The Role of Information Security Policy
Jarin Udom
CMGT/400
November 22, 2013
Eric Clifford
The Role of Information Security Policy
According to Kevin Mitnick, one of the world’s most famous (or infamous) hackers,
“companies could spend millions of dollars towards technological protections and that's money
wasted if somebody could basically call somebody on the telephone and either convince them to
do something on the computer which lowers the computers defenses or reveals the information
that they're seeking” (PBS, n.d.). Technical defenses have become increasingly sophisticated, but
the human element is still the biggest—and will likely continue to be the biggest—security
vulnerability at any organization. Although not completely effective, arguably the best ways to
mitigate this risk are policies, standards, and a concerted organizational effort to train and
educate employees and others working for the organization.
Policies and Standards
What is the difference between information security policies and standards? Information
security policies outline the ways an organization will protect information in the form of high-level business rules and guidelines (PJ, 2009). Information security standards dictate more
detailed requirements for how an organization will implement those policies (PJ, 2009). For
example, an information security policy may require all sensitive emails be encrypted and
digitally signed. The corresponding standard may specify that all sensitive email is to be
encrypted and digitally signed via PGP, using a 2048-bit key size and the RSA algorithm.
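As an added illustration (not part of the original paper), the following Python script shows how the standard in the example above can be checked mechanically rather than taken on trust: it parses the fields of an OpenPGP public-key packet (the layout defined in RFC 4880) to recover the algorithm and modulus size, then compares them with the stated requirement of RSA with a 2048-bit key. The sample packets are constructed inside the script from placeholder modulus values and are not real keys; the function names and the `REQUIRED_MIN_BITS` threshold are assumptions of this example, not anything the paper or a PGP implementation defines.

```python
import struct

# Public-key algorithm identifiers, RFC 4880 section 9.1
PK_ALGORITHMS = {
    1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only", 3: "RSA Sign-Only",
    16: "Elgamal (Encrypt-Only)", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}
RSA_ALGORITHM_IDS = {1, 2, 3}
REQUIRED_MIN_BITS = 2048  # the standard's requirement (assumed threshold for this example)


def parse_packet_header(data):
    """Return (tag, body_offset, body_length) for the packet starting at data[0]."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet: bit 7 of the first octet is clear")
    if first & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = first & 0x3F
        b1 = data[1]
        if b1 < 192:
            return tag, 2, b1
        if b1 < 224:
            return tag, 3, ((b1 - 192) << 8) + data[2] + 192
        if b1 == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths are not supported here")
    # old-format header (RFC 4880 section 4.2.1): length type in the low two bits
    tag = (first >> 2) & 0x0F
    length_type = first & 0x03
    if length_type == 0:
        return tag, 2, data[1]
    if length_type == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if length_type == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate-length packets are not supported here")


def read_mpi(body, offset):
    """Read a multiprecision integer: 2-octet bit count, then the big-endian value."""
    bits = struct.unpack(">H", body[offset:offset + 2])[0]
    nbytes = (bits + 7) // 8
    raw = body[offset + 2:offset + 2 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated MPI")
    return bits, int.from_bytes(raw, "big"), offset + 2 + nbytes


def parse_public_key(packet):
    """Extract algorithm and key size from a version 4 public key or subkey packet."""
    tag, offset, length = parse_packet_header(packet)
    if tag not in (6, 14):  # 6 = Public-Key Packet, 14 = Public-Subkey Packet
        raise ValueError(f"packet tag {tag} is not a public (sub)key packet")
    body = packet[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated packet body")
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algorithm_id = body[5]
    info = {"tag": tag, "created": struct.unpack(">I", body[1:5])[0],
            "algorithm_id": algorithm_id,
            "algorithm": PK_ALGORITHMS.get(algorithm_id, f"unknown({algorithm_id})"),
            "key_bits": None}
    if algorithm_id in RSA_ALGORITHM_IDS:
        # RSA key material is MPI n (modulus) followed by MPI e (public exponent)
        n_bits, _, next_offset = read_mpi(body, 6)
        _, e_value, _ = read_mpi(body, next_offset)
        info["key_bits"] = n_bits
        info["exponent"] = e_value
    return info


def check_against_standard(info, min_bits=REQUIRED_MIN_BITS):
    """Return a list of findings; an empty list means the key meets the standard."""
    findings = []
    if info["algorithm_id"] not in RSA_ALGORITHM_IDS:
        findings.append(f"algorithm {info['algorithm']} is not RSA")
    elif info["key_bits"] < min_bits:
        findings.append(f"RSA modulus is {info['key_bits']} bits; standard requires {min_bits}")
    return findings


def build_rsa_key_packet(n, e, created=0, old_format=False):
    """Construct a v4 RSA public-key packet from integers (sample data, not a real key)."""
    def mpi(value):
        bits = value.bit_length()
        return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)
    if old_format:  # 0x99: old-format header, tag 6, two-octet length
        return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body
    length = len(body)
    if length < 192:
        header = bytes([0xC0 | 6, length])
    else:  # two-octet new-format length, valid up to 8383 octets
        header = bytes([0xC0 | 6, ((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    return header + body


# Constructed sample moduli: correct bit length for the test, but not real keys.
SAMPLE_2048 = build_rsa_key_packet((1 << 2047) | 1, 65537)
SAMPLE_1024 = build_rsa_key_packet((1 << 1023) | 1, 65537, old_format=True)

if __name__ == "__main__":
    for label, pkt in (("2048-bit sample", SAMPLE_2048), ("1024-bit sample", SAMPLE_1024)):
        info = parse_public_key(pkt)
        print(label, info["algorithm"], info["key_bits"], "bits:",
              check_against_standard(info) or "meets the standard")
```

The point of the split between `parse_public_key` and `check_against_standard` is that the standard lives in one place (`REQUIRED_MIN_BITS` and the RSA algorithm set) and can be changed when the policy's standard is revised without touching the parser, which mirrors the paper's distinction between the policy's goal and the standard's concrete requirement.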
Policies
In any organization, it’s important to start with a high-level security policy before
considering standards, guidelines, or procedures. A security policy addresses the overarching
goals, concerns, and risks of the organization’s overall information security efforts. Information
security policies are “made by management when laying out the organization’s position”
(Conklin, White, Williams, Davis, Cothren, & Schou, 2011) on organizational security issues.
According to Diver (2006), when developing a security policy it’s important to consider
the company’s level of process maturity. She further elaborates that aiming too high at first,
especially in large organizations, “isn’t likely to be successful for a number of reasons including
lack of management buy-in, unprepared company culture and resources and other requirements
not in place” (Diver, 2006). Since information security policies are generally created by
management, it’s also important to assemble a team of subject matter experts to provide
information and assist managers and executives during the process.
Standards
Most standards in an organization are developed based on the organization’s high-level
security policy. However, according to Conklin et al. (2011), other standards are “externally
driven. Regulations for banking and financial institutions, for example, may require certain
security measures be taken by law.” Once a security policy is in place, engineers and subject
matter experts can begin the task of determining the best standards for implementing the
individual goals of the policy. For general information security, the National Institute of
Standards and Technology’s (NIST) Computer Security Resource Center is an excellent place to
start. NIST’s website contains a plethora of recommended cybersecurity standards and best
practices. Similarly, the Open Web Application Security Project’s (OWASP) wiki is a
community-maintained resource for web and other application security recommendations and
vulnerabilities. Finally, the organization may wish to employ subject matter experts and
consultants to develop standards based on industry-standard best practices and experience.
Role of Employees
As stated above, people are the weak link in any organizational information security plan.
Most people realize that employees with trusted access privileges may abuse their access to
compromise an organization’s information. However, as Kevin Mitnick illustrated, employees
can also be unwittingly tricked into divulging sensitive information or information that can assist
an intruder in compromising computer systems. Organizations must include human factors in
their security policies, and they must take efforts to inform employees and others working for the
organization about policies, standards, procedures and guidelines.
It is absolutely essential that employees understand that information compromises can
have serious consequences, not just for the organization but also for the employee themselves.
Employees and others working for the organization must be ever vigilant against social
engineering attempts, phishing, physical security breaches, and other human-oriented intrusion attempts.
For example, an intruder may attempt to gain access to a secure facility by waiting for an
authorized employee to swipe their security badge and then following them through the door, or
“piggybacking”, before it closes. Organizations can prevent this kind of intrusion by
implementing clear policies that every person passing into a secure area must swipe their badge
before entering. This kind of policy counteracts the normal human tendency to avoid
inconveniencing others.
Another example might be an intruder attempting to gain sensitive security information
over the phone. Kevin Mitnick famously exploited the natural human tendency to be helpful by
calling government agencies and posing as a fellow employee who was having technical
problems, and he was able to convince employees to give him the names of computer systems
and even execute commands on his behalf (PBS, n.d.). Employees should verify the identity of
any unknown caller, even if they claim to be in distress or a high-level executive (another
common tactic). However, an exception can be made for familiar voices, as studies have shown
that people are quite good at recognizing voices—an accuracy rate of 92% when hearing a
familiar voice for only 5.3 seconds and an accuracy rate of 79% when hearing a barely familiar
voice for 15.3 seconds (Kreiman & Sidtis, 2011, p. 177).
Conclusion
As Kevin Mitnick said, “the human side of computer security is easily exploited and
constantly overlooked” (PBS, n.d.). While the proliferation of botnets, worms, and easily
available “script kiddy” tools has clearly made the role of technological information security
measures more important than ever, the human element remains the weak point of any
information security plan. In order to mitigate this risk, organizations must develop clear
information security policies and then use them to develop standards to be implemented
throughout the organization. In addition, they must train and educate employees about the
risks posed by social engineering attempts, phishing, physical security breaches, and other
human-based intrusion attempts, and about the importance of guarding against them.
References
Conklin, A., White, G., Williams, D., Davis, R., Cothren, C., & Schou, C. (2011). Principles of
Computer Security CompTIA Security+ and Beyond (Exam SY0-301). (3 ed.). New York,
NY: McGraw Hill Professional.
Diver, S. (2006). Information security policy - a development guide for large and small
companies. SANS Institute Reading Room. Retrieved from
http://www.sans.org/reading-room/whitepapers/policyissues/information-security-policydevelopment-guide-large-small-companies-1331
Kreiman, J., & Sidtis, D. (2011). Foundations of voice studies: An interdisciplinary approach to
voice production and perception. (1st ed., p. 177). John Wiley & Sons. Retrieved from
http://books.google.com/books?id=gwu48EvAXIsC
PBS. (n.d.). Testimony of an ex-hacker. Retrieved from
http://www.pbs.org/wgbh/pages/frontline/shows/hackers/whoare/testimony.html
PJ. (2009, February 03). What are policies, standards, guidelines and procedures? Retrieved from
http://mindfulsecurity.com/2009/02/03/policies-standards-and-guidelines/