Information security is often thought of as a computer technician or network administrator protecting computers with anti-virus software and some sort of network firewall. However, there is much more to information security than technical staff and software. New malicious code, worms, and distributed denial-of-service attacks are appearing in cyberspace at a faster rate than ever before.
Senior-level executives are realizing there is more to information security than a computer technician installing anti-virus software. Companies must deal with the internal threat, such as the disgruntled employee; they must establish fundamental security policies; and they must have a disaster recovery plan in place to be prepared for the worst.
All information security programs start with the CIA triad. The CIA triad refers to the Confidentiality, Integrity, and Availability of data.
“Confidentiality” means the assets of a computing system are accessible only by authorized parties.
“Integrity” means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.
“Availability” means that assets are accessible to authorized parties. An authorized party should not be prevented from accessing objects to which he, she, or it has a legitimate access need. For example, a security system could preserve perfect confidentiality by preventing everyone from reading a particular object; however, such a system does not meet the requirement of availability for proper access.
Availability is often discussed in terms of its opposite, “denial of service”. Along with the fundamental basis of the CIA triad, a security program must start with the proper policies and must gather input from all senior leadership within an organization.
There are four overarching components to performing a successful IT Data Risk Assessment/Audit. The first is data classification. The second is management controls, concentrating on controls that management is directly responsible for. The third is operational controls, which cover the day-to-day operation of systems and are the controls a human is most likely to perform or act on. The fourth is technical controls, which are usually applied automatically by computer systems.
Each of the subsets beneath the four overarching components above can be further broken down in terms of what a Y&L Cyber Security Analyst will be auditing. For example, here are the different elements that would be reviewed under “Operational Controls”:
Members of the Y&L Cyber Security practice and our Chief Security Officer (CSO) hold certificates in the following and have experience managing cyber security initiatives for a variety of Texas State Government Agencies: