Whistle Blowing Using Blockchain: the New Concept…

Whistleblowing:

The disclosure by a person, usually an employee in a government agency or private enterprise, to the public or to those in authority, of mismanagement, corruption, illegality, or some other wrongdoing. Whistleblowers often face reprisals from their employer, who may suffer reputational damage as a result of the whistle being blown, or from colleagues who may have been involved in the illicit activities. In some cases reprisals become so severe that they turn into persecution. In other cases reprisals come through legal channels, particularly if the whistle has been blown for illegitimate reasons. Protection of whistleblowers is an important focus for the legal system, as is incentivising whistleblowing when there are many reasons stopping employees from doing so. In the UK, the Public Interest Disclosure Act 1998 is the basis of legal protection of whistleblowers. Previously disclosures had to be in the public interest, but new legislation enacted in late June 2013 changed this so that disclosures had to be in good faith.

Blockchain technology is probably the best invention since the internet itself. It allows value exchange without the need for trust or for a central authority. Today we have three options to manage such a transaction:

  1. We can trust each other.
  2. We can turn the bet into a contract. With a contract in place both parties will be more prone to pay; however, should either of the two decide not to pay, the winner will have to pay additional money to cover legal expenses, and the verdict might take a long time. Especially for a small amount of cash, this doesn’t seem the optimal way of managing the transaction.

Human resource security – defining roles and responsibilities

The crucial task for the HR department when it comes to information security is to be proactive rather than reactive. It is not enough to rely on the IT department alone to make sure staff are educated about data loss and how to prevent it.

HR professionals have to ensure that employees comply with security policies.

The purpose of this standard is to set rules that apply before, during and after the termination of employment.

The controls in this section ensure that the people who are under the organization’s control and can affect information security are fit and appropriate for their work and know their responsibilities, and that changes in employment conditions do not hamper information security.

The following terms are used to identify who within the organization is Accountable, Responsible, Consulted or Informed with regard to the policy:

  1. Accountable – the person who has accountability and authority for the policy.
  2. Responsible – the person(s) responsible for developing and implementing the policy.
  3. Consulted – the person who is consulted before the policy implementation is finalized.
  4. Informed – the person to be informed after the policy has been implemented.

There are three areas of human resource security:

  • Prior to employment – roles and responsibilities for the job are defined, as is access control over sensitive data. Contract terms should also be settled during this phase.

  • During employment – employees who have access to sensitive information should receive periodic reminders regarding their roles and responsibilities.

  • Termination and change of employment – this phase includes the return of any organization assets held by the employee. To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination of an employee who has access to such information.

The objective of human resource security is to ensure that employees, contractors and third-party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.
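As an added example (not from the original page), a small Python reconciliation of the three HR phases above: it compares a constructed HR roster with an identity-store export and an asset register, and reports leavers whose accounts are still enabled, sensitive-access staff overdue for a reminder, and assets still registered to leavers. The roster, account and asset data and the 90-day reminder interval are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from any real HR or IAM system).
HR_ROSTER = [
    {"id": "e100", "status": "active",     "sensitive": True,  "last_reminder": date(2023, 1, 10)},
    {"id": "e101", "status": "active",     "sensitive": False, "last_reminder": date(2023, 1, 10)},
    {"id": "e102", "status": "terminated", "sensitive": True,  "last_reminder": date(2023, 3, 1)},
    {"id": "e103", "status": "active",     "sensitive": True,  "last_reminder": date(2023, 6, 20)},
]
ENABLED_ACCOUNTS = {"e100", "e101", "e102"}          # identity store export
ASSETS = {"laptop-7": "e102", "token-12": "e100", "badge-3": "e102"}  # asset -> holder

REMINDER_INTERVAL = timedelta(days=90)  # assumed policy value

def reconcile(roster, enabled, assets, today):
    """Return the actions implied by the three HR-security phases:
    accounts to revoke (termination), people due a reminder (during
    employment) and assets not yet returned by leavers (termination)."""
    terminated = {p["id"] for p in roster if p["status"] == "terminated"}
    # Termination: any still-enabled account of a leaver must be revoked now.
    revoke = sorted(terminated & enabled)
    # During employment: sensitive-access staff get periodic reminders.
    remind = sorted(
        p["id"] for p in roster
        if p["status"] == "active" and p["sensitive"]
        and today - p["last_reminder"] > REMINDER_INTERVAL
    )
    # Termination: assets still registered to a leaver have not been returned.
    unreturned = sorted(a for a, holder in assets.items() if holder in terminated)
    return {"revoke": revoke, "remind": remind, "unreturned_assets": unreturned}

def sample_report():
    """Run the reconciliation on the constructed data for a fixed date."""
    return reconcile(HR_ROSTER, ENABLED_ACCOUNTS, ASSETS, date(2023, 7, 1))

if __name__ == "__main__":
    print(sample_report())
```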

Security policies embedded in the information technology…

The confidentiality, integrity and availability of data are very important for good governance. Failure to adequately secure information increases the risk of financial and reputational losses. This information security policy outlines the approach to information security management.

It provides the guiding principles and responsibilities necessary to safeguard the security of the information systems. Supporting policies, codes of practice, procedures and guidelines provide further details. The main idea is to provide the principles by which a safe and secure information systems working environment can be established for staff, students and any other authorized user. Information security provision and the policies that guide it will be regularly reviewed, including through annual internal audits and penetration testing. An information security policy is the means by which the organization knows why it is using a particular control, what the need for that control is, and whether users have been informed of it. In many cases the executives have no idea how information security can help their organization, so the main purpose of the policy is for top management to define what it wants to achieve with information security.

The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS – they don’t need to know the details of, say, risk assessment, but they do need to know who is responsible for the ISMS. (Source: https://advisera.com/)

How to Identify Security Breaches Quickly?

Network administrators and cabling teams are the key people for spotting security breaches in an organization. Two technologies are currently used in network monitoring systems: SPAN (switched port analyzer), also known as port mirroring, and TAP (traffic access point). A SPAN port copies traffic from any traffic port to a single unused port. SPAN ports also prohibit bi-directional traffic on that port, to protect against back-flow of traffic into the network, and direct packets from the switch or router to the test device for analysis. A tap, on the other hand, is a passive component that allows non-intrusive access to data flowing across the network and enables monitoring of network links. A tap uses passive optical splitting to transmit inline traffic to an attached monitoring device without interfering with the data stream, so taps are completely passive and cause no disruption to the live network.

Of the two, you want the option that lets you monitor your network without affecting live applications, and a tap enables you to do exactly that. Network monitoring, when implemented optimally, should allow you to see all network traffic, including errors, regardless of packet size, in real time. Taps are truly passive and do not add any load to the live network. A TAP device simply splits the signal instead of replicating it; a portion of that signal can be taken offline, or out of band, to analyse the I/O traffic without affecting live applications.

A SPAN port is configured by a network engineer and needs to be disabled during a network refresh; if it is not, that port may later be cabled to serve as a network port, creating a “bridging loop”, which will result in network performance issues.

When it comes to cost, a 10G switch port is more expensive than a 1G switch port, whereas a tap port at 1G costs the same as a tap port at 10G or even 40G. For these reasons, optical tapping is becoming a more popular solution for higher data rates.
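As an added example (not from the original page), a small Python audit of a constructed IOS-style SPAN configuration: it lists each session's destination port, which must be shut down before a refresh so it is not re-cabled as a network port, and flags sessions whose mirrored load can exceed the destination port's rate, the case where a SPAN copy drops packets that a passive tap would have delivered. The config excerpt, interface names and the interface-type-to-speed mapping are constructed assumptions.

```python
import re

# Constructed IOS-style running-config excerpt (sample input, not from a real switch).
RUNNING_CONFIG = """
monitor session 1 source interface GigabitEthernet1/0/1 rx
monitor session 1 source interface GigabitEthernet1/0/2 rx
monitor session 1 destination interface TenGigabitEthernet1/1/2
monitor session 2 source interface TenGigabitEthernet1/1/1 both
monitor session 2 destination interface GigabitEthernet1/0/23
"""

# Link rate in Gbit/s inferred from the interface type prefix (assumption).
LINK_GBPS = {"GigabitEthernet": 1, "TenGigabitEthernet": 10}
SPAN_LINE = re.compile(
    r"^monitor session (\d+) (source|destination) interface (\S+)(?: (rx|tx|both))?",
    re.MULTILINE)

def link_gbps(iface):
    return LINK_GBPS[re.match(r"[A-Za-z]+", iface).group(0)]

def audit_span(config):
    """Per SPAN session: destination port, mirrored load, and whether the
    copied traffic can exceed the destination's line rate. 'both' (the
    default) mirrors rx and tx, so a full-duplex 1G source adds up to 2 Gbit/s."""
    sessions = {}
    for sid, kind, iface, direction in SPAN_LINE.findall(config):
        s = sessions.setdefault(sid, {"destination": None, "load_gbps": 0})
        if kind == "destination":
            s["destination"] = iface
        else:
            s["load_gbps"] += link_gbps(iface) * (2 if direction in ("both", "") else 1)
    for s in sessions.values():
        cap = link_gbps(s["destination"]) if s["destination"] else 0
        # Oversubscribed: the switch drops copies and the sensor silently misses traffic.
        s["oversubscribed"] = s["load_gbps"] > cap
    return sessions

def ports_to_disable_before_refresh(config):
    """SPAN destination ports to shut down before a refresh so they cannot
    be re-cabled as network ports and create a bridging loop."""
    return sorted(s["destination"] for s in audit_span(config).values() if s["destination"])

if __name__ == "__main__":
    print(audit_span(RUNNING_CONFIG))
    print(ports_to_disable_before_refresh(RUNNING_CONFIG))
```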

The Importance Of Organization Information Security………

Implementing security controls inside the organization is very important for the organization to survive and to gain competitive advantage. Segregation of duties is equally important, as is knowing who is doing what: the roles and responsibilities of people in the organization must be defined so that, for example, the role of the information security officer is clear.

In compliance with the Enterprise Information Security requirements, each agency must implement a formal internal information security program. Agency executive management is ultimately responsible for protecting agency-wide assets and setting the security philosophy that will determine the overall effectiveness of the information security program. As such, it is necessary to establish a security management organization with clearly defined roles and responsibilities that will collectively and cooperatively develop, implement, and maintain the agency’s information security program by aligning security objectives with the business objectives of the organization.

It is very important to know which assets are in use in the organization and whether or not each is compliant and secured. Conflicting duties and areas of responsibility should be segregated to reduce the risk of unauthorized modification. Appropriate contacts with relevant parties should be maintained. When starting any project it is necessary to implement the security controls properly and early in the project, so as to avoid later issues and reduce cost; compliance is necessary throughout. Nowadays BYOD (bring your own device) is very popular: with proper controls and compliance, people can bring their own mobile phones and work through them. Proper backups and remote access to databases can likewise be made compliant and used properly. Smaller agencies and agencies with small IT budgets may choose to assign these functions as additional duties, or all of these functions may be the responsibility of one or two individuals.

Access Control – Limiting access to a system

A.9. Access Control

To begin with: “if you have no access control, you have no security at all.”

Access control is one of the main building blocks of information security. It must be designed so that it is both secure enough and acceptable to users.

The purpose of this document is to specify the rules for access to various systems, sensitive information and equipment facilities.

Using an access control system allows you to manage access or entry to almost anything: file access, workstation access, printer access and, in our case, door, facility, building or office access.

There are two main types of access control – physical and logical.

Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.

The basic components of an access control system are:

  • User facing (access card)
  • Admin facing (API)
  • Infrastructure (electric door lock)

The access control policy makes sure that controls on both logical and physical access to information systems are in place, to ensure the protection of information systems and sensitive data.

Authentication factors:

  • Password, PIN (something the user knows)
  • Smart card (something the user has)
  • Fingerprint (something the user is)

For computer security, access control includes the authorization, authentication and audit of the entity trying to gain access. Access control models have a subject and an object: the subject (the human user) is the one trying to gain access to the object (usually the software or data). In computer systems, an access control list contains a list of permissions and the users to whom these permissions apply. Such data can be viewed by authorized people and not by unauthorized people, and this is enforced by access control. This allows an administrator to protect information and set privileges as to what information can be accessed, who can access it and at what time it can be accessed.
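As an added example (not from the original page), a minimal Python access check that performs the three steps named above: it authenticates the subject, authorizes the requested action on the object against an access control list that also carries a permitted time window, and writes every decision to an audit log. The ACL entries, credentials and the fixed sample date are constructed assumptions.

```python
import hmac
from datetime import datetime

# Constructed ACL: subject -> object -> permitted actions and an allowed
# window of hours (24h clock). Sample data, not from any real system.
ACL = {
    "alice": {"payroll.db": {"perms": {"read", "write"}, "hours": (8, 18)}},
    "bob":   {"payroll.db": {"perms": {"read"},          "hours": (0, 24)}},
}
# Secrets the subjects present for authentication (constructed; a real
# system would store password hashes rather than the secrets themselves).
CREDENTIALS = {"alice": "pw-alice", "bob": "pw-bob"}

AUDIT_LOG = []  # every decision, allow or deny, is recorded here

def check_access(subject, secret, obj, action, when):
    """Authentication, then authorization against the ACL (who, what,
    when), then an audit record of the decision and its reason."""
    stored = CREDENTIALS.get(subject, "")
    if not hmac.compare_digest(stored, secret):   # constant-time comparison
        decision, reason = "deny", "authentication failed"
    else:
        entry = ACL.get(subject, {}).get(obj)
        start, end = entry["hours"] if entry else (0, 0)
        if entry is None:
            decision, reason = "deny", "no ACL entry for subject/object"
        elif action not in entry["perms"]:
            decision, reason = "deny", "permission not granted"
        elif not (start <= when.hour < end):
            decision, reason = "deny", "outside permitted hours"
        else:
            decision, reason = "allow", "ok"
    AUDIT_LOG.append({"subject": subject, "object": obj, "action": action,
                      "time": when.isoformat(), "decision": decision, "reason": reason})
    return decision == "allow"

def at(hour):
    """Helper producing a fixed sample date at the given hour."""
    return datetime(2024, 1, 8, hour, 0)

if __name__ == "__main__":
    check_access("alice", "pw-alice", "payroll.db", "write", at(10))
    check_access("alice", "pw-alice", "payroll.db", "write", at(22))
    for record in AUDIT_LOG:
        print(record)
```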

Keep Calm and have a Business Continuity Management in Place.

Business continuity is a proactive plan to avoid and mitigate risks that might disrupt the delivery of service to your customers or interrupt your operations.

Business continuity management outlines the steps that should be taken before, during and after an event to maintain the financial viability of an organization. It provides a framework for identifying the organization’s exposure to internal and external threats. BCM includes disaster recovery, business recovery, crisis management, incident management, emergency management and contingency planning.

Information security continuity has to be embedded into the organization’s business continuity management system (BCMS). An information security continuity plan sets out the procedures to be executed when an adverse situation such as a disaster or calamity arises. The organization needs to establish, document, implement and maintain processes, procedures and controls to ensure that the required level of continuity for information security is achieved during an adverse situation. The organization has to verify the implemented information security continuity controls at regular intervals to ensure that they are valid and effective during adverse situations. The organization also needs to maintain redundancy of information processing facilities, such as offshore backup systems and data warehouses, to meet the availability requirements. The BCMS encompasses all of the above factors when creating a business continuity plan.

Thus, business continuity management helps an organization to:

  • Minimise the effect of a disruption on the organization.
  • Reduce the risk of financial loss.
  • Retain company brand, image and reputation, and give staff, clients and suppliers confidence in the organization’s services.
  • Enable the recovery of critical systems such as facilities, data and assets within an agreed timeframe.
  • Meet all legal and statutory obligations.
  • Ensure continuous delivery of critical services and products to customers.
  • Establish training programs for employees on the steps to be taken during any unforeseen event.

Incident Management is a must in today’s organisation!

A.16. Information security incident management

An incident is defined as any disruption in IT service. Incident management deals with handling incidents and ensures that IT service is restored as soon as possible. Clause A.16 of ISO 27001 provides appropriate methods to manage any information security incidents that may arise from a series of unforeseen adverse events. It also formulates strategies for improvements in the information security domain. Information security incident management ensures a consistent and effective approach to the management of information security incidents, security events and weaknesses.

This clause sets out management responsibilities and procedures to ensure a quick, effective and orderly response to information security incidents. Information security events are reported through appropriate management channels as quickly as possible, and employees and contractors are required to report any observed or suspected information security weaknesses in systems or services.

Information security events are then assessed to decide whether they are to be classified as information security incidents. Events classified as information security incidents shall be responded to in accordance with the documented procedures. Some of the activities conducted in incident management are as follows:

  • Understanding what exactly has gone wrong
  • Understanding the chronological order of the events
  • Confirming the full impact of the incident
  • Identifying any events that could have triggered the incident
  • Searching for previous similar incidents

Some incidents are not new; they recur over time. Therefore, it is best practice to have a pre-defined model for handling such incidents. The knowledge gained from analysing and resolving information security incidents should be stored and used to reduce the likelihood or impact of future incidents. The organisation has to define and apply procedures for the identification, collection, acquisition and preservation of information that can serve as evidence.
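As an added example (not from the original page), a small Python triage routine over constructed SIEM-style events that applies the steps listed above: it classifies events as incidents using documented rules, orders them chronologically, lists earlier events on the same host that could have triggered each incident, and looks up previous similar incidents by fingerprint so a pre-defined handling model can be reused. The events, classification thresholds and the previous-incident record are constructed assumptions.

```python
from datetime import datetime

# Constructed security events as a SIEM might export them (sample data, deliberately unordered).
EVENTS = [
    {"ts": "2024-03-04T09:12:00", "type": "auth_failure", "host": "vpn1",  "user": "jdoe",   "count": 3},
    {"ts": "2024-03-04T09:05:00", "type": "auth_failure", "host": "vpn1",  "user": "jdoe",   "count": 60},
    {"ts": "2024-03-04T09:40:00", "type": "malware",      "host": "ws-17", "user": "asmith", "count": 1},
    {"ts": "2024-03-04T08:50:00", "type": "port_scan",    "host": "ws-17", "user": None,     "count": 1},
]

# Documented classification rules deciding which events become incidents (assumed thresholds).
INCIDENT_RULES = {
    "auth_failure": lambda e: e["count"] >= 50,   # brute-force threshold
    "malware":      lambda e: True,               # always an incident
    "port_scan":    lambda e: False,              # recorded as an event only
}

# Knowledge base of previously resolved incidents, keyed by fingerprint (constructed).
PREVIOUS_INCIDENTS = {
    "auth_failure|vpn1": "INC-0042: account locked, MFA enforced on VPN",
}

def fingerprint(event):
    """Type and host identify 'the same kind of incident' for recurrence lookup."""
    return f"{event['type']}|{event['host']}"

def triage(events):
    """Classify events as incidents per the documented rules, order them
    chronologically, attach possible trigger events and any previous
    similar incident so the responder can reuse the predefined model."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    incidents = []
    for e in ordered:
        if INCIDENT_RULES.get(e["type"], lambda _: False)(e):
            incidents.append({
                "ts": e["ts"],
                "fingerprint": fingerprint(e),
                "previous": PREVIOUS_INCIDENTS.get(fingerprint(e)),
                # Earlier events on the same host that could have triggered this incident.
                "preceding": [x["ts"] for x in ordered
                              if x["host"] == e["host"] and x["ts"] < e["ts"]],
            })
    return incidents

if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc)
```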