Security through a hygiene lens
by Marise Alphonso, Information Security Lead at Infoxchange
This article originally appeared in Women in Security Magazine, March/April 2021. You can subscribe to the magazine for free at womeninsecuritymagazine.com.
The advice from local and international authorities for protecting ourselves and others from coronavirus (COVID-19) is all about washing or sanitising our hands, physical distancing, wearing masks, self isolation, quarantine, signing in at locations we visit, and cleaning our workplaces and other common areas.
The requirements for maintaining the security of data and IT systems in organisations are in some ways similar to these hygiene practices. The asset at stake is data in one case and human life in the other. We can draw parallels with how we have been guided to do our part to stop the spread of the coronavirus. Defence-in-depth equates to mask wearing, hand washing and the other practices listed above. Least privilege equates to leaving your home only for specific reasons when restrictions are in place, or isolating if you have symptoms.
“It should come as no surprise that the hygiene practices we apply in the physical world have parallels in the digital world”
Security is not a state, but a process (Cyber Leadership, Mansur Hasib, p2), with risk management at its core. Organisations must reassess their level of risk regularly in light of changes in the internal and external factors that influence their security posture. Risk scenarios promote discussion around events that could compromise the security of an organisation. Standards and frameworks such as ISO/IEC 27001 and the NIST Cybersecurity Framework (CSF) detail multiple security measures that can be applied to people, processes and technology.
Similarly, risk assessments have been performed in workplaces across Australia based on COVID-19 government advice, and COVID-Safe workplans have been developed and implemented to keep employees and customers safe.
For example, one measure to create a COVID-safe workplace is the requirement for visitors to a location to register their contact details so health authorities can conduct contact tracing, protect others and limit the spread of the virus. In the information security realm we maintain an inventory of our assets, in particular organisational data, to understand where it is and how it is protected, and create a baseline for security practices.
A critical initial step in maintaining the confidentiality, integrity and availability of IT systems and information is to identify the key assets that require protection. To this end COBIT (Control Objectives for Information and Related Technologies) may prove useful. COBIT is a framework for the governance and management of enterprise information and technology, developed by ISACA to help businesses develop, organise and implement strategies around information management and governance.
COBIT references components of a governance system and can be used to understand how asset management, as a process, works in an organisation. Its application to specific practices within an organisation will, over time, increase the efficiency and effectiveness of those practices.
An overview of the contribution of COBIT’s components to asset management is outlined here:
- Principles, policies and procedures: documented information outlining practices and activities for managing technology assets and information.
- Organisational structures: roles and responsibilities allocated to ownership and administration of assets.
- Processes: the business processes that depend on key assets, and those that key assets depend on.
- Information: details recorded about assets that facilitate their lifecycle management.
- Services, infrastructure and applications: asset management systems or repositories.
- People, skills and competencies: staff awareness and training on asset management practices.
- Culture, ethics and behaviour: information security is a part of the operational practices of the organisation.
By applying the COBIT framework an organisation should be able to: identify and understand the assets to which information security hygiene practices are applicable; perform risk assessments linked to those assets; and apply protection measures using defence-in-depth, least privilege and separation of duties.
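As an added illustration of the three steps above (this is example code written for this page, not something from the article, COBIT or ISACA), the check below runs over a small constructed asset register and reports where the baseline is not met. The classification tiers, the control names mapped to each tier, the owner/custodian fields and the three-administrator threshold are all assumptions chosen for the example; an organisation would substitute its own classification scheme and baseline.

```python
"""Asset register hygiene check (added example; not from the article).

The register entries, classification tiers and baseline controls below are
constructed for illustration and are assumptions, not a COBIT artefact.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Assumed baseline controls per classification. Higher tiers include lower ones,
# so a restricted asset must carry every control listed for it.
BASELINE: Dict[str, Set[str]] = {
    "public": set(),
    "internal": {"access_control", "backup"},
    "confidential": {"access_control", "backup", "encryption_at_rest", "mfa"},
    "restricted": {"access_control", "backup", "encryption_at_rest", "mfa",
                   "audit_logging"},
}

# Assumed least-privilege threshold: more administrators than this on
# confidential or restricted data is flagged for review.
MAX_ADMINS = 3


@dataclass
class Asset:
    name: str
    classification: str
    owner: Optional[str]        # accountable business owner (organisational structures)
    custodian: Optional[str]    # team that administers the asset
    location: str               # where the data lives (information component)
    controls: Set[str] = field(default_factory=set)
    admins: Set[str] = field(default_factory=set)


def check_asset(asset: Asset) -> List[str]:
    """Return a list of hygiene findings for one asset (empty list = baseline met)."""
    findings: List[str] = []
    if asset.classification not in BASELINE:
        # Cannot assess risk without knowing the tier; report and stop.
        findings.append(f"unknown classification '{asset.classification}'")
        return findings
    if not asset.owner:
        findings.append("no owner assigned")
    if not asset.custodian:
        findings.append("no custodian assigned")
    # Defence-in-depth: every control required for the tier must be present.
    for control in sorted(BASELINE[asset.classification] - asset.controls):
        findings.append(f"missing baseline control: {control}")
    # Separation of duties: the accountable owner should not also administer.
    if asset.owner and asset.owner == asset.custodian:
        findings.append("owner is also custodian")
    # Least privilege: limit standing administrative access to sensitive data.
    if asset.classification in ("confidential", "restricted") and len(asset.admins) > MAX_ADMINS:
        findings.append(f"too many administrators ({len(asset.admins)} > {MAX_ADMINS})")
    return findings


def check_register(assets: List[Asset]) -> Dict[str, List[str]]:
    """Run check_asset over a whole register, keyed by asset name."""
    return {a.name: check_asset(a) for a in assets}


# Constructed sample register (not real systems).
SAMPLE_REGISTER = [
    Asset("client-records-db", "restricted", "Service Delivery Manager", "DBA team",
          "on-prem SQL cluster",
          controls={"access_control", "backup", "mfa"},
          admins={"ann", "bob", "cal", "dee", "eve"}),
    Asset("intranet-wiki", "internal", None, "IT Operations", "SaaS wiki",
          controls={"access_control", "backup"}, admins={"ann"}),
    Asset("public-website", "public", "Comms team", "Comms team", "CDN",
          controls=set(), admins={"cal"}),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

Running it lists, per asset, the missing controls, the missing owner, the owner acting as custodian, and the oversized administrator group, which is exactly the gap list a risk assessment would be scoped against. Adding a new classification tier or a new control is a one-line change to BASELINE, so the baseline evolves with the organisation's risk assessments rather than living only in a policy document.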
As we move more of our lives and organisational activities into the digital world, the physical and virtual worlds begin to merge. So it should come as no surprise that the hygiene practices we apply in the physical world have parallels in the digital world.