View metadata, citation and similar papers at core.ac.uk brought to you by CORE

provided by Research Papers in

228 Informatica Economică vol. 15, no. 1/2011

Security - Approaches and Methodology

Elena Ramona STROIE, Alina Cristina RUSU Academy of Economic Studies, Bucharest, Romania [email protected], [email protected]

In today’s economic context, are looking for ways to improve their , to keep head of the competition and grow revenue. To stay competitive and consolidate their position on the market, the companies must use all the information they have and process their information for better support of their missions. For this reason managers have to take into consideration that can affect the and they have to minimize their impact on the organization. helps managers to better control the business practices and improve the . Keywords: Risk Management, , Methodology

Introduction 2 Risk management: definition and 1 Today’s economic context is objectives characterized by a competitive environment The concept of the risk management is which is permanently changing. To face this applied in all aspects of business, including fierce competition, managers must take the planning and project risk management, health correct strategic decisions based on real and safety, and . It is also a very information. In order to maintain the common term amongst those concerned with authenticity and the accuracy of the IT security. A generic definition of risk information used in the decision process, any management is the assessment and mitigation organization must use informatics systems to of potential issues that are a threat to a process their information and for a better business, whatever their source or origin. [2] support of their missions. For this reason, The concept of risk management is now the management risk of the security fairly universally understood, having been in information plays a very important role in the widespread use for a number of years. It is organizational risk management, because it applied in all aspects of business. assure the protection of the organization from To discuss the definition of the risk the threatening information attacks, that management is necessary to explain in could affect the business activity and advance the meaning of the three main therefore its mission. concepts: An effective risk management process is Risk is the potential that a chosen action or based on a successful IT security program. activity (including the choice of inaction) This doesn’t mean that the main goal of an will lead to a loss (an undesirable outcome). organization’s risk management process is to Threat is the potential cause of an unwanted protect its IT , but to protect the impact on a system or organization (ISO organization and its ability to perform their 13335-1). Threat can also be defined as an missions. Therefore, the risk management undesired event (intentional or unintentional) process should not be treated primarily as a that may cause damage to the goods of the technical function carried out by the IT organization. experts, who operate and manage the IT Vulnerability is a weakness in system system, but as an essential management procedures, architectural system, its function of the organization and its leaders. implementation, internal control and other [1] causes that can be exploited to bypass security systems and unauthorized access to information. Vulnerability represents any weakness, administrative process, act or

Informatica Economică vol. 15, no. 1/2011 229

statement that makes information about an approach may be an effective response to the to be capable of being exploited by a security risks that have already occurred threat. through creating security incidents. The Risk management is a process consisting on: analysis of the causes of producing security - identifying vulnerabilities and threats to the incidents could help the organization to information resources used by an prevent their repetition and be prepared for organization in achieving business any possible problems. Companies that objectives; respond to security incidents in a calm and -risk assessment by setting the probability rational way, meanwhile they determine the and impact of its production, following causes that have allowed the incidents to threats by exploiting vulnerabilities; occur, will be able to respond in a shorter - identify possible countermeasures and time to similar problems arising. deciding which one could be applied, in There are six steps that an organization order to reduce the risk to an acceptable should take into consideration when the level, based on the value of information reactive approach is applied: resource to the organization. [3] 1. Protecting human life and safety The goal of performing risk management is It's the most important and most active of to enable the organization to maintain at the the six. Organizations have to respect laws highest values the activity results. This that protect the employers and that require process should combine as efficient as protection measures to prevent work possible, all factors which can increase the accidents. Development of computerization probability of success and decrease of the production process has led many of its the uncertainty of achieving objectives. Risk activities in an organization so they often can management should be an evolving process. arise where production risks and security of Particular attention should be given to the their information systems is likely to implementation of the strategies for endanger human life and health. eliminating or reduce the risk and their 2. Controlling damage appliance, to the analysis of the past It is an activity that consists on stopping or evolution of risks and to the controlling the spread of the damage present and future prediction of the produced through the risks fulfilled. In case events. Management process should of a cyber-attack, organizations should take be implemented at the highest management actions to protect information, important level. application and the hardware components, as In IT&C, one of the most important goal of soon as possible, and minimize the time risk management is to accomplish by better when the system is not working properly. securing the informatics systems that store, Sometimes maintaining the system available, process, or transmit organizational during such an attack, may increase the information; by enabling management to damages. make well-informed risk management 3. Damage assessment decisions to justify the expenditures that are Damage assessment will be done by restoring part of an IT budget and by assisting activity and after reinstatement of all in authorizing (or accrediting) affected by risk. If cyber damage assessment the IT systems, on the basis of the supporting involves conducting detailed investigations documentation resulting from the on the incident, immediately proceeded to performance of risk management. [1] restore or replace hardware, reinstall the software used and recovery affected data . 3 Risk Management approaches: If the damage assessment takes too long, Proactive and reactive approach contingency plans should be considered so Risk management can be approached in two that the organization resumes normal activity ways: reactive and proactive. The reactive without bigger damage.

