Contributors - CyberSecurity Malaysia

More documents

Recommendations

Info

34.Improving OrganizationalSustainability through InformationSecurityIntroductionOrganizational sustainabilityThe increased usage of ICT in doing businesses and growingoutsourcing services has changed business requirementsand the way of doing business; thus makes it a more riskyplace. The driving force to success in businesses andachieve sustainability by making the right decision throughhaving the right information at the right time.As the economy moves faster to the global economy, itis imperative for organizations to pay attention on howto protect from and survive a disaster. This does not onlyallow them to grow but also achieve sustainability throughtasks and controls implemented outlined in businesscontinuity.Information security and business continuity are two areasthat have been in board agenda in many organizations forthe past few years. Given recent high profile events in boththe private and public sector, information security hasnever been higher on the board agenda. Reputation, trustand brand value can all be seriously affected by informationloss and theft.As for business continuity, it provides the mechanismwhereby an organization able to continue to operate itscritical business functions in the event of disasters; be itICT or natural disasters by invoking planned procedures.It has been increasingly important for every organizationto have a strategy to transform organisation to becomesustainable and resilient.Both; matters for business survival.Achieving information securityInformation security is achieved by preserving the threemost significant properties, confidentiality, integrity andavailability. Different organizations emphasize differentinformation property in setting their priority. For military,confidentiality is their top priority.They cannot afford to disclose any sorts of information; beit accidentally or otherwise. As for financial institutions,availability means a lot to these organizations. A fiveminuteoutage could cause millions to them! In thehealthcare industry, it could mean loss of lives whenintegrity of the information systems was compromised forwhatever reason.Often many associate sustainability with financial oreconomic aspect, but it can also interpreted in a moreholistic conception including social, cultural, technological,legal, political and organizational aspects. In the contextof organizational aspect, many organizations contend toremain operable and remain in the business for a long time.For organisations to achieve this sustainability, a solidprogram within the organizations needs to be establishedin meeting this goal. The interconnected systems in today’strend of doing business stimulate more opportunities ofdoing business anytime and anywhere. Ironically, it alsoprovides a platform for intruders with illegal activitiesfor financial gain by exploiting weaknesses organsationsmight have within their systems. In other words, borderlessbusiness environment has become riskier when systemsthe organizations are operating in are not secure as theyshould be.Effective security is not a technology problem, but it is abusiness issue. For many countries, healthcare industryhas been privatized to increase efficiency in servicesdelivery. Due to this, sustainability of organizations inthis industry depends very much on services it provides.Customer satisfaction measures from hospitality, efficientservices and information protection. High dependencieson ICT require more controls to be in place in assuringinformation are accessible at all times. Patients informationneed to be critically protected against loss of patientsrecords that could subsequently mean; absence of knowingallergies, prescription, life-threatening diseases and otherinformation required by doctors in treating patients. Justimagine when someone hacks into a hospital system andchange the prescription!In many developed countries, the enforcement of actsor regulations in data protection, has significantlysafeguard patient and other medical data. HIPAA (HealthInsurance Portability and Accountability Act) in US made itsrequirement where data shall not only be protected fromtheft and disclosure, but also from data loss. Organisationalsustainability is not only affected by the monetary fine,but very much towards image and reputation. Securitybreaches may cause monetary loss in short term, but lossof confidence to patients could lead to further losses whenpatients began to shy away.In similar context, failure to implement reasonable policiesand procedures in disposing securely crucial information
