Thursday, April 10, 2008

Web Application Security

Web applications are the most vulnerable element of an organization’s IT infrastructure. As your organization uses the Internet for customer, supplier, employee, and vendor interactions, Web technologies and database interfaces become more complex and require additional security. Web application and database assessments are ideal for:
  • Web sites that interface with database systems
  • Ensuring compliance (HIPAA, Sarbanes Oxley, GLB, etc.)
  • Emerging and fast growing firms
  • Businesses concerned about security
  • Organizations in the financial and health care industries
  • Buffer overflow, SQL injections, cross site scripting, JavaScript, and other programming concerns
Assessments help your firm manage a range of vulnerabilities including buffer overflow, SQL injection, cross-site scripting, Google hacking, authentication risks, JavaScript, Common Gateway Interface (CGI), PHP, broken links, authentication hacking, and many other types of web-related vulnerabilities.

Thursday, March 06, 2008

Controls Help Mitigate and Reduce Risks

Controls are administrative, management, technical, and legal methods that are used to manage risk. Controls include policies, procedures, programs, techniques, technologies, guidelines, and organizational structures. They help an organization comply with standards by addressing information security risks, information confidentiality, integrity, and availability.

Security policies and control objectives express management’s commitment to the implementation, maintenance, and improvement of its information security management system. Leading organizations use best-practice information security control measures to satisfy the stated control objectives. Standards frequently do not mandate specific controls, but leave it to the users to select and implement controls that suit them, using a risk-assessment process to identify the most appropriate controls for their specific requirements. Organizations are typically free to select controls as long as their control objectives are satisfied.

Leading organizations follow a Plan, Do, Check, and Act process:
  • Plan – planning
  • Do – implement, operate, and maintain
  • Check – monitor, audit, and review
  • Act – continual improvement
An example of a control standard is ISO/IEC 27002:2005 Information technology -- Security techniques -- Code of Practice for Information Security Management. Network and security assessments are part of the "Check" process and help ensure that you have the proper controls in place and that they are functioning as desired.

Friday, January 04, 2008

Business Continuity - more than disaster recovery

Business continuity requires more than just a plan to recover from a disaster. Business continuity policies, planning, and activities allow an organization to continue critical operations even during a business disruption. Business continuity generally consists of three areas:

  • Business resumption planning (business operations recovery)
  • Disaster recovery planning (technical aspects of recovery)
  • Crisis management (organization's response)

A top-down approach to business continuity planning helps an organization minimize the impact of a disruption on business operations. More than just recovering from a data center outage, continuing business operations requires the involvement of business units and upper management.

Risk management and a Business Impact Analysis (BIA) provide management with a planned approach to managing a disruption caused by a fire, flood, earthquake, terrorism, or other disaster. When recovering from a disaster, the organization's image and reputation must be protected. An employee designated as the spokesperson for the organization allows a consistent message to be delivered to employees, customers, and the media.

Business continuity plans reduce the cost of a business disruption. Many organizations use risk assessments to help them identify areas that can lead to disruptions in business operations.

Tuesday, December 04, 2007

Information Security Policy

Policies represent the corporate philosophy of an organization. They provide management with the direction and support needed to perform their day-to-day duties. In the case of information security, an information security policy helps provide direction in accordance with business requirements, standards, laws, and regulations.

Policies should be established in line with business objectives. For example, management demonstrates support for and commitment to information security through the issuance and maintenance of an information security policy.

Leading organizations use an information security policy to define information security and establish the framework for setting control objectives within an organization. Risk assessments help organizations ensure that preventative, detective, and corrective controls are in place and operating as desired.

Friday, November 09, 2007

IT Governance

What is IT governance and why is it important? Let's first start with corporate governance. Corporate governance is a set of responsibilities and practices used by an organization’s management to provide strategic direction to the business. Governance ensures that goals are achievable, risks are properly addressed, and organizational resources are properly utilized.

IT governance is an integral part of corporate governance and consists of the leadership, structures, and processes that ensure IT extends the organization’s strategy and objectives. IT governance is the responsibility of the board of directors and executive management.

IT governance helps ensure the alignment of IT with business objectives. Fundamentally, IT governance is concerned with:

  • Value - IT delivers value to the business by strategic alignment of IT with the business
  • Risks - IT risks are mitigated by embedding accountability into the business
Assessments help ensure IT is properly managing risks and delivering value to your organization.

Thursday, October 11, 2007

Need to Manage your Risks?

