Thursday, November 13, 2014

Summary of my blog

This week’s part of the assignment is to summarize the entire blog I have written since the beginning of this term/class. Each week I wrote about a different information security topic. I chose some topics from the textbook and some that interested me about information security. In this summary post, I will summarize what I wrote each week.
 
Week 1, How to Prevent Cybercrime
In Week 1, I talked about how we can prevent cybercrime. As we know, cybercrime has increased rapidly. Criminals are finding ways to hack our personal information. As Internet users, we should all be educated about what information to access and where to access it. Precautions such as avoiding scams, securely disposing of your personal information, securing your browser and keeping passwords private can help protect against cybercrime.
 
Week 2, 4 Quick tips to safely store your data in the cloud
The cloud is a hot topic right now. It is becoming a trend for organizations to move their data into the cloud. I believe most of us also use the cloud to store our information, such as pictures and documents. Dropbox, Google Drive and MS OneDrive are some of the common cloud storage software available free of cost. Storing data in the cloud does not mean it is safe and secure. As information security students, we must know that nothing on the Internet is secure. We must take a few steps to protect our data. The Week 2 blog explains 4 quick steps to safely store data in the cloud.
 
Week 3, How to avoid online scams when selling your cell phone or tablet?
This week again was all about avoiding or preventing cybercrime. Apple had released the iPhone 6 this week, so I thought it was the right time to put up something for sellers of old iPhones. I read a few articles about people becoming victims of online scams. It is important to know this information when we are selling something online on sites like eBay, Amazon and Craigslist.
 
Week 4, Business Contingency Planning
It was time to talk about what we learned in week 4. Preparing for something unexpected is contingency planning. A business can face any situation, from a financial crisis to high or low market demand, a decline in market share, etc. So, in order to be prepared for an unexpected situation, a business needs to have a contingency plan. Having a contingency plan helps a business react quickly, stay ahead of competitors, and lead with confidence.
 
Week 5, Importance of Security Policy
In week 5 my blog was about the importance of security policy. This topic was also taken from the textbook and the week’s class discussion. Today, information security has become a core part of business. It is important for a business to maintain the availability, integrity and confidentiality of information in order to remain in business. So, how do you regulate all of this? Having the right security policy in hand helps define the overall security strategy. The blog also talked about various kinds of security policy, like issue-specific security policy and system-specific security policy. Having an information security policy helps provide the organization with a framework to keep the company at the desired security level and avoid possible security threats.
 
Week 6, The Importance of Security Awareness Training
As we talk about policy and planning, it is important to train employees through a security awareness program. Employees should be educated about information security. Making employees aware of cyber threats and the huge losses that can be caused by hackers is important. An organization can implement different kinds of training, like face-to-face sessions, seminars, webinars or awareness through email. This will help ensure employees have a solid understanding of company security policy and procedures.
 
Week 7, Issue-Specific Security Policy
As my blog in week 5 talked about the importance of security policy, I thought it was worthwhile to talk about issue-specific security policy. It is one of three information security policies. It is also one of the common policies used by businesses and organizations. It mainly covers electronic mail, use of the Internet, computer usage, and other personal use of equipment. The objective of talking about this topic was to assure employers and members of the organization of what resources can and cannot be used during work.
 
Week 8, Threat Identification
Threats or risks are not something that can be avoided completely. But they should be identified constantly and managed to minimize the risk. By identifying a threat or risk in time, an organization can save a lot of time and money. Regular monitoring is necessary to control the threats. There are different kinds of threats; some of the threats I talked about in my blog are physical threats and logical threats. Physical threats consist of fire, water, energy, structural damage, pollution, etc., and logical threats consist of viruses, worms and intrusion.
 
Week 9, Risk Mitigation
In week 9 we learned about risk mitigation. We learned about different risk handling procedures, feasibility analysis and recommended risk control practices. Risk mitigation is taking steps to reduce any adverse effects. The blog also talks about different ways to mitigate risk. It is important to understand the risk and find a way to deal with it. An organization must take appropriate steps to reduce or eliminate the risks.
 
Week 10, Why do we need Firewall?
We talked a lot about information security, its policy and planning. How can we protect our PC from viruses or hackers accessing information? Well, having a strong firewall can help with this. When our PC is connected to the Internet, there is a high chance we leave our PC exposed to a potential cyber threat. It is important that we have a strong firewall that will help protect against malware and Trojans that can infect your PC.
 
Week 11, How Important is IT Certification?
This week we talked about IT certification. Since I am new in the industry, I thought it would be interesting to know about certification and what it does. As I learned, I thought about sharing on my blog as well, since many of us will be graduating with no work experience. Certifications are very helpful for building skills and provide a competitive career advantage.
           
 
I used the Internet as my primary source, along with a few topics from the textbook. Although there was lots of information and the textbook can be a reliable source, I still used the Internet, as I could find a lot more than what it was in internet. When taking information from the Internet, it is important to know which information is accurate. Also, your sources should be authentic.
 
Writing a blog every week was a great experience for me. I learned a lot while doing research for my blog. It is not only what I wrote; it is also a learning experience from other blogs. I think this blog can help other students as a reference for their research as well.
I thank our professor David McGaha for giving us this opportunity. This was a wonderful learning opportunity.
 

How Important is IT Certification?

Chapter 11, “Personnel and Security”, talks about information security job titles/positions and certification. We also spent most of our class discussion on different information security certifications. As an IT student with no real-life IT experience, IT certifications caught my attention. I did a little bit of research on IT certification, trying to find out why we need it and how important IT certifications are. During my research I found contradicting information. Some believe certifications can provide the knowledge needed to gain experience and make it easier to sell yourself in the market. Others believe certification can prove an IT professional is knowledgeable but may not prove how well they can actually do the job. Some also believe it is a total waste of time and money. So who do we believe? After my findings and talking with a few IT friends, I came to the conclusion that IT certifications are important. With the growing economy and high demand for skilled professionals, certifications can be very helpful for building skills and provide a competitive career advantage. Below are a few reasons why I think IT certification is important.
 
Job Retention: In the corporate world, lay-offs are considered common. But when companies lay off employees, it is usually those with less skill and knowledge. So having strong job skills and knowledge leads to strong job retention.
 
Hiring and Promotion Eligibility: Listing certifications makes your resume strong, and you can be a stronger candidate than someone with no certification.
 
Career Improvement: With new and timely certifications, there are more opportunities in your career.
 
Organizations will become more discriminating: Organizations are trying every possible way to save money by outsourcing or hiring an outside consultant. When you show them your certification, you prove that they have a competent employee inside the organization.
 
For those who graduate with no work experience, IT certification can help build a “technical perspective” in a person that is supportive of field experience in very important ways. It all depends on where you see your career in the long run. Make a decision and choose the right certification that will be helpful on your career path. There are a number of IT certifications in the market. Take a look at the link below, which gives you an idea of some of the best IT certifications for 2014.
 
 
Reference:
 
Wlodarz, D (n.d.) 5 Reasons why IT certifications still matter. Retrieved from URL: http://www.technibble.com/5-reasons-why-it-certifications-still-matter/
 
 
Karr, J (Feb 2010). Are IT certifications really important? Retrieved from URL: http://www.trainingindustry.com/it-training/articles/are-it-certifications-really-important.aspx

Thursday, November 6, 2014

Why do you need Firewall?

Most of us today use the Internet, or it would be safe to say every one of us uses the Internet. Our PC is constantly connected to the Internet. Whenever our PC is connected to the Internet, we leave it exposed to potential cyber threats such as hackers, key loggers, and Trojans through unpatched security holes. We also do lots of online shopping, online banking and other financial activities. This leaves us potential targets of identity theft and other malicious attacks. So, how do we protect ourselves from all of these cyber threats? How can we shop and bank online without being targeted by hackers who want to access our financial and personal information?

 

A strong firewall will help you prevent all the malware and Trojans from infecting your PC. It will stop intruders from accessing your financial and personal information. A firewall works as a shield between your PC and the cyberworld. When your PC is connected to the Internet, you are constantly sending and receiving information in small units called packets. The firewall helps to filter these packets and blocks any unwanted data.
 
A built-in firewall that comes with your OS (Windows XP or Windows 7) will help alert you to any suspicious activity, but it only works to block incoming traffic. When you are shopping online or banking, you are sending information outside. This means you need a strong firewall that protects you on outgoing traffic as well. There are lots of third-party firewalls in the market that work both ways: they will tell you about incoming and outgoing traffic.
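
The difference between a firewall that only blocks incoming traffic and one that filters both directions, as an added example that is not part of the original post: a small Python model of a packet filter run over four constructed packets. The program names, addresses, ports and rules are all made up for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = arriving at the PC, "out" = leaving the PC
    program: str        # local program that owns the connection
    local_port: int
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: str
    program: Optional[str] = None     # None matches any program
    remote_port: Optional[int] = None # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.program in (None, pkt.program)
                and self.remote_port in (None, pkt.remote_port))


@dataclass
class Firewall:
    rules: List[Rule]
    default_in: str     # action for inbound packets no rule matches
    default_out: str    # action for outbound packets no rule matches
    flows: Set[Tuple[int, str, int]] = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        key = (pkt.local_port, pkt.remote_ip, pkt.remote_port)
        # Replies to a connection the PC itself opened are let back in.
        if pkt.direction == "in" and key in self.flows:
            return "allow"
        default = self.default_in if pkt.direction == "in" else self.default_out
        # First matching rule wins; otherwise the per-direction default applies.
        action = next((r.action for r in self.rules if r.matches(pkt)), default)
        if action == "allow" and pkt.direction == "out":
            self.flows.add(key)
        return action


def inbound_only_firewall() -> Firewall:
    # Blocks unsolicited incoming traffic, lets every program send data out.
    return Firewall(rules=[], default_in="block", default_out="allow")


def two_way_firewall() -> Firewall:
    # Also blocks outgoing traffic unless a rule names the program and port.
    rules = [Rule("allow", "out", program="browser.exe", remote_port=443)]
    return Firewall(rules=rules, default_in="block", default_out="block")


# Constructed sample traffic (documentation-range IP addresses).
SAMPLE_TRAFFIC = [
    Packet("out", "browser.exe", 50001, "203.0.113.10", 443),   # online banking
    Packet("in", "browser.exe", 50001, "203.0.113.10", 443),    # bank's reply
    Packet("in", "svchost.exe", 3389, "198.51.100.7", 40000),   # unsolicited probe
    Packet("out", "unknown.exe", 50002, "198.51.100.7", 8080),  # unrecognized program sending data out
]


def run(firewall: Firewall) -> List[str]:
    return [firewall.decide(pkt) for pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for name, fw in (("inbound-only", inbound_only_firewall()),
                     ("two-way", two_way_firewall())):
        print(name, run(fw))
```

Both policies stop the unsolicited incoming packet, but only the two-way policy stops the unrecognized program from sending data out.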
 
Reference:
LAVASOFT (n.d.). What is firewall and Why do you need it? Retrieved from URL: http://www.lavasoft.com/mylavasoft/securitycenter/articles/firewalls. Retrieved on November 6th, 2014.
Anonymous (n.d.) Why you need Firewall. Retrieved from URL: http://personal-firewall-software-review.toptenreviews.com/why-you-need-a-firewall.html. Retrieved on November 6th 2014.

Thursday, October 30, 2014

Risk Mitigation

Last week we learned about risk management: controlling risk. The chapter talked about different risk handling procedures, feasibility analysis and recommended risk control practices. When we talk about risk management, it is important to talk about risk mitigation.
In simple terms, risk mitigation is taking steps to reduce any adverse effects. It is a process by which an organization introduces specific measures to minimize or eliminate unacceptable risks associated with its operations. There is no doubt that we are surrounded by different kinds of risk. To understand those risks and implement the appropriate strategies to mitigate and manage them, it is important that we learn about risk mitigation.
 
There are different ways to mitigate the risk. Some of the risk mitigation handling options are:
- Assume/Accept: The project manager acknowledges the existence of the risk and makes a decision to accept it without changing any project plan, other than agreeing to address the risk if it occurs.
- Avoid: The team adjusts the project requirements to eliminate or reduce the risk. The adjustment could be done by changing the funding, schedule or any other technical requirements.
- Control: Implementing actions to minimize the impact or likelihood of the risk.
- Transfer: Changing or reassigning the organizational accountability, responsibility and authority to other stakeholders or project teams that are willing to accept the risk.
- Monitor: Monitor the environment for changes that affect the nature or impact of the risk.
 
Overall, risk mitigation is all about understanding those risks that can impact the objectives of the organization and taking appropriate steps to reduce or eliminate them.
 
Reference:
Anonymous (Feb, 2011). Risk Management: Understanding Risk Mitigation. Retrieved from URL: http://www.ica.bc.ca/ii/ii.php?catid=17
 

Thursday, October 23, 2014

Threat Identification

Any organization can face a wide variety of threats. A threat is some action or event that can lead to a loss. Threat and risk are usually used synonymously. Threats and risks always exist and cannot be avoided, but they can be managed to minimize the risk. An organization should be able to manage and minimize the losses in order to maximize the returns. It is very important for any organization to identify these threats, and steps should be taken to control them. Regular monitoring is necessary to control the threats as well.
 
Types of Threat:
Physical Threat: Physical threats are damage caused to the physical infrastructure of the information system. Some examples are fire, water, energy variations, structural damage, pollution and intrusion.
 
Logical Threat: Logical threats are damage caused to the software and data without physical presence. Some examples include viruses and worms, logical intrusion, etc.
 
There are two approaches to threat identification.
Consider Common Threats:
In order to assess threats, consider common threats like people, software and natural disasters. There can be a number of ways a threat can occur. For example, an employee could disclose the data, or a software program could destroy data.
 
Review Properties:
In order to assess assets, consider their properties, like availability, integrity and confidentiality. Classify threats that may affect these properties: destruction, interruption, removal or loss, disclosure and corruption (toolbox.com).
 
It is important for an organization to understand the various threats and their potential effects on an information asset. An organization should be able to identify which threats present a danger and which threats represent the gravest danger to its information assets.
 
Reference:
 
Borysowich, C (Jul, 2009). Identifying security Threats. Retrieved from URL: http://it.toolbox.com/blogs/enterprise-solutions/identifying-security-threats-33182. Retrieved on: Oct 22, 2014.
 

Thursday, October 16, 2014

Issue-Specific Security Policy


Issue-specific security policy is one of three information security policies. I found issue-specific security policies (ISSP) to be the more common policy used by businesses and organizations. Issue-specific policies may cover electronic mail, use of the Internet, home use of company-owned computer equipment, use of personal equipment on company networks, use of telecommunications technologies, etc. An ISSP provides detailed, targeted guidance to instruct all members of the organization in the use of resources.
The overall objective of an ISSP is pretty clear. It assures employees and members of the organization of what resources can be used and what cannot be used. An effective ISSP is a binding agreement between parties (the organization and its members) and shows that the organization has made a good faith effort to ensure that its technology will not be used in an inappropriate manner (p. 134, Whitman, Mattord).

Every organization’s ISSP has three characteristics:
- It addresses specific technology-based resources.
- It requires frequent updates.
- It contains an issue statement explaining the organization’s position on a particular issue.

Components of a typical ISSP:
1. Statement of Purpose
   a. What is the scope of the policy
   b. What technology and issue it addresses
   c. Who is responsible and accountable for policy implementation

2. Authorized access and usage
   a. Who can use the technology governed by the policy
   b. What the technology can be used for
   c. What constitutes ‘fair and responsible’ use of technology and how it may impact ‘personal information and privacy’

3. Prohibited use of equipment
   a. What constitutes disruptive use, misuse, criminal use
   b. What other possible restrictions may apply

4. System management
   a. Which kind of authorized employer monitoring is involved (e.g. electronic scrutiny of email & other electronic documents)

5. Violation of Policy
   a. What specific penalties, for each category of violation, will apply
   b. How to report observed or suspected violations – openly or anonymously

6. Policy review and modifications
   a. How the review and modification of the policy is performed, so as to keep it as ‘current’ as possible

7. Limitation of Liability
   a. Who is liable if an employee violates a company policy or law


Whitman, M.E., & Mattord, H.J. (2014). Management of Information Security (4th ed.). Stamford, Cengage Learning

Thursday, October 9, 2014

The Importance of Security Awareness Training

Cyber threats have been a major concern in the IT world today. Recent data breaches at many companies like Chase, Home Depot and Target have already proved that companies need to build their IT security strong enough to avoid any further damage. A threat can come from anywhere; it may come from within an organization or from outside it. But when a threat comes from inside the organization, it is most dangerous, since the employees are quite familiar with the infrastructure of the organization. Most of the time, when the threat comes from inside the organization, it is either from accidents or uninformed employees.
 
Many people in an organization who are not informed about security threats often visit websites infected with malware, respond to phishing e-mails, store their login information in an unsecured location or even give out sensitive information over the phone when exposed to social engineering (sans.org). This can expose the organization to a major security threat. Important information can leak. One of the best ways to avoid these kinds of threats is providing security awareness training to company employees. An organization can institute company-wide security awareness training initiatives like formal classroom-style training, seminars, discussion groups, regular emails or posters in the break room. This will help ensure employees have a solid understanding of company security policy, procedures and best practices (sans.org).
 
Below are two YouTube videos that show the importance of information security awareness.
 
 
 
 
 
 
Source:
Sans (n.d.). The importance of Security Awareness training. Retrieved from URL: http://www.sans.org/reading-room/whitepapers/awareness/importance-security-awareness-training-33013. Retrieved on: October 9, 2014
 
Sayes, A (Mar, 2012). Physical & Information Security Awareness. Retrieved from URL: https://www.youtube.com/watch?v=tmOGJVDvJaQ. Retrieved on : October 9, 2014
 
Anonymous (Feb,2013). IT Security Awareness Week. Retrieved from URL: https://www.youtube.com/watch?v=LWi_ljAIhcM. Retrieved on: October 9, 2014
 

Thursday, October 2, 2014

Importance Of Security Policy

Maintaining information security is a core part of business today. Many businesses today maintain security as an essential part of their business. It is also important for a business to maintain the availability, integrity and confidentiality of information in order to remain in business. Failing to maintain those three core values of information security might lead to an unsuccessful business.
Important information like manufacturing, sales, financial, customer and employee records is kept on computers. But how safe is all this information? In today’s digitized world, with access to the Internet, this information can easily be stolen from any part of the world. Some of our confidential information can be compromised. A business might implement strong security technologies to avoid any kind of hack. But how about the policies and procedures that will help keep your business/organization’s information confidential? It is very important to create and implement several security policies to define the overall security strategy.
 
Every business must have an information security policy that covers enterprise information security policy, issue-specific security policy (ISSP) and system-specific security policies. An enterprise information security policy focuses on issues relevant to every aspect of an organization. It sets the strategic direction, scope and tone of an organization’s security efforts. An issue-specific security policy provides detailed, targeted guidance to instruct all members of the organization in the use of resources. It focuses on a specific department, network service, or function. A system-specific security policy focuses on individual systems or types of systems and prescribes approved hardware and software, outlines methods for locking down a system, and even mandates firewall or other specific security controls (Marcelo Ferreira’s LinkedIn post).
 
No matter how large or small your organization is, it is very important to have an information security policy in place. It will provide a framework to keep your company at a desired security level by assessing the risks you or your organization might face. Think about this: your organization’s information is the crown jewels of your business. You wouldn’t want someone to steal your crown jewels, right? You want to keep them safe and secure. I strongly believe every organization should have a strong information security policy.
 
Reference:
Ferreira, M (n.d.). Why having an information security strategy is important for an organization. Retrieved from URL: http://www.linkedin.com/groups/Why-having-information-security-strategy-3138056.S.91456697
 
Kadam, A (n.d.). Why information security is important for your Organization. Retrieved from URL: http://www.networkmagazineindia.com/200209/security2.shtml
 

Thursday, September 25, 2014

Business Contingency Planning....

Preparing for something unexpected is called contingency planning. From the business perspective, an unexpected event or situation can be a financial crisis or the company’s market share going down, or it can also be a large order, high market demand, etc. So anything unexpected that disrupts the company’s day-to-day operation is known as a business contingency. When a business creates a plan or is ready to cope with any unexpected situation, it is known as business contingency planning. Some of the threats usually covered in contingency plans are crisis management, business continuity, asset security, mismanagement and reorganization.

Crisis Management: Some of the crises that a company runs into include natural disasters, terrorist attacks, fire in the warehouse, on-the-job injuries or even unhappy customers. Any plans to deal with these kinds of crises are crisis management.

Continuity Plan: Business continuity plans cover a range of situations, including the death of a key executive or manager, a threat to shut down the business, or other financial situations. Continuity plans generally involve insurance policies that cover the cost of keeping the company in operation and the cost of hiring consultants who can help solve problems.

Asset Security: This includes the theft or destruction of intellectual property such as trade secrets or computer programs. A security plan that attempts to block any negative contingencies that might occur is asset security.

Mismanagement: Fraud, theft, operational errors, mismanagement and personal scandal are all mismanagement crises. Companies create a system of checks and balances to prevent such problems.

Reorganization: After an unexpected event has happened, the company’s contingency plan also covers how the company will re-establish normal operations and reorganize to limit. It is very important to reorganize the new challenges that might come.

So what happens when businesses have contingency plans?
A contingency plan is a question and an answer to the question. A contingency plan is also a “what if” scenario. So what can management do when they have a contingency plan? Here are a few things that management can do:
- React Quickly
- Stay Ahead of Competitors
- Lead with Confidence
- More Accurate Forecasting

Duff, V (n.d.) What is Business Contingency Plan?. Retrieved from url : http://smallbusiness.chron.com/business-contingency-plan-1081.html

Hill, Brian (n.d.) what happens when business have contingency plans? Retrieved from URL: http://smallbusiness.chron.com/happens-businesses-contingency-plans-20616.html