230 Informatica Economică vol. 15, no. 1/2011

4. Determine the damage cause Therefore organizations have to develop in During this activity, to discover the starting parallel the incident response method and point of an attack, it is necessary to proactive approach to security policies. understand what resources have been Proactive approach consists in several main targeted by attacks and which vulnerabilities categories of activities: were exploited to gain access or to - Making special training activities for staff discontinue the services. It should be whose work is or risk; investigated the system configuration, and - Develop and implement a formalized also the patch level, system logs, audit logs work procedures to meet safety and audit trails. These operations help to requirements and quality standards for discover the place where the attack started each of its activities; and what resources were affected. - Establish an internal control system on 5. Repairing the damage compliance the work procedures This activity is very important because the developed and on specific legislation in damage must be repaired in the shortest time force (of personnel carrying out inspection in order to restore the information system, to activities, establish procedures for the resume organization’s activity and to recover conduct of control, the establishment of the data affected by the attack. That is why measures for eliminating the possibility of every business action plan should include a application dysfunction found in the strategy data recovery. After the damage has inspection, etc.) been repaired the elimination or the reduction - Periodic evaluation for the viability of of the vulnerabilities that were exploited proactive measures is applied in order to during the incident should be considered. reduce or eliminate risks. 6. Review responses and updating policies Another activity related to the reactive 4 Risk management process approach, refers to the process of evaluating Risk management is a permanent cycle the way in which the back-up plans and the process that involves activities for strategies of restoring the activity have establishing, monitoring and ensuring functioned during the security incident. If continual improvement of the organization’s there had been some failures in the process, activity. This process contains four main there should be made the replacements or the activities, which have to be permanent changes needed. applied and developed: The proactive approach of the risk - Design the management system involves management has several advantages identifying business requirements, assessing compared with the reactive approached the likelihood and the impact of the risks, described above. Rather than wait for the including the implementation of a security occurrence of incidents and then to repair the policy and selecting the adequate damage, is better and cheaper to minimize countermeasures for the existing risks; the likelihood or the impact of occurring the - Implement the management system involves risk, from the beginning. Organization’s applying control measures and work leader should develop plans for protecting procedures, resource allocation, setting the the organization’s most important assets by responsibilities and conduct training and implementing controls that reduce the risk of awareness programs; exploitation of organization’s vulnerabilities - Monitoring, reviewing and reassessing the by malicious software, due to malicious or management system involve an evaluation of accidental misuse. A proactive approach can effectiveness of controls and working help organization to effective reduce the procedures, of business changes, of previous significant effect of the numbers of security incident reports and of existent risks; incidents that can occur in the future, but will - The improvement and update of the not completely eliminate these problems. management system involves correcting the

