Any external responsibility for an organization’s security lies mainly with which individuals?

Insider Risks and Threats to Intangible Assets

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Information asset protection professionals frequently use the 20-60-20 rule to characterize insider threats. According to this rule, approximately 20% of employees are inherently honest and possess consistently high levels of personal and professional integrity; 20% of employees reside on the opposite end of the spectrum and are likely inherently dishonest and unethical individuals who possess little, if any, sense of professional and personal integrity or loyalty; and within the middle 60% lie employees who do not demonstrate a particular receptivity or proclivity to engage in dishonest, unethical, or illegal acts but do so based on their interpretation of their employer’s reactions to either of the other employee groups. This chapter describes insider threats and what to look for.

URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000100

Third-Party Risk Management

Timothy Virtue, Justin Rainey, in HCISPP Study Guide, 2015

Assessment and audit support

While requirements for third-party information asset protection controls will vary by covered entity, scope of services and information, and regulatory requirements, they will generally align with the objectives of the covered entity’s information governance and risk management program. Figure 7.1 provides a sample from NIST Special Publication 800-66 Revision 1 of the key administrative, physical, and technical controls and activities required under the HIPAA Security Rule. While all controls may not be required for third parties, it can serve as a guide to assist covered entities with identifying applicable controls, communicating requirements, and monitoring ongoing compliance.

Figure 7.1. Sample of NIST key activities for HIPAA Security Rule.

Security Management Process
Key Activities / Description
Identify relevant information systems

Identify all information systems that house EPHI

Include all hardware and software that are used to collect, store, process, or transmit EPHI

Analyze business functions and verify ownership and control of information system elements as necessary

Conduct risk assessment

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the third party (refer to Chapter 6 for risk assessment methodology)

Implement a risk management program

Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level

Acquire IT systems and services

Although the HIPAA Security Rule does not require purchasing any particular technology, additional hardware, software, or services may be needed to adequately protect information. Considerations for their selection should include the following:

Applicability of the IT solution to the intended environment

The sensitivity of the data

The organization’s security policies, procedures, and standards

Other requirements such as resources available for operation, maintenance, and training

Create and deploy policies and procedures

Implement the decisions concerning the management, operational, and technical controls selected to mitigate identified risks

Create policies that clearly establish roles and responsibilities and assign ultimate responsibility for the implementation of each control to particular individuals or offices

Create procedures to be followed to accomplish particular security-related tasks

Develop and implement a sanction policy

Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the third party

Develop policies and procedures for imposing appropriate sanctions (e.g., reprimand, termination) for noncompliance with the organization’s security policies

Implement sanction policy as cases arise

Develop and deploy the information system activity review process

Implement procedures to regularly review records of information system activity such as audit logs, access reports, and security incident tracking reports

Develop appropriate standard operating procedures

Determine the types of audit trail data and monitoring procedures that will be needed to derive exception reports

Implement the information system activity review and audit process

Activate the necessary review process

Begin auditing and logging activity

Assigned Security Responsibilities
Key Activities / Description
Select a security official to be assigned responsibility for HIPAA security

Identify the individual who has final responsibility for security

Select an individual who is able to assess effective security and to serve as the point of contact for security policy, implementation, and monitoring

Assign and document the individual’s responsibility

Document the assignment of this responsibility to one individual in a job description

Communicate this assigned role to the entire organization

Workforce Security
Key Activities / Description
Implement procedures for authorization and/or supervision

Implement procedures for the authorization and/or supervision of workforce members who work with EPHI or in locations where it might be accessed

Establish clear job descriptions and responsibilities

Define roles and responsibilities for all job functions

Assign appropriate levels of security oversight, training, and access

Identify in writing who has the business need – and who has been granted permission – to view, alter, retrieve, and store EPHI, and at what times, under what circumstances, and for what purposes

Establish criteria and procedures for hiring and assigning tasks

Ensure that staff members have the necessary knowledge, skills, and abilities to fulfill particular roles

Ensure that these requirements are included as part of the personnel hiring process

Establish a workforce clearance procedure

Implement procedures to determine that the access of a workforce member to EPHI is appropriate

Implement appropriate screening of persons who will have access to EPHI

Implement a procedure for obtaining clearance from appropriate offices or individuals where access is provided or terminated

Establish termination procedures

Implement procedures for terminating access to EPHI when the employment of a workforce member ends or as required

Develop a standard set of procedures that should be followed to recover access control devices (e.g., identification badges, access cards)

Deactivate computer access accounts
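The information system activity review process above calls for audit logs and access reports to be reviewed regularly and for exception reports to be derived from them, and the workforce security activities call for a written record of who may view, alter, retrieve, and store EPHI, at what times, and for access to be deactivated at termination. The following is an added example showing how those records can be checked against an audit trail; it is not code from the HCISPP Study Guide or from NIST SP 800-66. The pipe-delimited log format, the `Authorization` schema, and every user, record, and timestamp in it are constructed for illustration.

```python
"""Derive an EPHI access exception report from audit-log lines (added example)."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional

# Constructed sample audit trail (not from any real system or from the book).
# One line per EPHI access: "timestamp | user | action | record".
SAMPLE_LOG = """\
2015-03-02T09:15:00 | jsmith   | view     | PT-1001
2015-03-02T22:40:00 | jsmith   | view     | PT-1002
2015-03-02T10:05:00 | rlee     | alter    | PT-1003
2015-03-03T08:30:00 | tgarcia  | view     | PT-1004
2015-03-03T11:00:00 | unknown9 | retrieve | PT-1005
"""


@dataclass(frozen=True)
class Authorization:
    """Written record of who may do what to EPHI, and when (assumed schema)."""
    role: str
    permitted_actions: FrozenSet[str]
    start: time                                # earliest permitted time of day
    end: time                                  # latest permitted time of day
    terminated_on: Optional[datetime] = None   # access should be gone from here on


# Constructed authorization records standing in for the organization's
# documented access grants and termination clearances.
AUTHORIZATIONS: Dict[str, Authorization] = {
    "jsmith": Authorization("clinician", frozenset({"view", "retrieve"}),
                            time(7), time(19)),
    "rlee": Authorization("billing", frozenset({"view"}), time(8), time(18)),
    "tgarcia": Authorization("clinician",
                             frozenset({"view", "alter", "retrieve", "store"}),
                             time(7), time(19),
                             terminated_on=datetime(2015, 3, 1)),
}


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str
    record: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited audit lines; blank lines are ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, record = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(stamp), user, action, record))
    return events


def classify(event: Event, auths: Dict[str, Authorization]) -> Optional[str]:
    """Return the first policy exception an event triggers, or None if in policy."""
    auth = auths.get(event.user)
    if auth is None:
        return "no_authorization_on_record"
    if auth.terminated_on is not None and event.when >= auth.terminated_on:
        return "access_after_termination"      # account should have been deactivated
    if event.action not in auth.permitted_actions:
        return "action_not_permitted"          # outside the documented grant
    if not (auth.start <= event.when.time() <= auth.end):
        return "outside_authorized_hours"      # outside the documented time window
    return None


def exception_report(text: str, auths: Dict[str, Authorization]) -> List[tuple]:
    """Build the exception report: (user, record, reason) for each out-of-policy event."""
    report = []
    for ev in parse_log(text):
        reason = classify(ev, auths)
        if reason:
            report.append((ev.user, ev.record, reason))
    return report


if __name__ == "__main__":
    for user, record, reason in exception_report(SAMPLE_LOG, AUTHORIZATIONS):
        print(f"{user:10} {record:8} {reason}")
```

Each event is reported with a single reason, checked in the order a reviewer would escalate them: an account with no authorization on record, then an account that should have been deactivated at termination, then an action or time of day outside the documented grant. The constructed sample produces four exceptions and one in-policy access.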

Information Access Management
Key Activities / Description
Isolate healthcare clearinghouse functions

If a healthcare clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the EPHI of the clearinghouse from unauthorized access by the larger organization

Determine if a component of the third party constitutes a healthcare clearinghouse under the HIPAA Security Rule

If no clearinghouse functions exist, document this finding. If it does, ensure implementation of procedures for access consistent with the HIPAA Privacy Rule

Implement policies and procedures for authorizing access

Implement policies and procedures for granting access to EPHI, for example, through access to a workstation, transaction, program, process, or other mechanism

Decide how access will be granted to workforce members within the organization

Select the basis for restricting access

Select an access control method (e.g., identity-based, role-based)

Determine if direct access to EPHI will ever be appropriate for individuals external to the organization (e.g., third parties, subcontractors)

Implement policies and procedures for access establishment and modification

Implement policies and procedures that, based on the organization’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process

Establish standards for granting access

Provide formal authorization from the appropriate authority before granting access to sensitive information

Evaluate existing security measures related to access controls

Evaluate the security features of access controls already in place, or those of any planned for implementation, as appropriate

Determine if these security features involve alignment with other existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and review of audit trails, identification and authorization of users, and physical access controls

Communication of Findings

Findings resulting from completed third-party assessments should be clearly communicated to management at both the covered entity and third party. Treatment decisions and action plans should be agreed between the parties, documented in writing, and formally tracked until remediation has been completed.

URL: https://www.sciencedirect.com/science/article/pii/B9780128020432000070

Distinguishing Intellectual Property and Intangible Assets

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

The Shortest and Least Expensive Path to Success Is Infringement

There is a well-used adage in the asset protection arena that is particularly apropos to intangible asset strategists and information asset protection practitioners: The shortest path to innovation/invention commercialization and monetization does not always lie in incurring the substantial time, resources, and costs associated with conventional (legal, ethical) R&D models. Instead, it lies in illegally acquiring the necessary data, information, intellectual and structural capital, or prototypes from the rightful asset holders and producing the product in an illegal manner, known as product counterfeiting, and inserting the counterfeits in legitimate supply chains globally.

There are important asset preparations that should occur prior to launching any new innovation, product, or service, or handing off intellectual and structural intangible assets to IP/patent counsel. These preparations revolve around ensuring that companies have procedures and practices in place designed specifically to safeguard and monitor the assets’ value and materiality, and to prevent or mitigate risk.

URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000070

Reputation Risks and Their Management

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Slow Access to Needed Information

There is a perception, real or anecdotal, that CAs will limit or otherwise adversely affect the speed and collaborative necessities that come from sharing and disseminating information in a timely manner. Those actually responsible for information asset protection may not find this argument to be particularly credible.

Another relevant but often overlooked reality is that an employee’s existing or future intellectual, structural, and relationship capital are themselves intangible assets, existing either standalone or in collaborative combinations. Therefore, companies may find proactive prudence in, at minimum, revisiting or rewriting and then reexecuting an employee’s CA, rather than assuming its initial one-time execution is a sufficient inhibitor for the duration of the employee’s employment.

New hires, particularly those who have been recruited for possessing specific intellectual and structural capital, presumably to advance a new or existing company initiative or project, should be subject to regular review. Seldom does an employee’s intellectual and structural capital remain stationary relative to its contributory value. In most instances, such intangible (intellectual) assets will likely elevate and expand, that is, their contributory value will heighten, and, as such, become increasingly attractive commodities to economic adversaries globally.

URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000069

New Dimensions for Company Management

Michael D. Moberly, in Safeguarding Intangible Assets, 2014

Information Security and Information Asset Protection

If a “hole” is found in a company’s or its client’s proprietary information “fence,” the job of information security is to patch the hole; but, the job of an information asset protection specialist is, in addition to helping patch the hole, to determine:

What caused the hole in the fence to occur in the first place, and were there precipitating circumstances or triggering factors?

Under what circumstances was the hole in the fence initially discovered?

Who, if anyone, knew the hole in the fence existed before it was discovered, but did not report it?

How long did the hole in the fence exist before it was discovered?

What information assets moved through the hole in the fence before it was discovered and patched?

Is there evidence that the information-based assets that moved through the hole in the fence before it was discovered and patched were specifically targeted or merely arbitrarily acquired?

How much economic hemorrhaging or impairment to asset value, materiality, competitive advantage, brand, reputation, ownership, trade secrecy, and strategic planning occurred as a result of information assets moving through the hole in the fence?

Is it known who the recipients of the information assets that moved through the hole in the fence are, before it was discovered and patched?

How will the recipients likely use or exploit those information assets?

The responsibilities of information asset protection specialists are now cross-functional and converge with risk management, human resources, IT security, intellectual property counsel, audits, valuation, R&D, reputation risk, and brand integrity, among others.

To mitigate adverse effects of information asset losses, an important key is to collaborate with information security with a singular objective: to preserve control, use, and ownership, and monitor the value and materiality of a company’s information-based assets (Brenner).

URL: https://www.sciencedirect.com/science/article/pii/B9780128005163000045

Information Security and Counterintelligence

Kevin E. Peterson, in The Professional Protection Officer, 2010

The Role of the Professional Protection Officer

The most effective protection officers are those who know their customer (the organization they serve) and tailor the way they provide security services to the customer’s mission and culture. In many organizations, information assets are absolutely crucial to the survival and success of the enterprise. Officers should recognize this aspect of the organization and factor it into the performance of their protection duties. It should be noted that many contemporary companies are centered on information as their core business function, hence our “information-based society.” It is our responsibility to remember that a key objective of information asset protection is to enable core business functions, rather than present obstacles. As the past Chairman of the ASIS Information Asset Protection Council puts it, “The ultimate objective is to enable business. Security’s role is to help organizations assess and address risk to enable ‘smart’ business transactions” (Heffernan, 2007).

Three emerging issues that are relevant to the protection of information and intangible assets are the increasingly interconnected global business environment, the rapid advances in information technology, and the fact that we now have to consider—in a different way—the security of security systems. These issues are discussed in this chapter, but need to be constantly reviewed due to the unprecedented pace of change in today’s security environment.

The advances in information technology have a number of implications. One is the new family of risks that are introduced by drastically increased use of information technology in business, organization, government, and home settings. As such use and popularity increases, systems and the data residing on them become more attractive targets for a variety of adversaries.

These new technology tools can also be exploited by adversaries to support their illicit activities. The best examples at the moment are the new cottage industry of information brokers and the use of sophisticated data-mining tools and techniques to target sensitive information. This trend will expand in the future and newly introduced business tools such as cloud computing and wireless technologies will likely be “abused” by bad actors for nefarious activities.

In general, professional protection officers place most of their emphasis on protecting people and property, but it is important to support the third asset category as well: information. Elements of information asset and intellectual property protection should be included in officer and supervisor training, as well as quality assurance standards for security programs.

Security service providers should consider adding information asset protection services to their suite of protective service offerings. This might include conducting information protection assessments, specialized protection services, courier services, or other tools focused on this category of asset.

URL: https://www.sciencedirect.com/science/article/pii/B9781856177467000213

Topics of Concern

Philip P. Purpura, in Security and Loss Prevention (Sixth Edition), 2013

Technical Surveillance Countermeasures

ASIS International (2007: 17) states the following:

Technical Surveillance Countermeasures (TSCM) refers to the use of services, equipment, and techniques designed to locate, identify, and neutralize the effectiveness of technical surveillance activities (electronic eavesdropping, wiretapping, bugging, etc.). Technical surveillance countermeasures should be a part of the overall protection strategy. Individuals within the organization responsible for physical security, facility security, information asset protection, telecommunications, meeting planning and information technology all have a stake in addressing these concerns.

The physical characteristics of a building have a bearing on opportunities for surveillance. Some of these factors are poor access control designs, inadequate soundproofing, common or shared ducts, and space above false ceilings enabling access. The in-house security team can begin countermeasures by conducting a physical search for planted devices. If a decision is made to contact a specialist, only the most expertly trained and experienced consultant should be recruited.

The Countermeasures Consultant

Organizations often recruit a countermeasures consultant to perform contract work. As a consumer, ask for copies of certificates of TSCM courses completed and a copy of the insurance policy for errors and omissions for TSCM services. What equipment is used? What techniques are employed for the cost? Are sweeps and meticulous physical inspections conducted for the quoted price? Watch for scare tactics. Is the consultant really a vendor trying to sell surveillance detection devices, or a PI claiming to be a TSCM specialist? Will the consultant protect confidentiality? The interviewer should request a review of past reports to clients. Were names deleted to protect confidentiality? These questions help to avoid hiring an unqualified “expert.” One practitioner offered clients debugging services and used an expensive piece of equipment to conduct sweeps. After hundreds of sweeps, he decided to have the equipment serviced. A service person discovered that the device was not working properly because it had no battery for one of its components. The surprised “expert” never realized a battery was required.

For a comprehensive countermeasures program, the competent consultant will be interested in sensitive information flow, storage, retrieval, and destruction. Extra cost will result from such an analysis, but it is often cost effective.

The employer should use a public telephone off the premises to contact the consultant in order not to alert a spy to impending countermeasures. An alerted spy may remove or turn off a bug or tap, and the TSCM effort may then be less effective.

Techniques and Equipment

Detection equipment is expensive, and some of it is promoted with exaggerated claims (puffing) yet is useless. A company should purchase its own equipment only if it retains a well-qualified TSCM technician, many sweeps are conducted, and the in-house TSCM program is cost-effective.

Equipment includes the nonlinear junction detector (NLJD), costing between $10,000 and $20,000. It is capable of detecting radio transmitters, microphones, infrared and ultrasonic transmitters, recorders, video cameras, cell phones, remote-controlled detonators, and other hidden electronic devices, even when they are not working. Gruber (2006: 284–285) offers the following on the NLJD. It transmits a microwave signal through its antenna, and an internal receiver listens for an RF response that may mean a device is present. NLJDs are available in various power outputs, up to the restricted government version. The effectiveness of this equipment is poor in an area containing several electronic devices; in this case, a physical search is best.

The telephone analyzer is another tool designed for testing a variety of single and multiline telephones, answering machines, fax machines, and intercom systems. The spectrum analyzer is still another tool. Basically, it is a radio receiver with a visual display to detect airborne radio signals. Other types of specialized equipment are on the market. Buyer beware.

In one case, a TSCM specialist was conducting a sweep in a conference room of a major corporation when a harmless-looking stapler sitting among other office supplies was found to contain a voice-activated recorder with memory. A pinhole lens camera was then installed in the room, and video showed an office worker exchanging the stapler every week for a similar-looking one. When confronted and interviewed, the worker revealed who was behind the spying, that he was paid $500 for each stapler containing audio, and that he had transferred only three staplers to the spy during his five months of employment. The worker was fired, police were not contacted, the media and stockholders never knew about possible leaks of information, and the spy was informed of the discovery and threatened with criminal and civil legal action.

Some security personnel or executives plant a bug for the sole purpose of determining if the equipment of the detection specialist is effective. This “test” can be construed as a criminal offense. Alternatives are specially designed test transmitters, commercially available, that have no microphone pickup and therefore can be used without liability. Another technique is to place a tape recorder with a microphone in a drawer.

A tool kit and standard forms are two additional aids for the countermeasures specialist. The tool kit consists of the common tools (e.g., screwdrivers, pliers, electrical tape) used by an electrician. Standard forms facilitate good recordkeeping and serve as a checklist. What was checked? What tests were performed? What were the readings? Where? When? Who performed the tests? Why were the tests conducted? Over a period, records can be used to make comparisons while helping to answer questions.

The following list offers topics of consideration for TSCM (Gruber, 2006: 277–304; Kaiser and Stokes, 2006: 60–68):

Because a spy who learns of a TSCM search may turn off or remove his or her equipment, the TSCM specialist should be discreet by disguising vehicles, dress, and equipment. A top executive may choose to establish a cover story to avoid alerting anyone to the TSCM.

An early step in TSCM is a physical search for devices, beginning from outside the building. The physical search, both outside and inside, is very important and time-consuming. On the outside, focus on items such as utilities, wires, ductwork, and openings (e.g., windows). A spy can tap into lines outside the building without needing to ever enter the building.

Inside the building, the TSCM technician should check cabling and inside individual office equipment (e.g., telephones, faxes, and computers). Is there anything in the office equipment that appears odd?

The technician should be knowledgeable about IT systems, computers, internal network or Local Area Network (LAN), and a connection to the outside or Wide Area Network (WAN). These systems can be bugged or tapped like telephone systems. For example, a LAN analyzer connected to a line can read all e-mail that travels through the line. The technician should have equipment to check what is attached to lines.

Besides traditional cable, fiber optic cable can also be tapped. A tap on a fiber optic cable can be detected through an Optical Time Domain Reflectometer.

Since devices may be hidden in walls, the technician can use an ultraviolet light to detect plaster repairs to walls. An NLJD or a portable x-ray machine can be used to detect devices in walls.

Items in walls that should be checked are power outlets, phone jacks, and network jacks. Tools to check these items and inside walls are a flashlight, dental mirror, and a fiber optic camera.

Plates at light switches, wall outlets, and HVAC vent covers should all be removed for the search and prior to the sweep.

If a bug or tap is found, it should be documented and photographed. Caution is advised because the device could be booby-trapped. Although police could be contacted for assistance, their response and expertise will vary widely. Difficult questions surface as to whether the device should remain and whether to apply an OPSEC approach (e.g., feed false information). Seek legal assistance.

The TSCM technician often finds nothing unusual. However, 100 percent protection is not possible. A spy may outfox the technician and the equipment. In addition, there are many ways to steal information. Security practitioners should be creative and think like a spy.

Another strategy to thwart listening devices is “shielding,” also called electronic soundproofing. Basically, copper foil or screening and carbon filament are applied throughout a room to prevent acoustical or electromagnetic emanations from leaving. Although this method is very expensive, several organizations employ it to have at least one secure room or to protect information in computers.

Equipment is available on the market that may frustrate telephone taps and listening devices. Scramblers, attached to telephones, alter the voice as it travels through the line. However, no device or system is foolproof. Often, simple countermeasures are useful. For instance, an executive can wait until everybody is present for an important meeting, and then relocate it to a previously undisclosed location. Conversants can operate a radio at high volume during sensitive conversations, and exercise caution during telephone and other conversations.

Voice over Internet Protocol (VoIP) technology is popular with organizations and commercial telephony service providers because of lower costs and efficiency. VoIP enables voice to be transported digitally via a network using Internet Protocol standards. Such services may not even make contact with the traditional telephone network. One concern of VoIP technology relates to its inability to provide traditional location identification (i.e., Enhanced 911) for 911 emergency calls made to public safety agencies. Of particular interest for our discussion here is that traditional techniques for telephone intercepts and wiretaps are more difficult with VoIP, and end-to-end encryption compounds the challenges for the spy (National Institute of Justice, 2006).

As we know, information assets can be collected in many different ways besides with physical devices. Losses can occur through speeches and publications by employees, in company trash, and by unknowingly hiring a spy. Comprehensive, broad-based information security is necessary.

Who do you think has “the edge,” those who seek information assets or those who protect them?

Search the Internet

Here is a list of websites relevant to this chapter:

ASIS, International: www.asisonline.org

Business Espionage Controls and Countermeasures Association: www.becca-online.org

Centers for Disease Control and Prevention: www.cdc.gov

Institute for a Drug-Free Workplace: www.drugfreeworkplace.org

National Association of Information Destruction, Inc.: www.naidonline.org

National Institute for Occupational Safety and Health (NIOSH): www.cdc.gov/niosh/homepage.html

Occupational Safety and Health Administration (OSHA): www.osha.gov

OSHA: www.osha.gov/SLTC/workplaceviolence/index.html

Strategic and Competitive Intelligence Professionals: www.scip.org

Substance Abuse and Mental Health Services Administration: www.samhsa.gov

U.S. Department of Labor: www.dol.gov/elaws/drugfree.htm

U.S. Department of State: www.state.gov

U.S. Drug Enforcement Administration: www.justice.gov/dea

URL: https://www.sciencedirect.com/science/article/pii/B9780123878465000188