Blockchain and whistle blowers

A whistleblower is a person who comes forward and reports wrongdoing that he or she believes is taking place in the organisation as a whole or in a specific department. A whistleblower could be an employee, contractor or supplier who becomes aware of illegal activity.

Specific laws exist to protect whistleblowers from losing their jobs or being mistreated. Most companies also have a separate policy that states clearly how to report such an incident.

A whistleblower can file a lawsuit or register a complaint with higher authorities, who can then open a criminal investigation into the company or an individual department.

There are two types of whistleblowers: internal and external. Internal whistleblowers report the misconduct, fraud or indiscipline to senior officers of the organisation, such as the head of Human Resources or the CEO.

External whistleblowing is the term used when whistleblowers report the wrongdoing to people outside the organisation, such as the media, higher government officials or the police.

The Whistleblower Protection Act, 2011, in Chapter V, “Protection to the persons making disclosure”, sets out in detail the provisions on safeguards against victimisation, protection of witnesses and other persons, and protection of the identity of the complainant.

But what if we could provide a platform where the whistleblower does not require any such protection, because their identity remains unknown to everyone but the whistleblower themselves? Blockchain provides just that.

Here’s how blockchain works:

  1. It makes a permanent copy of every transaction.
  2. It gives a copy to everyone in the system, every time.
  3. It uses cryptography to guard against fraud.

The identity of any whistleblower, no matter how big or small the fraud, needs to be protected, and blockchain helps keep all the information secure and extremely difficult to obtain by any means. A blockchain-based whistleblowing platform would help protect the lives of whistleblowers and deliver all the information about fraudulent activity to the right authority.
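The three points above, as an added example in Python that is not code from the original post: an append-only chain of disclosure records, three participants each holding a copy, and hash checks that expose a tampered record. The case records, the hashing scheme and the majority rule are all constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor used as prev_hash of the first block

def block_hash(block):
    """SHA-256 over the block's content (index, prev_hash, record), serialised deterministically."""
    payload = json.dumps({k: block[k] for k in ("index", "prev_hash", "record")}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

def make_chain(records):
    """Point 1: an append-only chain where each block commits to its predecessor's hash."""
    chain, prev_hash = [], GENESIS
    for i, record in enumerate(records):
        block = {"index": i, "prev_hash": prev_hash, "record": record}
        block["hash"] = block_hash(block)
        chain.append(block)
        prev_hash = block["hash"]
    return chain

def verify_chain(chain):
    """Point 3: recompute every hash; return (ok, index of first bad block or -1)."""
    prev_hash = GENESIS
    for block in chain:
        if block["prev_hash"] != prev_hash or block_hash(block) != block["hash"]:
            return False, block["index"]
        prev_hash = block["hash"]
    return True, -1

def majority_tip(replicas):
    """Point 2: every participant holds a copy; the tip hash most copies agree on is the truth."""
    tips = [r[-1]["hash"] for r in replicas if r]
    return max(set(tips), key=tips.count)

# Constructed sample disclosures (placeholders, not real reports).
RECORDS = [
    "case-001: invoice double-paid, finance, Q1",
    "case-002: falsified safety inspection, plant B",
    "case-003: vendor kickback, procurement",
]

def demo():
    """Returns (edit_detected, rewrite_outvoted) for a tampering attempt on one replica."""
    replicas = [make_chain(RECORDS) for _ in range(3)]
    # One holder quietly edits a record in their own copy ...
    replicas[1][1]["record"] = "case-002: withdrawn"
    ok, bad = verify_chain(replicas[1])
    edit_detected = (not ok and bad == 1)  # stored hash no longer matches the content
    # ... and even after rebuilding their copy so that it verifies internally,
    # its tip hash disagrees with the copies the other participants hold.
    replicas[1] = make_chain([b["record"] for b in replicas[1]])
    internally_ok = verify_chain(replicas[1])[0]
    rewrite_outvoted = internally_ok and replicas[1][-1]["hash"] != majority_tip(replicas)
    return edit_detected, rewrite_outvoted

if __name__ == "__main__":
    print(demo())  # (True, True)
```

What the chain gives is integrity and replication, not confidentiality: every holder of a copy can read the records, so a real platform would have to encrypt or redact a disclosure before it is appended.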

Why assets are important for information security management

There is a lot to know about asset management, because it has become a necessity for businesses across all verticals.

Let's first understand: what is an asset?

Anything that has value to the organization is known as an asset.

Now the question arises: who should be the asset owner?

The asset owner is normally the person who operates the asset and makes sure that the information related to it is protected.

Why are assets important for information security management?

There are two reasons for this:

  1. Risk assessment
  2. Responsibility assignment

In risk assessment we identify risks, threats and vulnerabilities, whereas in responsibility assignment we define asset owners.

Therefore, asset management is a set of business processes designed to manage the lifecycle of assets.

Its benefits are that it:

  1. lowers IT costs,
  2. reduces IT risk and
  3. improves productivity.

The asset management clauses are:

  • 8.1 Responsibility for assets
  • 8.2 Information classification
  • 8.3 Media handling

The purpose of the IT Asset Management Policy is to maintain accurate records of the organization's physical computer assets. This document establishes procedures to ensure that the organization complies with government regulations and legal and industry standards, and to ensure accurate reporting of physical assets.

Since ISO 27001 focuses on the preservation of confidentiality, integrity and availability of information, assets can be:

  • Hardware – e.g. laptops, servers and printers, but also mobile phones or USB memory sticks.
  • Software – not only purchased software but also freeware.
  • Information – not only on electronic media (databases, files in PDF, Word, Excel and other formats) but also on paper and in other forms.
  • Infrastructure – e.g. offices, electricity and air conditioning, because the loss of these assets can cause a lack of availability of information.

An asset management policy guides how we purchase and maintain equipment and other assets. This ensures that purchases are made wisely, making the best use of our available resources, and that we protect these investments by keeping them in good working order.

CURRENT STATE OF GRC: THE CHALLENGES

GRC professionals are accustomed to change driven by professional standards or by regulators. Until recently, the vast majority of GRC projects were driven by external regulations or compliance requirements that offered little choice over whether, when or how to implement them. For example, the Sarbanes-Oxley Act and the related PCAOB audit standards drove significant effort and influenced the methodology used to assess internal control over financial reporting. The business case for Sarbanes-Oxley compliance was simple: comply at any cost, or face significant negative market impact or jail time for the CEO or CFO. The same can be said of the mandated adoption of XBRL and of many provisions of the Dodd-Frank Act that are driving business change. While responding to these regulatory changes is necessary, implementing process change in isolation has resulted in an environment of working in silos, conflicting information and terminology, disparate technology, and a lack of connection to business strategy.

CHALLENGE 1: WORKING IN SILOS

Whether in response to the compliance requirements of a single regulation or driven by internal reporting structures and traditional functional roles, legal, internal audit, risk management and compliance professionals are often found working in very rigid silos, focused on a tactical set of departmental objectives. In this environment, too many white spaces exist where information is not exchanged, and there is a lack of accountability among GRC groups. The obvious problem with this missing connection and functional overlap is inefficiency: the various GRC groups often duplicate efforts, wasting GRC resources and management time.

CHALLENGE 2: CONFLICTING INFORMATION AND TERMINOLOGY

With more than 12,500 regulatory changes made in 2010, keeping up with change and analysing regulatory information is a challenge for most compliance officers. This challenge is amplified by the fact that most organizations do not dynamically link these changes and this information to a standard set of policies, risks and controls. Historically, legal, audit, risk and compliance professionals have all operated using a different “language” of GRC, with their own definitions of policies, risks and controls. The end result is an inability to share information effectively, and the reporting of complex sets of redundant, overlapping information to the board.

CHALLENGE 3: DISPARATE TECHNOLOGY

GRC technology includes information solutions, documentation and workflow software, business and legal research, screening, and reporting and disclosure solutions. A natural outcome, and a potential driver, of a siloed approach to managing GRC business processes is using a different technology solution to manage each discrete assurance area. When a company uses disconnected solutions to manage risk management, internal audit, policy management and compliance, it runs the risk of inconsistencies and inefficiencies that may lead to unnecessarily high costs. Multiple systems with multiple deployments produce conflicting versions of the truth. A standardized suite of solutions resolves these problems and establishes a single source of truth for the entire enterprise.

CHALLENGE 4: NO CONNECTION TO BUSINESS STRATEGY

Since most GRC process change has been driven by reaction to a specific regulatory requirement, most organizations have not mapped their GRC processes to business strategy. This challenge becomes significant when trying to justify an end-to-end GRC project. If GRC professionals are perceived as cost-center functions addressing tactical audit or compliance initiatives, a more comprehensive GRC project will be difficult to justify. To overcome this perception and gain the funding and support required, a business case for end-to-end GRC needs to be developed.

GDPR@FixNix

General Data Protection Regulation

The General Data Protection Regulation (GDPR) will implement a new legal framework in the European Union (EU) for the protection and distribution of personal data on May 25, 2018. Organizations around the world that serve customers and individuals in the EU will be required to put in place security policies to address different risks and to enforce these policies effectively with technical controls, or potentially face fines of up to €10 million or more.

Under the GDPR, individuals will have rights including the ability to access their personal data; to rectify inaccuracies or omissions; to request deletion or removal of data once it is no longer required; to restrict the processing of their data; and to object to the use of their data.

The biggest concern now for the respondents is the potential fine. Breaches of some provisions could lead to fines of up to 20 million euros or 4% of global annual revenue, whichever is greater. For other breaches, the authorities could impose fines of up to 10 million euros or 2% of global annual revenue, whichever is greater.

FixNix GRC Solutions can facilitate GDPR readiness by providing a foundation of confidentiality, integrity and availability across all types of on-premises, hybrid cloud and public cloud IT environments.

Whistleblowing Using Blockchain: the New Concept

Whistleblowing:

The disclosure by a person, usually an employee in a government agency or private enterprise, to the public or to those in authority, of mismanagement, corruption, illegality or some other wrongdoing. Whistleblowers often face reprisals from their employer, who may suffer reputational damage as a result of the whistle being blown, or from colleagues who may have been involved in the illicit activities. In some cases reprisals become so severe that they turn into persecution. In some cases reprisals come through legal channels, particularly if the whistle has been blown for illegitimate reasons.

Protection of whistleblowers is an important focus for the legal system, as is incentivising whistleblowing when there are many reasons stopping employees from doing so. In the UK, the Public Interest Disclosure Act 1998 is the basis of legal protection for whistleblowers. Previously disclosures had to be in the public interest, but new legislation enacted in late June 2013 changed this so that disclosures had to be in good faith.

Blockchain technology is probably the best invention since the internet itself. It allows value to be exchanged without the need for trust or for a central authority. Today we have three options to manage this transaction:

  1. We can trust each other.
  2. We can turn the bet into a contract. With a contract in place both parties will be more inclined to pay; however, should either of the two decide not to pay, the winner will have to pay additional money to cover legal expenses, and the verdict might take a long time. Especially for a small amount of cash, this does not seem the optimal way of managing the transaction.

Human resource security – defining roles and responsibilities

The crucial task for the HR department when it comes to information security is to be proactive rather than reactive. It is not appropriate simply to rely on your IT department to make sure staff are educated about data loss and how to prevent it.

HR professionals have to ensure that employees comply with security policies.

The purpose of this standard is to set rules that apply prior to, during and at the end of employment.

The controls in this section ensure that the people under the organization’s control who can affect information security are fit and appropriate for their work and know their responsibilities, and that changes in employment conditions will not hamper information security.

The following terms are used to identify who within the organization is Accountable, Responsible, Consulted or Informed with regard to the policy.

  1. Accountable – The person who has accountability and authority for the policy.
  2. Responsible – The person(s) responsible for developing and implementing the policy.
  3. Consulted – The person who is consulted prior to finalizing the policy implementation.
  4. Informed – The person to be informed after policy implementation.

There are three areas of human resource security:

  • Prior to employment – The roles and responsibilities for the job are defined, and access control over sensitive data must also be defined. During this phase, contract terms should also be agreed.

  • During employment – Employees who have access to sensitive information should receive periodic reminders of their roles and responsibilities.

  • Termination and change of employment – This phase includes the return of any organizational assets held by the employee. To prevent unauthorized access to sensitive information, access must be revoked immediately upon termination of an employee who has access to such information.

The objective of human resource security is to ensure that employees, contractors and third-party users understand their responsibilities and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities.

Security policies embedded in information technology

The confidentiality, integrity and availability of data are very important for good governance. Failure to secure information adequately increases the risk of financial and reputational losses. This information security policy outlines the approach to information security management.

It provides the guiding principles and responsibilities necessary to safeguard the security of the information systems. Supporting policies, codes of practice, procedures and guidelines provide further details. The main idea is to provide the principles by which a safe and secure information systems working environment can be established for staff, students and any other authorized user. Information security provision and the policies that guide it will be reviewed regularly, including through annual internal audits and penetration testing.

An information security policy is nowadays the means by which the organization should know why it is using a particular control, what the need for that control is, and whether users have been informed of it. In many cases the executives have no idea how information security can help their organization, so the main purpose of the policy is for top management to define what it wants to achieve with information security.

The second purpose is to create a document that the executives will find easy to understand, and with which they will be able to control everything that is happening within the ISMS: they don’t need to know the details of, say, risk assessment, but they do need to know who is responsible for the ISMS. (Source: https://advisera.com/)

How to Identify Security Breaches Quickly?

Network administrators and cabling teams are the key people for spotting security breaches in an organization. Two technologies are currently used in network monitoring systems: SPAN (switched port analyzer), also known as port mirroring, and TAP (traffic access point). A SPAN port copies traffic from any traffic port to a single unused port. SPAN ports also prohibit bi-directional traffic on that port, to protect against back-flow of traffic into the network, and direct packets from the switch or router to the test device for analysis. A tap, on the other hand, is a passive component that allows non-intrusive access to data flowing across the network and enables monitoring of network links. A tap uses passive optical splitting to pass inline traffic to an attached monitoring device without interfering with the data stream, so taps are completely passive and cause no disruption to the live network.

Of the two, you want the option that allows you to monitor your network without affecting live applications, and a tap enables you to do exactly that. Network monitoring, when implemented optimally, should allow you to see all network traffic, including errors, regardless of packet size, in real time. Taps are truly passive and add no additional load to the live network. A TAP device simply splits the signal instead of replicating it; a portion of that signal can be taken offline, or out of band, to analyse the I/O traffic without affecting live applications.

A SPAN port is configured by a network engineer and needs to be disabled during a network refresh. If it is not, that port may be cabled to serve as a network port, creating a “bridging loop” that will result in network performance issues.

When it comes to cost, a 10G switch port is more expensive than a 1G switch port, whereas a tap port at 1G costs the same as a tap port at 10G or even 40G. For these reasons, optical tapping is becoming a more popular solution at higher data rates.

The Importance of Organizational Information Security

Implementing security controls inside the organization is very important for the organization to survive and to gain a competitive advantage. Segregation of duties is very important, as is knowing who is doing what: the roles and responsibilities of the people in the organization must be defined so that, for example, the role of the information security officer in the organization is clear.

In compliance with Enterprise Information Security, each agency must implement a formal internal information security program. Agency executive management is ultimately responsible for protecting agency-wide assets and for setting the security philosophy that will determine the overall effectiveness of the information security program. As such, it is necessary to establish a security management organization with clearly defined roles and responsibilities that will collectively and cooperatively develop, implement and maintain the agency’s information security program by aligning security objectives with the business objectives of the organization.

It is very important to know whether the assets used in the organization are compliant and secured, or not. Conflicting duties and areas of responsibility should be segregated to reduce unauthorized modification. Appropriate contacts with relevant parties should be maintained. When starting any project it is very necessary to implement the security controls properly and early in the project, so as to avoid later issues and to reduce cost; compliance is necessary throughout. Nowadays BYOD (bring your own device) is very popular: with proper controls and compliance, people can bring their own mobile phones and work on them. Proper backups and remote access to databases can likewise be made compliant and used properly. Smaller agencies and agencies with small IT budgets may choose to assign these functions as additional duties, or all of these functions may be the responsibility of one or two individuals.

Access Control- Limiting access to a system

A.9. Access Control

To begin with: “if you have no access control, you have no security at all.”

Access control is one of the main building blocks of information security. It must be designed so that it is both secure enough and acceptable to users.

The purpose of this document is to specify the rules for access to various systems, sensitive information and equipment facilities.

Using an access control system allows you to manage access or entry to almost anything, such as file access, workstation access, printer access and, in our case, door, facility, building or office access.

There are two main types of access control: physical and logical.

Physical access control limits access to campuses, buildings, rooms and physical IT assets. Logical access limits connections to computer networks, system files and data.

The basic components of access controls are:

  • User-facing (access card)
  • Admin-facing (API)
  • Infrastructure (electric door lock)

An access control policy makes sure that both logical and physical access controls to information systems are in place, to ensure the protection of information systems and sensitive data.

Factors of authentication:

  • Password, PIN (something the user knows)
  • Smart card (something the user has)
  • Fingerprint (something the user is)

For computer security, access control includes the authorization, authentication and audit of the entity trying to gain access. Access control models have a subject and an object: the subject, usually a human user, is the one trying to gain access to the object, usually software or data. In computer systems, an access control list contains a list of permissions and the users to whom those permissions apply. Such data can be viewed by authorized people and not by unauthorized people, and this is enforced by access control. This allows an administrator to protect information and set privileges for what information can be accessed, who can access it and at what time it can be accessed.
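The subject/object model described above, as an added Python example that is not code from the original post: an access control list whose entries name a subject (user or group), an object, the permitted operations and a time-of-day window, evaluated default-deny with every decision written to an audit trail. The users, groups, resources and the group lookup are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass(frozen=True)
class AclEntry:
    """One ACL entry: which subject may do which operations on which object, and when."""
    subject: str            # user or group name
    obj: str                # resource: a file, a printer, a door
    permissions: frozenset  # e.g. {"read", "write"} or {"enter"}
    window: tuple = None    # (start, end) time of day; None means any time

@dataclass
class AccessControl:
    entries: list
    groups: dict            # user -> set of group names (assumed directory lookup)
    audit: list = field(default_factory=list)

    def _applies(self, entry, user):
        return entry.subject == user or entry.subject in self.groups.get(user, set())

    def _in_window(self, entry, when):
        if entry.window is None:
            return True
        start, end = entry.window
        return start <= when.time() <= end

    def check(self, user, obj, permission, when, authenticated=True):
        """Default deny: grant only if an entry matches subject, object, permission
        and time of day. Every decision, allow or deny, goes to the audit trail."""
        decision, reason = "deny", "no matching entry"
        if not authenticated:
            reason = "authentication failed"
        else:
            for e in self.entries:
                if e.obj != obj or permission not in e.permissions or not self._applies(e, user):
                    continue
                if self._in_window(e, when):
                    decision, reason = "allow", f"entry for {e.subject}"
                    break
                reason = "outside permitted hours"
        self.audit.append({"when": when.isoformat(), "user": user, "object": obj,
                           "permission": permission, "decision": decision, "reason": reason})
        return decision == "allow"

# Constructed sample policy (placeholder names, not from any real system).
ACL = AccessControl(
    entries=[
        AclEntry("finance", "payroll.xlsx", frozenset({"read"}), (time(8, 0), time(18, 0))),
        AclEntry("alice", "payroll.xlsx", frozenset({"read", "write"})),
        AclEntry("facilities", "server-room-door", frozenset({"enter"}), (time(7, 0), time(20, 0))),
    ],
    groups={"bob": {"finance"}, "carol": {"facilities"}, "alice": set()},
)

def demo():
    """Six decisions covering group rights, time windows, missing rights, failed auth and unknown users."""
    noon, night = datetime(2024, 1, 15, 12, 0), datetime(2024, 1, 15, 23, 0)
    return [
        ACL.check("bob", "payroll.xlsx", "read", noon),      # True: group entry, in hours
        ACL.check("bob", "payroll.xlsx", "read", night),     # False: outside window
        ACL.check("bob", "payroll.xlsx", "write", noon),     # False: permission not granted
        ACL.check("alice", "payroll.xlsx", "write", night),  # True: no time restriction
        ACL.check("carol", "server-room-door", "enter", noon, authenticated=False),  # False
        ACL.check("dave", "payroll.xlsx", "read", noon),     # False: unknown user, default deny
    ]
```

Denied attempts are recorded with the same detail as granted ones, which is what lets an administrator review later who tried to reach what, and when.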