Security Failure
Business Issues
Understanding security risk and strategy in the Telecommunications, Media and Entertainment sectors
8/14/2019
Security failure is defined differently from business to business, and from person to person, depending on viewpoint and experience. Security itself also varies in scope and definition and may be drawn very broadly or very narrowly. Whatever the definition, any failure to consider, defend against or mitigate an attack or risk incident can be regarded as a security flaw, irrespective of whether a loss actually follows. The stark reality is that security failure remains a very common occurrence in many businesses because they lack a holistic perspective on security management.
Security is commonly considered applicable to the following business areas:

- Information: all types of information, but especially customer and market-sensitive business data, in whatever form it appears (electronic, printed, etc.).
- Information Technology/Systems, Network and other Operational Technologies: commonly allied to Information Security as the means by which data is processed and stored, and critical to the operation of the business.
- Physical infrastructure components: office buildings, network sites, data centres and other constructions or sites hosting the technologies and people within the business.
- People: employees, customers and suppliers. Surprisingly often not the first consideration in terms of risk or protection, but essential to protecting operations and the good name of the business.
- Suppliers and/or business partners: although some employ decent security policies and practices, these are often not reflected in the operations of key suppliers or partners.
- Business Continuity Planning: incorporating mitigation, disaster recovery and incident management practices.
The issues
Good security protects assets, revenues, reputation and people, and provides for a sustainable business. However, because opinions and approaches to security differ, a fragmented security regime can easily develop, especially where security is not coordinated across business divisions or operations. An example may help illustrate this point:
A Communications Service Provider (CSP) operating across major cities in Europe was focussed especially on the corporate customer sector. Its security budget was allocated to each division head, with no coordination across divisions. One city of operations was subject to periodic terrorist attacks, in particular the bombing of key infrastructure components and business operations in order to damage the economy. To protect service to customers, the head of networks decided to encase a key switching centre in a robust metal room within the building, effectively shielding the equipment from blasts. On the floor above, in the same building, sat the billing system (together with other important billing and operational support systems), but the head of IT decided that the IT security budget would be diverted to other projects.
Analysing the exposure to a bomb targeting the communications facilities: the network would still be able to function (probably after some damage repair) and service to customers would resume after a very short downtime, if any. The billing system, however, would probably be totally destroyed, and the recovery plan relied solely on the vendor installing a new system, which would take between 4 and 6 months. Unfortunately, the network usage data could only be retained for up to 2 weeks, so usage generated beyond that window, for the remaining months of the rebuild, could never be rated or invoiced. A significant revenue loss would therefore be likely in the event of a targeted bombing.
Business Assurance | Revenue Assurance | Fraud Management | Receivables Management
This illustration of security risk is not as uncommon as one might think, and when the principle it illustrates is applied to other areas of security, the issues become even more significant.

Many issues arise from the poor operation of security controls that are in place, i.e. the human factor. Any security defence is only as strong as its weakest link, and all too often that link is our people. Security practices are often perceived as a hindrance, and so many people will passively or deliberately not comply, without seeing the bigger picture and the damage that can be done.
What are the common problems leading to security exposure?
Information Security is probably one of the most commonly addressed areas of risk, but in practice there is much room for improvement in many organisations. Driven by the need to protect certain types of data under regulation (e.g. personal data protection laws), by the highly competitive nature of some markets, and by the increasing dependence on IT systems for business operations, Information Security usually draws the most attention. In reality, however, this responsibility tends to be placed with IT teams, when IT is actually just one facet of Information Security. The basic issues are often not addressed, and sensitive information may be exposed through other, non-technical means. For example: the head of marketing whose copy of the company's new strategy document was taken from his desk while the office was unlocked; the early release of market-sensitive business performance data by a disgruntled employee who was able to lay hands on a print-out left on a photocopier; the sale of VIP addresses and personal details obtained from forms or returned bills stored in non-secure facilities; or the non-secure disposal of waste paper, a fraudster's dream.
IT and Network Security has a strong element of Information Security embedded within it, but the more fundamental logical, physical and people security concerns should also be considered as part of an overall plan. Even where a system does not host or process data that would be considered sensitive, its security failure can still result in lost revenue or increased cost. For example, internal fraud is a very common problem and every CSP will suffer from it to some extent (in one operation in Asia, 11% of revenue was lost to internal fraud). Many such frauds are facilitated by poor security.
How do you know if you have a problem?
The range of security issues is broad, so the nature of the problems will reflect that. There will always be specific incidents that bring security failure to the attention of management; however, it is the security failure that remains undetected that causes the most concern. Apart from responding to incidents, the only real way to identify security risk is to be proactive and assess risk throughout the business.
Managing the problem
Security failure can arise from any aspect of the operations. Incidents might be man-made or natural in origin, and may result from deliberate, planned attack or from opportunist activity. It is impossible to prevent all security failure, but focussing on the key risk mitigation, management and prevention (deterrence) measures for the risks that matter most will help maintain a cost-effective and pragmatic security risk management approach.
Incorporating security into a Business Assurance strategy is essential. The cost of security will be outweighed many times over by the cost of a security failure, which may lead to business-critical exposure. To be effective, however, security must be coordinated across the business, with sensible judgements made to balance risk against cost, customer experience and the protection of people. Any security policy should be augmented by guidelines on how to apply the policy in practice; without these, application will be varied and often weak. Policy and guidelines should in turn be supported by awareness activity to maintain a focus on security throughout the operations and keep people motivated to play their part in good security practice.
Security risks will arise through partnering with suppliers or other businesses; it is imperative to protect your interests by ensuring good security practices with partners.
ISO 27001 (ISO/IEC 27001:2005) is the international standard for an Information Security Management System (ISMS) and might be considered as a target for operations. Note that the 2005 edition referenced here has since been superseded, by ISO/IEC 27001:2013 and then by ISO/IEC 27001:2022, so a programme targeting the standard should work to the current edition.
Contact us to discuss building a security strategy or plan, or to discuss other areas of interest.

[Figure: The Business Assurance Cycle may be applied to Security practice as with any other Business Assurance domain.]