9.6 Continuity Planning & Disasters Security Flashcards
What is involved in Continuity Planning & Disasters from a Security perspective?
Events such as a cyber attack or loss of data that impact the business need to be covered in the continuity plan
Extreme events where the business becomes inoperable need to be covered in the disaster recovery plan
Evidence suggests humans are the cause of most security breaches
Identify the well-known security problems
Phishing
Hacking (DDoS, key logging, cookie theft)
Malware
Scareware
Spyware
Bots
Ransomware
BYOD
Lack of compliance with security policies
Identify the types of security issues
Technical
Procedural
Physical
Personnel
Describe each of the types of security issues
Technical
Storage (hardware, temperature, moisture)
Access
Manipulation
Transmission of data must be safeguarded by technology that enforces particular information control policies
Procedural
Procedures used in operation of system must assure reliable data
Physical
Computers must be physically inaccessible to unauthorised users:
Doors opened by swipe cards
Voice / palm / fingerprint recognition or keypad
Security guard
Sensors
Personnel
People responsible for system administration and data security at your site must be reliable:
Background checks
Dismissal procedures
Password protocol
Identify what is involved in Human Perception of Security
Belief that ‘technology’ takes care of it
Legacy ways of working
Perception of risks is ‘low’ so standards slip
Little / poor understanding of system and how it works
Basic human belief in trust
No value placed on data by staff
Company culture
Identify what are the Human Factors in Security
Many security breaches are due to the ‘human factor’ in the equation
Estimated 60% of financial losses are due to human error
Vulnerabilities still exist, no matter how good computer controls are
Staff must understand responsibility towards data protection
Identify the risks involved with Human Factors in Security
Disgruntled employees
Sacked (or resigned) staff
Workarounds
Elevated privileges
Carelessness
Sabotage
Time and resource theft
Loss of portable media (USB sticks) with encrypted data
Loss of laptops (carelessness or theft)
Password sharing and writing down strong ones
Tailgating into buildings
Accidental introduction of viruses / trojans / malware
What steps can companies take for Continuity Planning & Human Security?
Have a Security Strategy and Policy
Security strategy must be embedded into overall business strategy and processes
Security must be designed into systems, not be an ‘add-on’ (user authentication, firewall, anti-virus)
Quality software from respected vendors
Training of all staff and good communication to all staff about security issues
Appoint ‘Data Guardians’ in every department (responsibility for championing at top level)
Strategies such as clear desk policy / use of swipe cards make security seem more important
Change company culture: if senior management take it seriously, culture will improve lower down the organisation
Pre-employment screening of all staff and ongoing screening of existing staff