Healthcare and Concerns About the Third Party Assessment

This memo is in reference to the request for a third-party assessment of all of our servers and applications that will contain Lunel employee records. The opportunity to serve Lunel as its primary health insurance provider is a great one, and its request for an onsite audit seems entirely reasonable. However, the following concerns need to be addressed before we accept the request to undergo an external penetration test.

  • We won't have visibility into what information is shared: the third-party auditor will have access to all the data on our servers, both essential and non-essential to Lunel, which may directly contradict the HIPAA rules that are critical and must be followed here at MWJ.
  • We have no control over which third party does the assessment, and no control over the information that is shared with that third party. The question arises of who will select the auditor.
  • The protocols the third party uses when testing our systems may conflict with the ones we use. The calibration and tweaking needed to reconcile them could lead to significant downtime.
  • We won't know what they might inject into our network; there have been increasing instances of attacks such as ransomware, and a tester could just as easily leave something behind in our systems that snoops on information.
  • We have to consider the credibility of the organization doing the audit, its own security standards and its susceptibility to outside attacks, since hackers and data thieves may try to use the auditor as a backdoor to critical data in our systems.
  • We currently use Software as a Service (SaaS) to store patients' medical and financial data, in conformity with the HIPAA security and privacy provisions for patient data. Providing a third party access to that service is a concern.


2.

An elementary knowledge of the law is a necessity when dealing with information security, as it influences the organization to a great extent, but there is not just one law that reigns over the others and needs to be taken care of. There are many technicalities and small legalities to be dealt with. Input from the legal and compliance teams will be greatly useful, especially considering the request to access the system and perform penetration testing, which would give the tester unprecedented access to all the information on our systems: information that is especially critical to our clients and is covered by rules such as HIPAA. There are several civil, criminal, private and public laws to consider, along with information security laws specifically.

The legal team needs to make sure that Lunel's demands do not break HIPAA in any way, since we would end up giving a third party access to servers holding sensitive information such as SSNs, medical records and insurance details of our customers.

Compliance will play an important role in defining the baseline for the audit and in making sure that the third-party assessor actually follows sound security practices itself, so that its systems do not become a weak spot that can be used as a backdoor into our systems and exploited to reach critical data. Compliance also needs to make sure that granting any of these permissions still keeps us in compliance with all applicable laws, rules and regulations, and will need to monitor the activities, preventing conflicts of interest and ensuring compliance (Vivian Tero, "Data Center Security & Compliance, Information Security Group, Symantec Corp").

The legal and compliance teams will also need to draft the contract between us and the third party, craft a non-disclosure agreement that is ironclad, and make sure our interests are safeguarded. The business associate must also make protected health information available as set out in its agreement, so that individuals' requests for copies of their health data can be honored. The agreement must authorize us to terminate the contract if the third party violates any of its terms. All data locations, including cloud services, must be covered in this contract.

3.

Third-party assessment of security, especially information security, is fairly routine, like an audit, but having no say about the person and team doing it is not advisable. Given that we deal with extra-sensitive customer details, rules such as the Health Insurance Portability and Accountability Act require extra caution whenever a third party is involved in the company's dealings, let alone given unrestricted access to our servers. Violations of laws such as HIPAA may cost us credibility as well as monetary fines of around $1.5 million (Chaput).

Every employee the third party assigns will need to comply with the law and sign an agreement. The rules require that the contract between us and a business associate must: "(1) establish the permitted and required uses and disclosures of protected health information by the business associate" (Business Associate Agreement Provisions, "Secretary", 2013). We need to make sure that the third party involved is reliable and will keep its word. It needs to be thoroughly vetted and carefully selected, not simply left to Lunel to choose. A non-disclosure agreement must be signed to ensure that there is no breach of data even after the assessment is over.

A baseline must be set before any assessment starts: how the servers will be tested, when they will be tested, and the type of testing to be done. The contract must ensure that no data is lost, and that any vulnerabilities found are fully disclosed to us and revealed to no one outside the parties involved. It must be a requirement that the TPA returns or destroys all protected health information received from, created by, or accessed by them during the assessment. If it is decided that the TPA will go ahead, the following plan must be followed to ensure a smooth process, and each step must be thoroughly documented.

4.

Under our agreement with Amazon Web Services we have the right to conduct penetration testing, but Amazon requires a request for approval first. We need to fill out Amazon's penetration-test request form using the root credentials of the account that owns the instances to be tested, and state that it will be a third-party assessment against our AWS resources. Once approval is granted we must notify the third party appointed by Lunel. Under that policy only EC2 and RDS instances can be tested, and m1.small and t1.micro EC2 instance types must not be tested at all, as that is against Amazon's policy. This reflects Amazon's policy as cited in the references below; Amazon revises it, so the current version must be checked before the request is filed.

We need the third party to give us the exact start date and time of testing and how long it will last, with an exact end date and time, to ensure compliance with Amazon's policy. It must be made clear to the TPA that the end date of all tests cannot be more than 90 days after the start date. The third party needs to provide us with:

  1. Name of the third party
  2. Contact person
  3. Email address
  4. Phone number
  5. Target DNS names
  6. Features that will be tested
  7. Where the tests will be launched from (IP addresses of the source hosts)
  8. Open source or commercial tools that will be used

It must be made clear that the specifications given by the third party will be treated as a request that needs approval from both MWJ and Amazon, which hosts the cloud platform for MWJ Healthcare.

5.

The USA PATRIOT Act ("Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001") had provisions set to expire at the end of 2005; they were reauthorized by the USA PATRIOT Improvement and Reauthorization Act of 2005 and again under President Obama in 2011. Those sunset provisions lapsed on June 1, 2015 for lack of support, but the USA FREEDOM Act, passed in June 2015, restored modified versions of the expired provisions through 2019 (Jaeger et al.).

The parts of the PATRIOT Act that augmented the Secret Service's role in investigating fraud and other illegal activities involving computers are in Title I (Enhancing domestic security against terrorism) and Title II (Surveillance procedures). Title I addresses the domestic side and Title II enhanced surveillance, and together they increased the Secret Service's involvement in computer-related crime. Section 105 specifically directs the U.S. Secret Service to develop a national network of Electronic Crime Task Forces, and Section 506 (in Title V) extends the Secret Service's jurisdiction over computer fraud investigations. The task forces work to prevent and investigate online attacks on companies, such as DoS and DDoS attacks.

All of this has increased the amount of information the government receives and provides greater transparency, which in turn gives it greater capability to check fraud and keep an eye on those aiming to harm the nation's security, either monetarily or by stealing secret information, which can be equally critical and may cause even more damage in the long run. The Act therefore provides some protection against the threat of critical data falling into the wrong hands, although privacy concerns arise, since government agencies end up with access to a great deal of personal information.


References:

  1. Chaput, B. (n.d.). HIPAA Compliance Now Even More Critical for Third Party Administrators. Retrieved April 30, 2016, from https://clearwatercompliance.com/wp-content/uploads/2013/08/Whitepaper-HIPAA-TPA.pdf
  2. Secretary, H. O. (n.d.). Business Associate Contracts. Retrieved May 01, 2016, from http://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
  3. Third Party Risk Assessment – Anitian. (n.d.). Retrieved May 01, 2016, from https://www.anitian.com/third-party-risk-assessment
  4. IT security auditing: Best practices for conducting audits. (n.d.). Retrieved May 01, 2016, from http://searchsecurity.techtarget.com/IT-security-auditing-Best-practices-for-conducting-audits
  5. Compliance Department Definition | Investopedia. (2003). Retrieved May 01, 2016, from http://www.investopedia.com/terms/c/compliancedepartment.asp
  6. Penetration Testing – Amazon Web Services (AWS). (n.d.). Retrieved April 30, 2016, from https://aws.amazon.com/security/penetration-testing/
  7. Yeh, B. T., & Doyle, C. (2006, December 21). USA PATRIOT Improvement and Reauthorization Act of 2005: A Legal Analysis. Retrieved May 1, 2016, from https://www.fas.org/sgp/crs/intel/RL33332.pdf
  8. Third-Party Vendor Risk Assessment: Why It Matters? (n.d.). Retrieved April 29, 2016, from http://www.symantec.com/connect/blogs/third-party-vendor-risk-assessment-why-it-matters
  9. Paul T. Jaeger, John Carlo Bertot, Charles R. McClure (2003). “The impact of the USA Patriot Act on collection and analysis of personal information under the Foreign Intelligence Surveillance Act” (PDF). Government Information Quarterly 20 (3): 295–314.
  10. Professor LeRoy Foster, Slides for Class, University of Illinois, Chicago, IL: IDS 520 Course Slides
  11. Whitman, M. E., & Mattord, H. J. (2004). Management of information security. Boston, MA: Thomson Course Technology.
  12. ISACA. (n.d.). Cybersecurity Student Book. Retrieved from http://www.isaca.org/cyber

Deep Blue Robotics and Info Security

Types of threats DBR may be facing:

  • Backups are sent by a courier service. This could lead to loss of information, as couriers can misplace the backup media, which contain very sensitive information for Deep Blue Robotics.
  • Malware attacks: DBR currently uses local antivirus, which is acceptable for a small company, but it should use antivirus with web protection that gets regular updates to stay secure against constantly evolving threats. Since DBR's progress depends on the new technology it has developed, its intellectual property must be protected against the evolving level of threat. Firewalls are also needed to help fend off phishing, intrusion attempts and malware.
  • Advanced persistent threat (APT): relying on a simple VPN connection opens the organization to an APT, a network attack in which an unauthorized individual gains access to a network and stays there undetected for a long period of time. This can lead to theft of intellectual property, one of DBR's most important assets.
  • Social engineering attacks: these are "con games" that exploit the organization's people. DBR, with only 40 employees, is a small company, so it is safe to assume that these attacks pose a serious threat. Passwords can be stolen, and access to any one account may expose a great deal of information. Spear phishing, baiting, pretexting or scareware can all be used.
  • Hacktivist threat: as DBR grows as a provider of offshore oil-drilling robotics, there is open discontent among environmental activists, who can cause real trouble if they bypass the simple security controls in use at DBR. They could leak critical information to the public and harm the company by exploiting DBR's vulnerabilities with the methods mentioned above.
  • Leaking of information by insiders always remains a looming threat in companies with sensitive data and research.


Ans 2. Capabilities and intent of these threats:

The threats mentioned above can cause serious misfortune for DBR if they materialize. The capability of each attack depends mostly on the attacker and how well they know how to execute it, but it can be assumed that an attacker who launches a given attack has the skill set to carry it through:

  • Malware attacks can be generic or specifically targeted. Antivirus usually handles the generic ones, but malicious software keeps evolving and becoming more advanced. Malware can corrupt important files, make unwanted copies, leave folders inaccessible, record keystrokes to capture passwords, and continuously exfiltrate data from the systems. The intent is usually to disrupt the normal workings of a company such as DBR, and sometimes it leads to leaking of information that is critical to the organization.
  • APT attacks require a high level of expertise on the part of the perpetrator, as they are highly sophisticated and target confidential information, blueprints, plans and intellectual property. The main intent is to find useful information that can be traded for money. The stolen information can also be held for ransom, with large sums demanded for it. Competitors can use these attacks to gain critical information about DBR's advanced systems and use it to improve their own programs.
  • Social engineering attacks require a dedicated attacker who is determined to harm the organization. They involve a lot of preparation, elaborate planning and profiling of the company's employees. These attacks target the human side of the organization and exploit people's weaknesses. They may lead to unauthorized access to the company's sensitive files, and sometimes even to physical access to the server in DBR's main building, which would give the attacker unlimited access to all the data they need. Although the probability of such attacks is lower, their intent is mostly to gain access to critical information and technology.
  • Hacktivists can employ multiple methods to gain access to critical information and leak it to the public. Their capability depends mostly on how advanced the attacker is: if they are just "script kiddies" (most commonly they are), they do not pose that big a threat and generally intend only to challenge authority. More sophisticated attackers intend to damage the company's reputation, gain from it financially, or stop all of the company's operations.
  • Loss of backup data in transit and leaking of information by employees might happen by accident, but they still pose a serious threat. Sometimes it happens on purpose, causing important information to leak and damaging the company's reputation.


Ans 3. Threat that poses the most risk:

Going through the case and understanding DBR's security posture and the threats that loom over it, the company is most worried about intellectual property theft and environmental hacktivists. Intellectual property theft would be more damaging to the organization, as DBR's main asset and differentiating factor from its competition is its advanced robotics and the protocols used for it. Hacktivists do pose a threat, but they generally consist of "script kiddies" and can be handled by antivirus and a properly secured VPN. The one threat that poses the most risk of intellectual property theft is the APT. An advanced persistent threat uses multiple intrusion techniques; while the individual components of the attack may not be categorized as advanced, the fact that these threats combine multiple tools makes them more advanced.

The attack is carried out through continuous observation and interaction in order to accomplish the intrusion and reach the information. The attacker prioritizes the goal over immediate gain and can therefore strike when the organization is most vulnerable; they lie low and persistently watch the systems.

The threat comes from the human element of these attacks: they are not just pre-written code designed to act in one specific way. That makes them more harmful and more of a menace than any other threat currently faced by DBR.

APT breaches can come through external malware, insiders, or physical access to systems, and the attackers use a wide variety of techniques to gain access. To safeguard DBR, the company needs to employ sophisticated monitoring and assessment tools, keep physical checks on its systems, and stay up to date on security practices by checking for advanced threats across endpoints, networks and email gateways.


Ans 4. Approaching the vulnerability assessment:

The following approaches can be used to analyze and assess threats and vulnerabilities:

Threat-based assessment: identifies the major threats to the organization, such as malware attacks, hacktivists, loss of backups, APTs and so on. This is always the first assessment to do. Threats can be rated as Defined, Credible, Potential or Minimal.

Asset-based assessment: looks at the internal structure of DBR to find what can give rise to threats and further vulnerabilities, and which assets can be used to the organization's advantage.

Vulnerability-based assessment: happens after all the plausible threats have been determined and the internal structure identified. It also assesses the potential impact of an attack and rates the threat as Devastating, Severe, Noticeable or Minor. Vulnerability is a combination of DBR's appeal as a target and the amount of defense the current countermeasures deliver; the vulnerability rating can be Very High, High, Moderate or Low.


Identifying an organization's vulnerabilities is one of the most important tasks in maintaining security, because if you do not know your weaknesses you cannot fix them. Running vulnerability scanners will reveal them; the next step is to rank the vulnerabilities by the level of threat they pose to DBR. Based on those ratings an action plan must be made and carried out, covering the most important and most easily fixed areas first, then implementing the overall holistic solution across the organization.

The system must evolve continuously to keep up with newer techniques attackers might use against DBR's intellectual property, information, financial data or other important assets.

Risks must be re-evaluated at the end to find out which areas have improved and which threats still need to be addressed.


Ans 5. Suggestions based on the information in the case analysis:

Based on the case it is clear that DBR itself is aware that it is progressing fast and that the current processes may not keep up with the growth and the increased number of threats it attracts. The major steps DBR should take to deflect or deter the inevitable attacks, preserve its integrity and safeguard its intellectual property are:

  • Secure unused switch ports: administratively shut down unused ports so they cannot be misused by an attacker who gains physical access.
  • Improve VPN security: use strong authentication and encryption on the VPN used for internal communications, for example certificate-based EAP-TLS for authentication and a tunnel such as L2TP over IPsec rather than an unprotected tunnel.
  • Implement better firewalls and network-based antivirus instead of relying on local antivirus alone. This provides better overall security, protects against online attacks, and gives better control over employees' browsing activity, which might otherwise open up a vulnerability.
  • Change the current backup method: backups are currently transported by courier to a secure location. Keeping backups offline is a good idea, but instead of plain courier shipment a more robust process must be devised, at minimum encrypting the backup media and tracking chain of custody.
  • IDS implementation: an intrusion detection system will monitor resources and watch for attempts to steal intellectual property and for APT activity. It will help DBR take pre-emptive steps against these kinds of attacks.
  • User education: workshops must be held to educate employees about social engineering, physical access attacks, baiting, phishing and other attacks that focus on them, which will enhance security at DBR.
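As an added illustration of what the IDS suggestion above would actually look for, the following Python heuristic (written for this page, not part of the DBR case) scans outbound proxy or firewall log lines for beaconing: the regular, low-jitter call-home traffic a long-dwell APT implant produces while it "lies low". The log format, hosts and addresses are constructed for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a simple "timestamp src_ip dest_host bytes" format.
# 10.0.1.15 contacts the same host roughly every 300 seconds (implant check-in);
# the other hosts show ordinary, irregular user traffic.
SAMPLE_LOG = """\
2016-04-30T09:00:00 10.0.1.15 sync.cdn-metrics.example 1433
2016-04-30T09:00:07 10.0.1.22 mail.example.net 22045
2016-04-30T09:01:30 10.0.1.22 mail.example.net 18310
2016-04-30T09:02:12 10.0.1.40 www.example.org 64002
2016-04-30T09:05:01 10.0.1.15 sync.cdn-metrics.example 1431
2016-04-30T09:09:59 10.0.1.15 sync.cdn-metrics.example 1433
2016-04-30T09:12:45 10.0.1.22 mail.example.net 20771
2016-04-30T09:13:02 10.0.1.22 mail.example.net 1902
2016-04-30T09:15:02 10.0.1.15 sync.cdn-metrics.example 1430
2016-04-30T09:19:58 10.0.1.15 sync.cdn-metrics.example 1433
2016-04-30T09:25:00 10.0.1.15 sync.cdn-metrics.example 1432
2016-04-30T09:27:10 10.0.1.22 mail.example.net 25518
2016-04-30T09:30:01 10.0.1.15 sync.cdn-metrics.example 1433
2016-04-30T09:33:41 10.0.1.22 mail.example.net 9844
2016-04-30T09:34:59 10.0.1.15 sync.cdn-metrics.example 1431
2016-04-30T09:40:00 10.0.1.40 updates.vendor.example 5120900
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes) for each well-formed line; skip junk lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def detect_beacons(text, min_events=6, max_cv=0.15, min_interval=30, max_interval=3600):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.

    A pair is reported when it has at least min_events connections, the mean
    gap between them lies in a plausible check-in range, and the coefficient
    of variation (stdev / mean) of the gaps is at most max_cv. Human traffic
    is bursty and has a high CV; a timer-driven implant does not.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        times[(src, dst)].append(ts)
    hits = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if not (min_interval <= mean <= max_interval):
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "events": len(stamps),
                         "mean_interval": round(mean, 2), "cv": round(cv, 4)})
    return hits


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample, only the 10.0.1.15 to sync.cdn-metrics.example pair is reported (eight events, mean gap of about 300 seconds, CV under 0.01); the mail traffic from 10.0.1.22 has enough events but a CV near 0.9 and is ignored. In production this is one signal among several: real implants add jitter, so the CV threshold trades false negatives against false positives, and known update or telemetry hosts need an allowlist, since they beacon too.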

Pharm Universe and Info Sec

  1. What are the most important business issues and goals for Pharm Universe?

Ans. Pharm Universe was founded nine years ago and is a relative newcomer to the pharmaceutical industry. It is like a kid trying to make it big in the major leagues, learning the rules of the game as it goes and with a lot to learn. In the case of information security, Pharm Universe has a lot of ground to cover, especially since industrial espionage is common in the pharmaceutical industry.

With its main focus on research, the company has a very casual attitude towards information security and mostly takes it for granted; its 'wait and see' attitude may harm it in the long term. Its key goals are to safeguard its intellectual property, identify other risk areas, and educate its people about the criticality of threats, their impact and how to avoid them, especially as some of its formulas are not even patented. FDA approvals play a major role in the field, and many other government rules regulate this area and dictate the operational side of the business.

The biggest impediment is the current attitude of the company and its officers; without their proper understanding and involvement, reaching a heightened state of information security will be extremely difficult. Another major issue is the way employees are leaving the company: important research work and intellectual property can be misused by departing employees, and this needs to be handled at a more personal level.

All security testing is irregular and done only to meet compliance; it needs to become regular policy in order to keep up with security loopholes, as new threats emerge daily. It is evident that the current controls are inadequate and a lot of revamping is needed.


  2. What are the managerial, organizational and technological issues and resources related to this case?

Ans. Pharm Universe is growing rapidly and faces multiple issues, especially in information security. These issues are not limited to the business side; they span multiple aspects of the organization.

Managerial

  • Funding for information security is not stable; management's threats to cut the budget can be detrimental in the long term.
  • Management is ignorant of the poor practices prevalent in the organization and skeptical of the changes that could improve them.
  • Senior management scarcely knows about basic security measures such as virtual private networks (VPNs) and file permissions, and is disinclined to use them because doing so would be inconvenient and might slow research progress.


Organizational

  • The organization lacks an 'information-centric' security structure, which hampers its chances of implementing a good security policy across the organization.
  • Pharm Universe has several researchers under pressure to produce, which may breed negativity among staff and lead to destructive attitudes or outbursts from within.
  • A 'wait and see' attitude towards information security is a welcome sign for future threats; not being attacked now does not mean they cannot be attacked in the future.
  • Their business is built on intellectual property and research whose final output is formulas. Patented formulas are protected, but holding non-patented formulas expands the company's risk and chance of loss.
  • Most employees are scientists who prefer an environment where free exchange is the norm, so convincing them about security is a major issue.


Technological

  • Vulnerability analysis and penetration testing have been done only at audit time, which exposes the company to newer threats that keep evolving and loom as a constant threat to the entire industry.
  • The current IT security function, focused mostly on firewalls and intrusion prevention systems (IPSs), is minimal and is not a long-term solution if the company keeps expanding at the same rate.
  • Cloud services are frequently criticized for their security, yet the research division now uses them for data storage, which makes the technology under development more prone to leaks.


Resources:

  • COBIT 5, ISO/IEC 15504, Six Sigma quality indicators, and US National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 can be referred to while making policies.
  • Managerial employees including Ben Dorian, Sudha Patel and other C-level executives will be major resources who will work on drafting the policies as recommended by the CIO.
  • The security team present in Boston will play a key role in maintaining the agreed security protocols.
  • Researchers are the key resource, since they are the ones who will have to follow the rules and implement them; researchers who are leaving the organization can also pose a major security threat.


  3. What role do different decision makers play in the overall planning, implementing and managing of the information technology/security applications?

Ans. All the major stakeholders in the company's success must play their part in order to implement well-rounded information security governance. Management's involvement in drafting policy is necessary from the start so that the policy is well aligned with organizational goals. Asset security, resource usage and information flow are continuous processes that need to be monitored and controlled from the beginning.


Role of decision-makers:

The role of decision-makers in the security program is essential and indispensable. The three main tasks are planning, implementation and management. Decision-makers are in charge of, and responsible for, protecting the corporate network and its online operations from cyber-attacks. They need to determine the overall security plan for the organization; the security application plan is a cyclic process that involves:

  • Gap analysis
  • Risk assessment
  • Organizational security policy
  • Security risk control process
  • Security monitoring and auditing process
  • Incident response plan


Key decision makers will include:

  • CEO and board members: they decide which of the CISO's suggestions will actually be implemented in the organization.
  • Chief Information Security Officer (CISO): the CISO is in charge of assessing, managing and implementing the information security program that keeps the organization's data secure.
  • Security team: they ensure that security technology is deployed correctly in the organization's systems and in accordance with the CISO's direction. They configure firewalls, implement controls, and analyze and investigate security issues.


  4. What are some of the emerging IT security technologies that should be considered in solving the problem related to the case?

Ans. As per COBIT information, 97% of all security breaches are avoidable through simple or intermediate controls, and a PwC report puts intellectual property theft at 31.8% of breaches impacting business. So it is abundantly clear that, since Pharm Universe plays in a field that relies completely on intellectual property, it needs to stay on top of maintaining security. Controls such as access control and firewalls are basic necessities for any organization. PU currently has firewalls and intrusion prevention systems (IPSs) in place, but they are little more than check marks, and the fact that PU only tests its systems around audit time is a major red flag. Threats keep evolving, and attackers sometimes simply sit in the systems and wait for the right opportunity, which makes the weakness of these controls all the riskier; the reported increase in extortion threats (7.1%) is a major indicator of that. Newer threats extend to mobile devices and wireless exploitation, e.g. bluesnarfing, bluebugging and RFID tag skimming. Besides the basic controls, some newer methods can also be implemented, including but not limited to:

  • Honeypots: additional systems set up as decoy servers to gather information about an attacker or intruder trying to get access to PU's systems, thereby exposing the major threats.
  • Honeynets: several honeypots can be combined into a network, further enhancing security; this is not necessary at the current level but can be put into action further down the road.
  • Kerberos (protocol): uses symmetric key encryption to authenticate an individual user to various network resources. It relies on tickets issued by a trusted Key Distribution Center (KDC) so that authentication can take place over non-secure channels.
  • A centralized user access control system must be developed along the lines of RADIUS, TACACS+ or Diameter.
  • Cloud security and software-defined security (SDS) can also be of great help, especially considering the use of the cloud to store important research; there is a host of security offerings specifically designed to protect cloud-based resources, particularly in a virtual environment like the one used at PU.
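The ticket flow behind the Kerberos item above is easier to see in code than in a sentence. The following Python program is an added example written for this page, not part of the case or of any Kerberos implementation: it models the AS exchange (password to ticket-granting ticket), the TGS exchange (TGT to service ticket) and the final presentation of the service ticket, with a KDC, an assumed user "alice", an assumed service "fileserver" and an assumed realm PU.EXAMPLE. The AES-based encryption types of real Kerberos are replaced by a stand-in encrypt-then-MAC construction built from HMAC-SHA256 so that the example needs only the standard library; the structure of the messages, not the cipher, is the point.

```python
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 8 * 3600   # assumed ticket lifetime, seconds
CLOCK_SKEW = 300             # Kerberos's conventional 5-minute skew allowance

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stdlib stand-in for the AES encryption
    # types real Kerberos uses, so the example runs without extra packages.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object; returns nonce || ciphertext || tag."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(realm, user, password):
    """String-to-key: long-term key derived from the password, salted by realm and principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10000)

def check_authenticator(session_key, authenticator, user, now):
    """An authenticator proves the presenter holds the ticket's session key and is fresh."""
    auth = unseal(session_key, authenticator)
    if auth["user"] != user or abs(now - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is stale")

class KDC:
    """Key Distribution Center: the only party holding every principal's long-term key."""
    def __init__(self, realm, principals):
        self.realm, self.keys = realm, dict(principals)
        self.keys["krbtgt"] = os.urandom(32)   # key that protects ticket-granting tickets

    def _ticket(self, owner_key, user, now):
        session = os.urandom(32)
        body = {"user": user, "key": session.hex(), "exp": now + TICKET_LIFETIME}
        return session, seal(owner_key, body)

    def as_exchange(self, user, now):
        """AS-REQ -> AS-REP: TGT plus session key, readable only with the user's long-term key."""
        session, tgt = self._ticket(self.keys["krbtgt"], user, now)
        return seal(self.keys[user], {"key": session.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ -> TGS-REP: present TGT plus authenticator, receive a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        tgt_key = bytes.fromhex(t["key"])
        check_authenticator(tgt_key, authenticator, t["user"], now)
        svc_session, ticket = self._ticket(self.keys[service], t["user"], now)
        return seal(tgt_key, {"key": svc_session.hex(), "ticket": ticket.hex()})

def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ at the service: only the service's own key opens the ticket; returns the user name."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    check_authenticator(bytes.fromhex(t["key"]), authenticator, t["user"], now)
    return t["user"]

def obtain_ticket(kdc, user, password, service, now):
    """Client side of the AS and TGS exchanges; returns (service session key, service ticket)."""
    rep = unseal(user_key(kdc.realm, user, password), kdc.as_exchange(user, now))
    tgt_key = bytes.fromhex(rep["key"])
    auth = seal(tgt_key, {"user": user, "ts": now})
    rep2 = unseal(tgt_key, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), auth, service, now))
    return bytes.fromhex(rep2["key"]), bytes.fromhex(rep2["ticket"])

def demo():
    """Assumed realm, user and service; outcome of one valid login and three bad attempts."""
    realm, fs_key = "PU.EXAMPLE", os.urandom(32)
    kdc = KDC(realm, {"alice": user_key(realm, "alice", "correct horse"), "fileserver": fs_key})
    now = time.time()
    svc_key, ticket = obtain_ticket(kdc, "alice", "correct horse", "fileserver", now)
    def auth(): return seal(svc_key, {"user": "alice", "ts": now})
    tampered = ticket[:20] + bytes([ticket[20] ^ 1]) + ticket[21:]   # flip one ciphertext byte
    results = {"accepted": service_accept(fs_key, ticket, auth(), now)}
    attempts = {
        "bad_password": lambda: obtain_ticket(kdc, "alice", "wrong", "fileserver", now),
        "expired": lambda: service_accept(fs_key, ticket, auth(), now + TICKET_LIFETIME + 1),
        "tampered": lambda: service_accept(fs_key, tampered, auth(), now),
    }
    for name, attempt in attempts.items():
        try:
            attempt()
            results[name] = "accepted"
        except ValueError:
            results[name] = "rejected"   # wrong key, bad MAC, or expiry all end here
    return results
```

Note what each party never sees: the client never learns the fileserver's key (it forwards an opaque ticket), the fileserver never learns alice's password, and both end up with a session key the KDC minted. One caveat worth carrying into any real deployment: this toy KDC answers an AS request for "alice" without any proof that the requester knows the password, so anyone can collect the AS-REP and brute-force the password offline. Real Kerberos closes that gap with pre-authentication, and accounts configured without it are exactly the targets of AS-REP roasting.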

Other tools that are easy to implement and provide better monitoring, in order to step up security for PU, are packet sniffers, vulnerability scanners and OS detection tools. Reviewing firewall logs and system logs regularly, rather than only before an audit, is an important part of enhanced security, since that is where a quiet intruder's probing first becomes visible.
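Log review only helps if something actually reads the logs and raises the cases a person should look at. The script below is an added example written for this page, not part of the original essay and not tied to any firewall product: it parses a constructed key=value deny-record format (the format, the firewall name `fw1`, the addresses and the thresholds are all invented for the example) and flags three patterns a PU analyst would want surfaced from the firewall logs mentioned above: one source probing many ports in a short window, repeated denies against a single service, and an internal host being blocked on the way out, which is the "sitting in the system waiting" case.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Thresholds are assumptions for the example; tune them to the real traffic profile.
SCAN_PORTS = 10           # distinct destination ports from one source within SCAN_WINDOW
SCAN_WINDOW = 60          # seconds
REPEAT_DENIES = 5         # denies from one source to one destination service
INTERNAL_PREFIX = "10."   # assumed internal address range

# Constructed record format (invented for the example, not a vendor format):
#   <ISO-8601 time>Z <firewall> action=<ALLOW|DENY> proto=<proto> src=<ip>:<port> dst=<ip>:<port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["ts"] = ts.timestamp()
    rec["dport"] = int(rec["dport"])
    return rec

def analyse(lines):
    """Return a list of (finding, subject, count) tuples derived from the DENY records."""
    denies = sorted((r for r in map(parse, lines) if r and r["action"] == "DENY"),
                    key=lambda r: r["ts"])
    findings = []

    # 1. Port scan: one source touching many distinct ports inside a sliding window.
    recent = defaultdict(list)          # src -> [(ts, dport), ...] within the window
    flagged = set()
    for r in denies:
        hist = recent[r["src"]]
        hist.append((r["ts"], r["dport"]))
        while hist[0][0] < r["ts"] - SCAN_WINDOW:
            hist.pop(0)
        ports = {p for _, p in hist}
        if len(ports) >= SCAN_PORTS and r["src"] not in flagged:
            flagged.add(r["src"])
            findings.append(("port_scan", r["src"], len(ports)))

    # 2. Repeated denies against one service: brute forcing or persistent probing.
    per_service = defaultdict(int)
    for r in denies:
        per_service[(r["src"], r["dst"], r["dport"])] += 1
    for (src, dst, dport), n in sorted(per_service.items()):
        if n >= REPEAT_DENIES:
            findings.append(("repeated_denies", f"{src}->{dst}:{dport}", n))

    # 3. An internal host blocked going out: the quiet foothold trying to call home.
    egress = defaultdict(int)
    for r in denies:
        if r["src"].startswith(INTERNAL_PREFIX) and not r["dst"].startswith(INTERNAL_PREFIX):
            egress[(r["src"], r["dst"], r["dport"])] += 1
    for (src, dst, dport), n in sorted(egress.items()):
        findings.append(("internal_egress_denied", f"{src}->{dst}:{dport}", n))
    return findings

# Constructed sample log: a port sweep, an SSH brute-force attempt, an internal
# host blocked from reaching an external port, one ALLOW line and one garbage line.
SAMPLE_LOG = [
    f"2016-04-01T10:00:{i:02d}Z fw1 action=DENY proto=TCP src=203.0.113.7:5{i:04d} dst=10.0.0.5:{p}"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389], start=1)
] + [
    f"2016-04-01T10:05:{i:02d}Z fw1 action=DENY proto=TCP src=198.51.100.9:4{i:04d} dst=10.0.0.5:22"
    for i in range(1, 6)
] + [
    "2016-04-01T10:07:00Z fw1 action=ALLOW proto=TCP src=10.0.0.23:40001 dst=10.0.0.5:443",
    "2016-04-01T10:07:30Z fw1 action=DENY proto=TCP src=10.0.0.23:40002 dst=192.0.2.50:4444",
    "2016-04-01T10:08:30Z fw1 action=DENY proto=TCP src=10.0.0.23:40003 dst=192.0.2.50:4444",
    "this line is not in the expected format and is skipped",
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
```

Running the script on the embedded sample prints one finding of each kind. The third check is the one most often missing from firewall reviews: a deny on outbound traffic from an internal host is rarely noise, because legitimate internal systems seldom try to reach unusual external ports, and it is exactly how a dormant implant shows itself.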
  1. How can the chief information security officer (CISO) in this scenario most effectively communicate the risk to senior management?

Ans. The CISO is responsible for assessing, overseeing and implementing the information security program that keeps the organization’s data secure, and for managing expectations ranging from the CEO’s to those of individual employees. To do this the CISO must effectively communicate the level of vulnerability and risk that PU is currently exposed to, which can be a daunting task given the skeptical attitude of senior management, especially the CEO, toward the criticality of this effort.

  • The first order of business is to convince all major stakeholders of the importance of security operations: any information breach causes direct losses in revenue and profit, and the negative publicity harms the company even more.
  • Secondly, a step-wise plan must be drawn up and shown to senior management, with the first year focused mostly on strengthening the existing system and implementing cost-effective solutions. Showing incremental progress will be instrumental in demonstrating the value of security investments and solidifying the trust of management.
  • The most vital division of Pharm Universe is its research division, which continuously creates intellectual property and is therefore the main area of concern from a security standpoint. Since the scientists and researchers are accustomed to discussing their ideas within, and even outside, their research groups, this represents a major point of data leakage and must be conveyed to senior management to trigger appropriate changes in the organization.
  • Monthly company meetings, at least in the early stages of the project, must include a discussion of its progress.
  • A company-wide memo must be circulated to all employees at PU covering the basics of security.
  • A policy limiting BYOD must be requested from senior management as the first step toward a more secure organization.
  • Regular brainstorming sessions with management, to better understand their expectations, along with regular newsletters and bulletins, can be the key to achieving and effectively implementing security through clear communication with management and other key stakeholders.
P.S. – A special screening of Mr. Robot (the popular USA Network T.V. series about how hackers work, how they obtain information, and the consequences) might act as a catalyst toward strong and favorable decision making on information security policy.
References:
  1. Whitman, M. E., & Mattord, H. J. (2004). Management of information security. Boston, MA: Thomson Course Technology.
  2. IDFAQ: What is a Honeypot? (n.d.). Retrieved April 03, 2016, from https://www.sans.org/security-resources/idfaq/what-is-a-honeypot/1/9
  3. 5 emerging security technologies are waiting for you. (2015). Retrieved April 03, 2016, from https://networkingexchangeblog.att.com/enterprise-business/5-emerging-security-technologies-are-waiting-for-you/#fbid=ICaJpUOb5L6
  4. Drapeau, P. (2002). Designing Secure IT Environments for Pharmaceutical Clinical Trial Data Systems. Retrieved April 2, 2016, from https://www.sans.org/reading-room/whitepapers/casestudies/designing-secure-environments-pharmaceutical-clinical-trial-data-systems-708
  5. Trust In, and Value From, Information Systems. (n.d.). Retrieved April 03, 2016, from http://www.isaca.org/
  6. Cybersecurity: The new business priority. (n.d.). Retrieved April 03, 2016, from http://www.pwc.com/us/en/view/issue-15/cybersecurity-business-priority.html
  7. The never ending battle of keeping information safe. (n.d.). Retrieved April 3, 2016, from http://www.isaca.org/COBIT/Documents/COBIT-5-InfoSec-Infographic.pdf
  8. Professor LeRoy Foster, Slides for Class, University of Illinois, Chicago, IL: IDS 520 Course Slides

Management of Information Security

Discuss what types of security should be considered when dealing with information security as a whole. Which areas of security might be more critical than others?

Ans. Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. Some of this information is extremely critical, and the access granted to different levels of staff varies with the organization’s needs and the criticality of the information. Securing it means preserving the CIA triad, i.e.:
• Confidentiality,
• Integrity and
• Availability

Information security activities should be coordinated throughout the organization to ensure consistent application of the security principles, rules and policy statements. Security is usually achieved through several of these strategies undertaken simultaneously or in combination with one another, the main areas being:

• Physical: physical access control for the physical assets that can give access to information.
• Communications security: protecting the content of messages within the organization.
• Technical/Network: logical access control for external and internal devices connecting to the information systems.
• Administrative: policy-based control, which manages the access levels of different users.

Information security has both preventive and corrective measures; prevention is the more critical of the two.
Access should be granted only to authorized users and only to the relevant parts of the data. Encryption and masking are important for preventing information loss, and backups are necessary for recovering from it. Up-to-date hardware and software are an important measure against intrusions and losses. Corrective measures must not be ignored either: in most cases, however strong the security measures, breaches and losses can still happen. The organization must always have a contingency plan for such events, with corrective policies and measures ready to be put into action. With that in mind, a balanced, well-measured approach to devising policies, together with their strict implementation across the company, plays a major role in information security.

References:
NCBI: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4299037/

Stopping By Woods On A Snowy Evening

This is a poem by Robert Frost. It inspires me a lot; hope it does you too.

Whose woods these are I think I know.
His house is in the village though;
He will not see me stopping here
To watch his woods fill up with snow.

My little horse must think it queer
To stop without a farmhouse near
Between the woods and frozen lake
The darkest evening of the year.

He gives his harness bells a shake
To ask if there is some mistake.
The only other sound’s the sweep
Of easy wind and downy flake.

The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep.

not-a-good-thing

I saw an extremely touching thing yesterday. It was one of my friends’ birthdays; he got a Retriever (puppy) as a gift from his parents, which they bought for 7000 bucks. He was awesomely cute, well built and all the things a nice animal should be, and was clothed in sweaters and all, but the thing that was touching was not that. While going to his home I experienced something which didn’t let me sleep the entire night. In front of a petrol station I spotted a person lying on the ground, barely dressed, in tattered clothes in this season (temperature 5 degrees). I approached him and found that he was no longer a living being.

I rushed to the nearest police station and reported the incident; the station was barely 10 meters away. The cop said, “Arrey bhaiya (listen, bro), why are you so concerned? Someone or the other is found dead here like that every day”…

That shook me entirely. How can one be so casual about death?

And more importantly, are ANIMALS more precious than humans… Or are some humans born to die like ANIMALS?

I am sad about it.

New Year New Life

As the new decade dawns upon us in a few hours, we will have left a part of our life behind……..

Numerous wars, terrorist attacks, communal clashes and what not have been experienced by people in this decade. But we are still alive!!!

So cheers, everyone..

I now make a new year resolution to post a blog a week in 2011, and hope to continue it till eternity. It’s my first new year resolution and I hope it won’t be broken.

Happy New Year, everyone

The proposal

Saw you walking from the door

like an angel flying above the floor

I don’t know what happened to me

but suddenly everything seemed upside down

my heart was thumping

then it missed a beat or two

I don’t know what happened to me

but it seemed I wanted you by my side

you suddenly looked straight at me

it seemed like I just cried

Exactly then butterflies tided all over me

Then I noticed I was sweating all over.

the mist around you disappeared

I guess you’re my first crush, my sweet little clover.

spent many sleepless nights over the days

just tried to think over the ways

in which you could be made mine…

and everything will be so damn fine…

I was moving all around

looking for the ups and downs

whenever I closed my eyes

it was your eyes gazing at mine.

I moved far away from sanity

maybe love took the best of me

You were my sun and you were my moon

you totally took over my mood

today is the day you will hear this song

and will know I was yearning for you for so long

I don’t know what will happen to me

but this time my heart is missing more than a beat or two

it’s all up to you

you can be my princess either way

if you say yes I’ll be yours too

feelings are endless but words are few

I know I love you and maybe you love me too.

but now it’s all up to you…..

hi every one

Well, I have been thinking of writing something for a very long time. I am not a professional, just a student who wants to express his feelings. Hope this blog will suffice my need, and I hope that I’ll not disappoint anyone, especially myself….