Informatica Economică vol. 15, no. 1/2011 231

identified dysfunctions, or eliminating the compliance with existing regulations in the unsustainable decisions or applying new field and ensuring the effectiveness of those control measures. activities. In this sense can be considered Risk management encompasses three national or international standards developed processes: risk assessment, risk mitigation and published by professional organizations and the reassessment of the residual risk. [1] and associations.[4] Risk assessment process includes Thus, it requires work to watch these procedures: establishing criteria under which the - The way of identify and evaluate on evaluation takes place (procedure on existing existing threats and vulnerabilities, and threats and vulnerabilities, and risks risks associated with; associated with, proceedings concerning the - Setting the values of impact and impact and likelihood of identified risks, risk probability of impact and likelihood assessment procedures, procedures for identified risks; identifying measures to mitigate or eliminate - The way of risk assessment; risks, procedure for selecting the best - The way of identifying measures to measures to mitigate or eliminate the risks) mitigate or eliminate risks; and identifying and assessing risks.. - The way of selecting the best measures to The risk mitigation refers to determining mitigate or eliminate the risks. optimal measures to eliminate or mitigate the 2. System characterization risks, to planning, implementing the This step provides information about the optimized selected measures, according to resources, data and boundaries of the IT the plan, and controlling the rightfulness of system. It is very important that to define the the implementation process. specific field of Reassessment of the residual risk consist in interest, links and dependencies between the evaluating the remaining risk after the risk resources that are being analyzed. For this mitigation step and determine whether it is an step, the responsible person has to collect acceptable level or whether additional information about hardware, software, data measures should be implemented to further and information, system interfaces, system reduce or eliminate the residual risk, before mission, persons who support and use the IT before the organization can perform work system, system security architecture, system properly. security policies, technical, operational and management controls. 5 Risk Assessment for IT systems In gathering the information, the persons Risk assessment is the first process in the risk involved must apply the up mentioned management methodology. The objectives of procedures and should use some of the the risk assessment process are to determine following techniques: questionnaires, the on- the extent of potential threats, to analyze site interviews, documents review and vulnerabilities, to evaluate the associated automated scanning tools. This activity can risks and to determine the contra measures be conducted throughout all the eight steps of that should be implemented. The risk the risk assessment process. assessment methodology encompasses eight 3. Threat identification primary steps, as follows: In this step are identified the potential threat- 1. Define specific working procedures of risk sources. A threat is the potential that a management activity particular vulnerability is exploited by To make a proper assessment of the risks to external factors, intentionally or accidentally, the operation of an IT system needs to be in order to produce the associated risks. A established a system of working procedures threat-source could not represent a cause to a that describe in detail each of the operations risk, if there is no vulnerability that can be carried out for this purpose. The development exploited. A threat-source is defined as any of working procedures needs to consider

232 Informatica Economică vol. 15, no. 1/2011

circumstance or event with the potential to A common taxonomy is CIA (confidentiality, cause harm to an IT system. [5] integrity, availability), which defines the Threats can be based on human (deliberate or characteristics of the organization's data. [5] The unintentional) or non-human (external or components of CIA are as follows : internal to the operating environment) Confidentiality – is the property of the data actions. Human threats can occur most often which defines the fact that the information is and are the most dangerous ones. In this not compromised through being accessed by category are included unintentional acts, such unauthorized users. as negligence or errors and deliberate attacks, Integrity –– is the property of the data which like unauthorized access to confidential defines the fact that information is not altered information, destruction of important by unauthorized users, in a way that is information, information theft, misuse of detected or undetectable by authorized users. data, falsification of information, sabotage Availability – ensures that principals (users the system. The non-human threats don’t and computers) have appropriate access to concern directly the human actions, and resources. could be floods, earthquakes, landslides, The following table is a list of examples for avalanches, supply voltage drops, voltage threats and their effects over security objective fluctuations etc. of CIA. This list does not claim to be exhaustive:

Table 1. Threats and their effects over security objective of CIA The security objectives that are affected THREATS CONFIDENTIALITY INTEGRITY AVAILABILITY 1. Human 1.1. Deliberate human threats Interception and espionage X Placing destructive codes X X X Destruction with intention of date and X X facilities Unauthorized access of data X X Use of pirated software X Falsifying identity X X 1.2. Unintentional human threats Personnel operating errors X X Programming errors X X X Technical failure X X 2. Non-human 2.1. External operating environment Fire X X Earthquakes X X Floods X X 2.2. Internal operating environment Supply voltage drops X Voltage fluctuations X X

