Qube Magazine 10 Years of Industry Service

Security Features - April 2011

A journey from the present to the future of security technology at IFSEC 2011
IFSEC, the world’s largest annual security event, returns to the NEC Birmingham from 16 – 19 May 2011. The 38th edition of the award winning event* will offer security professionals the opportunity to discover innovative security solutions in the industry as well as providing a glimpse into the future of security through the extensive exhibition, comprehensive educational programme and innovative feature areas.
James Blue, Portfolio Director – Fire & Security at UBM Live, organisers of IFSEC, said: “Every year, thousands of visitors come to IFSEC to source the most up-to-date technology in this evolving industry. As the organisers, we see it as our responsibility to be at the forefront of the security market so for 2011, we are expanding the seminar content and introducing new features to demonstrate what the future of this industry will hold. This will enhance the IFSEC experience for visitors as we also see the return of established, interactive features, including the Intelligent Integration Zone, and our industry-leading exhibition.”
Divided into six product areas, the IFSEC 2011 exhibition will house more than 700 of the world’s leading companies, including Dallmeier, Dedicated Micros, HID, HIK Vision, Norbain, Panasonic, RISCO, Samsung, SATEL, Tyco and Y3K. Assa Abloy also return for 2011 and are sponsoring the Access Control product area of the exhibition.
Hosting more than 22,000 visitors every year, including an international audience of more than 6,500 professionals, this is the central meeting place for the international security industry. Several countries will also have dedicated pavilions to house leading manufacturers and suppliers from the respective countries. China, France, Italy, Taiwan and USA are just a few to benefit from this initiative.
Since its inception, IFSEC has prided itself on providing unparalleled educational content to its thousands of visitors and 2011 will be no different. The ‘New Security Products & Technology Showcase’ seminar theatres will offer hours of free educational content looking at the newest technologies available in the marketplace. The IFSEC Conference 2011, the world’s leading security conference dedicated to the end user, also returns with a jam-packed programme of unique and topical content. Please visit www.ifsec.co.uk/conference for the very latest information.
IFSEC 2011 will also see the launch of the Future of Security Competition, produced in association with the Global Security Challenge. Bringing together the brightest minds from all over the globe, the next generation of security innovations will be unveiled at the event as they are pitted against each other in a Dragons Den-style live judging session. Please visit www.ifsec.co.uk/FutureSec for further information about how to enter or become involved in shaping the competition.
Finally, the IFSEC Security Industry Awards, organised in association with the British Security Industry Association (BSIA), will acknowledge the people, products and technological advancements that have played a big part in the security industry over the past year. Please visit www.ifsec.co.uk/awards to enter your company or book your place.
IFSEC 2011 is co-located with three other industry-leading events: Safety & Health Expo 2011, The Facilities Show 2011 and International Firex 2011.

