Small Business Information Security:
The Fundamentals
This publication is available free of charge from: https://doi.org/10.6028/NIST.IR.7621r1
November 2016
2 Understanding and Managing Your Risks
Risk is a function of threats, vulnerabilities, the likelihood of
an event, and the potential impact such an event would have to the business. Most of us make risk-based decisions
every day. While driving to work, we assess threats and vulnerabilities such as
weather and traffic conditions, the skill of other drivers on the road, and the
safety features and reliability of the vehicle we drive.
By understanding your risks, you can know where to focus your
efforts. While you can never completely eliminate your risks, the goal of your
information security program should be to provide reasonable assurance that you
have made informed decisions related to the security of your information.
It is impossible to understand all of your risks perfectly. There will be many
times when you will have to make a reasonable effort to understand threats,
vulnerabilities, potential impact and likelihood. For this reason, it is
important to use all resources available to you, including information sharing
organizations (e.g., [US-CERT], [ISACA], etc.), relevant stakeholders, and
knowledge experts.
2.1 Elements of Risk
In information security, a threat is anything that might adversely affect
the information your business needs to run. Threats might come in the form of
personnel or natural events; they can be accidental or intentional. Some of the
most common information security threats include:
• Environmental (e.g. fire, water, tornado, earthquake);
• Business Resources (e.g. equipment failure, supply chain disruption, employees); and
• Hostile Actors (e.g. hackers, hacktivists, criminals, nation-state actors).
When looking at these types of threats, many people do not
understand how they relate to information security. It is helpful to consider
what would happen in the event of, for example, a flood. Computers, servers,
and paper documents can easily be destroyed by even a small amount of water. If
it is a large flood, you may not be allowed in the area to protect or collect
the information your business needs to run.
A
vulnerability is a weakness that could be used to harm the
business. Any time or situation where information is not being adequately
protected represents a vulnerability. Most information security breaches can be
traced back to only a few types of common vulnerabilities. Section 3 and
Section 4 of this publication are geared towards minimizing your
vulnerabilities and reducing the impact of a security incident should one
happen.
Some threats affect businesses and industries differently. For
example, an online retailer may be more concerned about website defacement than
a business with little or no web presence. Likelihood is
the chance that a threat will affect your business and helps determine what
types of protections to put in place.
Similarly, most businesses have
different types of information. If a marketing pamphlet is leaked online, it
will probably not harm the business nearly as much as if, for example,
sensitive customer information or proprietary business data was leaked. The impact an event
could have depends on the information affected, the business, and the industry.
Figure 2 shows the relationship
between threats, vulnerabilities, impact, and likelihood.
Figure 2: How Risk is determined from Threats, Vulnerabilities, Likelihood, and Impact
(flow diagram; its text is reproduced here)
Threats: Environmental; Business Resources; Hackers / Criminals
  <-> Vulnerabilities: weakness in security protection
  -> Likelihood: chance of a threat affecting the business. Occurrence based on
     history / industry statistics; for adversarial threats, capability and intent.
  -> Impact: potential harm to the business. The theft or disclosure of sensitive
     business information; business information or systems being modified; the
     loss of information or system availability.
  -> RISK
2.2 Managing Your Risks
The activity of identifying what information requires what level
of protection, and then implementing and monitoring that protection, is called
“risk management”. This section contains simple steps for creating a
risk-based information security program to help you manage risk.
This process will likely require the input and collaboration of a
broad array of personnel within the business to be successful. Bring together
those personnel in your business who can help make informed decisions, for
example project managers, executives, legal, and IT personnel. In addition, you
may want to include customers, particularly those you do a significant amount
of business with, and use them as an additional resource.
You should review and update your risk management plan at least
annually and whenever you may be considering any changes to the business (e.g.
beginning a new project, a change in procedure, or purchasing a new IT system).
Also, if you hear that something happened to one of your business partners,
suppliers (including makers of any computer equipment or software you may use),
customers, or employees, use this exercise to make sure you are still
adequately protected.
• Identify what information your business stores and uses
Because it is unreasonable to protect every piece of information
your business uses against every possible threat, it is important to identify
what information is most valuable to your business or to others. This first
step is often the most challenging and most important part of risk management.
Start by listing all of the types of information your business
stores or uses. Define “information type” in any useful way that makes sense to
your business. You may want to have your employees make a list of all the
information they use in their regular activities. List everything you can think
of, but you do not need to be too specific. For example, you may keep customer
names and email addresses, receipts for raw material, your banking information,
or other proprietary information.
• Determine the value of your information
Go through each information type you identified and ask these key
questions:
• What would happen to my business if this information was made
public?
• What would happen to my business if this information was
incorrect?
•
What would happen to my business if I/my customers couldn’t access this
information?
These questions relate to confidentiality,
integrity, and availability, as discussed in Section 1.1 and help
determine the potential impact of an event. Table 1 below shows a
template worksheet or spreadsheet you can adapt and use to identify the value
of your information. Table 1 also includes some additional, helpful
questions to consider what would happen to your business reputation, your
productivity, and your legal liabilities.
You may not be able to assign a dollar value to many types of information, so
instead consider using a scale of 0 to 3 or “none,” “low,” “moderate,” and
“high.” Note that one person alone may not know how a piece of information is
used throughout the business; a team effort will likely be required.
Using
the answers to these questions, rank how critical each type of information is
to the continued operations of your business. When calculating an overall
ranking or risk score for an information type, either add the values to give a
total value or use the highest value or score given. For example, if the
information type has one “high” rating, the entire information type should be
rated as “high”. Information that has a higher score needs to be more protected
than information with a low score. Higher-rated information types may warrant
use of the techniques identified in Section 3 of this publication, depending on
the relevant threats and vulnerabilities.
Table 1 below is an example worksheet showing how this information can be
gathered. The worksheet includes a worked example in the “Example” column. The
worksheet is also available in Appendix D.
Table 1: Identify and Prioritize Information Types

                                        | Example:                     | Info type 1 | Info type 2 | ...
                                        | Customer Contact Information |             |             |
Cost of revelation (Confidentiality)    | Medium                       |             |             |
Cost to verify information (Integrity)  | High                         |             |             |
Cost of lost access (Availability)      | ...                          |             |             |
Cost of lost work                       |                              |             |             |
Other legal costs                       |                              |             |             |
Reputation / public relations costs     |                              |             |             |
Cost to identify and repair problem     |                              |             |             |
Overall Score:                          |                              |             |             |
• Develop an inventory
Identify what technology comes in contact with the information you
listed in Table 1. Complete Table 2 to include the technology you
use to store, access, process, and transmit that information. This can include
hardware (e.g. computers) and software applications (e.g. browser, email). Make
sure to include the make, model, serial numbers, and other identifying
information; this information is necessary for identifying the product in case
of maintenance, repair, or insurance purposes. Every information type should
have at least one hardware / software technology listed. Where applicable,
include technologies outside of your business (e.g., “the cloud”) and any
protection technologies you have in place such as firewalls.
You should also track where each
product is located. For software, identify what machine(s) the software has
been loaded on to. You may also want to include the owner of the technology, if
applicable.
Evaluate
the impact of the information, as decided in Table 1—this will help you
determine the most appropriate security controls needed to protect the
information. You may choose to add up impact scores for all types of
information the product comes in contact with, or only use the highest score.
Update this list at least annually. This table is also included in Appendix D.
Table 2: Inventory

# | Description (e.g. nickname, make, model, serial number, service ID, other identifying information) | Location | Type of information the product comes in contact with | Overall Potential Impact
1 | Dr. J. Smith’s cell phone; Type – Sonic; Version – 9.0; ID – “Police Box” | Mobile T&S Network | Email; Calendar; Customer Contact Information; Photos; Social Media; Locations; Medical Dictionary Application | High
2 | ... | | ... |
• Understand your threats and
vulnerabilities
All businesses face information security and cybersecurity threats
and vulnerabilities. While certain categories of threats and vulnerabilities
may be consistent across businesses, some may be specific to your industry,
location, and business. You should regularly review what threats and
vulnerabilities your business may face and estimate the likelihood that you
will be affected by that threat or vulnerability. This can help you identify
specific strategies to protect against that threat or vulnerability.
Table 3 provides an example of how to determine the likelihood of an incident
based on the information you collected in Tables 1 and 2. The left-hand column
of the table lists some example threat events or scenarios; you should create a
list that is specific to the threats and vulnerabilities your business faces.
Record the overall likelihood of a threat affecting your business in the bottom
row, using the highest value or score given. For example, if any scenario for
an information type is rated “high”, the overall likelihood for that
information type should be rated “high”. See Appendix D for more information on
this worksheet.
Table 3: Identify Threats, Vulnerabilities, and the Likelihood of an Incident

                                                       | Example: Customer Contact Information on Dr. J. Smith’s cell phone | Info type / Technology | Info type / Technology | Info type / Technology | ...
Confidentiality                                        |                                       |   |   |   |
  Theft by criminal                                    | Med (encrypted; password-protected)   |   |   |   |
  Accidental disclosure                                | Med (has previously lost phone twice) |   |   |   |
Integrity                                              |                                       |   |   |   |
  Accidental alteration by user / employee             | Med                                   |   |   |   |
  Intentional alteration by external criminal / hacker | Low                                   |   |   |   |
Availability                                           |                                       |   |   |   |
  Accidental Destruction (fire, water, user error)     | Med (Regular backups)                 |   |   |   |
  Intentional Destruction                              | Low                                   |   |   |   |
Overall Likelihood:                                    | Med                                   |   |   |   |
Your business likely already has some processes and procedures in place which
help to protect from these threats. It is useful to record these protections as
you go through this exercise (e.g. the destruction of information may be
mitigated or protected against by regular backups). Information about threats
and common vulnerabilities can be found through your local InfraGard chapter
[InfraGard], [US-CERT], your local SCORE chapter, hardware or software vendor
announcements, your local police department and many other places (e.g., the
National Vulnerability Database [NVD]).
Vulnerabilities in software applications are the most common avenue of attack
for hackers. Because of the broad range of vulnerabilities that may exist
within a network or system, a vulnerability scan or analysis should be
conducted by a professional at least once a year, and again whenever you make
major changes to your computers or network. The price of this service can vary
widely, from free to thousands of dollars, depending on the specific actions
performed and the size or nature of the business being assessed.
You may want to consider conducting a
penetration test against your business. This test simulates an attack in order
to identify weaknesses. The test should include physical, social engineering,
and cyber-based attacks. Other tests may also be useful—work with a
cybersecurity professional to identify what is appropriate for your situation.
The information gathered in Tables 1 - 3 provides what you need to identify
the areas where you should focus your information security efforts. Table 4
below shows an example of how the value of your information types or “impact”
(Tables 1 and 2) and the potential likelihood of an attack (Table 3) can be
combined to help you prioritize your information security efforts.
Table 4: Prioritize Resolution Action
Using
the previous example, Dr. J. Smith’s Cell Phone, which contains customer
contact information, may be a Priority 3 device due to the High impact and Low
Likelihood.
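The roll-up rules of the worksheets above, worked in code as an added example (this is not part of the NIST publication): Table 1 scores an information type by its highest cost rating (or the sum, the alternative the text allows), Table 2 carries the highest impact of the information types an asset touches and requires that every information type appear on at least one asset, and Table 3 takes the highest likelihood across threat scenarios. The cell-phone ratings are those shown in Tables 1 to 3; the marketing pamphlet and the office file server are constructed for illustration, and because Table 4's matrix is not reproduced on this page the final ranking (impact first, then likelihood) is an assumption made here rather than the publication's rule.

```python
"""Risk worksheet roll-up for Tables 1-3 of NIST IR 7621r1 (added example)."""
from dataclasses import dataclass, field

# Scale from the text: none/low/moderate/high = 0..3.  Worksheet cells use
# "Medium"/"Med" for "moderate", so those spellings are accepted too.
SCALE = {"none": 0, "low": 1, "moderate": 2, "medium": 2, "med": 2, "high": 3}
LABELS = ["None", "Low", "Moderate", "High"]


def rating(value) -> int:
    """Normalise a worksheet cell (an integer 0-3 or a scale word) to 0-3."""
    if isinstance(value, int) and not isinstance(value, bool) and 0 <= value <= 3:
        return value
    try:
        return SCALE[str(value).strip().lower()]
    except KeyError:
        raise ValueError(f"unknown rating {value!r}; use 0-3 or one of {sorted(SCALE)}")


def roll_up(values, method="max") -> int:
    """Combine several ratings.  "max" is the rule the text illustrates (one
    "high" makes the whole item "high"); "sum" is the alternative it mentions,
    and can exceed 3, so it is a ranking number rather than a scale word."""
    scores = [rating(v) for v in values]
    if not scores:
        return 0
    if method == "max":
        return max(scores)
    if method == "sum":
        return sum(scores)
    raise ValueError(f"unknown method {method!r}")


@dataclass
class InfoType:
    """One column of Table 1: an information type and its cost ratings."""
    name: str
    costs: dict  # worksheet question -> rating

    def impact(self, method="max") -> int:
        return roll_up(self.costs.values(), method)


@dataclass
class Asset:
    """One row of Table 2, plus its column of Table 3 threat scenarios."""
    name: str
    location: str
    info_types: list                              # names of InfoType entries it touches
    threats: dict = field(default_factory=dict)   # scenario -> likelihood rating

    def impact(self, catalog, method="max") -> int:
        # Table 2: highest (or summed) impact of every information type the
        # product touches.  A KeyError means the asset names an information
        # type that was never scored in Table 1.
        return roll_up([catalog[n].impact(method) for n in self.info_types], method)

    def likelihood(self) -> int:
        # Table 3: "Use the highest value or score given."
        return roll_up(self.threats.values(), "max")


def uncovered_info_types(catalog, assets):
    """Table 2 check: every information type should appear on at least one asset."""
    covered = {n for a in assets for n in a.info_types}
    return sorted(set(catalog) - covered)


def prioritize(catalog, assets):
    """Rank assets for Table 4.  Ordering by impact, then likelihood, is an
    assumption made here (Table 4's matrix is not on the page).
    Returns (name, impact, likelihood) tuples, highest priority first."""
    rows = [(a.name, a.impact(catalog), a.likelihood()) for a in assets]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


def build_example():
    """Cell-phone data is taken from Tables 1-3; the pamphlet and the office
    file server are constructed sample data."""
    catalog = {
        "Customer Contact Information": InfoType(
            "Customer Contact Information",
            {"revelation (C)": "Medium", "verify (I)": "High"}),
        "Marketing Pamphlet": InfoType(  # constructed
            "Marketing Pamphlet",
            {"revelation (C)": "None", "verify (I)": "Low", "lost access (A)": "Low"}),
    }
    assets = [
        Asset("Dr. J. Smith's cell phone", "Mobile T&S Network",
              ["Customer Contact Information"],
              {"Theft by criminal": "Med", "Accidental disclosure": "Med",
               "Accidental alteration by user / employee": "Med",
               "Intentional alteration by external criminal / hacker": "Low",
               "Accidental Destruction (fire, water, user error)": "Med",
               "Intentional Destruction": "Low"}),
        Asset("Office file server (constructed)", "Back office",
              ["Marketing Pamphlet"],
              {"Accidental Destruction (fire, water, user error)": "Low"}),
    ]
    return catalog, assets


if __name__ == "__main__":
    catalog, assets = build_example()
    for name, impact, likelihood in prioritize(catalog, assets):
        print(f"{name}: impact={LABELS[impact]}, likelihood={LABELS[likelihood]}")
    print("information types on no asset:", uncovered_info_types(catalog, assets))
```

Run stand-alone, the cell phone ranks first (impact High, likelihood Moderate, matching the "Med" bottom row of Table 3). The "sum" method is kept only for ranking, since a summed score has no scale word; the "max" method is what the text's own example uses.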
As
you review the practices in Section 3 and 4 of this document, look at what
technologies and services you may need to purchase. When you develop a budget,
apply the information from this exercise to help you select, obtain and
implement systems and services that are commensurate with your risk.
2.3 When you need help
No one is an expert
in every business and technical area. You may choose to outsource some of your
technology and information security needs to companies that provide these
services. Here are a few tips which can help you find a provider that’s right
for your business:
• Ask for
recommendations. You can ask your business partners, local Chamber of
Commerce, Better Business Bureau, colleges or universities, or SCORE Office for
referrals.
• Request quotes.
Make sure to have a clear list of actions or outcomes that you want to achieve.
This may be done with the potential provider, depending on whether or not you
want their opinion of what actions or outcomes your business should have.
• Check past performance. Often providers will have reviews
posted online. Check for complaints with the Better Business Bureau or Federal
Trade Commission. If possible, request a list of past customers and contact
each to see if the customer was satisfied with the company’s performance and would
hire them again for future work. Find out how long the company has been in
business and whether or not there have been recent or several changes in
management – this can be an indicator of future difficulties.
• Find out who
will be doing your work. Ask for the professional qualifications of the
personnel who will be handling the project – including those working directly
with you or on your systems as well as any personnel that will be overseeing
the project. Look for recognized professional certifications and relevant
experience.
Recognize that
anyone you hire to perform a service for you may not know your business or
industry. Any large decisions – including any changes in processes or
technologies used - should be made in collaboration with business executives,
project leaders, and other relevant personnel.
In some cases, larger
organizations will help their small business suppliers analyze their risks and
develop an information security program. If you have business partners or
large customers that depend on your organization, consider asking for their
input or participation in your risk management process.
Part 3, Safeguarding Your Information, will be published next.