Another taxonomy, called STRIDE, consists R – Repudiation – consists in creating a in identifying various threat types. STRIDE situation in which denying performing an considers threats from the attacker’s action, could not be confirmed or perspective. [6] contradicted by the other parties. Non – The components of STRIDE are: repudiation is a system’s ability to counter S – Spoofing identity – refers to the repudiation threats. situations in which a cyber-attacker can pose I – Information disclosure – involve the as something or somebody else. exposure of information to individuals who T – Tampering – involves malicious are not supposed to have access to it. modification of data or code.

Informatica Economică vol. 15, no. 1/2011 233

D – Denial-of-service (DoS) – deny or of specific features of the security system degrade the availability of service to valid and security, technical and operational users. measures used to protect the system or the E – Elevation of Privilege (EoP) - occurs way the personnel appointed to use the when a user gains increased capability, often system, fulfills his tasks. as an anonymous user who takes advantage One important action in the vulnerability of a coding bug to gain admin or root analysis process is the identification of the capability. vulnerability source. Some of these sources 4. Vulnerability identification are previous risk assessment documentation The purpose of this stage is to identify the of the IT system, system’s audit reports, system vulnerabilities (defects/ weaknesses) security’s review reports, vulnerabilities lists, that can be exploited by potential threats. such as the NIST I-CAT vulnerability Vulnerabilities are represented by the database, security advisors and system system’s weaknesses, which, if exploited by software security analysis. To identify some accidents or intentional actions, could system vulnerabilities different test methods result in a violation of system's security. are used: Suggested methods for vulnerabilities - Automated vulnerability scanning tolls that are identification have to take into account used to automatically scan a group of hosts or vulnerabilities sources, performances and a network for known vulnerable services. requirements of the system development. [7] - Safety tests and evaluation are special The methodology for vulnerabilities techniques used to identify vulnerabilities in an IT system during a risk assessment process. identification depends on the nature of the IT The purpose of system’s security testing is to system and the stage of the system test the efficiency of the security controls that development: have been implemented. - If the IT system is in the design stage, System penetration system that can be used identifying vulnerabilities should be in addition to security controls tests to ensure focused on security policies, planned that several IT system components are security procedures, system requirements secure. The goal of this activity is to test the and the analysis of security product IT system in terms of a threat source and to distributor. identify potential defects in the system - If the IT system is under implementation, protection schemes. identifying vulnerabilities should be As a result of this step, staff dealing with the focused specific information such as the risk assessment designs a list of security planned features of the system described requirements that includes basic safety in the documentation, test results and standards, procedures, processes and previous evaluation or the way the transfers of information associated with an IT personnel appointed to carry out system in security areas like management, implementation, fulfills his tasks. operational and technical area. - If the IT system is operational, identifying vulnerabilities should include an analysis

Table 2. Vulnerability identification Vulnerability Threats Affected goods Fire Earthquakes Floods Supply voltage drops No back-up Data Voltage fluctuations Use of pirated software Unauthorized access of data Placing destructive codes Inadequate configuration Technical malfunction Data

234 Informatica Economică vol. 15, no. 1/2011

management Interception and espionage Unauthorized access of data Unauthorized changes of the Technical malfunction Data attributions of Error programming Software programmers with operational staff Inadequate training of staff Data Routing / rerouting wrong messages responsible for data communications Security measures implemented in a Denial of Service Data wrong way Unauthorized access of data Software Non-regularly updating antivirus Data Malicious code software Software Fire Earthquakes Floods Data Lack of business continuity plans or Supply voltage drops Software procedures for data recovery Voltage fluctuations Hardware Use of pirated software Ancillary facilities Unauthorized access of data Placing destructive codes

