Information Security Landscape
By: Brett Tarr, eMag Solutions
Information data security is a critical topic in the current environment of ever-growing technology and information overload. Data security is much more than just a compliance mechanism; it protects organizational data, helps ensure the survival of business entities, and provides the tools for building and sharpening a competitive edge in the marketplace. ISO 27001 represents a new standard in data security that not only maps directly to multiple regulatory compliance controls but also provides a framework for organizations to build an effective information security program. The ISO 27001 standard helps organizations create a secure data infrastructure that is scalable and, more importantly, drives a management standard to ensure the confidentiality, integrity, and availability of data and services.
Organizational data consists of many layers of information, many of which are considered confidential, necessitating the installation of controls that are secure and adaptable. Key examples of confidential data that require protection include: intellectual property, trade secrets, internal communications, customer lists, strategic plans, financial plans/information, and client information. Clearly, certain compliance standards exist for the protection of certain types of confidential information, but for the organization's competitive survival, data security needs to be much more than a mechanism to ensure compliance, as this information is the lifeblood of the organization. For most organizations, the ability to protect proprietary and confidential information ensures the very survival of the organization and its ability to compete in the local, regional, national, or global arena.
ISO 27001 represents the only auditable international standard to define the requirements for Information Security Management Systems, and ISO 27001 certification is achievable only by companies that demonstrate the highest competency in information security management.
ISO 27001 is a guideline for a management system that identifies, manages, and minimizes a range of threats to business information. It provides guidelines for implementing a constructive risk management process, setting up policies, and ensuring a secure infrastructure is in place. This standard shows that a business has taken preventative measures to protect clients' data, and demonstrates to customers and prospects that the business is observing a duty of care.
Some of the key government regulations and fiduciary requirements around corporate governance that can be tied into ISO 27001 include: the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Visa Cardholder Information Security Program/Payment Card Industry Security Standard (VISA CISP/PCI), the Fair and Accurate Credit Transactions Act (FACT), the Gramm-Leach-Bliley Act (GLBA), FISMA/NIST, the UK Data Protection Act, the EU Directive on Protection of Personal Data, and the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
A Growing Problem
The regulatory standards listed above were created and implemented in response to an ever-growing number of corporate mishaps and high-impact security breaches, with the intention of instilling corporate accountability and minimizing future information security breaches. In 2005 alone, there were over 200 documented, high-profile security breaches that made national headlines in the US, drawing attention to a trend that gave industry groups and regulators great cause for concern about the protection of personally identifiable information that could be linked back to customers, business partners, or an organization's employees.
These high-profile security breaches represented a fundamental shift in organizational risk management, as senior corporate executives, industry watchdog groups, and legislators began to realize that data security issues were not just IT issues, but were enterprise-wide business concerns. As Cybercrime becomes more widespread and perpetrators become more sophisticated, organizations have to not only play catch-up against existing threats but need to actually break ahead of the curve to take proactive measures to avoid future breaches. Software vendors such as McAfee, Symantec, and Microsoft have repeatedly stated that organizations cannot rely on technology software alone in hopes of protecting themselves against an ever-growing range of threats.
Sources of Data Breaches
During the course of an investigation it is critical that pertinent facts surrounding a data compromise be determined as soon as is feasible. One of the more important determinations involves uncovering the source (or sources) of the breach.
For many, the phrase "data breach" carries the connotation of criminal intent on the part of some external entity. This is not always the case; security incidents result from deliberate and unintentional actions as well as malicious and non-malicious actors both within and outside the organization.
Although nearly endless sub-categorizations are possible, at a high level information security incidents originate from one or a combination of the following threat sources:
External
Intuitively, external threats originate from sources outside the organization. Examples include hackers, organized crime groups, and government entities but also environmental events such as typhoons and earthquakes. Typically, no trust or privilege is implied for external entities.
Internal
Internal threat sources are those originating from within the organization. This encompasses human assets (company executives, employees, and interns) as well as other assets such as physical facilities and information systems. Most insiders are trusted to a certain degree and some individuals, IT administrators in particular, have higher levels of access and privilege.
Partner
Partners include any third party sharing a business relationship with the organization. This value chain of partners, vendors, suppliers, contractors, and customers is known as the extended enterprise. Information is the lifeblood of an extended enterprise and it flows far beyond the boundaries of any single organization. For this reason, some level of trust and privilege is usually implied between business partners.
Generalized findings indicate that data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. The relative infrequency of publicized data breaches attributed to insiders may be somewhat surprising. It is widely believed and commonly reported that insider incidents outnumber those caused by other sources. While this is certainly true for the broad range of security incidents, internal investigations culled for this article proved otherwise for incidents resulting in data compromise. This finding, of course, should be considered in light of the fact that insiders are adept at keeping their activities secret.
For others, the real surprise may be that the ratio of external to internal data breaches is so slim. In days long past when mainframes ruled the computing world, internal threats were the predominant concern since the use of private networks limited outside intrusion. Since the adoption of public networking, however, external attacks (not incidents) have vastly outnumbered those from insiders. The fact that the rate of external and internal compromise is even remotely similar speaks to the higher success rate of insider attacks. These threats are exceedingly difficult to control and, as will be shown later in this section, their consequences are far greater.
One interesting observation, in those examples studied, is more than a quarter of the cases in the study involved multiple sources. Though this sometimes indicated collusion, more commonly one party was an unsuspecting participant to the crime. A common scenario involves a remote vendor's credentials being compromised, allowing an external attacker to gain high levels of access to the victim's systems.
External Breach Sources
The process of determining the specific source of an external attack is rife with difficulties. The authenticity of the source IP address, the primary means of making this determination, is often questionable. This is especially true for cases resulting from nefarious activity, as those responsible are prone to cover their tracks. Many IP addresses discovered during an investigation are either spoofed or tie back to anonymous "zombie" machines (compromised computers that are members of a botnet). Furthermore, a crime scene devoid of any network and system logs, a key resource for computer forensics, is a disturbingly common occurrence.
That said, methods do exist for corroborating IP addresses, and this information is by no means worthless evidence. Commonalities between cases, correlative fraud patterns, cooperation with law enforcement agencies, and collaboration from third party monitoring labs lend credibility to related findings.
Internal Breach Sources
Examination of insiders engaged in security breaches is best served by focusing on the individual's role within the organization. Several broad classifications of internal sources are considered. As one might suspect, IT administrators were responsible for more data compromises than any other insider role. The privileges entrusted to this group provide a much larger opportunity to abuse corporate information systems. However, organizations will often find that there is not a significant difference between breaches caused by typical employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.
Partner Breach Sources
Partner-side information assets and connections were compromised and used by an external entity to attack the victim's systems in a majority of breaches involving a business partner. Though not a willing accomplice, the partner's lax security practices, often outside the victim's control, undeniably allow such attacks to take place. Exacerbating this situation, the victim organization frequently lacks measures to provide accountability for partner-facing systems. This contributes to a number of breaches in which partner involvement was evident but the specific perpetrators may not be identifiable.
A glance at recent headlines is enough to illustrate the wide-ranging threats facing enterprise data. From network Intrusion, to laptop theft, to administrative errors, sensitive data continues to be compromised from unwilling and often unwitting enterprises all over the world. For organizations trying to avoid such incidents, obvious questions arise around how breaches occur and what threats are most common.
Most data breaches result from a series of distinct yet related events. Though very specific threat and attack details are recorded during an investigation, all possibilities fall within several broad threat categories. Among those investigated, most incidents resulted from multiple "intra-category" events (i.e., utilized several types of hacking) and many encompassed several threat categories.
Errors
Loosely defined, error is a contributing factor in nearly all data breaches. Poor decisions, misconfigurations, omissions, non-compliance, process breakdowns, and the like undoubtedly occur somewhere in the chain of events leading to the incident. Because error is so incredibly prevalent, this loose definition tends to lose its meaning in the greater picture. For this reason, only those errors which directly or significantly contributed to the compromise were considered by investigators.
Error is split into two sub-categories: errors that directly led to the data compromise and errors that significantly contributed to it in some way. Significant omissions contribute to a huge number of data breaches. This often entails standard security procedures or configurations that were believed to have been implemented but in actuality were not. Misconfiguration, usually manifested in the form of erroneous system, device, network, and software settings, can often contribute to data breaches. Though accidental disclosure, user blunders, and technical glitches occur frequently, they are only a portion of errors leading to data compromise. Because so many hacking scenarios exploit the configuration (or lack thereof) of systems, these two categories share a kind of symbiotic relationship.
Hacking
In terms of deliberate action against information systems, hacking leads to more data breaches by a margin of almost two to one. Hacking is relatively free from the constraints that limit other methods (i.e. physical proximity, human interaction, system privileges), a fact making it a favored technique among the cyber underworld. Additionally, many tools are available to help automate and accelerate the attack process.
Attacks targeting applications, software, and services appear to be the most common technique, representing a sizable share of all hacking activity leading to data compromise. Far from passé, operating system, platform, and server-level attacks accounted for a sizable portion of breaches. In some cases, evidence of re-entry via backdoors, which enable prolonged access to and control of compromised systems, was found as well. The attractiveness of this approach to criminals desiring large quantities of information is obvious.
For the overwhelming majority of attacks exploiting known vulnerabilities, a patch that would have closed the vulnerability had been available for months prior to the breach. Rarely do breaches seem to be caused by exploiting vulnerabilities patched within a month or less of the attack. This strongly suggests that a patch deployment strategy focusing on coverage and consistency is far more effective at preventing data breaches than "fire drills" attempting to patch particular systems as soon as patches are released.
Malicious Code
Malicious code, or malcode, contributes to data breaches as well. In many cases, malcode was found on compromised systems but its role in the breach was not confirmed. In this sense, it was an indicator of the general security health of the system rather than an accessory to the crime. In years past, most malcode was delivered in the form of self-replicating e-mail and network worms. The original objective of malcode creators was massive and rapid propagation. More recent trends emphasize stealth and smaller, more directed distribution. The modus operandi of the cyber underground has without question shifted away from "hacking for fame" to "hacking for fortune," and malcode mirrors this paradigm.
Far more common than any other delivery method was malcode pushed to a compromised system by a remote attacker. The goal of this action, from the criminal's perspective, centers on capture and control. These programs either capture information to be harvested later, capture and then send information to a remote entity, or enable the attacker to access and control the system. Among malcode observed during data breach investigations, the ratio of these functions was roughly equal and often seen in combination.
Another noticeable trend is an increase in customized malcode. Much of the time, this involved a simple repacking or slight modification of existing code in order to avoid detection by anti-virus scanners. However, there may also be some instances where the actual functionality was customized specifically for the victim's systems.
Misuse
Misuse refers to the use of organizational resources and/or privileges for any purpose other than for what or how they were intended to be used. For this reason, the category is particular to insiders and partners, as they are trusted by the organization. It is also very difficult to control. There are two broad classifications of misuse: malicious and non-malicious.
Malicious forms include abusing access privileges to steal information or sabotage systems, while the installation of personal software and surfing questionable sites are examples of non-malicious misuse. Malicious misuse of access or privilege is a factor in a notable percentage of data breaches, and while non-malicious misuse contributed to relatively few incidents, it is a reminder that such activities can and do damage the company in question.
Physical
The nature of many physical events precludes the need for investigation. Moreover, many disclosures related to physical incidents are not actually data compromises. For instance, information on a lost laptop is considered "data at risk" and must be disclosed whether or not the data actually fell into the hands of criminals or was used for fraudulent purposes.
Deceit
This category refers to any deliberate misrepresentation and deceit using both technical and non-technical means. Examples of deceit encountered during data breach investigations include phishing scams, spoofing and masquerading, and social engineering.
Environmental
Events of this category are a much greater threat to system availability than to the confidentiality of information. An example in this category is a storm that leads to a power outage, causing a system to reboot. As a result of the reboot, the system may lose all security settings and then be vulnerable to compromise. Thus, business continuity procedures are in some rare instances also helpful in preventing data breaches.
Targeted vs. Opportunistic Attacks
Standard convention in the security industry classifies types of attacks into two broad categories: opportunistic and targeted. Because there is a significant grey area in this distinction, it may be useful to separate opportunistic attacks into two subgroups. The definitions are provided below:
Opportunistic (Random)
Attacker(s) identified the victim while searching randomly or widely for weaknesses (i.e., scanning large address spaces) then exploited the weakness.
Opportunistic (Directed)
Although the victim was specifically selected, it was because they were known to have a particular weakness the attacker(s) could exploit.
Targeted
The victim was first chosen as the target and then the attacker(s) figured a way to exploit them.
The mere mention of the phrase "targeted attack" is enough to generate concern among organizations the world over. As alluded to in the previous section, an organization singled out by an attacker with sufficient resources will find it difficult to mount an adequate defense. Significant investments are made toward initiatives focused on mitigating targeted attacks, but questions exist as to whether such expenditures are warranted; a better question is how likely it is that one's organization will be targeted.
Based on data collected by our Investigative Response team, targeted attacks were not found to be a significant percentage of known data breaches. Targeted breaches may be more likely in certain industries, such as the financial sector, given the nature of the data in question. Another observation was that these attacks often utilized different methods than opportunistic attacks. Random opportunistic attacks, a much larger segment of identified data breaches, lend themselves to less sophisticated and more automated methods.
Types of Information Assets Being Compromised in Data Breaches
Having discussed the methods and vectors utilized by attackers to gain access to corporate resources, a logical next step is to examine various types of information assets which are actually being compromised in data security breaches.
Online Data
The type of asset most frequently compromised is without doubt online data. Compromises to online data repositories were seen in more cases than all other asset classes combined, by a ratio of nearly five to one. Offline data, networks, and end-user devices were all closely grouped. An alternative method of analyzing these results is to examine the number of records of sensitive data compromised for each asset.
Offline Data
The dominance of online data may be surprising to some given the frequent public reports of massive amounts of data at risk from lost or stolen laptops, back-up tapes, and other media. To that point, it is noteworthy that the average number of records compromised per incident was higher when offline data repositories were involved than with online data.
Fraudulent Use of Stolen Information
Related findings support this statement, as fraudulent use of stolen information was detected following the overwhelming majority of breaches. Additionally, many cases involved one of the many types of personally identifiable information (PII) being utilized. This is likely attributable to the usefulness of this type of data for committing fraud and other criminal activities.
Non-Sensitive Data
Non-sensitive data was compromised in a few cases, but this is most likely the by-product of a breach in which more sensitive information was targeted. Authentication credentials may be desired by attackers because they allow the prospect of increased privileges and access for subsequent illicit activities. In reality, intellectual property and corporate financial data breaches were relatively rare, likely due to the difficulty of quickly and easily converting this type of information into cash.
Data Breach Discovery Methods
The protracted length of time during which a breach goes unnoticed by the victim raises the question of how organizations finally become aware of their circumstances. There is no shortage of technologies, processes, or services available to alert customers to such events. In cases handled during the four-year period of this study, investigators made it a point to ascertain how the compromise was discovered.
By a substantial margin, the most common way in which organizations became aware of data breaches was through notification by a third party. Often, this involved the third party detecting suspicious activity or fraudulent use of compromised data that was later traced back to the victim. Interestingly, the organization's own employees were second on the list, catching breaches during the course of their daily work activities. All other methods fell well below any statistically significant mark.
Perhaps the most notable statistic is that virtually no incidents were detected through event monitoring and other forms of analytic technologies. Intuitively, these controls should detect a large proportion of data compromise events, yet the findings strongly contradict this position. Are these technologies not deployed? Are they inherently ineffective? Has the evolution of cyber attacks rendered these measures obsolete? The answer to each of these appears to be no. These are not new technologies and adoption rates have been high for some time. ICSA Labs, an independent division of Verizon Business, has tested many of these devices over the years and certified their effectiveness. Furthermore, most information security guidelines contain provisions for log monitoring, routine audits, and incident response procedures.
The fact of the matter is that though most organizations have the technologies, people, and know-how required to detect and respond to data compromise events, they seldom do so. In an overwhelming majority of cases, investigators noted that the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them at the time of the incident. The breakdown is in the process. What these organizations seem to lack is a fully proceduralized regimen for collecting, analyzing, and reporting on anomalous log activity.
Anti-Forensics
The term "anti-forensics" is used to describe any and all actions taken by an unauthorized intruder to conceal evidence of their actions and make ensuing investigations difficult. Although anti-forensics often involves sophisticated software and techniques, it can also take the form of simple hacks and workarounds that mask an intruder's digital footprint. Securely deleting critical log files such that they cannot be easily recovered, for example, would be considered an anti-forensic technique.
Unfortunately for investigators, many anti-forensic tools are readily available and operationally intuitive. What's more, these tools are becoming ever smarter. Some newer proofs of concept directly attack the very tools used by investigators to examine evidence. In practice, however, anti-forensic techniques are not perfect; intruders often remove some traces of their actions but leave investigators plenty of evidence to examine.
Collecting and analyzing statistical data surrounding the use of anti-forensic techniques presents an intrinsic challenge. That is to say, the use of truly effective anti-forensic measures should ostensibly leave no trace that they were used at all. With that in mind, the Investigative Response team discovered signs pointing to the use of anti-forensics in almost half of all cases.
Unknown Unknowns
Throughout hundreds of investigations over the last four years, one theme emerges as perhaps the most consistent and widespread trend of our entire caseload. Nine out of 10 data breaches involved one of the following:
- A system unknown to the organization (or business group affected)
- A system storing data that the organization did not know existed on that system
- A system that had unknown network connections or accessibility
- A system that had unknown accounts or privileges
These recurring situations are referred to as "unknown unknowns" and they appear to be the Achilles heel in the data protection efforts of every organization, regardless of industry, size, location, or overall security posture. For this reason, investigators make a special point of determining whether any of these scenarios contributed to a data compromise incident.
Two-thirds of the breaches in this organization's internal findings involved data that the organization did not know was present on the system. This may be due to the common practice of establishing security requirements for a system commensurate with the sensitivity of the information stored within it. While certainly logical, this approach fails when the organization is unaware that sensitive data exists on a system with less stringent security requirements. Less stringent controls are prescribed for the system, leaving the data inadequately protected. As information is propagated and replicated throughout the organization, it invariably makes its way to places where it was not intended to be. Criminals, ever vigilant for easy prey, often exploit such circumstances.
Due largely to integration within the extended enterprise, unknown network connections were a factor in almost one third of breaches, while unknown privileges contributed to 10 percent. Business needs often require that partner-facing connections and accounts be provisioned quickly. Unfortunately, proper management and eventual de-provisioning of these assets is overlooked in many cases. Though not as common as other unknowns, almost 10 percent of breaches did involve an asset the victim did not know was under control of their business group. Organizational silos, poor governance, unclear ownership, and poor communication exacerbate these issues.
Costs of Information Security Breach
The recent wave of high-profile security breaches has indicated to a number of corporations the need to have a Statement on Auditing Standards (SAS) No. 70 audit and/or an International Organization for Standardization (ISO) certification to strengthen network security. The US continues to lead other nations in occurrences of loss of critical data. The number of records lost or stolen has steadily increased each year (see figure 1*). When an organization suffers a data breach, it costs approximately US $197 per lost record. That means if a company loses 100,000 records, the cost to the company would be approximately US $20 million.
Figure 1-Increase in Lost/Stolen Data 2002-07
Year Records Lost/Stolen
2007 162,563,703
2006 49,679,333
2005 55,986,942
2004 31,895,900
2003 6,405,000
2002 4,960
*Figure, courtesy of Taiye Lambo, Founder of eFortresses, Inc. and the HISP Institute
Fees to correct data breaches continue to be excessive when losses occur, as organizations must strengthen internal controls and educate consumers on the impact of data loss. In addition to the tangible, quantifiable costs associated with information security breaches, other fallout from data security breaches includes: loss of customer confidence, damage to the organization's reputation, increased regulatory scrutiny, diminished market share, and even criminal or civil litigation.
In more than half of data breaches, the organization had security policies and procedures established but they had not been implemented through actual processes. Stated differently, victims knew what they needed to do, fully intended to do it, but did not follow through. For this reason, controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of data compromise. Checks and re-checks are certainly not a novel recommendation and they lack the panache of new technology tools, but their value within security programs has been demonstrated time and again.
Organizations are increasingly learning that the balancing act of weighing the costs of protection against the costs of repair is tipping towards implementing preventative actions. While fines and reparative actions hit an organization's wallet in a very visible way, it is the longer term, less obvious costs that are ultimately steering them towards enacting systemic change and prevention measures.
ISO 27001 & Remedial Actions
Unlike other standards that merely represent a "code of practice", ISO 27001 is a certifiable standard specifically focused on Information Security, designed to provide a foundation for third-party audit and able to be integrated with existing management systems within the organization.
ISO 27001 certification allows an organization to clearly demonstrate that its information security programs are effective and are regularly reviewed to ensure they are up-to-date across the key components of performance, effectiveness monitoring and review, and continuous improvement.
Some of the key benefits of ISO 27001 Certification include:
- Mitigating the risk of Information Security breaches
- Minimizing the impact of Information Security breaches when they do occur
- Reducing penalties imposed by regulatory bodies when security breaches occur, based on demonstrated efforts at proactive prevention according to industry-accepted best practices
- Demonstrating due diligence to shareholders, customers, and business partners
- Demonstrating proactive compliance with legal, regulatory, and contract requirements, rather than taking a reactive approach
- Providing independent third-party validation of an organization's Information Security infrastructure
- Adhering to the most widely accepted international Information Security standard
Create a data retention plan
Many breaches involved data that the victim did not know was on the system. Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. The purpose of an official data retention plan is to provide very specific policies and procedures regarding an organization's management of sensitive data. Organizations should identify and quantify the types of data retained during business activities and then work to categorize data based on risk and liability. In doing so, they should determine what data absolutely cannot suffer compromise and prioritize accordingly. Where not necessitated by valid business need, a strong effort should be made to minimize the retention and replication of data. The creation of a data retention plan should force an organization to discover unknown information, where it lives, who touches it, and what controls are in place to protect it.
Control data with transaction zones
Once an organization has created a strategy for data retention, the next step is to define an approach to securing that data. In doing so, the creation of specific "transaction zones" should be considered. Transaction zones serve as a foundation for IT security that enables organizations to establish granular controls as well as additional layers of accountability, such as logging. On this platform, organizations can deploy measures such as two-factor authentication or one-time passwords for contractors. Events that fall outside the data control standards for a zone are prime candidates for alerts that the organization can act upon. These non-compliance alerts may allow the organization to identify and react to events taking place between the point of entry and compromise.
Monitor event logs
Evidence of events leading up to most data breaches was available to organizations prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon. Processes that ensure timely, efficient, and effective monitoring of and response to network events are critical to the goal of protecting data. Such procedures are not new, but they are needed.
Create an incident response plan
If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective incident response plan helps ensure that a breach can be closed prior to data being compromised, and that evidence is collected in a manner that enables the business to pursue prosecution when necessary. The incident response plan should also address the organization's freeze points: the circumstances that exceed local resources' knowledge and capabilities. A proper incident response plan also details established relationships with law enforcement, third-party counsel, and investigative support. As victim organizations may be required to inform impacted customers about the breach and data compromise, policies and procedures detailing that notification process should be included in the incident response plan as well.
Increase awareness
More data breaches were discovered by employees of the victim organization than by any other means of internal discovery observed during investigations. By implementing a required awareness program, an organization can effectively educate employees about the risks of data compromise, their role in preventing it, and how to respond when incidents do occur. If delivered effectively, and with proper incentives, this training can provide a blanket of basic knowledge across the organization on issues pertinent to data protection.
Engage in mock incident testing
In order to operate efficiently, organizations should undergo routine training in the area of incident response. Attendance at this training should be made mandatory by policy, and the training should cover response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios. Mock scenario training addresses several key facets of the incident response process and is designed to specifically articulate the step-by-step procedural elements presented within documentation. These training scenarios should provide a complete walkthrough of the incident response and investigative process and specific "discussion points" that represent key learning opportunities.
Change Management / CAPA
In order to protect critical client information and meet business commitments, companies must successfully meet the service delivery requirements of their clients.
Service delivery impacting incidents and changes must be successfully managed to ensure that service delivery commitments are met. Accordingly, companies will meet incident management and change management requirements by utilizing a Change Management procedure.
The Change Management procedure is a high level procedure which includes an incident management process as well as a control process. The incident management process is a process by which service impacting incidents are identified, documented and assigned to responsible individuals for investigation and resolution. Incident resolutions generally involve changes to the service delivery process.
The change management process is a process by which changes are proposed, documented, backout plans identified, user approvals obtained, management approval obtained, an implementation window identified, and user certification documented. Change Management is the methodology by which service impacting incidents are resolved.
The Change Management procedure maintains a history of incidents and changes and their relationship. Additionally, the Change Management procedure is the vehicle by which corrective actions and preventative actions are identified, documented and implemented.
Capacity Management
With increasing demand for information processing facility resources, an organization becomes vulnerable to loss of service due to inadequate resources. These resources may include facilities as well as staff. The risk of loss of service may be mitigated by system performance monitoring and tuning as well as by forecasting future resource requirements. Controls designed to detect service-affecting capacity issues will assist in the implementation of timely action to identify and address resource limitations.
Detecting service-affecting capacity issues is especially important in communication networks, where load increases can be sudden and quickly result in poor network performance, missed commitments, and loss of productivity.
Forecasting of basic operational needs is often overlooked and organizations should develop a process to forecast resource requirements.
Basic system and network requirements should be identified and monitoring methods established to monitor areas critical to meeting requirements. Procedures should be put in place to take actions based on monitoring results. Capacity bottlenecks should be identified and resolved.
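The three capacity controls above (detecting sudden load increases, forecasting when a resource will run out, and identifying bottlenecks that already exist) can be implemented from the same utilisation history. The following is an added example, not code from the original article. It assumes hypothetical resources with constructed daily utilisation samples and per-resource limits; the forecast is a plain least-squares trend line projected forward, and a "spike" is the latest sample exceeding a multiple of the preceding week's average.

```python
"""Capacity monitoring and forecasting (added example; not from the original
article). Resource names, limits and utilisation samples are constructed."""
from statistics import mean


def linear_fit(ys):
    """Least-squares slope and intercept for equally spaced samples (x = 0..n-1)."""
    n = len(ys)
    xs = range(n)
    mx, my = mean(xs), mean(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx if sxx else 0.0
    return slope, my - slope * mx


def days_until(ys, limit):
    """Projected days from the last sample until the trend crosses `limit`;
    None when the trend is flat or falling (no forecastable exhaustion)."""
    slope, intercept = linear_fit(ys)
    if slope <= 0:
        return None
    x_cross = (limit - intercept) / slope
    return max(0.0, x_cross - (len(ys) - 1))


def sudden_spike(ys, window=7, factor=1.5):
    """True when the latest sample exceeds `factor` times the mean of the
    preceding `window` samples; needs at least window+1 samples to judge."""
    if len(ys) <= window:
        return False
    base = mean(ys[-window - 1:-1])
    return ys[-1] > factor * base


def assess(ys, limit, lead_days):
    """Classify one resource:
    'bottleneck' - already at or over its limit (resolve now)
    'spike'      - sudden load increase (investigate now)
    'forecast'   - trend crosses the limit within lead_days (plan capacity)
    'ok'         - nothing to act on"""
    if ys[-1] >= limit:
        return "bottleneck"
    if sudden_spike(ys):
        return "spike"
    d = days_until(ys, limit)
    if d is not None and d <= lead_days:
        return "forecast"
    return "ok"


# Constructed daily samples for hypothetical resources: (samples, limit).
RESOURCES = {
    "storage_pct":    (list(range(60, 74)), 85),          # growing 1%/day
    "wan_mbps":       ([100, 102, 98, 101, 99, 100, 103, 101, 240], 500),
    "cpu_pct":        ([40, 42, 41, 43, 40, 42, 41, 42, 43], 90),
    "db_connections": ([900, 940, 980, 1000], 1000),
}


def capacity_report(resources=RESOURCES, lead_days=30):
    """Map resource name -> status for every monitored resource."""
    return {name: assess(ys, limit, lead_days) for name, (ys, limit) in resources.items()}


if __name__ == "__main__":
    for name, status in capacity_report().items():
        print(f"{name:15} {status}")
```

On the constructed data the storage volume is classified as a forecast item (the trend reaches 85% in about twelve days, inside the 30-day lead time), the WAN link as a spike, CPU as fine, and the database connection pool as a bottleneck already at its limit. Tying each status to a predefined action (order capacity, investigate, resolve) is the "procedures to take actions based on monitoring results" the section calls for.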
Conclusion
It is clear from our findings that ensuring the confidentiality, integrity, and availability of information and information systems is a journey rather than a destination, and that a successful information security strategy requires top-down executive support. In the ever-changing world of electronic information, all organizations must take every precaution to secure data and minimize data compromising situations.
Information security should rightly be perceived as a business problem rather than an IT problem, and safeguards need to consist of people, process, and technology. Establishing a plan of action and adhering to it to reduce the risk of data compromise will ultimately save money and build a more secure data infrastructure. This security is essential in the current environment of ever-growing technology and information overload.
Implementing an ISO 27001 plan is a critical piece of any organization's information security framework. With an established course of action, businesses can minimize the risks associated with internal, external, and unknown threats. ISO 27001 certification offers prospects, clients, and partners the necessary comfort to secure current and future relationships, as well as to sustain and cultivate your organization's strategic position in the marketplace. An information security management system (ISMS) based on ISO 27001 also ensures a process of continuous improvement and a balance between cost and benefit from a risk management perspective.
Reprinted with permission of the authors and the Association of Corporate Counsel as it originally appeared: Author names, "Article Title," ACC Docket volume Number, issue Number (Month Year): Page Range. Copyright © Year, the Association of Corporate Counsel. All rights reserved. If you are interested in joining ACC, please go to www.acc.com, call 202.293.4103 x360, or email membership@acc.com.