
Tuesday, 13 December 2016

Information Security for Small and Medium Business



Small Business Information Security:
The Fundamentals

This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.7621r1
November 2016



2 Understanding and Managing Your Risks
Risk is a function of threats, vulnerabilities, the likelihood of an event, and the potential impact such an event would have to the business. Most of us make risk-based decisions every day. While driving to work, we assess threats and vulnerabilities such as weather and traffic conditions, the skill of other drivers on the road, and the safety features and reliability of the vehicle we drive.
By understanding your risks, you can know where to focus your efforts. While you can never completely eliminate your risks, the goal of your information security program should be to provide reasonable assurance that you have made informed decisions related to the security of your information.
You will never understand all of your risks perfectly. There will be many times when you will have to make a reasonable effort to understand threats, vulnerabilities, potential impact and likelihood. For this reason, it is important to utilize all resources available to you, including information sharing organizations (e.g., [US-CERT], [ISACA], etc.), relevant stakeholders, and knowledge experts.
2.1 Elements of Risk
In information security, a threat is anything that might adversely affect the information your business needs to run. These threats might come in the form of personnel or natural events; they can be accidents, or intentional. Some of the most common information security threats include:
• Environmental (e.g. fire, water, tornado, earthquake);
• Business Resources (e.g. equipment failure, supply chain disruption, employees), and
• Hostile Actors (e.g. hackers, hacktivists, criminals, nation-state actors).

When looking at these types of threats, many people do not understand how they relate to information security. It is helpful to consider what would happen in the event of, for example, a flood. Computers, servers, and paper documents can easily be destroyed by even a small amount of water. If it is a large flood, you may not be allowed in the area to protect or collect the information your business needs to run.
A vulnerability is a weakness that could be used to harm the business. Any time or situation where information is not being adequately protected represents a vulnerability. Most information security breaches can be traced back to only a few types of common vulnerabilities. Section 3 and Section 4 of this publication are geared towards minimizing your vulnerabilities and reducing the impact of a security incident should one happen.
Some threats affect businesses and industries differently. For example, an online retailer may be more concerned about website defacement than a business with little or no web presence. Likelihood is the chance that a threat will affect your business and helps determine what types of protections to put in place.

Similarly, most businesses have different types of information. If a marketing pamphlet is leaked online, it will probably not harm the business nearly as much as if, for example, sensitive customer information or proprietary business data was leaked. The impact an event could have depends on the information affected, the business, and the industry.
Figure 2 shows the relationship between threats, vulnerabilities, impact, and likelihood.

Threats                                              Vulnerabilities
(Environmental; Business Resources;        <->       (weakness in security protection)
 Hackers / Criminals)
                        |
                        v
Likelihood – chance of threat affecting the business
  (occurrence based on history / industry statistics;
   for adversarial threats: capability and intent)
                        |
                        v
Impact – potential harm to business
  (theft or disclosure of sensitive business information;
   business information or systems being modified;
   loss of information or system availability)
                        |
                        v
                      RISK

Figure 2: How Risk is determined from Threats, Vulnerabilities, Likelihood, and Impact

2.2 Managing Your Risks
The activity of identifying what information requires what level of protection, and then implementing and monitoring that protection, is called “risk management”. This section contains simple steps for creating a risk-based information security program to help you manage risk.
This process will likely require the input and collaboration of a broad array of personnel within the business to be successful. You should bring together those personnel in your business who can help make informed decisions, for example project managers, executives, legal, and IT personnel. In addition, you may want to consider including customers, particularly those you do a significant amount of business with, and use them as an additional resource.
You should review and update your risk management plan at least annually and whenever you may be considering any changes to the business (e.g. beginning a new project, a change in procedure, or purchasing a new IT system). Also, if you hear that something happened to one of your business partners, suppliers (including makers of any computer equipment or software you may use), customers, or employees, use this exercise to make sure you are still adequately protected.
Identify what information your business stores and uses
Because it is unreasonable to protect every piece of information your business uses against every possible threat, it is important to identify what information is most valuable to your business or to others. This first step is often the most challenging and most important part of risk management.
Start by listing all of the types of information your business stores or uses. Define “information type” in any useful way that makes sense to your business. You may want to have your employees make a list of all the information they use in their regular activities. List everything you can think of, but you do not need to be too specific. For example, you may keep customer names and email addresses, receipts for raw material, your banking information, or other proprietary information.
Determine the value of your information
Go through each information type you identified and ask these key questions:
• What would happen to my business if this information was made public?
• What would happen to my business if this information was incorrect?

• What would happen to my business if I/my customers couldn’t access this information?
These questions relate to confidentiality, integrity, and availability, as discussed in Section 1.1 and help determine the potential impact of an event. Table 1 below shows a template worksheet or spreadsheet you can adapt and use to identify the value of your information. Table 1 also includes some additional, helpful questions to consider what would happen to your business reputation, your productivity, and your legal liabilities.
You may not be able to assign a dollar value to many types of information, so instead consider using a scale of 0 to 3 or “none,” “low,” “moderate,” and “high.” Note that one person alone may not know how a piece of information is used throughout the business – a team effort will likely be required.
Using the answers to these questions, rank how critical each type of information is to the continued operations of your business. When calculating an overall ranking or risk score for an information type, either add the values to give a total value or use the highest value or score given. For example, if the information type has one “high” rating, the entire information type should be rated as “high”. Information that has a higher score needs to be more protected than information with a low score. Higher-rated information types may warrant use of the techniques identified in Section 3 of this publication, depending on the relevant threats and vulnerabilities.
Table 1 on the next page is an example worksheet showing how this information can be gathered. The worksheet includes a worked example shown in italics. The worksheet is also available in Appendix D.
Table 1: Identify and Prioritize Information Types

                                        | Example:                     | Info type 1 | Info type 2 | ....
                                        | Customer Contact Information |             |             |
----------------------------------------+------------------------------+-------------+-------------+------
Cost of revelation (Confidentiality)    | Medium                       |             |             |
Cost to verify information (Integrity)  | High                         |             |             |
Cost of lost access (Availability)      | ....                         |             |             |
Fines, penalties, customer notification |                              |             |             |
Cost of lost work                       |                              |             |             |
Other legal costs                       |                              |             |             |
Reputation / public relations costs     |                              |             |             |
Cost to identify and repair problem     |                              |             |             |
Overall Score:                          |                              |             |             |

Develop an inventory
Identify what technology comes in contact with the information you listed in Table 1. Complete Table 2 to include the technology you use to store, access, process, and transmit that information. This can include hardware (e.g. computers) and software applications (e.g. browser, email). Make sure to include the make, model, serial numbers, and other identifying information; this information is necessary for identifying the product in case of maintenance, repair, or insurance purposes. Every information type should have at least one hardware / software technology listed. Where applicable, include technologies outside of your business (e.g., “the cloud”) and any protection technologies you have in place such as firewalls.
You should also track where each product is located. For software, identify what machine(s) the software has been loaded on to. You may also want to include the owner of the technology, if applicable.
Evaluate the impact of the information, as decided in Table 1—this will help you determine the most appropriate security controls needed to protect the information. You may choose to add up impact scores for all types of information the product comes in contact with, or only use the highest score. Update this list at least annually. This table is also included in Appendix D.

Table 2: Inventory

# | Description (e.g. nickname, make, model, serial number, service ID, other identifying information) | Location | Type of information the product comes in contact with | Overall Potential Impact
--+-------------------------------------------------------------------------------------------------------+---------------------+-----------------------------------------------------------------------------------------------------------------+-------------------------
1 | Dr. J. Smith’s cell phone; Type – Sonic; Version – 9.0; ID – “Police Box” | Mobile; T&S Network | Email; Calendar; Customer Contact Information; Photos; Social Media; Locations; Medical Dictionary Application | High
2 |                                                                            |                     |                                                                                                                 |

Understand your threats and vulnerabilities
All businesses face information security and cybersecurity threats and vulnerabilities. While certain categories of threats and vulnerabilities may be consistent across businesses, some may be specific to your industry, location, and business. You should regularly review what threats and vulnerabilities your business may face and estimate the likelihood that you will be affected by that threat or vulnerability. This can help you identify specific strategies to protect against that threat or vulnerability.
Table 3 provides an example of how to determine the likelihood of an incident based on the information you collected in Tables 1 and 2. The left-hand column of the table lists some example threat events or scenarios—you should create a list that is specific to the threats and vulnerabilities your business faces. Evaluate the likelihood of the threat to your business in the bottom row. Use the highest value or score given. For example, if the information type has one “high” rating, the entire information type should be rated as “high”. See Appendix D for more information on this worksheet.

Table 3: Identify Threats, Vulnerabilities, and the Likelihood of an Incident

Threat scenario                                        | Example: Customer Contact Information on Dr. J. Smith’s cell phone | Info type / Technology | Info type / Technology | Info type / Technology
-------------------------------------------------------+---------------------------------------------------------------------+------------------------+------------------------+-----------------------
Confidentiality                                        |                                                                     |                        |                        |
  Theft by criminal                                    | Med (encrypted; password-protected)                                 |                        |                        |
  Accidental disclosure                                | Med (has previously lost phone twice)                               |                        |                        |
Integrity                                              |                                                                     |                        |                        |
  Accidental alteration by user / employee             | Med                                                                 |                        |                        |
  Intentional alteration by external criminal / hacker | Low                                                                 |                        |                        |
Availability                                           |                                                                     |                        |                        |
  Accidental destruction (fire, water, user error)     | Med (regular backups)                                               |                        |                        |
  Intentional destruction                              | Low                                                                 |                        |                        |
Overall Likelihood:                                    | Med                                                                 |                        |                        |

Your business likely already has some processes and procedures in place which help to protect from these threats. It is useful to record these protections as you go through this exercise (e.g. the destruction of information may be mitigated or protected against by regular backups). Information about threats and common vulnerabilities can be found through your local InfraGard chapter [InfraGard], [US-CERT], your local SCORE chapter, hardware or software vendor announcements, your local police department and many other places (e.g., the National Vulnerability Database – NVD [NVD]).
Vulnerabilities found in software applications are the most common avenue of attack for hackers. Because of the broad range of vulnerabilities possibly found within a network or system, a vulnerability scan or analysis should be conducted by a professional at least once a year and again whenever you make major changes to your computers or network. The prices for this service can vary widely – from free to thousands of dollars – depending on the specific actions performed and the size or nature of the business being assessed.
You may want to consider conducting a penetration test against your business. This test simulates an attack in order to identify weaknesses. The test should include physical, social engineering, and cyber-based attacks. Other tests may also be useful – work with a cybersecurity professional to identify what is appropriate for your situation.
The information gathered in Tables 1 - 3 provides what is necessary to identify the areas where you need to focus your information security efforts. Table 4 below shows an example of how the value of your information types or “impact” (Tables 1 and 2) and the potential likelihood of an attack (Table 3) can be combined to help you prioritize your information security efforts.
Table 4: Prioritize Resolution Action

             | LOW Likelihood                              | HIGH Likelihood
-------------+---------------------------------------------+----------------------------------------------
HIGH Impact  | Priority 3 – Schedule a resolution.         | Priority 1 – Implement immediate resolution.
             | Focus on Respond and Recover solutions      | Focus on Detect and Protect solutions
LOW Impact   | No action needed                            | Priority 2 – Schedule a resolution.
             |                                             | Focus on Detect and Protect solutions


Using the previous example, Dr. J. Smith’s Cell Phone, which contains customer contact information, may be a Priority 3 device due to the High impact and Low Likelihood.
As you review the practices in Section 3 and 4 of this document, look at what technologies and services you may need to purchase. When you develop a budget, apply the information from this exercise to help you select, obtain and implement systems and services that are commensurate with your risk.
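As an added worked example (not part of the NIST publication or of this blog post), the Python script below carries the four worksheets through end to end for the document's own Dr. J. Smith phone example: Table 1 scoring with the "use the highest rating" rule (and the "add the values" alternative), Table 2 inventory impact as the highest impact of the information the device touches, Table 3 overall likelihood as the highest scenario likelihood, and the Table 4 priority lookup. The "Marketing pamphlet" column is constructed for contrast; Email and Calendar are listed on the phone but have no Table 1 rating, so they are skipped; and the rule that only a "high" rating lands in Table 4's HIGH row or column is an assumption made here, chosen because it reproduces the document's statement that the phone (High impact, Med likelihood) is a Priority 3 device.

```python
"""Worked scoring of the Section 2 worksheets (Tables 1-4).
Added example: the ratings are the document's Dr. J. Smith phone example
plus a constructed 'Marketing pamphlet' column used for contrast."""
from dataclasses import dataclass

# Ordinal scale from Section 2.2: none / low / moderate / high, i.e. 0-3.
SCALE = {"none": 0, "low": 1, "moderate": 2, "high": 3}
LABEL = {v: k for k, v in SCALE.items()}
_ALIASES = {"med": "moderate", "medium": "moderate"}  # worksheet shorthand


def rating(text: str) -> int:
    """Map a worksheet cell ('Med', 'High', ...) onto the 0-3 scale."""
    key = text.strip().lower()
    return SCALE[_ALIASES.get(key, key)]


@dataclass
class InfoType:
    """One column of Table 1: an information type and its cost ratings."""
    name: str
    costs: dict[str, str]  # worksheet row -> rating; blank rows are omitted

    def impact(self, method: str = "max") -> int:
        """Overall score: highest rating (the text's rule) or the sum of ratings."""
        scores = [rating(v) for v in self.costs.values()]
        return max(scores) if method == "max" else sum(scores)


@dataclass
class Asset:
    """One row of Table 2: a product and the information types it touches."""
    description: str
    location: str
    info_types: list[str]

    def impact(self, catalog: dict[str, InfoType], method: str = "max") -> int:
        """Overall potential impact: highest (or summed) impact of the info it handles.
        Info types with no Table 1 column (assumption) are skipped."""
        scores = [catalog[n].impact(method) for n in self.info_types if n in catalog]
        return max(scores) if method == "max" else sum(scores)


@dataclass
class Threat:
    """One row of Table 3: a threat scenario against an info type / technology."""
    scenario: str
    objective: str  # confidentiality | integrity | availability
    likelihood: str
    existing_protection: str = ""


def overall_likelihood(threats: list[Threat]) -> int:
    """Bottom row of Table 3: the highest likelihood of any listed scenario."""
    return max(rating(t.likelihood) for t in threats)


def priority(impact: int, likelihood: int) -> tuple[int, str]:
    """Table 4 lookup. Assumption: a rating counts as HIGH only at 'high' (3);
    none/low/moderate fall in the LOW bucket, which places the document's
    phone example (High impact, Med likelihood) in Priority 3 as the text says."""
    high_impact, high_likelihood = impact >= SCALE["high"], likelihood >= SCALE["high"]
    if high_impact and high_likelihood:
        return 1, "Implement immediate resolution. Focus on Detect and Protect"
    if high_impact:
        return 3, "Schedule a resolution. Focus on Respond and Recover"
    if high_likelihood:
        return 2, "Schedule a resolution. Focus on Detect and Protect"
    return 0, "No action needed"


# Table 1: the document's example column plus a constructed contrast column.
CATALOG = {
    "Customer Contact Information": InfoType(
        "Customer Contact Information",
        {"Cost of revelation (Confidentiality)": "Medium",
         "Cost to verify information (Integrity)": "High"},
    ),
    "Marketing pamphlet": InfoType(  # constructed; the text's example of a harmless leak
        "Marketing pamphlet",
        {"Cost of revelation (Confidentiality)": "none",
         "Cost to verify information (Integrity)": "low",
         "Cost of lost access (Availability)": "low"},
    ),
}

# Table 3 rows for the phone, as given in the document.
PHONE_THREATS = [
    Threat("Theft by criminal", "confidentiality", "Med", "encrypted; password-protected"),
    Threat("Accidental disclosure", "confidentiality", "Med", "has previously lost phone twice"),
    Threat("Accidental alteration by user / employee", "integrity", "Med"),
    Threat("Intentional alteration by external criminal / hacker", "integrity", "Low"),
    Threat("Accidental destruction (fire, water, user error)", "availability", "Med", "regular backups"),
    Threat("Intentional destruction", "availability", "Low"),
]

# Table 2 row 1 (only a few of its information types are shown).
PHONE = Asset("Dr. J. Smith's cell phone; Type - Sonic; Version - 9.0; ID - \"Police Box\"",
              "Mobile; T&S Network",
              ["Customer Contact Information", "Email", "Calendar"])


def score(asset: Asset, threats: list[Threat], catalog: dict[str, InfoType] = CATALOG) -> dict:
    """Combine Tables 1-4 for one inventory item."""
    imp, lik = asset.impact(catalog), overall_likelihood(threats)
    num, action = priority(imp, lik)
    return {"impact": LABEL[imp], "likelihood": LABEL[lik], "priority": num, "action": action}


if __name__ == "__main__":
    print(score(PHONE, PHONE_THREATS))
```

The two aggregation rules the text offers are not interchangeable: under "use the highest" the phone's customer data scores High on the strength of its single High integrity rating, while "add the values" gives a total (2 + 3 = 5) that only means something relative to the other columns, so pick one rule for the whole worksheet and carry it into Table 2 unchanged.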

2.3 When you need help
No one is an expert in every business and technical area. You may choose to outsource some of your technology and information security needs to companies that provide these services. Here are a few tips which can help you find a provider that’s right for your business:
Ask for recommendations. You can ask your business partners, local Chamber of Commerce, Better Business Bureau, colleges or universities, or SCORE Office for referrals.
Request quotes. Make sure to have a clear list of actions or outcomes that you want to achieve. This may be done with the potential provider, depending on whether or not you want their opinion of what actions or outcomes your business should have.
Check past performance. Often providers will have reviews posted online. Check for complaints with the Better Business Bureau or Federal Trade Commission. If possible, request a list of past customers and contact each to see if the customer was satisfied with the company’s performance and would hire them again for future work. Find out how long the company has been in business and whether or not there have been recent or several changes in management – this can be an indicator of future difficulties.
Find out who will be doing your work. Ask for the professional qualifications of the personnel who will be handling the project – including those working directly with you or on your systems as well as any personnel that will be overseeing the project. Look for recognized professional certifications and relevant experience.

Recognize that anyone you hire to perform a service for you may not know your business or industry. Any large decisions – including any changes in processes or technologies used - should be made in collaboration with business executives, project leaders, and other relevant personnel.
In some cases, larger organizations will help their small business suppliers analyze their risks and develop an information security program. If you have business partners or large customers that depend on your organization, consider asking for their input or participation in your risk management process.

Part 3, Safeguarding Your Information, will be published next.