5. Risk’s likelihood determination 6. Impact analysis To determine the likelihood that a potential In this phase of the risk assessment process, threat to exploit a vulnerability of the IT it is determined the negative results of a system should be considered the following potential exploitation successful of a factors: vulnerability. Before starting the impact - Threats-sources’ motivation and analysis, it is necessary to collect information capability; about the role of the system, system and data - Nature of the existing vulnerabilities; criticality or system and data sensitivity. This - Existence and effectiveness of current information can be obtained from the controls; existing documentation, such as analysis The likelihood that a vulnerability be report of the impact over the mission of the exploited by a particular threat, need to be company or the assessment report regarding evaluated in order to determine the the critical assets. The negative impact of a associated risk. security event can be described in term of An often used scale for evaluating the loss or degradation of the three of the most likelihood of risk is the high, medium or low important characteristics of the information: scale (sometimes it is used the extended integrity, availability and confidentiality. [8] versions, as the very low – low – medium – Integrity is lost if unauthorized changes to high – very high version). The risk’s data or IT system are made by accidental or likelihood high means that the threat-source intentional actions. If loss of data or system is highly motivated or very strong or the integrity is not corrected and the system is security controls are inefficient or all these used with the corrupted data, wrong results conditions together are cumulative. On can be obtained and wrong decisions can be another hand, if the risk’s likelihood is made. Violation of system integrity may be medium, it is probably, if the threat source the first step of a successful attack made on is highly motivated or very strong, that the the availability and confidentiality of an IT control of the system's security to be good system. enough to prevent most of the manifestation If the system availability to end-user is of the threats. The case of a low likelihood affected, whole organization activity can be means that the threat's source is weak or affected. Loss of system functionality and poorly motivated or the security controls efficiency can lead to loss or reduction of the can prevent or, at least, significantly impede productivity or the employers’ performance. the exercise of the threats.

Informatica Economică vol. 15, no. 1/2011 235

System confidentiality refers to the - The probability that a threat source to protection of information against exploit vulnerability; unauthorized disclosure. The impact of - The impact dimension, in case the threat unauthorized disclosure of highly classified source exploits with success the information can lead to attacks on vulnerability; organization’s interests or even on national - Preparation of existing or planned security security. controls to be implemented in order to Tangible impacts can be measured reduce or eliminate risk. quantitatively in term of loss of turnover, To measure risk is necessary to identify or cost of system repair or level of effort develop a method of evaluating it. One such necessary for correcting the problems caused method is the risk level matrix. This matrix is by of a successful exploitation of a threat. a 3x3 to 5x5 matrix which contains values Some other impacts can’t be measured in for threat likelihood on columns and for units and for this reason they are classified threat impact on rows. We choose, for our and described as high, medium and low. exemplification, the values High, Medium 7. Risk determination and Low, for both the dimensions. For the The role of this step it to assess the risk level 5x5 matrix are added 2 values: Very High of an IT system. Risk determination for a pair and Very Low. Depending on the type of of a “threat-vulnerability”, can be expressed risk, the values could be replaced with as a function of: numbers. The following matrix is an example of a 5x5 risk matrix:

Table 3. 5x5 risk matrix Severity of Threat Likelihood: negative Very Very High Medium Low impact: High Low Very Very Very High High Medium Low High High Very High High High Medium Low High Medium Mare High Medium Low Low Very Low Medium Medium Low Low Low Very Very Very Low Low Low Low Low Low

The result of the evaluation the risk, using the not very high to affect the objectives of proper method chosen, must be interpreted in the company’s activities, so that the order to determine the type of the risk (negligible, leading management could assume its tolerable or intolerable): realization without implement all the - The negligible risk does not need any countermeasures. measure to be applied. It is monitored - If the risk has an intolerable level, then it periodically. needs an immediate response. This means - The tolerable risk does not need also any that the management team must identify countermeasure to be implemented, but it and implement the right measure to reduce is permanently monitored and whenever it or eliminate the risk (risk mitigation). In is identified any growing of its value; it some cases, in which the risk management will become the object of some team does not have the needed level of supplementary actions, in order to reduce means, for implementing certain its level. This means that the level risk is