Mid-size firms have growth challenges. Many are growing quickly and don't have the resources of large firms. One mid-size organization provided employment screening and background checks. The firm was growing rapidly, attracting large clients, and expected to double in size within two years. Management was concerned that the IT staff and infrastructure could not support the organization’s rapid growth.

They contracted with a firm to provide a network assessment and an analysis of data backups, anti-virus, e-mail, software licensing, software patching, laptops, and many other areas. In addition to the IT infrastructure, the Work Plan included interviews with IT, management, and key users to determine if there was an alignment or satisfaction issue with IT.

The analysis included a comparison of the IT department with industry benchmarks so the organization could evaluate if they were making effective use of IT spending. The assessment also reviewed written policies, business continuity plans, and related procedures and guidelines.

The assessment identified several “hidden” issues that would have caused a disruption in business operations. The prioritized Action Plan gave the firm guidance to make immediate changes to its network infrastructure and IT staff. The organization’s management had peace of mind knowing that the plan allowed the firm to double in size over the next two years.

Network assessments provide management with peace of mind and help organizations achieve growth targets.

Sunday, September 16, 2007

Information Security Management Systems (ISMS)

Securing information systems is a business issue, not an IT issue. As more and more systems are automated, business managers are exposed to IT-related disruptions. As a result, business managers now play an important role in IT-related risk management.

Technology has revolutionized the operations of many firms as they have moved away from mainframe computer systems to infrastructures composed of networks, the Internet, and enterprise-wide processing. Risk management services assess the risks of an organization’s use of technology, the resulting exposure to technology risks, and the adequacy of controls to mitigate those risks.

A variety of outside, independent risk assessments are available that help firms identify, manage, and reduce their risks. In addition to providing peace of mind, risk assessments help organizations meet compliance related requirements.

Tuesday, August 07, 2007

Preventing Identity Theft

Personally identifiable information such as your name, date of birth, social security number, and many other forms of identification presents risks when it is stored electronically. Not only is the information easily accessible to many employees, but it can also be viewed by unwanted intruders.

Identity theft presents two different types of risk:
  • Account takeovers – accounts can be taken over by an imposter posing as you. The imposter can purchase goods and services using your existing accounts.
  • Application fraud – with sufficient information, an imposter can open new accounts in your name. The goal is to obtain as much money and as many products as quickly as possible.
Five steps you can take to protect sensitive information:
1) Request a free credit report by calling (877) 322-8228 or visiting http://www.annualcreditreport.com/.
2) Reduce the number of credit cards you hold and shred unsolicited credit card applications.
3) If a business requests a SSN, ask if another number can be substituted instead.
4) Ask businesses to only request and keep the minimum amount of information they need to do their job.
5) Ask if your information is shared with others and how your information is protected.

Five steps businesses can take to secure sensitive information:
1) Identify the minimum amount of information that needs to be collected and stored.
2) Identify the minimum number of staff who need to access sensitive information.
3) Educate your staff about policies and the need to keep information private.
4) Encrypt information so it is protected even if the network is compromised.
5) Outside independent security assessments help identify, manage and reduce risks.

For more information on assessments, please visit Altius IT.

Saturday, July 14, 2007

High Connectivity Costs

Prevent high connectivity costs. Executives are concerned about the high costs of connecting people with information. Well managed networking and security initiatives with follow-up support can prevent these high costs.

Suites of networking, security, and risk management services specifically address concerns expressed by executive management:
1. High costs – Executives are finding it increasingly difficult to be in constant communication with business associates, and the high cost of bringing together people and information is a major problem.
2. Experience – Very few IT personnel have the depth of experience and expertise working with executives to prevent the high costs of bringing together people and information.
3. Support – Executives are finding that efficient and effective use of their existing systems requires knowledgeable employees and support.

Outsourcing can be a cost effective solution if in-house IT personnel don't have the necessary experience and support.

Tuesday, June 05, 2007

Policies Manage Your Risks

Policies help organizations manage risks. By reviewing business requirements and anticipated future growth plans, organizations can identify and prepare policies that are aligned with the organization's goals and objectives.

Policies often consist of the following:

  • Policy – the rules and requirements for risk management and continuing business operations.
  • Standards – detailed networking and security technologies for protecting information systems.
  • Guidelines – system or topic related recommendations and best practices.
  • Procedures – details to implement standards and guidelines, guides for installing software, securing facilities, documenting security breaches, etc.

In some instances, policies can conflict with each other. In these circumstances, a steering committee can address policy conflicts and identify appropriate compromises and alternative solutions.

If your organization lacks policies, policy templates provide a jump start and help you manage your risks. More information on risk management is available at Altius IT.
