How To Access and Treat IT Security Risks

Introduction

With the development of the Internet and the spread of IT technology, the value of information continues to increase. Therefore, the protection of information becomes very important. The business of many enterprises and institutions depends on the safe operation of information systems. Information has become an important resource in all enterprises and institutions, and an important "intangible wealth". Whoever gains information advantage in future competition will have the initiative to compete. Information security is a major key issue affecting national security, economic development, social stability, and personal interests. In this paper, we will talk about the types of information threats, how to evaluate and resolve information vulnerabilities. And how to create a secure information management environment.

Catalogue

1. Types of security risks
2. A method to assess and treat IT security risks
3. Methods to access security risks
4. Methods to treat security risks
5. Security procedures
6. Policies
7. Procedures
8. Benefits to implement network monitoring systems
9. The potential impact caused by an incorrect configuration of firewall policies and third-party VPNs
10. How to improve network security
11. A trusted network

Types of security risks

The company which runs in a traditional manner relaying on lots of labor and company information relies on human resources to operate and keep them, such as the employee information for the company, cost of materials purchased and unique technology information. But there are some risks to using this mode of operation. Because the company mainly relies on human resources to run its business, so it may cause Information disclosure, Information incompleteness ,information unavailable and even explosion and fire in the factory.Information security usually emphasizes the goals of the CIA triples. They are confidentiality, integrity and availability. The CIA concept is derived from the Information Technology Security Evaluation Criteria. It is also an essential element of information security and a basic principle to be followed in security construction.(Charles P. Pfleeger and Shari Lawrence Pfleeger 2016)

1. Confidentiality: Ensure that information is not leaked to unauthorized users or entities during storage, use, and transmission.
2. Integrity: Ensure that information is not tampered with by unauthorized users during storage, use, and transmission, and that unauthorized users are not allowed to tamper with the system and information to maintain consistency within and outside the information.
3. Availability: Ensure that authorized users or entities will not be abnormally denied access to information and resources, allowing them to access information and resources in a reliable and timely manner.

Different organizations have different emphasis on CIA principles because of different needs. If the organization is most concerned with the protection of private information, it will emphasize the principle of confidentiality. If the organization is most concerned with providing customers with the right information anytime and anywhere, it will highlight the integrity and availability requirements.The purpose of information security: Protecting information from threats to ensure business continuity, minimize business risk, maximize return on investment and business opportunities.

A method to assess and treat IT security risks

Methods to assess security risks

There are two types of methods for assessing information security. One is qualitative judgment and the other is quantitative judgment. Qualitative analysis assesses the approximate level of information security by combining equipment owned by the company and information threats that have occurred in the past. Quantitative analysis is an algorithm to assess the information security index.Quantitative analysis is used to judge the safety factor of the company:

1. Use index evaluation to evaluate factory equipment safety
2. The following flow chart shows how to use the algorithm to determine the probability of accidents in the factory. If using qualitative analysis to assess a company's information safety factor, it is general in the absence of complete and accurate historical data. First they will invite experts who are familiar with the economic business and market conditions of the company; analyze and judge according to their past experience, put forward preliminary opinions, and then convene. The survey will be revised and supplemented as a final basis for predictive analysis.(Yu yu lin 2010)

Common analytical method:

1. Manager - Building on the opinions and recommendations of top management, this approach relies on the team's experience, talent and intuition. But its disadvantage is that if managers are rarely in contact with employees and customers, the greater the risk of qualitative analysis.
2. Experts’ advise - This approach builds on the expertise of external consultants and provides highly specialized and valuable assistance to management.
3. Salesperson’s estimation - This source of information can bring great value because the salesperson is generally the closest to the customer. The main drawback of this approach is the potential bias, because they thought their estimation will be a standard that the manager will regard as a salary increasing mark.
4. Market survey - Customer surveys involve the use of market research techniques to collect information directly from customers. However, if the sampling is not representative or the questionnaire design is flawed, the results obtained may be extremely inaccurate.

Methods to treat security risks

In order to protect the information, there are three aspects need to be aware:

1. Data - The data of the company should be classified in different level., because some data do not need to be protected. And then, there should be a safe place to store data. The data must be backed up to prevent unrecoverable data when it is incomplete and tampered with.
2. Network - The network is vital to a company. Without a network, the company will not be able to continue operations. So the protection of a network is the most important one. We can maintain network security by setting a strong password, controlling MAC, shutting down the network in time, and setting up an effective firewall.
3. Operators - In addition to blocking external attacks, internal personnel also need to manage. Companies should establish a more systematic system to manage the operators of information systems. Ensure that operators are regularly tested for safety knowledge to improve their safety awareness.
4. Working environment - It is also important to keep the work environment clean, especially in the factory. If the employee misuses or the factory environment is dirty, there will be a possibility of fire. At the same time, in order to prevent this from happening, the fire exits and fire extinguishers in the working environment should be checked regularly.

Security procedures

Policy is a formal, brief and high-level statement or plan that embraces an organization’s general beliefs, goals, objectives and acceptable procedures for a specified subject area.Procedures describe the process: who does what, when they do it and under what criteria. They can be text based or outlined in a process map. Represent implementation of Policy.The flow chart below shows the general content of a procedure.( Mohammed S. et al. Jan.7,2010)

Procedures are based on the policies, so the company needs policies first.MSW and MJ Data protection Policy:The data and its processingThe MSW and MJ hold data about employees, volunteers and donors. This policy applies to all data held about living identifiable individuals, regardless of the specific reason.The MSW and MJ are responsible for data processing and disclosure to third parties, only insofar as is necessary to provide services to employees, volunteers, customers and donors.

