
Cyber Security


Information security is often thought of as a computer technician or network administrator protecting computers with anti-virus software and some sort of network firewall. However, there is much more to information security than the technical staff and their software. New malicious code, worms, and distributed denial of service attacks are appearing in cyberspace faster than ever before.

Senior-level executives are realizing there is more to information security than a computer technician installing anti-virus software. Companies must deal with the internal threat (the disgruntled employee), address fundamental security policies, and have a disaster recovery plan in place to be prepared for the worst.

AN INFORMATION SECURITY PROGRAM

All information security programs start with the CIA triad. The CIA triad refers to the Confidentiality, Integrity and Availability of data.

“Confidentiality” means the assets of a computing system are accessible only by authorized parties.

“Integrity” means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.

“Availability” means that assets are accessible to authorized parties. An authorized party should not be prevented from accessing objects to which he, she, or it has a legitimate need for access. For example, a security system could preserve perfect confidentiality by preventing everyone from reading a particular object. However, such a system does not meet the requirement of availability for proper access.

The opposite of availability is “denial of service”. Beyond the fundamental basis of the CIA triad, a security program must start with the proper policies and must gather input from all senior leadership within an organization.


COMPONENTS OF AN IT DATA RISK ASSESSMENT/AUDIT

There are four overarching components to performing a successful IT Data Risk Assessment/Audit. The first is data classification. The second is management controls, concentrating on the controls that management is directly responsible for. The third is operational controls, which cover the day-to-day operation of systems and are the controls a human is most likely to perform or act on. The fourth is technical controls, which are usually applied automatically by the computer systems themselves.

Data Classification

  • CIA Triad:  Confidentiality, Integrity, Availability

Management Controls

  • Risk Management
  • Review of Security Controls
  • Life Cycle Enforcement
  • Disaster Recovery/Business Continuity Planning

Operational Controls

  • Personnel Security
  • Physical Security
  • Documentation
  • Security Awareness/Training
  • Incident Management

Technical Controls

  • Identification and Authentication
  • Logical Access Control
  • Audit Trails, Monitoring and Logging

Each of the subsets beneath the four overarching components above can be further broken down in terms of what a Y&L Cyber Security Analyst will be auditing. For example, here are the different elements that would be reviewed under “Operational Controls”:

[Figure: operation-controls]

Y&L CYBER SECURITY CERTIFICATIONS

Members of the Y&L Cyber Security practice and our Chief Security Officer (CSO) hold certificates in the following and have experience managing cyber security initiatives for a variety of Texas State Government Agencies:

  • Certified Information Systems Security Professional (CISSP)
  • GIAC Security Leadership (GSLC)
  • GIAC Security Essentials (GSEC)

Schedule an Assessment

Let us show you how Y&L can increase ROI, boost sales, and improve service.