236 Informatica Economică vol. 15, no. 1/2011

measures, the process of decision would made taking into consideration the risk be transferred to higher forum of behavior of the organization and the management. partner that support and control better the For our hypothetical example, we could define risk. the level very low for the negligible risk, the - Risk Assumption. Organizations can level low for tolerable risk and the values choose to acknowledge the existence of medium, high and very high for the intolerable risk and monitor it. They also can ignore risk. it, but this action can be very dangerous. 8. Results documentation The decision to assume a risk must be After the threat sources and vulnerabilities well documented and analyzed by the are identified, risk assessed and provided, the management team of the organization. results should be written in an official report. - Risk Elimination. The goal of this action is Risk Assessment Report is a report addressed to eliminate the risk, but most of the to managers and owners that helps them to options tend to eliminate organization out take decision concerning security policies of the market. An organization that and procedures. A risk assessment report doesn’t prefer risk will not survive on the presents in a systematic and analytical way market. the existing risks and how these can be To reduce the risk, organizations should use exploited in order to help managers to some tools like: understand and allocate resources to reduce - Identify all the methods available for or correct any losses reducing the risk and choose the optimal ones. 6 Risk mitigation - Planning the appropriate activities for After the risk assessment, any organization applying the method previously chosen. If has to implement methods to reduce the level risks are related to activities deadline of risk. Since it is almost impossible to using activity planning software can eliminate all risks, top managers must reduce risks within reasonable limits. implement the most effective measures to - Implementing the activities planned in reduce risk to an acceptable level and to order to mitigate the risks. Some of the minimize the negative impact of risk on the measures generally applied are: organization’s mission and goals. Training the staff dealing with activities There are several methods to reduce risks, at risk - many IT risks are connected to which are applied depending on the type untrained personnel and this affects of risk: productivity and work quality. Through - Risk Avoidance. Where it is possible, training in security field, there can be managers should choose not to implement reduced the likelihood of incidents and some processes and procedures that can their effect. generate a higher level of risk or Redesigning security measures - complicates the organization’s activity. organizations should identify those - Risk Limitation. Risk can be reduced by threats and vulnerabilities that generate implementing security measures and risks with a strong impact on company’s procedures. When implementing these activity and improve the security systems measures it should be taken into account permanently. the cost and benefits of the When control actions must be taken, the implementation. If costs of the risk following rule applies: Address the greatest reduction outweigh the benefits, accepting risks and strive for sufficient risk mitigation risk should be preferred to implementing at the lowest cost, with minimal impact on the expensive security measures. other mission capabilities. [1] - Risk Transference. Risk can be shared The methodology of implementing security with different partners or transferred to measures contains several steps: companies. This action must be

Informatica Economică vol. 15, no. 1/2011 237

- Establishing personnel responsible for - Informing personnel about security security measures imposed Security personnel is responsible for Many security programs fail because of a creating, implementing and evaluating lack of efficient communication. Most of the security policies and also for oversight technical employees believe that technical security processes. The only security solutions are sufficient to any problems. It is problem that doesn’t concern security necessary that any security program to have personnel is security management. One of the two essential components: awareness and security personnel tasks is defining a security communication programs. These programs table, an official document indicating the should receive sufficient resources and responsibilities of the person involved in this attention in order to achieve the goals. activity and the way security is approached. During the awareness program employees are Another tasks is gathering information about informed about the impact of the security existing policies, information that are policies on their behavior. The valuable in understanding what functions communication program involves a continue properly in the organization, how communication between responsible information about risk are communicated to personnel and top managers concerning the the top managers, how is decided the priority efforts and success in maintaining the level of the projects and how the security security at an acceptable level. processes are structured. - Auditing and monitoring security - Establishing main activities to ensure The auditing of security-relevant events and security the monitoring system activity are key To ensure an effective security within the elements in an analyzing risk process. For company, it is necessary to go through some recovery from security breaches and for stages that are crucial. The main steps of a keeping under control the access to security program are presented in order to information, this step is essential. help any organization to implement a correct In the process of minimizing the level of risk, security program. There are four important organizations should consider some security steps that have to be defined from the controls that can be classified as follows: beginning: risk assessment and documents technical, management and operational or a and data classification; establishing access combination of these. The purpose of these rights; defining security policies and controls is to prevent and limit the risks in planning, designing and implementing order to achieve the goals. security controls. Technical controls - Defining requirements for improving Technical controls can range from very security quality simple to very complex and usually must be Another task of the responsible personnel is combined in order to determine the system’s to define the requirements for improving good functionality. These measures are security quality. The team proposes solutions divided in three categories according to their for the identified problems, which are purpose. important in the process of planning, First category includes the basic technical designing and implementing security measures that are used to support the measures. This step is often overlooked, but implementation of other security measures: it is vital. Any organization is different and - Identification: identify users, processes for this reason measures implemented in and information resources. another company can’t be suitable for other. - Cryptographic keys: key generation, If insufficient time is allocated to the process distribution, storage and maintenance. of defining requirements, unimportant data - Security administration: are measures that can be protected from non-existing threats. must be configured to meet security system requirements.

