Information security revolves around three concepts: confidentiality, integrity, and availability. In a secure environment, your information is:
- Confidential, as no one should be able to access data they are not authorized to see.
- Whole and complete, without any unauthorized additions or deletions.
- Available to those who need it when and where appropriate.
It is useful to look at security concerns from a risks and consequences viewpoint. You need to assess your security risks and determine which issues need to be addressed and how. Every organization will perceive certain risks differently, and may choose to rank their resolution differently. This means that not every concern can or will be addressed, given either the resources available or the priority assigned to that particular risk.
HSC advocates looking at security from a risks, consequences, and resources viewpoint:
- What are the risks you face from a security breach, and what are the possible consequences of that breach?
- What would it take to address those risks?
- What risks are the most important to you, and what resources do you have to address these important risks?
For example, the confidentiality of an information and referral database of social services available to low-income families may be a lower priority than that of the data maintained by a domestic violence shelter. A social services organization may invest very little to protect its data, while a domestic violence shelter may be required by law to make confidentiality its top security priority.
Here is a list of common risks and consequences.
Risks:
- Loss of confidential or sensitive data, e.g., from a server drive failure.
- Theft or loss of a laptop computer, e.g., from an office burglary.
- Unauthorized access to data, e.g., a hacker steals sensitive client data.
- Loss of important hardware, e.g., an Internet router failure.
Consequences:
- Loss of clients due to exposure of confidential data.
- Financial burden of replacing lost or stolen hardware.
- Legal fines and penalties as a result of sensitive data losses.
- Loss of organizational capacity due to lost Internet connection.
The HSC program uses a "defense in depth" approach to security so that any individual security flaw has a limited impact on your systems. Every technology in use in your organization should be "hardened", that is, configured in as secure a fashion as possible, so that there are no weak points for an intruder to exploit.
Some important areas to secure are as follows:
Internet Access/Internet Gateways
Any connection to the Internet, dial-up, DSL, leased line, etc., is, by definition, public and accessible from anywhere else on the planet. The numerical nature of the Internet makes it impossible to hide your connection from hackers. As a result, securing your Internet connection with a firewall is a necessity.
If you use a dial-up connection, be sure to install a firewall program, such as Zone Edit or the integrated firewall in Windows XP and Macintosh OS X.
DSL and other broadband users should put a dedicated router device on their connection. Besides allowing multiple users to access the line, such a router functions as a simple and effective firewall, limiting access from the Internet to computers on your local network.
Network Applications
Any application that makes use of the Internet, such as web browsers, email clients, and operating systems, must be secured. This usually means installing the latest versions and patches, though some applications may require additional configuration to ensure their security. If you operate your own Internet servers, such as email servers or web servers, you will need to make sure that these services are configured securely.
User Accounts, Authentication and Access Control
All computers and information systems (databases, email, file servers) need to use some sort of authentication system so only authorized users may access these systems. In practice this usually means user accounts and strong passwords. In addition, most organizations will need to set up a permissions-based access system to most data, so that once authenticated, users only have access to data appropriate to their position in the organization.
Encryption of Exposed Transport
Increasingly, organizations use technologies such as wireless networking and virtual private networking that extend the local network beyond the confines of the office. These technologies need to be configured to use robust encryption so that information passed through them cannot be easily compromised.
Security and convenience are often difficult to balance: the more secure a system is, the more difficult it can be to access and use. An important aspect of HSC is proper end user training, so that users understand the security systems and how to use them properly, and can do their work with the necessary security but without unnecessary inconvenience. It is worth remembering that secure systems are often compromised by the system's own users in the name of convenience and ease of use.
Worksheet 4: Security Assessment
