What are the security requirements of our organisation? How many different requirements are there? Are we clear about the latest threats endangering our flow of information? And what classification system do we utilise for our information? You must ask yourself these immensely important questions continually or risk being overtaken by reality. A harsh reality. With Consulting Services from Crypto AG, customers can critically check for any gaps that may exist in their human resources, technologies and internal processes and obtain advice on implementing an information security system in line with best practice standards.
Casha Frigo Schmidiger, Publicist
Security Services & Solutions: Situation Analysis and Consulting / Assessment
First, we want to be crystal clear about the significance of strictly applied information security. The object of these efforts is to identify, classify and adequately protect all the information in an organisation that is deemed worthy of protection, and to do so throughout the entire lifecycle of that information, from its creation and transfer to its storage and destruction. These tasks have to be performed while the information is being saved, whether it is deposited in a data storage medium, a notebook, a file or an e-mail. The communication also has to be adequately protected when being transferred, whether by wireless means, a network, radio or satellite. A crucial factor for mobile users, in particular, is that they have remote access only to the data they need for their specific task. Moreover, it is important not to lose sight of the legal aspects. Institutions are subject to national and international privacy and data protection law.
In a government context, these regulations pertain in particular to information from embassies and to information on national and international threats aggregated from the reports of secret services and other sources. Another type of data warranting protection is information collected by national or international law enforcement authorities. Personal data of citizens or civil servants also deserves appropriate protection. This aspect is paramount, especially in e-government.
At the same time, it is in government organisations that global networking is becoming increasingly complex. Data is kept in shared storage systems, thanks to technologies such as cloud computing and outsourcing, and is accessible via global networks. Employees working from home make use of organisation networks. The number of home or mobile offices is steadily growing in government organisations, too. In short, data streams are becoming more continuous and more permeable. Yet security awareness is declining just as steadily. It is important to stay on the ball when it comes to security. Technology is constantly changing and hacking activities are on the rise. So, too, is organised crime, which offers cybercrime as a service model to interested and well-off customers. In complex and networked environments, humans are notably still by far the biggest source of incidents, whether intentionally or unintentionally.
In planning the protection of sensitive information, customers must consider a wide variety of aspects. Structured analysis and implementation are especially crucial with respect to the confidentiality, integrity and authenticity of information. Confidentiality is indispensable for processing and communicating data as securely and effectively as possible: information is made accessible to duly authorised persons only, and non-authorised individuals are not allowed access to transmitted messages or stored information. Integrity is another protection goal in information security. This term means that data remain complete and correct over their entire life cycle and that any unauthorised modification is detectable. Authenticity means that the origin of information can be verified, so that the information is known to be genuine, reliable and credible. Customers are well protected if they keep all the above aspects in mind and take adequate security measures based on an analysis of human, process and technology risks.
Which type of information losses would hurt our organisation most?
The biggest risks arise at the boundaries where an internal, self-contained system connects to the outside world, up to and including the external recipients of its data. Data can be lost or tampered with at these boundaries. That is why each institution always has to ask itself a number of fundamental core questions:
- Which type of information losses would hurt our organisation most?
- What protection is required and what classification categories do we have?
- How does information flow within our organisation?
- Are we aware of the latest threats?
- How effective and comprehensive are the protective actions we have implemented?
Homo homini lupus est
Security is only as effective as the weakest link in the chain. Human beings are still that weakest link. Information security does not stop with physical and logical security. That must be said with all clarity. Everything must be done to ensure that data do not end up on the wrong track. All members of an organisation should be privy to processes and have access to facilities and systems only to the extent necessary for them to perform their assigned tasks. This arrangement includes clear rules on access rights as well as stringent rules on the handling of cryptographic keys and guidelines on data storage and data destruction. Basically, the need-to-know principle applies in this context: employees know only as much as they need to perform their given duties properly. In addition, networks carrying differently classified data should be effectively separated from each other.
