IMPLEMENTING IT SECURITY FOR SMALL AND MEDIUM ENTERPRISES

Short Presentation by Subhash Uppalapati.

- Edgar R. Weippl and Markus Klemen

INTRODUCTION

Small and Medium Enterprises (SMEs): < 400 employees

Fewer resources and less expertise in IT security

Limited know-how regarding IT security

FOUR LEVELS OF SECURITY IN SMES

A PRAGMATIC APPROACH FOR SMES

Aspect 1: Inspection

Aspect 2: Protection

Aspect 3: Detection

Aspect 4: Reaction

Aspect 5: Reflection

ASPECT 1: INSPECTION

Inspection: “To determine which key processes and corporate functions are essential, the capabilities they require and their interaction with one another”.

This aspect consists of five steps, followed by an evaluation of the result:

1. Resource inventory

Thorough inventory of the company’s resources and assets.

2. Threat assessment

Identifies what threatens the inventoried assets. Threat categories: human error, natural disasters, system failures, malicious acts, and collateral damage.

ASPECT 1: INSPECTION (CONTD…)

3. Loss analysis

Potential loss scenarios to consider: theft of resources, deletion of information, theft of information, disclosure of information, corruption of information, etc.

4. Identification of vulnerabilities

Where are the weaknesses in the company? These might be technical (security design flaws) or organizational (e.g., susceptibility to social engineering).

5. Assignment of safeguards

For each identified risk, choose one strategy: avoidance, mitigation, transference or acceptance.

6. Evaluation of current status

After the above five steps, re-assess and test.
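The six inspection steps above can be carried out as a small risk register. The following script is an added example and is not code from the presentation or from Weippl and Klemen; the asset values, occurrence rates, exposure fractions and the thresholds used to pick a safeguard strategy are constructed illustrations. It computes an annualised loss expectancy per asset/threat pair, ranks the pairs, maps each to one of the four strategies named in step 5, and lists what is still open for the step 6 re-assessment.

```python
"""Risk register for the Inspection aspect (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five threat categories and the loss types named on the slides.
THREAT_CATEGORIES = {"human error", "natural disaster", "system failure",
                     "malicious act", "collateral damage"}
LOSS_TYPES = {"theft of resources", "deletion of information",
              "theft of information", "disclosure of information",
              "corruption of information"}


@dataclass(frozen=True)
class Asset:                      # step 1: resource inventory
    name: str
    value: float                  # business value in EUR (constructed figure)


@dataclass(frozen=True)
class Threat:                     # steps 2-4: threat, loss type, vulnerability
    asset: str
    category: str
    loss_type: str
    vulnerability: str            # technical or organizational weakness
    annual_rate: float            # expected occurrences per year
    exposure: float               # fraction of asset value lost per event (0..1)
    avoid_cost: Optional[float] = None  # yearly cost of dropping the activity, if possible


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    category: str
    loss_type: str
    vulnerability: str
    ale: float                    # annualised loss expectancy
    treatment: str                # avoidance | mitigation | transference | acceptance


def annual_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = single loss expectancy (value * exposure) * annual rate."""
    return asset.value * threat.exposure * threat.annual_rate


def choose_treatment(asset: Asset, threat: Threat, ale: float,
                     accept_below: float, max_absorbable: float) -> str:
    """Step 5: map one risk to a safeguard strategy.

    Decision rules (constructed policy, not from the paper):
      - expected yearly loss below `accept_below` is accepted;
      - a single event the company cannot absorb is transferred
        (insurance, outsourcing);
      - if avoiding the activity costs less than the expected loss, avoid it;
      - everything else is mitigated with technical/organizational controls.
    """
    single_loss = asset.value * threat.exposure
    if ale < accept_below:
        return "acceptance"
    if single_loss > max_absorbable:
        return "transference"
    if threat.avoid_cost is not None and threat.avoid_cost < ale:
        return "avoidance"
    return "mitigation"


def build_register(assets: List[Asset], threats: List[Threat],
                   accept_below: float = 500.0,
                   max_absorbable: float = 50_000.0) -> List[RiskEntry]:
    """Run steps 1-5 and return entries ranked by expected yearly loss."""
    by_name: Dict[str, Asset] = {a.name: a for a in assets}
    register: List[RiskEntry] = []
    for t in threats:
        if t.category not in THREAT_CATEGORIES or t.loss_type not in LOSS_TYPES:
            raise ValueError(f"unknown category or loss type for {t.asset}")
        asset = by_name[t.asset]  # KeyError: threat against an un-inventoried asset
        ale = annual_loss_expectancy(asset, t)
        register.append(RiskEntry(t.asset, t.category, t.loss_type, t.vulnerability, ale,
                                  choose_treatment(asset, t, ale, accept_below, max_absorbable)))
    return sorted(register, key=lambda e: e.ale, reverse=True)


def open_items(register: List[RiskEntry], implemented: Dict[str, str]) -> List[RiskEntry]:
    """Step 6: re-assess. Return entries whose chosen treatment is not yet in place.
    `implemented` maps "asset/loss type" to the treatment actually carried out."""
    return [e for e in register if implemented.get(f"{e.asset}/{e.loss_type}") != e.treatment]


# Constructed sample data for a small company.
ASSETS = [Asset("file server", 20_000), Asset("customer database", 120_000),
          Asset("office internet uplink", 3_000)]
THREATS = [
    Threat("customer database", "malicious act", "theft of information",
           "shared admin password known to former staff", annual_rate=0.2, exposure=0.3),
    Threat("file server", "system failure", "deletion of information",
           "single disk, no backup", annual_rate=0.5, exposure=1.0),
    Threat("file server", "human error", "disclosure of information",
           "public share reachable from the internet", annual_rate=1.0, exposure=0.2, avoid_cost=100),
    Threat("office internet uplink", "collateral damage", "theft of resources",
           "single provider", annual_rate=2.0, exposure=0.05),
    Threat("customer database", "natural disaster", "deletion of information",
           "server room in the basement", annual_rate=0.01, exposure=1.0),
]

if __name__ == "__main__":
    for e in build_register(ASSETS, THREATS):
        print(f"{e.ale:>8.0f} EUR/yr  {e.treatment:<12} {e.asset}: {e.loss_type} ({e.vulnerability})")
```

The thresholds are the management decision this aspect is meant to make explicit: `accept_below` is the loss the decision maker is willing to carry, `max_absorbable` the single event the company could not survive without insurance or a provider taking the risk.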

ASPECT 2: PROTECTION

Protection: “The objects that need protection, the required level of protection, and how to reach this level by creating a comprehensive security design”.

This aspect consists of five steps:

1.Awareness

Awareness training of one or two hours once a year

2. Access

Physical + logical

ASPECT 2: PROTECTION (CONTD…)

3.Authentication and Authorization

Use existing access control technologies such as Kerberos and Active Directory.

4.Availability

Because SMEs usually lack redundant server systems, outage emergency plans must be developed and kept up to date.

5.Confidentiality

Information is the key asset to be protected.

ASPECT 3: DETECTION

Detection: “Processes that intend to minimize the losses from a security incident that could interrupt the core business processes”.

This aspect consists of three steps:

1. Classify intruder types

Who is likely to attack from outside? How tough is the competition in the company’s industry sector?

2. Enumerate intrusion methods

Identify the most probable intrusion methods and the business process each one would affect.

This requires in-depth know-how of intrusion detection; the authors recommend consulting specialists.

ASPECT 3: DETECTION (CONTD…)

3.Assess intrusion detection methods

Logging, Simple Network Management Protocol (SNMP)
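Logging is only a detection method once somebody, or something, reads the logs. The script below is an added example, not code from the presentation or its authors: it takes the intruder type and intrusion method from steps 1 and 2 as given (an outside attacker guessing passwords over SSH against a small company’s server) and applies step 3 to it by running simple detection logic over log lines. The log lines are constructed in the OpenSSH/syslog style and are not real data; the year is assumed because syslog timestamps omit it, and the threshold and window are illustrative settings an administrator would tune.

```python
"""Brute-force login detection over sshd log lines (added example, constructed data)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Constructed sample lines in the OpenSSH/syslog style; not real log data.
SAMPLE_LOG = """\
Mar 10 09:12:01 fileserver sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 10 09:12:03 fileserver sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 10 09:12:05 fileserver sshd[4125]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 10 09:12:07 fileserver sshd[4126]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 10 09:12:09 fileserver sshd[4127]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 10 09:12:30 fileserver sshd[4128]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 10 09:15:00 fileserver sshd[4130]: Failed password for alice from 192.168.1.20 port 40100 ssh2
Mar 10 09:15:12 fileserver sshd[4131]: Accepted password for alice from 192.168.1.20 port 40101 ssh2
"""

# Matches the "Failed password" / "Accepted password" lines that sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)")


@dataclass(frozen=True)
class Alert:
    kind: str          # "brute_force" or "success_after_brute_force"
    ip: str
    user: str
    when: datetime
    failures: int      # failed attempts from this source inside the window


def parse_line(line: str, year: int = 2024) -> Optional[Tuple[datetime, str, str, str]]:
    """Return (timestamp, result, user, source ip) or None for unrelated lines.
    `year` is an assumption: syslog timestamps carry no year."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Sliding-window detector: `threshold` failures from one source inside
    `window` raise a brute-force alert; a later successful login from a source
    that is over the threshold raises a more serious alert (the guessing worked)."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    already_alerted = set()
    alerts: List[Alert] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # not an authentication line
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()              # drop attempts older than the window
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in already_alerted:
                already_alerted.add(ip)   # one alert per source, not one per attempt
                alerts.append(Alert("brute_force", ip, user, ts, len(recent)))
        else:
            if len(recent) >= threshold:
                alerts.append(Alert("success_after_brute_force", ip, user, ts, len(recent)))
            recent.clear()                # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.when:%H:%M:%S} {a.kind:<26} {a.ip} user={a.user} failures={a.failures}")
```

On the sample data the outside source trips the threshold on its fifth attempt and then logs in as root, which is the case the reaction plan of the next aspect has to cover; the single typo by an internal user never reaches the threshold and produces nothing. The same structure applies to any other log source the company keeps (VPN, mail, web server); only the regular expression changes.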

ASPECT 4: REACTION

Reaction: “How to respond to security incidents. It must define the process of reacting to certain threat scenarios”.

This aspect consists of three steps.

1.Develop response plan

Guidelines on how to proceed in case of emergency

2.Assessing the damage

Administrator should thoroughly assess the damage before starting the recovery procedures.

ASPECT 4: REACTION (CONTD…)

3. Incident recovery procedures

Recovery procedures should be defined, management-approved, and tested.

ASPECT 5: REFLECTION

Reflection: “After security incidents are handled, follow-up steps should be taken to put incidents behind and continue normal operations”.

Only one main step

1. Incident documentation and evaluation

Incident should be documented properly and discussed with partners and colleagues.

Incident response should be evaluated and if improvements are necessary, should be added to the IR plan.

MAIN COMMUNICATION PATH FOR IT SECURITY-RELATED ISSUES IN SMES

Stakeholders:

1. Decision maker

2. IT administrator

3. User

4. External consultants

IT ADMINISTRATOR

Responsibilities range from changing printer toner to assigning and modifying user rights in operating systems and setting up and maintaining internet connections.

With so many responsibilities, security is easily neglected.

The impact is often recognized only once the company has been hit by a serious incident.

Three scenarios for the amount of IT personnel resources:

1. No dedicated administrator

2. One dedicated administrator

3. More than one dedicated administrator

IT USER

Believe it or not, 77% of information theft is caused by company employees (Cox, 2001).

Restrictions on web surfing, private e-mailing, or individual desktop settings are often perceived by users as not appropriate.

Apply restrictions with care and communicate the reason for them.

Gain the employees’ understanding and support.

WORKFLOW LEVEL

WORKFLOW LEVEL (CONTD…)

INFORMATION LEVEL

Thank you