Roles of Management and Technology in InfoSec

Information security is both a management issue and a technology issue.

The management of an institution may be the owner or custodian of the data its information security program is trying to protect. Management needs to ensure that the systems it employs perform all of the intended functions on that data while ensuring the data is not leaked to unauthorized personnel. As Whitman and Mattord put it, the “primary mission of an information security program is to ensure information assets - information and the systems that house them - remain safe and useful” (Whitman & Mattord, 2014).

Management is responsible for the reputation of the business, its proper functioning, the data it holds, and safeguarding the technology it uses. All of these can be harmed if the technology it deploys does not meet the requirements, functional as well as non-functional. Technology is only a tool that facilitates the proper functioning of the business: providing value to its customers and keeping track of all its transactions. It must be configured so that the data the business holds is protected in transit, at rest, and in use.

Who doesn’t need to be concerned about InfoSec?

Would there be any person or group within an organization that does not need to be concerned with information security?

The only person who need not worry about information security is one who holds no data of value. Unfortunately, in this day and age every person connected to the modern world has some data that is valuable, either to the individual or to someone else, and the effort spent protecting that data from compromise should be proportionate to its value.

According to Verizon, “No locale, industry or organization is bulletproof when it comes to the compromise of data” (Verizon, 2016). I would add “no connected person” to that list.

Risk Based Authentication

Risk-based authentication is the technique of using contextual and historical information about a user, together with the data supplied during an internet transaction, to estimate the probability that a given user interaction is authentic.

Beyond the traditional username and password, the contextual information considered includes who the user is; where the user is logging in from (the IP address and the geolocation derived from it at the time of the transaction); the velocity of the transaction, that is, a check of whether it is physically possible for a person who recently logged in from location 1 to now be logging in from location 2 in the time elapsed; and the type of device the user is using. Historical information, such as the devices, addresses and locations the user has logged in from before, gives the baseline these contextual signals are compared against.
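The scoring described above, as an added example that is not part of the original post: each contextual signal (unknown geolocation, new device, new IP address, new location, and the velocity check against the most recent login) adds to a risk score, and the score selects allow, step-up challenge, or deny. The geo-IP table, the login history, the signal weights, the 1000 km/h travel threshold and the decision cut-offs are all assumptions constructed for the illustration; a real deployment would use a geolocation database and tuned weights.

```python
"""Toy risk-based authentication scorer (illustrative, constructed example).

Combines contextual signals (source IP and its geolocation, device, and the
travel velocity implied by the user's most recent login) into a risk score that
decides whether a login is allowed outright, challenged for a second factor, or
denied. The geo-IP table, login history, weights and thresholds are all
constructed here for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed geo-IP table: address -> (city, latitude, longitude).
GEOIP = {
    "203.0.113.10": ("Chicago", 41.88, -87.63),
    "198.51.100.7": ("Chicago", 41.88, -87.63),
    "192.0.2.200": ("Singapore", 1.35, 103.82),
}

# Fastest plausible travel speed for the velocity check (roughly airline speed
# plus slack); anything faster between two logins counts as impossible travel.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0

# Assumed weights per signal and decision thresholds on the summed score.
WEIGHTS = {
    "unknown-geo": 40,
    "new-device": 30,
    "new-ip": 10,
    "new-location": 20,
    "impossible-travel": 50,
}
CHALLENGE_AT, DENY_AT = 30, 70


@dataclass(frozen=True)
class LoginEvent:
    user: str
    timestamp: datetime
    ip: str
    device_id: str
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def decide(score):
    """Map a risk score to allow / challenge (step-up) / deny."""
    if score < CHALLENGE_AT:
        return "allow"
    if score < DENY_AT:
        return "challenge"
    return "deny"


def assess(user, ip, device_id, now, history):
    """Score a login attempt after the password check has already passed.

    Returns (decision, score, reasons). `history` holds the user's prior
    successful logins and supplies the historical side of the assessment.
    """
    reasons = []
    geo = GEOIP.get(ip)
    if geo is None:
        reasons.append("unknown-geo")
    prior = [e for e in history if e.user == user]
    if device_id not in {e.device_id for e in prior}:
        reasons.append("new-device")
    if ip not in {e.ip for e in prior}:
        reasons.append("new-ip")
    if geo is not None:
        city, lat, lon = geo
        if city not in {e.city for e in prior}:
            reasons.append("new-location")
        # Velocity check: could the user have physically travelled from the
        # location of the most recent login to this one in the time elapsed?
        if prior:
            last = max(prior, key=lambda e: e.timestamp)
            dist_km = haversine_km(last.lat, last.lon, lat, lon)
            hours = (now - last.timestamp).total_seconds() / 3600.0
            if dist_km > 0 and (hours <= 0 or dist_km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                reasons.append("impossible-travel")
    score = sum(WEIGHTS[r] for r in reasons)
    return decide(score), score, reasons


# Constructed login history for one user: a single prior login from Chicago.
T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
HISTORY = [LoginEvent("alice", T0, "203.0.113.10", "laptop-1", "Chicago", 41.88, -87.63)]


def hours_after(h):
    """Timestamp h hours after the recorded login (helper for the scenarios)."""
    return T0 + timedelta(hours=h)


if __name__ == "__main__":
    scenarios = [("203.0.113.10", "laptop-1", 2),   # same device, same IP
                 ("192.0.2.200", "phone-9", 1),     # new device, Singapore, 1h later
                 ("192.0.2.200", "laptop-1", 20)]   # known device, Singapore, 20h later
    for ip, dev, h in scenarios:
        print(ip, dev, assess("alice", ip, dev, hours_after(h), HISTORY))
```

The third scenario shows why velocity, not just a location change, is the signal: a Singapore login from the known laptop twenty hours after a Chicago login only earns a step-up challenge, while the same location one hour later is flagged as impossible travel and denied.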
