have an exact copy of the data and if the original database fails or is harmed, the mirror can be used to recover whatever data is missing. Mirrors can also be created by scheduled backups, those that are not done in real-time but at specific intervals such as after every few hours, or daily or weekly.
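A scheduled mirror is only useful if the organization can tell which data is missing or damaged and restore exactly that. The following is an added example (not from the text, and not any product's code) in Python: it takes a scheduled backup of a directory into a mirror, records a manifest of file digests with it, and later compares the live copy against the manifest to find files that are lost or no longer match, restoring those from the mirror. The directories and file contents are constructed inside a temporary folder so the example runs offline.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name for the digest record kept with the mirror


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}


def take_mirror(source: Path, mirror: Path) -> dict:
    """Scheduled backup: copy every file and store the manifest alongside it."""
    manifest = build_manifest(source)
    for rel in manifest:
        dest = mirror / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(source / rel, dest)
    (mirror / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def damaged_files(source: Path, mirror: Path) -> list:
    """Files the live copy has lost, or whose content differs from the mirror."""
    recorded = json.loads((mirror / MANIFEST).read_text())
    current = build_manifest(source)
    return sorted(rel for rel, digest in recorded.items() if current.get(rel) != digest)


def restore(source: Path, mirror: Path, rels) -> None:
    """Copy only the listed files back from the mirror."""
    for rel in rels:
        (source / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(mirror / rel, source / rel)


def run_demo():
    """Constructed scenario: mirror, then lose one file and corrupt another."""
    with tempfile.TemporaryDirectory() as tmp:
        live, mirror = Path(tmp, "live"), Path(tmp, "mirror")
        live.mkdir()
        (live / "ledger.csv").write_text("acct,balance\n1,500\n")
        (live / "notes").mkdir()
        (live / "notes" / "todo.txt").write_text("rotate keys\n")
        take_mirror(live, mirror)

        (live / "ledger.csv").unlink()                      # lost
        (live / "notes" / "todo.txt").write_text("garbage\n")  # corrupted

        damaged = damaged_files(live, mirror)
        restore(live, mirror, damaged)
        return damaged, damaged_files(live, mirror), (live / "ledger.csv").read_text()


if __name__ == "__main__":
    print(run_demo())
```

Anything written to the live copy after the last scheduled mirror is not in the manifest and cannot be recovered this way; that gap between backups is the exposure that real-time mirroring, at its higher cost, removes.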
Mirrors are often referred to as redundant facilities and are used to create copies of the original data. For example, Kuoni Travel India provides outsourcing services for travel to various clients across the world. One of its requirements was that of ensuring business continuity and high uptime for its servers, which were maintained in Mumbai and London. Kuoni decided to create redundancy by duplicating its servers and VPN connectivity. This ensured not only highly reliable and scalable infrastructure for Kuoni but also enabled a sound disaster recovery plan.
As real-time mirroring is very expensive, some organizations rely on periodic backups. However, the backups are stored at highly secure facilities that are not on the campus or building of the organization. Such backup facilities are known as co-location facilities.
Co-location facilities have temperature- and humidity-controlled rooms in which the data servers are located, along with a highly reliable power supply. Their buildings are specially designed to resist fire and withstand earthquakes, and are secured against flooding.
Such facilities often have extra fuel for their backup power supply ready on the premises, to ensure that the power supply can last for as long as needed. In India, many such co-location facilities are in Chennai, as Chennai has the lowest risk of several possible natural disasters. In the USA, many co-location facilities are located in the Arizona desert where the risk of sudden natural disasters is also low.