Monday, November 4, 2013

This week's lesson involved more of the business and financial aspects of information security. Companies want to be protected, but they also want to know exactly how much that protection will cost. Why?

Because the cost to secure them could be greater than incurring the actual threat. Strange? Possibly, but it could be true.

Now, there are different layers to be considered when we talk about information security protections: 

  1. How much would a single incident cost the company?
  2. How many times a year would it be anticipated for this incident to occur?
  3. How much money would this incident cost the business?
  4. How much does an annual solution cost?
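The four questions above are the inputs of a standard quantitative risk calculation (single loss expectancy, annual rate of occurrence, annual loss expectancy, and annual cost of the safeguard). The following is an added example, not code from the original post; the dollar figures, scenario names and the residual-rate assumption are all constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float             # 1. cost of a single incident (single loss expectancy)
    aro: float             # 2. expected incidents per year (annual rate of occurrence)
    safeguard_cost: float  # 4. annual cost of the proposed solution
    residual_aro: float    # assumed incidents per year once the solution is in place


def ale(sle: float, aro: float) -> float:
    """3. Annual loss expectancy: what the incident costs the business per year."""
    return sle * aro


def safeguard_value(s: Scenario) -> float:
    """Net annual benefit of the control: losses avoided minus the control's cost.

    Negative means securing the asset costs more than absorbing the loss,
    which is exactly the case the post warns about.
    """
    avoided = ale(s.sle, s.aro) - ale(s.sle, s.residual_aro)
    return avoided - s.safeguard_cost


def recommend(s: Scenario) -> str:
    return "implement" if safeguard_value(s) > 0 else "accept risk"


# Constructed sample figures; not real data.
SCENARIOS = [
    Scenario("ransomware on file server", sle=200_000, aro=0.5,
             safeguard_cost=30_000, residual_aro=0.05),
    Scenario("lost unencrypted laptop", sle=50_000, aro=0.2,
             safeguard_cost=25_000, residual_aro=0.02),
]

if __name__ == "__main__":
    for s in SCENARIOS:
        print(f"{s.name}: ALE ${ale(s.sle, s.aro):,.0f}, "
              f"net value of control ${safeguard_value(s):,.0f} -> {recommend(s)}")
```

With these numbers the first control pays for itself while the second costs more than the loss it prevents, so the business case differs even though both are real risks.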

Information security professionals have to be well-rounded, not only in areas of security but in the financial impacts that a business leader must pay. That may be the MOST unpleasant part of the conversation, but it is obviously one of the MOST important parts.

Helpful and detailed information, like being able to articulate a cost-benefit analysis, is also an added skill we need.

This article gives some helpful insight on analyzing costs and why they are important for information security. 

http://www.notablesoftware.com/Papers/SecCost.html

Week 11 is all about Personnel and Security.

I was in management for over 4 years and have been in a management role at my current job for over 2 years.

Security issues with employees are such a sensitive topic because employees sometimes feel offended if you request company property as if you suspect them of wrongdoing. It is also sensitive because usually during either a termination, a layoff or even a resignation, there are emotions involved.

However, managers need to be sure that they handle terminations appropriately and professionally.

When medical facilities are involved, there is an additional layer added to this complex situation. Employees must be reminded that they still have an ethical responsibility to keep confidential the information they learned during the course of their employment.

An employee could think that their confidentiality obligation is void once they are terminated, but that just is not the case.

This article helps provide some additional information security insight for terminating employees in the healthcare industry.

http://www.hcpro.com/content/42936.pdf

Sunday, October 20, 2013

Risks, Risks and More Risks...

This week's lesson centered around Risk Management. I personally was surprised at the depth this topic was covered in an information security class. My exposure to risk management until recently had only been in regards to providing healthcare or medical documentation. But after this week's reading and assignments, I've broadened my understanding of risk management, especially pertaining to information security.

First, it should not be ignored that there are risks in every genre but particularly in information security, one needs to determine how to address, mitigate and resolve these risks.

Secondly, various strategies should be used on how to approach risk management plans for information security. The needs and structure of the organization or other factors could drive this.

Thirdly, constructing a risk management plan identifying vulnerabilities and likelihoods is not a one and done process. It's ongoing.

I read an article from the Office of Civil Rights (http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf), which had a really neat point.

It suggested that "A truly integrated risk analysis and management process is performed as new technologies and business operations are planned, thus reducing the effort required to address risks identified after implementation" (OCR, 2010).

While I figured that new technologies should encourage reevaluation of processes, I had not included a change in business operations as a driver.

I think the big picture comment for when to re-evaluate processes is "whenever it's necessary". If a new technology warrants a revamp to the entire risk management strategy, then it should happen. If a new business process impacts the risk management process, then it should change.

This guidance on when to review the process is a great nugget of information for a question that could seemingly have a static answer.

Sunday, October 13, 2013

It is broke, fix it?

This week's assignment involved reviewing recommendations for issues identified in the Verizon Data Breach Investigations Report.

So, I find things like this interesting because when you have an issue that is identified in the company, how do you evaluate when/how to fix it?

For example, in this report, a lot of problems were identified. However, fixing most of them would require process changes and financial expenses. So, the system is broke - do we fix it?

Well, that depends... What's at stake? Are lives on the line? Possibly. Are customer accounts vulnerable? Maybe. Will we lose business? Perhaps.

Better question - Can we be a company with integrity if we do not fix known issues to avoid possible breaches? No.

I know ethics is covered later in the book but here's my take - companies will often do detailed analysis on issues and find all kinds of gaps. The problem that follows is their willingness to resolve and correct these deficits because of cost. However, in order to maintain some level of integrity, any reasonable business owner must fix issues, no matter the cost because we have an obligation to do so.

Sunday, October 6, 2013

This week was all about security training. From 2006 - 2008, I was a compliance auditor and HIPAA auditor. I provided HIPAA training to all new employees and annual training to established employees at a medical school and its partner medical practices. I thoroughly enjoyed that job because I was able to help open employee eyes to real security threats.

I remember sitting in the training as a new employee myself years before and now I was on the other side.

What did I learn?

I learned that security training is designed to make you aware and then make you apply. It does no good to train employees about security breaches if I do not share with them how they can make practical use of the information given.

A trainer is only as good as the information that he/she provides and is only as good as the information that is retained.

Employees or attendees should walk away saying "now I know what to do so X doesn't happen to me".

I wish more trainers would transfer knowledge and not just information...

Sunday, September 29, 2013

Out of all the homework I did this week, I was very intrigued by the various types of policies. If I had to nail down a good policy type, I'd say the issue-specific type. First, they describe the technology that is discussed in the policies, and they mention what problems could arise that would necessitate the need for the policy.

Could these types of policies leave gaps? Possibly. I can recall a story about a hospital that had identity theft of patient information. The perps would view patient information in the course of their routine work but then would use it to open fake accounts. The institution could not have foreseen that employees would steal patient information. So, in a situation like this would an issue policy forbidding the unauthorized access of information be applicable?

Not really, because they had to see the patient's social security number. A new policy would need to be created stating that any illegal use of patient information would be prosecuted.

Unfortunately, the mentality of our society dictates the need to craft a policy for any type of foreseeable problem.

Sunday, September 22, 2013

This week's class gave me a chance to research things like disaster recovery and business continuity plans. I had never researched or read about either topic prior to this week.

So, what did I learn?

I learned that some people use these terms as synonyms for each other. In actuality, a business could have a continuity plan but not necessarily have a disaster recovery plan.

I also learned that some people did not have recovery plans until major catastrophes happened like hurricanes or terrorist attacks.

I think it definitely makes sense for any business to have both of these plans, but does this create paranoia? I don't think so, because we have evidence that the unexpected does happen.

As information security professionals, we will need to prepare individuals in a way that demonstrates a proactive approach instead of a reactive one.

If we can manage to exude confidence in being prepared, we should be able to obtain buy-in for both disaster recovery and business continuity plans.