Main data risks:

The main data risks identified are: Unauthorized disclosure of data due to the diverse spread of users. Unauthorized access to internet-based data from hacking. Data becoming out of dateData privacy, security and protectionMSW and MJ will ensure that data is kept secure by application of relevant procedures and training. Data deletion - Data will be deleted when no longer required as specified in the relevant procedure. Subject access requests. An individual can request to the data held by MSW and MJ about them, subject to certain conditions specified in the relevant procedure. Data disclosureWe only share volunteers’ data with other volunteers as is necessary for the proper operation of the MSW and MJ and its activities. Direct marketing - Consent will be sought for data collection for marketing purposes e.g. new updates, fundraising etc. in accordance with the relevant procedure.

Procedures

1. Subject Access Request Procedure
2. If an individual requests to see the data that the MWS or MJ holds on them, this request must be made to the Data Protection Officer, whose details will be displayed prominently on the companies’ websites.
3. The DPO is responsible for ensuring that this request is answered fully and in the legal timeframe.
4. Requests for personal data will be refused if to do so would directly or indirectly disclose information about another person or would reveal commercially sensitive information.In such circumstances, MWS and MJ will attempt to disclose as much data as it can without such breaches.
5. All requests must be made by the individual concerned or their legally appointed representative and MWS and MJ may make any enquiries it considers necessary to confirm the identity of the requesting individual.

Data Deletion Procedure

Data is deleted in accordance with the following guidelines:

1. On notification of death of a member or volunteer, when a member leaves MWS or MJ (by notification or by lapsing),when a volunteer leaves MWS or MJ (by notification or by lapsing) their data record is altered to remove their contact details.
2. Subscribers to marketing lists will be dealt with as in the section below on Direct Marketing.
3. Names and contact details of customers will be retained for a period of at least seven years in order to meet any legal needs following and as a result of their purchase.

Benefits to implement network monitoring systems

A network monitoring system which operates on computers can monitor activities on a network.( Aki et al. Apr. 1, 2008) A network monitoring system can optimize use of licenses in a shared license pool.Since nowadays more personal computers appear, and every PC can access to every application at the same time. So the requirements and costs of license are increased by multi-tasking operating systems. Therefore, a networking system which can reduce cost of license is needed. A network monitoring system can purchase additional license copies.

A certain quantity of users are available to access an application at one time, but if there is a large number of users trying to access an application at the same time, then problems occur. Therefore, a networking monitoring system which can deal with these problems is needed.(Christopher W. et al. Feb.10,1998 ) A network monitoring system can feedback the anomaly detection in time. If an unauthorized person is trying to access the company’s information system in order to steal the protected data and publish it online. Operators can not mention this situation immediately but a network monitoring system can aware this state as soon as the hacker is invading the system. Therefore, a network monitoring system is needed.

The potential impact caused by incorrect configuration of firewall policies and third-party VPNs

Firewall policy rules decide the firewall how to manage network by judging which network traffic can income or outcome.(K.Golnabi et al. 3-7 April 2006)The firewall involves a series of firewall policies stated in network security administrator in-depth knowledge of its organization’s security policy.If firewall policies’ configuration is incorrect, there will occur some problems when the management tool is deploying firewall policies.(Charles C.Zhang et al. 20-23 MAY 2007) Inaccuracy - If the configuration of firewall policies is incorrect, the firewall equipment’s operating policy will not be replaced by the target policy configured through the GUI. So the deployment will not be successful.·

Disclosure

Because of the role that the firewalls play, if the configuration of the firewall policies is incorrect, the communication’s content between a management tool and its managed firewalls will be disclosed. An attacker will succeed in eavesdropping on any sensitive content. And this will have a potential impact on the network security. Insecurity - The incorrect configuration of the firewall policies will cause the firewall to drop legal traffic or allow illegal traffic during deployment , and this will directly cause the deployment is unsafe. So that an unsophisticated deployment access can cause traffic break or a security hole for the moment. Lower speed - Normally, if a time-critical deployment is slow, the change of a firewall policy should be deployed in time to avoid the illegal access or to open access for some important communication. But if the configuration of firewall policies is incorrect, firewalls will not take any action.

It will harm the network’s security.VPN is an abbreviation of virtual private network which establishes over a telecommunications network. So if the configuration of the third-part VPNs is incorrect, it will break the communication between system administrators for each site.(Larson V. et al. Apr.24,2007) Thus, the sensitive content between administrators may disclose to the attacker, and a serious security problem occurs.

How to improve Network Security

DMZ is an abbreviation of ‘demilitarized zone’. It is a buffer which can solve the problem that the outside user cannot invite the internal internet server after installing the firewall. The graph above shows the location that the DMZ deploys.(The graph is from Xin Ming O. et al., 2005-05-10) On the other hand, it can protect the internal network effectively through DMZ. Because this kind of firewall deployment adds another level for the external network attacker. Static IP is the address that is distributed to a computer or network devices to use for a long time. Only a computer with a dedicated line can have a fixed IP address. So it improves the security of the network.Network Address Translation(NAT) can transform the private IP address into a global IP address. On one hand, it can deal with the lack of IP address, on the other hand, it can avoid attack from the external network and hide and protect the internal computers.

A trusted network

Trusted network can control the information between the resources, thus, it can provide security limit access to network resources. Protecting the sensitive information of a company is very important. A trusted network can provide a safe environment to protect the secret files.Firewalls are one of the most general forms of security. It is a system or structure that could screen which information may flow. The firewall port only allows the specified protocols to a certain machine on the trusted network.Middleware is also used constantly. General protocols are replaced by middleware with application-specific protocols.(Alegre et al. Mar.6,2001)