Four Core Components of Higher IT Security

Mitigating risks: For all businesses, IT security must be a crucial part of their overall strategy. In this article, I will outline its cornerstones and how tools can support the risk management process.

The use of information technology introduces risks – risks, however, that can be kept at bay by suitable measures. The following areas are crucial and worth being considered more in detail: software development, technical protection measures, staff training and risk management.

1 Secure software is a basic prerequisite

An important prerequisite for secure IT systems is that previous experience concerning good as well as bad practices is considered already during software development. In addition, the software must undergo effective security checks, for example code analyses and penetration tests. Developers are often quite aware of how their software can be attacked or compromised. The challenge is motivating them to develop functional and secure software as well, which requires an appropriate time frame in line with high quality awareness.

2 Expertise is indispensable for technical protection measures

When operating IT systems with a high protection level regarding their availability, confidentiality or integrity of data, the highest priority is given to technical protection measures such as encryption methods, restrictive configurations, firewalls, intrusion detection or intrusion prevention systems. Applying and configuring these tools effectively requires expert knowledge, which must continuously be kept up to date – due to the rapid development of new technologies and concomitant threats.

Expert knowledge in technical measures cannot be replaced by protection catalogs as, for example, the IT baseline protection catalogs of the German Federal Office for Information Security (BSI) or the requirements of the PCI DSS standard. These guides provide good orientation, but experience shows that protecting a complex IT infrastructure during operation requires significantly more know-how.

3 Trainings are more effective than prohibitions

When confronted with potential threats to IT security, people tend to first think about external attackers. But actually, everyone involved in use cases or supporting and operating processes poses a more direct risk for confidentiality, availability and integrity. Because of that, some technical limitations such as access restrictions or surveillances (for example by virus scanners) are mandatory. However, I think that most restrictions as, for example, limited internet access, disabled USB ports or the prohibition of collaboration tools are counterproductive for companies subsisting on knowledge work.

It better serves IT security to make employees aware of risks, to sensitize and train them regarding good practices. Additionally, it is desirable to deal with security incidents in a constructive manner, for example by performing root cause analyses for security breaches. In order to prevent future repetitions, sufficient measures must be identified, implemented and subsequently checked for effectiveness.

4 Risk management is more than ticking boxes

For each company, one of the most significant challenges is to identify and assess its own security risks. This, however, is the exact groundwork for not only being able to respond to incidents but to mitigate or even prevent these risks. To support this, a framework or model is helpful which describes security objectives as comprehensively as possible. This approach is similar to quality management, where, for example, the standard ISO/IEC 25010 describes quality objectives for software products. Concerning information security management, PASS has decided to follow the established requirements and controls of ISO/IEC 27001/27002.

In 2011, after implementing an initial version of an information security management system (ISMS), we quickly learned that merely ticking catalogs of security objectives does not bring much benefit. Catalogs of requirements and controls are good as a blueprint, but the recommended measures must be adapted individually to each asset of the company. Every IT system, application, network, building, room, supplier and so on must be considered in particular.

In addition, ticking boxes in a list of controls as, for example, offered by ISO/IEC 27001, which simply represents the information “achieved” or “not achieved”, is very short-sighted. For each asset and for each objective, the consequences of non-achievement must be determined – not just as a monetary loss but also regarding reputational damage and violations of laws. Before any decision regarding risk mitigation measures can be made, the probability of the respective events and, where appropriate, their periodicity must also be assessed. Only after being acquainted with the overall picture it can be decided which residual risks can be accepted and where measures concerning risk treatment must be taken.

Tool support for IT security management

One of our key findings is: The benefit of risk management depends on the collaboration of all asset owners of the company. Many risk portfolios include several thousands of influencing factors (different systems, applications, networks, buildings, rooms, suppliers and so on) and specific threats with impacts and probabilities that only the respective asset owner can assess.

In order to combine decentralized risk assessments by all asset owners with a consolidated view by the risk manager, we have developed the PASS Risk Advisor (PRA). It guides the asset owners using risk assessment questionnaires derived from ISO/IEC 27001, BSI basic protection and the MaRisk standard of the German Federal Financial Supervisory Authority and recommends best practices for the treatment of risks, which can be centrally maintained based on own and company-specific experiences.

The PASS Risk Advisor increases the reliability of risk management as risks can be assessed directly by experts instead of from afar. It increases its efficiency as the handling is supported by rulesets conformal to established standards and the remaining workload is shared between multiple persons.

IT security is a matter for experts

If all these components are implemented, assets can be effectively protected from threats. Thereby, my conclusion is that their implementation should always be accompanied by experienced subject matter experts, either own or external ones.

 First published in the PASS Travel Industry Blog