Business Process Security Model -Aliens Hacked My Website Model – sale/purchase of a pencil model

Business Process Security Model – better know to gAtO as “Aliens Hacked My Website Model”

What type of data are we attempting to secure. Internal/External, let’s look at the business process to better understand security in your company. Let’s take a look at the sale of a pencil model  and the purchase of a pencil model. So the gAtO can have fun let’s remember every person in the food chains can be an “insider threat” –gAtO scary.

Customer orders a pencil. 

  • Order is taken
  • Copy – Accounting – Sales – Inventory – Shipping

Company purchase a pencil

  • Buyer –
  • Select vendors
  • Make contract -Management
  • Buy Pencil – from China
  • Copy – Accounting – Inventory – Shipping – Management

The basic “cyber business process model” when applied to a security assessment clearly define the security data points. Let’s look at this example and look at some of what we gained from the Aliens Hacked My Website Model

What does the business person think important about this process? Customer List Vendor listFinancial InformationLegal (contrat – International laws). A security person may think, is the order for the pencil online, do I need a SSL connection. They may see an Access Control List (ACL) list as to who has access to financial information. Financial information is very sensitive and so is Legal, during International contract negotiations. The Shipping department or Inventory control department don’t need to see accounting and legal information. Sales may need to see some financial information (calculate pay-performance) and the Inventory department may need to see some legal aspect (contracts) to know when re-supplies are coming in. Compliance manager may need this to stay ISO standards compliant. Document everything.

So you can see that by taking a business process and looking at it from a security and business perspective together, it may help define what are the security points are and what needs mediation for a security solution. There is a lot more to gleam from looking at the SOP and then how security can help you be compliant. I will also point to the security aspect of people involved in every operation and what roles and rights to give to access data. This alone will help you with the problem of “insider threats” in a forensic investigation.

Here are useful advice for any organization from gAtO: Cyber Security advise:

  • have a Incident Response Plan (IRP) -READY NOW!!!!
  • Deploy defense-in-depth
  • Check your Log’s
  • Use a strict but flexible information security policy and practices
  • Have regular audits of your security by an outside firm
  • Use IDS or IPS
  • Teach your staff about information security
  • Teach your staff about social engineering
  • Develop good Vendor relations
  • Keep your software and hardware up to date -Patch control – Test every patch it may open more security holes.
  • Watch security (Intelligence Team) sites for news on computer security and learn what the new attacks are. zero(0)day…xxs
  • Have a disaster recovery plan ready
  • Let your sysadmins go to Defcon.
  • Get good sysadmins who understand security -pay them well
  • Encrypt all your data (something like AES-256)
  • Use spam filters
  • Develop an Intelligence team to look at cyber chatter
  • Keep an eye on what information you are letting out into the public domain
  • Use good physical security. What good is all the [security] software if someone could just walk in and take [your “secure” systems]?

PII (Personally Identifiable Information)

Privacy has been and will continue to be a hot topic; however, if you are an international organization, you definitely should watch for it on your radar.

While Information Security may consider privacy part of their jurisdiction, it should be the responsibility of Legal and HR.  Information Security should be present to guide the protection of information, but should not own the compliance and/or business processes surrounding Personally Identifiable Information (PII).

With the E.U. Safe Harbor framework, many organizations are scrambling to understand what this means, and whether other countries will accept the standard (i.e., Germany), or whether the standard will accept them (sorry, Mexico).  One idea which often is overlooked when discussing PII is the presence of a good Incident Response Plan (IRP).

Privacy regulations are very particular with regard to PII being leaked or breached. When performing a privacy assessment, be certain to allocate some of your budget to the development/update of your IRP.

ISO/IEC 27001 requires that management:

  • Systematically examine the organization’s information security risks, taking account of the threats, vulnerabilities and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
peace..out- gAtOmAlO
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: