New NIST Publication
August 27, 2009 at 11:08 am #78795
NIST Computer Security Division announces that Draft NISTIR 7621, Small Business Information Security: The Fundamentals, has been released for public comment. NISTIR 7621 is intended to help small businesses and small organizations implement the fundamental components of an effective information security program.
NIST requests comments on draft NISTIR 7621 by September 16, 2009. Please submit comments to [email protected], with “Comments NISTIR 7621” in the subject line.
Author: Richard L. Kissel
For some small businesses, the security of their information, systems, and networks might not be a high priority, but for their customers, employees, and trading partners it is very important. The term Small Enterprise (or Small Organization) is sometimes used for this same category of business or organization. A small enterprise/organization may also be a nonprofit organization. The size of a small business varies by type of business, but typically is a business or organization with up to 500 employees.
In the United States, small businesses total over 95% of all businesses. The small business community produces around 50% of our nation’s Gross National Product (GNP) and creates around 50% of all new jobs in our country. Small businesses, therefore, are a very important part of our nation’s economy. They are a significant part of our nation’s critical economic and cyber infrastructure.
Larger businesses in the United States have been actively pursuing information security with significant resources including technology, people, and budgets for some years now. As a result, they have become a much more difficult target for hackers and cyber criminals. Consequently, the hackers and cyber criminals are now focusing their unwanted attention on less secure small businesses.
Therefore, it is important that each small business appropriately secure its information, systems, and networks.
This Interagency Report (IR) will assist small business management to understand how to provide basic security for their information, systems, and networks.
Why should a small business be interested in, or concerned with, information security?
The customers of small businesses have an expectation that their sensitive information will be respected and given adequate and appropriate protection. The employees of a small business also have an expectation that their sensitive personal information will be appropriately protected.
And, in addition to these two groups, current and/or potential business partners also have their expectations of the status of information security in a small business. These business partners want assurance that their information, systems, and networks are not put “at risk” when they connect to and do business with this small business. They expect an appropriate level of security in this actual or potential business partner – similar to the level of security that they have implemented in their own systems and networks.
Some of the information used in your business requires special protection for confidentiality (to ensure that only those who need access to that information to do their jobs actually have access to it). Some of the information used in your business needs protection for integrity (to ensure that the information has not been tampered with or deleted by those who should not have had access to it). Some of the information used in your business needs protection for availability (to ensure that the information is available when it is needed by those who conduct the organization’s business). And, of course, some information used in your business needs protection for more than one of these categories of information security.
Such information might be sensitive employee or customer information, confidential business research or plans, financial information, or information falling under special information categories such as privacy information, health information, or certain types of financial information. Some of these information categories have special, much more restrictive regulatory requirements for specific types of information security protections. Failure to properly protect such information, based on the required protections, can easily result in significant fines and penalties from the regulatory agencies involved.
Just as there is a cost involved in protecting information (for hardware, software, or management controls such as policies & procedures, etc.), there is also a cost involved in not protecting information. Those engaged in risk management for a small business are also concerned with cost-avoidance – in this case, avoiding the costs of not protecting sensitive business information.
When we consider cost-avoidance, we need to be aware of those costs that aren’t immediately obvious. Among such costs are the notification laws that many states have passed which require any business, including small businesses, to notify, in a specified manner, all persons whose data might have been exposed in a security breach (hacker incident, malicious code incident, an employee doing an unauthorized release of information, etc). The average estimated cost for these notifications and associated security breach costs is well over $130.00 per person. If you have 1000 customers whose data might have been compromised in an incident, then your minimum cost would be $130,000, per incident. This should provide motivation to implement adequate security to prevent such incidents. Of course, if there is such an incident then some customers will lose their trust in the affected small business and take their business elsewhere. This is another cost that isn’t immediately obvious, but which is included in the above per-person cost.
Considering viruses and other malicious code (programs), in mid-2009 there are about a million new viruses and other malicious programs created each month. It is unthinkable to operate a computer without protection from these harmful programs. Many, if not most, of these viruses or malicious code programs are used by organized crime to steal information from computers and make money by selling or illegally using that information for such purposes as identity theft.