Contemporary information security is concerned primarily with managing risk to the confidentiality, integrity, and availability of data and IT services and assets. These three attributes are referred to as the CIA triad:
- Confidentiality - The degree to which only authorized individuals can access, view, or modify data that is restricted
- Integrity - The degree to which only authorized modifications are made to data and other IT resources (i.e. assets and services)
- Availability - The degree to which all data and IT resources are available as planned
Non-compliance with regulations that address information security is one type of risk that is managed, but compliance should be a by-product of overall information security risk management and not an end goal of the program in itself. In US Congressional testimony by the founder of a prominent cyber investigation firm (Kevin Mandia of Mandiant, Inc.), it was revealed that the company's largest clients who had major cyber breaches, including both large government agencies and Fortune 500 companies, were all compliant at the time of their breach with all applicable information security regulations. Clearly, regulatory compliance alone is insufficient to manage information security risk.
There are many strategies to manage information security risk. Some of the key strategies that lower risk are adhering to best practices, aligning enterprise security controls and configurations to a recognized information security standard, and assessing risk through various types of assessments (and following up on findings).
It's not possible to bring risk to zero in every area, so managing risk involves accepting some risks and transferring others. Cybersecurity insurance is an example of transferring risk.
Are we secure?
This is a commonly asked question, but it reveals a misperception: information security is not a binary state of either secure or not secure. As explained in the prior section, the goal of an information security program is managing risk effectively by assessing, quantifying, and mitigating specific risks. Wherever there are threats and vulnerabilities there is risk, so risk can never be zero across the board; a fully secure state is hypothetical.
Information security is a community responsibility – everyone who has access to a MassArt computer or network ID has a role and responsibility. Some basic information security responsibilities we all have are evaluating emails for legitimacy, keeping your password strong, and sharing files securely. Employees in roles who handle sensitive data or manage systems and/or applications have additional responsibilities relevant to information security which are outlined in the Administrative Applications Data Management Policy. The precepts of everyone's general information security responsibilities are articulated in the Acceptable Use Policy.
Similarly, all employees are part of the information security program. The information security program encompasses the risk management strategy and the tactical elements implemented to lower risk, such as policies, operational plans, guidelines, and procedures. The CIO is the executive directly responsible for execution of the information security program, and the CIO delegates the administration of the program elements to the Information Security Officer.
To lower cyber risk it is necessary to understand that risk is a product of threats and vulnerabilities. Without a threat there is no risk; similarly, when there is no vulnerability that a threat can exploit there is no risk. So how can you lower your overall cyber risks? The table below shows common cyber risks and how to reduce your risk to each:
| Risk | Threat | Vulnerability | How to be Proactive in Lowering Risk |
|---|---|---|---|
| Loss of confidentiality of Controlled information | Phishing email | Failure of recipient to evaluate an email for legitimacy | Understand and look for the signs of a suspicious email |
| Loss of confidentiality of Controlled information | Laptop theft | Unencrypted confidential information on a laptop | Don’t store confidential information unencrypted on a mobile device; encrypt the hard drives on the mobile device |
| Loss of confidentiality of Controlled information | Email intercepted en route to recipient | PII sent in unencrypted email | Don’t put unencrypted PII in an email; send an encrypted file attachment or a Google Drive link to the file |
| Loss of access to files and extortion to regain access; computer hijacked by cybercriminal | Malware infection (ransomware) | Failure of recipient to evaluate an email for legitimacy; clicking on a link in an email or web page without first hovering over the label and examining the address carefully to verify it is appropriate | Don’t click on a link if you have any doubt the email is completely legitimate; |
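The "hover over the label and examine the address" check in the table above can also be done programmatically, for instance by a mail gateway or a help desk tool that screens a reported message before a user clicks anything. The following Python script is an added example and is not part of the MassArt page or its information security program: it parses the anchors in an HTML email body, compares the host shown in the visible label against the host the `href` actually points to, and flags mismatches and links to raw IP addresses. The sample email HTML, the hostnames in it, and the function names are constructed for this illustration.

```python
"""
Added example (not from the MassArt page): automate the "hover and compare"
link check from the risk table. For each <a> element in an HTML email body,
collect the visible label and the href, then flag the link when the label
looks like a URL or domain whose host differs from the href host, or when
the href points at a raw IP address. All sample data below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample email: three links, the first one deceptive.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox is almost full. Please sign in at
<a href="http://login-massart-edu.example.net/reset">https://www.massart.edu/login</a>
to avoid interruption.</p>
<p>See the <a href="https://www.massart.edu/policies">Acceptable Use Policy</a>.</p>
<p>Shared file: <a href="https://drive.google.com/file/d/abc123">drive.google.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible label) pairs for every anchor in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(label):
    """Return the host if the label looks like a URL or bare domain, else None."""
    candidate = label if "://" in label else "http://" + label
    try:
        host = urlparse(candidate).hostname
    except ValueError:      # e.g. stray brackets that look like a bad IPv6 literal
        return None
    # Plain words such as "Acceptable Use Policy" are not domains.
    if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host):
        return host
    return None


def _same_site(a, b):
    """True when the hosts match exactly or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def suspicious_links(html):
    """Return (href, label, reason) for every link a reader should not click."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, label in collector.links:
        target_host = (urlparse(href).hostname or "").lower()
        if not target_host:
            continue   # mailto:, relative links, etc. are out of scope here
        label_host = _host_of(label.lower())
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target_host):
            findings.append((href, label, "link points at a raw IP address"))
        elif label_host and not _same_site(label_host, target_host):
            findings.append((href, label,
                             f"label shows {label_host} but link goes to {target_host}"))
    return findings


if __name__ == "__main__":
    for href, label, reason in suspicious_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{label}' -> {href} ({reason})")
```

The check deliberately treats a subdomain of the displayed host as the same site, so `www.massart.edu` shown for a link to `massart.edu` is not flagged, while a label showing the college's domain that resolves to an unrelated host is. Labels that are ordinary words ("Acceptable Use Policy") cannot be compared to anything, which is exactly why the table advises hovering and reading the real address for such links.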
Information Security compliance regulations and best practices
The information security program is designed with the goal of full compliance with various state and federal regulations and industry standards, such as:
- Massachusetts Privacy Law
- Massachusetts Public Records Law
- Red Flags Rule (FTC)
- PCI DSS (Payment Card Industry Data Security Standard)