Information Security Best Practices
What is Information Security?
Information security means that the confidentiality, integrity and availability of information assets are maintained.
• Confidentiality: information is used only by people who are authorized to access it.
• Integrity: information remains intact and unaltered except through authorized changes, and any change, whether from malicious action, natural disaster or a simple innocent mistake, is tracked.
• Availability: information is accessible when authorized users need it.
Information Security Threats
The most common types of information security threats are:
• Theft of confidential information by hacking
• System sabotage by hackers
• Phishing and other social engineering attacks
• Viruses, spyware and other malware
• Social media used as a channel for fraud
Information Based Fraud Controls
To protect themselves from information security threats, organizations must:
• Maintain information security policies that regulate employee access and set guidelines for appropriate use.
• Train all employees in information security policies and procedures.
• Enforce those policies consistently; inconsistent enforcement leaves gaps that an outside attacker can use.
• Deploy technology: consider transaction monitoring software and other applications that screen for abnormalities in patterns of data usage, since such abnormalities can point to insider fraud attempts.
• Not leave all security to the IT department. IT staff know the technology but are not necessarily trained in information management and security; dedicated information security staff should own that function.
• Conduct an IT security audit at least once a year.
• Develop a response plan for the possibility of a breach that mitigates customer losses and damage to the organization's brand.
• Collect and share information across private industry and the public sector in order to stay abreast of developing criminal threats.
• Stop using embedded links in SMS text messages and emails to reduce the risk of phishing attacks, and advise customers never to click links in messages purporting to come from the organization through these channels.
• Implement and adopt a formal governance, risk management and compliance model with strict internal measures that protect and encrypt sensitive customer information (PINs, account numbers, etc.) against data breach threats.
• In emails, include personal identification information (such as the customer's full name, a shortened account number and a customer-chosen symbol) so that customers can judge the legitimacy of the message.
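The transaction-monitoring control in the list above ("screen for abnormalities in patterns of data usage") is the one item that maps directly onto code. The Python below is an added example written for this page, not software from ComplianceOnline or any vendor. It parses a constructed audit log (the line format is an assumption), counts how many distinct customer accounts each user opens per day, and flags days on which a user's count is both above an absolute floor and far above that user's own median on other days, plus any record access outside business hours. The thresholds (ratio 5, floor 10, overnight window 22:00 to 06:00) are illustrative.

```python
"""Toy transaction / data-access monitor (added example).

Flags users whose daily record-access volume jumps far above their own
baseline, plus any record access outside business hours, as signals of
possible insider fraud."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# ASSUMED log line format: "<ISO timestamp> user=<id> action=<verb> account=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) account=(?P<acct>\S+)$"
)


def build_sample_log() -> str:
    """Constructed sample data, not a real audit trail."""
    lines = [
        "2024-03-04T09:12:01 user=alice action=view_record account=1001",
        "2024-03-04T09:15:44 user=alice action=view_record account=1002",
        "2024-03-04T10:02:10 user=bob action=view_record account=2001",
        "2024-03-05T09:30:00 user=alice action=view_record account=1003",
        "2024-03-05T11:00:00 user=bob action=view_record account=2002",
        "2024-03-05T11:05:00 user=bob action=view_record account=2003",
        "2024-03-06T09:10:00 user=alice action=view_record account=1004",
        "2024-03-06T14:00:00 user=bob action=view_record account=2004",
        "2024-03-06T14:01:00 user=bob action=login account=-",
        "malformed line that the parser must skip, not crash on",
    ]
    # The suspicious pattern: bob opens 40 different accounts late at night.
    for i in range(40):
        lines.append(
            f"2024-03-07T23:{i:02d}:00 user=bob action=view_record account={3000 + i}"
        )
    return "\n".join(lines)


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m["ts"])
        except ValueError:
            continue
        events.append({"ts": ts, "user": m["user"], "action": m["action"], "acct": m["acct"]})
    return events


def daily_counts(events: list) -> dict:
    """user -> ISO date -> number of distinct accounts viewed that day."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] == "view_record":
            seen[e["user"]][e["ts"].date().isoformat()].add(e["acct"])
    return {u: {d: len(a) for d, a in days.items()} for u, days in seen.items()}


def find_anomalies(counts: dict, ratio: float = 5.0, min_abs: int = 10) -> list:
    """Return (user, date, count, baseline) for days where a user's count is at
    least min_abs and more than ratio times that user's median on other days.
    Comparing each user with their own history avoids a single global threshold
    that is too loose for clerks and too tight for power users."""
    alerts = []
    for user, days in counts.items():
        for day, n in sorted(days.items()):
            others = [c for d, c in days.items() if d != day]
            baseline = statistics.median(others) if others else 0
            if n >= min_abs and n > ratio * baseline:
                alerts.append((user, day, n, baseline))
    return alerts


def off_hours_views(events: list, start: int = 22, end: int = 6) -> list:
    """Record views in the overnight window from start:00 to end:00."""
    return [
        e for e in events
        if e["action"] == "view_record" and (e["ts"].hour >= start or e["ts"].hour < end)
    ]


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for user, day, n, base in find_anomalies(daily_counts(evs)):
        print(f"ALERT {user} {day}: {n} accounts viewed, baseline {base}")
    print(f"{len(off_hours_views(evs))} record views outside business hours")
```

Baselining each user against their own history, rather than a single global threshold, is what makes this useful against insiders: a clerk who normally views one or two accounts a day and suddenly pulls forty is the pattern, even if forty a day is routine for a supervisor. In practice the lines would come from the database audit trail or SIEM, the alerts would go to the fraud team, and the absolute floor would be tuned so ordinary work does not page anyone.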
How to Prevent Impersonation
Impersonation is one of the social engineering tools fraudsters use to commit identity theft. The following are best practices to protect organizations from social engineering attacks:
• Broaden the company's online reputation; blogging is one of the most effective ways to do this. As part of online reputation management, optimize your company's listings in search engines such as Google (search engine optimization).
• If someone on social media identifies themselves using your organization's photo or bio, be persistent in contacting that site's administrators. They too have reputations to manage and will often delete stolen profiles, since this constitutes fraud.
• Enlist services such as Mark Monitor or other brand protection and trademark management firms.
Best Practices For E-Merchants
E-merchants face heightened information security threats. Because they handle customer credit card information, there are industry rules and regulations with which they must comply to protect their customers' information. Here are some of the recommendations for e-merchants:
• Handle cardholder data as the Payment Card Industry Data Security Standard (PCI DSS) requires: a stored primary account number must be rendered unreadable (strong encryption, truncation or tokenization), and sensitive authentication data such as the card verification value (CVV) and the PIN must not be stored at all after authorization, even in encrypted form.
• PCI compliance must be validated annually by merchants and service providers that accept credit cards. Version 2.0, released in October 2010, was the current version when this page was written; later versions have since replaced it. The standard is intended as a minimum benchmark and will not prevent every breach.
• Merchants that process, collect or transmit payment account information must conduct network security scans.
• Ensure that transaction information is fully protected by strong encryption of purchase data, and secure both internal and external networks.
• Protect purchases made through the online channel with TLS/SSL (optionally with EV SSL certificates) and confirm cardholder identity with the card verification value plus robust multifactor authentication before accepting a purchase.
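To make the storage rule above concrete: what an e-merchant may keep after a card has been authorized is far less than what it receives. The Python below is an added example, not code from this page, from ComplianceOnline or from the PCI Security Standards Council. It validates the card number with the Luhn check, keeps only a masked display form and a keyed (HMAC-SHA256) lookup token, and provides a pre-write guard that rejects any record still carrying CVV/PIN/track data or a full PAN in any field. The HMAC key is hard-coded purely so the example runs offline; a real deployment keeps it in an HSM or KMS. Encrypting the PAN itself for storage needs a proper cryptographic library and key management and is outside what this block shows. The test card number 4111 1111 1111 1111 is a well-known test value, not a real account.

```python
"""Cardholder-data minimization for an e-merchant's storage layer (added example).

Validate the PAN, keep only a masked form and a keyed token, and make sure
sensitive authentication data (CVV/CVC, PIN, track data) never reaches storage."""
import hashlib
import hmac
import re

# ASSUMPTION: in production this key comes from an HSM or KMS and is never stored
# alongside the tokens. It is hard-coded here only so the example runs offline.
TOKEN_KEY = b"example-only-key-do-not-use"

# Field names for sensitive authentication data: usable during authorization,
# but must not be stored afterwards, even encrypted.
SENSITIVE_AUTH_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "pin", "pin_block",
                         "track1", "track2"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit validation over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def normalize_pan(raw: str):
    """Strip spaces/dashes; return the PAN, or None if it is not well-formed."""
    pan = re.sub(r"[\s-]", "", raw)
    if pan.isdigit() and 12 <= len(pan) <= 19 and luhn_valid(pan):
        return pan
    return None


def mask_pan(pan: str) -> str:
    """Display form: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pan_token(pan: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed lookup token. A plain SHA-256 of the PAN would be brute-forceable
    because the PAN space is small; the secret key removes that shortcut."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def find_cardholder_secrets(record: dict) -> list:
    """Return keys that hold sensitive authentication data or a full PAN.
    Intended as a guard immediately before writing to a database or log."""
    offending = []
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            offending.append(key)
        elif isinstance(value, str) and normalize_pan(value) is not None:
            offending.append(key)
    return offending


def storage_record(transaction: dict):
    """What may be persisted after authorization. Returns None for a bad PAN."""
    pan = normalize_pan(transaction["pan"])
    if pan is None:
        return None
    record = {
        "pan_masked": mask_pan(pan),
        "pan_token": pan_token(pan),
        "expiry": transaction.get("expiry"),
        "amount": transaction["amount"],
        "auth_code": transaction.get("auth_code"),
    }
    # CVV/PIN were consumed during authorization and are deliberately not copied.
    assert not find_cardholder_secrets(record), "refusing to persist cardholder secrets"
    return record


if __name__ == "__main__":
    tx = {"pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/27",
          "amount": 4999, "auth_code": "A1B2"}
    print(storage_record(tx))
    print(find_cardholder_secrets({"note": "4111-1111-1111-1111", "cvc": "123"}))
```

Two points the listing makes explicit: a bare SHA-256 of the PAN does not count as rendering it unreadable, because the PAN space is small enough to enumerate, so the token must be keyed; and the guard runs against the record actually being written, including free-text fields, since full card numbers most often leak into logs and notes rather than into the card table itself.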
Want to learn more about information security, its threats and best practices to prevent security breaches? ComplianceOnline webinars and seminars are a training resource on these topics.