Monitoring
The belief that the network is not under threat is usually a perception created by a lack of adequate monitoring: an attack that nobody is watching for is not an attack that is absent. The information security manager within the government must ensure that there are ongoing and measurable information security incident monitoring processes in place at both the internal and national level. The key watchwords of monitoring are who, when, where and what.
At the internal level, incident reporting resources and tools should be deployed at all times. Surveillance of all networks and data repositories is critical. Automated alerting mechanisms and escalation procedures should be designed and implemented, and exception reports should be reviewed daily. Sufficient storage for log files should be identified, and all access logging should be activated. A corporate logging strategy should be implemented that includes, but is not limited to, a log rotation strategy, archiving and remote journaling. Remote journaling matters for more than capacity: a log that is copied promptly to a separate collector is the one that survives when an intruder or a careless administrator clears the local files, so rotation and archiving must cover the remote copy as well as the host.
Internal information security monitoring can be the responsibility of the network group or the help desk. Collection, correlation and alerting can largely be automated; the daily review of exception reports and the decision to escalate remain human tasks.
At the external or national level, the information security
manager within the government should be actively involved
in running a national computer security incident response
team (CSIRT).
Assistance in setting up a national CSIRT is readily available from the Inter-American Committee Against Terrorism (CICTE).2 The national CSIRT should comprise members from a cross-section of society: education, the military, critical industry and the private business sector should all be actively involved. The national CSIRT should be closely linked with other regional CSIRTs and should have a direct escalation path to the government executive responsible for national security.
Risk Assessment
In the case of information security, risk assessment consists of a number of techniques used to identify and report weaknesses and to recommend mitigating controls. It is an ongoing process of identifying current risks and recommending mitigation, not a one-off exercise.
A cycle for identifying information security risks should be established, covering both IT system vulnerabilities and process vulnerabilities. For example, is it possible for a network administrator to create user accounts anonymously, without trace or approval? A test of that kind checks a process (is approval required and recorded?) as much as a system (is the creation logged and attributable to a named operator?). These tests should be conducted by independent, third-party security specialists. It is best practice to rotate among the contracted third parties on an annual basis, so that any biases are avoided and a wider spread of results is achieved.
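As an added example (not from the original article), the following Python script implements both the daily exception report that the Monitoring section asks for and the account-creation check posed above: it reads auth.log-style useradd and sudo lines, answers who, when, where and what for each new account, and flags any creation that lacks an attributable operator or an approval ticket. The log lines, host names, account names and the approval register are all constructed for illustration; the log format mimics what Linux writes to /var/log/auth.log.

```python
"""Daily exception report for account creation (added example, not from the article).

The audit lines below mimic the useradd and sudo entries Linux writes to
/var/log/auth.log; the entries, hosts, account names and the approval
register are constructed for this illustration, not taken from a real system.
"""
import re

# Constructed sample of auth.log-style lines: three account creations,
# two of which have a matching sudo record naming the operator.
AUTH_LOG = """\
Mar  3 09:12:41 fileserver sudo:   admin1 : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m jsmith
Mar  3 09:12:41 fileserver useradd[4123]: new user: name=jsmith, UID=1042, GID=1042, home=/home/jsmith, shell=/bin/bash
Mar  3 23:58:07 fileserver useradd[5177]: new user: name=svc_backup2, UID=1043, GID=1043, home=/home/svc_backup2, shell=/bin/bash
Mar  4 02:15:33 dbserver sudo:   admin2 : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd tmp_admin
Mar  4 02:15:33 dbserver useradd[917]: new user: name=tmp_admin, UID=1001, GID=1001, home=/home/tmp_admin, shell=/bin/bash
"""

# Constructed approval register, (host, account) -> change ticket, as it might
# be exported from a change-management system.
APPROVALS = {("fileserver", "jsmith"): "CHG-2031"}

TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
USERADD_RE = re.compile(TS + r" (?P<host>\S+) useradd\[\d+\]: new user: name=(?P<name>[^,]+),")
# sudo logs the invoking user and the full command; the account name is the
# last argument of useradd, whatever options precede it.
SUDO_RE = re.compile(TS + r" (?P<host>\S+) sudo:\s+(?P<operator>\S+) : .*COMMAND=\S*useradd\b.*\s(?P<name>\S+)$")


def parse_events(log_text):
    """Return (creations, operators): creations as (ts, host, name) tuples,
    operators mapping (host, name) -> the sudo user who ran useradd."""
    creations, operators = [], {}
    for line in log_text.splitlines():
        m = USERADD_RE.match(line)
        if m:
            creations.append((m["ts"], m["host"], m["name"]))
            continue
        m = SUDO_RE.match(line)
        if m:
            operators[(m["host"], m["name"])] = m["operator"]
    return creations, operators


def exception_report(log_text, approvals):
    """One finding per account creation that is either not attributable to a
    named operator or not covered by an approval ticket."""
    creations, operators = parse_events(log_text)
    findings = []
    for ts, host, name in creations:
        who = operators.get((host, name))
        ticket = approvals.get((host, name))
        reasons = []
        if who is None:
            reasons.append("no sudo record: creation not attributable to an operator")
        if ticket is None:
            reasons.append("no approval ticket in the change register")
        if reasons:
            findings.append({"when": ts, "where": host, "what": name,
                             "who": who or "unknown", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in exception_report(AUTH_LOG, APPROVALS):
        print(f"{f['when']} {f['where']}: account {f['what']} created by {f['who']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the constructed input, jsmith passes (operator admin1, ticket CHG-2031), svc_backup2 is reported for both reasons (no sudo record at all, no ticket) and tmp_admin is reported for the missing ticket only. A creation with no sudo record is the case the question above is really about: the account exists, but the log cannot say who made it. This is also why the collector copy of auth.log, not the host copy, should feed the report.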
The resulting threat analysis reports should be used to determine levels of risk and to set priorities for budgets and remedial activity. As a rough guide, information security risk (R) can be approximated from the probability (P) of an event occurring, the value (V) of the asset at risk and the threat (T) itself. In mathematical terms, the rough equation is R = PVT. This is a scoring aid for ordering findings rather than a monetary figure, and it is only meaningful if P, V and T are scored on the same scales for every asset.
All recommended mitigation should be submitted to senior management. The enterprise may be willing to accept a risk regardless of the cost of mitigation because its impact may be low or its likelihood may be low. It is up to the senior management team to determine the enterprise risk tolerance level and to inform the information security manager whether the recommended mitigation should be implemented.
The figure against which the cost of a countermeasure is judged is the annualized loss expectancy (ALE): the value of the asset, multiplied by the percentage of that value that would be lost in a single incident (the exposure factor), multiplied by the annualized rate of occurrence (ARO). A countermeasure is cost-justified when its annual cost is less than the reduction in ALE it achieves; where it is not, the residual risk is a candidate for acceptance by senior management or for a cheaper control.
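As an added worked example (not from the original article), the Python below carries the cost-benefit calculation through in monetary form: for each scenario it computes the annualized loss expectancy ALE = AV × EF × ARO with and without a countermeasure, compares the loss avoided with the countermeasure's annual cost, and orders the scenarios by ALE for budget priority. All scenarios, asset values, exposure factors, rates and control costs are constructed for illustration.

```python
"""Risk ranking and countermeasure cost-benefit (added example, not from the article).

Computes the annualized loss expectancy ALE = AV * EF * ARO for each scenario,
with and without a countermeasure, and compares the loss avoided with what the
countermeasure costs per year. Every scenario, asset value, exposure factor,
rate and control cost below is constructed for illustration.
"""
from dataclasses import dataclass


def annualized_loss_expectancy(asset_value, exposure_factor, aro):
    """ALE = SLE * ARO, where the single loss expectancy SLE = AV * EF and
    EF is the fraction of the asset's value lost in one incident."""
    return asset_value * exposure_factor * aro


@dataclass
class Scenario:
    name: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per incident
    aro: float                # incidents per year without the control
    control: str
    control_cost: float       # annual cost of the countermeasure
    aro_with_control: float   # incidents per year with the control in place


def evaluate(s):
    """Compare the annual loss the control removes with its annual cost."""
    ale_before = annualized_loss_expectancy(s.asset_value, s.exposure_factor, s.aro)
    ale_after = annualized_loss_expectancy(s.asset_value, s.exposure_factor, s.aro_with_control)
    net_benefit = (ale_before - ale_after) - s.control_cost
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_benefit": net_benefit,
        # A negative net benefit is not automatically "do nothing": whether to
        # accept the residual risk or look for a cheaper control is senior
        # management's call against the tolerance level they have set.
        "recommendation": "implement" if net_benefit > 0
        else "refer to management: accept risk or find a cheaper control",
    }


def prioritize(scenarios):
    """Order remedial work by annualized loss, highest first."""
    return [s.name for s in sorted(scenarios, key=lambda s: evaluate(s)["ale_before"], reverse=True)]


# Constructed scenarios for illustration.
SCENARIOS = [
    Scenario("unapproved admin account", 500_000, 0.10, 0.5,
             "four-eyes approval plus daily exception report", 8_000, 0.05),
    Scenario("web server defacement", 200_000, 0.05, 2.0,
             "managed web application firewall", 30_000, 0.2),
    Scenario("data centre flood", 2_000_000, 0.60, 0.01,
             "raised floor and water sensors", 5_000, 0.002),
]

if __name__ == "__main__":
    for name in prioritize(SCENARIOS):
        s = next(x for x in SCENARIOS if x.name == name)
        r = evaluate(s)
        print(f"{name}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f} "
              f"with '{s.control}', net {r['net_benefit']:,.0f}/yr: {r['recommendation']}")
```

On the constructed figures the account-approval control pays for itself (ALE falls from 25,000 to 2,500 for 8,000 a year), the web application firewall does not (it removes 18,000 of loss for 30,000 of cost), and the flood scenario ranks last by ALE despite the largest single loss because its rate is so low. The inputs are the subjective part the text warns about; the arithmetic only makes the assumptions visible.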
Achieving accurate calculations of risk in this manner can be time-consuming and highly subjective. For smaller information security departments, it is probably more worthwhile to outsource the threat analysis and address the identified weaknesses, in order of criticality, as soon as possible. For an organization that decides it is worthwhile to measure risk, The Risk IT Practitioner Guide from ISACA and ISO/IEC 27005:2008, Information technology—Security techniques—Information security risk management, can be used for guidance.