As technology advances in leaps and bounds, companies, and IT organizations in particular, pay close attention to safeguarding security. In spite of this, security continues to be a vulnerable area in most organizations. This paper throws light on the important aspects of in-house controls: testing security controls, identifying penetration points, assessing security, and the attributes of an effective security control.
Interest in in-house control has been heightened by publicized security penetrations and by the increased importance of information systems and the data they contain. The passage of the Sarbanes-Oxley Act in particular raised interest in in-house control. The Sarbanes-Oxley Act, often referred to as SOX, was passed in response to numerous accounting scandals such as Enron and WorldCom. While much of the act relates to financial controls, a major section relates to in-house controls. Because making misleading attestation statements is a criminal offense, top corporate executives treat in-house control as a very important topic. Many of those controls are incorporated into information systems, hence the need to test those controls.
The following four key terms are used extensively in in-house control and security:
O Risk – The probability that an undesirable event will occur.
O Exposure – The amount of loss that would occur if an undesirable event occurred.
O Threat – A specific event that might cause an undesirable event to occur.
O Control – Anything that will reduce the impact of risk.
Let’s look at an example of these terms using a homeowner’s insurance policy. Within that policy we will consider one risk, the risk of fire. The exposure associated with the risk of fire would be the value of your home. A threat that might turn that risk into a loss might be an improper electrical connection or children playing with matches. Controls that would minimize the loss associated with the risk would include fire extinguishers, sprinkler systems and fire alarms. Looking at the same situation in IT, we might consider the risk of someone penetrating a banking system and improperly transferring funds to the perpetrator’s personal account. The risk is obviously the loss of funds in the case of a breach. The risk is also the loss of credibility and reputation with customers if the bank fails to detect the attack and later has to report it as an unauthorized transaction. The risk is worst if the attackers manage to penetrate the banking system remotely.
Testing Security Controls
Security is too important to organizations for the testing of security controls to be ignored. The following tasks add value to security control testing:
1. Understand the points of risk.
2. Minimize the points of risk.
3. Assess the security awareness training program.
4. Understand the reporting requirements and deal with reporting deviation from policy.
5. Create an effective risk-based policy and training program.
6. Train employees.
For example, as employees come to understand their new roles and responsibilities, they may be reluctant to perform some tasks or may question how closely management monitors their activities. However, if new employees are adequately trained, they will be capable of carrying out the tasks the organization needs, and the employees themselves will benefit from the education and training provided by the IT security testers.
Divergence – Between Risk and Assurance
The risks, when managed, can appear infinite. For example, if a bank is hacked and the attacker manages to get beyond the firewall, the attack may impact both the assets and the reputation of the organization. On the other hand, if the bank uses outdated firewall software, the assets may be exposed to the threat and the vulnerability. So it is important to have a trend line that monitors the evolution of both the controls and the threat.
Monitor the evolution of the controls and threat using the following techniques:
O Policies, Objectives and Accountability Principles – formulate policies that define the risk and lay out the expectations from the organization.
O Constraints – Define the limits of liability and policy with regards to risk.
O Divergence – Monitor the amount of risk associated with different acts or policies and schedule risk reviews at different intervals.
O Testing and Validation – Participate in testing activities and obtain reports that validate the effectiveness of the risk management process.
O Reporting – Reporting is a vital part of the risk management process and must be documented to provide evidence to demonstrate that the risk management process is effective.
O Vendor Provisions – Make sure that the vendor is providing the services in a commercially reasonable way.
O Business Segregated Sensors (BSS) – Use remote sensors to assist the human operator in monitoring the building and assess the security levels.