Cyber-crime today involves hacking into computer systems, creating and spreading computer viruses, perpetrating online fraud, stealing trade secrets, violating intellectual property rights, and the list goes on.
According to the research, the attack techniques used include password guessing, self-replicating code, password cracking, disabling auditing, social engineering and many other techniques.
Both cases discussed in the paper involve an insider of the organization: the system administrator, the person with the most responsibility for the system. Whether knowingly or unknowingly, in both scenarios he contributed to the attacks, which left a black mark on the organization's reputation.
By having a proper process within a company, the risk of undesirable behaviour by insiders and the effects of intentional attacks from outsiders can be avoided or minimized. Such a process verifies that the network is reliable and that information is protected. It also helps to align information security with corporate goals, helps the company identify people's roles and the value of their presence, and makes senior managers aware of the real need for security within the organization. It gives system administrators and all employees proper guidelines and frameworks to adhere to and check against, and it helps make systems forensic-aware. It educates all employees about the dos and don'ts for organizational property, including the network and all other assets, and about how to deal with disastrous situations. Most of all, it provides recommended guidelines that help in carrying out proper operations.
ISO 27001 is one such process that helps an organization run well. I am working in an organization that is working towards achieving ISO 27001 certification. The main goals of achieving ISO 27001 are to gain a competitive advantage in winning customers, to provide security for customer information and to gain customers' trust.
Image credits: http://www.iso-27001-it-security-management.com/images/slide-01.jpg
Through the ISO 27001 implementation, management identified the need for a proper process. Employees were educated about acceptable usage, and proper human resource guidelines were defined. Networks were separated, and password policies, clean desk policies and network monitoring were adopted. A fire evacuation plan was created, with employees trained through fire drills. The data center was separated and marked as a high-security zone monitored by video cameras. Backup operational plans were drawn up, and employees were asked to wear identity cards at all times, to avoid piggybacking (following someone through a secured door) and to lock their screens. Basically, it created a whole new organizational culture, which employees embraced and contributed to. The process of establishing ISO 27001 makes people aware of the probable risks and security concerns and, as part of the process, educates them on how to react effectively.
So we can see that employing a standard such as ISO 27001 helps the organization create a better organizational process, which eventually leads to good security as a by-product of the process.
S. Fernando et al., "Compromising Information Systems Security: Cases of Network Administrator," in Global e-Security, 2nd Annual International Conference, 2006, pp. 138-147.
An Introduction To ISO 27001 (ISO27001). [Online]. Available: http://www.27000.org/iso-27001.htm