Having covered likely attacks and ways to protect systems, we now turn to several risk-related concepts: control types, the principle of least privilege, the security implications of integrating systems, risk mitigation strategies, the importance of security and environmental controls, and risk management best practices.
Control Types: Increase Control to prevent data leakage.
The National Institute of Standards and Technology (NIST) is a United States federal agency whose security standards are used not only nationally but worldwide. NIST groups controls into classes, and each class is associated with a set of control families.
A control is something we put in place, with hardware or software, to enforce a policy. Once applied, it makes the policy hold in practice. Some organizations only implement a policy without enforcing it. The best practice for controls is that implementing a policy is not enough; it must be enforced.
Strong Technical Control
Technical controls are the first type of control categorized in the NIST special publications. They apply when we want access control and authentication for the resources on a computer or network. Technical controls are logical controls such as setting passwords. Example: setting password encryption.
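As an added example of a technical control that both implements and enforces a password policy (this is illustrative code written for this page, not code from NIST or from the original text; the minimum length, character rules and PBKDF2 parameters are assumptions):

```python
"""Added example: a technical control that enforces a password policy.

The policy rules and hashing parameters below are assumptions for this
example; they are not taken from NIST or from the original page.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_LENGTH = 12            # assumed policy value
PBKDF2_ITERATIONS = 600_000  # assumed work factor
SALT_BYTES = 16


def policy_violations(password: str) -> List[str]:
    """Return the policy rules the password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Enforce the policy, then store a salted PBKDF2-HMAC-SHA256 hash.

    The control refuses non-compliant passwords outright instead of merely
    documenting the rule, and the clear-text password is never stored.
    """
    violations = policy_violations(password)
    if violations:
        raise ValueError("password rejected: " + "; ".join(violations))
    salt = salt or secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-9")
    print("stored record:", record)
    print("verify correct:", verify_password("Correct-Horse-Battery-9", record))
    print("verify wrong:  ", verify_password("Correct-Horse-Battery-0", record))
```

The point of the example is the difference the page draws between implementing and enforcing: `policy_violations` documents the rule, while `hash_password` refuses to proceed until the rule is met.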
Flawless Management Control
When we are unsure how to manage the different aspects of risk in an environment, we need management control. It deals with security assessment and authorization, planning, risk assessment, and service acquisition. Security is not only about firewall configuration; it is also about proper management and control through policies, practices and procedures.
Efficient Operational Control
Operational controls are the operations and activities a company carries out to maintain security in its environment. Under operational control we have the policies and procedures that keep the organization working effectively. All of these implement and enforce management's directives. Users should know what they are expected to do when an incident occurs.
When you put controls in place, a control may be too relaxed or too tight, and this gives rise to false positives and false negatives.
False Positive:
Your security control says there is a problem, but in reality there is none. False positives are very common in intrusion detection systems. A user who is authorized to access a facility accesses it, yet the system raises an alarm that there is an intruder. This is a false positive: the system raises an alert even though the user is authorized.
When working with security systems we encounter false positives from time to time: something is reported that has not really happened. In such a situation, one should double-check what the intrusion detection system indicates and whether it can actually be linked to a threat.
False positives can also cause problems with operating systems. If a virus attack is possible, users should immediately scan their files with the antivirus system.
False Negative:
Your security control says there is no problem when there actually is. For example: you visit a store, pick up an item and do not pay for it. If you walk through the security check and the system does not raise an alarm, something was wrong but security did not raise an alert. It did not observe that something was going wrong, and the item left the store.
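As an added example (not from the original page), the following code shows how a too-tight and a better-tuned detection rule produce the false positives and false negatives described above. The badge events, the two rules and the on-call roster are all constructed for this illustration:

```python
"""Added example: measuring false positives and false negatives of a detection rule.

The badge events, rules and on-call roster are constructed for this example;
they are not from the original page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    door: str
    after_hours: bool
    authorized: bool  # ground truth known to the reviewer, not to the rule


# Constructed sample events (not real data)
EVENTS: List[BadgeEvent] = [
    BadgeEvent("alice", "server-room", after_hours=True, authorized=True),      # on-call engineer
    BadgeEvent("bob", "lobby", after_hours=False, authorized=True),
    BadgeEvent("mallory", "server-room", after_hours=False, authorized=False),  # tailgated in daytime
    BadgeEvent("carol", "server-room", after_hours=True, authorized=False),
    BadgeEvent("dave", "lobby", after_hours=True, authorized=True),
]

ON_CALL = {"alice"}  # constructed roster of people allowed in the server room


def time_based_rule(ev: BadgeEvent) -> bool:
    """Too-tight rule: alert on any after-hours server-room entry, whoever it is."""
    return ev.door == "server-room" and ev.after_hours


def roster_based_rule(ev: BadgeEvent) -> bool:
    """Tuned rule: alert on server-room entry by anyone not on the roster, any time."""
    return ev.door == "server-room" and ev.user not in ON_CALL


def evaluate(events: List[BadgeEvent], rule: Callable[[BadgeEvent], bool]) -> Dict[str, int]:
    """Compare each alert decision against ground truth and count the four outcomes."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for ev in events:
        alerted = rule(ev)
        intrusion = not ev.authorized
        if alerted and intrusion:
            counts["tp"] += 1
        elif alerted and not intrusion:
            counts["fp"] += 1  # alarm, but no real problem (authorized user)
        elif not alerted and intrusion:
            counts["fn"] += 1  # real problem, but no alarm
        else:
            counts["tn"] += 1
    return counts


def rates(counts: Dict[str, int]) -> Tuple[float, float]:
    """Return (false positive rate, false negative rate)."""
    negatives = counts["fp"] + counts["tn"]
    positives = counts["fn"] + counts["tp"]
    fpr = counts["fp"] / negatives if negatives else 0.0
    fnr = counts["fn"] / positives if positives else 0.0
    return fpr, fnr


if __name__ == "__main__":
    for name, rule in [("time-based", time_based_rule), ("roster-based", roster_based_rule)]:
        c = evaluate(EVENTS, rule)
        fpr, fnr = rates(c)
        print(f"{name:12s} {c}  FPR={fpr:.2f} FNR={fnr:.2f}")
```

The time-based rule alarms on the on-call engineer (a false positive) and misses the daytime tailgater (a false negative); the roster-based rule catches both intruders with no false alarms on this sample. Counting outcomes against labelled data like this is how you decide whether a control is too relaxed or too tight before trusting its alerts.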
Policies that help to reduce risk:
Today the availability of policies is really important, since every member of an organization must know how to work and what their domain of work is. As the level of threats is expected to rise, the introduction and documentation of policies should begin at the right time. Without policies in place there are no rules, and the risk within the enterprise could be very high. We will look at the types of policies:
Keep everything safe. Privacy Policy: The privacy policy dictates how privacy will be handled in the organization. Many people work with the organization, and it is important to safeguard their personal information. PCI DSS dictates the standards to follow if we collect credit card information: how to store it and how to save the data on our networks. If we do not follow standard practice, the organization can suffer indirect financial loss, such as lawsuits, when credit card information saved on the network is misused. Leakage of information can cause indirect financial loss.
Permissions and Acceptable Use:
This policy sets the rules for how employees and other people in the organization use its assets, such as computers, mobile phones, telephones and even the internet. With this level of control in place, an employee who mishandles important information can be readily identified and prosecuted.
Keep a Check with Security Policy:
The security policy takes a broad view of the organization. First comes physical security, which spells out what should be done about doors without locks. Everyone should know how visitors are to be handled and how employees who enter the workplace without identification are to be handled.
Besides physical security, the organization should also look into the technical aspects of security, which take virus attacks into consideration.
Offer a Mandatory Vacation
Large organizations face serious threats to their integrity and security. Consider enforcing policies that make vacations mandatory for employees. Do not wait to tell employees to take a vacation: as soon as an employee is away, it becomes easier to identify any misconduct going on in the organization.
Regulate the Job Rotation
Do not allow one employee to stay in a single role for a long time; activities in the organization must continue even when that employee is not there. Job rotation is a basic security rule that keeps work going even when an employee is absent.
Because of rotation, an employee will not easily dare to commit fraud, since the next person in that position would discover it. In this way, no one holds control over a single job for a long period of time.
Separation of Duties
This is another factor that is important for the security of the organization. The idea is simply that not everyone knows everything. It requires two people to be engaged in the same task for it to be completed. This is called dual control over an assignment.
Least Privilege
Another policy is least privilege, which allows a person to access only the information necessary for their task. If someone needs access to a server, that access should be restricted to read only, not write.
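As an added example covering both the separation of duties (dual control) section and the least privilege section above, the following code models a small role-based permission scheme where a read-only role cannot write, and where a payroll run must be submitted and approved by two different people. This is illustrative code written for this page; the roles, permissions, users and the payroll workflow are assumptions, not anything from the original text:

```python
"""Added example: least privilege and separation of duties in code.

Roles, permissions, users and the payroll workflow are assumptions for this
example; they are not from the original page.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple


class PolicyViolation(Exception):
    """Raised when an action would break least privilege or separation of duties."""


# Least privilege: each role gets only the permissions its task needs.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "auditor": frozenset({"payroll:read"}),                   # read only, never write
    "clerk":   frozenset({"payroll:read", "payroll:submit"}),
    "manager": frozenset({"payroll:read", "payroll:approve"}),
}

# Constructed users; dave holds both halves of a dual-control task on purpose.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"clerk"},
    "bob":   {"manager"},
    "carol": {"auditor"},
    "dave":  {"clerk", "manager"},
}

# Permission pairs that must never be exercised by one person on the same item.
CONFLICTING: Set[Tuple[str, str]] = {("payroll:submit", "payroll:approve")}


def permissions_for(user: str) -> FrozenSet[str]:
    """Union of the permissions of every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def require(user: str, permission: str) -> None:
    """Deny by default: anything not explicitly granted is refused."""
    if permission not in permissions_for(user):
        raise PolicyViolation(f"{user} lacks {permission}")


def conflicting_users() -> Set[str]:
    """Static check for role design: who could both submit and approve?

    Such users can only be stopped at run time (see PayrollRun.approve), so
    reviewers usually want this list to be empty.
    """
    found = set()
    for user in USER_ROLES:
        perms = permissions_for(user)
        if any(a in perms and b in perms for a, b in CONFLICTING):
            found.add(user)
    return found


class PayrollRun:
    """A task under dual control: one person submits, a different person approves."""

    def __init__(self, run_id: str) -> None:
        self.run_id = run_id
        self.submitted_by: Optional[str] = None
        self.approved_by: Optional[str] = None

    def submit(self, user: str) -> None:
        require(user, "payroll:submit")
        if self.submitted_by is not None:
            raise PolicyViolation(f"run {self.run_id} already submitted")
        self.submitted_by = user

    def approve(self, user: str) -> None:
        require(user, "payroll:approve")
        if self.submitted_by is None:
            raise PolicyViolation(f"run {self.run_id} has nothing to approve")
        if user == self.submitted_by:  # separation of duties, enforced at run time
            raise PolicyViolation(f"{user} cannot approve a run they submitted")
        self.approved_by = user

    def view(self, user: str) -> Dict[str, Optional[str]]:
        require(user, "payroll:read")
        return {"run_id": self.run_id, "submitted_by": self.submitted_by,
                "approved_by": self.approved_by}


if __name__ == "__main__":
    print("users able to both submit and approve:", conflicting_users())
    run = PayrollRun("2024-05")
    run.submit("alice")
    run.approve("bob")
    print(run.view("carol"))
```

Two points are worth noting. The auditor can call `view` but has no path to `submit` or `approve`, which is the read-but-not-write restriction the text describes. And separation of duties is enforced twice: `conflicting_users` flags role assignments that put both halves of a task in one person's hands, while `PayrollRun.approve` still refuses self-approval at run time for anyone who slipped through.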