Consulting powered by Crypto AG
As mentioned in the last issue of Crypto Magazine, the implementation of information security has long entailed far more than mere hardware installation. It also includes numerous services such as status-quo analysis, holistic design and professional implementation as well as continuous auditing, comprehensive post-installation support and lifecycle management. Information security warrants special attention in every project phase. After all, protective measures cannot simply be tacked on at the end. They have to be integrated into the project from the outset.
The strategy of Crypto AG is to play in the top league of information security. Extreme climbing is a good analogy for the notion of top security. Climbing a summit 4'000 meters high is undoubtedly a huge challenge. It is incredibly strenuous. It requires you to be in good shape and to have appropriate gear and a great deal of practice. Mount Everest and K2 at over 8'000 meters above sea level are in a league of their own. Ascending these summits requires a different class of mountain guides and gear. Only a handful succeed. The air there is extremely thin. But that is exactly where we want to take you and your organisation's security.
Consulting Services from Crypto AG assist you in analysing the status quo of your organisation's information security as well as security goal attainment and the major areas where action is needed. The analysis covers the formalised roles and responsibilities of persons in charge of information security, the organisational processes and the technology used. You can use the findings to justify your investment projects and budget requests. Crypto AG always aims to achieve maximum security. It is guided in its recommendations by the latest, globally valid best-practice standards coupled with years of experience and a thorough knowledge of how government customers work. The outcome is a security methodology which Crypto has developed itself. These methods focus on government clients with the toughest security requirements.
The object is to reach an ideal state. That state does not remain valid forever, however. It has to be constantly adapted because information security is a continuously evolving process.
Consulting from Crypto goes through four phases:
- Phase 1: Inventory - assessment
- Phase 2: Goal definition and planning of an ICT security architecture
- Phase 3: Realisation - implementation to remedy essential deviations between the desired situation and the actual situation
- Phase 4: Assure and verify - continuous monitoring of the effectiveness of the actions being taken
The first phase, the security assessment, is similar to a SWOT analysis. In it, the assessors evaluate the strengths and weaknesses of your existing information security strategy as well as the opportunities and threats associated with that strategy. To this end, they draw up an inventory of the people, processes and technology involved. A strictly technological assessment is not sufficient and does not show the whole picture. All aspects are thoroughly examined, based on the principle that a chain is only as strong as its weakest link.
People in defined roles and with specific responsibilities bring information security to life. When evaluating the technology used, the Crypto assessors check which technical security measures are employed (security zones, firewalls, encryption etc.). In the course of these checks, they bring in technical experts from a variety of security fields. In their assessment, they also take a close look at the information security processes defined and practised in the organisation. These processes include, for example, incident management, monitoring and event management as well as change management, to name just the most important ones. Once the security requirements are clear, the consultants proceed to phase two. There, they devise an ICT security architecture geared to the customer's needs and starting situation, which serves as the target definition for maximum security. The architecture covers all technical and organisational protective measures, including the structures and procedures for setting up and operating these security precautions.
Security as a continuous improvement process
Phase three is the realisation: defining the processes and putting them into practice. The consultants adapt procedures and roles based on various best practices and the specifications of the Crypto security methodology, and implement a tailor-made process framework. They define processes to match the customer's needs, infrastructure and environment. The objective is for customers to be able to achieve the level of security specified in their security policy, to maintain that level in the long term and to monitor it on a continuous basis.
To ensure that customers practise genuine information security, they need information security governance on three levels:
- Strategic level or the question of why
- Conceptual level or the question of what
- Operational level or the question of how
Regular audits required
Security is only as good as the security practices actually applied. To ensure optimum information security, customers must regularly check their organisational and technological measures in order to minimise or eliminate risk. Phase four of Consulting Services from Crypto AG comprises the steps of assuring and verifying, in which the consultants measure the effectiveness of the measures taken.
Each organisation has to decide for itself how much security it needs. However, the rule of thumb is as follows: anyone who fails to verify his own information security in good time has no information security. To manage risks successfully, a customer first has to know what those risks are.