Information Security from a Business Perspective
By Christos K. Dimitriadis, Ph.D., CISA, CISM
As enterprises struggle to remain profitable in an ever-changing risk environment, the current economic crisis has elevated the need for effective business risk management. Information security is a key parameter that affects business risk. The academic definition of information security is the “preservation of confidentiality, integrity and availability of information.” Confidentiality is the preservation of secrecy of information (e.g., business reports, technical designs or financial projections) by ensuring that viewing is conducted solely by authorized people. Integrity is ensuring that information is accurate and consistent and has not been manipulated. Availability ensures that information is accessible to authorized people when needed.
Historically, information security has been addressed primarily as a technical issue. Preventive controls, such as firewalls, user access control mechanisms, encryption of data and communications, digital signatures, data backup systems, and detective controls, such as intrusion detection systems or security monitoring platforms, have formed the basic components of security architecture. Often, the technical controls are complemented by a set of security policies, procedures and guidelines aimed at controlling the actions of personnel.
This approach, though, has proven to be insufficient. Security incidents continue to rise and security problems remain unsolved while information security experts have been challenged to effectively communicate the value of information security to enterprise management. The root cause of these problems may be the definition of information security itself. There is a lack of consistency as each sector, industry and even enterprise has had to define information security uniquely, based on very specific business needs. This lack of consistency has contributed to a lack of understanding and a lack of appreciation for the value of information security.
INFORMATION SECURITY DEFINED
To define information security in an organisation, one must understand its business objectives, identify stakeholders and link them to information protection attributes. Organisations have to be trusted to achieve customer acquisition and retention, which directly affect their revenue. This trust is a key success factor that is directly related to:
• Business integrity
• Customer asset protection
• Customer privacy
Providing services to the public also has societal and political facets. Businesses must adhere to a governmental regulatory and legal framework. The provision of secure and fair outlets to citizens is a matter of social responsibility. Moreover, the government is a shareholder of business (directly or indirectly through taxing); thus, business success affects the corresponding governmental revenue.
The aforementioned facts are clarified in relation to information security when the drivers of shareholders’ trust are studied in more detail.
In relation to the business role of information security, drivers should be:
– Shareholders’ trust:
• Corporate viability, which is driven by compliance with license terms
• Competitive advantage, which ensures customer acquisition
• Brand name value preservation, which ensures customer retention
• Legal and regulatory compliance (e.g., the integrity of financial records and PII protection)
– Customers’ trust:
• Business integrity
• Service availability
• Protection of the confidentiality of customers’ sensitive information
Using this definition of information security for the business sector, a holistic approach is required for addressing the information security requirements of each unique organisation. This requires a detailed business analysis for embedding information security into the specific business processes and also for addressing the human factor and minimizing the uncertainty it introduces. International security standards provide a solid base for information security from a business perspective.
THE INFORMATION SECURITY STANDARDS LANDSCAPE
In 2006, the Security and Risk Management Committee of the World Lottery Association (WLA) published the most recent version of its Security Control Standard (SCS). This standard describes a number of information security controls (technical and procedural) tailored to the lottery sector.
The Security Control Standard (SCS) is an extension of the globally recognized information security standard ISO 27001 of the International Organization for Standardization (ISO), which is related to the establishment of information security management systems (ISMSs). Such systems provide the framework for managing information security from planning to implementation, monitoring and improvement.
ISACA has published a set of information technology (IT) auditing standards and the Risk IT: Based on COBIT framework, which provides a set of guiding principles for effective management of IT risk. Risk IT complements COBIT, a comprehensive framework developed by ISACA for the governance and control of business-driven, IT-based solutions and services. In 2009, ISACA published An Introduction to the Business Model for Information Security, which addresses information security from a business perspective, and in 2010, the full model was published as The Business Model for Information Security.
Other standards include the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for enhancing payment account data security, and the Special Publications (800 series) of the US National Institute of Standards and Technology (NIST), which are documents of general interest to the computer security community. The aforementioned standards provide an indicative view of the information security standards landscape. Other standardization bodies and associations provide their own guidelines in the field. In addition, technical security best practices of system vendors provide additional guidelines.
The modern business sector has to select the information security standards to use as a basis for its security architecture, and it must customize this selection according to its specific business needs.
BASIC PROCESSES
Studying the information security standards horizontally reveals a number of basic processes/steps that lead to the identification of information security requirements:
• Step 1: Business impact analysis - Each business process is recorded and analyzed in terms of business impact from the realization of a possible security threat. 
The business must answer a number of questions to calculate the impact of security breaches, including:
- How much would this cost the business in monetary terms?
- What would be the indirect costs if information is sold?
- What would the legal implications be?
Business processes are then prioritized based on an impact scale that identifies the most critical issues.
• Step 2: Risk analysis - During this process, the possibility for the occurrence of a security incident is calculated, based on a database of security weaknesses. The risk analysis takes into account technical and procedural parameters, such as:
- Are there technical controls in place to safeguard customer data?
- Do procedures exist to complement the technical security controls?
• Step 3: Risk management - The result of the risk analysis is a prioritization of risk in relation to the impact level (the result of the business impact analysis) and the identification of possible security measures for addressing the risk. The risk management process - the selection of appropriate security measures for addressing the risk or for risk transferring or acceptance - is determined by the management of the organisation.
• Step 4: ISMS implementation - After the controls have been selected, they should be correlated under a common information security management system (ISMS). This correlation requires deep understanding of the operation of the organisation; consideration of human, cultural, technical, business and external factors; and continuous improvements.
BUSINESS MODEL FOR INFORMATION SECURITY
One of the most recent information security frameworks that addresses information security from a business point of view is ISACA’s Business Model for Information Security (BMIS).
The following definitions of the BMIS elements (derived from An Introduction to the Business Model for Information Security) are necessary for understanding how BMIS works:
• Organization design and strategy—An organization is a network of people, assets and processes interacting with each other in defined roles and working toward a common goal.
• People—The people element represents the human resources and the security issues that surround them. It defines who implements (through design) each part of the strategy. It represents a human collective and must take into account values, behaviors and biases.
• Process—Process includes formal and informal mechanisms (large and small, simple and complex) to get things done.
• Technology—The technology element is composed of all of the tools, applications and infrastructure that make processes more efficient.
To understand the operation of BMIS in practice, it is important to study the links connecting organization design and strategy, people, process, and technology.
CONCLUSION
Information security will be understood, provide added value and effectively contribute to the operation of an organization only if it is designed and implemented as a core ingredient of the business strategy. Stakeholder, shareholder and customer trust are the key ingredients of information security; organizations from all sectors should identify such key ingredients in order to provide a business definition to information security.
While technical security controls are important, what distinguishes a typical information security management system from an effective one is the ability to correlate all parameters in the operation of an organization, especially the human factor. As can be seen, with particular attention to the above example of the World Lottery Association’s Security Control Standard, adapting to the unique landscape of a specific business situation should be the most salient consideration for any organization. While absolute information security is theoretically unachievable, organizations have the ability to reduce uncertainty and to continuously improve their approaches to making information security a business enabler.

