Information Security & Cybersecurity

What is it and why is it important?

Murray Security Services


Information security is the older term used by professionals in our industry for the practice of identifying critical or sensitive information and protecting it with an appropriate amount of rigor.

Cybersecurity is the newer term that has (in a way) rebranded information security. We use the terms “information security” and “cybersecurity” interchangeably.


Why Cybersecurity?

Consider this – most organizations (for profit, not for profit, small, medium or large) create, store and transmit information. It has been stated that 80% of any organization, in any industry, uses automation to process, transmit and/or store data and information. This means that 80% of your business processes are automated using some type of technology!

Here are some technologies that may be used:

·        Computer desktops
·        Laptops and tablets
·        Mobile devices, personal and/or company owned
·        Servers
·        Cloud services
·        Dropbox
·        OneDrive
·        Google drive
·        Email
·        Printers
·        Point of sale systems
·        Other devices?

While this may be invisible to most users, it needs to be understood by organizational leadership, and a strategy should be developed to classify and categorize the organization's data/information based on importance or sensitivity. Once the data and information has been classified, it can be inventoried and aligned to the computing devices that process, transmit and store it. At that point the organization has identified its “information assets”. These devices then inherit the classification of the data they handle, and the organization can determine the appropriate protection strategy for each “information asset”.

Examples of classification schemes:

Government/Federal

Classified

·        Top Secret
·        Secret
·        Confidential

Unclassified

·        Controlled Unclassified Information (CUI) 
            - Covered Defense Information (CDI)
            - Controlled Technical Information (CTI)
·        Sensitive but Unclassified (SBU)
·        International Traffic in Arms Regulations (ITAR) information
·        Public

Commercial/Not for Profit Organizations

·        Highly Confidential
·        Sensitive
·        Proprietary
·        Internal Use Only
·        Public
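The classify-inventory-inherit process described above, worked through as an added example (this is illustrative code, not a tool from Murray Security Services). It uses the commercial scheme listed above; the data items, devices and the minimum-control mapping per level are constructed assumptions, and each device inherits the highest classification among the data it processes, transmits or stores, so the organization can see which required protections are still missing on that device.

```python
"""Information-asset inventory: devices inherit the classification of the
data they handle. Added example; the data items, devices and the control
mapping are constructed for illustration, not a real organization's inventory."""
from dataclasses import dataclass

# Commercial / not-for-profit scheme from the page, least to most sensitive.
LEVELS = ["Public", "Internal Use Only", "Proprietary", "Sensitive", "Highly Confidential"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed (assumed) controls each level adds on top of the levels below it.
_ADDED_CONTROLS = {
    "Public": set(),
    "Internal Use Only": {"authentication", "backup"},
    "Proprietary": {"access-review"},
    "Sensitive": {"encrypt-in-transit", "mfa"},
    "Highly Confidential": {"encrypt-at-rest", "audit-logging"},
}


def required_controls(level: str) -> set[str]:
    """Controls for `level`: the union of its own and every lower level's controls."""
    if level not in RANK:
        raise ValueError(f"unknown classification label: {level!r}")
    controls: set[str] = set()
    for name in LEVELS[: RANK[level] + 1]:
        controls |= _ADDED_CONTROLS[name]
    return controls


@dataclass(frozen=True)
class DataItem:
    name: str
    classification: str
    owner: str  # the information owner/creator decides the label


@dataclass
class Device:
    name: str
    kind: str
    handles: list[str]  # names of DataItems it processes, transmits or stores
    controls: set[str]  # controls the device currently implements


def inherit_classification(device: Device, catalog: dict[str, DataItem]) -> str:
    """A device inherits the highest classification among the data it handles.
    Data names absent from the catalog are an inventory gap and are rejected."""
    missing = [n for n in device.handles if n not in catalog]
    if missing:
        raise KeyError(f"{device.name}: data not in inventory: {missing}")
    if not device.handles:
        return "Public"  # nothing sensitive identified on this device
    return max((catalog[n].classification for n in device.handles), key=RANK.__getitem__)


def control_gaps(device: Device, catalog: dict[str, DataItem]) -> set[str]:
    """Controls required by the inherited classification but not yet implemented."""
    return required_controls(inherit_classification(device, catalog)) - device.controls


def build_inventory(items: list[DataItem], devices: list[Device]) -> dict[str, dict]:
    """Per-device inherited classification and sorted list of missing controls."""
    for item in items:
        required_controls(item.classification)  # validates every label up front
    catalog = {item.name: item for item in items}
    return {
        d.name: {
            "classification": inherit_classification(d, catalog),
            "gaps": sorted(control_gaps(d, catalog)),
        }
        for d in devices
    }


# Constructed sample inventory (assumption, not real data).
SAMPLE_ITEMS = [
    DataItem("customer-pii", "Sensitive", "privacy officer"),
    DataItem("product-recipe", "Highly Confidential", "R&D lead"),
    DataItem("price-list", "Public", "marketing"),
    DataItem("staff-handbook", "Internal Use Only", "HR"),
]
SAMPLE_DEVICES = [
    Device("pos-01", "point of sale", ["customer-pii", "price-list"],
           {"authentication", "backup", "encrypt-in-transit"}),
    Device("rd-laptop-07", "laptop", ["product-recipe", "staff-handbook"],
           {"authentication", "mfa", "encrypt-at-rest"}),
    Device("lobby-kiosk", "desktop", ["price-list"], set()),
]

if __name__ == "__main__":
    for name, entry in build_inventory(SAMPLE_ITEMS, SAMPLE_DEVICES).items():
        print(f"{name}: {entry['classification']}; missing controls: {entry['gaps'] or 'none'}")
```

The point of the `KeyError` in `inherit_classification` is that a device handling data nobody has classified is itself a finding: the inventory is incomplete, and silently treating that data as Public would understate the device's protection needs.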

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

What Information Should be Protected?

The information owner/creator should determine the appropriate classification based on organizationally defined requirements. Some organizations have very stringent regulatory requirements that define minimums for their industry, such as banking, finance and healthcare. Consider the following:

Privacy Information – The United States does not have an overarching law or regulation for defining and protecting privacy information. Because of this, it is up to the business owner or organizational leadership to understand the various privacy laws for each state that they operate in. Remember, if you target customers in multiple states, you may have to comply with each state’s requirements. It can become overwhelming!

How do you protect privacy information for employees, customers, clients or business partners?

Some federal laws that are industry specific:

·        The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
·        Family Educational Rights and Privacy Act (FERPA)
·        The Gramm-Leach-Bliley Act
·        Fair Credit Reporting Act (FCRA)
·        Children's Online Privacy Protection Act (COPPA)

Some state privacy laws that businesses should be aware of:

·        The Colorado Privacy Act (CPA)
·        New York SHIELD Act
·        Virginia's Consumer Data Protection Act (CDPA)
·        California Consumer Privacy Act (CCPA)
·        California Privacy Rights Act (CPRA)

Some international privacy laws that organizations should be aware of if doing business outside of the United States:

·        European Union - General Data Protection Regulation (GDPR)
·        Brazil - General Law for the Protection of Personal Data (LGPD)
·        Canada - Personal Information Protection and Electronic Documents Act (PIPEDA)
·        United Kingdom - Data Protection Act 2018
·        Singapore - The Personal Data Protection Act (PDPA)
·        Australia - Privacy Act 1988
·        Japan - Act on the Protection of Personal Information

Intellectual Property – To be competitive in their industry, some organizations create intellectual property (IP) that sets them apart from their competitors. This information should also be identified and classified so that all stakeholders understand how to handle and share it based on organizationally defined criteria. Consider the following common IP categories:

·        Scientific or technical information created by the organization
·        Software or applications developed by the organization
·        Marketing strategies
·        Business strategies
·        Research and development information or specifications
·        The recipes for successful food and beverage items
·        Architectural or engineering diagrams 
·        Proofs of concept or models
·        Copyright, trademark or patent information

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


How should information and assets be protected?

To meet basic information security and cybersecurity requirements, the organization should develop a strategy and a plan to assess risk in areas that might require additional protection measures. This is accomplished by completing a risk assessment. There are various approaches to assessing information security risk, including the following:

·        Vulnerability Assessment
·        Physical Security Assessment
·        Penetration Assessment
·        Regulatory Compliance Assessment

Organizations can also adopt frameworks that provide a structured approach to addressing the vulnerabilities and threats they face. Compliance assessments against these frameworks help the organization understand its cyber hygiene and make the improvements needed to mature its posture. Here are some common frameworks used by organizations to mature their compliance posture and/or cyber hygiene:

·        NIST Risk Management Framework – NIST SP 800-37
·        NIST Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations – NIST SP 800-171
·        Cybersecurity Maturity Model Certification (CMMC)
·        ISO/IEC 27001 - Information Security Management System (ISMS)
·        Control Objectives for Information and Related Technologies (COBIT)
·        Payment Card Industry Data Security Standard (PCI DSS)
·        Committee of Sponsoring Organizations of the Treadway Commission (COSO)
·        The Open Group Architecture Framework (TOGAF)
·        Information Technology Infrastructure Library (ITIL)
·        FDIC - Risk Management Manual of Examination Policies

Many of the above frameworks have their own set of controls that complement other processes or frameworks, and organizations that must comply with more than one standard may be required to implement several of them. Common control categories include, but are not limited to:

·        Identity Management
·        Physical Security
·        Change Management
·        Software Assurance
·        Security Engineering
·        Vulnerability Management
·        Business Continuity Management
·        Confidentiality
·        Integrity
·        Availability
·        Access Management
·        Vendor Management

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


What now?

The purpose of explaining the relevance of information security and cybersecurity is to educate the audience on the importance of protecting their business from unnecessary risk. To accomplish this, the organization must understand its most critical data and information, and the business processes that allow it to be productive and competitive in its industry.

More requirements are being levied on businesses to demonstrate mature cyber hygiene in order to do business with the government or establish relationships with other businesses.

Murray Security Services is an experienced security company that can help you solve basic or complex information security or cybersecurity problems. We provide consulting and training in multiple industries worldwide. Please contact us to set up an appointment to speak with one of our many professionals!

Let's Talk

Phone: 1-719-645-8504

Fax: 1-800-375-8167

Visit Us

455 Pikes Peak Ave, Suite 306

Colorado Springs, CO

Email

info@murraysecurityservices.com