Problems, challenges at CB Hart that are addressed and which solution is proposed for.
Following the recent data leakage from the Hale firm I suggest that cryptography is used as a prevention measure to avoid similar issues. Business relies to certain extent on mobile technology and portable storage devices to communicate and exchange data faster and easier. Encrypting data is very efficient method to protect sensitive information. In such a merger it is important to keep a safe internal network and synchronised antivirus software on all devices and components. As well as keeping patches of used applications up to date. “Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.” (AUS Government). It is important to minimise the number of users with administrative privileges until an efficient network is driven through all devices. Only people who are in need of information about an ongoing case should be permitted to access any sensitive data and even that must be done under after an administrative permission of a higher executive. Consumerisation of IT must be brought down to a minimum of only in-office desktop devices usage until everyone is generated an appropriate username and password for the company network access. * To prevent the law firm from having any more data leakages proper network activity/security must be carried out and documented. * Patch applications such as PDF readers, Microsoft Office, Java, Flash Player and web browsers. * Patch operating system vulnerabilities.
* Minimise the number of users with administrative privileges. Proper Network Access Control must be carried out to set appropriate user privileges * Data encryption must be applied if assessed as a necessary data protection measure
What are the major information security problems that currently challenge organisations? (Background information)
Following another recent accident similar to Hale firm’s data leakage here is what is considered as for why it happened and what is important to focus on. “It would seem that this data breach was purely down to poor server administration and a lack of suitable data protection and security technologies.” (Mitchell, 2010) “The law firm made a raft of personal information such as email correspondence, scans of letters and possibly credit card information available”
The most important thing to do first is a risk assessment and a proper cost efficient method must be chosen before applying any Information Security Management System. There is a lot of evidence about Information Security risks and threats. What is commonly seen in evaluation reports for Information Security is a trend to underestimate and ignore these potential threats as in the face of business management it is a low probability risk and is considered a too big cost with no turnover. The statistics I will show you represent a needle in the Information Security world. The actual security issues related to Information and data are emerging so fast that no record can be accurate enough to evaluate the risk there is to be managed. • 2001 – Approximately 1400 new technical vulnerabilities documented • 2007 – over 4000
Consumerisation of IT or how spread is the use of unofficial devices to access company files/networks/databases (By ‘unofficially’, we are referring to the use of equipment that has not been supplied by or funded by the employer – i.e. personal kit used for work that the employee has acquired independently.) (The Register, 2011) According to the Kaspersky IT Risk Report in the UK
91% have been affected by attacks in the last year
45% are under-prepared for dedicated cyber attacks
17% have lost financial information as a result of attacks
57% have banned access to social networks due to potential security risks 30% have still not fully implemented anti-malware software
In a small business, there could be 50 or more of these devices...
References: Alan Calder & Steve Watkins, International IT Governance: An Executive Guide to ISO 17799/ ISO 27001, Kogan Page Limited, 2006
Freeform Dynamics Ltd., The Register, The Consumerisation of IT: A question of freedom versus control, October 2011
Andrew Rose, “Information Security in Law Firms”, 2006
Australian Government, Department of Defense, Intelligence and Security, “Top 35 Mitigations”; http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm (accessed 8pm on 22 Nov 2011)
Please join StudyMode to read the full document