238 Informatica Economică vol. 15, no. 1/2011

- System protection: ensure the quality of least privilege, user computer access IT system implementation in terms of registration and termination. design and manner in which the - Technical training to ensure that end users implementation was accomplished. and system users are aware of the rules of Another category includes the measures for behavior and their responsibilities in prevention that prevent the occurrence of protecting the organization’s mission. events that have a negative impact on the Second category, detection management organization’s activity: security controls, includes: - Authentication: these measures verify user - Implementation of personnel security identity. Mechanisms used are passwords, controls, including personnel PINs, personal identification numbers. investigation, rotation of duties - Authorization: verify if employees are - Periodic review of security controls to authorized to make changes to the system. ensure that they are effective - Protected communications: ensure - Periodic system audits integrity, confidentiality, availability of - The existence of a continuous sensitive data during their transmission. management process - Transaction privacy: protect against loss - The third category, recovery management of privacy of important information. security controls, includes: The third category, detection and recovery - Provide continuity of support and measures, detects an adverse event and/or develop, test, and maintain the operations recovers lost information in case of an plans adverse event: - Establish the system capacity to respond - Intrusion detection: ensure the detection to the incident and return the IT system to of possible events with negative impact in operational status order to avoid them or reduce their Operational security controls impact. Operational security controls are used to - Restore secure state: these measures are correct operational deficiencies that could capable of bringing the system to last arise when a threat is exercised. These known security state after a security include preventive and detection operational breach occurs. controls - Virus detection and eradication: detect, Preventive operational controls are as identify and remove viruses to ensure follows: system and data integrity. - Controlling data access Management security controls - Limiting external data distribution These controls are implemented to reduce the - Control software viruses level of risk and protect the organization’s - Ability to create backup copies mission. They are focused on policies, - Protect laptops, personal computers, guidelines and standards for information workstations protection. Management security controls - Provide emergency power source includes three categories: preventive, - Control the humidity and temperature of detection and recovery controls. the computing First controls, preventive management Detection operational controls include the security controls include the following following: controls: - Providing (motion - Development and maintenance of system detectors, sensors and alarms) security plans in order to support of the - Ensuring environmental security (smoke organization’s mission. and fire detectors, fire sensors and alarms) - Implementation of personnel security controls, including separation of duties,

