Friday, March 2, 2012

Secure Government Networks - 5 Points For Success in Gaining Compliance and Connection

"The world is changing around us at an incredible pace due to remarkable technological change. This process can either overwhelm us, or make our lives better and our country stronger. What we can't do is pretend it is not happening." Prime Minister Tony Blair on commissioning the Transformational Government strategy.
To survive in this era of accelerating technological change, and to implement the edicts of the Transformational Government strategy, every public sector organisation will have to undergo fundamental technology-enabled change. This article provides a five-point check list for senior managers responsible for developing and delivering a successful Transformational Government change programme.
Ensuring that an organisation can satisfy the information security requirements needed to become a component part of joined-up government requires consideration that will inform budget and strategy, reshape organisational processes and procedures, and redefine culture and working practices.
As a guide to those responsible for their organisation's information assurance and for implementing the Transformational Government agenda, this article provides a five-point check list as a basis for ICT-enabled organisational change.
Point 1 - Be fully apprised of current Government policy and strategy
Current UK Government policy and strategy is leading public service organisations through a significant period of change to achieve efficiency gains through streamlined, citizen-centric, ICT-enabled, secure shared services.
Understanding current UK Government policy and strategy will assist you in:
• Understanding the measures you should take to deliver ICT-enabled business change
• Identifying expected business benefits
• Identifying costs
• Identifying the scope of change
• Identifying risks.
A list of the key sources of UK Government policy and strategy can be found in the thought leadership section of the VEGA website.
Point 2 - Ensure board level buy-in and understanding
A board level information assurance champion should be appointed to act as Senior Information Risk Owner (SIRO) for your organisation. This recommendation meets mandatory requirement 3 of the HMG Security Policy Framework (SPF) V1.0.
Your SIRO should agree terms of reference which clearly define their role and responsibilities with regard to the information assurance of your organisation. Additionally, your SIRO should meet regularly with your organisation's security staff to discuss security policy and a risk-managed approach to information assurance. This ensures that information assurance and governance is a recognised board level responsibility which includes the protection and utilisation of all of your organisation's assets (information, personnel and physical).
Point 3 - Manage your stakeholders
Obtaining stakeholder buy-in to your organisation's information assurance strategy is critical to its success. Good stakeholder management creates awareness, provides the framework for supporting delivery and assists you in securing budget where resource is scarce and competition is fierce.
A communications plan should therefore be developed to identify:
• Desired buy-in outcomes
• Audience of stakeholders (internal and external)
• How best to engage stakeholders
• How messages are to be communicated
• Ownership of responsibility for maintaining communications
• Frequency of communications.
Stakeholders should subsequently be plotted on a stakeholder map prioritised by power and interest. This will assist you in grouping them. Your communications strategy can then focus on key stakeholders whilst ensuring other stakeholders are engaged to the level required.
Failure to gain buy-in from key stakeholders has sealed the fate of many information assurance projects.
Point 4 - Involve the experts
When pursuing an information assurance strategy, you should seek advice from recognised Government and industry experts. These organisations have faced the same challenges as you and have valuable information and knowledge to share. This will save you time and money, whilst ensuring that the information assurance solutions you plan to implement are fit for purpose and proven across Government.
The organisations you may wish to contact include:
• Office of Government Commerce Buying Solutions (OGCBS)
• Communications-Electronics Security Group (CESG)
• Government Computer Emergency Response Team (GOVCERT)
• Central Sponsor for Information Assurance (CSIA)
• Centre for the Protection of National Infrastructure (CPNI)
• Warning, Advice and Reporting Point (WARP)
• Information Commissioner's Office (ICO)
• Public sector organisations similar to your own
• Consultancies with expertise in enabling Transformational Government change programmes
Point 5 - Achieving and evidencing compliance
Recent data losses across Government have placed an increased focus on information assurance. Public sector organisations must comply with centrally released security policy (e.g. the HMG SPF), which defines mandatory minimum security measures.
To connect to a secure network, your organisation must comply with mandatory security controls. Depending on the security impact level of the secure network, your organisation will either have to complete a Code of Connection (CoCo) or produce a Risk Management and Accreditation Document Set (RMADS).
To answer the requirements of a CoCo you should treat each control like an exam question: answer it with relevant evidence, and sell your strengths, for example compliance with standards such as ISO/IEC 27001:2005 or PCI DSS.
The completion of a RMADS is much more involved. Unless your organisation has significant experience, you should involve a CESG Listed Advisor from the CESG Listed Advisor Scheme (CLAS).
Connection to a secure network will only be permitted once the relevant governing security authority is content that your organisation meets the information assurance requirements of the network you wish to connect to. This ensures that the risk your organisation poses to other organisations on the network is managed.
Once your organisation's connection is authorised, you should expect regular audits which ensure that the level of information assurance your organisation has achieved is maintained and improved.
These five points will hopefully act as an aide-mémoire when your organisation starts to consider its connection to a secure government network. The most important thing to understand is that information security is not just about technology; it is the catalyst for organisational change that encompasses people, training, policy and procedures.
VEGA is a member of the CESG Listed Advisor Scheme (CLAS), as well as a registered CHECK service provider. VEGA has an established track record of working across Government, providing strategic advice and technological expertise to help secure public sector information through the implementation and use of secure Government networks.

IS Systems Security Degrees - Accreditation and Curriculum Info

Obtaining an IS systems security degree may lead to a worthwhile career in state, federal, and local government departments, finance and banking, insurance, software publishing, or computer systems design. Aspiring IS experts may earn a degree at any number of schools ranging from business colleges to technical schools to traditional colleges and universities. These degrees are also offered at most levels, including associate, bachelor's, master's, and first professional. A number of community colleges, career schools, and technical schools also offer certificate programs in IS systems security.
An associate degree or certificate in IS systems security will prepare students for entry into a bachelor's degree program or for entry-level or support positions in the field. For most IS systems security positions, employers prefer a bachelor's degree or higher from an accredited technical school, college, or university.
To get started on your career, you should enroll in an accredited IS systems security program, or a computer science or business program with a technology focus. You may choose the traditional format (on campus), a blended format (online and on campus), or you may choose to complete your IS systems security degree entirely online. If you currently work full-time or your current schedule won't allow for commuting and attending classes at set times, the online IS systems security degree is probably the best option.
Before enrolling in any IS systems security degree program, whether traditional, blended, or online, you should check to make sure the program is accredited by an agency recognized by the U.S. Department of Education. The top accrediting bodies for technical, business and traditional schools include:
-Association to Advance Collegiate Schools of Business (AACSB)
-Association of Collegiate Business Schools and Programs (ACBSP)
-Council for Higher Education Accreditation (CHEA)
-Distance Education and Training Council (DETC)
-The National Association of Schools of Art and Design (NASAD)
-Middle States Association of Colleges and Schools (regional)
-New England Association of Schools and Colleges (regional)
-North Central Association of Colleges and Schools (regional)
-Northwest Commission on Colleges and Universities (regional)
-Southern Association of Colleges and Schools (regional)
-Western Association of Schools and Colleges (regional)
In addition to verifying accreditation, spend some time reviewing the curriculum and admissions requirements. An IS security degree program's curriculum should mirror the curriculum of top accredited traditional programs. If you are considering an online IS systems security program, you should keep in mind that the traditional IS curriculum is still the standard in the academic world. Course listings should be similar to the following:
-Introduction to Programming
-Introduction to Networking
-Information, Technology, and Society
-Introduction to Web Page Development
-Introduction to Database
-Network Installation and Maintenance
-Network Maintenance Laboratory
-Technical and Professional Communication
-Introduction to UNIX/Linux
-Programming II
-Network Administration
-International Field Experience Elective
-Fundamentals of Information Security
-System Analysis
-Fundamentals of Cryptography
-Elementary Statistics with Computer Applications
-Ethical Hacking and Penetration Testing
-Information Security Policy
-Legal Issues in Information Security Management
-Science, Technology, and Society
-IAS Information Assurance and Security Elective
-IAS Information Assurance and Security Elective
-Organizational Management and Behavior
-Capstone: Secure Systems Administrator
-Capstone: Secure System Auditing
-Risk Analyst Capstone
-Information Security Forensics and Incident Response
-Advanced Topics in Information Assurance and Security

Jack S. Lee Information Assurance - The Availability Attribute

Information Assurance applies measures to protect data, the computer systems on which it resides, and the methods used to transmit it. Availability is ensured by providing reliable and timely access to information and information services for authorized users. Integrity is ensured by maintaining the consistency of the operating system, hardware, software and stored data and their data structures, together with logical accuracy, completeness and dependability; integrity also protects against unauthorized deletion of information. Information assurance also provides authentication, by establishing the genuineness of a communication or document and its originator, and by verifying an individual's authorization to receive specific data from the system. Confidentiality is preserved by disclosing information only to trusted organizations or systems. Non-repudiation is also included: it provides the sender with proof of delivery and the recipient with proof of the sender's identity, so that neither party can later deny having handled the data. Information Assurance also covers the restoration of information systems by incorporating protection, detection and reaction capabilities.
Information Assurance provides availability by giving authorized users timely and reliable access to information and information services. Users need reliable access to all hardware, software, services and information. Availability is often assessed only in terms of what is available to mission-critical processes, but it also needs to be evaluated for the system as a whole.
Design principles that promote availability can be built into the system. Components and subsystems should be able to be restarted gracefully on demand. They should be independent of one another and follow an open architecture. Less critical missions or functions should be decoupled from more critical ones, and riskier functions from less risky ones. Networks, processes and information storage can also be optimized for mission availability. The architecture can be securely implemented for increased availability so that platforms, software and infrastructure are delivered as services, as in cloud computing. Cloud computing can support additional availability through efficient use of resources and by making individual disruptions invisible to the user. The redundancy of such services makes the architecture more tolerant of failures and outages.
Timeliness, which is related to Quality of Service (QoS), matters because late can be as bad as never. Resource allocation can be adjusted to meet timeliness requirements. There are frequently tradeoffs between QoS attributes and Information Assurance requirements.
Measurement and metrics should help identify the sources of availability problems and must also account for process errors. If administrators and end users are not following the correct process, end-to-end availability can suffer even when the hardware, software and services are available. Processes must therefore be included when measuring availability, since they can account for a remarkably large share of system downtime. Many metrics can be used for availability, including:
• How long and how often each subsystem was down
• How many authorized users there are and their access levels
• Percentage of time the system is down or information is not reachable
• Percentage of time the system is down or information is not obtainable due to security failures
• Percentage of CPU used for security measures
• Mean Time Between Failures (MTBF)
• Mean Time to Repair (MTTR)
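The metrics listed above can be computed from an outage log. The following added example, which is not part of the original article, uses a constructed set of outage events (subsystem names, times and causes are all assumed) to compute per-subsystem downtime and outage count, the percentage of time the system was down overall and due to security failures, and MTBF and MTTR over a reporting window; overlapping outages are merged so that simultaneous failures are not double-counted.

```python
"""Availability metrics from outage records (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Outage:
    subsystem: str
    start: datetime
    end: datetime
    cause: str  # "security" for security-related failures, otherwise e.g. "hardware"

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


# Constructed sample outage log for a 30-day window (hypothetical subsystems).
WINDOW_START = datetime(2012, 3, 1)
WINDOW_END = datetime(2012, 3, 31)
SAMPLE_OUTAGES = [
    Outage("db", datetime(2012, 3, 1, 2), datetime(2012, 3, 1, 4), "hardware"),
    # Web tier isolated for incident response; overlaps with the network outage below.
    Outage("web", datetime(2012, 3, 5, 10), datetime(2012, 3, 5, 11), "security"),
    Outage("web", datetime(2012, 3, 5, 10, 30), datetime(2012, 3, 5, 12), "network"),
    Outage("db", datetime(2012, 3, 20, 0), datetime(2012, 3, 20, 3), "security"),
]


def per_subsystem(outages):
    """Return {subsystem: (total downtime in seconds, number of outages)}."""
    stats = {}
    for o in outages:
        secs, count = stats.get(o.subsystem, (0.0, 0))
        stats[o.subsystem] = (secs + o.duration.total_seconds(), count + 1)
    return stats


def merged_downtime(outages):
    """Seconds during which at least one subsystem was down.

    Overlapping intervals are merged so concurrent outages count once.
    """
    intervals = sorted((o.start, o.end) for o in outages)
    total = 0.0
    cur_start = cur_end = None
    for start, end in intervals:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += (cur_end - cur_start).total_seconds()
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)  # extend the current merged interval
    if cur_end is not None:
        total += (cur_end - cur_start).total_seconds()
    return total


def availability_report(outages, window_start, window_end):
    """Compute the availability metrics from the article for one window."""
    window = (window_end - window_start).total_seconds()
    if window <= 0:
        raise ValueError("window_end must be after window_start")
    down = merged_downtime(outages)
    security_down = merged_downtime([o for o in outages if o.cause == "security"])
    n = len(outages)
    # MTTR: mean duration of an outage. MTBF: operating time divided by the
    # number of failures in the window (infinite when nothing failed).
    mttr = sum(o.duration.total_seconds() for o in outages) / n if n else 0.0
    mtbf = (window - down) / n if n else float("inf")
    return {
        "availability_pct": 100.0 * (window - down) / window,
        "downtime_pct": 100.0 * down / window,
        "security_downtime_pct": 100.0 * security_down / window,
        "mtbf_hours": mtbf / 3600,
        "mttr_hours": mttr / 3600,
        "per_subsystem": per_subsystem(outages),
    }


if __name__ == "__main__":
    report = availability_report(SAMPLE_OUTAGES, WINDOW_START, WINDOW_END)
    for key, value in report.items():
        print(f"{key}: {value}")
```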

The Importance of Information Security to Your Company

Every organization needs to have some closely guarded secrets if it hopes to do better than its competitors. Nor can it risk having its information accessed by just anyone. The information we receive is also not free of risks. The only way to determine this is by having information assurance protocols in place, which can help determine that what we receive is safe for us to download and store. A company needs to invest heavily in the best security measures for its organization to thrive.
Instances of insecurity have caused a lot of strife in many companies. Data security is especially important because most information is stored electronically. It is important that when one is signing up with an internet service provider, or when an organization is deploying wide area networks, they ensure that security comes first. Ensure that the information on your server is not easy for hackers to access. This is especially risky if you are running on public networks. Network security is available from your information security consultants, especially if you go for private networks. It will reduce the chances of anyone logging in to your server and picking up important information. It will also ensure that people do not make use of the services you are paying highly for. Some people never really pay for an internet connection but always prey upon open networks.
The best thing is for the customer to ensure that they have passwords, to avoid losing the strength of their networks to excessive usage. Data security should be ensured by granting access to sensitive information to a few concerned members. An organization needs to have restricted information at all times that is only open to a few individuals. Granting access to all and sundry could prove to be a risk, because some employees might easily breach the privacy of the organization and send out sensitive information to clients. One can prevent this by getting information security consultancy that makes use of passwords and ensures that, during storage, information is segmented and has a multi-level access procedure so that the right person can access the right information. Information security is not only threatened by unauthorized people but by viruses as well. The life of your software and hardware depends on how well it is protected. Endpoint security is probably one of the most important tools, because if one overlooks it even slightly, they may lose equipment and sensitive data.
The rate at which viruses spread is alarming. You can get them from emails as attachments, from certain websites and even from storage media such as flash disks and CDs. It is also possible to get such viruses on your phone because of its access to the Internet, so mobile security is a must-have. Make use of antivirus software and firewalls to protect your information. This is because mails could be from untrustworthy sources, which could easily carry viruses. Spam mails also overload your email and could result in the loss of important emails. Information security consultants can provide you with different levels of security depending on what your company needs.

The DTIC and the IATAC - Valuable Resources For the War on Cyber Terrorism

The Defense Technical Information Center (DTIC) serves the DoD community as the largest central resource for DoD and government-funded scientific, technical, engineering, and business related information available today. Originally developed in World War II as a resource on enemy technology, the DTIC has morphed into a valuable, if underutilized, tool for understanding the technology bases for enemy attacks.
Publicly Accessible Information
Authorized visitors can search DTIC's publicly accessible collections and read or download scientific and technical information using the DTIC Online service. DTIC also makes sensitive and classified information available to eligible users who register for DTIC services.
The DTIC consists of a large relational database coupled with convenient and powerful Information Analysis Centers (IACs) that manage issue-related searches and updates/maintenance to the database. An Information Assurance/Cyber Security Information Analysis Center (IATAC) is one of the more recent efforts and offers valuable information and tools for researchers.
Scientific and Technical Information Network - The Heart of DTIC
The Scientific and Technical Information Network (STINET) is a database that contains data and information for various defense-related research reports. The database's raw material contains reports on topics ranging from science and engineering to Information Assurance/Cyber Security from a large number of sources. Users can research the latest cyber security technology, laws and standards, new products and a wealth of relevant, timely information.
There are various levels of access to STINET.
· The public database is available to the general public and covers unclassified documents with unlimited distribution.
· A private database has a private URL that allows searches to be made for unclassified material with limited distribution.
· The classified database contains Confidential and Secret documents, in addition to the unclassified material.
· Finally, there is a hard copy DVD that contains material only for unclassified, confidential, and secret documents.
All levels of STINET access contain material from the 1900s to the present, but potential users are security screened as part of the user qualification process.
Information Analysis Centers - The Front End for Researchers of Scientific and Technical Information (STI)
DTIC Information Analysis Centers, or IACs, are organizations that are chartered by the DoD and operated by DTIC with the mission of helping researchers and other interested parties. IACs provide free answers to simple questions and projects, while also allowing their services to be utilized for extended projects and Technical Area Tasks (TATs).
The Information Assurance Technology Analysis Center (IATAC), an IAC that focuses on Cyber Security issues, provides the Department of Defense (DoD) and related agencies with existing, historic and emerging scientific and technical information (STI) to support Cyber Security/information assurance (IA) and defensive information operations.
This information includes technologies, tools, and associated techniques for detection of, protection against, reaction to, and recovery from information warfare and cyber attacks that target information, information-based processes, information systems (IS), and information technology (IT) in the DoD and related agencies.
The STI products and services resulting from IATAC efforts are intended to increase the productivity of Cyber Security researchers, as well as other concerned Cyber Security participants. This is accomplished through timely dissemination of authoritative, accurate, and high quality reports and answers to subject matter inquiries through the IATAC.
Underutilization - A Marketing Issue
As valuable as the database and services are to the Cyber Security community, the DTIC is relatively unknown. As a result, the IATAC is a valuable if underutilized resource. Although any party interested in the scientific or technical developments that underlie cyber attacks or defenses can benefit significantly from the information developed, qualified and analyzed by DTIC and IATAC, awareness of the value of this asset is limited.
As an organization, DTIC can benefit from better promotion and modern marketing to the DoD and related agencies. But the task, given the size of the community, is daunting and will take significant effort in the coming years.

What Do Managers Need to Know About Information Security?

Managers need to know how to secure their information assets for a very good reason. The manager is the one who is responsible for maintaining the confidentiality, integrity and availability of information assets in his or her organization.
Very few people in the organization would otherwise be able to take up the slack if there were an absence of leadership when it came to protecting digital assets. Managers who fail to accept responsibility for information assurance are failing to fulfill their fiduciary responsibilities and are putting the organization's survival at risk.
Many organizations are without security policies in the first place, and an organization without security policies is "rudderless" when it comes to providing for information assurance. The technical IT people are the only defense against malicious attacks, and they are without the express authority to create and implement an effective information security plan. The manager's job in this circumstance is to see to it that a plan is created. The company would otherwise be without a coherent way to provide for information security and would be risking its very existence.
Managers are the only ones who have direct authority to supervise information security policies for an organization. Managers can do so, however, without having to become computer nerds. People who run organizations simply must be aware of the need for systematically protecting information assets and make sure that their IT people understand how to implement computer and network security measures.
The following items are included in the manager's responsibility for computer security:
1. All of the assets of the organization must be identified, described and itemized.
By inventorying all information assets it becomes possible to provide an appropriate level of security for each set of information. Stated differently, if an organization is without explicit knowledge of what information assets it possesses, they can't be protected.
2. Each of the information assets must be classified as to its level of criticality.
"Criticality" relates to how important any given information asset is to the mission of the company. For example, accounts receivable is more critical to the organization than a backup copy of a public web site. Therefore, accounts receivable would have a higher level of criticality.
3. Policies and procedures must be developed on how information is to be processed in the organization.
Appropriate levels of access, based upon need to know, must be determined. General employees, for example, have no need to process payroll information.
4. Managers must create and implement an information security awareness plan.
An information security awareness plan must include all personnel and be followed through upon. The employees take their lead from the manager and will be supportive of developing a culture of security if they are aware that the manager wants it.
5. Managers must audit the organization's information security plan to be sure that each component is being implemented.
A manager's job includes being aware of the success of on-going business processes. Information assurance is a business process that must be monitored.
6. Managers are directly responsible for any adjustments that must be made to make the security plan more effective.
Managers are the leaders for employees of an organization. Employees take their cue from what their organizational leader does. The attitude that the manager projects, as well as his or her unspoken actions, sets the tone of the information security culture. Should the manager be lax about security practices, the entire organization is going to behave in the same manner.

What Are the National Requirements for Information Governance in Healthcare

Information governance, or IG, relates to ensuring that appropriate security and safeguards are in place when dealing with personal and patient information. This can be in relation to anything from patient scan results and birth certificates to personnel data such as home addresses, and applies to all information held within an organisation or transferred out of or into an organisation, for example in the form of patient referrals or consultation notes. In order to demonstrate that healthcare providers are meeting the appropriate IG standards, NHS Connecting for Health requires all healthcare providers, both within the NHS and independent, to demonstrate robust policies and practices by declaring compliance against its Information Governance standards.
The way in which healthcare providers make their declaration of compliance is via the completion of an online assessment form known as the IG Toolkit. This self assessment needs to be carried out annually before the end of each financial year. In addition to completing the online form, providers are required to attach certain pieces of supporting documentation, such as a security policy, to evidence the level of compliance that they are declaring. Furthermore, as part of its review and audit process, NHS Connecting for Health can request any item of evidence it wishes to support the healthcare provider's compliance declaration. This means that healthcare providers must have all of the required evidence and documentation in place prior to submitting their online compliance form.
The information governance requirements and standards vary depending on the type of organisation and the services that it delivers, for example whether it is an acute trust, a pharmacy or a commercial third party. There is a maximum of 21 Information Governance standards, which cover a variety of areas including Confidentiality and Data Protection Assurance, Clinical Information Assurance and Corporate Information Assurance. The type of evidence required for each includes:
• IT specific policies
• Logs of Caldicott breaches, security breaches, etc.
• Registers, such as a Risk Register
• Job descriptions for individuals who have responsibility for IG as part of their role
• Structure charts to demonstrate how instances of Information Governance risks are communicated throughout an organisation
• Minutes from meetings, or planned meeting frameworks for meetings that have not yet taken place (that relate to Information Governance standards, such as Caldicott, Risk, Security, etc.)
• Patient-facing information that explains to patients how their personal information is used
• Staff-facing documentation to provide training on Information Governance issues
• Details of contracts with third party suppliers, demonstrating that Information Governance is thought about when contracts are written and signed.

Article Source: http://EzineArticles.com/5871988

    The Tiger & The Elephant - The 21st Century Posture for Information Assurance

    In Complete Darkness - The Genesis of a New Vision:
    In just one night, 50 million people sitting in the dark dramatically changed the future of computer security for the 21st century. On August 14, 2003 America witnessed the largest power outage in its history. In less than two minutes, cities from New York to Cleveland, Detroit to Toronto had been disconnected from their electrical grids and plunged into sudden blackness.
    After four months of sifting through factual and anecdotal evidence, findings would show that improperly pruned trees and bugs in alarming software were ultimately responsible for the power surge that took 100 power plants offline. A previously unknown software bug in a power plant alarm system made itself known, taking the power grids offline, forcing countless businesses to close and dramatically impacting the productivity of a large area of the United States and Canada.
    To the information security industry, the most notable result of this accident had nothing to do with the 50 million people directly affected by the outage or the wide swath of the country immobilized by this event, but rather with what the rest of the nation did as they watched. Commerce in California and Colorado continued to function while people in Boston worked and shopped, one eye on the news, but barely effected. The rest of the country's power supply grids held and remained completely unaffected by the massive blackout.
    A Dramatic Epiphany for Change:
    An epiphany of profound import resulted as the rest of the country went about its business, an epiphany that dramatically changed how corporations and the nation secure their computing infrastructures. The ability of the rest of the country to carry on despite the loss of several key hubs caused some in the security industry to take notice and action.
    What happened that day, laid the foundation for what is the perfect security solution: one that ensures that the compromise of a single system will not take down the entire computing network of which it is a part. A robust approach that eliminates the spread of any viral intrusion between systems and preemptively defends against both known and as of yet unknown forms of intrusion in the presence of escalating attacks.
    The Tipping Point:
    For computer users, 2003 would turn out to be a very bad year and the precursor to an even more ominous 2004. In 2003 the Blaster and SoBig worms hit the Internet, infecting millions of systems, only to be followed by the Sasser worm in the spring of 2004. Clearly the war on computer viruses and worms was being lost. Attackers' intrusion capabilities were outpacing existing security technology, and businesses were the sacrificial lambs.
    Since the dramatic increase in malicious attacks that began in 2003, the security industry has fought to redefine itself and regain an edge. Every day corporations live with the fact that the scales are "severely tipped" in favor of an information security event that could significantly impede day-to-day operations. Such an event could negatively impact corporate revenues, generate customer-eroding press coverage, contaminate precious compliance standing, and eat into profits at record rates. Security personnel live with the knowledge that they will never work in an environment where software is free of flaws, where every employee complies with security training and mandates, and where hackers can't buy the same software their businesses rely on.
    Technology has created this environment of insecurity through the very benefits it sought to provide. The resulting chaos of this viral epidemic has forced corporations and government agencies to demand new solutions to combat an invisible enemy with very good technology skills, excellent intelligence, and far too much time on their hands. These attackers, hackers and "script kiddies" attack a corporation's perimeters, infrastructure and employees with nothing more than "paparazzi and profit" on their minds. The trick is how to break them of this "habit" and effectively take away their edge. The solution, much like the lesson of the power outage of 2003, lies in examining the whole, not the parts.
    Much has been written about the motivation behind hackers but to be honest does it really matter? Universally they are persona non grata no matter what intent they have or attack vector they use. What all companies want is for the problem to go away.
    The Elephant and the Tiger: The New Security Stance
    On extremely rare occasions, there have been documented cases where a starving tiger will attack an elephant. If desperate enough, the tiger will leap on the back of the elephant only to be shaken off time after time with little or no effect on the elephant. After a few attempts the tiger, now exhausted and sensing futility, will leave the elephant alone and seek easier prey. It is this same sense of absolute futility that must be created in order to deter electronic attackers.
    Like the elephant, our corporations typically take a defensive posture to protect their infrastructures. This stance gives the more agile, technically savvy and offensively minded attackers (the tigers) an upper hand but only if allowed. In order to break the nefarious habits of cyber attackers and reverse the escalating tide of viral threats, new approaches must be put into place that do not rely on prior knowledge (rules or heuristics) or sacrificial reactions (inoculations and patches) to prevent these attacks. Solutions are needed that are designed to preemptively undermine and directly inhibit the attacker's techniques.
    If attackers, regardless of their methods, see little or no effect resulting from their best efforts, "the tiger" will gradually grow tired of attacking "the elephant" and move onto other prey. Over time, the great effort and expense associated with achieving such minimal results will leave the attackers unmotivated and ultimately broken of their habit while corporations continue to deliver the goods and services that fuel their success. It is this basic premise that sets the foundation for the future of information security, a future based upon the principles of continuity and survivability.
    Effective security solutions must move away from attempting to stop intrusion by guessing what the next attack vector will be and focus on creating environments (elephants) that will show no visible manifestations of intrusion regardless of some unforeseen or exposed weakness. If the tiger (hacker), with all of its stealth, cunning and speed cannot bring down its prey, the prey has won before the battle has even begun.
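    The stance argued for above, a defense that needs no prior knowledge of the particular attack, has one concrete and widely deployed realization: default-deny execution control, in which only binaries whose cryptographic hash appears on an allowlist built from a clean system are permitted to run. The Python below is an added illustration of the contrast between that model and a signature scanner; it is not code from the original article or from Savant Protection, and the sample "binaries", the file paths and the signature are constructed byte strings standing in for real files.

```python
"""Default-deny execution control versus signature matching (added illustration).

Constructed sample 'binaries' are byte strings; a real gate would hash files
on disk and, more importantly, be enforced by the OS loader or a kernel driver.
"""
import hashlib

# Constructed sample executables (assumption: stand-ins for real files).
KNOWN_GOOD = {
    "/usr/bin/payroll": b"\x7fELF payroll v1.0 :: compute_pay()",
    "/usr/bin/backup":  b"\x7fELF backup v2.3 :: copy_to_tape()",
}

# The only attack the reactive scanner has been taught about (constructed).
KNOWN_BAD_SIGNATURES = {b"blaster-like-payload"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(known_good: dict) -> set:
    """Allowlist = hashes of the binaries present on the clean baseline system."""
    return {sha256(data) for data in known_good.values()}


def signature_scanner_allows(data: bytes) -> bool:
    """Reactive model: block only what matches a previously seen bad pattern."""
    return not any(sig in data for sig in KNOWN_BAD_SIGNATURES)


def allowlist_gate_allows(data: bytes, allowlist: set) -> bool:
    """Default-deny model: run only what is known-good; refuse everything else.

    No knowledge of any attack is needed; a tampered or brand-new binary simply
    has a hash the baseline never produced.
    """
    return sha256(data) in allowlist


def evaluate(candidates: dict, allowlist: set) -> dict:
    """Return {name: (scanner_verdict, gate_verdict)}; True means 'allowed to run'."""
    return {
        name: (signature_scanner_allows(data), allowlist_gate_allows(data, allowlist))
        for name, data in candidates.items()
    }


# Constructed candidates presented for execution.
CANDIDATES = {
    "payroll (unchanged)": KNOWN_GOOD["/usr/bin/payroll"],
    "backup (tampered)":   KNOWN_GOOD["/usr/bin/backup"] + b" ;; blaster-like-payload",
    "brand-new worm":      b"\x7fELF never-seen-before-dropper :: spread()",
}

if __name__ == "__main__":
    allowlist = build_allowlist(KNOWN_GOOD)
    for name, (scanner, gate) in evaluate(CANDIDATES, allowlist).items():
        print(f"{name:22s} signature scanner: {'RUN' if scanner else 'BLOCK':5s}"
              f"  allowlist gate: {'RUN' if gate else 'BLOCK'}")
```

    The "brand-new worm" is the case the article cares about: the scanner lets it run because nobody has written a rule for it yet, while the gate refuses it without ever having seen it. The gate is only as good as two things the code cannot supply for itself: the cleanliness of the baseline the allowlist was built from, and the tamper-resistance of the enforcement point, which in practice has to live below the applications it polices.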
    From Analogy to Reality:
    Only recently are information assurance professionals starting to heed the lessons of 2003 and accept the reality of what the Internet has brought to our doorsteps. Armed with the knowledge that code will always be flawed, people will always be "socially engineered", and that hackers can buy the same software a business runs, computer scientists are starting to look at solutions that provide viral containment, delivering systemic continuity and control. Forward-thinking corporations are beginning to realize and accept that there are no 100% security solutions, but that 95% can be nirvana if their computing infrastructures continue to perform through any kind of cyber-weather.
    Both private corporations and public organizations are moving toward preemptive command and control solutions and away from reactionary approaches. These solutions not only reduce the threat of enterprise-wide disruption but support compliance efforts, licensing, and the governance of corporate resources. Armed with flexible technologies that concentrate on system cleanliness and data marshalling, companies are reclaiming their resources and becoming the elephants that tigers fear so much.
    Ken Steinberg is the founder and CEO of Savant Protection. He brings a track record of over two decades in computing and high technology. As founder of the company in 2004, Steinberg has responsibility for its day-to-day operations, overall direction, as well as its technological and business strategies. Prior to Savant, he held senior positions with DEC, Hughes, Hitachi, Softbank and at the John Von Neumann Super Computing Center for the National Science Foundation.
    A thought leader in the security/encryption field, Steinberg has addressed national tradeshows including Networld + Interop and HDI. He has also been a radio personality, columnist and contributing author to several regional newspapers and technology publications.

    How Familiar Are You With the Information Security Requirements of HIPAA, EPHI and the HITECH Act?

    Virtually everyone has heard of HIPAA (the Health Insurance Portability and Accountability Act of 1996). The original act required that organizations use information security mechanisms to protect healthcare information that is processed and stored. HIPAA has had a pervasive impact on health-care organizations as well as insurers, universities and self-insured employee health care programs. Knowingly misusing patient information in violation of HIPAA can result in criminal fines of up to $250,000 and up to 10 years in prison.
    Fewer people, however, are aware of the implications of the HIPAA Security Rule, which governs electronic protected health information, and of what is known as the HITECH Act.
    All components of the Security Rule for Electronic Protected Health Information (EPHI) were in force for every covered entity (CE) by April 20, 2006; most covered entities had to comply a year earlier, with small health plans given until that date. The Security Rule was deliberately designed to reflect the requirements of the original HIPAA Privacy Rule. Entities covered by it must be able to document that the required organizational processes and procedures in place are reasonably implemented for appropriate administrative, physical, and technical safeguards ("HIPAA Security Rules", 2004).
    The implications of the EPHI Security Rule are staggering for those who are responsible for providing information assurance. The rule applies to all covered entities and, through business associate agreements, to the organizations that handle EPHI on their behalf, regardless of industry. It also adds to the expanding list of information assurance laws and regulations (e.g. Sarbanes-Oxley, Gramm-Leach-Bliley and FERPA) with which affected organizations must comply.
    The original portion of the security rule for HIPAA was to address a full scope of security standards for the administrative, physical and technical safeguards to shield Protected Healthcare Information (PHI) from disclosure. The adoption of the new EPHI Security Rule now requires the covered entity to:
    1. Ensure the confidentiality, integrity and availability of all electronic protected health information that the covered entity creates, receives, maintains or transmits
    2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information
    3. Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by law
    4. Ensure compliance with the rule by its workforce
    The follow-on to the HIPAA Security Rule is the HITECH (Health Information Technology for Economic and Clinical Health) Act. It was created as part of the American Recovery and Reinvestment Act of 2009. The Act encourages providers to expand the use of EMR, or Electronic Medical Records, and a variety of financial incentives was included to encourage covered entities to move toward adopting them; the assumption was that cost savings would be realized. The HITECH Act, whose provisions were phased in from 2009 onward, also provides for stricter enforcement and more severe penalties for failure to comply with PHI security rules. In addition to being responsible for the storage and transmission of PHI, covered entities are required under the HITECH Act to notify affected individuals and regulators of breaches of unsecured PHI.
    The information assurance challenges included in HIPAA, EPHI and the HITECH Act are extensive. You need to be technically "on-the-ball" with information security as it relates to the healthcare industry. You now stand to lose a substantial amount of money for being out of compliance, for failing to qualify for incentives and/or damages awarded by juries for loss of confidential patient information.
    Learn more about computer security by downloading Dr. William Perry's FREE ebook, "How to Secure Your Computer".
    Dr. Perry is the owner of Alliant Digital Services which publishes the Computer Security Glossary. Alliant Digital Services provide high quality information security guidance to individuals and organizations that must plan for the protection of mission critical information in an asymmetric threat environment while complying with industrial- strength information security standards (i.e. COBIT, ISO 27000, FISMA, HIPAA, EPHI and the new HITECH Act).
    Dr. Perry is an information security specialist with significant experience as a university professor, author and service provider to various federal agencies including the Office of the Director of National Intelligence, the Department of Defense and the Federal Bureau of Investigation.

    What Is an EMP and How Does It Affect Information Assurance?

    A vast majority of the nation's critical infrastructure (more than 80%) is privately owned and depends upon a maze of interconnected digital processing technology. We can't afford to lose the integrity of our country's information infrastructure because our way of life would grind to a halt. Providing for the assurance of our modern digital processing infrastructure is, therefore, crucial.
    A variety of threats routinely arise against computer systems, including cybercriminals, cyberterrorists and state sponsored cyberwarfare as well as crackers and hackers. Each damaging threat vector places the security of your business and ultimately our country at risk. The federal government now acknowledges the challenge but you must also do so at an individual level.
    What is the worse case scenario that threatens our vast digital processing infrastructure?
    One overarching threat to our information infrastructure would be the detonation of a nuclear weapon above the earth's atmosphere, which would produce an electromagnetic pulse (EMP) that sweeps across the surface of the earth below. The high voltages it induces in exposed conductors would do damage on a continental scale.
    Gamma rays generated by the detonation would strike the upper atmosphere and knock electrons loose from air molecules. The earth's magnetic field bends the paths of these fast electrons, and their coherent motion radiates a brief, intense electromagnetic pulse downward that reaches the ground across the entire area within line of sight of the burst.
    At ground level the pulse couples into long conductors such as power lines, antennas and cables, which act as collectors and deliver large voltage surges to whatever is attached to them. Delicate in-line or "connected" equipment that contains sensitive electronic circuits (central processing units of computers, digital signal processors and programmable logic devices) would be significantly damaged or destroyed. Any dependent infrastructure would cease to function.
    The likelihood that most of the unprotected digital processing devices would be destroyed in a successful EMP attack is very high. The integrity and availability of any unprotected and vital information infrastructure would be instantly lost.
    Telecommunications (land lines, cell phones, etc.), emergency services, radio, television, transportation and distribution would come to a grinding halt. The critical national infrastructure would be thrust back into the 18th century. Modern businesses would lose their continuity and cease to function. Day-to-day life as we know it in America would cease to function. We would have failed to provide for information assurance.
    The time it would take to recover from a successful EMP attack, if ever, is unknown. Key equipment that is needed to generate electricity would need to be replaced but is, reportedly, only manufactured overseas.
    An EMP attack can also be scaled down. That is, electromagnetic pulse weapons of varying sizes can be built. It is often claimed that a college senior majoring in electronics has the knowledge to build a soda-can-sized electromagnetic weapon that could be directed against smaller targets of opportunity and discharged without a sound.

    What Is Information Assurance?

    When we look around us today, we see computer systems everywhere. Almost everything uses technology, whether it is communication, transportation, manufacturing or even banking. However, just like humans, these systems are not perfect. Humans are vulnerable to diseases and hazards; computer systems are vulnerable to threats like viruses, worms, hackers and information thieves. Businesses and government agencies are therefore looking for ways to minimize such threats so that their information stays safe and intact. While viruses and worms cost time and money, information theft can bring painful consequences like identity theft, exposure of trade secrets, or even manipulation of government secrets. This is why assurance of information is important.
    Information assurance covers everything that protects information: the people, hardware, software, policies and procedures. In this field the emphasis is on making sure that information is available when required, that its integrity is maintained and can be proven, that its authenticity can be verified, that it is kept confidential, and that its origin can be established. Although the missions of this field have been around for decades, the increasing number of computers and the reliance on them has made information assurance one of the fastest growing fields around. Furthermore, people are now looking at the protection of sensitive information as both businesses and individuals rely heavily on computers to transfer and store information.
    Although one can find employment with a Bachelor's degree in Computer Science and some relevant experience, most specialized jobs in this area will need a deeper understanding of the computer systems, which can be proven with the qualification of a Master's degree in Information Assurance. Especially since this field deals with assuring people's information, employers expect you to be well-qualified for this position.

    Information Assurance Training

    Why Would You Benefit From Information Assurance Training?
    All military IT personnel are now required to become certified according to the DoD 8570.01-M guidelines. As of December 31, 2010 all military IT personnel must be compliant. However, since that deadline has passed, many are awaiting updated information on possible extensions or exceptions.
    Additionally, the DoD has not relaxed its high standards for personnel training across all Information Assurance levels and functions: a qualifying certification must still be accredited under ANSI/ISO/IEC 17024.
    IT professionals looking to expand their information security knowledge to qualify for more lucrative government jobs handling IA would benefit from specialized training as well.
    Over the next decade, certified information systems managers will experience more job opportunities, greater job security and higher earnings, according to the Bureau of Labor Statistics.
    Another benefit of becoming certified is that certified information systems managers can command salaries about 10% to 15% higher than non-certified individuals in comparable roles. Contributing factors to the increased need will be technology growth, competition and the profit motive behind attacks.
    As technologies grow more competitive with one another, the need for certified cyber-security professionals will increase. These professionals must be able to adopt the most effective software systems for their clients' safety. Troubleshooting unforeseen breaches and attacks will be important as well.
    These professionals have one overriding goal: to protect critical information from cyber-attacks and information loss.
    Not all IA jobs are in the Department of Defense (DoD) sector, but a great deal of them are - all of which require information assurance training and certification by 2011.
    Information Assurance Explained
    Information security is often misinterpreted as information assurance and vice versa. These areas of data protection are related, but there are fundamental differences.
    Information assurance (IA) protects data, software and hardware and also provides protection against hacking and malicious code attacks. IA covers a broad area of governmental duties which can range from fraud examination to forensic science, criminology to disaster recovery, and much more.
    The DoD defines IA as the practice of managing information-related risks. Security professionals who specialize in information assurance seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability and non-repudiation.

    Information Assurance - The Availability Attribute

    Information assurance protects data, the computer systems on which it resides, and the transmission methods used to move it. Availability is ensured by providing authorized users with reliable and timely access to information and information services. Integrity is ensured by keeping the operating system, hardware, software and stored data consistent, accurate, complete and dependable; it also guards against unauthorized modification or deletion of information. Information assurance provides authentication by establishing the genuineness of a message or document and its originator, and by verifying that an individual is authorized to receive specific data from the system. Confidentiality is preserved by disclosing information only to authorized people, organizations or systems. Non-repudiation supplies the sender with proof of delivery and the recipient with proof of the sender's identity, so that neither party can later deny having handled the data. Information assurance also provides for the restoration of information systems by incorporating protection, detection and reaction capabilities.
    Information assurance provides availability by giving authorized users timely and reliable access to information and information services. Users need dependable access to all the hardware, software, services and information they rely on. Availability is often measured only for mission-critical processes, but it should be evaluated for the system as a whole.
    Design principles that promote availability can be built into the system. Components and subsystems should be able to be restarted gracefully at will. Subsystems and components should be independent of one another and conform to an open architecture. Less critical missions or functions should be decoupled from more critical ones, and riskier functions from less risky ones. Networks, processes and data stores can also be optimized for mission availability. The architecture can be delivered for higher availability by provisioning platforms, software and infrastructure as services, as in cloud computing. Cloud computing can improve availability through efficient use of resources and by making individual failures invisible to the user. The redundancy of such services makes the architecture more tolerant of failures and outages.
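    The principles above (independent components, graceful restart at will, redundancy that makes an individual failure invisible to the user) can be shown in a few dozen lines. The Python below is an added illustration, not code from the original article; the replicas are in-memory objects standing in for real servers, the names "web-a", "web-b" and "web-c" are made up, and the health probe is a flag read where a real router would use an HTTP health endpoint or a TCP connect.

```python
"""Redundancy with health-checked failover (added illustration).

Replicas are in-memory objects (assumption) standing in for real servers;
the routing and failover logic is what the example demonstrates.
"""


class Replica:
    """One independent, restartable component behind the router."""

    def __init__(self, name: str):
        self.name = name
        self.healthy = True

    def handle(self, request: str) -> str:
        if not self.healthy:
            raise ConnectionError(f"{self.name} is down")
        return f"{self.name} served {request}"

    def crash(self) -> None:
        self.healthy = False

    def restart(self) -> None:
        # Graceful restart at will: the component rejoins the pool cleanly.
        self.healthy = True


class Router:
    """Round-robin over the replicas that pass a health probe.

    A single failed replica is skipped, so users never see its outage; only
    when every replica is down does the failure become user-visible.
    """

    def __init__(self, replicas):
        self.replicas = list(replicas)
        self._next = 0
        self.user_visible_failures = 0

    def _alive(self):
        # Health probe (assumption: a flag read stands in for a real check).
        return [r for r in self.replicas if r.healthy]

    def route(self, request: str) -> str:
        alive = self._alive()
        if not alive:
            self.user_visible_failures += 1
            raise ConnectionError("no healthy replicas: outage is now user-visible")
        replica = alive[self._next % len(alive)]
        self._next += 1
        return replica.handle(request)


def simulate() -> dict:
    """Run a constructed scenario and return what users observed in each phase."""
    replicas = [Replica("web-a"), Replica("web-b"), Replica("web-c")]
    router = Router(replicas)
    log = {"before": [], "during": [], "after": []}
    for i in range(3):
        log["before"].append(router.route(f"req{i}"))
    replicas[1].crash()                       # one component fails
    for i in range(3, 9):
        log["during"].append(router.route(f"req{i}"))   # still served
    replicas[1].restart()                     # graceful restart, rejoins pool
    for i in range(9, 12):
        log["after"].append(router.route(f"req{i}"))
    for r in replicas:                        # total loss: no redundancy left
        r.crash()
    try:
        router.route("req12")
    except ConnectionError:
        pass
    log["user_visible_failures"] = router.user_visible_failures
    return log


if __name__ == "__main__":
    for phase, entries in simulate().items():
        print(phase, entries)
```

    While web-b is down every request is still answered by web-a or web-c, and the failure counter stays at zero; the only user-visible failure in the run is the final one, when no replica is left. That is the difference the article draws between availability of one component and availability of the system as a whole, and it is why the probe must be run by something outside the component it is probing.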