Why Information Security is Critical to an Organization
By: Lubna Sheikh
Everyone has been impacted by the COVID-19 pandemic in one way or another. People aren’t working and interacting face-to-face as they once were, and millions of people around the globe are learning to work and go to school remotely. From the perspective of computer security, the transition to remote work has raised important concerns about the security of the information systems we use. As more information becomes available to us online, it becomes equally important to protect and secure it. There is an increasing need for everyone to understand the importance of information security and take proactive steps to address it. From people working remotely to children experiencing distance learning for the first time, the change touches everyone; I realized the impact when I started to explain concepts of computer security to my 2nd grader.
There is a need for everyone to better understand how systems can be compromised by bad actors, and how it is everyone’s responsibility to protect the information and applications we use. Security starts with three important principles: Confidentiality, Integrity, and Availability, often called the CIA Triad. These are viewed as the primary goals and objectives of information security:
- Confidentiality: Ensures information is not made available or disclosed to unauthorized individuals, entities, or processes;
- Integrity: Protects the accuracy and completeness of assets; and
- Availability: Ensures information is accessible and usable, upon demand, by an authorized entity.
Security controls or countermeasures that must be implemented by organizations are typically evaluated against these three core principles. Each vulnerability and its associated risk are also evaluated based on threats against these principles.
Organizations must take appropriate steps to improve overall security by aligning relevant security functions to the business’s missions, goals, and objectives. Senior management must take information security’s core principles into account when defining the organization’s policies. Security managers and the operations team can then flesh out these policies into standards, procedures, and guidelines, which are ultimately communicated to end users, who are asked to comply with them. The National Institute of Standards and Technology (NIST) recommends reviewing policies annually.
Regardless of the security solution implemented, humans are the weakest element. Organizations must improve staff awareness of information security issues through training and awareness initiatives. Implementing cyber security training programs helps organizations reinforce their information security policies, as do regular reviews to ensure security requirements are met. For example, iWorks requires its employees and contractors to complete various mandatory government training courses on information security, such as Personally Identifiable Information (PII) training and the Cyber Awareness Challenge.
Out-of-date applications and operating systems are common targets for cyberattacks, because known exploits remain effective against systems that have not been patched. Therefore, it is important to test and evaluate existing countermeasures, and to evaluate new and emerging security products against your business needs, to help ensure that your network has the flexibility to accommodate current and future security challenges.
Not to be overlooked, patches and updates from vendors should also be identified and installed as part of a regular maintenance cycle and according to existing application change management procedures. Security policies and rules may also need to be updated as additional applications and devices are added to your network environment to help ensure any new gaps are appropriately addressed.
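The two paragraphs above describe identifying out-of-date software as part of a regular maintenance cycle. The following script is an added illustration of that check, not code from the article or from iWorks: it compares a software inventory against the versions a vendor currently patches and reports every entry that is behind or untracked. The inventory, product names, and "latest patched version" table are constructed sample data, and the version format (dotted integers) is an assumption; real inventories would come from an asset-management or endpoint tool.

```python
"""Flag installed software that is below the vendor's current patched version.

Added illustration for this article. The inventory and the latest-patched-
version table are constructed sample data, not real products or advisories.
"""
import re

# Constructed sample: software inventory as (host, product, installed version).
INVENTORY = [
    ("laptop-01", "webbrowser", "1.9.2"),
    ("laptop-01", "pdfreader", "10.0.1"),
    ("laptop-02", "webbrowser", "1.10.0"),
    ("laptop-02", "chatclient", "4.1"),      # not in the patched-version table
    ("iot-camera-7", "camfirmware", "2.3"),  # IoT devices belong in the inventory too
]

# Constructed sample: the version the vendor currently supports and patches.
LATEST_PATCHED = {
    "webbrowser": "1.10.0",
    "pdfreader": "10.0.3",
    "camfirmware": "2.3",
}


def parse_version(text):
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.

    A plain string comparison would wrongly rank '1.9.2' above '1.10.0',
    because it compares '9' against '1' character by character.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_outdated(installed, latest):
    """True when the installed version is older than the latest patched one.

    Shorter tuples are padded with zeros so that '2.3' equals '2.3.0'.
    """
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_outdated(inventory, latest_patched):
    """Return [(host, product, installed, latest)] for every entry needing attention.

    Products missing from the patched-version table are reported with
    latest='unknown' so that untracked software is never silently treated
    as current; a gap in the table is itself a finding for the maintenance cycle.
    """
    findings = []
    for host, product, installed in inventory:
        latest = latest_patched.get(product)
        if latest is None:
            findings.append((host, product, installed, "unknown"))
        elif is_outdated(installed, latest):
            findings.append((host, product, installed, latest))
    return findings


if __name__ == "__main__":
    for host, product, installed, latest in find_outdated(INVENTORY, LATEST_PATCHED):
        print(f"{host}: {product} {installed} -> patch to {latest}")
```

Running the script reports the two hosts with stale versions plus the chat client that has no tracked patch level. Treating an untracked product as a finding rather than ignoring it is deliberate: the paragraph above notes that policies and rules must be updated as new applications are added, and an inventory that quietly skips unknown software hides exactly those gaps.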
In addition to company-issued laptops, smart devices and Internet of Things (IoT) devices are other potential elements of a modern business network that need appropriate security management and oversight. For more information on the importance of proper security management of smart devices and IoT equipment, please see “NIST Initiatives in IoT”.
Lastly, distance learning for kids means they should also be educated to use technology safely. There are several ways to educate them. For example, some resources I used to introduce and explain concepts for being safe while online to my own child include:
- Watch videos online with your children that help them understand basic security concepts (e.g., what cyber security is, who bad actors are, and how using technology for classes is a privilege that comes with certain responsibilities).
- Explain how information can be stolen and misused.
- Introduce the concept of password security and why passwords should never be shared with anyone.
- Utilize county-provided resources and guidelines, such as Internet Safety Basics provided by your child’s school.
The COVID-19 pandemic has introduced new challenges and obstacles to daily life. Remote work and learning are a new reality for many people who had not previously participated in them. But this also provides new opportunities for companies, agencies, and state and local governments to improve their information security stance, and with it, opportunities for individuals to learn as well. While there is so much misinformation out there, we all must be vigilant and responsible while using technology.
Sources for the definitions above: NISTIR 5153; DoD 5200.28-STD.