Informatica Economică vol. 15, no. 1/2011 239

7 Cost- benefit analysis technical. Technical controls are safeguards The cost – benefit analysis represents the incorporated into computer hardware, estimation and comparison of the relative software or firmware such as value and cost associated with each proposed mechanism, authentication mechanism, control. This analysis is an efficiency encryption methods and the non-technical criterion used for choosing the control to be ones are management and operational implemented. controls like policies, procedures and In order to make a cost – benefit analysis an personnel and environmental security. organization must follow the next steps: Technical and non-technical control - Determining the impact of implementing described above can be classified into new measure or improving the existing preventing controls and detective controls. one Preventing controls inhibit attempts to violate - Determining the impact of not security policies, meanwhile detecting implementing new measure or improving controls alert violation or attempted violation the existing one of security policies. These controls are - Estimating the cost of implementation implemented during the risk minimization which includes hardware and software phase. purchase, cost of implementing new policies and procedures, training cost and 9 Conclusion system maintenance cost Since the economic environment is really - Assessing the costs and benefits of fierce and constantly changing, organizations implementation controls. that desire to remain on the market should The organization must determine the pay greater attention to risk management accepted level of risk to decide whether a process. Managers’ responsibility is very measure will be implemented or not. The high and for this reason information security following rules should be followed when risk management is of fundamental concern deciding if a measure is implemented or not: to all organizations. This process is a long - If the implementation reduces the level of term cycle and its importance should not be risk more than is necessary, a less missed at any time. All steps must be expensive alternative should be chosen followed, risk identification not being - If the implementation costs more than the enough for saving an organization from benefit that would be obtain after the disappearing from the market. Risk implementation, another control should be identification should be done with greater sought care; all risks must be identified and treated - If the implementation does not reduce the carefully. The evaluation and assessment of level of risk enough, more effective potential threats, vulnerabilities and possible controls preferable with a similar cost damage is very important. After this should be sought assessment is done, necessary controls - If the implementation reduces the risk at should be implemented in terms of cost- an acceptable level and is cost-effective. effectiveness and the level of risk reduced by The measure should be implemented the implementation. To identify the most appropriate controls a cost- analysis has to be 8 Control analysis done. Its results help managers implement After the implementation of security policies, the most efficient controls that bring the in case the occurrence of security incidents, greatest benefit to the organization. the organization must re-evaluate the entire Risk management helps managers to better risk management system, is being made as control the business practices and improve appropriate approaches for change, in the the business process. If the results of risk way to improve the security policies. analysis are well understood and the right Security policies can be technical or non- measures are implemented, the organization

240 Informatica Economică vol. 15, no. 1/2011

not only that will not disappear from the information security risk management”, market, but it will develop and more easily International Journal of Information obtain the targeted results. Management, pp. 413-414, 2008. Available: http://www.sciencedirect.com References [6] M. Howard, S. Lipner, “The security [1] G. Stoneburner, A. Goguen, A. Feringa, development lifecycle”, United States of Risk Management Guide for Information America: Microsoft Press, 2006, pp. Technology System, 2002. 114-116. [2] S. Southern, “Creating risk management [7] E. Humphreys, ”Information security strategies for IT security”, Network management standards: Compliance, Security”, 2009, pp.13-14. governance and risk management”, [3] Information Systems Audit and Control Information Security Technical Report Association, Certified Information I3, 2008, pp. 247-249. Available: Systems Auditors, 2006, pp.85-89. http://www.sciencedirect.com [4] The Department of and Industry, [8] M. Siponen, R. Willison, “Information “Achieving Best Practice in Your security management standards: Business Information Security: Problems and solutions”, Information Protecting Your Business Assets”, pp. 8- and Management, vol. 46, pp.269-270, 22, Available at: 2009. Available at: http://webarchive.nationalarchives.gov.u http://www.sciencedirect.com k/tna/+/http://www.dti.gov.uk/files/file9 [9] E. Burtescu, Securitatea datelor firmei, 985.pdf/ Editura Independenta Economica, 2005. [5] R. Bojanc, B Jerman-Blazic, “An economic modeling approach to

Elena Ramona STROIE has graduated The Bucharest Academy of Economics Studies, Faculty of Cybernetics, Statistic and Economic Informatics in 2008. She holds a Master diploma in Informatic Systems for Economic Processes and Resources Management from 2009 and in present she is a PhD Candidate in Cybernetics and Economic Statistic with the Doctor’s Degree Thesis: Methods of Risk Analysis and Assessment in an Information System. Her areas of interests are: Information System Security, Risk Analysis Management.

Alina Cristina RUSU has graduated The University of Craiova, Faculty of Automatics, Computers and Electronics, Computers Engineer. She holds a Master diploma in IT & C Security from Academy of Economics Studies and present she is a PhD Candidate in Economic Informatics with the Doctor’s Degree Thesis: Protection of confidential information in a computer system. Her areas of interests are: Information Systems Security, Risk Analysis Management and Security Policies in Informatics Systems.