has caused a US$2.25 million fine to the largest retailpharmacy chain in the US, violations to the HIPAA thatcarried headlines in the nation earlier this year. The incidentreported by the media in 2006 where these pharmacieshad dumped thrash that exposed critical informationincluding details of patients, physicians, medicationinstructions, consumers, credit card and insurance cardinformation. Not only fine, the chain was also requestedby the enforcement to provide security programmes andensure its effectiveness for the next 20 years.People do businesses in borderless environment whererisks are obvious. As such, cyber threats have becomeone of most serious and national security challengesfor a nation. Failure to protect information as it is beingtransmitted in cyber world can create huge adverseimpact to organizations and the country in total. This isvery much reflected in any Critical National InformationInfrastructure of any countries where failure in protectingone organization may cause a cascading effect to otherorganisations due to interdependencies that exist amongstthem. This causes service disruptions that can createloss not only in monetary form but also a public outcryas happened once in Malaysia a few years back when oneof the public light rail transit services went down due topower failure.Whether we realize it or not, impact of security breacheswill be as huge as capable to bring down a power grid. TheSupervisory Control and Data Acquisition (SCADA) systemsare frequently used to control sensitive equipment power,water and gas sectors in which the information can bemanipulated if they were not protected. Not only causingpower blackout, but also constituting dangers to peopleand environment. In one of the classic incident of SCADAback in 2003, “Blaster Worm” virus managed to get hookedinto the SCADA system for power grid in the northeast ofUS that caused blackout. In Malaysia itself, the spread ofthe virus has caused us as much as RM31million that took2 months to eradicate.SCADA can also vulnerable to disgruntled employees ormalicious hackers who will exploit security weaknessesin information systems. In an incident in the US, afterbeing turned down for a permanent position in an oiland gas company, an IT consultant purposely tamperedwith the computer systems. When this happen, integrityand confidentiality of the systems and information can bequestionable.Getting assurance through ISMSIncidents highlighted earlier can simply cause businessdisruptions; consequently impact the image, reputation,confidence as well as monetary. Thus, informationsecurity controls have to be in place to prevent securitybreaches coupled with business continuity plan toensure organizations remain in business for long. Manyorganizations are moving towards complying withInformation Security Management Systems (ISMS) ISO27001:2005 as an approach to assure the main informationproperties are preserved. Complying and certifying againstthis standard provides confidence to stakeholders andbusiness opportunities to grow knowing the informationsecurity related risks are well taken care since it is a riskbasedapproach.ISMS implementation is capable in increasing predictabilityand reducing uncertainty of business operations bylowering information security-related risks to definableand acceptable levels. Controls of 11 security domainsprovided by the standard reflect the holistic approachfor organizations to equip themselves in securing theirbusiness environment. Business continuity plan is one ofthe domains to ensure necessary tasks and procedureswere in place to allow continuity in the event of servicedisruption. For top management, compliance andcertification to the standard allows information security isachieved in a controlled manner.ConclusionManaging information security is not just having anti-virusor audit controls in place; it is more than that. It requirestop management commitment as at the end of the day,the adverse impact resulting from information securitybreaches will fall back on them.Thus, top management has great responsibilities inprotecting their stakeholders’ interest and for the businessto stay relevant in their industry. They must recognize thatsecuring information in not just an investment, but it isessential for organizations to survive and even better increate a competitive advantage. •References[1] Paul Williams, Andersen, “Information SecurityGovernance”, Information Security Technical Report,Vol 6, No. 3 (2001) 60-70[2] Linda Tucci, “FTC pursuing HIPAA violations as amatter of consumer Protection”, SearchCompliance.com, Sep 2009[3] Goodin, Dan, “(Former) IT consultant confessesto SCADA tampering”, http://www.theregister.co.uk/2009/09/24/scada_tampering_guilty_plea/,Sep 2009[4] Lim Mi-jin, Kim Jeen-kyun, “Digital dangersin a wired world”, JoonAng Daily, Dec 2009,http://joongangdaily.joins.com/article/view.asp?aid=291393335.e-Security | CyberSecurity Malaysia | Volume 21 - (Q4/2009)
Page 1: Volume 21 - (Q4/2009)“Companies s
Page 4 and 5: 4.MyCERT 4th Quarter 2009 SummaryRe
Page 6 and 7: 6.USB PortA culprit to ICT Security
Page 8 and 9: 8.Specific device setup classes can
Page 10 and 11: 10.ConclusionReferencesUSB removabl
Page 12 and 13: 12.Figure 9: Interpreting “Active
Page 14 and 15: 14.7. A list of time zone propertie
Page 16 and 17: 16.allowing you to specify which da
Page 18: 18.Guide to Motion Compensation (Ph
Page 21 and 22: Graph 1 shows all the satisfied poi
Page 23 and 24: CyberdatingHow to Have Funbut Stay
Page 25 and 26: find them. If anything goes wrong,
Page 27 and 28: 27.What could be the threats to ena
Page 29 and 30: 29.InternetRadio Frequency Identifi
Page 31 and 32: Common Criteria andNational Cyber S
Page 33: 33.Case Study: US Government Direct
Page 37 and 38: 37.lewat sampai pada penerima ataup
Page 39 and 40: For instance TM, Malaysia’s large

Contributors - CyberSecurity Malaysia

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?