Limiting data loss, leakage and damage
Maintaining the confidentiality, integrity and availability (CIA) of data are the cornerstones of an information security program (Goodrich & Tamassia, 2011). When organizational data is lost or damaged, any of the CIA elements may be impacted. In the instance of limiting one person’s access and the ability to cause damage, a combination of robust information security and anticipating such events are critical to early identification of issues and related response. For example, an organization with a staff member who is responsible for monitoring information systems activity may have greater opportunity to identify suspicious activity such as file deletion. With a backup and recovery system, modified or deleted information may be recovered for review and potentially restoration of earlier versions. This type of proactive response is based on advanced planning and having capabilities for response.
Defense-in-Depth
Limiting damage to information systems and assets begins with a defense-in-depth approach to protect, monitor and limit access to information resources (Cleghorn, 2013). External defense mechanisms such as firewalls, demilitarized zones (DMZs), and intrusion detection systems are utilized to limit access from potential threat actors with motives such as destruction of property. Log file and alerts should be employed for monitoring of network activity and early detection of possible threats. A system of access controls should be implemented, and encryption should also be used to protect data at rest, in use, and in transit (Goodrich & Tamassia, 2011). With layered defenses and protected data, the potential risk for damage is reduced.
Limiting Access
While defense-in-depth is a starting point to reduce risk, access controls such as Role Based Access Control (RBAC) provide further adherence to security principles such as least privilege and separation of duties as well as deeper limits on the possibility of damage (Sandhu, Coynek, Feinsteink, & Youmank, 1996). RBAC can be configured to establish finite permissions between subjects that require access to information resources and the actions that subjects may perform. Separation of duties is accomplished by defining roles with exclusive actions and limitations. For example, viewing employee payroll records and approving payroll are two different actions that can be segregated with RBAC. With well-defined and granular access control, defense-in-depth achieves breadth and depth of controlled access to information systems and assets. The possibility of damage remains but the extent of potential damage is ideally limited.
Expect the Possibility of Data Loss, Leakage or Damage
The potential for loss, leakage or damage of information resources exists in every information system and may be accidental or malicious. Malicious insiders have been known to abscond with financial and intellectual property assets through gaps in policies and procedures (Randazzo, Keeney, Kowalski, Cappelli, & Moore, 2005). These insiders had sufficient knowledge to manipulate or bypass hardware, software and network resources and often with little technical knowledge. Damage in these instances is the loss of confidential data and client resources. In the event of accidental loss, losses may stem from systemic failure, human error, theft, natural disasters, and malware (Smith, 2003). The impact of these loses may range from 10 days of business outage and a few thousand dollars to complete business closure. Planning for damage is an important element in a complete information security program.
Planning for Disaster and Recovery
Addressing the possibility of damage and recovering is achieved through disaster recovery and business continuity planning. Disaster recovery planning is a process that requires organizational commitment and time (Wold, 2006). It begins with risk assessment and prioritization of people, process and technology. In addition, disaster recovery requires an understanding of critical business systems and system uptime. Disaster recovery may also involve the use of an incident response plan for responding the certain incidents such as a denial of service (DoS) attack. Business continuity planning concerns business interruption and the ability to return to normal business operations in the event of disasters (Cerullo & Cerullo, 2004). Business continuity requires the same planning and preparation commitments as disaster recovery, but addresses the bigger picture of business operations.
For organizations without disaster recovery or business continuity plans, use of backup systems is an important element of information security that can address issues with loss or damage to information systems and data (Saint-Germain, 2005). Backing up data may be the best defense for to address loss, leakage or damage of important data.
References
Cerullo, V., & Cerullo, M. J. (2004). Business continuity planning: A comprehensive approach. Information Systems Management, 21(3), 70-78.
Cleghorn, L. (2013). Network defense methodology: A comparison of defense in depth and defense in breadth. Journal of Information Security, 4(3), 144.
Goodrich, M. T., & Tamassia, R. (2011). Introduction to computer security. Boston: Pearson.
Randazzo, M. R., Keeney, M., Kowalski, E., Cappelli, D., & Moore, A. (2005). Insider threat study: Illicit cyber activity in the banking and finance sector (No. CMU/SEI-2004-TR-021). Carnegie-Mellon Univ Pittsburgh PA Software Engineering Inst.
Sandhu, R. S., Coynek, E. J., Feinsteink, H. L., & Youmank, C. E. (1996). Role-based access control models yz. IEEE computer, 29(2), 38-47. Retrieved from http://www.comp.nus.edu.sg/~tankl/cs5322/readings/rbac1.pdf
Saint-Germain, R. (2005). Information security management best practice based on ISO/IEC 17799. Information Management, 39(4), 60.
Smith, D. M. (2003). The cost of lost data. Journal of Contemporary Business Practice, 6(3), 113-119.
Wold, G. H. (2006). Disaster recovery planning process. Disaster Recovery Journal, 5(1), 10-15.