Access control: taking care of your premises, your pockets and the planet
As British businesses continue their battle against rising inflation and the surprise economic shrinkage of late 2010, the need to cut costs in any way possible is still at the forefront of the corporate agenda in 2011.
Despite these financial cutbacks, corporate social responsibility and being able to demonstrate environmental credentials to customers and key stakeholders remains a priority for many businesses. What many businesses often fail to realise, however, is the crucial role that their security provider can play in helping to combine the two.
Thanks to the continuous technological development within the private security industry, access control and visitor monitoring systems can now be utilised as part of intelligent solutions that work alongside Building Energy Management Systems (BEMS) to help companies save money on their energy and heating bills.
In such systems, data gathered by access control and visitor monitoring systems is used to inform the BEMS of the nature and function of the people occupying a heating zone. This information is applied by the BEMS to heat-loss algorithms to determine the minimum amount of heat to be applied to a particular area, reducing the amount of energy consumed and avoiding unnecessary wastage.
Identifying patterns in visitor behaviour can stop the unnecessary heating of unoccupied heating zones, saving on fuel and CO2. This works using past data to assess when a certain area of the building is likely to be occupied, activating heating in time for visitors' arrival and reducing temperature or turning off the heating entirely during periods of inactivity.
Knowing what roles are being fulfilled by individuals operating within a heating zone also allows the BEMS to make adjustments and lower the amount of fuel consumed. For example, cleaners and/or people performing manual or physical tasks can work in slightly lower temperatures than, say, office workers whose role is largely sedentary. Figures published by Business Link show that the typical office can reduce its heating bill by up to 8% a year simply by lowering the temperature by one degree.
With many organisations both in the public and private sector experiencing variable occupation within their buildings, using intelligent access control and visitor management systems to regulate energy consumption is the logical next step to cutting costs and reducing environmental impact.
To find out more about Access Control, visit www.bsia.co.uk/accesscontrol

Trusteer and WorkLight Partner to Deliver Integrated Security for Mobile Applications
Trusteer Secure Web Access and WorkLight Mobile Platform to Provide Automatic Malware Detection and Mitigation
Trusteer, the leading provider of secure web access services, and WorkLight, a global leader in mobile application platform technology, today announced a partnership to provide enterprises with enhanced security of mobile applications developed, run and managed using the WorkLight Mobile Platform.  
Integration of Trusteer Secure Web Access with the WorkLight Mobile Platform will complement built-in security mechanisms currently offered by WorkLight to ensure that enterprise applications developed for smartphones and tablets, including the iPhone, Android, BlackBerry, iPad and others, are automatically protected against the growing security risks associated with malware.
The proliferation of personal smartphones and tablets is creating a dangerous gap in enterprise security, and the problem is expected to grow significantly in 2011 and beyond. Gartner, Inc. recently reported that worldwide mobile device sales to end users totalled 1.6 billion units in 2010, a 31.8 percent increase over 2009, and smartphone sales to end users were up 72.1 percent from 2009 and accounted for 19 percent of total mobile communications device sales in 2010. In the U.S., Gartner expects smartphone sales to grow from 67 million units in 2010 to 95 million units in 2011. The number of enterprise applications being developed and extended to mobile devices is growing at an even greater rate. For every smartphone and tablet, there are hundreds if not thousands of applications offered by companies for consumer, business, and employee use.
The WorkLight Mobile Platform enables organizations to create and manage rich applications for these popular devices, while ensuring optimal user experiences per environment with reduced time to market, development cost and ongoing maintenance. Trusteer Secure Web Access detects smartphones and tablets infected with, or at risk of infection from, malware and prevents them from connecting to protected enterprise web resources. In addition, it provides real-time alerts to enterprises on infected or vulnerable devices that attempt to connect to resources and applications. Trusteer’s service allows enterprises to benefit from the productivity and flexibility provided by mobile applications without the security risk.
Built-In Mobile App Protection
Trusteer Secure Web Access is integrated with the WorkLight Mobile Platform to enhance existing security mechanisms currently offered by the platform. Both Trusteer and WorkLight are used by some of the largest companies in the world. Trusteer will provide WorkLight with the following native security capabilities:
• Detection of malware and malicious activity on the device
• Malware mitigation and removal
• Tamper resistant security libraries and tamper attempt alerts
• Protection against SMS-based phishing and out-of-band authentication attacks
• Protection against man-in-the-browser attacks
• Risk assessment of compromised devices accessing corporate network and applications
“Mobile devices are reshaping how companies do business by enabling always-on, always connected access to IT resources,” said Yaron Dycian, vice president of products for Trusteer. “However, this flexibility creates a very real security risk. Our partnership with WorkLight enables enterprises to harden the security of mobile applications from the inside-out to both protect mobile devices from malware attacks and prevent infected devices from accessing secure networks and data.”
“While the complexity of securing mobile applications is only now coming to light at enterprises deploying multiple apps across devices, WorkLight has been on the forefront of delivering enterprise-grade security as an integral part of our platform for some time,” said Ron Perry, CTO for WorkLight. “With this latest addition to our capabilities, made possible by integrating with Trusteer’s leading protection technology, WorkLight will uniquely provide customers with safeguards against increasingly frequent and sophisticated mobile malware attacks.”

 

Copyright 2004 to 2010 Clarke Design & Media Ltd