Analecta Cyber Company Blog: Security as a System

2016-10-12

Security as a System


Many organizations perceive security, cyber security specifically, as a true or false proposition: "We have cyber security" or "We don't have cyber security." Cyber security requires the right balance of controls that block access by unauthorized users, but also detect anomalies and adequately audit activity.


In reality, security matters are a complex cost-benefit analysis of external stakeholders that the typical business person has little understanding of. For example, who exactly are you trying to remain secure from?

Let's use the physical office environment as an example of how this model of "secure" or "not secure" fails. Every healthcare office uses locks on doors, file cabinets and medication cabinets, and may even have a safe in the office. Each of these locks provides a certain level of security, and the combination of procedures, practices and different types and complexity of locks culminates in a level of assurance against a specific threat.

Door Locks

Door locks are used to protect the office from unauthorized individuals when the office is closed.

File Cabinets

File cabinets store a mass of protected health and identity information that must be protected even from inadvertent access within the office. The lock ensures only authorized record custodians have access to the files.

Medication Cabinets

Locks protect medication cabinets, which may store costly or controlled substances that need special accounting and can only be handled by specific medical personnel.

Safes

The office may have a safe where it stores money during the day or in-between bank deposit schedules. The safe may have a numeric code or combination lock that protects access to the contents and is only available to the finance staff.

Each of these locks and the container that is protected serves a specific purpose and has a clearly defined role. You would not expect the file records lock to protect deposits or medication any more than you would entrust the patient records to simply being secured behind the main facility door.

Now, consider for a moment, what assets in this scenario are protected from a locksmith? Frankly, none of the security features we've outlined above are protected from the expertise and professional capability of a locksmith.

Control Types

Locks are a technical control that is very effective for regular use, but they must be balanced with the use of other security controls such as alarm systems and video recording (detection controls). Policies and procedures are also a type of control: administrative controls.

A combination of these security controls is used together to create a checks-and-balances based security that validates the proper function of individual systems and allows you to ensure the overall security system is operating correctly.

Given enough time, any system can be hacked into. It's understanding the current vulnerability of a system and monitoring the threats and activity of the system that keeps you one step ahead of attackers.

Analecta Security Services for healthcare practices uses a combination of these controls and systems to monitor the security status of your network and keep patient data secure. This combination of controls and monitoring is exactly why Analecta was sought to provide monitoring and oversight of more than 70 of the world's best hackers at the international Cyberlympics competition this year.