Information_Security

2013-11-13

Quantitative Information Security and Risk Assessment Model using ISO 27001:2005

Abstract

IT security incidents pose a major threat to the efficient execution of corporate strategies. This paper presents a new approach that supports decision makers in interactively defining the optimal set of security controls according to ISO 27001. The information security model provides a transparent representation of the status of an organisation’s Information Security Management System: it uses a scoring level based on the eleven domains of ISO/IEC 27001:2005 and performs benchmarking against a globally accepted standard. As a maturity model, it provides an architecture model applicable at any security maturity level (Level 1 to 5) and to an organization of any size. Our maturity level scoring tool is easy for top-level management to understand. Benchmarking helps top-level management understand what is accepted as good industry practice, and at which level they stand with regard to those practices. In our model we have prepared a questionnaire which is presented to managers; based on their answers an evaluation is performed, the managers are shown the maturity level to which their organization belongs, and benchmarking is performed for their organization and presented in graphical format. Since our model quantifies the risks associated with the information security management system, it becomes very easy for a manager to understand the entire scenario without going through a detailed analysis. The information security model has been implemented using J2EE, JFreeChart and MySQL.

Introduction

Information is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Information can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the information takes, or whatever means by which it is shared or stored, it should always be appropriately protected. Information security is the protection of information from a wide range of threats in order to minimize business risk, maximize return on investment, and ensure business continuity and business opportunities. With the migration towards an interconnected business environment, achieving information security becomes more important. Security risks associated with information technology have become increasingly significant. As corporations rely ever more on technology to run their businesses, security is becoming a major concern rather than an afterthought. Information security achieved through technical means alone is limited, and must be supported by appropriate management processes. Keeping this in mind, we have prepared a maturity model which provides a framework to implement, maintain, monitor, and improve information security in a way that is consistent with the organizational culture.

Need for information security

Organizations and their information systems and networks face security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Causes of damage such as malicious code, computer hacking, and denial of service attacks have become more common, more ambitious, and increasingly sophisticated. Information security is important to both public and private sector businesses, and to the protection of critical infrastructures. In both sectors, information security functions as an enabler, e.g. to achieve e-government or e-business, and to avoid or reduce the relevant risks. The interconnection of public and private networks and the sharing of information resources increase the difficulty of achieving access control. The trend towards distributed computing has also weakened the effectiveness of central, specialist control. Many information systems have not been designed to be secure.

Case study: The SONY incident

What happened?

The first incident occurred on 26 April 2011, when SONY announced that personal information had been compromised on its Internet service delivery networks, the PlayStation Network (PSN) and the image and music distribution service Qriocity. A total of 77 million users had personal information such as user name, ID and online password stolen. A week later, on 2 May 2011, a second security breach happened on a different SONY network. This time the target was the SONY Online Entertainment (SOE) network, and the compromised figure hit 24.6 million users, of whom 12.3 million had their credit card information stolen. Shortly after, a third incident involving the loss of 2,500 users' names and addresses took place, the source of the leak being the electronics arm of SONY. Three security breaches in three weeks, which together amounted to an unprecedented figure of more than 100 million users having their personal information stolen. This was undoubtedly a world record of sorts in the history of data loss incidents. More importantly, the nature of the incidents, all of which involved the loss of confidential user information, showed that the stakes associated with security breaches had become ever higher.

Why did it happen?

Being one of the largest electronic appliance companies, as well as the most popular online gaming provider in the world, many believed that SONY would have implemented the highest levels of security policy and compliance in order to secure the massive database of sensitive data under its care. However, the latest slew of security incidents led people to begin doubting the information management systems deployed by SONY and resulted in criticism from detractors and supporters alike. In particular, the company's acknowledgment that the third security breach was due to human error on the part of SONY's system management team cast even greater doubt on the efficacy of SONY's existing processes and procedures for dealing with IT security issues.

From the above case study we understand that achieving information security is not an easy task. Even a giant company in its own field is not secure from threats from the outside world. The security that can be achieved through technical means is limited, and should be supported by appropriate management and procedures. Identifying which controls should be in place requires careful planning and attention to detail. Information security management requires, as a minimum, participation by all employees in the organization. It may also require participation from shareholders, suppliers, third parties, customers or other external parties. Specialist advice from outside organizations may also be needed.

How ISO 27001:2005 helps in achieving information security

This International Standard establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined in this International Standard provide general guidance on the commonly accepted goals of information security management. The control objectives and controls of this International Standard are intended to be implemented to meet the requirements identified by a risk assessment. This International Standard may serve as a practical guideline for developing organizational security standards and effective security management practices, and helps build confidence in inter-organizational activities. Risk assessments should identify, quantify, and prioritize risks against criteria for risk acceptance and objectives relevant to the organization. The results should guide and determine the appropriate management action and priorities for managing information security risks and for implementing the controls selected to protect against these risks. The process of assessing risks and selecting controls may need to be performed a number of times to cover different parts of the organization or individual information systems.

How we have used ISO 27001:2005 in our model

In our model, our main aim is to quantify the risk related to information security. For that we have made a questionnaire based on the 11 domains of ISO 27001, which are:

1. Security Policy
2. Organizing Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance

Not all the domains of ISO 27001 are required for every organization. Some domains are critical and some are non-critical. To provide more transparency we have made the questionnaire adaptive. Each domain contains some security categories, and each main security category contains: a) a control objective stating what is to be achieved; and b) one or more controls that can be applied to achieve the control objective.

Maturity level evaluation

There are 39 control objectives and 132 controls in ISO 27001:2005. We have prepared questions on each control, most of them with 5 options, and the questions are coded onto a website in a user-friendly format. The questions are presented to the manager, who is asked for a response. Based upon the response we apply a scoring level to each question. We have assigned marks to each option provided in the questions; the sum of the marks for all questions is the achievable score, while the manager's answers give the total score that his company has scored. The sum total of the marks decides the maturity of the organization in the following way: if(totalmarks(achievable/5))&&(totalmarks
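The scoring model described above, as an added example (this is not the paper's J2EE tool): a small Python scorer run over a constructed questionnaire. It assumes that the five maturity levels are equal fifths of the achievable score, that an unanswered question in a critical domain scores zero, and that a non-critical domain with no answers is treated as not applicable and excluded from the achievable score; the control ids follow ISO 27001:2005 Annex A numbering, while the option marks and the manager's answers are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Question:
    control: str            # ISO 27001:2005 Annex A control id
    option_marks: tuple     # marks per answer option (constructed: 0 = absent .. 4 = fully in place)

@dataclass
class Domain:
    name: str
    critical: bool          # non-critical domains may be skipped by the adaptive questionnaire
    questions: list = field(default_factory=list)

def maturity_level(total, achievable):
    """Assumed mapping: split the achievable score into five equal bands of
    achievable/5 and report the band the total falls into as Level 1..5."""
    if achievable <= 0:
        raise ValueError("no applicable questions to score")
    level = int(total // (achievable / 5)) + 1
    return max(1, min(5, level))       # a perfect score lands in band 6; clamp to Level 5

def evaluate(domains, answers):
    """answers maps control id -> index of the option the manager chose.
    Returns total and achievable marks, the maturity level and a per-domain
    percentage that a benchmarking chart can plot."""
    total = achievable = 0
    per_domain = {}
    for d in domains:
        answered = [q for q in d.questions if q.control in answers]
        if not answered and not d.critical:
            continue                   # adaptive: domain not applicable, excluded from achievable
        d_ach = sum(max(q.option_marks) for q in d.questions)
        d_tot = sum(q.option_marks[answers[q.control]] for q in answered)  # unanswered critical = 0
        per_domain[d.name] = round(100 * d_tot / d_ach, 1)
        total += d_tot
        achievable += d_ach
    return {"total": total, "achievable": achievable,
            "level": maturity_level(total, achievable), "per_domain_pct": per_domain}

FIVE = (0, 1, 2, 3, 4)   # constructed marks for a 5-option question
SAMPLE_DOMAINS = [
    Domain("Security Policy", True, [Question("A.5.1.1", FIVE), Question("A.5.1.2", FIVE)]),
    Domain("Access Control", True, [Question("A.11.2.1", FIVE), Question("A.11.3.1", FIVE),
                                    Question("A.11.5.2", FIVE)]),
    Domain("Business Continuity Management", False, [Question("A.14.1.1", FIVE)]),
]
# constructed answers; A.11.5.2 is left unanswered and the non-critical BCM domain is skipped
SAMPLE_ANSWERS = {"A.5.1.1": 4, "A.5.1.2": 2, "A.11.2.1": 3, "A.11.3.1": 1}

if __name__ == "__main__":
    print(evaluate(SAMPLE_DOMAINS, SAMPLE_ANSWERS))
```

With the sample answers the organization scores 10 of an achievable 20, which places it at Level 3; the per-domain percentages (75.0 for Security Policy, 33.3 for Access Control) are what the benchmarking view would chart against industry practice.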