By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Description: Security and IT teams don’t operate independently; their work and tasks are heavily influenced by the organization’s business objectives, which define the IT roadmap and decisions. However, factors outside the enterprise’s control, such as constant attacks, technology changes and upgrades, regulations, and compliance, add to the complexity of securing the organization’s ecosystem.
This guide covers the security technology and market trends, influences, and global risks affecting IT security:
- Business and industry influences
- External and internal factors
- New and changing business models/strategies
- Risk management
- Dynamic business models
- New strategies
- Security concerns during integration
- External and internal influence
- De-perimeterization

In this guide, we will learn about the challenges presented by constant yet dynamic business changes. The security and IT departments do not operate in silos. Their tasks and aims are influenced by the organization’s business objectives and corporate policies, which guide and alter their decisions. The job of security and IT professionals is made more difficult by additional considerations introduced by factors outside the enterprise or beyond its control: legal regulations, partnerships, and technical concerns. Add the introduction of new, untested, and unfamiliar technologies, and there is a perfect recipe for a security incident waiting to happen.
This guide covers the security risks introduced by dynamic business influences, along with actions that can be taken to minimize those risks.

Structure
- Risk management from new technology, partnerships, outsourcing, cloud, acquisition/merger, and divestiture/demerger
- Policies, regulations, and geographical trends
- Competitors, auditors/audit findings, regulatory entities
- Internal and external client requirements, and top-level management
- Impact of telecommuting, cloud, mobile, BYOD, and outsourcing
- Ensuring third-party providers have requisite levels of information security

Objective
After studying this guide, you will understand the challenges presented by risks from new products, businesses, and technologies, as well as from new partnerships, outsourcing, and acquisitions and mergers. Security concerns arising from the cloud, from internal and external factors, and from constantly changing network edge boundaries are also discussed.

Risk management of new technologies
For security experts, the list of new products, technologies, collaborations, and user behaviors is never-ending. It is neither conceivable nor advisable to halt the technological tide, but it is always necessary to manage the associated hazards. Every new technology and behavior must be thoroughly examined as part of a systematic risk management procedure. The most important takeaway from this guide is that risk management is a circular, never-ending activity. While the approach should result in a risk profile for each activity or technology, keep in mind that the elements that affect risk profiles and technology profiles are continually changing. When a company decides to implement new cutting-edge technology, there are always worries about the system’s maintenance and support operations. This is especially true for software applications; for instance, what would happen if the software provider shuts down or goes out of business?
A source code provision in the contract alleviates this worry: the source code is held by a third-party provider, and if the vendor goes out of business, that provider is accountable for giving the client the most recent version of the source code. To improve user performance, it is also important to stay on top of any changes in the tasks that users perform on a daily basis. For example, if an organization’s users increasingly use chat sessions rather than email to discuss sensitive issues, securing instant messaging communications becomes just as important as securing the email systems. To keep up with the ever-changing work habits of users, security teams should monitor user activity frequently to uncover new threat vectors and protect against expanding and shifting risk areas.
The figure below illustrates the new trends in the IT domain. These reveal new performance-enhancing techniques used by office workers, as well as potentially dangerous habits such as writing passwords on sticky notes. Security policies and user awareness training help reduce, deter, and avoid these hazards. The aim is to proactively anticipate harmful user behaviors by monitoring emerging mobile trends, such as cloud usage.
Figure: Upcoming technology trends

Changing business models
The way an organization does business with others is the major cause of change in the organization’s risk profile for a process or a specific activity. The organization’s security is affected in some manner as new partnerships and collaborations are created, new assets are added or lost, and new technologies are introduced as a result of mergers or demergers. Establishing formal or informal connections with other organizations necessitates the interchange of sensitive data and information, which inevitably results in new security concerns. The security procedures that must be followed while managing sensitive data sent between the two parties are spelled out in a third-party connection agreement (TCA). This agreement is used whenever the relationship requires relying on another organization to protect corporate data. Organizational collaborations do not always entail the exchange of sensitive information; they may instead involve the provision of a shared service. These can be created between comparable organizations in the same industry or with third-party affiliates. Regardless of the nature of the partnership, the TCA defines the parties’ duties for securing data, connections, and sensitive information.
Learners should research and study the following security organizations, which have adjusted their business models in response to shifting trends:
- Clear Biometrics https://www.clearme.com/
- Onfido https://onfido.com/
- Stanley Security https://www.stanleysecurity.com/
- Telstra https://www.telstra.com.au/
- TSA https://www.tsa.gov/

Outsourcing and partnerships
Outsourcing labor to third-party providers introduces liability, which many firms overlook when doing risk assessments. Outsourcing agreements must guarantee that the information entrusted to third parties is constantly protected by appropriate security procedures that meet legal and regulatory standards.
The figure below presents the IT outsourcing contract and procurement processes; third-party outsourcing agreements must be codified. Organizations should establish contract and procurement management processes to guarantee that regulatory and legal obligations are satisfied. Periodic audits confirm that contracted vendor organizations are adhering to the contract’s terms.
Figure: IT outsourcing models
Outsourcing can become a problem for a corporation when a vendor subcontracts a function to another third party. In that instance, the firm that owns the data should immediately cancel the contract with the vendor if the vendor cannot show an agreement with the third party that assures appropriate security for any data handled by the third party. When functions are distributed among numerous providers, the risks associated with outsourcing may be exacerbated. The separation of tasks among providers has a negative influence on strategic architecture. Vendor management expenses rise, limiting the organization’s ability to respond to changing market conditions. Internal IT system expertise dwindles, limiting future platform development. Security restrictions and upgrades take longer because they must be implemented across different organizational borders. Finally, when outsourcing crosses national borders, other challenges emerge: the laws of certain countries are more stringent than those of others.

Cloud computing trends
The regulations of many countries and regulatory organizations must be addressed when it comes to cloud computing trends and cloud security, particularly in terms of where data originates and is stored. Because the laws in other nations may be less stringent, businesses may be hesitant to do business with providers there. Regulatory compliance and the security levels of environments, such as restrictions on credit and debit card data handled by shared hosting providers or outside a nation that does not follow PCI DSS, impede the use of the public cloud.
Figure: Cloud computing trends
Instead, a private cloud hosted on-site within the firm should be explored. Security concerns, cloud benefits, and drawbacks must be outlined in relation to the options, and a path forward should be recommended. Elasticity is a feature of cloud deployments, since virtual resources are commissioned and decommissioned on the fly over a shared resource pool. The hardware platforms utilized are not disclosed to the organizations. Another risk is that data stored on a platform may be scraped from decommissioned hardware for a period of time afterwards. Hybrid clouds combine public and private environments that are separate but interconnected. For example, an organization’s data might be stored on a private cloud that links to a public cloud-based business intelligence platform. In the event that demand exceeds the capacity of the private cloud, organizations may use a public cloud provider to access the services. Community clouds are shared by enterprises with a common objective to address, with a third-party or cross-company team serving as the supplier. A community cloud may be beneficial to everyone because the overall cost is split among the participating organizations.

Merger and acquisition influences
During mergers and acquisitions, networks are joined, server systems and applications are integrated, and new infrastructures are occasionally created. Such conditions offer an opportunity to reconsider how the linked infrastructures are safeguarded. However, if one business uses different hardware manufacturers, network designs, or rules and processes than the others, things get difficult. During the integration planning and negotiations, all parties must consider security issues. This is known as the due diligence phase, which allows you to analyze and comprehend every area of the other company’s activities.
Then, with a thorough understanding of the integrated infrastructure environment in advance to assure security, a suitable merger or acquisition is achievable. Penetration testing on both sides is required prior to merging the networks, so that both businesses have a comprehensive grasp of current and future hazards. An interconnection security agreement (ISA) that includes a full risk analysis of the acquired organization’s entire operating ecosystem is recommended. Systems and equipment that do not meet the requirements for compliance and security must be removed, changed, or rebuilt. When a corporation splits off or demerges sections of itself, a spin-off is executed, with the demerger resembling a divorce. The affected parties must agree upon which entity’s assets, services, and infrastructure will be used. This normally entails removing all data from systems and reviewing security measures on both sides in preparation for the updated architecture. When components of an organization are sold to another firm, the parent company should verify that only the necessary data is transmitted to the acquiring company and nothing else. The hazard of interconnected networks during the transition phase is the greatest risk faced by an organization selling a unit to another firm or acquiring one from another company. It is vital to identify the data flows between the companies involved, and any data flow that is not required should be prevented. To achieve secure mergers or demergers, a due diligence team made up of professionals from both firms must be formed. This group is in charge of establishing a strategy for assessing current security measures and monitoring the process at each stage. The team also looks for security overlaps and gaps between the two integrating units. For each identified risk, a risk profile should be built, which includes transferring data and prioritizing procedures to identify those that require immediate attention.
Auditors and compliance teams must ensure that security procedures and frameworks are in sync.

Data ownership
A changing company model has an impact on data ownership. Management must make judgments about data ownership based on the business model being used. Security experts must assess whether data will remain under independent ownership or be integrated as part of a corporate purchase or merger. If a data merge is to take place, a strategy detailing the actions involved should be created. Management must select which organization will control the data in a corporate sale or demerger. To guarantee that the required data is collected effectively, detailed plans and processes must be created.

Data reclassification
Security professionals need to examine the data classification model when an acquisition/merger or divestiture/demerger occurs. In the case of an acquisition/merger, security professionals must decide whether to keep the data separate or merge it into a single entity. In the case of a divestiture/demerger, security professionals must ensure that legally protected data is not given to an entity that is not covered by the same laws, regulations, or standards. The laws, regulations, and standards governing the two organizations must be considered. It may be necessary for the organization to carefully design a new data classification model and define the procedures for data reclassification. Whether data is being integrated, kept distinct, or split based on ownership, enterprises must make sure data security is a top concern. Assume a healthcare organization has decided to sell an application it has built. Management must collaborate with security experts to guarantee that all application data, source code, development plans, and marketing and sales data are supplied to the acquiring business.
Management must also guarantee that no confidential healthcare data is accidentally included in the data that will be transferred as part of the divestiture.

Security concerns of integrating industries
In many situations nowadays, businesses are combining business models that are vastly different from one another. Organizations sometimes venture into new domains with vastly different cultures, geographic locations, and regulatory regimes. This can lead to new business opportunities, but it can also lead to security flaws. The following sections provide an overview of some of the concerns that must be examined. When merging different industries, the problem is to strike a balance in terms of rules. While uniformity across all aspects of a company is a noble objective, imposing an unfamiliar set of regulations on one element of the company may result in resistance and morale issues. A long-standing culture in one unit may be to trust users to administer their own computers, which may include local administrator rights, while another unit may be hostile to allowing users such access. While standardizing regulations throughout a company may become necessary, it should not be done without first assessing the advantages and downsides. The advantages should be weighed against any opposition that may arise, as well as any potential productivity losses. Due to localized concerns, it may be essential to keep a few alternative regulations. This decision should be made by top management in collaboration with the security specialists. Because policies are less likely to prescribe precise answers, they may be easier to standardize than rules or regulations. Many rules use ambiguous terminology, such as “the utmost feasible data protection must be provided for data believed to be secret”. This terminology gives each department the freedom to decide what is and is not a secret.
However, when a business acquires or merges, its rules should be thoroughly examined to ensure that they are current, offer adequate security precautions, and are not unduly onerous for any unit within the firm. Government bodies (such as the DHS, FCC, and DOT) frequently adopt regulations to guarantee that specific areas of a sector are controlled. When corporations from heavily regulated sectors are joined with companies from less heavily regulated industries, the degree of regulation within each business unit will differ vastly. In many circumstances, this scenario should be recognized as normal, rather than being viewed as a lack of standards.

Export controls
The laws and regulations that govern the transfer or transmission of commodities from one nation to another are known as export controls. This includes the disclosure of technical data to individuals outside the nation. Exports are governed by rules and regulations in both the United States and the European Union (EU). Concerns about exports emerge for three main reasons: the item’s qualities, the item’s intended destination, and the item’s probable final use. Export controls are in place to safeguard national security, carry out foreign policy, and retain military and economic advantage. Governing organizations, such as those in the United States and the EU, publish lists of restricted items. Entity lists, debarred parties, denied persons, and embargoed states are common. While the export rules include exceptions, firms should consult with legal counsel before exporting any listed items. Failure to follow export control laws can result in criminal charges, monetary penalties, damage to one’s reputation, and the loss of export licenses. Organizations with questions about export controls in the United States should contact Northwestern University’s Office for Export Controls Compliance.

Legal requirements
Legal compliance must be part of any organization’s security approach.
Organizations must understand the regulations that apply to their business in order to achieve legal compliance. Financial, healthcare, and industrial production are examples of industries with numerous federal, state, and municipal rules to consider. The following sections highlight a few of the laws and rules that organizations must consider. You do not need to memorize the rules and regulations presented in these sections; nonetheless, you should have a broad understanding of how they influence businesses in order to analyze the scenarios you may encounter on the CASP exam.

Sarbanes-Oxley (SOX) Act
The Sarbanes-Oxley (SOX) Act, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, affects any company that is publicly traded in the United States. It governs accounting practices and financial reporting for businesses, and imposes penalties and even jail time on senior officials. It introduced significant modifications to existing securities legislation as well as harsh new punishments for violators. This legislation was enacted in reaction to the financial crises involving publicly listed corporations such as Enron Corporation, Tyco International plc, and WorldCom in the early 2000s.

Health Insurance Portability and Accountability Act (HIPAA)
The Kennedy-Kassebaum Act, better known as HIPAA, applies to all healthcare institutions, health insurance companies, and healthcare clearinghouses. The Office for Civil Rights of the Department of Health and Human Services is in charge of enforcing it. It establishes rules and processes for the storage, use, and transmission of medical and healthcare data. Unless state laws are stricter, HIPAA takes precedence.
To comply with the HIPAA Security Rule, all covered entities must:
- Ensure the confidentiality, integrity, and availability of all electronic protected health information
- Detect and protect against any risks to the information’s security
- Protect against anticipated impermissible uses or disclosures
- Certify compliance by their workforce

Gramm-Leach-Bliley Act (GLBA)
All financial institutions are affected by the Gramm-Leach-Bliley Act (GLBA), including banks, lending firms, insurance companies, investment organizations, and credit card companies. It establishes security requirements for all financial data and forbids the sharing of financial data with third parties. This legislation has a direct impact on the protection of personally identifiable information (PII).

Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private-sector businesses in Canada gather, use, and disclose personal data in the course of doing business. The legislation was enacted in response to EU concerns regarding the protection of personal information (PII) in Canada. The legislation requires companies to obtain consent before collecting, using, or disclosing personal information, and to establish clear, intelligible, and easily accessible personal information policies.

Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses that handle cardholder data for the major credit card issuers. PCI DSS Version 3.2 is the most recent. An organization’s compliance with the standard must be verified at least once a year. Although PCI DSS is not a law, it has influenced the adoption of various state legislation.
Figure: PCI DSS Framework

Federal Information Security Management Act (FISMA)
Every federal agency, as well as its suppliers and service providers, is affected by the Federal Information Security Management Act of 2002. It mandates that each federal agency establish, publish, and implement an information security program for the whole organization. FISMA mandates that federal entities create an effective risk management program for information security. The National Institute of Standards and Technology (NIST) provides detailed recommendations for compliance with FISMA. This produces formal guidance that helps agencies meet their cybersecurity requirements while emphasizing a risk-based approach, which builds a program that is fit for purpose based on the circumstances and places special emphasis on cost-effective protection.

USA PATRIOT Act
The USA PATRIOT Act of 2001 affects US law enforcement and intelligence institutions. Its goal is to improve law enforcement’s investigative capabilities regarding email communications, phone records, Internet communications, medical records, and financial information. The Foreign Intelligence Surveillance Act and the Electronic Communications Privacy Act were both amended by this statute when it was passed. Although the USA PATRIOT Act does not prohibit private citizens from using investigative tools, there are some exceptions: for example, if a private citizen is acting as a government agent (even if not formally employed), if the private citizen conducts a search that would require law enforcement to obtain a warrant, if the government is aware of the private citizen’s search, or if the private citizen is performing a search to assist the government.
The purpose of the USA PATRIOT Act is to deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and other purposes, some of which include:
- To strengthen U.S. measures to prevent, detect, and prosecute international money laundering and financing of terrorism
- To subject to special scrutiny foreign jurisdictions, foreign financial institutions, and classes of international transactions or types of accounts that are susceptible to criminal abuse
- To require all appropriate elements of the financial services industry to report potential money laundering
- To strengthen measures to prevent the use of the U.S. financial system for personal gain by corrupt foreign officials and facilitate the repatriation of stolen assets to the citizens of countries to whom such assets belong

EU laws and regulations
The EU has established several laws and regulations affecting security and privacy. The EU Privacy Principles contain strong provisions to protect personal data. The EU’s Data Protection Directive outlines how to comply with the requirements contained in the principles.
The Safe Harbor Privacy Principles were designed by the EU to assist U.S. firms in complying with the EU Privacy Principles. Some of the guidelines include the following:
- Data should be collected in accordance with the law.
- Information collected about an individual cannot be shared with other organizations unless the individual gives explicit permission for such sharing.
- Information can be transferred to other organizations only if the sharing organization has adequate security in place.
- Data should be used only for the purpose for which it was collected.
- Data should be used only for a reasonable period.
A safe harbor, according to the EU, is an entity that complies with all of the EU Privacy Principles. A data haven is a jurisdiction that does not legally safeguard personal data, with the primary goal of attracting data-gathering firms. Electronic signature principles are defined in the EU Electronic Security Directive. According to this directive, a signature must be uniquely linked to the signer and to the data to which it refers, so that any subsequent modification of the data can be detected. The signature must be capable of identifying the signer.

Geography
Geographical differences have a significant influence on ensuring that a merger or demerger goes as smoothly as possible. Aside from any language obstacles, the kind of technology accessible in different regions of the world may vary dramatically. While an organization may have rules requiring the use of specific technologies to secure data, the hardware and software necessary to implement these policies may be unavailable in other nations or regions, such as Africa or the Middle East. As a result, it may be necessary to implement policy changes and exclusions. If that is not acceptable, the organization may be forced to find alternative means to fulfill the long-term aim, such as prohibiting the transmission of particular types of data from a place where the requisite technologies are not available. Another difficulty is that legal and regulatory standards vary by country. While one jurisdiction may have stringent data archival and security regulations, another may have almost none. The question is once again whether cross-national standards make sense. In certain cases, the expense of standardization may be greater than the benefits gained. The business may also opt not to keep data with greater security needs in countries that lack the relevant policies or laws to secure the data.
Data sovereignty
Data sovereignty refers to the idea that digital data is subject to the laws of the nation in which it is housed. The many privacy rules and regulations enacted by nations and governing bodies affect this idea, and the deployment of cloud technologies complicates it further. Many nations have passed laws requiring that customer data be stored in the country where the client resides. When engaging with service providers and other third parties, however, companies are finding it increasingly difficult to confirm that this is the case. To ensure compliance, organizations should check the service-level agreements with these suppliers. Keep in mind, however, that the legislation of several nations may apply at once. Consider the case where a corporation in the United States uses a data center in the United States, but the data center is managed by a company in France. Both US and EU rules and regulations would apply to the data. Another consideration is the type of data being stored, as various data types are governed differently. The regulations governing the transit and storage of healthcare data and consumer data are substantially different.
A security specialist should answer the following questions:
- Where is the data stored?
- Who has access to the data?
- Where is the data backed up?
- How is the data encrypted?
The answers to these four questions will assist security professionals in developing a governance policy for their company that addresses data sovereignty risks. Remember that both the entity that owns the data and the vendor providing the data storage service, if any, are responsible for adhering to data rules.

Jurisdictions
A jurisdiction is a geographical area or territory that is subject to governmental authority. Jurisdictions, however, are frequently flexible, owing to reciprocity agreements between them. For example, the United States has signed mutual legal assistance agreements with several nations, allowing information to flow between jurisdictions. As a result, businesses may need to be familiar with more than just the rules and regulations that apply to a particular nation or regulatory agency. Because many nations have begun to address data residency and sovereignty issues, security professionals must keep track of the jurisdictions that may affect corporate data.

Internal and external influences
Security rules are not born out of thin air. Balancing security, performance, and usability is tough enough without the influence of competing constituencies. Internal and external pressures must be considered and resolved in some way. The following sections go through the various sorts of influences and how they might affect the formulation and execution of security policies.

Competitors
When it comes to security, businesses should constantly be looking at what their rivals are doing. While each company’s security requirements are distinct, maintaining one’s reputation is a concern shared by everyone. Almost every day, we hear about corporations whose digital reputations have been harmed by security breaches. Proclaiming a company’s network security has virtually become another commercial differentiator.
While increasing network security is clearly a good aim, security experts must ensure that no superfluous steps are taken simply on a “monkey see, monkey do” basis. In virtually all circumstances, ineffective security measures degrade network performance or make the network less usable for users. While businesses should strive to improve their security to outperform their rivals, security professionals should properly investigate any new measures they want to adopt to verify that the benefits exceed the risks.

Auditors/audit findings
Without a record of activities and an assessment of those activities, accountability is impossible. The degree and scope of auditing should correspond to the company’s security policy. Self-audits or audits by a third party are both options. Self-audits always carry the risk of subjectivity creeping into the procedure. The outcomes of audits or tests, regardless of how they are conducted, are meaningless unless they are incorporated into a revision of present policies and processes. Internal audits are conducted on a regular basis throughout the year, while external audits are conducted once a year. The International Organization for Standardization (ISO), also known as the International Standards Organization, collaborated with the International Electrotechnical Commission (IEC) to standardize British Standard 7799 (BS7799) into the ISO/IEC 27000 family of worldwide standards.

Regulatory entities
Many businesses operate in a highly regulated environment; banking and healthcare are two examples. Regulations affect security in different ways. A third party verifies that a company is adhering to industry or government norms and laws. This third party examines organizational activities as well as any other area specified by the certifying or regulatory body, and informs the certifying or regulatory body of all of its findings.
According to the contract with the third party, any discoveries or conclusions shall be conveyed solely to the organization under review and the regulatory organization. This procedure should be overseen by a member of top management, who will grant access to the third party as needed. A third party may be required to perform an onsite assessment, a document exchange/review, or a process/policy review as part of this study.

A third-party team conducts the onsite assessment. This team needs unrestricted access to all elements of the company. Observing personnel executing their daily responsibilities, examining records, evaluating paperwork, and other tasks may be included in this evaluation. To establish solid control of the process, management should appoint a member of management to whom the team may make formal requests. This assessment might encompass both vulnerability and penetration testing, carried out by a team made up of both employees and hired third parties.

A document exchange/review entails sending a group of documents to a third party for evaluation. On both sides of the transaction, the document exchange procedure must be secure. This is achieved by employing an encryption level that reflects the sensitivity of the material in question or, in certain situations, the level mandated by law or recognized industry standards.

A process/policy review examines a specific process or policy inside an organization to ensure that it complies with the rules.

Internal and external client requirements

The security relationship that must be established with both internal and external customers can also play a part in defining the types of security to be employed. When we talk about customers, we’re referring to people who need to engage with the network in some manner. Both internal customers, who operate within the LAN, and external customers, who operate outside the LAN, must communicate with the network.
For example, while uploading data, connecting to a VPN, or downloading data, the sensitivity of the activities and the data being handled determines which security measures should be used. It is common knowledge that security measures have an impact on network performance as well as user ease of use. It’s critical to distinguish between instances when certain security measures (such as encryption) are necessary and when they are not; removing unnecessary procedures can improve network speed while also reducing complexity for users. While installing access control lists on a router can improve security, keep in mind that the processing consumes router CPU cycles and reduces the router’s capacity to accomplish its primary duty of routing. When there is excessive reliance on such protection where it is not necessary, the network’s performance will be slowed needlessly.

Top-level management

While senior management often brings the least amount of security knowledge to the table, these executives have a disproportionate amount of influence over security choices. They make judgments based on company needs, not on an infatuation with the latest security gadgets or on security fears. Most executives consider security only in the event of an emergency. While senior management’s role is to split the budgetary pie in the most cost-effective way possible, an IT security professional’s responsibility is to make the case for security solutions that add value to the firm. This entails showing that the money saved by avoiding data breaches and losses outweighs the cost of a given security measure. Accepted risk management techniques must be used to present and assess the proposed measures.

Impact of de-perimeterization

De-perimeterization refers to the fact that network boundaries are continually shifting. Security experts used to approach security by hardening the network’s edges, that is, the network’s entrances and exits. The location of a network’s edges has shifted as a result of new working methods.
Furthermore, most corporate networks’ interiors are now separated into smaller segments, with control points in between. With the advent of wireless networks, portable network devices, virtualization, and cloud service providers, the network perimeter has become increasingly permeable and the attack surface has grown. Security architecture progress has resulted in improved security capabilities, the same number of security threats, and a higher total cost of ownership, but, on average, a smaller corporate data center. In conclusion, de-perimeterization, the continual shifting of network boundaries, has changed the game.

Telecommuting

Telecommuting is becoming more popular for a variety of reasons. It saves money on petrol and time spent commuting, and it is environmentally friendly because it reduces the amount of hydrocarbons emitted into the atmosphere. Despite its many benefits, telecommuting did not gain widespread acceptance until the technology to protect it was established. Secure VPN connections may now be provided to telecommuters, allowing them to access resources and work as if they were in the office, except for coffee and lunch. Telecommuting has several security implications. For example, network access control (NAC) technology may be required to guarantee that machines not under the direct supervision of the IT department are examined and remediated if necessary before being allowed access to the LAN, to avoid virus introduction.

Mobile threats

The introduction of mobile devices such as cell phones, tablets, and USB flash drives to an organization’s network poses a number of risks, which are as follows:
- Insecure web browsing
- Insecure Wi-Fi connectivity
- Lost or stolen devices holding company data
- Corrupt application downloads and installations
- Missing security patches
- Constant upgrading of personal devices
- Use of location services
- Insecure data storage
While corporate emails and company contact information are the most common types of corporate information stored on mobile devices, it is alarming to note that nearly half of these devices also contain customer data, network login credentials, and corporate data accessed through business applications. The growing usage of mobile devices, along with the reality that many of these devices connect to public networks with little or no protection, poses new problems for security experts. Educating users about the dangers of mobile devices and ensuring that they utilize suitable security measures will help protect them from the hazards that these devices pose.
Implementing a device-locking PIN, employing device encryption, enabling GPS location, and implementing remote wiping are some of the suggestions that should be presented to mobile device users. Users should also be wary of installing programs without first verifying that they are from a trusted source. Mobile device management (MDM) and mobile application management (MAM) technologies have become increasingly popular in businesses in recent years. They are used to guarantee that an organization can control the settings, programs, and other aspects of mobile devices while they are connected to the network.

BYOD

Users’ urge to use personal computing devices in the workplace, such as cellphones, tablets, and laptops, is similar to the pressure to use wireless networks in the company. The Bring Your Own Device (BYOD) genie is officially out of the bottle, despite the fact that the concept gives security experts nightmares. The impact on security is similar to that of telecommuting in that technologies like network access control may be required to ensure that personal devices not under the direct control of the IT department can be scanned and remediated if necessary before being allowed access to the LAN, to prevent malware from being introduced. It should be noted that government regulations that pertain to medical, financial, and other sorts of PII apply to the data, not to specific devices. This implies that the obligation to secure data that lives on personal devices brought into the network as part of a BYOD program remains the same. Keep in mind that while typical business images and software installation limitations may provide some data security, they do not cover all risks. An employee may, for example, use a business FTP tool to move customer lists and other proprietary material to an external computer and then sell them to a rival. BYOD programs fail when they are not restrictive enough.
Some firms whose rules did not allow non-company endpoint devices on the business network have had to rethink and revise those rules. It could also be a good idea to create security-focused standard operating environments for all essential operating systems and make sure that each business unit’s demands are addressed. When it comes to supporting a BYOD program as a security expert, you should keep in mind that you have more to fear from users’ negligence than from hackers. Not only are users less than diligent in applying security updates and patches to their devices, but they also buy new devices as often as they change clothes. These factors make it difficult to maintain control over the security of the networks in which these devices are allowed to operate.

Centralized mobile device management technologies are quickly becoming the most popular option for both business and personal devices. Some solutions make use of the messaging server’s administration features, while others are third-party programs that can handle several device brands. Cisco Systems Manager is an example of a product that works with Cisco Meraki cloud services. Apple Configurator is a good example for iOS devices. One of the difficulties in putting such a system in place is that not all personal devices offer native encryption and/or management. In most cases, centralized mobile device management technologies differentiate between company-issued and personal mobile devices. For organization-issued devices, a client application oversees the setup and security of the complete device. If the device is a personal device enrolled in a BYOD program, the application normally only manages the setup and security of itself and its data. The application and its data are isolated from the rest of the system.
As a consequence, if the device is taken, the organization’s data is safeguarded, but the privacy of the user’s data is also protected.
Regardless of whether a centralized mobile device management tool is in use, a BYOD policy should add the following to the security policy of the organization:
- Identify the allowed uses of personal devices on the corporate network.
- Create a list of allowed applications on the devices and design a method of preventing the installation of applications not on the list (for example, software restriction policies).
- Ensure that high levels of management are on board and supportive.
- Train users in the new policies.
In the process of deploying and supporting a mobile solution, the following guidelines must be implemented:
- Ensure that the selected solution supports applying security controls remotely.
- Ensure that the selected vendor has a good track record of publicizing and correcting security flaws.
- Make the deployment of an MDM tool a top priority.
- In the absence of an MDM system, design a process to ensure that all devices are kept up-to-date on security patches.
- Update the policy as technology and behaviors change.
- Require all employees to agree to allow remote wiping of any stolen or lost devices.
- Strictly forbid rooted (Android) or jailbroken (iOS) devices from accessing the network.
If possible, choose a product that supports the following:
- Encrypting the solid-state drive (SSD) and non-volatile RAM
- Requiring a PIN to access the device
- Locking the device when a specific number of incorrect PINs are attempted

Outsourcing

When data is transferred to a third party, the link between the firms becomes a component of the perimeter. As a result, the connection’s security is crucial. With outsourcing, security protections like interconnection security agreements (ISAs) and contract language that clearly describes essential security implementations become even more important. Finally, outsourcing procedures to a third party that handles sensitive information or personal information protected by a regulatory body would almost certainly have an impact on security. Outsourcing to third parties is a risk that many companies overlook when doing risk assessments. Any outsourcing agreement must guarantee that the information transferred to the other business is safeguarded by appropriate security measures in order to meet all regulatory and legal requirements.

Ensuring that a third party has the necessary level of data security

Downstream liability is the liability a company incurs as a result of its relationships with other businesses and customers. Consider whether a hired third party has the necessary procedures in place to ensure that a company’s firewall receives the necessary security upgrades. Customers can sue the company for negligence if hackers enter the network through a security flaw and steal data and identities. Liability issues that an organization must consider include third-party outsourcing and contracts and procurements.

Due diligence and due care

These are two terms that have to do with liability. Due diligence indicates that a company is aware of the security threats it confronts and has taken reasonable steps to mitigate those threats.
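The device requirements from the BYOD and mobile-solution lists above (PIN, lockout after failed PINs, encryption, current patches, remote-wipe consent, no rooted or jailbroken devices, an application allowed list), expressed as the kind of posture check a NAC or MDM admission decision would run before a personal device reaches the LAN. This is an added example, not code from the guide or any MDM product; the field names, thresholds and sample devices are constructed assumptions.

```python
# Added example: a device posture check for BYOD admission. Field names,
# policy thresholds and the sample records are assumptions, not from any vendor.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Hypothetical policy values; a real deployment takes these from its BYOD policy.
ALLOWED_APPS: Set[str] = {"mail", "calendar", "vpn-client", "authenticator"}
MAX_PATCH_AGE_DAYS = 30        # "kept up-to-date on security patches"
MAX_FAILED_PIN_ATTEMPTS = 10   # device must lock at or before this many bad PINs


@dataclass
class Device:
    device_id: str
    rooted_or_jailbroken: bool
    storage_encrypted: bool
    pin_required: bool
    lockout_after_attempts: Optional[int]  # None = no lockout configured
    remote_wipe_agreed: bool
    last_security_patch: date
    installed_apps: Set[str] = field(default_factory=set)


def posture_findings(dev: Device, today: date) -> List[str]:
    """Return every policy violation for the device; an empty list means compliant."""
    findings: List[str] = []
    if dev.rooted_or_jailbroken:
        findings.append("rooted/jailbroken device")
    if not dev.storage_encrypted:
        findings.append("device storage not encrypted")
    if not dev.pin_required:
        findings.append("no PIN required to unlock")
    if dev.lockout_after_attempts is None or dev.lockout_after_attempts > MAX_FAILED_PIN_ATTEMPTS:
        findings.append("no (or too lenient) lockout after failed PIN attempts")
    if not dev.remote_wipe_agreed:
        findings.append("user has not agreed to remote wipe")
    if today - dev.last_security_patch > timedelta(days=MAX_PATCH_AGE_DAYS):
        findings.append("security patches older than %d days" % MAX_PATCH_AGE_DAYS)
    unapproved = sorted(dev.installed_apps - ALLOWED_APPS)
    if unapproved:
        findings.append("applications not on the allowed list: " + ", ".join(unapproved))
    return findings


def admission_decision(dev: Device, today: date) -> Tuple[str, List[str]]:
    """'allow' only when no finding remains; otherwise 'quarantine' for remediation."""
    findings = posture_findings(dev, today)
    return ("allow" if not findings else "quarantine"), findings


# Constructed sample inventory records (not real devices).
TODAY = date(2024, 6, 1)
COMPLIANT = Device("tablet-01", False, True, True, 10, True, date(2024, 5, 20),
                   {"mail", "vpn-client"})
NONCOMPLIANT = Device("phone-07", True, True, False, None, True, date(2024, 1, 15),
                      {"mail", "game-x"})

if __name__ == "__main__":
    for dev in (COMPLIANT, NONCOMPLIANT):
        print(dev.device_id, admission_decision(dev, TODAY))
```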
Due care refers to an organization taking all reasonable steps to prevent security concerns or minimize the consequences of security breaches. Due care and due diligence are sometimes used interchangeably, but they must be understood independently before being evaluated together. Gathering information is at the heart of due diligence. Organizations must put in place the necessary procedures to evaluate potential dangers to their assets. Due diligence gives you the knowledge you need to make sure your company is taking proper precautions. Due care cannot be exercised without proper due diligence. Due care is all about taking action. All organizational assets, particularly intellectual property, must be protected, and processes must be implemented. Under due care, failure to meet minimum standards and procedures is deemed negligent. An organization is negligent if it fails to take actions that a reasonable person would have taken in identical circumstances. Due diligence and due care, as you can see, have a symbiotic connection. Organizations detect areas of risk when they perform due diligence. A company may discover, for example, that ordinary employees are unaware of fundamental security concerns, that printed material is not properly disposed of, and that employees have access to files to which they should not have access. When due care is exercised, organizations consider the areas of recognized risk and take measures to defend against those risks. For the due diligence findings just described, due care would entail offering employees security awareness training, putting processes in place for correct destruction of printed material, and installing suitable access restrictions for all files. When working with other parties, it’s critical to make sure that the third party delivers the level of security that the data necessitates.
There are several ways to facilitate this, which are as follows:
- Include contract clauses that detail exactly the security measures that are expected of the third party.
- Periodically audit and test the security provided to ensure compliance.
- Consider executing an ISA, which may be required in some areas (for example, healthcare).

Conclusion

While engaging third parties can help meet time-to-market demands, a third party should be contractually obligated to perform adequate security activities, and evidence of those activities should be confirmed by the company prior to the launch of any third party-engaged products or services. The contract should also state that the corporation has the authority to audit the third party at any moment.