How to establish security requirements? It is essential that an organization identifies its security requirements. There are three main sources.
1. The first source is derived from the security risk assessment of the organization. Through security risk assessment, threats to assets are identified, the vulnerability to those threats and the likelihood of their occurrence are evaluated, and the potential impact is estimated.
2. The second source is the legal, statutory, regulatory and contractual requirements that an organization, its trading partners, contractors and service providers have to satisfy.
3. The third source is the particular set of principles, objectives and requirements for information processing that an organization has developed to support its operations.
Security risk assessment
Security requirements are identified by a methodical security risk assessment. Expenditure on controls needs to be balanced against the business harm likely to result from security failures. Security risk assessment techniques can be applied to the whole organization, or only parts of it, as well as to individual information systems, specific system components or services where this is practicable, realistic and helpful.
Security risk assessment is a systematic consideration of:
1. The business harm likely to result from a security failure, taking into account the potential consequences of a loss of confidentiality, integrity or availability of the information and other assets;
2. The realistic likelihood of such a failure occurring in the light of prevailing threats and vulnerabilities, and the controls currently implemented.
The results of this security risk assessment will help guide and determine the appropriate management action and priorities for managing information security risks, and for implementing controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.
It is important to carry out periodic reviews of the security risk assessment and the implemented controls to:
1. Take account of changes to business requirements and priorities;
2. Consider new threats and vulnerabilities;
3. Confirm that controls remain effective and appropriate.
Reviews should be performed at different levels of depth depending on the results of previous security risk assessments and the changing levels of risk that management is prepared to accept. Security risk assessments are often carried out first at a high level, as a means of prioritizing resources in areas of high risk, and then at a more detailed level, to address specific risks.
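The two-part consideration above (business harm from loss of confidentiality, integrity or availability, and the realistic likelihood given current controls) is easiest to see as a small risk register. The following Python is an added example, not part of the original page or of any standard: the three-point scale, the "worst affected property" impact rule, the acceptable-risk threshold of 3 and the sample register entries are all constructed assumptions for illustration. It scores each risk, lists those above the acceptable level to guide priorities, and then shows one review cycle in which a newly implemented control lowers a likelihood and the register is re-prioritized.

```python
from dataclasses import dataclass, replace
from typing import List

# Three-point scale for harm and likelihood; constructed for this example.
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: an asset, a threat to it, and the assessment."""
    asset: str
    threat: str
    confidentiality: str   # business harm if confidentiality of the asset is lost
    integrity: str         # business harm if integrity is lost
    availability: str      # business harm if availability is lost
    likelihood: str        # realistic likelihood given threats, vulnerabilities and current controls
    controls: tuple = ()   # controls already implemented

    def impact(self) -> int:
        # The harm of a failure is driven by the worst affected property (C, I or A).
        return max(LEVELS[self.confidentiality],
                   LEVELS[self.integrity],
                   LEVELS[self.availability])

    def score(self) -> int:
        # Risk = impact x likelihood, on a 1..9 scale (assumed scoring rule).
        return self.impact() * LEVELS[self.likelihood]


def prioritize(register: List[Risk], acceptable: int = 3) -> List[Risk]:
    """Return the risks above the acceptable level, highest first, to guide management action."""
    above = [r for r in register if r.score() > acceptable]
    return sorted(above, key=lambda r: r.score(), reverse=True)


def apply_control(risk: Risk, control: str, new_likelihood: str) -> Risk:
    """Record a newly implemented control and the re-evaluated likelihood (a periodic-review step)."""
    return replace(risk, controls=risk.controls + (control,), likelihood=new_likelihood)


# Constructed sample register (not real data).
REGISTER = [
    Risk("customer database", "credential theft via phishing",
         "high", "medium", "low", "medium", ("password policy",)),
    Risk("public website", "denial of service",
         "low", "low", "high", "high"),
    Risk("office printer", "unauthorized configuration change",
         "low", "low", "low", "medium"),
    Risk("payroll system", "unauthorized modification of records",
         "medium", "high", "medium", "low", ("segregation of duties", "audit trail")),
]


def review(register: List[Risk]) -> List[Risk]:
    """One review cycle: multi-factor authentication was added to the database, so re-evaluate."""
    updated = [
        apply_control(r, "multi-factor authentication", "low")
        if r.asset == "customer database" else r
        for r in register
    ]
    return prioritize(updated)


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"score {r.score()}  {r.asset}: {r.threat}")
    print("still above acceptable after review:", [r.asset for r in review(REGISTER)])
```

Before the review, the website (score 9) and the customer database (score 6) are above the acceptable level while the printer (2) and payroll system (3) are accepted; after the review only the website remains, which is the kind of change in priorities the periodic review is meant to surface.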
Selecting controls
Once security requirements have been identified, controls should be selected and implemented to ensure security risks are reduced to an acceptable level. Controls can be selected from this document or from other control sets, or new controls can be designed to meet specific needs as appropriate. There are many different ways of managing risks and this document provides examples of common approaches. However, it is necessary to recognize that some of the controls are not applicable to every information system or environment, and might not be practicable for all organizations.
As an example, segregation of duties describes how duties may be segregated to prevent fraud and error. It may not be possible for smaller organizations to segregate all duties and other ways of achieving the same control objective may be necessary.
Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Separating the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorized modification or misuse of information or services, should be considered.
Small organizations may find this method of control difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. It is important that security audit remains independent.
Care should be taken that no single person can perpetrate fraud in areas of single responsibility without being detected. The initiation of an event should be separated from its authorization.
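The principle that initiation of an event is separated from its authorization, together with the fallback for small organizations (monitoring and audit trails when duties cannot be segregated), can be demonstrated in a few lines. The Python below is an added example, not code from the original page: the `Ledger` class, its `enforce` flag and the sample transactions are constructed assumptions. With enforcement on, a user who initiated a transaction is refused when trying to authorize it, and the refusal itself is written to the audit log; with enforcement off, the same self-authorization goes through, and `find_self_approvals` is the compensating review over the audit trail that management supervision would rely on.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class SegregationError(Exception):
    """Raised when one identity tries to both initiate and authorize the same transaction."""


@dataclass
class Transaction:
    tx_id: int
    description: str
    initiator: str
    approver: Optional[str] = None
    status: str = "pending"


class Ledger:
    """Transactions must be initiated by one person and authorized by another.

    enforce=True blocks self-authorization outright; enforce=False models a small
    organization that cannot segregate the duty and relies on the audit trail instead.
    (Hypothetical class for illustration.)
    """

    def __init__(self, enforce: bool = True):
        self.enforce = enforce
        self.transactions: Dict[int, Transaction] = {}
        self.audit_log: List[Tuple[str, int, str]] = []   # (event, tx_id, user)
        self._next_id = 1

    def initiate(self, user: str, description: str) -> int:
        tx = Transaction(self._next_id, description, initiator=user)
        self._next_id += 1
        self.transactions[tx.tx_id] = tx
        self.audit_log.append(("initiated", tx.tx_id, user))
        return tx.tx_id

    def approve(self, user: str, tx_id: int) -> Transaction:
        tx = self.transactions[tx_id]
        if self.enforce and user == tx.initiator:
            # Record the attempt even though it is refused: the audit trail must show it.
            self.audit_log.append(("approval-denied", tx_id, user))
            raise SegregationError(f"{user} initiated transaction {tx_id} and cannot also authorize it")
        tx.approver = user
        tx.status = "approved"
        self.audit_log.append(("approved", tx_id, user))
        return tx


def find_self_approvals(ledger: Ledger) -> List[Transaction]:
    """Compensating control: list transactions one person both initiated and approved."""
    return [tx for tx in ledger.transactions.values()
            if tx.status == "approved" and tx.approver == tx.initiator]


def demo() -> dict:
    """Run both configurations on constructed sample transactions and report the outcomes."""
    strict = Ledger(enforce=True)
    t1 = strict.initiate("alice", "pay supplier invoice 1200")
    try:
        strict.approve("alice", t1)
        self_approval_blocked = False
    except SegregationError:
        self_approval_blocked = True
    approved_by = strict.approve("bob", t1).approver

    small = Ledger(enforce=False)          # small organization, no second person available
    t2 = small.initiate("carol", "reimburse travel expenses")
    small.approve("carol", t2)

    return {
        "self_approval_blocked": self_approval_blocked,
        "approved_by": approved_by,
        "strict_audit_events": [e for e, _, _ in strict.audit_log],
        "strict_self_approvals": len(find_self_approvals(strict)),
        "small_self_approvals": [tx.tx_id for tx in find_self_approvals(small)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log in the strict ledger records "initiated", "approval-denied" and "approved" for the same transaction, so an independent security audit can see both the attempted self-authorization and who finally authorized it.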
Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs. Non-monetary factors such as loss of reputation should also be taken into account.
Some of the controls in this document can be considered as guiding principles for information security management and applicable for most organizations. They are explained in more detail below under the heading “Information security starting point”.
Information security starting point
A number of controls can be considered as guiding principles providing a good starting point for implementing information security. They are either based on essential legislative requirements or considered to be common best practice for information security.
Controls considered to be essential to an organization from a legislative point of view include:
1. Data protection and privacy of personal information;
2. Safeguarding of organizational records;
3. Intellectual property rights.
Controls considered to be common best practice for information security include:
1. Information security policy document;
2. Allocation of information security responsibilities;
3. Information security education and training;
4. Reporting security incidents;
5. Business continuity management.
These controls apply to most organizations and in most environments. It should be noted that although all controls in this document are important, the relevance of any control should be determined in the light of the specific risks an organization is facing. Hence, although the above approach is considered a good starting point, it does not replace selection of controls based on a security risk assessment.
Critical success factors
Experience has shown that the following factors are often critical to the successful implementation of information security within an organization:
1. Security policy, objectives and activities that reflect business objectives;
2. An approach to implementing security that is consistent with the organizational culture;
3. Visible support and commitment from management;
4. A good understanding of the security requirements, security risk assessment and security risk management;
5. Effective marketing of security to all managers and employees;
6. Distribution of guidance on information security policy and standards to all employees and contractors;
7. Providing appropriate training and education;
8. A comprehensive and balanced system of measurement which is used to evaluate performance in information security management and to feed back suggestions for improvement.
See also:
- A case study about risk assessment
- Business continuity and disaster recovery system
- Network security threats
- How to change the IP address
- Business firewalls