What is it?
Information security means protecting a set of data or information systems in order to preserve their value and prevent unauthorized access, use, modification, alteration or destruction of an individual's or organization's documents. Three pillars support information security: confidentiality, integrity and availability.
Implementing the three principles listed above requires going through three distinct phases: risk analysis, implementation of an Information Security Management System (ISMS), and intrusion tests (penetration testing). Each phase makes an important and fundamental contribution to a sound information security policy.
Information is one of the most important assets of any organization, and it is spread across many media (digital and non-digital). The value of the information stored in an organization's systems is increasingly critical to its proper functioning; at the same time, there are ever more threats to an organization's information security, both external, such as hackers motivated by “fun” or “profit”, and internal, motivated by lack of information or knowledge, carelessness or deliberate intent. In addition, vulnerabilities are regularly discovered in the systems and applications that organizations use every day, and these can be exploited to gain access to information that is confidential and fundamental to the organization.
Because of the exponential growth of information, it is now essential to store and protect data securely (maintaining confidentiality) without compromising the accuracy of the data (integrity) or its immediate accessibility when requested (availability).
Audit and Risk Analysis
The audit and risk assessment are important components in defining a computer and information security policy. The main goal is to protect the organization, its methodology and its assets, not just the IT infrastructure. An audit and risk assessment should be considered from the point of view of the organization's management and not only from the IT department, since the scope of the solution is far more comprehensive.
Risk is the result of a vulnerability considered together with its probability of occurrence and its impact. The audit and risk analysis aims to identify and classify the risk associated with the assets, and then to recommend mitigation measures that reduce the risk to levels acceptable to the organization.
By executing an audit and risk analysis, organizations can attain the following benefits:
• Significant improvements in the security of the information systems that store, process and transmit information in the organization;
• Allow for better management of organizational risk;
• Allow the administrative branch of the organization to make better decisions on the investments in information security;
The steps of an audit or risk assessment are as follows:
1. Define the scope and organizational context;
2. Risk Identification;
3. Risk estimation and calculation;
4. Risk Assessment;
5. Communication of Risk and Mitigation Controls;
6. Implement controls;
7. Acceptance of risk.
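As an added worked example (not part of the original page), the following Python risk register carries steps 3 to 7 through in code: it estimates inherent risk as likelihood multiplied by impact on a 1 to 5 scale, rates it, applies the selected controls to obtain a residual score, and compares the residual score against a risk-appetite threshold to decide whether the risk can be accepted or still needs further controls. The scales, the threshold of 6, the rating bands and the sample register are all assumptions constructed for illustration, not values from the page.

```python
"""Qualitative risk register: estimate, assess and track residual risk."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical organisational risk appetite: a residual score at or below this
# value (on the 1-25 product scale used here) may be accepted by management.
ACCEPTABLE_RISK = 6

# A control entry is (control name, likelihood reduction, impact reduction),
# both reductions expressed in scale points. Assumed representation.
Control = Tuple[str, int, int]


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the agreed scale so a typo cannot hide a risk
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")


def inherent_score(risk: Risk) -> int:
    """Risk estimate (step 3): likelihood x impact before any control is applied."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk) -> int:
    """Score after the selected controls (step 6). Neither factor drops below 1:
    a control reduces a threat but never removes it entirely."""
    likelihood = risk.likelihood - sum(c[1] for c in risk.controls)
    impact = risk.impact - sum(c[2] for c in risk.controls)
    return max(likelihood, 1) * max(impact, 1)


def rating(score: int) -> str:
    """Qualitative band used for the risk assessment (step 4). Bands are assumed."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 16:
        return "High"
    return "Critical"


def assess(register: List[Risk], appetite: int = ACCEPTABLE_RISK) -> List[Dict]:
    """Steps 4-7 over a whole register: rate inherent and residual risk and
    record whether the residual risk is within appetite (acceptance, step 7)."""
    rows = []
    for risk in register:
        inherent = inherent_score(risk)
        residual = residual_score(risk)
        rows.append({
            "asset": risk.asset,
            "threat": risk.threat,
            "inherent": inherent,
            "inherent_rating": rating(inherent),
            "residual": residual,
            "residual_rating": rating(residual),
            "accepted": residual <= appetite,
        })
    # Highest residual risk first, so the report leads with what still needs work
    rows.sort(key=lambda r: r["residual"], reverse=True)
    return rows


# Constructed sample register for illustration only (not real data)
SAMPLE_REGISTER = [
    Risk("file server", "ransomware", likelihood=4, impact=5,
         controls=[("offline backups", 0, 2), ("patch management", 1, 0)]),
    Risk("HR laptop", "theft of device", likelihood=3, impact=4,
         controls=[("full-disk encryption", 0, 3)]),
    Risk("public website", "defacement", likelihood=2, impact=2),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        status = "accept" if row["accepted"] else "further controls needed"
        print(f"{row['asset']:<15} {row['threat']:<16} "
              f"inherent {row['inherent']:>2} ({row['inherent_rating']}) "
              f"residual {row['residual']:>2} ({row['residual_rating']}) -> {status}")
```

In the sample register the ransomware risk on the file server starts at 20 (Critical); backups and patching bring it down to 9 (Medium), which is still above the assumed appetite of 6, so the report flags it for further controls rather than acceptance, while the encrypted laptop and the low-value website fall within appetite.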
Defining an Information Security Management System (ISMS)
What is ISMS?
• It is a set of policies related to information security, based on a continuous improvement model through the PDCA (Plan -> Do -> Check -> Act) methodology.
• Its main objective is to maintain the effectiveness and efficiency of processes and IT infrastructure over time, always keeping the same standards regardless of the internal or external changes that may occur.
An ISMS is defined by:
- Designing the ISMS and establishing its scope (Statement of Applicability, SoA);
- Evaluating the assets and information security risks (“Risk Analysis”);
- Establishing an action plan and selecting appropriate measures (controls);
- Performing a “Gap Analysis”;
- Implementing the action plans (measures, defined controls);
- Carrying out internal audits to validate/verify the measures (controls) previously applied;
- Analyzing, verifying and implementing corrective and evolutionary actions.
Security Auditing and Intrusion Tests
The value of information stored on an organization's systems is increasingly critical for its proper functioning, and it is necessary to ensure in particular three key factors – confidentiality, integrity and availability. However, there are increasing threats to an organization's information security, both external, as in the case of hackers, who can be motivated by fun or profit, and internal, motivated by lack of information or knowledge, carelessness or purposeful intent.
Besides that, vulnerabilities are regularly discovered in the systems or applications used daily by organizations, and these could be exploited to gain access to confidential information that is fundamental to the organization.
The purpose of intrusion tests is to produce reports that include not only the identified vulnerabilities but also their degree of risk, as well as the corrective measures (controls) to be applied to improve the security of systems and networks.
There are two main types of intrusion tests – external and internal, or “black-box” and “white-box”. External or “black-box” tests usually imply that the entity executing the tests has no knowledge of the systems available and no access to the internal structure of the organization under test; all work is carried out without any assumptions. Internal or “white-box” testing implies prior knowledge of the systems being tested, such as network settings, externally exposed services, IP addresses, etc., or access to the customer's infrastructure, so that vulnerabilities from inside the organization can be verified.
The main benefit of conducting internal audits and intrusion tests is that companies take significant steps to protect their infrastructure and information against the more conventional types of attack seen in the market, reducing their exposure and the risk of information loss and, as a result, the risk of financial loss and damage to the company's image.