Adapting client practices to the requirements issued by regulators on technological risk and information security.

Origin of technological risk: how does it affect us?

Technological risk originates in the continual growth of tools and technological applications that lack adequate security management. They make their way into organizations because technology has become both the target and the vehicle of attacks: vulnerabilities arise from inappropriate protection measures and from constant change, two factors that make it ever harder to keep security measures up to date.

Beyond intentional attacks, there is the incorrect use of technology, which in many cases is the main cause of the vulnerabilities and risks to which organizations are exposed.

Technological risk can be viewed from three aspects: first, the technological infrastructure (the hardware, or physical, level); second, the logical level (risks associated with software, information and information systems); and third, the risks derived from misuse of the previous two, which corresponds to the human factor.

If the goals, objectives, vision or mission statements of organizations are reviewed, they are not phrased in technical terms or in relation to technology. Yet a thorough analysis of this managerial approach shows that carrying it out rests on the performance of a technological infrastructure that makes those qualities attainable. Consequently, delivery of the services and development of the products the company offers, the maintenance of its operations and even the continuity of the business depend on the care and upkeep of the technological base and, of course, of the personnel who operate it.

Assurance measures against technological risk

Discussing controls and measures that allow organizations to counteract this type of risk can be complicated, but actions that lead to its mitigation are possible. Assurance can be addressed at each of the three levels described above.

At the physical level, the measures are those of technical or computer security: control procedures and physical barriers against threats, intended to prevent damage to, or unauthorized access to, the resources and confidential information held in the physical infrastructure. These include:

  • Physical access controls, which may include biometric and surveillance systems for access to specific areas.
  • Management of tokens or identification cards.
  • Equipment-level controls, such as location and protection, cabling security and periodic maintenance of equipment.
  • Utility services (power, water and sewerage, among others) that support continuity.
  • Management of removable storage media.
  • Technical vulnerability controls, among others.

At the logical level, the measures concern the use of software and systems, and focus on protecting data and guaranteeing that users access information only through authorized, correct procedures. These measures can include:

  • Logical access controls: management of users, profiles and privileges for access to applications, and password management.
  • Controls on access to internal and external networks, network segregation and controls to secure network services.
  • Controls for teleworking and mobile devices.
  • Solutions for protection against malware.
  • Backups of databases and critical information.
  • Protocols for information exchange and information encryption.
  • System monitoring, clock synchronization and protection of logs.
  • Limits on connection times to applications and session closure after inactivity.
  • Change control management, among others.

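Two of the logical-level controls listed above, the closing of sessions after inactivity and the protection of logs, are shown below in working form. This is an added example written for this page, not code from the original article or from any product; the class names, the timeout values and the timeline are assumptions chosen for illustration. The session store enforces both an idle timeout and an absolute lifetime on every use, and the audit log chains each record to the hash of the previous one so that editing or deleting a record is detectable.

```python
"""Added example for the logical-level controls above: an idle-timeout
session store and a tamper-evident (hash-chained) audit log.
Constructed for this page; names and timeout values are assumptions."""
import hashlib
import json
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60           # seconds of inactivity before a session is closed (assumed)
MAX_SESSION_LIFETIME = 8 * 3600  # absolute lifetime of a session, regardless of activity (assumed)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """Tracks sessions and enforces idle and absolute expiry on every use."""

    def __init__(self):
        self._sessions = {}

    def open(self, sid: str, user: str, now: float) -> None:
        self._sessions[sid] = Session(user, now, now)

    def touch(self, sid: str, now: float) -> bool:
        """Return True if the session is still valid, refreshing its idle timer.
        An expired session is removed so a later call cannot revive it."""
        s = self._sessions.get(sid)
        if s is None:
            return False
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created_at > MAX_SESSION_LIFETIME:
            del self._sessions[sid]
            return False
        s.last_seen = now
        return True


class AuditLog:
    """Append-only log where each record carries the hash of the previous one,
    so deleting or editing any record breaks the chain on verification."""

    GENESIS = "0" * 64  # hash placeholder for the first record

    def __init__(self):
        self.records = []
        self._prev = self.GENESIS

    @staticmethod
    def _digest(prev: str, event: dict) -> str:
        body = json.dumps(event, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, ts: float, actor: str, action: str) -> None:
        event = {"ts": ts, "actor": actor, "action": action}
        h = self._digest(self._prev, event)
        self.records.append({**event, "prev": self._prev, "hash": h})
        self._prev = h

    def verify(self) -> bool:
        """Recompute the chain from the start; any edit or gap yields False."""
        prev = self.GENESIS
        for r in self.records:
            event = {k: r[k] for k in ("ts", "actor", "action")}
            if r["prev"] != prev or r["hash"] != self._digest(prev, event):
                return False
            prev = r["hash"]
        return True


def demo():
    """Walk both controls through a constructed timeline (seconds from t=0)."""
    store, log = SessionStore(), AuditLog()
    store.open("s1", "alice", now=0)
    log.append(0, "alice", "login")
    alive_at_10min = store.touch("s1", now=600)            # 10 min idle: still valid
    log.append(600, "alice", "read report")
    alive_at_26min = store.touch("s1", now=600 + 16 * 60)  # 16 min idle: closed
    log.append(1560, "system", "session s1 closed: idle timeout")
    intact_before = log.verify()
    log.records[1]["action"] = "read payroll"              # simulate tampering with a record
    return alive_at_10min, alive_at_26min, intact_before, log.verify()


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The session check is done on every request rather than by a background sweeper, so an expired session can never be used even if the sweeper falls behind; the chained log only makes tampering detectable, so the verification step must run from a copy of the log that the system being audited cannot write to.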
The third level, and the most critical within organizations given its unpredictable nature, is the personnel or human resource. Measures at this level should be more procedural, tied to regulation and awareness. They can include:

  • Definition of security policies that state the consequences of violations, so as to ensure compliance.
  • Controls on agreements with third parties, on the services they may provide, and on segregation of duties.
  • Controls at the hiring stage.
  • Management before, during and after termination of contracts.
  • Education and continuous training in security matters.
  • Procedures and instructions for handling information.
  • Clean desk and clear screen policies.
  • Compliance with applicable legislation, among others.

Technological risk as the root of other risks

Technological risk may be both the cause and the consequence of other types of risk. A failure in the infrastructure may translate into risks in other areas: financial losses, fines, legal action, damage to the organization's image, operational problems or disruption of its strategy. Conversely, a disgruntled employee, who represents an operational risk, may also pose a technological risk through improper handling of systems and information.

Some examples that illustrate the above:

  • The discovery in May 2012 of the Flame malware, used in cyberespionage attacks against Middle Eastern countries. This attack entailed the loss of confidential and critical information. [1]
  • Another case of industrial cyberespionage is the malware found in AutoCAD files, whose purpose is the theft of sensitive information such as architectural plans. [2]
  • A widely reported attack in March 2011 was the theft of information from RSA, which entailed risks for online banking. [3]
  • Finally, the attack on Sony in 2011, in which user account information was stolen. [4]

All of the above confirms the damage that a failure in technology security can trigger.

This concludes the first part of this article; in the next installment we will discuss the importance of good practices and the COBIT reference framework in some of its versions.

References

[1] Meet 'Flame,' The Massive Spy Malware Infiltrating Iranian Computers, Wired Magazine, May 2012. Available at: http://www.wired.com/threatlevel/2012/05/flame/

[2] Malware in AutoCAD files could be the beginning of industrial cyberespionage, Subdirección de Seguridad de la Información, UNAM - Information and computer security services. Available at: http://www.seguridad.unam.mx/noticia/?noti=420

[3] More than 40 million electronic banking users at risk, technology blog ALT1040, March 2011. Available at: http://alt1040.com/2011/03/en-riesgo-mas-de-40-millones-de-usuarios-de-banca-electronica

[4] Sony confirms an additional data theft affecting almost two hundred users in Spain, Diario El Mundo España, May 2011. Available at: http://www.elmundo.es/elmundo/2011/05/03/navegante/1304383366.html