Securing an organization's information ultimately means:
- Making sure that information remains confidential, so that only those authorized to access it can use it (Confidentiality).
- Knowing that no one has been able to modify information without authorization, so that one can depend on its correctness (Integrity).
- Ensuring that information is available when it is required, for example by creating back-up copies and, where appropriate, storing the back-up replicas off-site (Availability).
Access to information must be limited to people who are authorized to access it. This requires that mechanisms be in place to control access to information. The strength of the access control mechanisms should be commensurate with the value of the information being secured: the more sensitive or valuable the information, the stronger the control mechanisms need to be. The foundation on which access control mechanisms are built is identification, authentication and authorization.
Identification is the assertion of who someone is or what something is, for example presenting a username.
Authentication is the act of proving that claim of identity, for example with a password, a hardware token or a cryptographic key.
Authorization comes after identification and authentication: once a user or program has been successfully identified and authenticated, it must be determined which information assets they are allowed to access and which actions they are permitted to perform.
The need-to-know principle has been adopted by software companies in India as an extension of access control. Under the need-to-know principle, administrators grant employees the minimum set of rights required for their job, so that employees cannot access or do more than they are supposed to.
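As an added illustration (not code from the original page), the following Python sketch keeps the three steps separate and applies need-to-know at the authorization step: a known username is an identification claim, a PBKDF2 password check proves it, and a per-user permission set decides what the authenticated principal may do. The user store, usernames, permissions and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store for the example; in practice this is a directory or identity provider.
# Passwords are kept as (salt, PBKDF2-HMAC-SHA256 digest), never in the clear.
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a salted password digest. A fresh random salt is used when none is supplied."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


USERS = {
    # username: (salt, digest, permissions that define this user's need to know)
    "asha": (*hash_password("correct horse battery staple"), {"payroll:read"}),
    "ravi": (*hash_password("hunter2"), {"source:read", "source:write"}),
}


def identify(username: str) -> bool:
    """Identification: the claim 'I am <username>'. Only checks that the claim names a known principal."""
    return username in USERS


def authenticate(username: str, password: str) -> bool:
    """Authentication: prove the identity claim. Constant-time comparison avoids timing leaks."""
    if not identify(username):
        # Do the same amount of work so unknown usernames are not distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return False
    salt, stored, _ = USERS[username]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def authorize(username: str, permission: str) -> bool:
    """Authorization (need-to-know): after authentication, decide what this principal may do."""
    _, _, permissions = USERS.get(username, (b"", b"", set()))
    return permission in permissions


def access(username: str, password: str, permission: str) -> str:
    """Full flow: an authenticated user is still refused anything outside their need to know."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return f"denied: {username} has no need to know {permission}"
    return f"granted: {permission}"
```

The point of the last function is the order of checks: authorization is only meaningful once authentication has succeeded, and a successful login by itself grants nothing beyond the permissions the principal was given.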
Even though the security architect or engineer helps set up security standards and procedures, operations security is the actual practice of implementing, maintaining and monitoring safeguards and controls on a regular basis to prevent security incidents.
Software companies in India can use numerous safeguards and controls to protect their operations, such as:
- Preventive controls: reduce the risk of unintentional errors and of unauthorized users gaining access to the system and altering information.
- Detective controls: help detect when an error or a security violation has occurred.
- Separation of duties (SoD): assigning tasks to different people so that no single person has total control of a security procedure.
- Back-ups: in the event of a crash, restore systems from routine back-ups; a back-up that has never been test-restored should not be relied on.
- Strict policies: procedures for tracking and approving modifications or reconfiguration of systems (note: this is typically addressed by a formal change control process and by configuration management that maintains an up-to-date inventory of hardware, operating systems, software and patches).
- BGC: employee background checks and screening for roles that have access to highly sensitive information or that control security procedures.
- Retention: suitable retention policies as defined by organizational policies, standards, and legal and business requirements.
- Documentation: proper documentation, such as the organizational security policy and procedures, and security incident and disaster recovery plans.
- Proper protection: safeguards for hardware, software and information assets.
In addition to controls, comprehensive security operations include suitable monitoring and auditing. Three common techniques used to monitor security are:
Intrusion prevention/detection:
A process of monitoring network traffic or host audit logs for security violations, such as intrusions that have bypassed or passed through the firewall, or intrusions originating within the local area network behind the firewall.
Vulnerability scanning/penetration testing:
An active test run against systems or devices connected to a network to check their current configuration against widely recognized vulnerabilities, evaluate the level of exposure, and determine the overall effectiveness of the existing controls.
Violation analysis:
Monitoring software or tools that let an organization identify areas of concern by analysing audit records. For example, a user repeatedly forgets to log out of a critical application, and the application automatically logs the user off after a preset period of inactivity. Each such lapse (a time-out instead of a log-off) generates an error message or audit record entry. Analysis of these records can reveal the need for user awareness training, such as reminders to log off when done using a system.
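To make the time-out example concrete, here is an added Python example (not a tool from the original page) that runs the violation analysis described above over a constructed audit trail: it counts, per user, how many sessions ended with an explicit LOGOUT versus an inactivity SESSION_TIMEOUT, skips malformed records rather than failing on them, and flags users who habitually rely on the time-out. The log format, field names, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed audit-trail sample for the example; the format is assumed, not taken from any product.
AUDIT_LOG = """\
2024-03-01T09:02:11Z app=payroll user=asha event=LOGIN src=10.0.4.21
2024-03-01T10:15:02Z app=payroll user=asha event=SESSION_TIMEOUT reason=inactivity
2024-03-01T11:00:43Z app=payroll user=ravi event=LOGIN src=10.0.4.30
2024-03-01T11:45:10Z app=payroll user=ravi event=LOGOUT
2024-03-02T09:01:57Z app=payroll user=asha event=LOGIN src=10.0.4.21
2024-03-02T09:59:30Z app=payroll user=asha event=SESSION_TIMEOUT reason=inactivity
2024-03-03T09:05:12Z app=payroll user=asha event=LOGIN src=10.0.4.21
2024-03-03T12:10:00Z app=payroll user=asha event=SESSION_TIMEOUT reason=inactivity
2024-03-03T14:00:00Z app=payroll user=ravi event=LOGIN src=10.0.4.30
2024-03-03T14:20:00Z app=payroll user=ravi event=SESSION_TIMEOUT reason=inactivity
2024-03-03T14:21:09Z malformed line that should be skipped, not crash the analysis
"""

# timestamp followed by one or more key=value fields
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")


def parse_record(line):
    """Parse one audit line into a dict, or return None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = m.group("ts")
    return fields


def session_end_stats(log_text):
    """Count, per user, how sessions ended: explicit LOGOUT versus inactivity SESSION_TIMEOUT."""
    stats = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or "user" not in rec:
            continue  # malformed or user-less records are ignored, not fatal
        if rec.get("event") not in ("LOGOUT", "SESSION_TIMEOUT"):
            continue
        stats.setdefault(rec["user"], Counter())[rec["event"]] += 1
    return stats


def flag_timeout_habit(stats, min_sessions=3, timeout_ratio=0.75):
    """Violation analysis: flag users whose sessions mostly end by time-out instead of log-off.

    min_sessions avoids flagging on one or two data points; timeout_ratio is the share of
    sessions ending in a time-out above which the pattern is treated as a habit.
    """
    flagged = {}
    for user, counts in stats.items():
        ended = counts["LOGOUT"] + counts["SESSION_TIMEOUT"]
        if ended >= min_sessions and counts["SESSION_TIMEOUT"] / ended >= timeout_ratio:
            flagged[user] = {"timeouts": counts["SESSION_TIMEOUT"], "logouts": counts["LOGOUT"]}
    return flagged


if __name__ == "__main__":
    for user, detail in flag_timeout_habit(session_end_stats(AUDIT_LOG)).items():
        print(f"{user}: {detail['timeouts']} time-outs vs {detail['logouts']} log-offs; remind user to log off")
```

With the sample above only one user is flagged: the other has a single time-out among too few sessions to call a habit, which is the kind of threshold a real violation analysis needs so that one-off events do not generate awareness reminders.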
Auditing is the regular review of audit trails, which can alert a firm to unauthorized or unlawful activity.
These safeguards thus allow software companies in India to protect sensitive information and, in the end, avoid unnecessary costs, time and use of other resources. Along with tangible assets, they can avoid the loss of intangible assets such as brand image and the trust of customers, suppliers and employees.