-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
How should Salvi address the issues before him?
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What are the challenges faced by Salvi?
-
Salvi, as CIO of an Indian bank, faced one of his biggest challenges in that a large number of its customers were offline-based, and in order to bring customers to online banking, the IS protocols should not be so rigorous as to cause inconvenience to customers. Although HDFC Bank was not pursuing market share as a business objective in its own right, securing regular annual increases in new customer accounts was crucial to business growth, and ensuring that existing customers stayed on with the bank was equally important. Thus Salvi had to balance both the security and the convenience of customers.
Second, he also came across the problem of the location of its servers: the proposed IS infrastructure at HDFC Bank would include two types of servers, authentication servers (housing the software that would conduct the due diligence) and online servers (facilitating the actual transfer of money from one account to another).
The bank was in talks with RSA Security, but the dilemma was whether the online servers should be located at HDFC's data centers and the authentication servers at RSA's premises. The latter were outside of India, and maintaining servers that far away would present yet another potential point of systemic failure.
-
3. What are the challenges faced by Salvi?
Indian customers had a strong trust in offline banking, and when the internet was on the rise, online banking systems attracted customers because of the convenience of online banking. But considering legacy systems and paperwork, it was not easy to move to online banking, especially with security. Maintaining security while giving customers the convenience of online banking, while retaining the trust of the Indian customer, was the biggest problem faced by Salvi.
• He had to establish an IS security framework, which was new to the online banking process
• Protect the online banking platform from online hazards while guaranteeing authentication, authorization, integrity, privacy and non-repudiation
• HDFC faced a phishing attack in 2007, affecting 28% of its customers. This was a time when online banking was not prepared for it, and the bank was implementing corrective rather than preventive measures.
• With the new online model, IS risk identification, measurement and monitoring of credit risk, market risk and operational risk
• The problem was also with setting up servers. Customers should not communicate directly with the bank server; this indicated the use of PKI. Should the authentication server and online server be located onsite, with the vendor, or in the cloud? Onsite would have less potential for failure. When outsourcing IS services, vendors must not store confidential data. While maturing IS systems and guaranteeing security with each additional layer, the complexity of the process was increasing, which went against customer ease of access.
• As it was a new implementation, his major issue was finding loose ends in online banking and tightening security there.
• With the growing mobile platform, they needed to implement different authentication for mobile and online banking. With mobile systems in use: technology integration while maintaining the independence of IT, business integration with each business unit dealing with its own risks, and risk integration.
• Dormant accounts were also vulnerable to fraud. For new customers, secure access would be provided when the account is created, but what about earlier customers? A fraudster could steal the ID and password of a dormant online customer, make a false registration, set himself up as a beneficiary and transfer funds during the unguarded interim period.
• While validating users, there is a high possibility of false positives. With immature IS technologies, false positives were high and thus increased customer inconvenience. The dilemma was whether the protocols should authenticate the customer or the transaction.
What Salvi basically faced was adaptation to a new architecture at a time when risks were unknown. It was more of a corrective strategy that went against the mission of engaging customer trust and convenience.
-
One of India's leading private banks, HDFC Bank revolutionized the public sector banks (PSBs) in 1994, reducing the slow and time-consuming process of depositing and withdrawing funds by implementing 24/7 self-service technologies. The implementation of customer-convenient technologies posed significant challenges to the availability, security, and integrity of a changing banking industry. The Reserve Bank of India (RBI) provided new provisions for new PSBs entering the banking sector in 1994 to create competition for a newly re-organized banking sector. Expensive upgrades to legacy systems put the traditional brick-and-mortar PSBs at a disadvantage in acquiring the new, younger, technology-savvy depositor. As a premier provider of customer-centric IS solutions, HDFC extended its remote banking services by entering the online and mobile banking space to target non-traditional virtual banking customers. By adapting to the changing culture, HDFC had grown to 10 million customers, 684 branches, and 1,605 ATMs across India from 1994 to 2007.
In August 2007, HDFC clients were sent a fraudulent email from a phisher asking for sensitive account information. Phishing attacks take the form of website links, phone calls, or email messages. The attack entices the recipient to perform an action that will compromise their identity in order to steal money or personal information. (Microsoft Safety & Security Center, n.d.)
Vishal Salvi worked for HDFC Bank as the Chief Information Security Officer during the attack. He was confronted with many challenges in providing employees and customers an easy-to-use, safe and secure information system that met and/or exceeded the RBI banking regulations. HDFC put a heavy focus on convenience for customers by investing in real-time technologies. The innovative technologies eliminated the need to visit a local branch, but posed new security risks for the customer. There had to be a balance between quick and secure. The system would have a multi-layered authentication process to identify the account holder and verify that the transaction is accurate. Identification would require a user name and password, called "first level" authentication. Salvi decided to implement "second level" authentication, requiring another set of security fields to identify the user. Second level authentication is known in banking circles as "secure access" and requires the setup of commands unique to the user, such as an image, a personal message, or answering a series of questions that will be automatically generated by the system during the log-in process. (Bose, September 24, 2016)
The multi-level authentication process provided Salvi a solution to minimize the effects of a phishing attack, but system availability and redundancy are also expected in order to satisfy customer convenience. The HDFC IS infrastructure would consist of two sets of servers: the authentication set and the online set. The challenge faced by Salvi was whether to bring both sets of servers onsite, bring one set onsite and have one set hosted, or have both sets hosted by a third-party provider at an off-shore location. Bringing the servers in-house would reduce systemic failure, because they would be supported by HDFC employees dedicated to each set of servers, but the cost of the equipment, payroll, utilities, and other factors didn't make the solution cost-effective. RSA Security is a third-party security solutions provider, offering cloud computing solutions and involved in countering the phishing attack. RSA offered a scalable monthly-fee solution, satisfying the security, ramp-up time, and budget requirements.
You would think the authentication and outsourcing are a "no-brainer", but each step in both procedures reduces what HDFC considers to be convenience. It may take longer for the customer to log in due to inexperience and/or forgotten security answers, or the system may decline an authorized transaction because it didn't fall within the validation metrics of the authentication process. What about continuity? Will RSA provide an acceptable recovery time if it goes offline? How about access to the hosted environment: will HDFC employees have access to the co-location? Careful customer consideration and transparency would be required to maintain a secure environment while meeting the expectations of new and existing remote banking clients.
Works Cited
Microsoft Safety & Security Center. (n.d.). How to recognize phishing email messages, links, or phone calls. Retrieved from https://www.microsoft.com/en-us/safety/online-privacy/phishing-symptoms.aspx
Bose, I. (September 24, 2016). HDFC Bank – Securing Online Banking. Harvard Business Journal, 8.
-
There is another issue that is brought up in the case regarding server implementation: the issue of implementing a secure framework within a short time, and the cost required to do so.
The cloud model offered by RSA would take about 9 months, while the online model would take 15 months. With the cloud, HDFC Bank could opt for pay-by-use pricing, whereby the bank would be billed only for actual usage.
I think that while solving this problem or dilemma, again the security issue was overlooked. With security issues arising while the system was being moved online, yet another cloud system was going into a new area to explore, with new security threats.
-
With HDFC Bank becoming the target of a phishing attack, Salvi, the CISO, was faced with the challenges below:
1. How to ensure the security of online transactions while keeping customer convenience as a priority?
For online transactions HDFC used adaptive risk modelling, where a risk score was assigned to each transaction based on some predetermined parameters such as pattern of use, size of the transaction and geographical location. The higher the risk score, the higher the intervention by the system. Interventions might be OTPs, calls from the bank to verify the transaction, or security questions to verify authorization. HDFC had RSA Security as a service provider to monitor ongoing phishing attacks, and authorized it to shut down online banking transactions temporarily until the user went physically to the bank to get them re-enabled. The bank also introduced a "cooling period", wherein a transfer of funds to a new person could be done by adding the person as a beneficiary, and the transfer would be initiated only after 24 hours, giving the bank time to check the transaction and also giving the customer time to report fraud. It also implemented three-factor authentication using the three authentication requirements: what you are, what you have and what you know. Though these measures were necessary, Salvi was concerned that introducing so many security measures complicated online transactions, and he wanted to focus on customer convenience.
2. Should secure access be mandatory or discretionary?
Dormant accounts were easily targeted for phishing or other attacks, as anyone could get easy access to the account without raising an alert. Salvi was planning to introduce a second level of authentication, secure access, for all online customers, which would automatically disable the account if the customer was inactive for a defined period of time. New customers would be provided secure access with the online registration itself. This created a dilemma about the dormant users in the list of existing online customers, as they were not sure how long they should retain them in the unguarded system before disabling their accounts. Salvi had to make sure that he provided a timeframe for the dormant account holders to gain secure access, and also make sure that this period was small enough not to be misused.
3. Should the bank use an onsite model or a cloud model?
The proposed IS infrastructure had two types of servers: an authentication server and an online server. Salvi had to decide the location of the servers:
a. HDFC's own datacenter:
In the onsite model the rate of system failure was low, as the servers would be on the same network. In-house servers would be costly, as the bank would have to think about future requirements as well.
b. Offsite, hosted by the vendor (RSA Security): The internet was the medium of communication, which was always exposed to threats. One more question was whether the online server was to be located at HDFC's datacenter with the authentication server at RSA's premises. But as the vendor's location was outside India, transcontinental links were required, which were open to the risk of systemic failure. Setting up this system would take one and a half years.
c. Cloud computing (RSA Security): Here the resources would be stored in a virtual environment. The main advantage of this system was that the company would pay only for the storage space used, and it could be expanded as and when the need arose. The cloud model would take 9 months to go live. The cloud model had multiple options for network connectivity: the internet (no additional cost, but less reliable), dedicated bandwidth (reliable, but requiring high investment), or a proxy server hosted by the vendor (the bank would have less control).
As setting up the IS system was not the main objective of the business, which was to be a world-class Indian bank, too much investment in setting up the IT system could be a big concern for the firm. Salvi had to decide which model to go with, aligning with the business goals while still considering profitability and maintaining strong customer relations.
-
Question 1: What are the challenges faced by Salvi?
Vishal Salvi, the Chief Information Security Officer at HDFC Bank at the time of the case, had several challenges facing him in his new role. As outlined in the beginning of the case, the three major dilemmas that Salvi faced were how to ensure the security of online transactions, whether to make secure access mandatory or discretionary, and whether to use an onsite or cloud model for their information systems and databases. With the increased demand for online banking in India, a phishing scam that affected 1.28 million customers was the cause of these challenges for Salvi. While each dilemma is slightly different, each one is aimed at increasing the security of the company.
The first challenge that HDFC Bank and Salvi had to face was that of finding the right blend of security and convenience. In general, security at its core usually adds some level of inconvenience. While this is not necessarily a bad thing, a lot of security practices are seen as unnecessary by many consumers. If HDFC creates strict security controls for accessing an online bank account, consumers might not understand the necessity of those controls and favor another bank instead. However, if security controls are not adequate, then HDFC can be the target of data breaches and phishing scams. I think the pattern that most banks and businesses see is that during the early stages of a business, security is not a high priority, mostly since they are not a large target. However, as the bank or business becomes more popular and successful, stronger security controls are put in place. Since HDFC wants to establish authentication and validation controls which involve customer interaction, they need to be careful about which controls they implement so as not to push away potential customers.
Salvi had answered the first challenge by establishing multi-factor access to online banking. This multi-factor authentication required that the user establish a list of security questions, establish personal messages, provide their address or telephone number, and use other methods of authenticating that the user is the appropriate user. The problem was that HDFC had a number of dormant users who did not use the online functionality but instead used the bank or ATMs. It was easy for Salvi to establish that when the access control policy was implemented, any new customers going forward would have to use the multi-factor authentication. With the way the IS was established, there was a serious vulnerability for the existing users. While the case doesn't identify Salvi's actions, I would suggest establishing a timeline by which users are required to set up the multi-factor authentication questions before the account is locked online.
The last challenge faced by Salvi was where to establish the location of a server and HDFC's IT infrastructure. In my understanding, there are really only two methods of acquiring IT resources: purchasing, or paying a service provider. In the case, Salvi had the option of purchasing its own data center housed at its headquarters, or using the security service provider, RSA, which offered either an offsite database or cloud computing. The difficulty is that each choice has its pros and cons. The major benefit of having the database "in house" is that it sits within the headquarters of HDFC, making it more accessible since it's on the network. However, the con is that this option is the most expensive. The less expensive option of using RSA has issues of its own: it needed to create a safe means to access the data, as well as relying on a third party.
Overall, Salvi had to face some serious challenges to address the security of HDFC Bank. In most cases I examined, the answer is usually to implement a basic change or move focus from business efficiency to security. However, in the HDFC Bank case, the challenges didn't necessarily have a clear-cut answer, making the decisions by Salvi that much more difficult.
-
The ubiquity of the internet and banking reforms in India have made HDFC Bank one of India's leading private banks, with deposits of over $15 billion in 2007. Along with the internet, the demand for online banking steadily increased, and it was considered to be the "banking of the future." As Chief Information Security Officer for HDFC Bank, Vishal Salvi's primary objective was to make certain that HDFC's online banking was secure from cyber threats while maintaining a balance between security and customer convenience. The four challenges faced by Salvi are: addressing phishing attacks on HDFC Bank's customers; implementing security controls without interfering with customer convenience; whether or not to add the "secure access" model to dormant online accounts; and deciding on a new information systems server location that would optimize its ability to deliver financial services to its customers.
Phishing is one of the nine most common online threats facing banks and financial institutions. To combat phishing targeted at its customers, HDFC contracted RSA Security to provide a 24/7 command center that would monitor for ongoing phishing scams and shut down online banking transactions as necessary. Salvi also introduced a "cooling period," where transactions to an unknown third party would be held for 24 hours to allow the bank time to verify the transaction with the account holders. It also sent out awareness messages to its customers in an effort to educate them on the dangers of phishing. With all of these additional controls, Salvi had to make sure that HDFC did not overdo it and create an inconvenience for the customers.
HDFC also had to ensure that the security controls implemented on each online transaction were invisible to the customers. Some of these controls are user IDs and passwords, tokens, account profiling, and even biometrics. With every layer of additional security control, the complexity of the system grows, making it more difficult for a customer to make online transactions. Salvi had to decide whether the information security protocols should authenticate the account holder or authenticate the transactions. Identity authentication is focused on the proper identity of the account holder, which may be verified using biometrics or security tokens. Transaction authentication uses instruments such as HDFC's "adaptive risk modeling" to create a profile so the bank can flag any abnormal transactions from an account.
Secure access, in banking terms, refers to additional security measures enforced by a system to authenticate the identity of a user. This may require the user to select a pre-chosen image, answer personal security questions, provide an address or phone number, or select a personal message. It may also require the account holder to provide a list of known beneficiaries, or third-party accounts, that the customer makes periodic transfers to. Dormant accounts are accounts that have never made transactions over the internet, although the customer has registered for online banking. Dormant accounts were very susceptible to fraud, since attackers can gain access to the accounts without raising any flags. Salvi had to decide if secure access should only be applied to active online accounts or to dormant online accounts as well. He also had to decide how long the bank should wait before disabling a dormant account's online privileges, since leaving it alone without secure access may provide an open window for attackers to gain unauthorized access to the account.
Lastly, Salvi had to decide how he would manage the IS infrastructure for HDFC's growth. He had to choose whether the bank's authentication and online servers should be located onsite or offsite. Having the servers onsite, at HDFC's datacenters in India, would give the bank control of the system's availability and security. The disadvantages of onsite servers are the upfront costs, management of idle capacity, and the inability to scale up or down efficiently with demand. Cloud servers give the bank the advantages of scalability, pay-per-usage, and minimal initial investment costs. Cloud servers also require an additional communication medium between the bank and the provider, which needs additional security measures. The main disadvantages of having the servers in the cloud are issues with connection reliability and no control over the third party's security management processes. With this decision Salvi must also factor in the cost and time of implementing each type of infrastructure.
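As an added illustration (my own sketch, not code from the case or from the post above), the following Python shows how the "adaptive risk modeling" and "cooling period" controls described in this thread could fit together: each transfer gets a risk score from three signals the posts mention (geographical location, pattern of use, and transaction size relative to the customer's own history), the score selects a step-up intervention (allow, OTP, call-back, or block), and a transfer to a beneficiary registered less than 24 hours ago is held. The weights, the thresholds, the 24-hour constant and the sample customer history are all assumptions chosen for the example; the case does not publish HDFC's actual parameters.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Assumed parameters: the case gives none of these values.
COOLING_PERIOD = timedelta(hours=24)      # hold on transfers to a newly added beneficiary
INTERVENTIONS = [(80, "block"), (50, "callback"), (20, "otp"), (0, "allow")]


@dataclass
class CustomerProfile:
    usual_countries: set
    usual_hours: range                    # local hours the customer normally transacts in
    past_amounts: list                    # recent transfer amounts (customer's own history)
    beneficiaries: dict = field(default_factory=dict)   # name -> datetime registered


@dataclass
class Transaction:
    amount: float
    country: str
    beneficiary: str
    when: datetime


def risk_score(profile: CustomerProfile, tx: Transaction):
    """Score a transfer against the customer's own profile; returns (score, reasons)."""
    score, reasons = 0, []
    if tx.country not in profile.usual_countries:          # geographical location
        score += 40
        reasons.append("unfamiliar country")
    if tx.when.hour not in profile.usual_hours:            # pattern of use
        score += 15
        reasons.append("outside usual hours")
    if len(profile.past_amounts) >= 2:                     # size, relative to history
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if tx.amount > mu + 3 * sigma:
            score += 30
            reasons.append("amount far above history")
    return score, reasons


def intervention(score: int) -> str:
    """Map a score to the step-up action: the higher the score, the heavier the intervention."""
    for threshold, action in INTERVENTIONS:
        if score >= threshold:
            return action
    return "allow"


def decide(profile: CustomerProfile, tx: Transaction):
    """Apply the beneficiary cooling period first, then the risk model."""
    registered = profile.beneficiaries.get(tx.beneficiary)
    if registered is None:
        return "reject", ["beneficiary must be registered before a transfer"]
    release = registered + COOLING_PERIOD
    if tx.when < release:
        return "hold", [f"cooling period ends {release.isoformat()}"]
    score, reasons = risk_score(profile, tx)
    return intervention(score), reasons


# Constructed sample customer: transacts from India during the day, about 1,000 per transfer.
PROFILE = CustomerProfile(
    usual_countries={"IN"},
    usual_hours=range(7, 23),
    past_amounts=[1000, 1200, 900, 1100, 1000],
    beneficiaries={
        "landlord": datetime(2007, 8, 1, 10, 0),     # long-established payee
        "new_vendor": datetime(2007, 8, 20, 9, 0),   # added this morning
    },
)

# Constructed transfers covering the routine case and each control.
SAMPLE_TRANSACTIONS = {
    "routine":     Transaction(1100, "IN", "landlord", datetime(2007, 8, 20, 14, 0)),
    "abroad":      Transaction(1000, "GB", "landlord", datetime(2007, 8, 20, 14, 0)),
    "night_drain": Transaction(50000, "RU", "landlord", datetime(2007, 8, 20, 3, 0)),
    "new_payee":   Transaction(1000, "IN", "new_vendor", datetime(2007, 8, 20, 12, 0)),
    "unknown":     Transaction(1000, "IN", "stranger", datetime(2007, 8, 20, 12, 0)),
}


def run_samples():
    """Return the action chosen for each constructed sample transaction."""
    return {name: decide(PROFILE, tx)[0] for name, tx in SAMPLE_TRANSACTIONS.items()}


if __name__ == "__main__":
    for name, tx in SAMPLE_TRANSACTIONS.items():
        print(f"{name:12s} -> {decide(PROFILE, tx)}")
```

The size check is deliberately relative to the customer's own history (mean plus three standard deviations) rather than a fixed rupee cap, which is what makes the model "adaptive": a 50,000 transfer is abnormal for this customer but would be routine for a business account.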
-
Hi Paul,
This is a very good summary of the case. Thank you for sharing. Aside from being expensive, having onsite servers also requires additional physical security controls. Some other cons, as mentioned in the case, are scalability and idle capacity. For a growing online customer base, HDFC would need to ensure that the new onsite datacenter had enough capacity to provide services to new customers, but not so much that the maintenance cost of unused capacity drains the bottom line. With offsite servers, not only would the bank have to rely on a third party for security, but it would also have to provide a medium that would not affect the availability of critical systems. Overall, like you said, it's a very difficult decision for Salvi, not only between time and cost, but also between security and availability of the new IS infrastructure.
-
3. What are the challenges faced by Salvi?
The challenges faced by Salvi are:
• It was Salvi’s principal mandate to make certain that HDFC Bank’s online banking platform was secure from online hazards
• The two components of online banking were net banking and mobile banking. Mobile banking was a new concept in India and people were not that familiar with it, but since it was considered to be the banking medium of the future, it needed to be promoted.
• For HDFC Bank, an IS framework in light of the changing ecosystem was just at the beginning of the curve, with three dimensions: technology integration, business integration and risk integration.
• It was a challenge to meet the following major aspects of all three dimensions:
o For technology integration, IS should be independent of the larger information technology (IT) scenario at the bank.
o For business integration, business divisions in the bank should be accountable for the costs and risks associated with IS.
o For risk integration, employees should look at IS risks as part of the overall risk management of the bank rather than as a standalone risk.
• Phishing was one of the nine common online frauds concerning banks, and HDFC was the fourth bank in India to encounter it, but HDFC was quick to take corrective measures.
• Another challenge was to ensure that the IS protocols were not so rigorous as to cause inconvenience to customers. It was important to secure regular annual increases in new customer accounts and to ensure that existing customers stayed on with the bank.
• It was a challenge to keep IS transparent to the customer while at the same time making it effective from the bank's point of view.
• Reducing the false positive rate was a challenge, since the IS technologies were not that mature and the IS processes were not stabilized, which made the process time-consuming for customers. Customers perceived it as an inconvenience. Maintaining the bank's competitive position was a challenge.
• Another challenge was managing identity authentication of the account holder as well as transaction authentication, while at the same time keeping it simple for customers.
• Managing the security of dormant accounts was a challenge. The bank needed to decide whether it should provide secure access to every registered online user or limit secure access to active users only. A timeframe needed to be defined for dormant users to seek secure access before their accounts were disabled, while at the same time keeping the window small to prevent misuse during the interim period.
• Deciding the server location (whether onsite or offsite) was another decision to be taken.
-
Q: What are the challenges faced by Salvi?
Based on the case, Salvi faced three challenges: how to balance the security of online transactions with customer convenience, whether secure access should be mandatory or discretionary, and whether to choose an on-site model or a cloud model.
The first challenge that Vishal Salvi faced was the balance between the security of online transactions and customer convenience. In general, as per the case, each online financial transaction had two minimum requirements for approval: validation and authentication. Validation required a customer's user ID and password, which allowed the bank's security system to know the account holder. Authentication required a six-digit number from a customer's physical device, which allowed the person's identity to be checked. Furthermore, other additional checks included the size of transactions and the locations and IP addresses of customers.
However, with the increased risks of online banking, Salvi wanted to increase the security of online banking; at the same time, he was concerned that implementing a new security system would affect customer convenience. If Salvi decided to continue using the same level of security, it was true that customers would still find online banking convenient, but it was also true that the low level of security was putting customers at high risk. On the other hand, if Salvi decided to increase the level of security, the security system would be trustworthy, but the complexity of the system would push customers away and lead to a loss of customers. This was Salvi's first challenge: the balance between security and convenience.
The second challenge that Vishal Salvi faced was whether secure access should be mandatory or discretionary. A number of online banking users registered with HDFC would almost never use the internet, and instead used physical branches or ATMs. Those dormant accounts were easily targeted by fraudsters, who could enter the online accounts without raising any alert. So Salvi was planning to implement a second level of authentication for all online customers to ensure their security, known as "secure access". The second level of authentication included details of account holders and added to the validation process performed by the system. Furthermore, Salvi said that HDFC would disable access for those who would not use the internet, and once they needed it, they would need to gain secure access. For new customers, Salvi planned to provide secure access once they registered an online account.
Even though Salvi already had his plan to implement secure access, he still could not decide whether it should be mandatory or discretionary. If Salvi decided to make secure access mandatory, it would provide optimal security and he already had plans to implement it, but the inconvenience would impact customers' experience of using online banking and lead to a large loss of customers. On the other hand, if he decided to keep it discretionary, it would be convenient for customers, but the higher security risk would be a big concern. This was Salvi's second challenge: whether secure access should be mandatory or discretionary.
The third challenge that Vishal Salvi faced was whether to use an onsite model or a cloud model. Based on the case, an on-site model would carry a low rate of systemic failure because its servers would be built within HDFC's own local area network. A cloud model's advantages were that it was fluid and elastic. It would require a separate connection between HDFC and its IS vendor over the internet, and the vendor's location was outside of India, which created additional concerns about systemic failure and transcontinental links.
Salvi was concerned that if he chose the on-site model, it would require a longer timeframe and more expenditure than the cloud model, which required a shorter timeframe and allowed pay-by-use pricing.
Overall, across these three challenges, Salvi's goal was to keep online banking secure. However, before he made any decisions, he had to balance several elements, including customer convenience, security risk, timeframe and expenditure.
-
What are the challenges faced by Salvi?
In August 2007, HDFC Bank, one of India’s leading private banks was a target of a phishing attack. Customers received e-mails claiming to have originated from the bank and seeking sensitive account information, including password and personal identification codes. Phishing is one of the most common online frauds related to banks and financial institutions and due to India’s growing prevalence of online banking, banks have to set up countermeasure to prevent such attacks. Vishal Salvi, HDFC Bank’s CISO, would like to improve HDFC Bank’s information security to prevent such attacks from happening again however, he is faced with customer convenience, secure access and server location challenges in his goal to improve security.
Customer Convenience
The first challenge Salvi faced is the impact of customer convenience while attempting to make online banking more secure. One of the primary purpose of offering online banking is to make banking more convenient and available to customers where ever they are as long as they have internet access. Salvi intend to implement additional layers of protection by implementing systems which authenticates the identity of the account holder or the transaction. The check points involved in authenticating the account holder require authentication instruments such as biometrics (“what they are”) and tokens (“what they have”). Authentication of transactions on the other hand concentrates on the integrity of the transaction process. It relies on internal systems which analyzes a customer’s historical transaction amount and recipient and raises a red flag if any transaction is out of the customer’s normal transaction activity. Salvi is contemplating on which security to implement by weighing the cost-benefit of security vs. customer convenience.
Secure Access
The second challenge Salvi faced is establishing secure access for dormant users. Salvi is planning to introduce a second level of authentication for all HDFC bank’s online customers. This introduces another authentication instrument where individual customer incorporate specific details of authentication into their account such as security questions and images (“what they know”) which will be part of the validation process of the customer’s online banking. Activating this new level of security is a non-issue with active or new users however the problem lies in dormant users, which represent approximately 20% of HDFC’s customers registered online. These accounts are vulnerable to attackers and fraudsters because the actual users do not monitor their accounts. If a perpetrator is able to gain access to the dormant accounts, they can set the secure access of those account for themselves and gain complete access to those accounts. Salvi is faced with the decision on whether to activate the secure access feature, disabling dormant user account and risk losing a significant number of registered user accounts.
Server Location
The third challenge Salvi faced is establishing server locations for the authentication servers and online transaction servers. In establishing the proposed IT infrastructure mentioned above, Salvi will need to decide whether to have the servers built in-house or to outsource them to RSA Security. RSA Security had built up competent cloud-based servers which allow data to be stored in the virtual world. The main advantage of outsourcing to RSA Security is the flexibility it provides. HDFC can use data storage as needed without being reliant on server capacity. RSA Security has offered a bundled package to store the hardware, software, networks, services, and interfaces of HDFC in the virtual world with pay-by-use pricing. With what RSA Security is offering, it would be the wise option to set up the authentication servers in the cloud. Salvi would then need to decide on network connectivity, whether through the internet (cheapest but unreliable), dedicated bandwidth (costly but reliable) or a proxy server hosted by the vendor, where hardware and software architecture would need to be installed slowly in the bank’s own infrastructure.
-
3. What are the challenges faced by Salvi?
According to the beginning of the case, Vishal Salvi, the new Chief Information and Security Officer of HDFC, was facing three dilemmas in strengthening the bank’s online security following a phishing attack in 2007 that affected 1.28 million online banking customers. The challenges were:
First dilemma: How to ensure the security of an online transaction while still keeping customer convenience as a priority?
The first security challenge for Salvi was to find the right balance between convenience and security. These two components were in conflict with each other: customers were seeking simplicity and for the system to be more trustworthy, whereas HDFC bank aimed to increase the complexity of online banking security to avoid data breaches and phishing attacks. Customers could be discouraged from online banking if the bank set up security controls and policies that were too strict and complicated. I would describe online banking security as an onion, which has multiple layers to protect the money and personal information of online banking users.
To respond to the challenge:
Multi-factor authentication:
Salvi established the multi-factor authentication in response to the security challenge. This multi-factor authentication requires the users to select a security image, establish a personal message, provide correct address or telephone number, and answer security questions. Nowadays, this process has been implemented by most banks to ensure the right identity of the account holders.
RSA Security:
In addition, Salvi also signed on with RSA Security, a third-party security provider, to set up a 24/7 command centre to monitor an ongoing attack as well as shut down the bank’s online transactions temporarily under authorization from HDFC bank.
Cooling period:
Moreover, the bank account holders were required to establish a list of “beneficiary”. Transfer of funds to a new person who was not listed would take at least 24 hours. The time window would give time for the bank to check the transaction and authorization of the account holder.
Educational alert:
After the security disaster happened, HDFC bank frequently educated the account holders about the hazards of phishing by sending awareness messages.
Second dilemma: whether he should make secure access mandatory or leave it discretionary.
There were still massive numbers of registered online customers who would never use the internet, even though they had registered for online banking, and would instead use offline media such as ATMs or visit a branch in person. These types of users posed a risk because a fraudster could gain entry through them without raising an alert.
To respond to this challenge: HDFC bank would disable access for dormant customers who did not use the online medium regularly. They would then need to visit a branch in person with an ID to gain secure access once again.
Third dilemma: Whether he should go for an onsite model or for the cloud model in terms of time, money and security.
HDFC bank was in conflict over choosing the right server location to include two types of servers, authentication servers and online servers, because each model would have its own pros and cons.
Onsite model: it would be located in HDFC’s data centres in India, carrying a low rate of systemic failure. The main advantage would be providing the bank higher data availability and security. The disadvantage of onsite servers would be higher costs.
Cloud computing: Business applications would be stored in the virtual space of the internet and shared by everyone. The bank could customize according to its computing needs. Cost would be one of the main advantages because of pay-by-use pricing. Another main advantage would be scalability for the future. The main disadvantages would be the lower reliability of its network connectivity and of data security for the customers.
Overall, these three dilemmas enabled Salvi to reinforce the information security defenses at HDFC. In order to maximize information security and minimize vulnerability subsequent to a phishing attack on the bank’s customers, I believe both parties, the bank and its customers, would have the responsibility to secure themselves by having the right attitude toward account protection and certain online behaviors.
Source: HDFC Bank: Securing Online Banking, Harvard Case
https://cb.hbsp.harvard.edu/cbmp/content/55253616 -
What are the challenges faced by Salvi?
As Salvi said, there are three major dilemmas. How to ensure the security of online banking while still giving priority to customer convenience? Whether secure access should be made mandatory or discretionary? Onsite model or the cloud model?
The first one. The emergence of phishing attacks and other online frauds, along with an ever-changing external environment, put a high demand on HDFC bank’s information security framework. In order to secure each online transaction from hazards, multiple standard checks were implemented: validation and authentication were minimum requirements, then complemented by additional check points, such as those based on the risk score of each transaction or the profile of the customer.
Each new layer will add to the complexity of the process and may lead to customer inconvenience or, what’s worse, potential customer loss. So, how to achieve a tradeoff between security of the online process and customer convenience matters a lot to retain old customers and attract new customers.
The second one. Salvi was planning to introduce a second level of authentication for all online customers to ensure security, because there was a majority of dormant users who were vulnerable to online frauds without raising an alert. Salvi just wondered whether to provide secure access to every registered online user or only to active users. This challenge is pretty similar to the first one: balancing security and customer convenience.
The third one, onsite model vs cloud model. An onsite model, as an integral part of HDFC’s own local area networks, carried a low probability of systemic failure, while the cloud model faced potential systemic failure caused by low-reliability internet or upfront investment in dedicated bandwidth. Besides, the cloud model may scale relevant computing services up or down depending on users’ needs, while the onsite model was idle and not scalable. In addition to fundamental issues of IS, time and cost should be taken into consideration: an onsite model would take longer than the cloud model, and the pay-by-use pricing offered by the cloud model is more sustainable and flexible.
-
Shahla Raei
MIS 5206
HDFC: Securing Online Banking
What are the challenges faced by Salvi?
As CIO of HDFC bank, Salvi was working on strengthening the bank’s information security framework.
Here are the challenges that Salvi was dealing with:
– Keeping the newly established IS framework secure.
– He was concerned about IS security in five different aspects to keep online transactions secure: Authentication, Authorization, Privacy, Integrity and Non-repudiation.
– Moving customers from offline banking to online banking.
– All banks are required to conduct risk management and analysis of security vulnerability assessment at least once a year. At HDFC the initial risk management model, and he wanted to make sure that all platforms were secure.
– Phishing was one of the most frequently occurring online frauds concerning Salvi.
– Need to ensure that the IS protocols were not so rigorous as to inconvenience customers.
– To reduce the false positive rate.
– Securing access and considering a second level of authorization (can distinguish access between returning users and new users).
– By implementing a mobile platform, the bank needs to implement different authentication levels. -
Salvi was faced with a number of unique challenges he was forced to address in enabling HDFC as an online bank. The first challenge addressed was the dilemma of striking a balance between customer convenience and implementing controls to ensure customers’ mobile and internet banking was secure and maintained their “trustworthiness.” The first question related to securing and implementing these controls was whether or not they needed to authenticate at the transaction level or the account holder level. They ultimately decided to focus on authentication of the account holder by implementing a combination of authentication of an electronic persona by use of things like biometrics as well as tokens from RSA, which were “what you have.” The only way for an individual to access this code was to have both of these correct, and even today it is a fairly common authentication control.
The next dilemma that Salvi addressed was the issue of secure access (a second layer of authentication for the account holder). Here he implemented a system which would require customers to predetermine and set beneficiaries of the account or authorized users. At this second level of authentication, customers were required to select an image, a message, customer info such as address or phone number, and answers to unique questions that were previously answered by the account holder. This created an issue for dormant online accounts, or account holders that had had accounts for some time but were not using any of the online features and did not register for use. This left a gaping vulnerability in the system because for anyone intent on committing fraud it would be fairly easy to register the accounts for online use with readily available information and to create their own answers to the validation questions.
The final dilemma that Salvi faced was where to house the authentication servers and the online servers (where the actual banking takes place). His options were to either house them onsite at their own data centers or to leverage a service provider for cloud computing. Both options had their advantages and disadvantages. If he were to house them in their existing data centers it would be easier to ensure the availability of the servers, because they would be integrated with their own LAN and there would not be another communication link required, both to ensure up-time for availability purposes and to secure against any egress points. With the cloud option, even with the additional network to worry about for availability, the cloud option seemed to be the better option. With every business, the goal is to be as scalable or elastic as possible and to have the agility to change to keep up with any unforeseen circumstances such as customer tendencies and unexpected growth. In addition, with the cloud model they did not have to invest any internal resources into the ongoing maintenance of the hardware or the software, patches, failed hardware, etc. This responsibility is all outsourced to the cloud provider. Also, if Salvi wanted to leverage a hybrid solution, where some of the solution sat in their own data center but they wanted to leverage the cloud for certain features, it is an a la carte offering, meaning the customer does not have to purchase an entire hosted solution but can rather pick and choose what he would want to use of storage, database, integration, testing and infrastructure.
Also, even though the cloud model would take about 6 months longer to implement and roll out, there were the factors mentioned above, the tax implications, and the ability for HDFC Bank to write off a significant portion of the cloud computing costs as operating costs since it was a pay-by-use model, whereas the internal option would require a balance when ordering the necessary hardware, taking into account future growth but not wasteful spending by overestimating and having too many idle resources purchased and sitting in their environment.
-
Wen Ting Lu
MIS 5206
Case 1 HDFC Bank – Securing Online Banking
In this case analysis, I will describe the three major challenges that Vishal Salvi, the new Chief Information and Security Officer, was facing, assess the pros and cons of each alternative, and finally follow with recommendations on how to overcome the challenges.
The first challenge that Salvi was facing was improving transaction security and mitigating security risks while ensuring customer convenience to develop good customer relationships. Salvi wanted to strengthen its online banking security by using a combination of validation and authentication for every transaction, in which each transaction had to have proper validation in terms of a user ID and password, and the transaction also required proper authentication, which proves “what the customer has”. However, at the same time Salvi was concerned that implementing this new security system would impact customers’ convenience and prevent them from breezing through online banking because of security access barriers. My recommendation to resolve this challenge is to implement the new secure system, two-factor authentication, only for unrecognized devices. The reason is that it not only keeps online banking secure, it also makes it convenient for customers who constantly use the same online banking devices.
The second challenge that Salvi was facing was whether to implement secure access for all online users, or make it discretionary and limit secure access only to active users. According to the statistics mentioned in the article, about 20% of the registered online customers were dormant users. These users never used the internet and instead preferred to use offline media such as ATMs or to visit a local branch in person. However, dormant accounts were vulnerable to phishing attacks and would provide a great opportunity for hackers to gain entry without any alert. There are two alternative courses of action for this challenge. The first action is to prohibit logins from dormant users without warning. This will quickly resolve the dormant account vulnerability, but it will bring inconvenience to the customers because their accounts have been disabled. The second action is to give dormant account users a warning before disabling their accounts and to rewrite the current IT governance with dormant accounts in mind. This will be prone to irritate customers, and address the dormant account vulnerability. My recommended course of action to resolve this challenge is to rewrite the IT governance policy and give warning to dormant account users that their accounts are under threat. Rewriting the IT governance policy will not only allow HDFC bank to have a company-wide IT policy that states how to deal with dormant accounts, it could also be marketed to the customers as a good reputation for caring about customers’ account safety. At the same time, an education platform can be created to help customers understand why the changes are being made in secure access and to awaken dormant account users to the importance of online security.
Lastly, Salvi was facing the challenge of determining where to locate HDFC bank’s servers, either onsite or offsite as a cloud model. There are both pros and cons of onsite and offsite models. In the article it mentions that an onsite model carried a low rate of systemic failure because the servers would be an integral part of HDFC’s own local area network. On the other hand, an offsite model required a separate medium of communication between HDFC Bank and the IS vendor: the internet. However, the onsite model is idle and not scalable, as expansion and contraction cannot be done depending upon the needs of the users of computer services, because this model is a fixed-capacity data center. Compared with the onsite model, the offsite cloud model is able to expand and contract depending upon the needs of the users and makes it possible for the users to scale up and down in computing services. My recommended course of action to resolve this challenge is to implement a cloud-based solution, because technology grows rapidly and is hard to predict, and with elastic capacity the cloud model resolves this issue. In addition, the offsite cloud model has the benefit of pay-by-use pricing. -
Vishal Salvi, Chief Information Security Officer of HDFC Bank, has the challenge of making several very tough decisions, which include: how does he ensure the security of an online transaction while still keeping customer convenience as a priority, should he make secure access mandatory or should he leave it discretionary, and should he go for an onsite model or for the cloud model?
Salvi looked for ways to resolve how he would ensure the security of an online transaction while keeping convenience high for customers. One way Salvi decided to do this was by confirming that the bank would introduce a 24-hour “cooling period” where funds would not transfer to a non-listed account until after the time period. This would give the bank time to check the transaction and it would allow the bank user to alert the bank if they noticed something was wrong. Salvi would also have the bank send a phishing awareness message to educate customers on its hazards. These both go along with his strategy of security without inconvenience.
Salvi addressed the issue of mandatory secure access with plans to enforce second-level authentication. One way Salvi would do this is by making sure that every large transaction would have standard validation and authentication “checks”. However, he had to decide whether he wanted to have the bank authenticate the identity of the account or authenticate the actual transaction, which is a convenience issue. Another issue with secure access is that dormant accounts were extra vulnerable to attacks, so Salvi also had to decide whether the bank should provide secure access to every registered online user or limit secure access to only active users. Salvi seemed to be leaning towards the option of making dormant account users lose access to online accounts and having to actually come into the bank.
In regards to the location of the servers, Salvi has two options: onsite model or offsite/cloud model. The benefits of the onsite model are: a low rate of systemic failure, total control of their network and data, better security against hackers, and a better client/customer relationship. The negatives of the onsite model are: longer implementation, increased costs, high upfront investment, the requirement of specialists to protect against cyber-attacks like phishing, and the requirement of each department to maintain all software and hardware.
An offsite/cloud model is more fluid and flexible, has less upfront investment, the cost of the cloud is not fixed and is directly related to the amount of bandwidth used and the amount can be written off as financial expenditure, the cloud is convenient for the customer to bank online, and fewer employees need to be hired with this model. The cons of the offsite/cloud model are: a third party controls their data, the increase of system failure due to the separate medium of communication, HDFC has no control of their servers, they may have to purchase data if they end their partnership with the cloud company, and there are questions concerning transactional links.
All of these decisions will be tough because Salvi will have to make the decision based on the bank’s core activities (providing and facilitating financial services) and not hardware and software maintenance, upkeep of websites, management of data centers, and provision of links at ATMs. These types of decisions will only get harder as more and more users convert to online accounts. Salvi will also base his decisions on his ability to ensure security without inconveniencing the account holders, so that the bank can secure regular annual increases in new customer accounts while ensuring that existing customers stay on with the bank. -
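The beneficiary “cooling period” that this post and the earlier one describe (an immediate transfer only to a listed beneficiary, with a transfer to an unlisted or newly added payee held for at least 24 hours so the bank can verify it and the customer can raise an alert) can be expressed as a small decision routine. The following is an added example, not code from the HDFC case or from any post on this page; the `Account`/`Decision` data model, the 24-hour window constant and the decision labels are assumptions made for the illustration.

```python
"""Beneficiary cooling-period check for outbound transfers (added example).

Models the control described in the posts: a payee on the account holder's
registered beneficiary list can be paid once the registration is at least
24 hours old; anything else is held, not paid, until the window elapses.
The data model and labels are assumptions for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

COOLING_PERIOD = timedelta(hours=24)  # "at least 24 hours", as the posts state


@dataclass
class Account:
    holder: str
    # payee id -> time (UTC) the beneficiary was registered by the account holder
    beneficiaries: dict[str, datetime] = field(default_factory=dict)

    def add_beneficiary(self, payee: str, when: datetime) -> None:
        """Registering a payee starts its cooling period.

        Re-adding an existing payee keeps the original timestamp so the
        window can never be shortened by repeating the registration.
        """
        self.beneficiaries.setdefault(payee, when)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    release_at: datetime | None = None  # when a held transfer may be retried


def check_transfer(account: Account, payee: str, now: datetime) -> Decision:
    """Return whether a transfer to `payee` may proceed immediately.

    Unlisted payees and payees registered less than COOLING_PERIOD ago are
    held; the bank can review the request in that window and the customer
    can raise an alert if the registration was not theirs.
    """
    registered = account.beneficiaries.get(payee)
    if registered is None:
        # Not on the list: the request itself is held for the full window.
        return Decision(False, "payee not on beneficiary list; held for review",
                        release_at=now + COOLING_PERIOD)
    release_at = registered + COOLING_PERIOD
    if now < release_at:
        return Decision(False, "beneficiary still within cooling period", release_at)
    return Decision(True, "beneficiary established; transfer may proceed")


if __name__ == "__main__":
    # Constructed scenario: "bob" added at 09:00 UTC, transfers attempted later.
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    acct = Account("alice")
    acct.add_beneficiary("bob", t0)
    print(check_transfer(acct, "bob", t0 + timedelta(hours=2)))      # held
    print(check_transfer(acct, "bob", t0 + timedelta(hours=24)))     # allowed
    print(check_transfer(acct, "carol", t0 + timedelta(hours=30)))   # held, unlisted
```

The boundary is deliberately inclusive at exactly 24 hours and the registration timestamp is write-once, because the two ways such a control usually fails in practice are an off-by-one at the window edge and a re-registration that silently resets the clock.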
Priya & Vaibhav,
The decision to move functions to the cloud, or to outsource, is a difficult decision to make. The two main factors I see in this decision are:
1. Control – Do you want to have the ability to control the environment? Make changes, add & remove controls, etc. I see the difference between a company’s cloud solution vs. on-site solution as control and not so much functionality.
2. Cost – Do you want to pay for it upfront or forever with a monthly cost? You will have to try and estimate a break-even point based on the number of users / licenses. You will have to include variable costs like support, but also fixed costs like hardware. This is why it is important to have a council made up of individuals who are using the solutions.
-
Fred – Although I believe control and cost are factors, I do not think they are the main factors.
I think all of these decisions will be based on the bank’s core activities (providing and facilitating financial services) and how they can provide these services in the best way possible that will allow for annual increases in new customer accounts while ensuring that existing customers stay on with the bank. With that said, I think the two main factors are 1) security (without inconveniencing the account holders) and 2) growth.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
Presentation: Slides
Video: Video
Quiz w/solutions: Quiz w/solutions
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is […]
-
The term “acceptable information system security risk” means that the risk to information system security is not high enough for the organization to worry about it. In fact, accepting a level of risk occurs when the cost of managing the risk outweighs the cost of handling the loss.
The authorizing official (or designated approving/accrediting authority) is a senior management official or executive with the authority to formally determine what the acceptable level of information system risk is.
In order to determine what is an acceptable level of risk, the organization must perform a security risk analysis, which is part of a 9-step risk assessment process, that should involve the following:
1-Control Analysis
2-Likelihood determination
3-Impact Analysis (determine impact to the systems, data, and the organization’s mission.) Impact levels are described using the terms high, moderate, and low.
4-Risk Determination
The level of risk to the system and the organization can be derived by multiplying the ratings assigned for threat likelihood (e.g., the probability obtained in step 2 of the risk analysis) and threat impact (obtained in step 3 of the risk analysis). For example, the probability assigned for each threat likelihood level is 1.0 for high, 0.5 for moderate, and 0.1 for low, and the value assigned for each impact level is 100 for high, 50 for moderate, and 10 for low.
Then, using a risk scale, the risk should be classified as low (from 1 to 10), moderate (10 to 50) or high (50+). If an observation is described as low risk, the system’s authorizing official must determine whether corrective actions are still required or decide to accept the risk.
-
The term “acceptable information system risk” is usually defined in terms of practical implementation: in spite of building security measures and risk mitigation features within an organization, the risk can never be reduced to zero. When risk cannot be reduced to zero, it is important to determine how much to spend on lessening it to an acceptable level of risk. We can explain it with an example: despite the measures taken by a bank to secure its online banking system, there are always attempts by hackers to hack into the system, and this can never be reduced to zero, so it is important to determine how much to spend to bring the system to an acceptable level of risk.
Acceptable risk levels should be set by management and based on the business’s legal and regulatory compliance responsibilities. Information security managers play an important role in deciding the acceptable level of risk to balance the company’s operational costs and build a robust security mechanism.
To conduct a risk analysis, some of the steps are defined below:
1) Control analysis - Analyzing the controls to be used in the organization to protect the system.
2) Likelihood determination - Likelihood ratings are described in the qualitative terms of high, moderate, and low, and are used to describe how likely a successful exploitation of a vulnerability by a given threat is.
3) Impact analysis - This step usually means calculating the impact in case the risk occurs in the organization and the level of damage it may cause. The impact levels are also determined as low, moderate and high.
4) Risk determination - Once the likelihood of the risk and its impact have been determined, we have to calculate risk by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.
The probability assigned for each threat likelihood level is 1.0 for high, 0.5 for moderate, and 0.1 for low.
The value assigned for each impact level is 100 for high, 50 for moderate, and 10 for low.
For example, the likelihood of the risk is high, so it has been given the probability of 1, and the impact to the organization is moderate, so it is assigned the value 50.
The risk to the organization is finally 50*1=50 in case the vulnerability is exploited -
Risk, as defined in ISO 27000 series, is the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to an organization.
Acceptable information system security risk essentially means the level of harm the organization is willing to accept in an event that a threat should be successful in exploiting a vulnerability. It is impractical for organization to eliminate information security risk completely. Even after security controls are implemented to lessen the occurrence and/or impact of an Information security event, there will still be some residual risk. If the residual risk has not been reduced to an acceptable level, the risk management cycle is repeated until enough controls are implemented to make the residual risk acceptable.
Acceptable information system security risk is dependent on the organization, its resources, and its risk appetite. Each organization has its own acceptable risk levels, which are driven by legal and regulatory compliance responsibilities, its threats, and its business drivers. Management has the responsibility to set the organization’s acceptable risk levels because they understand the business drivers and are ultimately responsible for meeting business objectives.
There are several constraints that play a role in how an organization determines its acceptable level of risk:
1. Time-frame to implement
2. Financial or technical issues
3. The way the organization operates or its culture
4. The environment in which the organization operates
5. Legal framework and ethics
6. Ease of use of security measures
7. Availability and suitability of personnel
8. Difficulties of integrating new and existing security measures
Due to these constraints, organizations may not be able to implement appropriate security controls or the cost of implementing controls outweighs the potential of a security event occurring. The organization must conduct the appropriate Risk Assessment process for each potential risk to the organization. -
The term “acceptable information system security risk” is determined in the risk treatment process, which is the fundamental goal of going through the risk assessment and other prerequisites to the risk treatment phase of the risk management methodology. This is the idea that after going through the context evaluation and risk assessment phases of the methodology, and when analyzing what the appropriate course of action is to minimize the cost of implementing controls to mitigate the risk identified (the ultimate goal of the overall process), it is determined that the organization will live with the risk and the potential consequences of the security event taking place against the asset. This occurs when either the risk is deemed too unlikely to occur or the cost of implementing any controls to mitigate the identified risk is too high and fails the cost-benefit analysis.
The acceptable level of risk should be decided by the steering committee within an organization. The steering committee should have the necessary stakeholders from all sides of the business that are impacted by the identified risk. This would include the executive management of the lines of business as well as executive management from the owner of the overall risk management process, i.e. the CISO or CIO. It is important that all aspects of the business be included when creating a security steering committee or oversight committee.
-
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
The term “acceptable information system security risk” is the level of risk that a company is able to tolerate. This could mean that the impact of the risk would not adversely affect the company too much if the risk were to occur or the risk is deemed too unlikely to happen.
The level of the acceptable level of risk is determined by the senior management of the organization. They will determine the level of financial impact the organization is able to absorb and the probability of risk that the organization is willing to accept.
The acceptable level of risk of an organization is determined through conducting a risk analysis.
The steps of the risk analysis are:
1) System Characterization – Knowing what exactly in the organization is at risk
2) Threat Identification – Knowing what or who the threats are that could lead to the risk
3) Vulnerability Identification – Knowing the potential flaws that could lead to the threat
4) Control Analysis – Analyzing the controls that are implemented or could be implemented to reduce or eliminate the probability of risk
5) Likelihood Determination – Estimating the probability ratings of risks in defined terms such as low, medium and high.
6) Impact Analysis – Estimating the level of damage if the risk were to occur in defined terms such as low, medium and high.
7) Risk Determination – The level of risk can be determined using a risk-level matrix by multiplying the likelihood and impact ratings determined beforehand and defined in terms such as low, medium and high.
8) Control Recommendation – This is where the acceptable level of risk is determined. A cost-benefit analysis is conducted to determine if a control investment is worth the risk it could mitigate.
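The risk-determination step that several replies in this thread walk through (the 1.0/0.5/0.1 likelihood values and 100/50/10 impact values, the low/moderate/high scale, the worked “high likelihood × moderate impact = 50” computation, and the acceptance decision the authorizing official then makes) can be put into a small, checkable routine. The following is an added example, not code from any post here; it builds the full 3×3 risk-level matrix from those values and then applies the accept / mitigate / repeat-the-cycle decision against an acceptable level that management supplies. The dataclasses, the decision labels, and the handling of scores that land exactly on a band boundary (10 counts as low, 50 as moderate) are assumptions made for this example.

```python
"""Risk-level matrix and risk-treatment decision (added example).

Implements the likelihood x impact computation the replies describe, with
the numeric values quoted there. Boundary handling, dataclasses and the
decision labels are assumptions for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Values quoted in the replies: likelihood probability and impact magnitude.
LIKELIHOOD_VALUE = {"high": 1.0, "moderate": 0.5, "low": 0.1}
IMPACT_VALUE = {"high": 100, "moderate": 50, "low": 10}
RANK = {"low": 0, "moderate": 1, "high": 2}  # ordering used for comparisons


def risk_score(likelihood: str, impact: str) -> float:
    """Risk determination: score = likelihood rating x impact rating (1..100)."""
    # Rounded so 0.1 x 100 is exactly 10.0 and lands on the band edge predictably.
    return round(LIKELIHOOD_VALUE[likelihood] * IMPACT_VALUE[impact], 6)


def risk_rating(score: float) -> str:
    """Map a score onto the scale from the replies: low 1-10, moderate >10-50, high >50.

    Assumption: a score of exactly 10 is low and exactly 50 is moderate.
    """
    if score > 50:
        return "high"
    if score > 10:
        return "moderate"
    return "low"


def risk_matrix() -> dict[tuple[str, str], tuple[float, str]]:
    """All nine (likelihood, impact) cells with their score and rating."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_rating(risk_score(lik, imp)))
        for lik in LIKELIHOOD_VALUE
        for imp in IMPACT_VALUE
    }


@dataclass(frozen=True)
class Observation:
    """One finding from the assessment (hypothetical)."""
    name: str
    likelihood: str
    impact: str


@dataclass(frozen=True)
class Control:
    """A candidate safeguard and the ratings expected once it is in place."""
    name: str
    residual_likelihood: str
    residual_impact: str


def treatment_decision(obs: Observation, control: Control | None, acceptable: str) -> dict:
    """Accept, mitigate, or escalate against management's acceptable level.

    `acceptable` is the highest rating management tolerates. Inherent risk
    within it is accepted as-is; otherwise the residual risk after `control`
    is checked, and if that is still above the level the cycle repeats
    ("escalate") with further controls, as the replies describe.
    """
    inherent = risk_score(obs.likelihood, obs.impact)
    result = {"observation": obs.name, "inherent_score": inherent,
              "inherent_rating": risk_rating(inherent)}
    if RANK[result["inherent_rating"]] <= RANK[acceptable]:
        result["decision"] = "accept"
        return result
    if control is None:
        result["decision"] = "escalate"  # nothing proposed yet: back to control analysis
        return result
    residual = risk_score(control.residual_likelihood, control.residual_impact)
    result.update({"control": control.name, "residual_score": residual,
                   "residual_rating": risk_rating(residual)})
    within = RANK[result["residual_rating"]] <= RANK[acceptable]
    result["decision"] = "mitigate" if within else "escalate"
    return result


if __name__ == "__main__":
    # Constructed scenario in the spirit of the HDFC thread above.
    phishing = Observation("credential phishing against online banking", "high", "high")
    second_factor = Control("second-level authentication for online users", "low", "high")
    for cell, (score, rating) in risk_matrix().items():
        print(cell, score, rating)
    print(treatment_decision(phishing, second_factor, acceptable="low"))
```

Two things the matrix makes visible that the prose does not: only one of the nine cells is “high” (high × high), and a control that lowers likelihood from high to low leaves a high-impact finding sitting exactly on the low/moderate boundary, which is why the boundary rule has to be stated explicitly rather than left to floating-point luck.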
-
Question: What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine what is an acceptable level of risk?
Generally, the acceptable information system security risk includes two situations:
1. The information system security risks are initially at an acceptable level. For example, many employees may forget their user names or passwords and not be allowed to access their PCs. In this case, employees forgetting their passwords is a high-frequency, low-damage risk, and most information systems' existing processes allow employees to recover their passwords, so the risk is at an acceptable level.
2. The frequency and damage of the risks are mitigated to an acceptable level. For example, the firewall in front of core servers is a protective control that can prevent the core servers of an organization from being hacked. Moreover, with the assistance of corrective controls like backup systems and disaster recovery plans, the frequency and damage of risks are acceptable.
The head of the IT department or management like the CIO of the organization is usually the one who determines what is the acceptable level of information system risk.
To determine what is an acceptable level of risk, I think the decision maker should compare the cost of mitigating the risks with the potential damage the risks may cause. For example, if the company is a start-up, spending millions to build a top-level firewall is too expensive. In this case, the company can spend less money and build a backup system instead. Even if the attacks damage the servers, the backup system can ensure the business recovers in a short time. Since start-ups usually don’t have many valuable information assets, using corrective controls can mitigate the risks to an acceptable level.
-
The acceptable information system security risk is essentially the level of risk that an organization is willing to tolerate. It is impossible to prevent every risk, nor is it feasible to implement every possible control or risk prevention/mitigation. Therefore, it is necessary to allocate resources to the risks with the highest probability and/or the highest impact. Some risks may be extremely rare but have a high impact, so a company might decide to accept that risk because the probability is so low that resources are better spent elsewhere. Alternatively, a risk may have a high probability and very low impact, so controls/mitigation may either be less of a priority or not addressed.
Credit cards are an excellent example of the latter. Credit cards in Europe utilized the EMV chip for decades because it was more secure, while those in the US did not. Although effective at reducing fraud, many companies decided it would be more expensive to implement the technology than to absorb the current fraud. However, credit card fraud grew so prolific in recent years that the cost became too onerous and the chips were eventually implemented. Clearly the decision was made on the impact vs. risk mitigation costs.
The acceptable level of risk should be determined by management. This should include the CIO, IT security subject matter experts, legal and regulatory considerations, and the financial implications of impact and the cost to implement controls.
-
Paul,
This is a good explanation of acceptable risk level. Organizations will sometimes have to make the decision on how many controls will be needed to reduce their risk to an acceptable level. Like an example given in class, the chances of a thermonuclear war are very low, but if it happens then the impact would be devastating. There’s probably nothing that an organization could do to prevent the event from happening, but they can reduce the impact by, exaggerating of course, building a facility underground. The cost of such an endeavor may be too extreme for the company to handle, so they might simply choose to accept the risk based on the resources that they have available.
-
Brou,
Good way to put it: “when the cost of managing the risk outweigh the cost of handling the loss.” I would just like to add that, in the real world, attaining zero risk is impossible. But after risk avoidance controls are in place, the residual risk should be acceptable. There are different degrees of risk that consequently require degrees of safety.
-
The term “acceptable information system security risk” means that the risk to information system security is not of high enough importance for an organization to worry about. No organization is ever totally without risk, but there are steps that can be taken to establish an acceptable level of risk that can be properly mitigated.
Acceptable risk should be determined by management based on the business’s regulatory compliance and its business objectives. When determining risk, a business must measure the loss of revenue, unexpected costs or the incapability to carry on production that would be experienced if a risk actually occurred. Information security professionals need to serve as the transition between the threats and management.
-Identifying company assets.
-Ranking assets in order of priority
-Recognizing each asset’s potential vulnerabilities
-Calculating the risk for the known asset
Selecting countermeasures to mitigate the calculated risks and carrying out a cost-benefit analysis for these countermeasures are up to senior management, and from there they can decide how to treat each risk. -
The main aim of Risk Assessment is to help the decision-making process verify whether the risk has come to an acceptable level or not, and what measures can be taken to make it acceptable.
When the cost of risk is smaller than the mitigation cost, it is reasonable to accept the risk. In this case, however, the organization must be able to provide the rationale behind risk acceptance. In order to assess the level of risk, the organization must estimate and assess the likelihood and impact of occurrence.
The risk assessment process defines how to calculate the likelihood and impact –
1. Identifying Threats – identify business, environmental, natural threats
2. Identifying Vulnerabilities – Conduct vulnerability scans, penetration testing
3. Relating Threats to Vulnerabilities – Relate threats to the vulnerabilities
4. Defining Likelihood – It is the probability that a threat caused by a threat-source will occur against a vulnerability.
– Low – 0-25% chance of occurrence of risk
– Moderate – 26-75% chance of occurrence of risk
– High – 76-100% chance of occurrence of risk
5. Defining Impact – Impact can be defined in terms of confidentiality, availability and integrity and quantified in terms of low, moderate and high.
6. Assessing Risk – Draw a likelihood and impact matrix to determine risks and their level.
Typically, business managers, not IT security personnel, are the ones authorized to accept risk on behalf of an organization.
It depends upon the business what level of risk the business can tolerate. In general it can depend upon the following factors:
– Legal/Government rules
– Timeline to implement mitigation action
– Organizational policies, objectives
– Interest of stakeholders -
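The likelihood bands, the likelihood-and-impact matrix and the cost comparison described in the post above (and the eight-step analysis earlier in this thread) combined into one worked example. This is illustrative Python added here, not code from the course, from ISACA or from any of the commenters; the 1 to 3 ordinal ratings, the thresholds that bucket the matrix product, and the sample risk register figures are assumptions chosen for the example.

```python
"""Likelihood/impact risk matrix and a cost-based acceptance check.

Added illustration of the risk-analysis steps discussed in the thread.
The band boundaries follow the post (0-25% Low, 26-75% Moderate,
76-100% High); the 1..3 ordinal scores and the product thresholds are
assumptions chosen for this example, as are the sample register figures.
"""
from dataclasses import dataclass

RATING = {"Low": 1, "Moderate": 2, "High": 3}   # ordinal ratings used by the matrix


def likelihood_band(probability: float) -> str:
    """Map a probability of occurrence (0.0-1.0) to Low / Moderate / High."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    pct = probability * 100
    if pct <= 25:
        return "Low"
    if pct <= 75:
        return "Moderate"
    return "High"


def risk_level(likelihood: str, impact: str) -> str:
    """Risk-level matrix: multiply the two ordinal ratings and bucket the product.
    Possible products are 1, 2, 3, 4, 6, 9; assumed buckets:
    1-2 -> Low, 3-4 -> Moderate, 6-9 -> High."""
    product = RATING[likelihood] * RATING[impact]
    if product <= 2:
        return "Low"
    if product <= 4:
        return "Moderate"
    return "High"


@dataclass
class Risk:
    name: str
    probability: float       # annual probability that the threat exploits the vulnerability
    impact: str              # Low / Moderate / High, taken from the impact analysis
    loss_if_realized: float  # estimated monetary damage of one occurrence


@dataclass
class Recommendation:
    risk: str
    level: str
    expected_loss: float
    control_cost: float
    decision: str            # "accept" or "mitigate"
    rationale: str           # recorded so the acceptance can be justified later


def recommend(risk: Risk, control_cost: float) -> Recommendation:
    """Control-recommendation step: compare the expected annual loss with the
    cost of the control. Accepting the risk is reasonable when the cost of the
    risk is smaller than the cost of mitigating it; the rationale is always kept."""
    level = risk_level(likelihood_band(risk.probability), risk.impact)
    expected_loss = risk.probability * risk.loss_if_realized
    if expected_loss < control_cost:
        decision = "accept"
        rationale = (f"expected annual loss {expected_loss:,.0f} is below control cost "
                     f"{control_cost:,.0f}; {level} risk accepted by management")
    else:
        decision = "mitigate"
        rationale = (f"expected annual loss {expected_loss:,.0f} meets or exceeds control cost "
                     f"{control_cost:,.0f}; {level} risk requires treatment")
    return Recommendation(risk.name, level, expected_loss, control_cost, decision, rationale)


if __name__ == "__main__":
    # Constructed sample register: (risk, annual cost of the candidate control).
    register = [
        (Risk("Forgotten passwords", 0.9, "Low", 200.0), 50_000.0),
        (Risk("Core server compromise", 0.2, "High", 2_000_000.0), 150_000.0),
        (Risk("Regional flood at data centre", 0.02, "High", 5_000_000.0), 300_000.0),
    ]
    for risk, cost in register:
        rec = recommend(risk, cost)
        print(f"{rec.risk:32} {rec.level:9} {rec.decision:9} {rec.rationale}")
```

Running the block prints one line per register entry; the high-frequency, low-damage password case lands as an accepted risk, while the server compromise is flagged for treatment because its expected annual loss exceeds the control's cost. The matrix alone ranks both as Moderate, which is why the cost comparison is kept as a separate step.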
The term “Acceptable Information System Security Risk” outlines the information security risks and the level of exposure the company is willing to endure.
Management is responsible for identifying the risks and deciding what is an acceptable level because they know the operation of the business and the impact behind each function.
The level of business risk a company holds is dependent on an organization’s unique variables. Management will build a risk profile to determine what is an acceptable level of risk. This will help assign value to determine what mitigation techniques will be used and the amount of money that will be spent on the risks.
Two companies may perform similar operations, but the management of each company may set different risk levels for the operation. There is no right or wrong answer. It depends on management’s perceptions.
-
The term “acceptable information system security risk” reminds me of another term, “risk appetite”. Risk appetite is the amount of risk, on a comprehensive level, that an entity is willing to accept in pursuit of value. A risk that falls within the range of the “risk appetite” could be deemed an “acceptable information system security risk”, that is, the cost of implementing appropriate measures to reduce the risk outweighs the potential loss once the risk occurs.
The way to determine the acceptable level of risk is risk analysis; the steps for risk analysis are:
1. Control Analysis
2. Likelihood Analysis – to consider a threat source’s motivation and capability to exploit a vulnerability, the nature of the vulnerability, the existence of security controls, and the effectiveness of mitigating security controls
3. Impact Analysis – considering the impact to the systems, data, and the organization’s mission, and the criticality and sensitivity of the system and its data, to determine the impact level of the risk to a system
4. Risk Determination – to obtain the level of risk to the system and the organization based on the previous analysis by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact. -
Acceptable information system security risk is the level of risk that companies are willing to accept, depending on whether the impact on the company and the cost to fix it are low. It also has to do with the idea that the risk isn’t affecting their customers too much. The CIO and CEO determine the level of acceptable risk because 1) the CIO is in charge of IT and sets policies and procedures to mitigate any sort of risk and solutions to resolve system security occurrences, and 2) the CEO oversees the company as a whole, making sure the assets of the company are safe. Together these two can perform risk analysis to create strategies to determine what level of risk they are willing to accept through various methods such as a cost analysis. If a risk is low and has barely any impact on the company, they will accept it; if it’s too high, they try to find ways to bring it down to an acceptable level or create stronger policies to prevent it from affecting the company too much. They look at scenarios in which the probability of a certain event occurring is either low, moderate or high. If a risk is low-impact and doesn’t require much to fix, the organization will accept the risk and won’t worry too much about it. But at moderate and high levels, they tend to look at it more closely and figure out what ways they can use to mitigate or eliminate it.
-
Paul, you make a great point. It’s good to include stakeholders and get their ideas on what is an acceptable level of risk by utilizing a steering committee. The CIO/CISO are major players in this because they can give more informative and closer insight since they deal with the systems on a daily basis, and the CEO is another major player because the CEO oversees the company and how costly some risks can be for the organization.
-
My weekly news post is about a video that relates to the Wells Fargo fraud. As we talked about last week, Wells Fargo was fined $190 million because of 1.5 million fake accounts created by a multitude of employees. Out of the $190 million fine, only $5 million will go to the victims.
The company fired more than 5,000 employees and said they will invest in training and improve their controls. The outrageous thing is that nobody is going to jail. A fraud has been committed and no one is being held responsible for it. This kind of fraud should result in up to 15 years in prison.
Plus, the fine represents only 3% of Wells Fargo revenue ($5.6 billion) in the second quarter of 2016. The government should be stricter, otherwise other banks will do the same knowing the punishment won’t be hard.
https://www.facebook.com/BenSwannRealityCheck/videos/1205025702895711/
-
I agree that two similar companies may have different risk management practices, and there is no one superior strategy. However, there are some risk management practices that provide an excellent framework/guidelines. For example, transferring risk, or purchasing insurance, is sometimes not advisable unless there are regulatory requirements to consider. A risk that has a high probability and low impact should not be insured, but rather retained by the company. Insurance is generally not a good risk management practice for low-impact risks, regardless of frequency. However, a company may decide that it does not want to retain the risk and would rather have predictability. In this example, insurance would not be a good choice. However, different companies may pursue diverging risk mitigation practices with positive results.
-
I totally agree with your opinion, Deepali. From a decision maker’s perspective, balancing the cost of the risk and the cost of governing the risk is very important. For example, a risk with high frequency and high damage should be handled first. Management of an organization should also consider its specific circumstances to decide which is the best way to mitigate the risks.
-
Yes, I also think the organization can mitigate the impact even if it might not prevent the risk from happening. Compared with preventive controls, I think corrective controls like backup systems and disaster recovery plans also have an important position in mitigating the risk. If an organization is a start-up, it might not need to invest millions in building a top-level firewall, but an available backup system can fit what it needs.
-
Great post, Ming Hu. You brought up a good point about Risk Appetite. I read about it in detail:
An organization should consider risk appetite at the time of aligning organizational goals.
To determine risk appetite, the following steps should be taken:
1. Develop risk appetite
2. Communicate risk appetite
3. Monitor and update risk appetite
However, there are 2 important aspects:
(1) articulating risk appetite is too difficult
(2) communicating risk appetite does not contribute to the growth of the organization.
However, the costs to manage risk sometimes outweigh the main objective of the business. Determining risk appetite is an element of good governance that managements and boards owe to stakeholders. -
Hi Priya,
Thanks for giving a great explanation of how an organization assesses risk and verifies whether the risk is acceptable or not. Actually, to assess risk, an organization can create a Sample Risk Management Table including risk description, impact, likelihood, risk management strategy, cost, and residual risk after implementing the risk management strategy, so that they can determine the level of risk they are able to accept or tolerate. -
Ming, great answer. I have heard it referred to as Risk Appetite as well. I think a company’s Risk Appetite is also affected by Company Culture. Some companies are by design riskier than others and vice versa. That is because many companies survive off taking risks because it is the nature of their business. For example, Life Insurance companies often take high risks because it is necessary in that field.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
-
An information risk profile is an evaluation of the types, amounts and priority of information risk that an organization finds acceptable and unacceptable (risk appetite).
Organizations use a risk profile as a way to mitigate potential risks and threats.
An information risk profile is critical to the success of an organization’s information risk management strategy and activities because it provides valuable insights into an organization’s information risk appetite and expectations for information risk management.
-
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
An information risk profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization. It is used to manage and apprehend risks in the organization.
Plus, the risk profile is critical to the success of an organization’s risk management strategies and activities because it is the tool that the organization uses to benchmark the different risks it can face. Knowing what it can accept or not allows the organization to develop appropriate strategies.
-
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
An information risk profile records different kinds of information risks based on their types, amounts and priority, which measures the amount of risk that an organization wants to accept. The elements of this profile include many different kinds of opinions from stakeholders related to the organization.
An information risk profile should include guiding principles because they provide accurate information and help evaluate threats, vulnerabilities and risks to an organization. It helps the organization manage and mitigate risks to reduce the possibilities of all kinds of risks.
It is critical to the business because it helps the organization reduce the possibilities of risks. It also allows decision makers to make decisions. In addition, the organization also analyzes the acceptability of risks. -
An information risk profile documents the types, amounts and priority of information risk that an organization finds acceptable or unacceptable. It is a quantitative analysis of the types of threats to an organization.
This profile should include guiding principles aligned with both its strategic directive and supporting activities. It is developed by stakeholders throughout the organization, including leaders, data and process owners and enterprise risk management. The information risk profile should include the organization’s data classification schema and a summary of the control requirements and objectives associated with it.
Risk profiling is an important tool for the investment process. Decision makers in a company can refer to the information risk profile developed and endorsed by the organization’s business leaders. The profile provides important insights and guidelines associated with information risk identification and management.
-
Very well explained Brou. I would like to add an example to this.
If a drug company does not properly test its new treatment through the proper channels, it may harm the public and lead to legal and monetary damages. Failing to minimize risk could also leave the company exposed to a falling stock price, lower revenues, a negative public image and potential bankruptcy.
-
Shahla, since you brought up the topic of investment, I want to point out that organizations should be careful about over-relying on risk-profiling tools because in a banking system, for example, they only assess a client’s attitude to risk and capacity for loss. By only using this approach, advisers could be failing to take into account clients’ overall investment objectives or other key factors that also need to be considered.
I think organizations overall shouldn’t over rely on risk profile although it is a crucial step in managing risk.
-
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
According to ISACA, an information risk profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent. Common guiding principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.
An information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.
-
Definition: Information risk profile is an evaluation of organization’s willingness (usually rated in high, moderate and low) to take risks, as well as the threats to which an organization is exposed.
How to use: A risk profile is important for determining a proper investment asset allocation for a portfolio. Organizations use a risk profile as a way to mitigate potential risks and threats.
Why it is critical: according to ISACA’s article, an information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.
-
What is an information risk profile?
An information risk profile records different categories of risks depending on their types, amounts, and priority, and the organization will classify the acceptable and the unacceptable.
How is it used?
The information risk profile provides important insights and guidelines associated with information risk identification and management. The ERM function can leverage the information provided by the profile as it calculates the overall enterprise risk and develops control objectives and management practices to effectively monitor and manage it.
Why is it critical to the success of an organization’s risk management strategies and activities?
In my opinion, the information risk profile is critical because it reduces the friction between decision makers and IRMS, and helps the information risk and security professionals and other related programs to be confident in their alignment with business requirements and expectations.
Friction exists between decision makers and information risk management security (IRMS) because of misunderstanding of each other’s activities and motives. The appearance of the information risk profile can reduce the friction, as it is mutually developed, and both IRMS and decision makers can use it to guide their respective activities.
It provides valuable insights into an organization’s information risk appetite and expectations for information risk management, so that the information risk and security professionals and other related programs can be confident in their alignment with business requirements and expectations. -
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
According to ISACA, an information risk profile is a quantitative analysis that documents types, amount and priority of information risks that an organization finds acceptable and unacceptable.
An organization’s information risk profile should be structured and formatted in a fashion that quickly demonstrates its value and intent to the organization, is easily understood and applicable to the organization as a whole, and is viewed as useful and beneficial to its leaders and stakeholders. The following can be useful in meeting these goals.
How it’s used:
Guiding Principles and Strategic Directives
An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile to allow the reader to understand its context and intent.
Common guiding principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.
Why critical?
An information risk profile is critical to the success of an organization’s information risk management strategy and activities. It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations.
-
What is an information risk profile?
– An information risk profile is a quantitative analysis that documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization.
How is it used?
– An organization’s information risk profile should include guiding principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities.
– Also, transparency is a key aspect to the success and adoption of an information risk profile.
– The information risk profile should include a current-state analysis of identified information risk factors that have a reasonably high probability of occurrence and would represent a material impact to business operations if realized. The current-state representation should also include the organization’s IRM views, expectations and requirements.
– The information risk profile should include the organization’s data classification schema and a summary of the control requirements and objectives associated with it.
Why is it critical to the success of an organization’s risk management strategies and activities?
– It provides valuable insights into an organization’s information risk appetite and expectations for information risk management. Information risk and security professionals and programs that effectively leverage this information in their actions and activities can be confident in their alignment with business requirements and expectations. -
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
The information risk profile of an organization is produced in collaboration with various stakeholders in the organization. The list of stakeholders can include, business leaders, internal and external audit, legal team, enterprise risk management, compliance team, process owners, etc.
An organization may choose to mark a specific risk acceptable and unacceptable, which is decided using the types, amounts and priority of information risk, and is documented in the information risk profile.
It ensures availability of key business processes. It also identifies and evaluates threats and vulnerabilities, which is crucial in making informed risk management decisions by the business leaders and the process owners. It is important that proper risk-mitigating controls are implemented and are also functioning properly.
-
2. What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
The business and the Information Risk Management Security professionals disagree about the risk factors because the business believes in taking risk to achieve its business activity, while the IRMS professionals try to mitigate the risks and ensure that their organization’s information infrastructure and assets are protected properly. The best method to reduce the tension is to mutually develop and maintain an information risk profile that they both can use as a guide.
The information risk profile contains both acceptable and unacceptable risks, i.e., their type, amount and priority. It should demonstrate its value and intent to the organization, be beneficial to the leaders and stakeholders and be easily understandable.
The risk profile provides a base for the business leaders to consider the risks and adjust the organization’s risk profile to the business objective by modifying the requirements. This way both the IRMS and business leaders work together to align with the organization’s information risk management expectations.
Source: http://www.isaca.org/Journal/archives/2013/Volume-4/Documents/13v4-Key-Elements.pdf
-
An Information Risk Profile is a description of the overall IT risk to which the enterprise is exposed (Risk IT Framework p. 101). The Risk Profile will identify how much value / loss is associated with the risks accepted by the organization.
The Risk Profile is an important document because it outlines the valuable assets of an organization, defines the risks that may hinder the business’s assets, determines the risks management is willing to accept, and the expectations for mitigating the risks. Accurately outlining the values and risks will enable organizational leaders to manage information risk.
-
As per ISACA’s Risk IT Framework, the risk profile of the enterprise is the overall portfolio of identified risks to which the enterprise is exposed. The risk profile gives a picture of:
• the key business processes, associated data and capabilities and the type of risk the process is exposed to
• accurate identification and evaluation of threats, vulnerabilities and their associated risk
• information on risk-mitigating controls already in place and whether they are functioning as per the organization’s acceptable risk levels
The Information Risk profile helps business leaders and process owners to make informed risk management decisions. It communicates whether the funds and resources available are utilized effectively to best mitigate risks in a way that the risk posed is within the company’s acceptable risk threshold. It also serves as a brief risk response plan and helps in planning and tracking risk mitigation activities. -
The information risk profile is the portfolio of all the identified IT risk that the enterprise is exposed to.
This is really important since it weighs the impact of the IT investments a company can make. This allows executives to make decisions based on the likelihood of success and the perils of failure. The goal of the decisions is to reduce the overall risk facing the company. Risks can be chosen to be accepted, mitigated, offset, or removed.
-
What is an information risk profile? How is it used? Why is it critical to the success of an organization’s risk management strategies and activities?
In the article, “Key Elements of an Information Risk Profile”, Isaca defines an information risk profile as: “An information Risk Profile documents the types, amounts and priority of information risk that an organization finds acceptable and unacceptable. This profile is developed collaboratively with numerous stakeholders throughout the organization, including business leaders, data and process owners, enterprise risk management, internal and external audit, legal, compliance, privacy, and IRMS.”
An information risk profile is critical to the success of an organization’s information risk management strategy and activities. A risk profile is often used when it comes to making decisions, developing, and/or creating an asset allocation portfolio. It is used as a guide to minimize risk and achieve business goals. Organizations tend to use the valuable insights that come from analyzing an organization’s risk profile, specifically information risk appetite and expectations for information risk management, to mitigate potential risks and threats. An information risk profile is needed because organizations identify and embrace risk to achieve business goals.
-
Well explained Alexandra!
I would also like to add that the risk profile will help the organization determine the priority of IT requirements.
It also serves as a plan to manage risks, target spending, and prepare for impacts. This is a proactive means of handling risk. -
Hi Abhay,
I have never thought of the stakeholders who should participate in determining the risk profile. This is a great and clear list. Each of them has different responsibilities in determining the types, amount and priority of information risk. Many companies hire independent auditors to help discover any risks, so they can be properly addressed before they become external issues.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
What is meant by the term “acceptable information system security risk”? Who within the organization determines what is the acceptable level of information system risk? How does an organization determine wha […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
-
How would you go about creating an information risk profile for a small start-up business? Describe what the risk profile for the business would contain? How should the business use the risk profile?
Principles and directives to create risk profile:
An organization’s information risk profile should include principles aligned with both its strategic directives and the supporting activities of its IRMS program and capabilities. This information should be listed early in the profile. Principles include the following:
• Ensure availability of key business processes including associated data and capabilities.
• Provide accurate identification and evaluation of threats, vulnerabilities and their associated risk to allow business leaders and process owners to make informed risk management decisions.
• Ensure that appropriate risk-mitigating controls are implemented and functioning properly and align with the organization’s established risk tolerances.
• Ensure that funding and resources are allocated efficiently to ensure the highest level of information risk mitigation.
The risk profile for the business would contain the following:
• Key risk areas (e.g., strategic, operational, project)
• Strengths and weaknesses of the department/agency
• Major opportunities and threats
• Risk tolerance levels
• Capacity to manage risks
• Learning needs and tools
• The organization’s risk tolerance, priority setting and ability to mitigate risks
• Linkages between different levels of risks (e.g., operational and overall departmental priorities, business and program risks, sector specific and department-wide)
• Linkages with management processes of the department
The business can use the risk profile:
• To identify potential risk areas and work on them.
• To classify the data (confidential, proprietary and internal use only, public)
• To identify the key business processes and capabilities which, if impacted negatively, can cause a material impact to the operations.
• To identify stakeholders who are important in making risk management decisions.
• All this information, if combined and effectively leveraged, can be used in aligning business requirements with the expectations. -
I agree with you. The small corporation uses the risk profile and should focus on these aspects:
• key external influences on your business, e.g. political, social, legal
• key internal influences, e.g. organisational objectives
• risk management context, e.g. risk management requirements, objectives, timeframes -
I would go about creating the information risk profile by conducting interviews with owners / employees to understand:
1. What the business does
2. How it sustains a competitive advantage
3. Resources utilized to sustain the competitive advantage
4. What would happen if one or all of the resources were compromised?
The information gathering sessions with owners / employees will help assign a value to each IT resource. The value assigned will give us a starting point to budget for the risk-mitigation solutions.
The risk profile would include ISACA’s Key Elements of an Information Risk Profile, which gives a few options I would include on structuring an effective Risk Profile:
1. Guiding Principles and Strategic Directives
This information discloses the key business processes, identifies the risk and evaluations of threats, risk-mitigating controls, and budget for risk-mitigation.
2. Information Risk Profile Development
Information on how the profile was created. Will reference those included in developing the Risk Profile
3. Business-State Representation of Information Risk
The Business-State Representation is the current-state of the IT environment. The information will outline the risks with a reasonably high probability of occurring.
4. Future-State Objectives and Requirements
The Future-State identifies the organization’s ideal state of IT risk management and tolerance. The information will show the procedures in progress, a summary, timelines, and the expected level of risk reduction.
5. Key Business Processes & Capabilities
A list of key business processes and capabilities which could severely impact the organization, and the risks for each process.
6. Key Data Elements
The Key Data Elements often include intellectual property, financial data, customer data, and other sensitive data assets.
7. Identification of Data Owners & Stakeholders
This information is used to assign ownership to company data. Assigning ownership provides key duties and responsibilities for each manager, and helps evaluate the solution.
8. Identification of Business Value
The Business value is a perception of what a company’s data is worth. The general rule is, securing the information should never cost more than the value of the information.
9. Data Classification Schema
This Schema categorizes the control objectives and requirements on data-handling. It should be simple and easy to understand for management’s review.
10. Risk Levels and Categories
The Risk Levels & Categories place each risk into separate levels and/or categories to provide a scale representing the business impact for each risk. Risk Levels are broken up into the standard: High, Medium, Low. Risk Categories are broken up into Confidentiality, Integrity, Availability.
The business should use the Risk Profile to understand the risks associated with the critical business functions, the value of the critical functions, the severity of the risks, how you plan on mitigating the risks, and who will be responsible for the risk. It should be used as a guide and should be evaluated to determine the success and whether its risk aversion solutions are cost effective.
-
Great explanation Deepali and I completely agree with your suggestions. The data obtained through the risk identification process makes it possible to create a risk profile and then prioritize the various risks and profile categories. The profile exposes the gaps in a company’s ability to manage its risk across the spectrum of potential exposures such as legal, political, economic, social, technological, environmental, reputational, cultural, and marketing. Ranking in this situation shows the comparative importance of the risk, including the probability of threats and vulnerability and the probable business impact.
-
Right Magaly. Based on the ranking we can define the impact of the risk such that:
Catastrophic, Major, Moderate, Minor and Negligible.
On the above identification we can make a decision on its safeguard procedures and mitigation plan.
-
Deepali, thanks for sharing.
I think you have a very good list of principles and directives to create a risk profile for a small start-up company, what the risk profile for the business contains, and the purpose of the risk profile, including what it is for. In order to have an efficient risk profile, I would suggest scheduling appointments with employers to go over the background of the company to have a better understanding of the organization’s environment.
-
Great answer Deepali. As we are talking about startups, there will be two major factors that the company has to keep account of: one is expenditure on risk mitigation and two is establishing a security framework.
The risk profile will help the startup understand the picture from a broader perspective and help management in creating awareness.
Generally startups have budgeting issues and they will need to understand the tolerance level and determine how to prioritize risk handling.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
-
The article I read is about the rising tension between China and the US and what the cybersecurity front had to do with this. From the US’s perspective, China is the “leading suspect” in the largest breach of government-held personal data in US history, stealing 22 million people’s data from the US Office of Personnel Management (OPM). The article goes into how the US pushes back harder against cyber theft of company data and trade secrets.
“It is far more firm and that’s the line that the U.S. is trying to draw — ‘It’s okay to spy on governments, everybody does that. It’s not okay to spy on company secrets’,” Washington Post Beijing bureau chief Simon Denyer tells me in the latest episode of CNN’s “On China.”
Companies, across all industries, are often targeted for trade secrets, business plans, marketing plans, product design, scheduled releases, etc. Chinese, US, and many of the world’s countries have companies that are also targeted. Apparently a set of world “road rules” is a lofty goal and a US/China cyber agreement is not likely anytime soon.
http://www.cnn.com/2015/08/26/asia/china-cybersecurity-stout/index.html
-
The article I found is about the danger of the apps we download on our phones and how they can be the source of data leakage. This article is specifically related to Android users and the fact that unofficial apps downloaded from third parties can have spyware which gathers users’ contacts; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory and more.
The spyware can cause long-term damage by giving other people access to users’ online accounts, bank information and more.
Users should be aware of these malicious apps and act accordingly.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Synopsis of “Microsoft Patches Zero-Day Flaw Used by Malvertising Gangs”
The software giant, Microsoft, has once again found itself in the news about its software vulnerabilities and delayed response to patching up the vulnerabilities in its software, like IE versions 9 to 11, Office, Exchange Server and more.
The article specifically talks about a zero-day vulnerability that was exploited by a malvertising firm for over two years. The significance of this event was that it was a non-critical or low-level bug, but threat actors were able to exploit it and use it to serve malvertising campaigns to over 5 million users a day. Malvertising is the use of internet advertisements to spread malware. The vulnerability existed in Microsoft Internet Explorer/Edge and the attackers used steganography, hiding attack code in plain sight like an image file, to spread the malware.
So if you are a Windows user, please make sure you run your updates.
Source: http://www.databreachtoday.com/microsoft-patches-zero-day-flaw-used-by-malvertising-gangs-a-9398
-
New regulation proposed by the Governor to protect New York State from Cyberattacks:
The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. This forces the financial services industry to have an obligation to protect its customers and to have necessary safety measures and its system to be up to date and have sufficient protection.
The regulated entities will be held responsible and must certify compliance annually with this regulation.
Source: http://www.securitymagazine.com/articles/87438-new-york-proposes-cybersecurity-regulations-for-banks
-
Seagate faced with class-action lawsuit following whaling scam
According to the article found on IT Governance USA’s webpage, Seagate, the computer hardware manufacturer, is now facing a class-action lawsuit due to a “whaling scam”. The article states that over 10,000 employees of the company had information leaked which included W-2 forms and personally identifiable information (PII). As most of us know, PII is information that can be tied to a specific individual, and W-2s include information such as Name, Social Security Number, and Address. However, how the information was leaked is very interesting. Again, as most of us know, a phishing scam is when a “bad guy” tries to obtain sensitive information from another individual through deception. Very similar to a phishing scam is a whaling scam, which is a phishing scam directly targeted at high level officials. In the case of Seagate, the whaling scam was targeted at the CEO, who believed the email was legitimate and provided the requested W-2 forms of his 10,000 subordinates. This is a clear cut example of why education and training to identify phishing scams is highly important even to someone like the CEO. While the incident happened earlier in the year, the employees are now seeking legal matters to remediate the negligence of the CEO.
Article: http://www.itgovernanceusa.com/blog/seagate-faced-with-class-action-lawsuit-following-whaling-scam/
-
News: “Data-Stealing Malicious Apps Found in Google Play Store.”
According to this article, people today usually underestimate the impact of malicious apps on smartphones, which have the potential to steal users’ personal information, including sensitive data like passwords and credit card numbers. Researchers from Lookout’s Security Research and Response team identified four apps available in Google’s app store that can steal huge amounts of personal data from their users. The data includes the users’ contacts, phone number, email address, and the network ID. The researchers also point out that unofficial Android apps usually have potential safety risks. Smartphone users should notice that and keep in mind that not only PCs have malicious software and data leak problems; smartphones today also need to be protected, or attackers can easily steal personal identity information through those unknown apps.
Source: http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
https://www.cnet.com/roadshow/news/ford-could-replace-your-key-fob-with-radio-button-passcodes/
This article addresses vehicle theft and how wireless keys aren’t secure enough to prevent a car from being stolen. Ford’s idea is to add an extra layer of security to get the car into gear by using random user-designed codes. It allows the owner of the car to create a sequence of codes, so it can include the brakes, radio button, etc. It’s a great idea to add this extra set of security and, as the report says, we may not see it in place ever, but it’s certainly worth a look. It’s harder to guess the sequence than it is to copy a wireless key fob.
-
“cyber-breach of government data is often regarded as fair game.”
This statement made me boil a bit. They should say that to the 22 million previous, current, and prospective federal employees who had ALL of their information compromised (financial records, fingerprints, SSN, medical records). Basically their whole lives were in the data that was hacked from OPM. It is not OKAY to say it’s okay to steal government data when it affects its citizens. A good number of that personal information is for high ranking military and federal employees and could be used for who knows what. They should do more to protect its information rather than saying it’s ok.
-
The article I read this week was titled “Amazon Implements Password Reset after Credentials Leaked Online.” This article talked about how recently a couple of websites leaked customer email addresses and passwords online. So Amazon sent emails to Amazon customers to let them reset their passwords. The reason is that password re-use is rampant, and a customer may use the same password for all their different online accounts. Amazon said that they take their customers’ security and privacy seriously, even though the leaked list of email addresses and passwords was not Amazon-related. Amazon resent a temporary password to the Amazon accounts of those whose email addresses and passwords were on the list online.
The article also introduced a way to set a password, because the longer and more complex the password, the safer it will be, according to Darran Rolls, CTO at SailPoint. One example from the article, “Mary had a little lamb its fleece was white as snow 987654”, becomes “MhalLifwwaS98754”. In addition, the password should be a minimum of 12 characters and it should avoid using dictionary words.
I think Amazon did a great job because: 1) it helped its customers keep their accounts safe; 2) it wins customer satisfaction; 3) it prevents Amazon accounts from being leaked and stolen by hackers, so it avoids trouble itself. Amazon managed the risk well and reduced the possibilities of risks.
Source from: http://www.infosecurity-magazine.com/news/amazon-implements-password-reset/
-
In addition, Temple requires everyone to reset their password every 6 months (I guess), and the requirement for that is:
Your password must contain:
• One uppercase letter
• One lowercase letter
• One number
• 8 to 15 characters long
So the example will be TUowlsr#1
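As an added example (not code from either article or from Temple’s systems), the following Python checker applies the two sets of rules quoted in this thread, the article’s guidance (at least 12 characters, no dictionary words) and the university requirement listed above, to the sample passwords from the posts. The word list is a small constructed stand-in for a real dictionary, and both policy objects are my own encoding of the rules as stated.

```python
"""Check candidate passwords against the two policies quoted in the thread.

Added example, not from the articles or from any university system. The
dictionary below is constructed for illustration only; a real checker
would load a full wordlist.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed mini-dictionary standing in for a real wordlist (assumption).
DICTIONARY_WORDS = {"mary", "lamb", "fleece", "snow", "owls", "white", "little", "temple"}


@dataclass
class Policy:
    name: str
    min_len: int
    max_len: Optional[int] = None        # None means no upper bound
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    forbid_dictionary_words: bool = False
    min_dictionary_word_len: int = 4     # ignore short words like "a" or "it"


# Policy 1: the guidance attributed to the SailPoint CTO in the Amazon article
# (minimum 12 characters, avoid dictionary words; character classes assumed).
ARTICLE_GUIDANCE = Policy("article guidance", min_len=12, forbid_dictionary_words=True)

# Policy 2: the university requirement listed in the reply above
# (one uppercase, one lowercase, one number, 8 to 15 characters).
TEMPLE_POLICY = Policy("Temple policy", min_len=8, max_len=15)


def contains_dictionary_word(password: str, words=DICTIONARY_WORDS, min_len: int = 4) -> List[str]:
    """Return the dictionary words (of at least min_len letters) found inside the password."""
    lowered = password.lower()
    return [w for w in words if len(w) >= min_len and w in lowered]


def check_password(password: str, policy: Policy) -> List[str]:
    """Return the list of rules the password violates; an empty list means it passes."""
    failures = []
    if len(password) < policy.min_len:
        failures.append(f"shorter than {policy.min_len} characters")
    if policy.max_len is not None and len(password) > policy.max_len:
        failures.append(f"longer than {policy.max_len} characters")
    if policy.require_upper and not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if policy.require_lower and not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if policy.require_digit and not re.search(r"[0-9]", password):
        failures.append("no digit")
    if policy.forbid_dictionary_words:
        hits = contains_dictionary_word(password, min_len=policy.min_dictionary_word_len)
        if hits:
            failures.append("contains dictionary word(s): " + ", ".join(sorted(hits)))
    return failures


def evaluate(password: str, policies=(ARTICLE_GUIDANCE, TEMPLE_POLICY)) -> dict:
    """Map each policy name to the failures the password has under that policy."""
    return {p.name: check_password(password, p) for p in policies}


if __name__ == "__main__":
    # The two sample passwords from the posts, plus a weak constructed one.
    for pw in ("MhalLifwwaS98754", "TUowlsr#1", "Mary1234"):
        print(pw, evaluate(pw))
```

Running it shows the two policies pull in different directions: the article’s 16-character mnemonic example passes the article guidance but exceeds the university’s 15-character maximum, while the 9-character university example passes the university policy but fails the article guidance on length and on containing the word “owls”.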
-
Data-Stealing Malicious Apps Found in Google Play Store
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
Researchers from Lookout’s Security Research & Response team identified a piece of spyware hiding in four apps available in Google’s official app store. The spyware has been dubbed Overseer, and is capable of stealing “significant amounts” of personal data from users.
The spyware will lead to long-term damage through giving other people access to users’ online accounts, bank information and personal information. This may lead to crime. -
Great article Alex!
I just read it, and wow I am definitely going to be taking this into account when I download apps. You can reduce your risk of downloading an outright malicious app to almost zero by acquiring apps only from your operating system maker’s app store.
-
Alex,
One issue with Android phones and Google software is that it is “open source”, which means the code is made public and can be modified by anyone. This means a person can create a “flashlight” app for Android and hide malicious code within the application, and you would never know.
This is why Apple is so successful at security with their apps because a developer must submit the code to Apple for verification and approval. The Google process is much less restrictive.
-
Cry Ransomware uses UDP, Google Maps, Imgur
A ransomware dubbed Cry pretends to come from The Central Security Treatment Organization (CSTO), a fake organization. It encrypts a victim’s files and then appends the .cry extension to encrypted files, claiming a ransom of 1.1 bitcoins ($625) to access them. What is unique in this new threat is the ability to track the victim using the Google Maps API and nearby wireless SSIDs. It also collects information like the victim’s Windows version, installed service pack, Windows bit-type, username, computer name, and CPU type, then sends these details via UDP to 4096 different IP addresses to reach the C2 (command and control) server, and hosts this information on public sites like Imgur.com and Pastee.org.
The victim’s information is uploaded along with a list of encrypted files to public sites by compiling all details in a fake PNG image file and the ransomware broadcasts the filename over UDP to inform the C&C server.
The malware was also observed creating a backup of certain shortcuts on the victim’s desktop and saving them in a folder called old_shortcuts, though the purpose of this folder is yet unknown.
The attack also uses vssadmin delete shadows to delete shadow files. It also posts ransom notes on the victim’s computer displaying a unique ID and payment information for a Tor site.
The attack also has a feature where the victim can communicate with the malware to get a sample of decrypted files, so that they trust it enough to pay the amount to decrypt all their files.
In some cases, they were unable to decrypt files and hence victims are advised not to pay. -
Russian Hackers Leak Simone Biles, Serena Williams Medical Records
A Russian APT group known as Fancy Bear has leaked confidential medical information for US Olympic gymnastics star Simone Biles as well as Serena Williams.
The documents don’t show that the athletes “doped”. They do suggest Biles has ADHD and takes medication for that, and that Williams was treated with corticosteroids for injuries.
I think all athletes will use some sort of medicine to help them. But it is hard to define which medicines absolutely need to be restricted. Russian athletes were all denied entry to the Rio Olympics because of “doping”. However, I don’t think all of them were doped. It was a great pity that they didn’t compete at all.
The U.S. Anti-Doping Agency explained regarding the documents, “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field”. I am not familiar with medicines but I hope athletes can compete without using any kind of medicine in order to make the competition fair.
Fancy Bear also indicated that it will release confidential records from other national Olympic teams.
Links: http://www.infosecurity-magazine.com/news/russian-hackers-leak-simone-biles/
-
My weekly news post is about a video that relates to the Wells Fargo fraud. As we talked about last week, Wells Fargo was fined $190 million because of 1.5 million fake accounts created by a multitude of employees. Out of the $190 million fine only $5 million will go to the victims.
The company fired more than 5,000 employees and said they will invest in training and improve their controls. The outrageous thing is that nobody is going to jail. A fraud has been committed and no one is being held responsible for it. This kind of fraud should result in up to 15 years in prison.
Plus, the fine represents only 3% of Wells Fargo’s revenue ($5.6 billion) in the second quarter of 2016. The government should be stricter, otherwise other banks will do the same knowing the punishment won’t be hard.
https://www.facebook.com/BenSwannRealityCheck/videos/1205025702895711/
-
Right! I don’t know how they are saying that it is just accepted that government data is “fair game”. A couple of years ago, I would have guessed that government data would have been harder to steal than corporate company data. It doesn’t make sense that it is not, because the government should have the best security, technology, infrastructure, etc.
-
This is interesting. I know Apple has more of a process for getting apps “accepted” into their app store. I wonder if it is largely due to security reasons. Stories like this may cause Android’s app approval process to become more of a process. Very interesting article.
-
http://www.technewsworld.com/story/83866.html
The article I read goes into detail about how the FBI has begun investigations into the cyberattacks on the electronic election infrastructures in Illinois and Arizona. The first attack in June led to the illegal download of personal information of 200,000 Illinois voters. However, in this second attack, hackers were able to penetrate the systems in Arizona but failed to download voter information.
The article goes into further explanation, stating that the vulnerabilities within voter registration have been an issue for years. Secretary of Homeland Security Jeh Johnson hosted a conference call with top state election officials to discuss the cybersecurity issue and the need to protect voting infrastructures.
“DHS has planned to launch a Voting Infrastructure Cybersecurity Action Campaign, Johnson said during the call, enlisting experts of all levels from the government and private sector”. -
It’s a really useful article, because I’m a Windows user. Indeed, IE usually shows a lot of internet advertisements, and sometimes I have misclicked an image and gone to another page or downloaded unknown software. But actually, I didn’t update my IE; instead, I use other browsers like Google Chrome or Firefox.
-
Drone hacking Threat
Insurance giant Allianz has warned that the increasing volume of drones in the sky can lead to cyber security threats, potentially resulting in loss of life.
Unmanned aircraft systems (UAS) are expanding rapidly from their original use in the military and are set to become part of a multi-billion-dollar business.
The prospect is that hackers may take remote control of a drone, “causing a crash in the air or on the ground resulting in material damage and loss of life.”
The term ‘spoofing’ refers to attempts to take control of a UAS via hacking the radio signal and sending commands to the aircraft from another control station. This is a very real risk for UAS since they are controlled by radio or Wi-Fi signals. Companies which claim to sell devices to specifically bring down or take control of UAS can be found online.
There’s also a risk of data loss from the UAS if a hacker manages to intercept the signal, or hack the company gathering the data.
-
The article I read and would like to share with the class is about the US government mistakenly granting citizenship to 800 immigrants from countries of concern to national security or with high rates of immigration fraud. It was found that the immigrants had used different names or birthdates to apply for citizenship and these discrepancies weren’t caught as the immigrant’s biometric information was missing from the government databases.
The gap was due to older paper-based records never being linked to the fingerprint databases. The US government has known about this information gap since at least 2008, when 206 immigrants were identified who had used different biographical information to apply for citizenship.
Granting citizenship mistakenly to someone who has been deported has severe implications, as US citizens can apply for and receive security clearances and be employed in security-sensitive jobs. There have been multiple such cases where a number of such immigrant-turned-citizens have obtained aviation licenses or transportation worker credentials, and one is also a law enforcement officer. The auditors have recommended that all of the outstanding cases be reviewed and their biometric information be added to the government’s database, besides creating a system to evaluate each of the cases of immigrants who were improperly granted citizenship. The DHS has accepted the recommendations and stated that the agency is in the process of implementing the required changes. -
Tech giants team up to improve internet security
Major tech companies such as Twitter, Dropbox and Uber have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve internet security. VSA’s goal is to streamline the evaluation process for vendors through a standardized cyber security evaluation to assess security and compliance practices. The evaluation includes a questionnaire, updated yearly, to determine if a vendor has all the appropriate security controls in place. The questionnaire will be evaluated, audited and scored by an independent third party auditor. The vendors who participate in this evaluation will receive a score rating measuring their cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management. The vendors can then use their score when seeking to offer their services to any business in the VSA without having to go through further audits.
http://www.securityweek.com/tech-giants-team-improve-internet-security
-
The article I read is about malicious apps that exist on the Google app store. Researchers from Lookout Security identified a piece of spyware hiding in four apps available in Google’s official app store. This spyware is able to steal personal data from users including name, phone number, email, and times contacted; precise location, including latitude, longitude, network ID, and location area code; free internal and external memory; device IMEI, IMSI, MCC, MNC, phone type, network operator, device and Android information.
This spyware targets foreign travelers, who are using an app to find their embassy when they are abroad. Most recently, Kaspersky researchers found a rogue app disguised as a Pokemon Go guide. That app was capable of installing and uninstalling apps and displaying adverts. Google has removed the apps from the Google Play Store. However, it didn’t release any details of how many downloads the apps had, or how many devices were potentially affected.
http://www.infosecurity-magazine.com/news/malicious-apps-found-in-google/
-
Nice point Alexandra.
In certain operating systems, applications of those operating systems are allowed to use another app’s internal data. Applications should not be able to communicate with other applications to use their internal data. The user must be notified when an application needs to use internal data from another application.
The fault also lies with Original Equipment Manufacturers (OEMs). The group states that “the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.” -
Hi Fangzhou,
This is a great example to show that most people today underestimate the potential risk of malicious apps installed on smartphones. Unlike Apple’s App Store, the Google Play store is open for any app developer without a serious vulnerability check before publishing on the store for users to download. I actually had the experience where my personal information was stolen by an unofficial application I downloaded from the Google Play store. We mostly don’t have risk controls or protections such as a firewall installed on our phones.
-
Hi Said,
I agree that the fine for a large corporate firm is not a deterrent at all and should be stricter, because it is only 3% of its revenue and doesn’t hurt them. Wells Fargo will face the challenge of improving its risk controls and setting up strict policies and procedures from the top management.
-
Malicious Pokémon Go App Targeting Android Discovered
The Pokemon Go app has been very popular since it was first published. This article talks about an app called Guide for Pokémon Go that can seize root access rights on Android devices and use that power to install and uninstall apps and display unwanted adverts. It has been downloaded over 500,000 times, and infected over 6,000 Android smartphones. And now it’s been removed by Google.
What happened was the “interesting features” of the app enable it to bypass detection once on a device. Instead of running as soon as it’s downloaded, the app waits for the user to install or uninstall another application and then runs checks to see if it’s on a real device or a virtual machine. After connecting with its command server and uploading details of the infected device, including country, language, device model and OS version, the Trojan will wait for a response. Only if it hears back will it proceed with further requests and the downloading, installation and implementation of additional malware modules.
I think everyone should be aware of what types of applications they download from the app store. They should read the reviews and check the credibility of the app developers before downloading the app.
http://www.infosecurity-magazine.com/news/malicious-pokmon-go-app-targeting/
-
Biometrics a Hit with UK Consumers
The article I read for this week is about how nearly two out of three UK consumers would favor using biometrics to authenticate payments, with fingerprint scans the most popular method. The credit card giant polled around 2000 consumers in the UK as part of a Europe-wide Biometrics Payment study. According to the study, research has shown that trust in biometrics appears to have grown over the past 12-24 months, with banks (85%), payment networks (81%), global online brands (70%), and smartphone companies (64%) all being trusted to offer these types of authentication method. However, there is another interview done on 1000 people about their attitudes to biometrics. More than half (51%) said they wouldn’t use the technology, either because they don’t trust it (29%) or they don’t understand it (22%). On the other side, only a third (36%) said they’d consider it, while 13% claimed they already use biometrics. What surprised me is that the age group least likely to migrate to the new authentication tech appeared to be between the ages of 18 and 24.
My personal thought on this article is that I would support it because, as mentioned in the article, biometrics introduce better fraud detection, better identity management, better audit trails, and better internal controls. I agree with it; everyone has his or her unique fingerprint, so I think it’s safer than the chip or using the PIN, because that information can be leaked very easily. The main concern, or what is holding up the process of implementing biometrics, is how the government is able to prove to consumers that it is using the latest security measures and looking after consumer data. I am actually very excited to see how this biometric fingerprint payment method turns out.
Source: http://www.infosecurity-magazine.com/news/biometrics-a-hit-with-uk-consumers/
-
“Cyence Raises $40M to Help Insurers Assess Cyber Risk”
The article I chose for this week is about a new firm established to help insurance companies assess cyber risk. Cyber insurance premiums are projected to grow to $7.5 billion annually by 2020 from $2.5 billion in 2015. While this growth is an opportunity for insurers, it is also a large risk because there is very little data to use for models. Cyber risks also evolve rapidly, as opposed to hurricane or auto data. Accurate models require large, accurate, and reliable data to forecast losses.
Insurers have trillions of dollars of exposures in buildings and other physical structures which are now vulnerable to a cyber attack. Cyence is hiring experienced professionals in technology and insurance to build a comprehensive data set and eventually an insurance model for cyber risks. Many current cyber insurance models focus on data breaches and identity theft and aggressively limit the insurer’s exposure. As more companies compete and the market continues to grow, more property will be insured against cyber risks. More data will allow insurance companies to offer more insurance with comparative premiums.
http://www.wsj.com/articles/cyence-raises-40m-to-help-insurers-assess-cyber-risk-1473334200
-
“The Department of Transportation just issued a comprehensive policy on self-driving cars”
Autonomous Vehicles (AV) are an emerging industry where many manufacturers think they will have decent capabilities by 2020. The Department of Transportation (DoT) has decided not to lag behind the times and released an initial framework for how they think laws and regulations with AVs will work. The proposed policy has four main categories. First is keeping the vehicle safe. Cars are already at risk of cyber attacks, so when they work all on their own it will be an even more dangerous risk, as they can be stolen by reprogramming the destination point. The regulations spell out that data should be collected for analysis later, similar to airplane black boxes. It is important to also consider who is allowed to make decisions that affect life and death situations, if that is allowed to be automated. Companies will have to consider where liability and risk for accidents lie.
The rest of the guideline groups 2, 3, and 4 focus on state governments, existing regulations, and requests for new regulatory powers by the DoT. One of these powers is considering overriding a manufacturer with pre-market approval needed. DoT also wants to be able to inspect software updates before they go out as mistakes there could have cascading effects across the country.
Car and transportation companies are going to have to adapt to how the new logistics of travel will work in the future.
http://www.vox.com/2016/9/19/12966680/department-of-transportation-automated-vehicles
-
I thought I posted the link to my story. It is an interview on NPR, speaking about the athletes and other United States figures being hacked by Russian-led groups.
-
Wow, that is scary. I am sure that this is life or death for drone companies. I would imagine they would stop producing drones if drone companies cannot up their cyber security game. Too risky to put human lives in danger if hacking into a drone is that easy.
-
This article goes into explanation about the massive hacks that have been happening via the Dark Net to huge companies. A few of these heavy hitters that fell victim include Apple, DropBox, Uber, McDonald’s, Ebay, etc. As many as 85 companies have been targeted by these “Russian hackers”.
The article goes into further detail that there is no knowledge regarding the identities of the perpetrators and no links have been established to foreign governments. Yet, if the information that was seized by these hackers is valuable, they allude that we can expect to see these stolen credentials for sale on the dark web.
Source: https://www.hackread.com/dark-net-russian-hackers-hit-us-firms/
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 1 month ago
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
-
The 3 types of risk mitigating controls are:
1- Preventive controls: they prevent a loss from occurring.
2- Detective controls: they monitor activities and identify issues. They can ameliorate preventive controls.
3- Corrective controls: they are used after a loss to restore the system to its original state.
In my opinion, the most important controls are the preventive controls because they minimize risk by preventing certain events from occurring. -
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventative controls, detective controls, and corrective controls. Preventative controls are, as the name implies, controls to prevent any problems or errors from occurring. Examples of preventative controls include usernames and passwords, which prevent unauthorized users from accessing information or an application. Detective controls are those that detect or identify an error or problem after it has occurred. An example of a detective control is that of audit trails or user logs when certain employees access an application. Lastly, corrective controls are those that fall in between preventative and detective. These corrective controls are those that identify an error or problem but already have the necessary action steps identified to resolve the issue. An example of a corrective control would be antivirus, which identifies malware and removes it.
In my opinion, the importance of which type of control is highly dependent on how established the IT environment is within an organization. As stated earlier, preventative controls are implemented to prevent a risk from happening. Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place? Therefore, for an IT environment that is developing, setting up proper preventative controls will be most important, since they want to establish policies and procedures that will mitigate risks from happening in the first place. However, in today’s IT environment, data breaches are prevalent and some breaches go years without being noticed, one example being the recent Dropbox breach that went unnoticed for four years. Therefore, detective controls are more important for well-established IT environments, since those organizations need to identify any areas of vulnerability or error. Knowing that there is usually a way to circumvent controls, it is important to first have those preventative controls established, then focus on detective controls to really mitigate risks going forward.
-
Preventive – controls that prevent the loss or harm and reduce the risk from happening in the first place. Examples of preventive controls are segregation of responsibilities and firewalls.
Detective – controls that monitor activity to record issues after they have happened. An example of a detective control is performing an audit.
Corrective – controls that restore the system or process back to the state prior to a harmful event.
I believe detective controls are the most important controls because they are a response to review the logs to look for the inappropriate event, where we can correct data errors and recover from the issues. If the IT auditors know what the issues are, it can help prevent the next event.
Corrective controls are not practical from a business standpoint because the business might lose business data or business tasks have to be redone, and the controls do not help prevent the next event from occurring.
Preventive controls are used to minimize the risks, but they are not able to remove all the risks from happening. I think the response after the event is relatively important. -
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are: preventative, detective, and corrective. All three play a significant role in ensuring that the company’s assets are properly secured and accounted for.
The most cost effective control is the preventive control because preventative controls help avoid the loss of resources to begin with and are usually not very expensive to implement. Examples: employee background checks, employee training and required certifications, password protected access, physical locks, and security camera systems.
When preventive controls fail, detective controls seek to identify issues in order to prevent further errors, irregularities, and harm to company assets. Examples: bank reconciliations, physical inventory checks.
When preventative controls flop and detective control activities are forced to identify an error or irregularity, corrective control activities then kick in to fix it. Examples: new system implementation to prevent it from happening again, data backups.
In my opinion, all three controls are equally important because the balance of the three will result in the most secure assets. However, for the sake of the question, corrective controls are the most important because when all else fails, you need an emergency plan to fix the mess up. Otherwise, the company’s assets are dead and gone.
-
Ian,
You detailed the three controls and gave great examples of the control flow. I also agree that all controls are important for a controlled environment.
However, I think of the most important control as the preventative control, because it costs more money to react to a problem than to prevent the problem. An example of this would be a firewall device. Spending $1,000 on a firewall device and 1-2 hours a week to manage it will reduce the chances of intruders penetrating the network. If you didn’t have the firewall, the intruder could bring down or hold your system hostage for a ransom. Much more than the initial cost and time investment.
It is similar to the medical care some people are practicing today. Some people don’t go to the doctor out of fear, being uninsured, religion, or maybe just not having enough time. After a few years without a regular check-up, it turns out the person developed high blood pressure, had a heart attack, was rushed to the hospital, and almost died. The medical costs for this situation are too high and out of my expertise, but rumor has it that it would be expensive. Much more expensive than the 30 minute visit, $20 co-pay, and medication.
The idea is to be pro-active vs. re-active, because it is much more expensive to be reactive, and it is much more difficult to budget for multiple unknown disasters.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventive controls:
They are controls that prevent any problems, losses and harms from happening. For example, segregation of responsibilities: if an employee authorizes a payment to Staples to order office supplies for the company, his supervisor or a related person must approve it, which reduces the possibility of doing it wrong. Other examples: secured accounts and passwords, segregation of duties, approvals, authorization, verifications, etc.
Detective controls:
They are designed to find errors or problems after they have occurred. For example, if a person does the general ledger or payment request, his supervisor may review and compare information to identify fraudulent payments. Other examples: bank reconciliations, physical inventory counts, counts of cash on hand, audits, etc.
Corrective controls:
They restore the system or process back to the state prior to a harmful event. For example, if a company’s system was down, they may consider restoring its system. Other examples: data backups, data validity tests, insurance, training and operations manuals, etc.
Preventive controls are the most important, because they prevent problems from happening, which minimizes the possibility of loss or errors. They are proactive and emphasize quality.
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html
https://www4.vanderbilt.edu/internalaudit/internal-control-guide/different-types.php
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
1. Preventive—some of the best controls prevent fraud, theft, misstatements, or ineffective organization functioning. For example, the effectiveness of segregation of duties to prevent fraud. Preventive controls can be as simple as locks and access codes to sensitive areas of a building or passwords for confidential information.
2. Detective—a security camera is a good example of a detective control. A store manager who notices a pattern of a cash drawer coming up short when attended by a particular clerk can easily look at video of the clerk’s actions throughout the day to detect potential theft. An access log and an alert system can quickly detect and notify management of attempts by employees or outsiders to access unauthorized information or parts of a building.
3. Corrective—coupled with preventive and detective controls, corrective controls help mitigate damage once a risk has materialized. An organization can document its policies and procedures, enforcing them by means of warnings and employee termination when appropriate. When managers wisely back up data they can restore a functioning system in the event of a crash. If a disaster strikes, business recovery can take place when an effective continuity and disaster management plan is in place and followed.
I found the explanation and examples on this website: http://www.cfocareer.com/manage-risks-preventive-detective-corrective-controls/. I think the examples are excellent and helped me understand these three risk mitigating controls. In my own words, preventive controls act as a lock to prevent any “bad people” (fraud, loss etc.) from going inside. Detective controls act as a camera to detect any people who break the lock. Corrective controls act as an insurance. After something was stolen, the insurance will help you to minimize the loss. I think the most important one is preventive control because, for example, if we can prevent any kind of virus or malware from intruding into our computer, we don’t need detective and corrective anymore. However, when a new system is invented, people can always find the defect and intrude into it. Hopefully one day, someone will invent a program that is unbreakable.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
– Preventive controls: stop a bad event from happening…
– Detective controls: record a bad event after it has happened…
– Reactive controls (aka Corrective controls): fall between preventive and detective controls, and provide a systematic way to detect bad events and correct them…
In my opinion, the most important risk mitigating controls are preventive controls because they prevent bad events from happening.
-
Ian, your explanations and examples explain these three types of risk mitigating controls well. I also agree with you that corrective controls can be important for the company to restore all systems and data.
However, I would like to say that, as Paul said above, “Why have a control that detects or corrects a problem when you can have a control that prevents the problem from happening in the first place?” Thanks for sharing your points!
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are:
Preventative: Controls that prevent the loss or harm from occurring.
Detective: Controls that monitor activity to identify occurrences where practices or procedures were not followed.
Corrective: Controls that reestablish the system or process back to the state prior to a harmful event.
These risk controls all play a vital role in safeguarding an organization’s assets. However, the most important control is preventative. This control allows preventive measures to be installed to prevent harm/threats from happening; by taking the proactive approach, management is able to combat and minimize the possibility of loss in data, money or errors.
-
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three forms of controls:
1. Administrative – These are the policies and laws for overall governance.
2. Logical – These are the virtual controls.
3. Physical – These are the environmental controls in physical space.
To provide the degree of how to mitigate risks, controls are classified as below:
1. Preventive – Actions taken to prevent a risk or failure.
ex. Establishing policies, governance.
2. Detective – These controls are identified by a monitoring activity.
ex. Reconciliation of accesses of employees to confirm that the level of access is based on authorization.
3. Corrective – Corrective controls are actions taken to restore the system or process after an incident has occurred.
All the controls play an important role in risk management. However, preventive control is the most important one. They minimize the possibility of loss by preventing the event from occurring.
source [http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html]
-
Ans.1
The 3 types of risk mitigating controls are:
1) Preventive controls – These prevent or stop a security incident from occurring.
2) Detective control – through this type of control, a fault in the system is identified upon reviewing the system logs.
3) Corrective or Reactive control – This type of control falls between Preventive and Detective control – meaning that they automatically trigger a corrective action as soon as a fault is identified.
Of the 3 types, I believe that the most important type is the Preventive control. This is for the simple reason that it’s better to prevent an incident from occurring in the first place rather than trying to fix it. -
There are three types of risk controls:
1) Preventive Controls
Preventive Controls are designed to keep errors or irregularities from occurring in the first place. Examples: installing firewalls, segregation of employee responsibilities, etc.
2) Detective Controls
Detective controls are designed to search for errors or irregularities after they have occurred. For example, performance reviews, audits, physical inventories, etc.
To put light on performance reviews, managers can compare information about current performance to prior periods, budgets, forecasts or any other benchmarks to identify unusual conditions that may require a follow-up.
3) Corrective Control
A corrective control restores a process or a system back to the phase prior to an unwanted event.
Examples include submitting corrective journal entries after identifying an error, completing changes to IT user access lists in case of a change in an employee role, etc.
Preventive control sounds the best of all the controls, and as an IT manager, if I have resources, I will implement all the controls. But in case of limited resources, an IT manager will have to go with a balanced approach. Implementing preventive controls can prove costly.
Source: https://www.newpaltz.edu/internalcontrols/about_preventative.html
http://ishandbook.bsewall.com/risk/Assess/Risk/control_types.html -
There are three types of risk controls:
Preventive controls. These controls are intended to proactively mitigate the occurrence and/or impacts of risks. Examples include policies and procedures, firewalls, IPS/IDS.
Detective controls. These controls operate after the fact to identify if a predefined event occurred. Examples such as log file reviews, or scanning current configurations for unauthorized changes to better enable incident and problem management, are detective in nature.
Corrective controls. These controls are tasked with restoring the current state to an approved state. It may be that a hacker has compromised a system or something has impaired data integrity. Examples include restoring a system and corresponding data from a backup service.
I think the detective control is the most important control, because detective controls can determine the loss after an attack, and they identify and report on all changes.
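The three control types named in this comment, put into working code as an added example (not part of the discussion above or of any product): an approved-change check as the preventive control, a baseline-hash scan of configuration files for unauthorized changes as the detective control, and restore-from-backup as the corrective control. The file names, contents and the change ticket ID are constructed for the demonstration.

```python
"""Preventive, detective and corrective controls over a small set of config files.
All sample files and the change ticket ID below are constructed for the example."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file's bytes; the baseline records these hashes for the approved state."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(config_dir: Path) -> dict:
    """Record the approved state as {file name: sha256}."""
    return {p.name: sha256_of(p) for p in sorted(config_dir.iterdir()) if p.is_file()}


def backup_configs(config_dir: Path, backup_dir: Path) -> None:
    """Keep a copy of the approved state so a corrective restore is possible later."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    for p in config_dir.iterdir():
        if p.is_file():
            shutil.copy2(p, backup_dir / p.name)


# Preventive control: a change is only written when it carries an approved ticket.
def apply_change(path: Path, new_content: str, change_id: str, approved: set) -> bool:
    """Return True if the change was applied, False if it was refused as unapproved."""
    if change_id not in approved:
        return False
    path.write_text(new_content)
    return True


# Detective control: compare the live files against the recorded baseline.
def scan_for_unauthorized_changes(config_dir: Path, baseline: dict) -> list:
    """Report files that were modified, removed, or added outside the baseline."""
    live = {p.name: sha256_of(p) for p in config_dir.iterdir() if p.is_file()}
    findings = []
    for name, expected in baseline.items():
        if name not in live:
            findings.append({"file": name, "status": "missing"})
        elif live[name] != expected:
            findings.append({"file": name, "status": "modified"})
    for name in live:
        if name not in baseline:
            findings.append({"file": name, "status": "unexpected"})
    return sorted(findings, key=lambda f: f["file"])


# Corrective control: put the approved state back from the backup copy.
def restore_from_backup(findings: list, config_dir: Path, backup_dir: Path) -> list:
    """Restore modified or missing files; remove files the baseline never contained."""
    handled = []
    for f in findings:
        target = config_dir / f["file"]
        if f["status"] in ("modified", "missing"):
            shutil.copy2(backup_dir / f["file"], target)
        elif f["status"] == "unexpected":
            target.unlink()
        handled.append(f["file"])
    return handled


def run_demo() -> dict:
    """Constructed scenario: one approved change, one refused change, one direct edit
    made outside the change process that the scan catches and the restore undoes."""
    root = Path(tempfile.mkdtemp())
    cfg, bak = root / "etc", root / "backup"
    cfg.mkdir()
    (cfg / "sshd.conf").write_text("PermitRootLogin no\n")
    (cfg / "firewall.rules").write_text("default deny\n")
    approved = {"CHG-1001"}  # hypothetical approved change ticket

    # The approved change goes in first; baseline and backup then capture that state.
    apply_change(cfg / "sshd.conf", "PermitRootLogin no\nMaxAuthTries 3\n", "CHG-1001", approved)
    baseline = build_baseline(cfg)
    backup_configs(cfg, bak)

    # An unapproved request is stopped by the preventive control.
    refused = not apply_change(cfg / "firewall.rules", "default allow\n", "CHG-9999", approved)

    # A direct edit outside the change process, plus an unreviewed extra file.
    (cfg / "firewall.rules").write_text("default allow\n")
    (cfg / "extra.conf").write_text("unreviewed setting\n")

    findings = scan_for_unauthorized_changes(cfg, baseline)   # detective
    restored = restore_from_backup(findings, cfg, bak)        # corrective
    clean_after = scan_for_unauthorized_changes(cfg, baseline) == []
    return {"refused": refused, "findings": findings,
            "restored": restored, "clean_after": clean_after}


if __name__ == "__main__":
    print(run_demo())
```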
-
Paul,
I really enjoyed the way you answered the question regarding which control is the most important. I didn’t think about it in a hypothetical situational based manner.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is the most important?
1. Preventive controls: they prevent the problem from occurring. For example, the gas station will launch a policy that does not allow anyone to smoke.
2. Detective controls: I think security cameras are a good example, but most of the time they work after the problem has occurred. For example, the supermarket will use surveillance cameras to observe a specific area.
3. Corrective controls: When the “bad” thing has happened, there is something to make it up. Data backups and insurance are good examples.
I think preventive control is the most important. As one phrase says, prevention is better than cure.
-
Fred, I do not agree when you say that “it costs more money to react to a problem, than to prevent the problem.” In fact, when assessing risk, organizations have 4 options:
Mitigate risk – activities with a high likelihood of occurring, but financial impact is small. The best response is to use management control systems to reduce the risk of potential loss.
Avoid risk – activities with a high likelihood of loss and large financial impact. The best response is to avoid the activity.
Transfer risk – activities with low probability of occurring, but with a large financial impact. The best response is to transfer a portion or all of the risk to a third party by purchasing insurance for example.
Accept risk – if cost-benefit analysis determines the cost to mitigate risk is higher than cost to bear the risk, then the best response is to accept and continually monitor the risk.
As you can see, accepting the risk is an example where it costs less money to react to a problem.
-
The 3 types of risk mitigating controls are:
1. Preventive Control – These are controls that prevent the loss or harm from occurring.
Ex: Authorization and approval procedures; use of passwords to stop unauthorized access to systems/applications; supervision such as assigning, reviewing/approving, guidance and trainings; segregation of duties on authorizing, processing, recording and reviewing; controls over access to resources and records.
2. Detective Control – These controls monitor activity to identify instances where practices or procedures were not followed.
Ex: Reconciliations; verifications; reviews of operating performances; and reviews of processes and activities.
3. Corrective Control – These controls restore the system or process back to the state prior to a harmful event.
Ex: Restore data from backup.
I think preventive control is the most important and effective control among the three types of risk mitigating controls. Preventive control minimizes the possibility of loss in a company’s assets by preventing the event from happening.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The 3 types of risk mitigating controls are:
1) Preventive Control – A set of measures taken in order to reduce a risk from happening
2) Detective Control – Measures taken to determine the cause of the loss event once it has already happened.
3) Corrective Control – Measures taken to restore the loss once the loss event has already happened.
I believe that preventive control is the most important because it minimizes the chance of a loss ever occurring to the company. Although preventive controls are most important, they can also be the most expensive. Thus, complete prevention is impossible. The other 2 controls are important in the event that preventive controls fail.
-
Preventive control is definitely most important, but complete prevention is impossible. From your Dropbox example, Dropbox may have taken the best preventative measures but they were still a victim of a data breach. The other two measures are important when preventive controls fail.
-
While I do agree that preventive control is the most important, I think that both detective and corrective control are also very important and should not be downplayed. The key is that preventive controls only MINIMIZE risk. They do not eliminate it. Loss can still happen, and when it does, the two other controls play a huge role in preventing similar future loss from happening as well as mitigating the effect of the loss.
-
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
There are 3 types of controls:
• Preventive – These controls prevent the loss or harm from occurring. Example: a firewall, or the username and password which stop unauthorized access to data, color-coded IDs.
• Detective – These controls monitor, detect and record after the threat happens. For example, log files: Syslog, Event Viewer.
• Corrective – These controls detect and correct the situation once it happens. For example, connected backup, to retrieve data from a previous restore point.
Out of the three types of control, preventive control is the best because it minimizes the possibility of loss of data or assets by preventing the event from occurring in the first place. But preventive controls are usually very costly. Corrective controls minimize the impact of loss by providing a backup, but this takes some time and can result in loss of productivity due to unavailability of the system or application, etc. Least effective is detective control, as mostly the damage is done already. But having a detective system in place helps in identifying the threats and risks involved and planning for a better system in place.
Controls can be preventive, detective, or reactive, and they can have administrative, technical, and physical implementations:
1. Administrative – laws, policies or standards defined by an organisation. For example, a password policy of having a minimum length of 8 characters with alphabets, numbers and special characters.
2. Logical/Technical – Tools that logically control. Example: firewalls, anti-virus software, content scanners, single sign-on.
3. Physical – These risks are related to the physical location of assets and their protection. Example: video surveillance systems, gates and barricades, guards, locked doors and terminals, environment controls, and remote backup facilities.
Source: IT Auditing Using Controls to Protect Information Assets.
-
I think along with detective controls there should be some preventive and corrective controls as well. Once some threat is detected and identified, a protective control has to be in place to avoid the same threat to reoccur. This could lead to loss of reputation of the company and may result in no credibility of the firm with their clients as it can be considered as negligence. Preventive and corrective controls give the clients also a reason to do business with the firm as it implies that you are serious with their data and protection of their assets as well.
-
Yes all the controls are important.
Yu Ming, you mentioned that corrective controls are not useful. I disagree.
For example,
An employee may have worked in a company for almost 10 years and have worked on N number of projects or have very confidential data on his laptop. What happens if his laptop crashes? All his data is lost. What can be done?
If there is a backup system available, we should be able to restore to the nearest restore point, thereby restoring most of the data, thus reducing the impact.
Now the same for an application server or router or firewall… These can have huge impacts and result in loss of business as well.
-
I agree with you all. I think that any control in an organization is really important and they support each other with no doubt. Without detective control, preventive controls won’t be as efficient because you have no clue about what to prevent from the harmful causes.
Binu,
I agree with you. However, you mentioned an organization should have an efficient system to minimize the impact. Do you agree that an efficient backup system would fall into the preventive controls category? Does an efficient preventive control bring a positive impact to corrective control? -
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
Three types of risk mitigation controls are preventative, detective, and corrective. Preventative risk controls can be passwords, encryption, firewalls, access restrictions, and other procedures or policies that reduce the probability that a risk or incident can occur. Detective controls can be log files, any type of system/network monitoring, or anything that can capture data to review after an incident to determine the root cause and use to predict/prevent future risks. Corrective controls can be backups, which will enable the system to be restored to a level before the incident. These types of controls do not prevent, or seek to determine why it happened. They simply serve to restore the damage.
Preventative controls are the most important controls. While corrective and detective controls are important, preventative controls will be used frequently and likely prove cost effective. Without proper preventative controls, many companies would suffer larger losses than if one of the other two controls were not implemented. If there is no firewall, encryption, login credentials, etc., then a company will most likely suffer a data breach/hack in addition to a myriad of other losses. Data integrity will be compromised, which will impact core business functions in addition to many other problems.
-
Preventive – These types of controls prevent the loss from occurring. Segregation of duties is an example of this type.
Detective – Monitoring activity to detect errors or irregularities that may have occurred.
Corrective – Restore the system or process back to the state prior to a harmful event. Antivirus is an example, correcting errors that have been detected.
Preventive controls are the most important ones, since they minimize the possibility of loss by preventing the error from occurring. They are proactive controls that help to ensure departmental objectives are being met.
-
Agree with your point Magaly. Preventive Controls are designed to discourage errors from occurring. They are proactive in nature.
In some cases, detection of an irregularity that occurred is the only way to realize that the organization needs controls in that area. I have an experience that I can share:
Objective – Visitor laptops are not allowed in dedicated clean room environments. It must be ensured that visitors do not carry laptops into the clean room.
Problem: There used to be a security guard who allowed laptops based on whether the person was an employee or a visitor. During an audit I introduced myself as an employee and the guard let me take my laptop inside.
This is a finding that was detected.
Solution: The guard did not have a list of laptops and their serial numbers that were assigned to employees. This problem was only resolved once detected.
Detective Control – Here audit was the detective control that could point out to the problem. -
Preventive controls – these controls proactively mitigate risks by preventing them from occurring, such as password protection, identity authentication, etc.
Detective controls – these controls are designed to find errors within the organization, and include audits, reviews of performance, etc.
Corrective controls – these controls help mitigate damage once a risk has materialized, such as recovery systems.
For me, preventive controls are the chief ones, while detective controls are the most important ones. No absolutely secure environment exists; all organizations in the information age are exposed to risks more or less, and the most important mission for top management is to detect, and then mitigate, the potential risks to an acceptable level. Besides, the data from detective controls can feed predictive analytics tools and support preventive controls.
-
Alex,
You make great points about a company’s options for handling risk. But, in each example, I believe it would cost more to be reactive vs. proactive. However, I will say that my belief holds for the majority of the time. Each situation will need to be evaluated independently, but it is safe to assume being proactive is less expensive than being reactive.
You mention accepting risk as costing less to react to, but I disagree, because you are not spending anything to be proactive. Your total preventative cost for accepting risk is $0.00, but reacting to the issue will cost at least $1.00.
-
3 types of risk mitigating controls are:
1. Preventive controls
2. Detective controls
3. Corrective controls
The most important control is the preventive control. Preventive controls are put in place to reduce the chances of the event happening. If the preventive controls do the job, there will never be a need to detect or correct the issue because it was prevented.
Now, realistically there is no solution that will ever eliminate IT risk. That is why we need to be able to detect the issues the preventive controls missed, correct the issues, and readjust your preventive controls if need be.
-
Question: What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three types of risk mitigating controls are preventive, detective, and corrective.
Preventive control – this type of mitigating control prevents harm or loss before it actually happens. For example, one person reports the monthly department administration expenses, but a second person should authorize it.
Detective control – this type of mitigating control monitors activities to identify problems in following the rules or procedures.
Corrective control – corrective controls restore the system or process back to the state prior to a harmful event. For example, the company may have a backup system; if some important data is missing, the backup system can correct the mistake.
I think the preventive control is the most important. Compared with detective and corrective controls, preventive controls can stop the loss before it literally occurs, and minimize the possibility of damaging the information assets of an organization. Indeed, the cost of preventive controls like the firewall for core servers is usually high, but it’s the best way to protect a company’s information assets.
-
Good example of user names and passwords. Personal identification is a very important preventive control in business and mitigates the loss from data leaks. I believe that user names and passwords are one of the most commonly used tools in preventive control. Some organizations now even require employees to set a secondary password on their PCs, which can enhance the security level and better protect sensitive business information from being copied by attackers.
-
Alexandra,
Good example about a store manager installing security cameras. I do agree with your opinion that the preventive control is most important. However, when management makes a decision about controls, the cost should also be considered. For example, the firewall and other security devices for core servers may be costly; using only preventive controls to mitigate the risks may have a negative influence on the financial statements. Indeed, preventive controls can stop loss before it happens, but if management reasonably balances all three types of control, the organization may spend less money and lower the risks to an acceptable level.
-
Paul,
I agree with your opinion that which type of control is important really depends on the specific situation. Generally, preventive controls can stop loss before risks actually occur; however, the devices related to preventive controls are usually costly. For a major public corporation with millions in information assets, preventive control may be the most important one. But what if it is a new startup or a barely profitable company? In this case, the company doesn’t need a top-level preventive device like a powerful firewall, or it can’t afford one. In this situation, a cheaper alternative like a backup plan (corrective control) may be a better choice.
-
Thanks for sharing. Your reasoning sounds like an organization can’t live without corrective controls, so that’s the most important; well, organizations can’t live without preventive controls and detective controls as well, so does that mean all of them are the most important? It’s not convincing.
But I do agree with you that the balance of the three will result in the most secure assets.
-
Well-put Yu Ming.
Layered controls implemented as a combination of preventive, detective and corrective controls, decrease the probability of failure exponentially. Systems that house sensitive information or are critical to business usually have layered controls for the same reason. -
Paul, you showed some great forethought into the question regarding the maturity of the environment we’re talking about and how detective controls could be more important than preventative controls. I honestly don’t think there is a true “correct” answer to the question because it always depends on certain variables that we are left to assume. In this instance I would have to put preventative controls above detective controls; however, timing is everything. If the system had been put in place before any controls were put in place, what’s more important, attempting to stop future breaches or making sure that a breach hasn’t already occurred? To me it’s almost six of one, half a dozen of the other. Great perspective.
-
Jianhui,
I agree with you, Corrective controls restore the system or process back to the state prior to a harmful event. For example, a business may implement a full restoration of a system from backup tapes after evidence is found that someone has improperly altered data.
-
Fred/Brou,
Yes, there are situations where it costs more to prevent than to respond to the risk. However, yes, if your response is to just accept the risk, then it obviously doesn’t cost more. There are situations where it costs more to prevent than to respond and vice versa…
My point is yes, it may cost more money to respond, but if you can’t respond to an attack, it will cost way more than it would have cost to just plan and execute a response to an attack. The way I look at it is, there is always a hole. You can spend all of your resources on prevention and someone will still get by. That is the way of the cyber world. No system is impenetrable. Therefore, although prevention is very important, I believe risk response is the most important.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
How would you apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
-
Q 2. How would you apply the FIPS security categorizations to decide if each of the information security risk mitigations (“safeguards”) described in the FGDC guidelines is needed?
FIPS applies security categorization in 2 ways:
1. SECURITY CATEGORIZATION APPLIED TO INFORMATION TYPES:
Establishing an appropriate security category of an information type essentially requires determining the potential impact for each security objective associated with the particular information type. The generalized format for expressing the security category, SC, of an information type is:
SC information type = {(confidentiality, impact), (integrity, impact), (availability, impact)}
where the acceptable values for potential impact are LOW, MODERATE, HIGH, or NOT APPLICABLE.
2. SECURITY CATEGORIZATION APPLIED TO INFORMATION SYSTEMS
Determining the security category of an information system requires slightly more analysis and must consider the security categories of all information types resident on the information system.
The generalized format for expressing the security category, SC, of an information system is:
SC information system = {(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE, or HIGH.
Information security risk mitigations (safeguards) described in the FGDC guidelines are:
• The first is to change the geospatial data. You may find that the geospatial data contain sensitive information that needs to be safeguarded, but that after changing the data they would still be useful and could be made publicly accessible. This decision starts with your organization determining whether it has the authority to change the data. The idea of changing geospatial data includes redaction or removal of sensitive information and/or reducing the sensitivity of information by simplification, classification, aggregation, statistical summarization, or other information reduction methods.
• The second, and last, type of safeguard is to restrict access to, uses of, and/or redistribution of the data. At this step, you must decide if your organization has the authority to restrict the data. Some organizations have laws, regulations, policies, or concerns about liability that compel them to release data. Others have clear authority to restrict data.
Based on the decision taken from the two types of safeguards the security categorization of information type and information system is performed. The values are inserted in the formula and category is found.
EXAMPLE:
An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low. The resulting security categories, SC, of these information types are expressed as:
SC contract information = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)},
and
SC administrative information = {(confidentiality, LOW), (integrity, LOW), (availability, LOW)}.
The resulting security category of the information system is expressed as:
SC acquisition system = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}, representing the high water mark or maximum potential impact values for each security objective from the information types resident on the acquisition system.
-
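As an added example, not code from Deepali's post or from NIST, here are the two categorization steps above worked in Python: one function builds the security category of an information type, a second applies the high water mark over the information types resident on a system, and the post's acquisition-system example is run at the bottom. Two things in it go beyond what the post states and are the example's own assumptions: NOT APPLICABLE is accepted only for confidentiality (the one objective FIPS 199 allows it for) and is floored to LOW when rolled up to a system, and `overall_impact_level` collapses the three objectives to the single level FIPS 200 uses to pick a control baseline.

```python
# FIPS 199 security categorization, worked in code.
# Added example for this thread, not code from the original post or from NIST.
# Levels and the high-water-mark rule follow FIPS PUB 199. The rule that a
# NOT APPLICABLE confidentiality value rolls up to LOW at the system level is
# this example's assumption (the post only says system values are LOW/MODERATE/HIGH).
from dataclasses import dataclass
from typing import Dict, Iterable

OBJECTIVES = ("confidentiality", "integrity", "availability")
RANK = {"LOW": 1, "MODERATE": 2, "HIGH": 3}      # ordered so max() is the high-water mark
NAME = {rank: name for name, rank in RANK.items()}
NOT_APPLICABLE = "NOT APPLICABLE"


@dataclass(frozen=True)
class SecurityCategory:
    """SC = {(confidentiality, impact), (integrity, impact), (availability, impact)}."""
    confidentiality: str
    integrity: str
    availability: str

    def as_dict(self) -> Dict[str, str]:
        return {name: getattr(self, name) for name in OBJECTIVES}

    def __str__(self) -> str:
        return "{" + ", ".join(f"({k}, {v})" for k, v in self.as_dict().items()) + "}"


def categorize_information_type(confidentiality: str, integrity: str,
                                availability: str) -> SecurityCategory:
    """Security category of one information type (the first form in the post).

    LOW/MODERATE/HIGH are accepted for every objective. NOT APPLICABLE is accepted
    only for confidentiality, the one place FIPS 199 permits it: public
    information still needs its integrity and availability protected.
    """
    values = {"confidentiality": confidentiality, "integrity": integrity,
              "availability": availability}
    for objective, value in values.items():
        if value in RANK:
            continue
        if value == NOT_APPLICABLE and objective == "confidentiality":
            continue
        raise ValueError(f"{objective}: {value!r} is not a valid potential impact")
    return SecurityCategory(**values)


def categorize_information_system(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High water mark: per objective, the maximum impact over all resident information types.

    A system is never categorized NOT APPLICABLE, so an objective that only ever
    saw NOT APPLICABLE is floored at LOW (example's assumption, see header).
    """
    high_water = {objective: 0 for objective in OBJECTIVES}
    for sc in info_types:
        for objective, value in sc.as_dict().items():
            if value != NOT_APPLICABLE:
                high_water[objective] = max(high_water[objective], RANK[value])
    return SecurityCategory(**{o: NAME[max(rank, RANK["LOW"])] for o, rank in high_water.items()})


def overall_impact_level(system_sc: SecurityCategory) -> str:
    """Single impact level for the system: the highest of its three objectives.

    FIPS 199 stops at the per-objective category; this collapse is the rule
    FIPS 200 uses to choose a LOW/MODERATE/HIGH control baseline.
    """
    return max(system_sc.as_dict().values(), key=RANK.__getitem__)


if __name__ == "__main__":
    # The post's acquisition-system example: contract data (M, M, L) plus
    # routine administrative data (L, L, L) gives a (M, M, L) system.
    contract = categorize_information_type("MODERATE", "MODERATE", "LOW")
    admin = categorize_information_type("LOW", "LOW", "LOW")
    system = categorize_information_system([contract, admin])
    print("SC acquisition system =", system)
    print("overall impact level  =", overall_impact_level(system))
```

Running it prints the same (MODERATE, MODERATE, LOW) category the post derives by hand; adding a third information type with HIGH availability would raise only that objective, which is the point of the high water mark.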
Great explanation and example Deepali!
Choosing the suitable security controls for an organization’s information systems can have tremendous repercussions on the operations and assets of an organization as well as the wellbeing of persons and the Nation as a whole.
-
Deepali, you provided clear explanations and examples on the security categorization.
I just want to add the potential impact definitions for each security objective—confidentiality, integrity, and availability and I believe it helps us learn the FIPS security categorizations in detail.
Security Objectives:
Confidentiality
Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity
Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability
Ensuring timely and reliable access to and use of information.
Potential impact:
Low
The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
Moderate
The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
High
The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
-
Another example of how the FIPS security categorizations can be used to decide if each of the information security risk mitigations described in the FGDC guidelines is needed is the redaction of classified documents before they are released to the public. There is no doubt that covert operations are taking place without public knowledge. An example is the hunt for Osama Bin Laden.
In this example the Security categorization would be something like this:
SC information type = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, LOW)}
Based on this SC, information leakage of Bin Laden’s location could have caused severe degradation to Seal Team 6’s mission, probably making the mission a failure. If the integrity of the information provided by an intelligence group to Seal Team 6 was improperly modified, it could have caused mission failure or loss of life to the operators. The availability of that information has limited effect on the USG; after all, it did take them ten years to find Bin Laden.
SC Information System = {(Confidentiality, HIGH), (Integrity, HIGH), (Availability, High)}
For information systems, I’m specifically talking about the communication systems that Seal Team 6 had when executing the mission. If the CIA security objectives were not met, then loss of life would be imminent. If the enemy were able to hijack communication signals between the members of Seal Team 6, modify the communication between headquarters and the team, or scramble the communication of the team, then the mission could have met a severe or catastrophic ending.
The FGDC guidelines were used to redact or modify mission records to protect the names of Seal Team 6. The released records did not contain pertinent mission information, like how the location of Bin Laden was obtained, preserving the methods of intelligence gathering by the USG.
-
I would create a table to match table 8.2 in the Information Security Handbook: A Guide for Managers publication. After reviewing the security risks for the company, I would categorize each risk as a low, moderate, or high impact. I would review the FGDC guidelines to determine if the risk levels require specific safeguard procedures.
If I’m understanding this, the FGDC has guidelines for collecting, processing, archiving, integrating, and sharing geographical data. A risk may be improperly labeling latitude and longitude, putting the users at risk with high impact.
-
Deepali,
You explained it very detailed and very well, thank you, I liked the example and the way you categorized the information.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Which two information security objectives could be put at risk if the alternative mitigations (i.e. “safeguards”) recommended by the FGDC guidelines are applied? Explain how each could be put at risk.
-
The FGDC guidelines recommend the following safeguards in order to address the security concerns before disseminating geospatial data to the public.
1) Change the data
2) Restrict the data
Both safeguards pose a risk to the two important security objectives of INTEGRITY and AVAILABILITY.
When the data has been changed to mitigate the security concerns it is actually an act of improperly modifying the data which stands against the integrity principle of security objective.
When there is restriction on access of particular data in order to protect the particular information it is against the objective of availability of data. -
Great point.
The altering of data inadequately changes the data which contradicts the whole principle of Integrity. Additionally, the constraints on the public’s access to data, undermines the principle of Availability as well.
-
Integrity and availability are the two information security objective that could be put at risk if safeguards are applied.
In fact, integrity refers to guarding against improper information modification or destruction, whereas the safeguard offers the option to “change the data, to remove or modify the sensitive information and then make the changed data available”. Although organizations need to have the authority to make those changes, safeguarding the data may result in a lack of integrity.
Similarly, availability refers to reliable access to and use of the information with no disruption. However, safeguards establish restrictions on access to, use of, or redistribution of the data.
-
Just restating what everybody has already said:
The FGDC guidelines for safeguarding Geospatial data are:
1. Change the data – changing the data to remove sensitive information and then make the changed data available without further safeguards.
2. Restrict the data by adding additional access controls or defense-in-depth to protect the data from access, use, and redistribution.
I agree with what everybody else said about how these two safeguards would adversely affect the Integrity and Availability security objectives. Changing the data would definitely affect the authenticity of the data disseminated to the public, but Integrity is about the “improper” modification or destruction of data. If the guidelines are appropriately followed through the decision tree, the originator of the data may modify the data in the interest of national security or public safety.
For instance, we know that America has fighter carriers and battleships deployed all over the world. We know that they’re in the Asia-Pacific, Atlantic Ocean, Mediterranean, etc, but we do not have access to exact GPS location data. Based on that, the US Government is in fact using both safeguards guidelines to protect the Navy’s fleet from unwarranted or targeted attacks. Their exact locations are available but are highly restricted to only those with required clearance.
Although those guidelines would hinder the Integrity and Availability security objectives, it’s only towards the public. If proper controls are in place for the data to be used by “privileged” personnel, then I believe that the Availability and Integrity of that information will not be affected and probably meet the security objectives with flying colors.
-
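The two safeguards this thread discusses, change the data and restrict the data, carried out on a small feature set, as an added example that is not from any of the posts above or from the FGDC guidelines themselves. The feature records, the sensitivity labels and which safeguard each label gets, the 0.1-degree grid, the attribute names that get redacted and the “cleared” requester label are all assumptions of the example. It makes the two costs the replies describe visible: a generalized record no longer matches the originator's digest (the integrity effect), and a restricted record is simply absent from the public view (the availability effect), while a cleared requester gets the originals intact.

```python
# The two FGDC safeguards applied to a small feature set.
# Added example for this thread, not code from the posts or from the FGDC guidelines.
# Everything below is constructed: the three features, the "sensitivity" labels and
# which safeguard each label gets, the 0.1-degree grid used to generalize
# coordinates, the attributes treated as sensitive, and the "cleared" label.
import copy
import hashlib
import json
from typing import Any, Dict, List, Optional

Feature = Dict[str, Any]

GRID_DEGREES = 0.1                                   # assumption: coarsen points to a 0.1 degree grid
SENSITIVE_ATTRIBUTES = {"owner", "guard_schedule"}   # assumption: attributes redacted on release

# Constructed sample data. "public" is released as-is, "generalize" goes through
# safeguard 1 (change the data), "restricted" through safeguard 2 (restrict the data).
FEATURES: List[Feature] = [
    {"id": "f1", "name": "Water treatment plant", "lat": 39.9812, "lon": -75.1551,
     "owner": "City", "guard_schedule": "nights", "sensitivity": "restricted"},
    {"id": "f2", "name": "Public library", "lat": 39.9526, "lon": -75.1652,
     "owner": "City", "sensitivity": "public"},
    {"id": "f3", "name": "Fuel depot", "lat": 40.0010, "lon": -75.1000,
     "owner": "Private", "guard_schedule": "24h", "sensitivity": "generalize"},
]


def fingerprint(feature: Feature) -> str:
    """SHA-256 over the canonical JSON of a record, so a consumer can tell that a
    released record no longer matches the originator's copy (the integrity cost)."""
    return hashlib.sha256(json.dumps(feature, sort_keys=True).encode()).hexdigest()


def change_the_data(feature: Feature, grid: float = GRID_DEGREES) -> Feature:
    """Safeguard 1: redact sensitive attributes and generalize the location.

    Snapping coordinates to a grid is one of the information reduction methods the
    guidelines list (simplification/aggregation). The record is marked so the
    public knows it was deliberately changed rather than silently altered.
    """
    changed = {k: v for k, v in feature.items() if k not in SENSITIVE_ATTRIBUTES}
    changed["lat"] = round(round(feature["lat"] / grid) * grid, 6)
    changed["lon"] = round(round(feature["lon"] / grid) * grid, 6)
    changed["generalized"] = True
    return changed


def restrict_the_data(feature: Feature, requester: str) -> Optional[Feature]:
    """Safeguard 2: release the unmodified record only to a cleared requester.

    Returning None is the availability cost: the public never sees this record.
    """
    if requester == "cleared":
        return copy.deepcopy(feature)
    return None


def publish(features: List[Feature], requester: str = "public") -> List[Feature]:
    """Apply the safeguard that each record's sensitivity label calls for."""
    released: List[Feature] = []
    for feature in features:
        label = feature["sensitivity"]
        if label == "public":
            released.append(copy.deepcopy(feature))
        elif label == "generalize":
            released.append(change_the_data(feature))
        elif label == "restricted":
            record = restrict_the_data(feature, requester)
            if record is not None:
                released.append(record)
        else:
            raise ValueError(f"unknown sensitivity label {label!r}")
    return released


if __name__ == "__main__":
    for record in publish(FEATURES):
        print("public view: ", record)
    print("cleared view has", len(publish(FEATURES, "cleared")), "records")
```

The public view comes back with two records, the fuel depot at a coarsened 40.0, -75.1 with its owner and guard schedule stripped, and the water treatment plant missing entirely; the cleared view returns all three originals byte-for-byte, which is the point the last reply makes about privileged users.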
The two information security objectives that could be put at risk are:
1. Integrity – You will lose the ability to see previously labeled items. I am not sure if this is a good example but Pluto was mapped as a planet, if the FGDC said it wasn’t there, it must be changed or restricted.
2. Availability – You won’t have access to the data on Pluto anymore because, as far as anyone is concerned, it never existed.
-
The government recognizes that other organizations may benefit from geospatial data it has collected. An issue arises when some of that data is considered sensitive, so guidelines were put in place before being allowed to publish the data. These change the way the data appears to users. The two information security objectives that could be at risk with the FGDC guidelines are confidentiality and integrity.
The first FGDC guideline is change the data. In this, they modify the data set so that sensitive information would be unrecognizable to the end user. This jeopardizes the integrity of the data. For safety, geographic points would be moved and the data set may end up not being usable by researchers. Ultimately, data is destroyed that may have been vital to the integrity of the data.
The second FGDC guideline is restrict the data. For this, they set up strong blocks that prevent access to the data relative to the risk that the data holds. The confidentiality of the data is now at risk. The safeguards would have to vet those trying to access the most sensitive data very closely. This may lead to an unauthorized disclosure to the public.
-
Noah,
The question asking for two made it difficult for me to pick. I thought of Confidentiality in the same way because it would put the information at risk of being leaked.
I decided to go with integrity because they are restricting the truth, and availability because it isn’t accessible, but confidentiality is also put at risk because now you restrict the information and there is a risk it may be leaked.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
-
“Can your device survive a USB power surge attack? 95% of all devices with USB ports can’t” usbkill.com.
The Hong Kong based company developed USB Kill 2.0 for the companies to test their systems against devastating USB power surge attacks that are capable of killing its host almost instantly. There are strict data security policies followed by companies to lock down ports to prevent data leak or infiltration, but such ports are unprotected against an electrical attack like this.
How does it work: When plugged in, the USB Kill 2.0 quickly charges its capacitors using the USB supply and then discharges.
“The USB stick discharges 200 volts DC power over the data lines of the host machine and this charge-and-discharge cycle is repeated several numbers of times in just one second, until the USB Kill stick is removed.”
Here is the video demonstration of how it works: https://www.youtube.com/watch?v=3hbuhFwFsDU
This can be useful for whistleblowers, activists and cybercriminals who don’t want their data to fall into the hands of law enforcement.
This looks like a mechanical attack, and it will be interesting to see how security professionals are going to mitigate such a risk.
Source: http://www.zdnet.com/article/now-you-can-buy-a-usb-stick-that-destroys-laptops/
-
The article I read is about how President Barack Obama is set to sign the most substantial piece of cyber security legislation in years. You have heard the “information sharing” topic in the news often. This bill will solve the info sharing issue and is designed to give companies legal cover to share data about cyber attacks with each other and with the government. The legislation would protect those companies from being sued for sharing that information, for example from antitrust claims. The idea of the bill is that cyber attackers use the same techniques and tactics repeatedly on a wide range of targets. Therefore, allowing those organizations to communicate what they see and how they block it with each other, then, would give companies defending their computer networks an upper hand against hacks.
http://www.cnn.com/2015/12/18/politics/cybersecurity-house-senate-omnibus/index.html
-
IDENTITY THEFT
Regulators Slam Wells Fargo for Identity Theft
For years, Wells Fargo employees subscribed the bank’s customers to products they didn’t request, and this has now triggered $185 million in fines.
The bank allowed its employees to access customers’ personal information to subscribe them to products such as credit cards that generated revenue for the bank as well as commissions for salespeople. Reports say that around 2 million bank deposit and credit card accounts were opened without customers’ knowledge.
This represents one of the LARGEST INCIDENT OF ORGANIZED IDENTITY THEFT ever recorded.
PRODUCT PUSHING
The bank boasted that its customers held an average of six different Wells Fargo products but as a part of its “Gr-eight” initiative, pushed for salespeople to increase the average to eight which was unattainable.
To achieve the goal, employees used tactics such as “PINNING”, which involved bank employees enrolling customers without their knowledge into online banking and bill paying products. Employees generated ATM cards for dummy accounts and assigned PINs, usually “0000”, to the cards, for which they received compensation.
To do this, employees filled in fake email IDs such as 1234@wellsfargo.com, which ensured that customers were unaware of being signed up for a new product.
In some cases employees also used “simulated funding”, where they withdrew money from authorized accounts to pad unauthorized fee-generating deposit accounts that customers did not know existed.
Wells Fargo must now retain an independent consultant to review its sales practices, review training procedures and create a compliance plan.
SOURCE: http://www.databreachtoday.com/regulators-slam-wells-fargo-for-identity-theft-a-9388
-
This article explains the growing threat of ransomware, as well as the “5 Things Partners Need to Know about Ransomware”. The 5 things being: How Big Is The Problem?, Who Are The Targets?, How To Know If You’ve Been Hit, What To Do In The Event Of A Hit and Partners Can Prepare Their Clients.
Lately, many companies have fallen victim to this ever increasing threat. Ransomware is explained as a type of malware that, when successfully used, blocks access to the company’s important data, which is released only in exchange for a ransom amount. Recently, this strategic tool has become a very profitable industry for hackers. According to the 2016 Verizon Data Breach Investigations Report, “ransomware represented the biggest jump in crimeware, with 148 reported incidents in 2015 out of a total 348 incidents”.
Stephen Cobb, a senior security researcher at San Diego-based Internet security vendor ESET, stated, “Ransomware doesn’t discriminate when it comes to business targets”. The first indication of a ransomware attack is the inability to access data or receiving a request from hackers. Unfortunately, it’s a little too late; by then the malware has already begun. Conversely, Cobb stated, the first step should be contacting the IT department to alert them. Secondly, he recommends that the “users unplug their machines and disconnect them from the network to prevent the message from spreading to other devices”. Lastly, “there are steps that partners can take to protect their clients from the impacts of a ransomware attack”, Cobb states. His multi-level approach begins with user education about ransomware and protection. He then reveals that “keeping systems up to date with patching limits vulnerabilities that the ransomware can exploit”. To conclude, Cobb says it is crucial to make sure resilient backup and recovery systems are in place, as well as a reaction plan to combat those technologies in the event of an incident.
Source: http://www.itbestofbreed.com/slide-shows/5-things-partners-need-know-about-ransomware
-
Kaspersky Lab Presents the First Cybersecurity Index
Read more at:
http://economictimes.indiatimes.com/articleshow/54170898.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
http://www.securitymagazine.com/articles/87428-kaspersky-lab-presents-first-cybersecurity-index
Kaspersky is launching its first Cybersecurity Index, which is the first global index to measure the current cyber threat levels faced by internet users. It has three key indicators:
1. The concerned indicator: which shows the ratio of people who know that they are exposed to cyber threats
2. The affected indicator: which shows the number of people affected during the given timeframe.
3. The protected indicator: which shows the number of people who have installed security solutions on their devices, both phones and computers.
According to the first survey, taken in August 2016 among 21 countries across the globe, the cybersecurity index is 21-29-60, meaning 21% are aware of the threat, 29% are victims and 60% have security solutions installed.
The index was created to draw the attention of users/media to the issue of cybercrime and importance of cybersecurity
-
Yelp Launches Public Bug Bounty
Yelp is well known as a search engine for local business, restaurant and hospitality reviews and tips. Starting today, the door will open to researchers and bug-hunters who are invited to participate in Yelp’s public bug bounty. The company has, for two years, participated in a private bounty program with HackerOne. On September 6, 2016, the program goes public, and it’s fairly expansive, with a number of areas of its infrastructure in scope, including its desktop site, mobile application and public API. Yelp said the payouts will go as high as $15,000, with a minimum bounty of $100. Bounty participants are urged to seek out mobile-specific vulnerabilities on both the iOS and Android app platforms. “Bug bounty programs are a sign that everything under it is mature and in shape; you can’t launch unless you have architectural reviews, a SDLC and other critical processes in place. Organizations think they have it, but don’t really know until they try it out,” said HackerOne CTO Alex Rice.
Many organizations have started to invite people to attack their systems and find vulnerabilities in order to protect their systems, which is a very smart decision. In the past, most hackers were individuals instead of an official group or business. They had skills but they didn’t know where to show them. So they attacked lots of systems just for fun or for showing off, but the companies which were attacked could go bankrupt. Today is different: organizations encourage and invite individuals to come and help them find defects in their systems.
Links: https://threatpost.com/yelp-launches-public-bug-bounty/120369/
-
Researchers have said that the US 911 emergency phone system is vulnerable to DDoS attacks; they have found a way to disable the service across an entire state for an extended period.
The researchers claim that they have found a way to disable the emergency system across an entire state by using a TDoS attack (Telephony Denial of Service). The 911 emergency infrastructure depends on routing calls to public safety answering points (PSAPs). Hackers can cause mobile phones to call 911 and clog the lines, preventing legitimate users from getting through.
This is basically because of the Federal Communications Commission (FCC) regulation which states that all calls have to be forwarded to a PSAP. This is an excellent example that IT systems and their regulations have to be updated on a regular basis, and that threats have to be identified early and the necessary action taken at the appropriate time.
-
This is interesting. I never knew that sharing information about cyber attacks was sue-able. This is definitely a step in the right direction towards combating the same enemy. But it also makes me wonder: what if the cyber attack came from a competitor?
-
Binu,
Very interesting article. It never really struck me that even the 911 service is exposed to an attack like TDoS. It surely poses a big threat to the critical infrastructure of the country (if I may). And I strongly agree: with time and evolution taking place in technology and the environment, systems should be updated as well.
-
“A new hacker money-making strategy: Betting against insecure companies on Wall Street”
The article discusses a cyber security research firm named MedSec that found a flaw in a medical device from St. Jude Medical and then partnered with a financial firm to release the results publicly. MedSec received a portion of the profits from short selling St. Jude’s stock instead of disclosing the vulnerabilities to St. Jude. The vulnerabilities concern a heart implant and could allow an unauthorized user to speed up the pace to dangerous levels, or quickly drain the batteries. Typically, research firms share their findings with the companies to fix the vulnerabilities before they are released publicly, preventing hackers from exploiting them. MedSec contends that the revenue will help support the time-intensive research required to discover flaws. Critics worry that publicly disclosing vulnerabilities before they are fixed will allow hackers to exploit them in the meantime.
-
The article I read this week is called “Google to Shame Unencrypted Websites,” written by Tara Seals of Infosecurity Magazine. The article explained that Google Chrome, a web browser, will start “shaming” unencrypted websites beginning in January. It will mark HTTP login pages as “not secure” in a window next to the address bar, using a red triangle indicator.
Chrome indicates that when someone loads a website over HTTP, other people on the network can look at or modify the site before it gets to you.
So what do people do for now?
A substantial portion of web traffic has transitioned to HTTPS, and more than half of Chrome desktop page loads are now served over HTTPS. However, many organizations and companies still blindly trust all encrypted traffic. So I hope more and more users pay attention to those sites and reduce cyber-attacks.
In addition, HTTP stands for Hypertext Transfer Protocol, and HTTPS stands for Hypertext Transfer Protocol Secure. Instead of acting as its own application layer protocol, it uses separate protocols called SSL (Secure Sockets Layer) and TLS (Transport Layer Security).
http://www.infosecurity-magazine.com/news/google-to-shame-unencrypted/
-
DARPA Cyber Grand Challenge (CGC)
Back in 2013, the Defense Advanced Research Projects Agency (DARPA) hosted a worldwide competition to develop the world’s first autonomous bug-hunting machine, with a $2 million first place prize. Three years later, on Aug 6, 2016, seven finalists presented their prototypes to DARPA; all seven teams received awards, and DARPA is on its way to preventing zero-day attacks.
The final competition resulted in the machines being able to author 421 replacement binaries that were more secure than the originals and 650 unique proofs of vulnerability. According to DARPA CGC Program Manager Mike Walker, the machines were able to detect zero-day attacks and respond to the attack immediately.
The CGC winner was then challenged to a “capture-the-flag” at DEF CON 24, where each team is given a network full of weaknesses, against some of the best competitors. The team must simultaneously patch its network to defend against attacks while also developing breaches for the opposing teams’ networks. Unfortunately, the CGC winner took last place in that competition. Although Mayhem, the CGC-winning machine, has not yet reached maturity, it has opened a new door for predictive cyber defense.
You can read more here: http://www.defense.gov/News/Article/Article/906931/three-teams-earn-prizes-in-darpa-cyber-grand-challenge
-
REPORT OUT ABOUT THE WORST CYBER ATTACK ON A FEDERAL AGENCY
A breach that occurred first in 2014 and was detected only in April 2015 at the Office of Personnel Management, a federal agency, points to poor security control processes followed in the agency. This was the worst cyber attack on a federal agency in recent history. As many as 22 million federal employees’ private records were said to have been exposed.
Investigation into the breach found that the agency’s management was lax about following safety measures with respect to cybersecurity, and that there were a number of known vulnerabilities left unfixed well before the breach occurred in 2014. Even when the initial breach was identified, the agency focused only on containing the attack and not on fixing the vulnerabilities. While the agency focused on containing the initial breach, another group of hackers stole millions of highly personal background check records.
Source : https://krebsonsecurity.com/2016/09/congressional-report-slams-opm-on-data-breach/
-
The US Gets Its First Cyber Security Chief
Last Thursday, the White House named a retired brigadier general as the government’s first federal cyber security chief. In fact, General Gregory Touhill will be the first Chief Information Security Officer (CISO) of the United States of America. His job will be to protect government networks and critical infrastructure from cyber threats. President Obama announced the new position in February and proposed a budget of $19 billion to the Congress for cyber security across the US.
With the multitude of breaches against the government and the private sector this past year, the Obama administration has decided to make cyber security a top priority. Most recently, US intelligence officials have suspected Russia of the state election system breaches. They think Russia was trying to interfere with the US presidential election.
General Touhill is currently a deputy assistant secretary for cyber security and communications at the Department of Homeland Security, and will begin his new role later this month.
Source: http://www.thefiscaltimes.com/2016/09/08/US-Gets-Its-First-Cyber-Security-Chief
-
EU Enacts New Law To Improve Critical Infrastructure Cyber Security
According to the article found on Security Magazine’s website, the European Union has enacted a new law named the EU Network and Information Security (NIS) directive. This law is one of the first of its kind for the EU and aims to improve cyber security around critical infrastructure. The NIS directive requires each country to identify key infrastructure, which can include services such as energy, transportation, banking, health, drinking water supply, and even cloud services. These services will need to comply with this new IT infrastructure framework, which will be required of all member nations. The goal of this initiative is to create a baseline cyber security standard across the EU and use it as a way to collaborate among the different countries. On top of this, each country will have to establish “Computer Security Incident Response Teams to handle incidents and risks, discuss cross-border security issues and identify coordinated responses”.
It seems that as cyber security issues continue to arise, governments around the world are looking to step up their cyber security practices to mitigate these cyber risks. One can look at Said’s post, which states that the United States has just hired its first CISO and proposed a budget of $19 billion to Congress for cyber security across the United States. Since the EU is extremely interconnected, much like the states within the United States, this directive not only allows for collaboration but also makes each nation responsible for addressing the cyber risks that can affect them all. With both the EU and the United States taking measures to make sure that they protect their key infrastructure from cyber threats, hopefully this could result in fewer cyber-attacks.
-
Security from the Ground Up: The Need for Data Classification
The article I found is about data classification and its importance within an organization. This article emphasizes the fact that when talking about data breaches we too often think about external threats and focus on firewalls, encryption and network monitoring as the best tools to secure data. However, the biggest data threats are the threats from within, caused by employees who constantly use data sharing tools such as email or social media without even knowing the negative consequences. Most of the time, employees do not know the value of the data they are sharing. It is important to familiarize them with the correct policy procedures and to properly train and inform them. The idea is not to install technologies to protect data and expect employees to use them. We all know that too much security can be tedious, and employees can definitely get around it unless they know the value of the data they are sharing. In this light the article mentions data classification as a good security tool. Indeed, “When data is classified, organizations can raise security awareness, prevent data loss and comply with records management regulations. By classifying data, employees will be aware of the information they are handling and thus adopt a more careful behavior.”
In sum, the idea of data classification is to keep security top of mind for employees as they classify every piece of data they handle.
http://www.infosecurity-magazine.com/opinions/security-ground-data-classification/
-
12th Sept 2016
Patch management, yet again proved to be most important preventive control!
Dawid Golunski, a researcher, has found many vulnerabilities in existing MySQL versions. One of the most critical is a zero-day vulnerability, the kind of attack the IT industry dreads. The vulnerability is tracked as CVE-2016-6662 and can be targeted by running arbitrary code using root privileges.
How is the vulnerability exploited?
A web interface like phpMyAdmin can be used along with SQL injection to authenticate to the MySQL server without a direct connection.
How many systems are affected?
The MySQL versions 5.5, 5.6 and 5.7 are all exploitable. Linux security models are not enough to protect from this attack.
Is this true?
Dawid Golunski has submitted proof-of-concept code to Oracle.
Does it affect you?
The patches released by the PerconaDB and MariaDB developers were made available in public repositories, potentially allowing malicious actors to start exploiting the weakness.
What is the solution?
Oracle must dispatch patches to close this vulnerability.
Source: http://www.securityweek.com/critical-mysql-zero-day-exposes-servers-attacks
-
“The Ransomware Dilemma: Is Paying Up a Good Idea?”
With the booming development of the smart phone industry, the personal smart phone is becoming a new way for attackers to earn money through ransomware. Unlike PC users, smart phone users usually underestimate the importance of protecting themselves from ransomware; some of them don’t even know what ransomware is. If someone downloads ransomware to his phone, the operating system of the smart phone will be locked, and only the attackers know the code or password to unlock the phone. If the smart phone user wants to recover his phone, in most cases he has to pay the attackers. What people should really do is control the risk preventively: don’t click on those phishing websites or download ransomware.
Source: http://www.securitymagazine.com/articles/87431-the-ransomware-dilemma-is-paying-up-a-good-idea
-
Rightly pointed out, Alexandra. Employees can unknowingly do certain things which can be a big challenge, especially while transferring data.
I think a solution like Data Loss Prevention software can be used and will prove beneficial in highlighting whether any sensitive data is being sent outside the organization.
-
That is huge. Exploiting vulnerabilities at the cost of someone’s life is the biggest threat that humans can experience. After reading your article I did some research myself and I am shocked, as attacks on medical devices have been the number one threat in 2016!
Hackers are exploiting vulnerabilities to deploy ransomware. Let alone devices like pacemakers and insulin pumps, think about attacks on surgical robots! All of this has put human life at stake.
Earlier this year, the FDA issued a letter warning hospitals and patients that a pump commonly used to ration out proper dosing of medicine in IVs could be vulnerable to attack.
Source: http://www.popsci.com/hackers-could-soon-hold-your-life-ransom-by-hijacking-your-medical-devices
-
Indeed, identity theft is a serious problem. The article mentioned that the bank allowed employees to access customers’ personal information, which is a potential risk for data leaks. Actually, my best friend lost over 6K USD a couple of months ago because someone stole his personal information and used his credit card to purchase on different websites. Therefore, I think this article has a good point.
-
“Companies more concerned with private data than with hackers”
As information security has become a priority, businesses are more concerned with the loss of private data (47%) than with disruption by hackers (26%). Employee misuse of new technology (7%) has become a new and growing threat.
Nowadays employers focus more on employees’ data security education, but 20% of employers still have no awareness of the need to educate their employees on data security.
-
2.5 Million Possibly Impacted by New Malware in Google Play
Two pieces of malware managed to slip through Google Bouncer and were made available via Google Play. The two were disguised as apps as well as embedded in many top-rated apps in the store. The first, called CallJam, was designed to make fraudulent phone calls through the allure of free in-game currency. The second, called DressCode, creates a botnet of infected devices, most probably to generate ad clicks and false traffic.
http://www.securityweek.com/25-million-possibly-impacted-new-malware-google-play
-
“Millions of iOS Users Install Adware From Third-Party App Store”
The article I’m interested in is about adware on iOS. Even though Apple has a rigorous verification process in place to ensure that malicious applications are not published on its official app store, millions of iOS users still can’t be free from malicious apps, which not only display ads but also consume victims’ mobile data traffic and expose their personal information.
The loophole is: Apple allows organizations to create and distribute in-house apps that are signed using an enterprise certificate. So once the enterprise certificate is misused and developers release malicious apps on a third-party app store, the adware can easily escape from control. For example, on the Vietnam-based HiStore, experts discovered an adware-laden Pokemon GO app that had been downloaded more than 10 million times.
To cope with this situation, the company is quick to revoke misused certificates; however, the adware developers could also quickly replace the revoked certificates. Experts found more than five certificates being used in 15 days.
From the view of preventive controls, Apple could evaluate and reassess the policies where loopholes exist to prevent re-occurrence. From the view of customers, well, don’t download apps from third-party stores.
Source: http://www.securityweek.com/millions-ios-users-install-adware-third-party-app-store
-
Creating a Culture of Data Safety Through Classification
This article explains the importance of data classification in implementing security solutions. As we all know, the weakest link in the security chain is employees, and this article emphasizes the importance of creating a security-focused work culture. Data classification is one solution that helps organizations enforce security policies, educate and remind users about data security, and empower employees to take responsibility for data security.
Data classification can help everyone in an organization, not just the IT team, take part in the security of their data and of their reputation.
-
Ming,
Nicely pointed to preventive controls! Trying not to download malicious apps from third-party stores is the way that can help mitigate the risk.
-
That’s a great point. I would argue that there are cyber cases where competitors would absolutely attack a competitor for information. Also, in some cases, the competitor happens to be an international entity. I have read about other foreign governments attempting to steal the latest designs of US government equipment and assets. Great point and definitely something interesting to think about, both domestic competitors in the US and international competitors around the world.
-
Uber reportedly invested $500 million to build a better mapping system
The article I read is about Uber’s reported plan to invest $500 million to build a better mapping system. In addition, Uber hired Microsoft engineers to support its map work. I was glad to hear this news because I take Uber very often, especially since Uber launched the Uber Pool service. So I am actually very excited to test out this new Uber experience.
The goal of this investment is to improve core elements of the Uber experience. The street imagery captured by the mapping cars will give a better idea of ideal pick-up and drop-off points and the best routes for riders and drivers.
Nevertheless, Uber also benefits from mapping by collecting data from drivers driving to different locations globally. Combined with the data Uber will gather with its expanded mapping system, I believe it’s a win-win strategy for Uber and it is definitely worth the investment.
Source:
Uber reportedly invested $500 million to build a better mapping system
-
Are the actions that the MedSec and financial firm partnership took legal? I would assume not. Definitely a scary thought. I would be curious to know the number of cyber attacks that are carried out for financial gain. I would also assume that it would be a large share of the total attacks per year. I think with the ability to release things to the public anonymously, this is tough to track and correct. I see issues/stories like this increasing the need for cyber strategies and investments.
-
I’ve read that it is more difficult for developers to release apps on iOS than on Google Play, which can be frustrating but also beneficial from a security perspective. Google approves apps much faster than Apple, but they are more prone to security risks.
Security is one of the main reasons why I have kept my iPhone. Not that there aren’t any issues with iPhones, but they do generally have better security than Android devices. Most Android phones do not have the latest OS because every manufacturer and carrier must release it themselves, as opposed to Apple, which can release updates at will. I’ve always worried about a security flaw being discovered and having to wait a year to receive an update to fix it.
-
Last week on Bloomberg radio 1130AM, John McAfee, the creator of McAfee security products, went on the air to talk about new innovation in the security arena. He is the CEO of MGT Capital Investments, an investment firm working on numerous futuristic technological products. One exciting claim he made was that he believes his product will eliminate the ‘cloud’. But this isn’t what I am posting about. I am posting about another product in the company portfolio. It is a pro-active security application.
He explained that malware can only be detected after it has been installed on a device, and it may take months to detect, or you may not detect it at all and find out on the news that your company’s information has been breached. His new product will pro-actively monitor areas of the system used by hackers. He has hired some of the world’s best hackers to create a strategy to target the people they once identified as.
You can see the entire interview on Bloomberg radio, but I wanted to share a quick 2 minute video about his take on U.S. cyber security, in which he talks about a 15 year old child hacking into the FBI database.
http://www.bloomberg.com/news/videos/2016-09-07/john-mcafee-u-s-is-not-no-1-in-cybersecurity
-
The article is “Say Goodbye to Passwords, and Hello to Security Keys”
http://www.infosecurity-magazine.com/news/say-goodbye-passwords-hello/
If somebody’s personal device can recognize its user and authenticate them securely to a remote resource, passwords can become a thing of the past. These were the words of Google’s Christiaan Brand, speaking at the Gartner Security & Risk Management Summit in London this week. Security keys were specifically designed to address the issues with one-time-password-based two-step verification.
For Brand, this comes down to three main hurdles that are yet to be fully addressed across the industry:
Does it work for mobile? How do we deploy at scale? What if the key is lost?
-
I referred to this last week in the News section…
Very scary situation. The government has recently contacted the people affected and provided them a risk response to identity theft. It takes some effort and costs money for the individual! I am sure it costs money on both ends (meaning those affected and the US government).
I find this very interesting and I think this is proof that EVERYONE (from small to large businesses, individuals, etc.) needs to invest in their cyber infrastructure and strategy.
-
The article talks about how the important nature of data is driving laws, regulations and security controls. The business enterprise spectrum is now faced with the challenge of how to classify data.
To implement an effective data management program:
• Improving enterprise awareness around the importance of data classification
• Abandoning outdated or realistic classification schemes in order to adopt less complex ones
• Clarifying organizational roles and responsibilities while simultaneously removing those that have been tailored to individuals
• Focus on identifying and classifying data, not data sets.
• Adopt and implement a dynamic classification model.
A company must either build these competencies in-house or work with a trusted third party to move through these steps in terms of awareness of data classification.
Source:
Is Data Classification a Bridge Too Far?
http://news.sys-con.com/node/3896295
-
As for the legality, it is possible to argue that this is not insider information. It is close to a “short and distort”, but that has the intent that the rumor being spread is false, while in this case the flaw is true. We are also not dealing with pure financial information, as the information doesn’t guarantee a rise or fall in the stock, although it often would send it down. What if someone wanted to short Apple after hearing they removed the headphone jack from their signature item? It doesn’t seem like the SEC has done anything to Muddy Waters (the financial firm) yet, but they are within their rights to try the case even if it fails.
-
I wish the article went more into the guts of these systems. The tone is almost that of a BattleBots competition more than of a game of chess. It is hard to tell if they are coding brand new services from scratch, or if they already know what a secure framework is supposed to look like in general and then work from there to make new code. I’m sure the competition is not a good spectator sport, as it would look mostly like The Matrix code flying across screens as it is written in the short timespan of the rounds.
I do like that technology is increasing its role in assisting experts. Bug hunting is tedious work; large companies often place bounties on their bugs instead of troubling their own developers, hoping the wisdom of the masses will figure them out. Maybe coding software will have these as its back-end one day, nudging you toward more secure coding.
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Excellent work discussing the questions, augmenting each other’s assessments, assertions and recommendations in your blog posts! Also, nice job getting started with your research and finding articles for the […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Summary
It was great to meet you in class. Thank you for our classroom discussion and your excellent questions, comments, and pointing out issues and inconsistencies between the Blog and Syllabus […]
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
-
http://www.securityweek.com/kelihos-botnet-triples-size-overnight
This article is about how a low profile botnet distributor, Kelihos, managed to infect over 34,000 computers by sending spam. Kelihos’ botnet was only affecting users in low numbers, but recently it started to drastically increase and affect people by the thousands. It used something called ransomware, a type of malware that infects email unless users pay a ransom to get back access. Since it has no targeted geography, it seems almost anyone can be affected. This is a major security issue because any email that doesn’t look threatening may pose a threat because it looks like a real company sent it. For example, if a user receives an email from UPS and opens it, it could be fake if the user hasn’t ordered anything to be delivered. It is something we should look out for more carefully, since some email accounts do not filter spam properly.
-
Kimpton Hotels was subject to a credit card breach at over 60 of its restaurants and hotels from February to July 2016. A high risk in the hospitality industry is the loss of customers’ data. In the past, other breaches of hospitality companies have come from malware on the point-of-sale system. The malware for this breach, however, was installed on the servers that process the payment card information. They currently do not know what the source of the malware was. The most troubling thing about the breach is how long it took to identify. Because the hospitality industry is such a hot target for criminals looking to steal customer data and payment card information, companies must do everything they can to prevent and detect cyber breaches. Kimpton Hotels’ cyber security program failed its customers, as they did not have vigorous enough protocols in place to prevent or detect this breach for 6 months.
-
That is huge damage! As posted by Mandiant in 2015, on average hackers spend 146 days on the system before the attack is noticed. This is a positive sign considering the average time of 205 days in 2014.
In the news you posted, the attackers probably used the data to exploit users. Mandiant has claimed that since 2014 the number of disruptive attacks, where hackers delete all critical business data, has increased.
-
The incident is supposed to have happened in May 2016, and it was published around August 1st, 2016.
-
Hacker Claims to have access to 200m Yahoo user records! Yahoo says they are investigating!
A hacker named Peace has claimed that he has access to 200m credentials of Yahoo users. The hacker confirmed to Motherboard that he was selling these accounts privately, and now they are on the dark web for sale. The cost of each credential is around 3 bitcoins, that is $1860.
This dataset is from the year 2012 as per the investigations by Motherboard.
The verification:
Motherboard had around 5000 records that were tested. Most of the accounts (around 100) returned values saying that the account does not exist. This proves that the data is not current or that the accounts have been disabled. There is a possibility that the users must have changed passwords, hence the result.
What Yahoo says:
Yahoo has neither accepted nor denied the claim. They say they are investigating the matter to confirm.
What users must do:
Generally, when accounts are compromised, providers ask users to reset the account passwords. Users must reset the credentials to be on the safer side.
Source: [https://motherboard.vice.com/read/yahoo-supposed-data-breach-200-million-credentials-dark-web]
-
A Canada-based PoS (Point of Sale) vendor, Lightspeed, suffered a hacker attack on its central database, which contained customer information. Lightspeed has more than 38,000 customers across 100 countries, processing transactions to the tune of $12 billion annually. As per Eduard Kovacs at Securityweek.com, Lightspeed stated that there was no evidence of information being taken or misused. Despite the central database containing sales, product, and customer information such as encrypted passwords and electronic keys, the attackers wouldn’t have been able to get the credit card numbers or other sensitive data due to the encryption technology in place. The card data is encrypted at the PoS and Lightspeed does not store the encryption keys, thereby preventing access to credit card info.
This could serve as an example of how having multiple types of control in place is beneficial in case of failure/breach of one control.
Original article at: http://www.securityweek.com/pos-vendor-lightspeed-suffers-data-breach
-
I read the article “Why Your Firm Should Demonstrate Information Security”. It was written by the Chief Information and Security Officer at Dickinson Wright PLLC, Michael P. Kolb. The article described how law firms are seeing an increase in audits and, as a result, how firms are starting to commit to information security. For Dickinson Wright, this commitment involves being ISO/IEC 27001 certified and three key steps: Inter-Departmental Cooperation, Educating Employees on the Importance of Information Security, and Developing a Proactive Approach to Information Security. ISO/IEC 27001 was designed to: “preserve the confidentiality, integrity and availability of information by applying a risk management process while providing confidence to interested parties, particularly clients, that risks are being adequately managed.” The team was able to get certified, and as a result Michael has already seen some of the payoffs. He has seen his company gain increased inter-departmental support as well as increased mindfulness among employees regarding the importance of information security management. The firm is also better prepared to respond to audits and secure its data.
Why Your Firm Should Demonstrate Information Security (Perspective)
-
These issues tend to scare me. It reminds me of a 2015 story (to a lesser degree) in which the US government was hacked and 21 million social security numbers were taken. The government is now notifying and helping the individuals that were affected. The affected individuals have to do way more than the above Yahoo users. It just shows how important cyber security is these days. Everyone (including the Government) needs to invest more in the cyber field to secure their medical records, social security numbers, bank account info, etc.
-
http://www.usnews.com/news/articles/2015/07/09/more-than-21-million-affected-by-government-hacking
^ Here is an article that goes over what I was referring to. Thanks, Priya. Great article post!
-
Article: “Inteno Router Flaw Could Give Remote Hackers Full Access.”
According to this article, a critical new router vulnerability could allow “remote attackers to replace the firmware on a device to take complete control over it, and monitor all internet traffic flowing in and out.” Three models are confirmed to carry the risk of giving hackers full access to the system: the Inteno EG500, FG101, and DG201 routers. F-Secure believes that other models may have the same issue. According to F-Secure cybersecurity expert Janne Kauhanen, if the attackers change the firmware, they can change any rules of the router, which means the internet traffic flowing through it is no longer safe. But Janne also points out the importance of users keeping browsers and other software updated to prevent hackers from attacking the router. In addition, antivirus software can also prevent many malware downloads, which can also prevent hackers from gaining the initial foothold into the network.
Source: http://www.infosecurity-magazine.com/news/inteno-router-flaw-remote-hackers/
-
Thank you for sharing the link, Ian. I read the article and I think declining an attack would be the worst mistake. Even if there is a possibility of attack, organizations should alert the users so that they can take preventive steps.
ex. Changing the credentials so that the hacked data is obsolete.
-
http://www.technewsworld.com/story/83860.html
The article reveals how important information security is to the defense sector. The hackers have stolen more than 22,000 secret pages pertaining to the Scorpene class submarine.
It's a submarine which has been acquired as part of a defence purchase by the Indian Navy from French defense contractor DCNS.
The defense manufacturer was expected to deliver the 6 submarines by end of year and there were definite talks within the Indian Navy to order more submarines from the defense manufacturer in the coming time.
But with the leakage of critical data the submarine manufacturer may lose its future contracts for submarine manufacturing from the Indian Gov as well as other countries like Australia who were thinking of purchasing the Scorpene class submarines from the contractor.
-
Article: “Modernizing Security”; Topic: Understanding an Organization’s Risk Environment
The clear business security issues were shown:
- Most employees steal proprietary data when quitting or getting fired from an organization.
- Nearly all employees are vulnerable to exploit kits.
- Four out of five breaches go undetected for a week or more. Some take up to a year.
- Just over a third of global organizations feel they are prepared for a sophisticated cyberattack.
- Generally, when an organization is targeted for attack, the attackers need only minutes to bring about a compromise.
- Most organizations lack the means to track and control their most sensitive data.
- Most organizations lack clear security guidelines, policies, and reinforcement through training.
It is time for each person to know that every action must be viewed through the prism of security, and activity must be conducted in accordance with defined, attendant, values and standards. Today, the organization must value security: it must train to, and perform to, specific security standards in direct match to the organization’s business, environment, risk, and related needs – actually in excess of those – being that risk is escalating all the time. Security must occupy a priority in new employee orientation, with updated refresher trainings, internal organizational newsletters, and addressal in various meetings and internal forums. Be aware that data security is not the sole province of IT. It is the province of the organization. Source: http://windowsitpro.com/security/modernizing-security
-
Synopsis of “Report on Cardiac Device Cyber Vulnerabilities Fuels Debate”
It is no doubt that technology has expanded to great lengths, especially in the medical industry. Researchers are working with pacemakers and implanted defibrillators that are as susceptible to cyber attacks as any new technology on the market. This article specifically talks about St. Jude’s Medical implantable devices that were “ethically” hacked by security research company MedSec. Instead of reporting the vulnerabilities to the manufacturer and the FDA, MedSec released the information to Muddy Waters Capital, which later short-sold St. Jude’s medical stock.
MedSec’s CEO explained that St. Jude Medical failed to correct known vulnerabilities in their devices and they basically took matters into their own hands. They publicly announced that there were vulnerabilities, but the details were not revealed, leaving doubts in the public. Although MedSec did nothing illegal, they are criticized for how they went about reporting the problem and the legitimacy of their findings due to their ties with Muddy Waters Capital. Source: http://www.databreachtoday.com/report-on-cardiac-device-cyber-vulnerabilities-fuels-debate-a-9365
Do you think that MedSec did the right thing?
-
The article I chose is about Dropbox and the lessons learned from the data breach they suffered 4 years ago. For those of you who were not aware, in 2012, millions of stolen usernames and passwords were used to successfully access some Dropbox accounts that had crucial information on individuals and businesses.
Following that incident Dropbox reinforced their information security. Below is a list of what Dropbox and users can do differently in order to protect sensitive data.
1. Never re-use a password
2. Change passwords regularly
3. Enable two-factor authentication or 2FA (which is an extra layer of security that, in addition to requiring a simple username and password, asks the user for something that only the user knows)
4. Never completely trust service providers (which means adopting a customer-first approach and having an open dialogue about security)
5. Take responsibility for data protection: users should be responsible for what they decide to store in Dropbox and not entirely rely on third party security measures.
6. Use data-centric security
7. Get visibility of enterprise data in the cloud: firms need to monitor and control the type of data exposed in the cloud
8. Monitor for anomalous activity: businesses, Dropbox included, need to carefully monitor technology
As we can see from this article, users represent information security vulnerabilities for Dropbox and vice versa.
http://www.computerweekly.com/news/450303585/Lessons-from-the-Dropbox-breach
-
All of my information was captured in that OPM hack from my SF-86 data for my govt clearances.
-
“Creating a Risk Intelligent Organization”
This article discusses how many businesses have spent a lot of time building risk frameworks and processes to mitigate risks, but how they often fail from a lack of risk oriented culture. The author describes the importance of how risk awareness throughout a business’s culture, from the top to the bottom, is the most important part of risk control because as employees take a meaningful and committed approach to risk awareness it filters positively to their individual jobs and processes they have roles in for the business. Key elements of a “Risk Intelligent Organization” are given to provide a better understanding of the concept and to be able to identify a successful implementation.
-
The New Security Mindset: Embrace Analytics To Mitigate Risk
This article relates how security professionals have been working to find weaknesses in their systems. According to the author Todd Thibodeaux, “fewer than half of information security professionals feel their organizations’ security is completely up to par”. In fact, businesses spend millions on their enterprise security. However, investing in infrastructure and security solutions is not enough today. The mindset has been “think like a hacker to stop a hacker”, and yet systems are still vulnerable. IT leaders have to innovate and initiate a different way of thinking.
The new approach, according to Thibodeaux, would be “to properly analyze today’s networks to see where traditional security measures fail”. In other words, security professionals should conduct a deep analysis of their network and then analyze the results in order to identify key areas of risk. He also recommends that security professionals must figure out what makes their organization an attractive target and tackle cybersecurity from a data-driven viewpoint. The bottom line is to be as creative as hackers in order to protect networks and systems.
-
The first point in the article is very important and why controls around terminating employee access are so important. When an employee leaves an organization their access needs to be disabled as quickly as possible to prevent them from taking as much proprietary information with them as possible. Most companies have a termination control in place that says something to the effect of ‘when a user is terminated their access is deactivated in a timely manner’ and every organization defines timely differently. One company I worked with went a step further with their termination control which I thought was very smart. They split out people who were leaving the company into two different groups, people who resigned and people who were fired. For people who resigned the termination control was that their access would be terminated within 2 days of them leaving. For people who were fired their control stated that the access would be terminated before the user was informed that they were being fired. They did this because they believed that users who voluntarily left were a lower risk than those who were being fired. They believed that users who were fired would be more disgruntled and therefore more likely to try to steal proprietary information before leaving.
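An added example, not part of the comment above or any company's code: a small Python audit that checks termination records against the two-tier control just described (resigned users disabled within 2 days of leaving, fired users disabled before they are informed). The record layout, user names and timestamps are constructed for illustration.

```python
"""Audit of a two-tier access-termination control (added example).

Encodes the policy described in the comment above: resigned users must be
disabled within 2 days of their last day; fired users must be disabled before
they are told. Record layout and sample records are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

RESIGNED_GRACE = timedelta(days=2)   # "within 2 days of them leaving"


@dataclass
class Termination:
    user: str
    kind: str                            # "resigned" or "fired"
    last_day: datetime                   # last working day (resigned) or firing date
    access_disabled: Optional[datetime]  # when the account was deactivated; None = still active
    informed: Optional[datetime] = None  # when a fired user was told (fired only)


def evaluate(t: Termination) -> tuple[bool, str]:
    """Return (compliant, reason) for one termination record."""
    if t.access_disabled is None:
        # An account that is still enabled fails either tier of the control.
        return False, "access still enabled"
    if t.kind == "resigned":
        deadline = t.last_day + RESIGNED_GRACE
        if t.access_disabled <= deadline:
            return True, "disabled within 2 days of departure"
        late = t.access_disabled - deadline
        return False, f"disabled {late.days} day(s) past the 2-day window"
    if t.kind == "fired":
        if t.informed is None:
            # Without the notification timestamp the ordering cannot be proven.
            return False, "notification time missing; ordering unverifiable"
        if t.access_disabled < t.informed:
            return True, "disabled before the user was informed"
        return False, "disabled after the user was informed"
    return False, f"unknown termination type {t.kind!r}"


def audit(records: list[Termination]) -> dict[str, tuple[bool, str]]:
    """Evaluate every record; maps user -> (compliant, reason)."""
    return {t.user: evaluate(t) for t in records}


def noncompliant(records: list[Termination]) -> list[str]:
    """Users whose termination broke the control (the audit finding)."""
    return [u for u, (ok, _) in audit(records).items() if not ok]


# Constructed sample records (hypothetical users and timestamps).
SAMPLE = [
    Termination("alice", "resigned", datetime(2016, 9, 2, 17, 0),
                access_disabled=datetime(2016, 9, 3, 9, 0)),
    Termination("bob", "resigned", datetime(2016, 9, 2, 17, 0),
                access_disabled=datetime(2016, 9, 7, 9, 0)),
    Termination("carol", "fired", datetime(2016, 9, 6, 10, 0),
                access_disabled=datetime(2016, 9, 6, 9, 45),
                informed=datetime(2016, 9, 6, 10, 0)),
    Termination("dave", "fired", datetime(2016, 9, 6, 10, 0),
                access_disabled=datetime(2016, 9, 6, 10, 30),
                informed=datetime(2016, 9, 6, 10, 0)),
    Termination("erin", "resigned", datetime(2016, 9, 2, 17, 0),
                access_disabled=None),
]

if __name__ == "__main__":
    for user, (ok, why) in audit(SAMPLE).items():
        print(f"{user:6} {'PASS' if ok else 'FAIL'}  {why}")
```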
-
Cyber Threat Grows for Bitcoin Exchanges
The article describes a recent hack of a bitcoin exchange for $70 million and the risks of bitcoin exchanges. The hack is the largest since 2014, when hackers stole $350 million from a Tokyo bitcoin exchange. According to the article, between 2009 and 2013 approximately 33% of bitcoin exchanges have been hacked, and 48% of bitcoin exchanges closed between 2009 and 2015. Many exchanges also allow customers to hold virtual currency in the exchanges, similar to traditional banks. Unlike banks, bitcoin exchanges are not required to purchase federal deposit insurance, leaving customers with little recourse to recoup lost assets.
Each loss is handled differently. In the hack referenced in the article customers lost 36% of assets on the exchange, and were compensated with equity in the parent company. The bigger the exchange, the larger target they become for hackers.
http://www.nytimes.com/reuters/2016/08/29/business/29reuters-bitcoin-cyber-analysis.html
-
This article explains how this past Thursday, Apple fixed critical vulnerabilities in its Safari desktop browser and its OS X operating system. This security issue revealed that the iOS system let malware spy on and monitor a user’s phone calls and text messages. This flaw not only affected Safari on mobile devices but the desktop version as well, due to sharing the same codebase. Apple’s advisory stated that the Safari 9.1.3 bug could allow a hacker to execute arbitrary code on an unsuspecting victim’s Mac by tricking the person into visiting “a maliciously crafted website.”
Unfortunately, this vulnerability came to light when human rights activist Ahmed Mansoor’s iPhone was penetrated by hackers, who used the same hacking technique. Ahmed stated that he received a text message from a cyber war company with a link to malware that would have jailbroken his handset and installed surveillance software. If activated, Ahmed would have allowed NSO access to the phone’s camera, microphone, and GPS. According to Citizen Lab researcher Bill Marczak, “Not only could NSO infect iPhones at the touch of a link, but it seems that the vulnerabilities they were exploiting could be weaponized to target many different platforms”.
Conversely, due to Ahmed Mansoor’s willingness to share his story, he allowed Apple to make security improvements. Apple was able to fix the issue by improving how iOS devices access memory, as well as a reinforcement which prevents visits to malware-laden websites.
http://www.pcmag.com/news/347562/apple-patches-safari-os-x-flaws-to-prevent-snooping
-
Sensitive User Data Exposed in OneLogin Breach
This article is about a breach in one of OneLogin’s services, Secure Notes, which allows users to store sensitive information such as passwords and license keys. You would think that such a service would keep security as its number one priority, but apparently a bug caused the data to be visible in clear text in OneLogin’s log management system before it was encrypted and stored in the database. Hackers were able to tap into this vulnerability and viewed the logs containing the information after stealing an employee’s password. 1,400 enterprises were affected, but OneLogin responded by limiting login access to a limited set of IP addresses and resetting passwords.
Source: http://www.securityweek.com/sensitive-user-data-exposed-onelogin-breach
-
Kimpton Hotels Hit with 6-Month Card Data Breach
This incident happened between February and July 2016 and it was published recently. The hotel chain confirmed a credit card breach at its 60+ restaurants and hotel front desks. The details of the damage are still unknown. Kimpton said the malware was installed in its servers that processed credit cards. The malware, which is different from the normal Point of Sale malware, is able to track, read and record data from the magnetic stripe of a credit card as it was routed through the affected server. Also, free Wi-Fi is a profitable breach target because it is easy to install malware with low protection.
This control risk environment is very important for an organization, especially hospitality companies. They must deploy the latest developments in endpoint protection to protect their customers. Securing the web gateways that actually prevent breaches through the most advanced methods available to the industry today is also a very effective way to protect sensitive data.
http://www.infosecurity-magazine.com/news/kimpton-hotels-hit-6-month-card/
-
The news that I wanted to share for this week is related to the vulnerability of web-based accounts demonstrated by a Romanian hacker.
A former Romanian taxi driver was able to hack emails and social media accounts of celebrities and politicians late May this year. He gained access through weak passwords and then accessed their correspondence.
In this article password management is explained. It was mentioned that although the authentication of web-based systems is weak, he was able to access accounts from rural Romania to U.S. account holders, including revealing Hillary Clinton using a private email.
In order to mitigate authentication risk, implementing a unique and strong two-factor authentication process and using a password manager is suggested. http://www.databreachtoday.com/guccifer-hacker-sentenced-to-52-months-a-9379
-
Paul,
It is funny you mention this article because I was going to post the same incident. I can’t seem to find the episode, but I remember watching Bill Maher last season and he was talking about Hillary’s private server and how other high level officials are using similar private systems for government business. The reason was mentioned by an FBI technology expert who suggested our government’s system is so outdated, it is more efficient to use a private network.
I am not an expert, but if this is true, will we ever be secure if we don’t modernize our systems and implement higher level security solutions?
-
INCIDENT: All businesses that handle cardholder information are required to comply with PCI-DSS, which is the Payment Card Industry Data Security Standard. Despite implementing PCI-DSS, Hutton Hotel’s payment processor notified it of a possible breach compromising its customers’ credit card information.
According to the breach notification, “Findings from the investigation show that unknown individuals were able to install a program on the payment processing system at the Hutton Hotel designed to capture payment card data as it was routed through the system.”
To make the matter worse, the customers’ payment card details were compromised for more than three years, as the breach included payment card information of the people who placed reservations with the hotel from September 19th, 2012.
RESPONSE: Hutton Hotel is now using a stand-alone payment processing drive; they didn’t explain how that will be a better solution. Hutton Hotel is also working with the payment card companies to identify its affected customers.
MALWARE: Just like in the case of Hutton Hotel, POS malware has been targeting processing points inside the payment systems: the point where the card gets swiped, but before it gets stored, is where the data may be unencrypted. POS malware attacks have stolen card data before from POS retailers like Target, Michaels, Staples and even mom-and-pop shops. It is for the criminals who are seeking the best returns with the lowest associated risk.
Source: http://www.databreachtoday.com/nashville-hotel-suffered-pos-breach-for-three-years-a-9381
-
Amanda,
This sounds like the POS malware that also affected Hutton Hotel on September 4th. After Hutton Hotel, Noble Hotel and now Kimpton, it looks like POS malware has gained popularity.
As I mentioned in my post, I believe that one of the reasons could also be that the risk associated for the attacker is low and the rewards are greater. Even back in 2014, over a thousand businesses ranging from big corporate retail stores to mom-and-pop shops were affected by Backoff, a POS malware.
Source: http://www.bankinfosecurity.com/1000-businesses-hit-by-pos-malware-a-7230
-
100 Million Accounts Stolen From Russian Web Portal Rambler
This article talks about how hackers stole the details of more than 98 million user accounts from Rambler, one of Russia’s largest web portals. For those of you who are not familiar with Rambler, it is like the “Russian version of Yahoo”, which offers web search, news aggregation, email, e-commerce and other services. Breach notification service LeakedSource learned recently that Rambler.ru was hacked on February 17, 2012. Interestingly, the data set was provided by the same individual who revealed that the 2012 Last.fm mega breach impacted at least 43 million accounts. Each record contains: a username/email address, password, ICQ# and some other internal data. The passwords on rambler.ru were stored in plain text, with no encryption or hashing. The most common passwords found in the dump are “asdasd,” “asdasd123,” “123456” and “000000.”
I think Rambler should take responsibility for leaving users extremely vulnerable to hackers. It surprised me that Rambler still uses plain text to store passwords, like VK.com, which was hacked before this took place. Data breaches like these are extremely valuable to hackers because they can use the login details to try to log in to other services that users have accounts with. Most likely, it will be the same password because we have the habit of re-using the same password for all the accounts we have. What I learned from this article is everyone should have different passwords for different accounts, no matter whether it’s for work or personal. The passwords that one sets up must be strong and unique. In addition, organizations should provide training to employees and make them aware of how risky it is to use simple passwords, or even re-use passwords.
Source: http://www.securityweek.com/100-million-accounts-stolen-russian-web-portal-rambler
-
The article talks about a malware designed for Android users that uses Twitter instead of command-and-control (C&C) servers for an Android botnet; it’s innovative and even harder to discover or block. The threat spreads through SMS or malicious URLs sent to its victims, then may download malicious applications without the victims’ awareness, switch to a different C&C Twitter account, and cause disclosure of the victims’ information.
It represents how vulnerable personal information is; even our social accounts could be a breakthrough for hackers to access our personal information. Worse, for normal people there are no effective technical methods to block such malware; what we can do seems only to be cautious with untrusted apps and URLs and keep our devices updated in a timely manner.
Finally, as a very popular saying in China goes, on the way to the information age, each of us is streaking.
http://www.securityweek.com/android-botnet-uses-twitter-receiving-commands
-
This is a news story called “FBI denies claims of Apple ID hack”. In this news, it talks about how the hackers have stolen information on more than 1 million iPhones and iPads and posted more than 12 million IDs. And this claim had been viewed 370,000 times in less than 24 hours.
After I read this news, I have to think about how important the information is and how much Apple Inc. would have to pay for this data breach problem if the hackers’ claim is true. However, the interesting thing in this news is that people think this is not a true thing. In fact, Apple Inc. still keeps silent; does that mean Apple is so confident of its own information protection system? http://www.cnn.com/2012/09/04/tech/web/fbi-apple-id-hack/index.html
-
At the G20 summit in Hangzhou, China, there are a number of US Senators strongly urging President Obama to open up a dialogue and start on an international action plan to address cyber-security on a global scale with partners. Due to the nature of hackers not having any real geographic boundaries, an international coalition against hackers is an imperative. The most recent activities that have driven this request are a number of thefts from a system called SWIFT. Apparently, this is the system that financial institutions use to transfer funds between one another. The most recent cases have been the theft of almost $1 Billion from Bangladesh central bank and another $87 Million heist from the Federal Reserve of New York. The money was then subsequently moved to the Philippines and laundered through casinos. These are just 2 of the numerous thefts that occurred after the SWIFT (messaging system used by financial institutions to transfer funds) system was compromised. They interviewed the CEO of CyberGRX, asking what good a discussion at the G-20 would be, and from his take the failure was in “third-party cyber risk management.” Ultimately, due to the real-time and ever changing nature of the threat, it is critical to open up lines of communication across the globe in order to try to stay on top of the ever changing dynamic that is cyber criminals. In his mind, “Collaboration and information-sharing at all levels are the keys to effectively mitigating the persistent and potentially damaging threats from cybercriminals.” This just goes to show the real threat that these criminals pose to everyone. It is real damage and not just a hacking of someone’s Twitter account and posting some distasteful tweets to the world.
http://www.infosecurity-magazine.com/news/us-senators-urge-obama-cyber-g20/
-
Hackers claim to have stolen important hacking tools straight from the NSA. This group, calling themselves the Shadow Brokers, have decided that it’s more profitable to sell the tools than to keep this hack secret to themselves. Being the only ones who know of an exploit can earn a bad guy a lot of money. The group has set the asking price at what seems to be a Dr. Evil-inspired 1 million bitcoins, which has a street value of roughly half a billion dollars. The hackers posted a manifesto claiming that the tools are from the creator of the infamous Stuxnet virus. The names of some of the tools, such as EPICBANANA, correspond with information that Edward Snowden had previously leaked, lending credibility to the hackers’ story.
I think this news is a reflection of how dangerous hackers can be. They are able to demand multi-millions of dollars because someone else is willing to pay that price to break into secure systems. This shows just how hard it will be to work against persistent hackers when they are backed by money. http://motherboard.vice.com/read/hackers-hack-nsa-linked-equation-group
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Provide an example of a measurement used in quantitative information security risk analysis.
What challenges are involved in calculating such a measurement?
-
Quantitative Information Security Risk Analysis is when you are able to examine a risk by looking at its risk factors in order to place a dollar amount or another type of value to the specific risk.
An example is having 100 employees’ sensitive bank account numbers, bank routing numbers, and other direct deposit information in a database in order to allow the employees to directly deposit their pay-checks into their accounts. When the board of directors analyzed the option to allow the employees to use direct deposit or not, they determined that if this data was stolen, it would cost the company $500 per employee. This $500 dollar cost is an average that was calculated by looking at a population/sample of people, their bank account info (like amount), and several other factors. The $500 amount would include: investigating to determine exactly which employees were affected, contacting the employees to notify them, replenishing the amount of actual money stolen, and the cost it would take to pay for the employee to change the information that was stolen. The max loss for this particular risk is $50,000.
In my above example, I made the risk value in terms of a dollar amount and I made the elements of the risk fairly simple. This is not always the case. In fact, risk can have more elements and there is not always an element that you can put a dollar amount to. Complexity of risk and the likelihood of partial or full risk loss are two factors that also make risk difficult to quantify. Lastly, there is no standard in each industry that tells you what each risk element is worth in terms of money or any type of value and that makes determining the quantitative risk value very difficult because each risk situation is unique.
-
In your simplified example, how might you approach attempting to quantify the loss to the business of “good will” from a data loss scenario (i.e. hacking data)? Would the business have to also quantify the loss due to compliance lawsuits like Target did in its security breach a couple years ago?
-
Sean, to answer your query, you can study the SANS whitepaper Quantitative Risk Analysis Step-by-Step
[ https://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849 ]
To summarize, the steps are as below:
1. Determine risk factors
2. Determine values of assets under risk
3. Determine historical data of incident occurrence and loss
4. Determine Annualized Rate of Occurrence (ARO)
5. Determine countermeasures to overcome risk
6. Determine Annualized Loss Expectancy (ALE)
7. Conduct safeguard cost analysis by calculating the difference between ALE before and after implementing countermeasures
8. Using values in steps 6 & 7, calculate Internal Rate of Return (IRR)
9. Present summarized results to management
Formulas you will need:
Exposure factor (ex. 40%), Single loss expectancy (ex. $1000 at 20% likelihood), Annualized rate of occurrence (ex. 0.1, i.e. once in 10 years), Annualized loss expectancy, Safeguard cost/benefit analysis.
To answer your question, “loss of goodwill” will come under calculating the risk factor for intangible assets.
There is an example given in the whitepaper that you can read.
-
Quantitative Data: Data derived from mathematical and statistical figures
Risk Assessment: Process to identify potential risk to a business process.
So as the name suggests, quantitative information security analysis is placing a mathematical figure, in terms of dollar value, on the threat or asset involved in information security analysis. An example of quantitative information security analysis is an organization XYZ using a software tool worth $300 which has a risk of being hacked by potential hackers.
The department analyzes that the hacking may result in 90% software corruption.
So the true asset value is 300*90/100=270.
The organization may incur a loss of $270 in case of the software being hacked, and the results are a part of information security analysis.
Furthermore, the challenge involved in such risk measurement is posed in a question: “How can you identify the estimate of loss occurred until the actual threat occurred?” The risk can be greater or even lesser than the actual threat estimated, and there can be a lot of other elements and subjects getting involved when the actual threat occurs.
-
I agree with Shukla. Simply put, quantitative information security risk analysis uses mathematical and statistical methods to figure out the potential risk to the information of a business process, and the example very clearly shows the risk and the loss. And I think more that this analysis is like an expectation of loss, and the result will show the maximum outcome to us.
-
What is quantitative information security risk analysis? Provide an example of a measurement used in quantitative information security risk analysis. What challenges are involved in calculating such a measurement?
Quantitative information security risk analysis tries to estimate a monetary value (dollar value) for each data leak event with potential data loss. Example: in the case of a health care company, quantitative information security risk analysis produces an estimated loss of 150K for every data loss of 10K patients’ personal information. Estimating expected loss requires calculating the probability of data loss, and the extent of data loss if a breach does happen.
Expected loss $ = Expected Consequence * Expected Frequency (probability)
What challenges are involved in calculating such a measurement?
The apparent issue will be the accuracy of both measures needed to calculate Expected Loss $ (Consequence and Frequency), in addition to the difficulty of calculating the probability of a breach event when multiple data loss events can be and are interdependent.
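As an added worked example (not code from the SANS whitepaper or from any post in this thread), the following Python carries the ALE steps summarized earlier in the thread and the Expected loss = Consequence * Frequency formula of the post above through the direct-deposit numbers given earlier (100 employees, $500 each, $50,000 maximum loss). The ARO of 0.1 and the safeguard's cost and effect are constructed assumptions, and a simple return ratio stands in for step 8's IRR.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not the whitepaper's or the posters' own code. Asset figures
come from the direct-deposit example in this thread; ARO and safeguard
figures are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    asset: str
    asset_value: float       # AV: step 2, value of the asset at risk ($)
    exposure_factor: float   # EF: fraction of AV lost in one incident (0.0-1.0)
    aro: float               # ARO: step 4, expected incidents per year


def aro_from_history(incidents: int, years: float) -> float:
    """Steps 3-4: annualized rate of occurrence from incident history."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def single_loss_expectancy(e: Exposure) -> float:
    """SLE = AV x EF: the 'consequence' of a single incident."""
    return round(e.asset_value * e.exposure_factor, 2)


def annualized_loss_expectancy(e: Exposure) -> float:
    """Step 6: ALE = SLE x ARO, i.e. Expected loss = Consequence x Frequency."""
    return round(single_loss_expectancy(e) * e.aro, 2)


def expected_loss(consequence: float, frequency: float) -> float:
    """The formula exactly as written in the post above; identical to ALE."""
    return round(consequence * frequency, 2)


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float            # step 5: yearly cost of the countermeasure
    exposure_factor_after: float  # EF once the safeguard is in place
    aro_after: float              # ARO once the safeguard is in place


def safeguard_net_benefit(e: Exposure, s: Safeguard) -> float:
    """Step 7: (ALE before - ALE after) - annual safeguard cost.

    Positive means the safeguard removes more expected loss than it costs.
    """
    after = Exposure(e.asset, e.asset_value, s.exposure_factor_after, s.aro_after)
    return round(annualized_loss_expectancy(e)
                 - annualized_loss_expectancy(after)
                 - s.annual_cost, 2)


def safeguard_return(e: Exposure, s: Safeguard) -> float:
    """Net benefit per dollar spent (a simple stand-in for step 8's IRR)."""
    return round(safeguard_net_benefit(e, s) / s.annual_cost, 4)


# From the thread: 100 employees x $500 = $50,000 maximum loss.
# EF = 1.0 assumes every record is exposed in a breach; ARO = 0.1 follows the
# "once in 10 years" style of example (constructed assumption).
DIRECT_DEPOSIT_DB = Exposure("employee direct-deposit records", 100 * 500, 1.0, 0.1)

# Constructed safeguard: encrypt the table and restrict who can read it.
# Assumed to cut records exposed per incident to 40% and halve the incident rate.
ENCRYPT_AND_RESTRICT = Safeguard("encrypt + restrict access", 1500.0, 0.4, 0.05)

if __name__ == "__main__":
    print("SLE :", single_loss_expectancy(DIRECT_DEPOSIT_DB))
    print("ALE :", annualized_loss_expectancy(DIRECT_DEPOSIT_DB))
    print("Net benefit of safeguard:",
          safeguard_net_benefit(DIRECT_DEPOSIT_DB, ENCRYPT_AND_RESTRICT))
```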
-
When communicating metrics, it is important to remember that Baseline Defenses Coverage is not the only line of defense that an organization has. Looking through these numbers would frighten any executive who is being told that this firewall that they are spending a lot of money to maintain has flaws. They must be informed of the importance of having layers of security so that even if an attack breaches the firewall, they are prevented or detected in another way. Communicating metrics is a delicate conversation and using industry averages and numbers from outside trusted sources such as the Computer Security Institute is helpful for them to understand that the situation is not as bleak as the numbers initially may appear. Knowing best practices and what others in the industry are doing can help when deciding if paying for various baseline defense technologies is worth it to an organization.
-
Magaly,
Great McDonalds example. The most difficult thing in economics is to put a cost on the impact of a policy. For example, how do you put a price on carbon dioxide put into the atmosphere? The risks of burning coal are known but putting a value on it and selling it to an emerging country is a difficult thing because all they see is short-term profits, rather than long-term tragedy.
Similar to companies who don’t value the risks of IT. It may not end well.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
-
Information security is both a technical problem and a business problem in which both parties need to work together on establishing and solving it. It's a technical problem because the technical side knows that without a proper framework in place, a business can go down if it's not well protected against threats from technology or other outside forces. It's a business problem because management is a key stakeholder and needs to work with the IT team to figure out how to keep the business safe. Management has the business knowledge, such as revenue and access to resources, to help with these projects. IT Security alone can't be an IT issue because they can only go so far to try and mitigate these problems. The business side has to get involved so they know how to provide ways to maintain it.
-
Information security is a technical problem and a business problem. Since information is digitized to such a degree today, its security is in the hands of IT professionals. Their training and expertise are needed to properly secure data and to create safe and reliable methods to access and transport data. The IT personnel need to develop training plans to train employees how to properly control information security at their individual levels and how to safeguard data in their control. IT personnel need to constantly stay up-to-date on the latest threats to the security of data and to institute physical and software updates to safeguard the data.
Information security is just as much in the hands of the rest of the business too. Again, with the digital nature of data today, businesses have a key role to safeguard data. The data plays a significant role in profitability to both its business and its competitors. Employees need to be properly trained to safeguard the data at all times, and to understand the importance of the integrity of the data. If employees are not properly trained, or get careless, their actions can cause significant interruptions to a business to the point of halting operations and potentially even as far as bankruptcy.
Since information security is both a technical and business-wide issue, all employees should be invested in its importance. IT personnel can do everything possible on the technical side, but without employees doing their part in security the data can be lost, destroyed, or fall into a competitor's hands. If employees have the keenest senses of security, but the IT personnel lack the ability to institute proper protocols and security measures, data can be just as easily lost, destroyed, or fall into a competitor's hands. Information security is a technical problem that the entire business must properly understand and address collectively to properly safeguard.
-
I agree with your opinion. An organization that can demonstrate an infrastructure protected by robust security mechanisms can potentially see a reduction in insurance premiums. A secure organization can use its security program as a marketing tool, demonstrating to clients that it values their business so much that it takes a very aggressive stance on protecting their information. Therefore, the company should combine the technical problem and business problem.
-
I agree with you. The company should provide security training for IT staff now and forever. Because management does not understand technology, they are not in a very good position to judge a person's depth of knowledge and experience in the field. Decisions are often based on the certifications a person has achieved during his or her career. Many certifications require nothing more than some time and dedication to study and pass a certification test. When IT staff meet new technology, they will figure it out; however, a strong security posture requires significant training and experience. In addition, very few organizations have a stagnant infrastructure; employees are constantly requesting new software, and more technologies are added in an effort to improve efficiencies. Each new addition likely adds additional security vulnerabilities. (CAIS CH1)
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction. If the company loses important data, it will lead to a business problem. When we implement any security mechanism, it should be placed on the scale where the level of security and ease of use match the acceptable level of risk for the organization. For example, employees can easily copy data from the devices to their home computers before the devices are returned. It easily leads to a data leak. If the employees leave their position, they may take the important information with them to a competitor company. So the problem is both a technical problem and a business problem. The company should investigate employees' backgrounds before recruiting, and it is important for an organization to establish policies outlining the acceptable use of these devices as well as implement an enterprise-grade solution to control how, when, or if data can be copied to them. Some products can protect against this type of data leak, such as DeviceWall from Frontrange Solutions and GFI Endpoint Security.
-
2. Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not solely a technical problem as it involves not just technical glitches but also the intention of the intruder. More than considering Information Security as a technical problem, I would consider it as an ethical issue where people tend to misuse the privileges for financial gains or getting proprietary ideas, or are just ignorant of the best practices, or want to try new things out of curiosity, endangering critical and confidential data. It is a business problem as security of the confidential data or PII is important for the reputation of the firm and also building trust with the clients. If a company loses its credibility, it loses its business.
The employees, whether current employees, former employees or contractors, who have the knowledge about the company policies, processes, procedures and technology can exploit this knowledge to provide the information to external attackers for gain, or they themselves can facilitate attacks or accidentally reveal information to potential attackers. A company can have the best infrastructure in place with the latest and the costliest security controls and still be a victim of a data security breach because of one user who forgot to lock his machine while going for a break or because of an employee who decides to save the PII content on his personal desktop which does not have the same security policies and is exposed to malware and information theft.
Yes, it is a technical issue with open ports available or no latest update on anti-virus protection in place which makes the system vulnerable to threats, but more than that I think it is the human factor involved here that can make a difference. So everyone in the organization: management, IT department and employees should make sure that they are compliant with the organization's policies and make an effort to make sure that their machines are compliant too. The management should educate its employees about the consequences and take necessary steps to mitigate the risks involved and thus provide a secure business to the client that they can rely on. -
Question: Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical and a business problem. First of all, the information security of an organization requires some basic technical devices like hardware and software to protect the information assets. For example, in order to prevent unethical hacking or unknown internet attacks, a firewall is necessary for the core servers. Besides, the antivirus software on each PC in the organization also needs technical support. From this perspective, the IS is a technical problem. Moreover, the IS is also a business problem. For example, according to the Sarbanes-Oxley Act, Sections 302 and 404, the management of an organization must take the responsibility of the Internal Control System in writing, and disclose the effectiveness and weakness of the organization's internal control in the ICS report with confirmation from the external auditor. After the accounting scandals in several major public corporations like Enron and Worldcom, the importance of the control environment and internal control of an organization was enhanced. Furthermore, a weak information security system may cause a huge loss of a company's information assets. For instance, without a data backup and disaster recovery plan, the organization may lose all information about contracts, orders, and clients' personal information through damage to the core servers. Therefore, information security is both a technical and a business problem.
-
In an organization both the technical and business problems of Information security must be solved.
Many businesses believe that by implementing secure infrastructure and utilizing security tools such as a firewall, IDS and antivirus program, they can create a secure organization. However, the security chain is as strong as the weakest link, and the weakest link in the IT security chain is the employees. Security is a process; all security products are as secure as the people who configure and maintain them. In order to get the most effective result from implementing a security tool in an organization, IT strategy should be aligned with business strategy. For example, IT professionals mostly focus on the technical view of security, and the management mainly focuses on revenue, profitability and ROI.
IT professionals should implement the technical infrastructure in a cost-effective manner that would be beneficial to the organization.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business problem that must be solved by an organization, but it requires adequate technical support by the information security manager. A business needs the proper security in place to manage business risk and mitigate intrusion. The organization could face a huge risk of data breach if it does not maintain a clear perspective of all areas of business that require IS protection through collaboration with other departments.
According to Computer and Information Security Handbook by John R. Vacca, "through collaboration with all business units, security manager must work security into the process of all aspects of the organization, from employee training to research and development. Security is not an IT problem, it is a business problem."
-
I agree with you Neil and Wenlin. Every business is different and thus the threats it will face will be business dependent. That is why it is necessary for security team members to understand the business processes in order to formulate risk analysis and form a secure IT framework.
Also, as rightly pointed out by Wenlin, robust security can be used for marketing. Acquiring certifications and being compliant with global standards increases the brand value of the company. By adhering to the standard, the company follows best practices and that helps gain trust from the users.
-
Information security is not just a technical problem anymore. It is a technical and business problem that the entire organization must frame and solve. Data breach has become a significant security risk to all businesses. I have done a case study of the Home Depot data breach in 2014, which could be the largest breach after Target. They detected the crisis after 6 months. 56 million cards' information was stolen and they lost at least $62 million. This is also an example of what might happen if organizations don't pay enough attention to their information security. Data breach is only one risk of information security and it can't be protected against only by the IT department. Information is one of the most important assets in a company and many people have access, therefore it is hard to control and protect. Usually, many executives believe "information security" is the same as "IT security" and is therefore the responsibility of the IT manager. This belief might explain why the question "Is our information secure?" is often answered with "Yes, we have firewalls." The lack of incentives for businesses to invest in cyber security and the lack of understanding from business about the nature of information flows play an important role in this. If any organization wants to completely protect its information, the whole organization needs to be aware of the threats and look beyond the risk. Therefore, information security is a business problem more than a technical problem now.
-
Question 2
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
In my opinion, information security is both a technical and business problem that an organization has to frame and solve. Information security, as most know, is the practice of protecting information from those who do not have authorized access. While the concept might sound simple, protecting information can require a great deal of technical skill since most information today is kept and transferred via computers and networks. Due to this, positions such as Chief Information Officers, Security Directors, and many others require employees to have the technical knowledge to prevent access to this information. What makes this a business problem as well is that information security is only as good as its weakest link, which in this case is the non-technical computer user within an organization.
In protecting information, there is one limitation, which is those who have authorized access to the information. Since you can't restrict everyone from having access to that secured information, those who want to steal information generally take advantage of those who have this authorized access. This is often done through phishing scams or having susceptible users download malware. Regardless, since these authorized users have access to information but don't necessarily have the technical skill to best protect valuable information, they are often the avenue that those trying to steal information go through. Even despite an organization having a well-designed IT policy, these users most of the time do not follow these IT policies and don't care to understand the risk since they are not "technical".
With all that being said, information security is certainly both a technical problem and a business problem. You need to have technically skilled employees who have the computer and network knowledge to protect information from a wide range of attacks as well as create certain policies that prevent attacks. On top of that, there needs to be education and enforcement of these policies, making sure that even the least technical individual who has authorized access to information knows the importance and consequences of not following the IT policies.
-
Information security is an everyone problem. Everyone at every level in an organization must work together to protect the information of an organization. A breach could come from anywhere in the organization, from a physical breach of the building, to a phishing scam, to a port breach. While protecting the information of an organization often has a technical solution, that does not make it just a technical problem. If a breach occurs, it does not matter how the breach occurred; the entire organization will suffer as a result. Because the breach can come from anywhere, the entire organization must frame and solve the problem of protecting the information assets it possesses. The information that can be lost can affect the organization in a number of detrimental ways: reputational damage, competitors gaining proprietary information, use of organizational resources for nefarious activities, and more. The entire organization must create a plan to define what they see as the highest risks and the most important to be addressed, and a plan to address the risks. IT is used as a means to address many of these risks, and they will work together with the business to address them, but they alone cannot secure all of the organization's information. Business processes must also be in place to secure the information and protect the organization from breaches.
-
I agree with Shahle. In the company security link, there are a lot of ways to protect information safety by computer programs and employees. Like Vacca said in Computer and Information Security Handbook, "Security is not an IT problem, it is a business problem." IT problems can be solved by computer, but business problems need to be solved by money and people. Companies spend money and time training their employees in order to decline the risk of the security.
-
I agree with Binue that information security is an ethical issue. In fact, employees following the company framework is like government staff following the country rules, and under a complete system, there are a lot of rules to limit the staff in order to decline the safety of a company. Employees may disclose confidential information carelessly or on purpose for benefits, and the company will pay the loss. So it is a business decision that a company needs to have a basic cost to improve their employees' ethics.
-
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a business and a technical problem. An organization must solve information security because it will cause many internal problems, such as data breach. In order to decline the risk to organization safety, the organization should be training its employees about the information security aspect, which is not just an IT behavior at all.
-
Information security primarily being just a technical problem is indeed a myth. It all dials down to human behavior. The core security issue is that the computers were created without a thought to security and the computer users are unsophisticated, but the people breaching security are very smart.
The role of IT has changed from being in the basement as an "engine room", and information/data has taken up the role of a business enabler. The value of a firm is in its data: customer details, product information, and financial information's CIA (confidentiality, integrity and availability) should be protected; failure to do so may result in legal repercussions & loss of goodwill in the market. Information is now the engine of global enterprise, and information security should be viewed as a business problem and should be a significant part of an organization's overall enterprise risk management.
In addition to proper employee training, an organization's information security must be aligned with its business goals and strategy.
-
Information security is both a technical problem and a business problem; however, it is not necessarily a mutually exclusive argument. That is to say each individual security related event will always be a business problem, but not all security events will be a technical problem. Security can be compromised by a myriad of internal and external factors, some we can control while others are outside of any one human's ability to control. While it is everyone's responsibility inside the organization to be aware of and follow the policies and procedures put in place to minimize the vulnerability to a malicious attack, there are certain events that can occur that no level of technical preparation or expertise would be able to prevent. For example, while it is critical to examine components such as environmental risks when creating a business continuity plan and determining where your most business critical information should be housed, there is no guarantee that anyone can provide that there will be no force majeure to impact the datacenter location. As we all know, in recent years, while we can do our best to predict where certain natural disasters can occur, the list is not exhaustive and definitive. Year after year additional exceptions are made and added. Therefore security risk can be strictly a business problem, but can never be strictly a technical problem because the analysis is always how it impacts the overall business.
-
Good point that the employee may become the weakest link in the IT security chain. Information security is a complex problem which relates to both technical and business. As you mentioned about the security process, IT professionals and the management sometimes focus on different strategies. Indeed, the technical tools like hardware, antivirus software, and firewall may cost a lot as a basic support for IT security, but management should also realize the significance of protecting information assets instead of thinking the IT protection is wasting money. Therefore, I think employees and even management need to take training about why information assets are so important for an organization and how to enhance IT security.
-
Sean, thanks for the post. I think that people are the weakest link in any security program. Even with the right technology (hardware or software), if it is not configured or implemented correctly, it can cause business disruptions. Like you have mentioned, IT personnel must stay abreast of all current attacks, vulnerabilities, and technology to be of any value to a company. It is no doubt that lack of training and awareness is a contributing factor with data breaches, but I don't think it's enough. Information security requires a certain mindset and a belief that nothing is ever completely secure. It requires a tone at the top, an organizational culture that is security sensitive. For example, how many times have we sat through cyber security PowerPoints and web applications that tell us not to open emails from unknown sources? Yet, a good amount of the malware that is present in an organization's network can be traced back to just that. Without strict enforcement of the company's policies, I believe that people just go through the motions.
-
Information Security is both a technical and a business problem that an organization must frame and solve. It doesn't matter if you're in IT, HR, or customer service. The information that you access to carry out your duties is the responsibility of the entire organization. IT (Technical) has the responsibility to secure that information within the bounds of the organization's security policies. Their challenge is to provide a balance between security and accessibility. Even if IT has the resources and knowledge to employ all the latest and greatest security technology, it does not guarantee a 100% secure IT infrastructure. Intrusion Detection and Prevention Systems are only good for known vulnerabilities and cannot prevent zero-day attacks. In an effort to improve efficiency, companies will add new software and applications which add new vulnerabilities to their security program.
Cybercriminals are far more sophisticated and persistent at finding new ways to exploit vulnerabilities with any given technology. If they can't attack the system directly they will go to the next best thing, the people. People are the weakest link in any security program. They can be the victims and the perpetrators of adding malicious components into an organization's network. Phishing, malware, and viruses can be added to an organization's network by unknowingly clicking a link in an email or downloading a Word document.
The organization must create a security sensitive culture that enables collaboration between IT and its businesses. Technology can be implemented, but people need more than training and awareness. People need to be encouraged to practice security controls set forth in policies and processes. Having a policy is meaningless unless it is enforced, and this has to be set from the tone at the top. -
There is no doubt that information security is both a technical and business problem and everyone should be responsible for it.
From the technical view, physical protection is greatly needed, and a proper information protection infrastructure ought to be established, such as the technology of firewalls, encryption, identification, etc., so as to achieve that valuable information within the organization is only accessible to the authorized group, even though it would cost extra steps to process which may lead to certain inconvenience.
From the business view, a favorable security environment is very helpful to strengthen the awareness and attitude of personnel toward information security, and complements professional training to prevent both intentional and unintentional information leakage. Besides, based on existing resources, after assessing risk and balancing return and costs, how to formulate the most favorable information security strategy is also a critical issue from the business aspect. So, it is clear that information security is a multifaceted problem.
-
I agree with Binu. This is a very good example to show how information security is not just a technical but a business problem. Regarding the example which you gave about the current and ex employees of the organisation, I would like to add one more thing to your point.
It is important to keep the entries of the present as well as ex employees up to date in the risk register. For example, if an employee leaves the organisation, the status of the employee should be changed in the risk register so that there are no more access privileges available in the name of that employee. If the risk register is not updated, it can be a big security issue for the business as anyone can use the access rights to fetch information. This can be a big loss to the business if any important information goes into the hands of an unauthorized person.
Many organisations fail during audits as they don't keep their risk registers updated. -
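The leaver check described in the comment above, as an added Python example that is not part of the original thread: it reconciles a constructed HR roster against a constructed account export and flags logins that still work after termination, disabled logins that kept their group memberships, and accounts with no accountable owner. All usernames, field names (employee_id, status, termination_date, groups) and dates are assumptions made for illustration and do not correspond to any real HR or IAM schema.

```python
"""Leaver access reconciliation: HR roster versus enabled accounts.

Added example, not part of the original thread. The roster, account export and
field names (employee_id, status, termination_date, groups) are constructed
for illustration and do not correspond to any real HR or IAM schema.
"""
from datetime import date

# Constructed HR roster: current status of each person and, for leavers, the leaving date.
HR_ROSTER = [
    {"employee_id": "E100", "status": "active"},
    {"employee_id": "E101", "status": "terminated", "termination_date": "2024-01-15"},
    {"employee_id": "E102", "status": "terminated", "termination_date": "2024-03-01"},
]

# Constructed account export: login, owning employee, enabled flag, group memberships.
ACCOUNTS = [
    {"username": "aexample", "employee_id": "E100", "enabled": True, "groups": ["vpn", "finance-ro"]},
    {"username": "bexample", "employee_id": "E101", "enabled": True, "groups": ["vpn", "hr-pii"]},
    {"username": "cexample", "employee_id": "E102", "enabled": False, "groups": ["vpn"]},
    {"username": "svc-legacy", "employee_id": None, "enabled": True, "groups": ["db-admin"]},
]


def reconcile(roster, accounts, today_iso):
    """Compare the roster to the account list and return a list of findings.

    Three conditions are flagged:
      - enabled_after_termination: the owner has left but the login still works
      - disabled_still_in_groups: login disabled, but re-enabling would restore access
      - no_owner: nobody in HR is accountable for the account
    """
    today = date.fromisoformat(today_iso)
    by_id = {e["employee_id"]: e for e in roster}
    findings = []
    for acct in accounts:
        owner = by_id.get(acct["employee_id"])
        if owner is None:
            findings.append({"username": acct["username"], "issue": "no_owner",
                             "groups": list(acct["groups"])})
            continue
        if owner["status"] != "terminated":
            continue
        left = date.fromisoformat(owner["termination_date"])
        if acct["enabled"]:
            findings.append({"username": acct["username"], "issue": "enabled_after_termination",
                             "days_since_termination": (today - left).days,
                             "groups": list(acct["groups"])})
        elif acct["groups"]:
            findings.append({"username": acct["username"], "issue": "disabled_still_in_groups",
                             "groups": list(acct["groups"])})
    return findings


def summarize(findings):
    """Count findings per issue type, for a one-line audit status."""
    counts = {}
    for finding in findings:
        counts[finding["issue"]] = counts.get(finding["issue"], 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(HR_ROSTER, ACCOUNTS, "2024-04-01")
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run on a schedule, the number of days since termination on an `enabled_after_termination` finding is the evidence an auditor asks for: it measures how long the offboarding process took to reach the access list, not just whether it eventually did. Accounts with no owner in HR (service accounts included) deserve their own line, since nobody will report them as leavers.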
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. The IT security technical team ensures systems and network security through fortifying Operating Systems, firewalls, authentication and authorization systems. The business side should be concerned with the human factor that may impact the company data. The business should have proper controls in place for data access and handling. The business develops policies for data access, levels of authorization, and processes for data handling, in addition to business continuity planning in case of data leak. The business should be concerned with users' education to prevent data leakage due to user error.
https://www.weforum.org/agenda/2015/03/why-information-security-is-not-just-a-technical-problem/ -
I believe that information security is both a technical problem and a business problem.
Information security is a kind of IT issue. In terms of risks, all enterprise risk is related to IT. There are about 6 kinds of enterprise risk, and they all have an IT component. Like operational risks (the financial industry in the Basel II framework), credit risk (poor IT security), strategic risk (enabler of new business initiatives) etc. IT risk should be treated like other key business problems. As business managers determine what IT needs to do to support their business, and the use of IT can provide significant benefits to the enterprise but also involves risk, IT issues are important; if IT risk occurs, business objectives fail as well.
The entire organization must frame and solve it. -
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (VACCA) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; "firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data" (pp9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees' access to data can potentially be dangerous for a company, especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why, in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks. -
I agree with Wenlin. Good point raised. I have seen this happening in one of the organisations I have worked with. Not only employees but interns who were not permanent were allowed to use personal USB drives on their office laptops and computers.
In an incident one intern was caught copying some important official data from a project onto his personal USB drive. So this is a big security concern, for which personal devices should not be allowed in the premises of the organisation.
-
Rightly pointed out, Shahla. But just to say your point in a different way, employees are not the weakest link; rather they can be the weakest link in an organisation if the organisation doesn't have good security policies and standards.
I would like to quote an example to explain my point. I would differentiate the experiences which I had with two of the organisations I have worked for. In my first organisation, security policies were strong and employees were not allowed to enter the premises of the organisation without IDs or with any kind of personal devices such as pen drives. For this reason the environment was secure enough against any kind of security breach that may lead to data leakage.
On the other hand, with one more organisation I have worked with, there were some interns who were temporary, and for the three months they worked, they were not issued any IDs. They used to enter the office zone by just making an entry in the register. Also all the employees were allowed to bring any kind of personal devices. In this way, due to weak standards and policies, this organisation was vulnerable to any kind of security breach from the employees' end. -
I agree, IT in general is merely a set of tools used to make business processes run quicker and smoother. IT itself can never cause any harm or damage to the business. It is usually the human operating the IT systems who will cause harm. As you mentioned, employees who are negligent towards IT are one of the main reasons for data breaches in an organization. This can be avoided by fostering proper IT awareness and culture within an organization. This will tremendously reduce the risk of IT failures internally.
On the other hand, in order to avoid external breaches, the employees responsible for IT within an organization should always be aware of their own IT system's security. They have to constantly update and audit their own system to prevent external intrusions.
-
I agree. It is crucial to have the entire company invest in Information Security. There needs to be a cross department collaboration to successfully implement the company’s Information Security plan. It definitely is a technical issue as well but that is part of the company’s plan that directly affects the company’s business and the ability to conduct their business most efficiently.
-
I agree with Mengxue, information security is a technical and a business problem. An information security problem such as a data breach will cost the company not only economic loss, but also the company’s reputation. You said information is hard to control and protect because people can access it. It very clearly shows that company managers should pay more attention to this part and need to spend more to reduce the risk; that’s why we say information security is not just a technical problem but should also be treated as a business problem.
-
At the two companies I have worked for, all employees (in all departments) were required to take training on “Safe computer use”, IT security, etc. The training went through many of the same things as the video and had the same corny jokes too haha! It was definitely needed though and I think it definitely did help a lot of the employees that were not in the IT department. I think along with this, putting controls in place to safeguard and make sure that employees are practicing what they were trained on is important to success.
-
I agree with your opinion that information security is related to both technical and business problems. You mentioned the potential risk of information leaks because of authorized access issues. If management barely has a basic understanding of technical operations, they might underestimate the importance of protecting information assets. Without an effective control environment, the organization may be hacked through ineffective information security protection, which may cause a huge loss to the organization’s information assets.
-
Good point on mobile device management (MDM). Indeed, mobile devices carry potential risks of data leaks, including personal information or even sensitive business documents. If a mobile device holding internet connection information is stolen, a remote attacker may gain access and replace the firmware on a device like a router and take complete control over it. Therefore, MDM is very important to enhance information security in an organization.
-
Paul,
I completely agree with you. I would say that information security is both a technical and a business problem. The two entities overlap in many instances within an organization and must conjoin together to frame and solve the information security problems at hand. Even though in some instances the issue may start off as a technical issue, eventually it will protrude/evolve into a business problem, and vice versa.
An example being:
-leaky repositories: firewalls are implemented to prevent intrusive hacking, yet information doesn’t only live in the digital environment but also in the business environment as a hard physical copy.
-
Laly,
Exactly. While physical copies of information might not be as easily accessible, they are still controlled as well with physical security. For large organizations, you have security monitoring who enters and exits the buildings, as well as file rooms where the entrance to the room is locked by each department. Not only that, many companies try to implement a clean desk policy where all important information should be stored and locked when not at the desk. In fact, when I worked my Internal Audit internship, two of the auditors performed a walk-through of the building just to see what exactly they could find that was out in plain sight. Unfortunately, too much information was left out in the open and corrective actions had to be made. This is another example of how securing information is not only a technical problem but a business problem as a whole.
-
Paul,
You bring up a really good point that all information security is a business problem but not always a technical problem. You provided the example of a non-technical problem that can affect information security, being how a natural disaster can affect a data center. Another example could be a disgruntled worker who remains working for the organization and has access to information, and decides to steal that information either to sell it or to damage the organization. No amount of technical knowledge could identify who is a disgruntled worker or not; therefore, this would fall under business problems.
-
Great post, Tran!
I completely agree with you that if the latest and best security technology is being employed, it does not mean you are 100% safe. The new technology of today will become obsolete one day soon. Companies need to keep an eye on zero-day attacks because they are hard to detect even by the newest security.
When I was taking the cyber security class, I was taught that “people” is the weakest element because they like to click on insecure emails or websites and increase the probability of getting hacked. Only training sessions can really help people learn how to protect the organization from malware and viruses.
-
Information security is a technical problem and a business problem, and every individual must be involved with the solution.
The technical problem lies with the equipment and network infrastructure. The proper system configurations, authentications, policies and security must be checked and tested on a regular basis to ensure proper functionality. It is a business problem because the business reputation is on the line. The business must protect all sensitive information to give, not just the shareholders, but also the stakeholders peace of mind. A security breach could ruin the reputation of an organization and raise doubt when using technological equipment from the company, from an investor, employee and customer aspect.
We can’t be passing the buck or keep saying, “it’s not my problem”. One of my favorite quotes from a movie is, “Information is the most valuable commodity in this world”. I may not agree with the character who said this but I do agree with the statement. Information is very valuable to many people and it needs to be protected by technological and business best practices.
-
Haozhu,
I strongly agree with you. There is a need for managers to proactively include information security in their risk management plan and make sure it is aligned with the organization’s objectives.
-
Ahbay,
I completely agree with your point that the human factor is one of the biggest issues for information security. Every business is different, so an organization’s security needs to align with its business goals and strategy. How to defend information from a data breach is a technical problem. However, if the company loses its most valuable data, it will lead to a business problem such as loss of revenue, reputation and goodwill. Companies should invest heavily in internal training for those unsophisticated employees, or the company can do background checks before recruiting to ensure the employees have basic security training and knowledge.
-
Yu Ming,
Yes, and in addition to training and workshops, I firmly believe that there has to be a mechanism in place that checks if the training is updated, and in order to keep the employees updated, there should be half-yearly or even quarterly security workshops set up by the IT team.
-
Rightly pointed out, Amanda. I too believe that it all comes down to human behavior. Even though an organization implements the highest security standards, if the employees are ignorant and are putting passwords on sticky notes, then there is very little standards and policies can do.
In my internship experience, even a top-level executive had a habit of putting his NetSuite ERP access information on his keyboard. And I agree, the mindset has to be changed and employees need to realize that not just the company’s information is at stake; it is also going to affect their identity.
-
Paul, that’s a great point. I’m glad you guys agree with my stance. I think that it’s very easy for people that work in IT to start viewing things with tunnel vision when it’s absolutely critical that they keep an open mind and think outside of the box when analyzing problems or trying to determine where their vulnerabilities may lie. This is why social engineering is always a big part of any penetration testing that I sold through Verizon. It’s also definitely one of the most interesting subtopics in the overall umbrella of IT/IS security posture.
-
-
David Lanter wrote a new post on the site ITACS 5206 8 years, 2 months ago
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?
-
In my opinion, ITACS students do represent information security vulnerabilities to Temple University, and Temple represents information security vulnerabilities to ITACS students as well.
Based on the readings, information security vulnerabilities can be considered to be anywhere, from anyone and at any time. First, Temple students can access secured and sensitive information more easily through internal means. For example, an ITACS student studying at Temple University has some access passwords and codes for some rooms, software and public laptops, etc., so he could steal some sensitive information of Temple University by accessing it from the internal network through these ways, and Temple would lose its secured and sensitive information because this ITACS student uses an internal way, rather than outside people using an external way, which is harder. Second, the trust from a professor would also be an information security vulnerability. If a person has the trust of a professor, the professor may behave negligently by allowing this student to access some accounts which would be considered not allowed to students. For example, if a professor wants to show something through his account, the student is there to watch the professor access the account, and then the professor may act negligently by typing his account name and password in front of this student, and the account may be stolen easily. Third, students or professors may have bad behaviors and collude with classmates and friends to steal information of Temple University. The possibility of this is tiny, but I think it can also be considered an information security vulnerability to Temple University.
In addition, Temple University also represents information security vulnerabilities to ITACS students in several ways. First, Temple University experts who control sensitive information of students and colleges may behave negligently and make operational errors that expose information. Second, upper management of Temple University also has a possibility of behaving badly if the person is angry and criminal. Third, the change of MIS department dean or upper management may also bring some information loss and errors, because if the previous management person left, he may not hand over everything (information, account passwords, or secret system controls) to the new person.
-
ITACS students and Temple University both represent information security vulnerabilities to each other. Temple University stores Personally Identifiable Information (PII) of each student, which includes grades and financial information, and in some instances health-care information. A data breach at Temple University could target students’ social security numbers, personal banking account information, and medical information if a student is enrolled in a university-sponsored plan. Temple University stores large amounts of sensitive information about students, which creates an attractive target for cyber criminals. Medical identity theft is a growing exposure for Temple University because medical information is more lucrative than financial information. Not all students enroll in the sponsored plans, but some do, and others may use a medical service during their tenure at Temple. Students trust the university with sensitive data, which poses a risk to Temple because it is now responsible for safeguarding the data.
While Temple represents vulnerabilities to students, students also pose security risks to Temple. The university must create a tuportal account for every enrolled student, from which campus computers and many other university services are accessed. There are over 30,000 students at Temple University, not including faculty and staff, which is a lot of accounts to monitor. Any student can find a flash drive on the ground and then immediately connect it to a campus computer to download documents. Flash drives can contain viruses and malware and can potentially spread to the network from a single access point. Prevalent use of removable storage is an important security vulnerability to Temple. Students can also access file attachments through email on the university network. If an attachment is infected with malware, it can now spread to the computer and then the network. It would be difficult for Temple to limit access through the network because many departments rely on online software, require students to submit work online, and need to access data themselves. The same methods that are used to augment student academics also increase security vulnerabilities.
-
I think everyone at Temple University represents information security vulnerabilities to Temple University. In fact, ITACS students and regular students do more than sending emails while on the Temple internet connection. Even though the university blocks some sites, it does not stop students from going to insecure sites. I have been seeing some students shopping on the school computers. Somebody can voluntarily or involuntarily download a virus onto the computers or the network.
Also, the laptops in the MIS labs in rooms 602 and 603 are not really password protected, as everyone knows the password. The only real credentials you need are your TU access username and password for the Wi-Fi. Once again, an ill-intentioned individual can take advantage of this system. He/she can do bad things without being traced.
Temple University and its third-party partners can represent information security vulnerabilities for its students. What will happen if someone can hack the university system? In fact, some students have received phishing emails asking them to provide their passwords. The University system contains a lot of sensitive information like medical records, payment information… If there is a data breach, more than 30,000 persons will be affected.
-
I believe when we are entering into any account, we might have a lot of people around and we do enter our credentials in front of them. That is the reason why passwords are masked.
I agree with your point that eavesdropping can happen. Hence being alert while handling sensitive data is important.
-
ITACS students represent vulnerabilities to Temple university and vice versa.
Both entities have access to confidential and restricted data of each other.
Vulnerabilities that students bring in:
1. University provides wifi to all students. The laptops and mobile phones via which they connect to wifi are a door for hackers to plan wireless network attacks, e.g. denial of service, man in the middle, eavesdropping on the wifi. If data is not encrypted the payload is exposed and a sniffer can capture emails, passwords etc.
2. Students have access to confidential university data. If a student does not follow basic security practices, university data like the university intranet, contacts of faculty and other students, and university news and event details is under threat.
3. Students have access to course work, assignments, lectures, and PowerPoint presentations which are IP of the university.
4. Students can bring in visitors, and if visitors have malicious intent they can cause harm.
5. If students use illicit software to develop a university software, it can cause huge damage.
How is student data vulnerable while it resides on university servers?
1. University servers, on which student confidential and restricted data resides, can be prone to data attacks. Ex. student personal identifiers (SSN, address, contact numbers), financial details like bank details, transactions etc.
2. Student grades, resumes, photographs, and medical information are also with the university. Data is present with the university not only in digital format but in the form of paperwork, which is easily vulnerable.
-
Am I the only one not being able to enter answers to the other questions?
Anyway, below is question 2 and my answer:
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is not only a technical problem but also a business issue. It is true that for an organization to be very secure, some software and hardware may be needed to protect the assets of the company. However, as the book (VACCA) mentioned in chapter 1, thinking that information security is only a technical matter is a myth; “firewall […] antivirus program …are just some of the tools available to assist in protecting a network and its data” (p. 9). In fact, most of the time employees are the main reason why there are data breaches in organizations. A lack of awareness and training on information security can lead to severe losses for the organization.
Similarly, failure to immediately terminate former employees’ access to data can potentially be dangerous for a company, especially if the former employees work for competitors. Security measures can be implemented, but the human factor must be taken into consideration. Management should educate employees about their impact on security programs. That is why, in addition to being a technical issue, information security should also be seen as a business problem that must be solved to prevent tremendous risks.
-
I agree with Priya, Temple represents information security vulnerabilities to students because they have sensitive data, such as social security or bank account numbers, about us. Should a data breach happen, we will all suffer the consequences.
-
Said made a good point here. The Temple university system doesn’t seem to be well protected, and I’m not sure all students are aware of the importance of information security. I personally went a couple of times to the computer lab and witnessed students watching movies on third-party websites, shopping or networking on social media. Logically, one would think that an ITACS student is aware of information security and should be careful. However, that is not always the case. Human beings can be negligent, and this is why students represent information security vulnerabilities to Temple.
-
Good point, Alexandra. While doing activities like online shopping or online banking, a cross-site request forgery attack can be launched. CSRF is a combination of social engineering along with.
It becomes easy to launch a CSRF attack when user session cookie details are stored, e.g. IP address or credentials. The server will not know if it is a forged request.
Sometimes an attack can be launched with a hidden image which executes while the page is loading. The user does not notice the difference. If credentials are already stored by the browser, it becomes easy to authenticate.
-
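The CSRF scenario described in the comment above, as an added example that is not part of the original discussion: a framework-free Python simulation in which a hidden image on another site makes the browser send the victim’s session cookie to a bank endpoint. The vulnerable handler acts on the cookie alone, so the server cannot tell the forged request from a real one; the hardened handler additionally requires a POST, a same-site Origin/Referer, and a per-session synchronizer token that the attacker’s page cannot read. All names (`SESSIONS`, `Request`, `transfer_*`) and origins are constructed for the example.

```python
"""Added example: CSRF via a hidden <img>, with a vulnerable and a hardened
server-side handler. All names and data are hypothetical/constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed session store: session id -> logged-in user and CSRF token.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}
BALANCES = {"alice": 100, "mallory": 0}
SITE_ORIGIN = "https://bank.example"  # constructed, the bank's own origin


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def _do_transfer(src: str, dst: str, amount: int) -> str:
    if dst not in BALANCES or BALANCES.get(src, 0) < amount:
        return "400 rejected"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return f"200 moved {amount} from {src} to {dst}"


def transfer_vulnerable(req: Request) -> str:
    """Trusts the session cookie alone, even on GET. The browser attaches
    the cookie automatically, so a request triggered by an image tag on
    another site looks exactly like one the user made on purpose."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    return _do_transfer(sess["user"], req.params["to"], int(req.params["amount"]))


def _request_origin(req: Request) -> str:
    """Origin header if present, else the origin part of the Referer."""
    if "Origin" in req.headers:
        return req.headers["Origin"]
    scheme, _, rest = req.headers.get("Referer", "").partition("://")
    return f"{scheme}://{rest.split('/', 1)[0]}" if scheme else ""


def transfer_hardened(req: Request) -> str:
    """State change only via POST, from the site's own origin, carrying a
    token bound to the session. An <img> can only issue a GET, and a page
    on evil.example can neither set Origin to bank.example nor read the
    token the bank rendered into its own form."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change requires POST"
    if _request_origin(req) != SITE_ORIGIN:
        return "403 cross-site origin"
    token = req.params.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return "403 missing or wrong CSRF token"
    return _do_transfer(sess["user"], req.params["to"], int(req.params["amount"]))


def forged_image_request() -> Request:
    """What the victim's browser sends when evil.example embeds
    <img src="https://bank.example/transfer?to=mallory&amount=50">:
    alice's cookie is attached; the attacker controls nothing else."""
    return Request("GET", "/transfer", {"session": "sess-alice"},
                   {"to": "mallory", "amount": "50"},
                   {"Referer": "https://evil.example/cat.html"})


def legitimate_form_request() -> Request:
    """The bank's own form submission: POST, same origin, token included."""
    return Request("POST", "/transfer", {"session": "sess-alice"},
                   {"to": "mallory", "amount": "10",
                    "csrf_token": SESSIONS["sess-alice"]["csrf_token"]},
                   {"Origin": SITE_ORIGIN})


def demo() -> dict:
    """Replay the forged and the legitimate request against both handlers."""
    BALANCES.update({"alice": 100, "mallory": 0})
    return {
        "forged_vs_vulnerable": transfer_vulnerable(forged_image_request()),
        "forged_vs_hardened": transfer_hardened(forged_image_request()),
        "legit_vs_hardened": transfer_hardened(legitimate_form_request()),
        "balances": dict(BALANCES),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```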
In my opinion ITACS students represent vulnerabilities to Temple university and vice versa. Temple ITACS students are vulnerabilities to the university because they are constantly logged into the system and are active users, and therefore their actions while on the system affect the university directly. The users’ ability to navigate through the web without domain regulations not only contributes to but enables threats such as malware, which may affect the computers’ operating systems and the protection of personal information. However, the students aren’t the only ones who provide vulnerabilities; the university has an abundant amount of personal files of its students and employees, which can be accessed through hacking and software breaches. Thus, versatile vulnerabilities that are a result of ITACS students and the university are subject to human error. Human errors affect both entities as a whole, and therefore they are both to blame for vulnerabilities.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both?
Explain the nature of the vulnerabilities ITACS students represent in the context(s) you chose?
I do believe that ITACS students represent information security vulnerabilities to Temple University and the other way round.
Some vulnerabilities that ITACS students may bring in to Temple:
1. Computer hardware that students bring in such as flash drives or laptops may contain viruses that could infect Temple’s system when the hardware connects to Temple’s computers or wifi.
2. ITACS students will eventually learn how to hack. A student may attempt to try their newly attained skill on Temple’s computers or sites which may or may not cause harm.
3. A student may accidentally download malware, spyware or a virus into Temple’s system when they visit insecure sites or click on suspicious links.
Some vulnerabilities that Temple may bring to students:
1. Temple University is a host to all students’ data and private information. Students can link their bank information in order to pay their tuition bills. Students’ personally identifiable information such as SSN, contact information and address are all in Temple’s database. This can pose as a target to potential hackers.
2. Temple employees who have access to all students’ data may not adhere to Temple’s controls and may perform activities that increase the risk of security threats.
3. Temple employees may also be negligent when handling students’ data. Wrong data may be inputted, which may cause a chain reaction that can affect the student.
-
I believe ITACS students represent information vulnerabilities to Temple University; on the other hand, Temple University represents information vulnerabilities to ITACS students as well.
As Temple students, we have access to Temple’s wifi and computers. Everyone could possibly bring viruses to Temple’s network system when he or she connects hardware such as USB drives to Temple computers. This not only damages the computer that has the viruses, but it will also spread the viruses to other computers in the school because they are all sharing the same network. In addition, a student may accidentally enter a website when they click on links that they are not aware of. It is very essential that students have awareness of the websites they are viewing. In addition, one other vulnerability that students may bring into Temple University is that we all have access to Blackboard and the MIS Community site; students are able to download or make a copy of any documents that they have and share it with someone else who is not a part of the class or even not a part of the Temple community.
Of course, Temple University represents information vulnerabilities to ITACS students as well. Temple has not only students’ unrestricted and sensitive information, but also restricted information such as social security numbers, Temple University IDs, as well as billing information. The database in which Temple stores student information can become a major potential target for hackers.
-
Do ITACS students represent information security vulnerabilities to Temple University, each other, or both? Explain the nature of the vulnerabilities.
The ITACS students represent information security vulnerabilities for several reasons. The students connect different types of devices to the network (laptops, cell phones) that may not be secured and may potentially spread viruses, malware, smart dust, or botnets on Temple’s network proper. Students access the university-wide network and applications from their personal devices, opening the door for data leakage in case a student’s device is hacked.
-
ITACS students are a great vulnerability to Temple University. Vacca points out that power users, in this case students who have just started an advanced program, may know enough to install software while ignoring security policies. Bad guys looking to exploit vulnerabilities will target these users to get access to a network (Vacca, 4). Unless all students undergo security training, some may not understand the significance of some policies that are in place. There have been times when Temple has had to send out mass emails warning of phishing attacks targeted at Temple emails, meaning that someone must have let something bad in at some point. Another vulnerability that students have is their passwords. Some students may make theirs very weak or save them in obvious locations. The requirement to change your password every few months may make Temple systems less secure, as students may lean towards easier passwords. An article I read a while ago showed how a hacker may try to decrypt hashed password files by comparing changes, knowing that the user is only changing theirs slightly (https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
Temple University is a security vulnerability to ITACS students as well. Large organizations are seen as more lucrative targets for cybercrime groups. Temple holds a lot of PII, and for some students PHI, which criminals can sell for a profit. Students need to trust that Temple is taking all the steps to keep their information safe. Is Temple conducting background checks on IT employees? Are they spending money on security as a priority? Does Temple require IT professionals to continue to learn as the security environment changes? The real list of what Temple has to do to stay secure is much longer than I can list here. The security issue is compounded by the multiple devices Temple must support. There are multiple buildings, multiple Wi-Fi networks across campus, and many new cellphones and tablets being hooked into the network every day. If a bad guy ever finds a way in, they can take a student’s information and exploit it.
-
Agreed. Bringing in visitors may be a big concern to Temple University, because these people may be your friends; however, people’s behaviors are hard to see clearly.
Software development is also a concern. Universities always develop new and professional students in the world. So if these kinds of students want to try out their new creations, Temple’s internal network and all Temple computers and laptops may be at risk.
-
You are correct that Temple students are a security vulnerability to the university. On the other side, the university is also a security vulnerability to students. Temple stores a large amount of personal identifiable information on its students, from social security numbers to payment information and anything in between. Because the university has so many students and faculty connecting to its network with various personal devices, the university must be more vigilant in protecting its information. While students can bring viruses and other nefarious software to the university, the university has a lot more sensitive information about its students that if lost, would cost its students, and by result the university.
-
Your comment about larger organizations being more lucrative targets for cybercrime made me think about what a unique situation universities are in as opposed to other large organizations. In your average company the employees are supplied with the devices that they will use to connect to the organization’s network. At universities, students all have their own devices. Even at organizations that have bring-your-own-device policies, generally IT has some screening processes on the personal devices that are allowed to be used. The university has no control over what devices students are connecting to their network. They can monitor the traffic and prevent a student from downloading malware while on the network, but if the student picked up the malware while on another network and then connects to Temple’s network, Temple must have strong defenses in place to protect itself. Employees are also generally not downloading as many things from random websites on their work computers. People are generally more cautious with what they download onto their work computer than their personal computer. Since students are on their personal computers, they may be less cautious with what they download.
-
As a student it is easy to see how your information is at risk and take that side. Priya, do you think that the university is more at risk with all of the students on their network, or do you think that students are more at risk that their information could be stolen and held for ransom?
I just hope Temple practices what their Information Security professors teach. I hope that Temple invests an appropriate amount to keep their students’ data safe. I hope they invest in educating their employees and their students who are not in the IS field, and I hope they have cross-department collaboration on this effort, because successful Info Security takes an “all-in” approach.
-
Hi Wenting,
I think you bring up some valid points as to how a data breach can be a problem with all the PII of students on the server. To go with that, restricting access to worker students is a huge issue too. For those say working in admissions, you need to make sure that access to PII is restricted from those student workers. Likewise, if students do have access to that information, you need to make sure that those student workers have the integrity to not steal that information or not be negligent enough to allow someone else access by not practicing standard computer security policies. A hacker can easily see a student worker as the weakest link and use them as an avenue to steal information.
-
I agree with you all. Not only ITACS students but everyone at Temple represents information vulnerabilities to Temple, and Temple represents information security vulnerabilities for all students as well because Temple stored our sensitive data in its database where it can be the target to hackers. Let’s say the “TUpay” got hacked, our payment card information including our account numbers or routing numbers may get stolen.
Temple should work with professors to offer workshops for students to learn about how to protect their personal information from being stolen at Temple.
-
Nice post Priya,
I just want to add some of my thoughts to your point 1. Temple provides wifi and printing services to all students. We can get access to the networked printing servers through Temple’s computers or our personal computers by sending email. It is easy, convenient and comfortable. However, the printer will store our documents on its hard drive, which can easily become a target for hackers. Some students even print their sensitive information at Temple. We often ignore and overlook the security vulnerability of networked printers. A hacker with malicious intent may hack the printing system if it is not encrypted.
-
Yulun,
Great post! It reminded me about an incident that happened in one of the dorms at Temple University. As you know, students living in dorms have access to “TURESNET,” which is Temple’s own network for its dorm students. One of the students had connected his Xbox or PlayStation to the network and got into an argument with a player online. Turns out the other player wanted to retaliate; the Temple student’s IP was tracked and there was a series of DDoS attacks, which disrupted Temple’s network for a couple of days until they identified the cause. The student was not allowed to connect his Xbox/PlayStation to the network again.
This story was told by Prof. Larry Brandolph in the MIS intro class.
-
Ian,
Nicely pointed out. I think students are more at risk, and all personal or financial information might be stolen. I think these processes are not properly implemented and the network is properly secured!
-
Ian, I agree with Shahla.
I also think that as students, we are more at risk.
The reason is that Temple has a database that stores over 30,000 students’ confidential data such as SSNs and bank information. If someone hacks into Temple’s database, then it will bring a tremendous impact on students because all of their restricted information is stolen. In addition, Temple’s reputation will also be ruined.
-
Wow! Inspired me!!!!! My professor (Mart Doyle) said in MIS 2501 before, you can always plug a cord into your apartment building’s internet and see what your neighbors do. Trust me, the majority (like 99% of our students and professors) are still good to trust!
Thanks for sharing!
-
I was going to bring that study up but see you already mentioned it. I’ve seen other studies conducted where the percentage was extremely high. The one I’m linking below shows that the Department of Homeland Security found 60% of ‘dropped’ flash drives plugged in. I think people see them as if someone dropped a wallet and want to check to see if they can find the owner by identifying the files on the drive. If it’s blank, it’s like picking up a lottery ticket. People who have never heard of these risks will just plug it in to check to see if they’ve won.
-