Paying Ransomware Could Lead To Fines

Ransomware has become an all too common problem for businesses. The question of whether a company should pay the ransom to get their information back is a complex one. More statistics are showing that using a proactive plan to information security will have better results than paying the ransom. Recent statistics do show that a higher percentage of victims are getting their data recovered, but 1/3 of victims still are not. In addition, statistics show that lost work costs a company several times more than the cost of the ransom.

Please read more on what the U.S. Government is asking the public to do, and why they may start fining individuals, or companies, that negotiate with an entity that is already under economic sanctions. 

https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam

“Ransomware has become an all too common problem for businesses.”

Information Security Policies and Plans

Information Security is important for any business.  Below, I will discuss some of the policies and plans that businesses should implement.

AUP – Acceptable Use Policy – ”An acceptable use policy (AUP) is a document stipulating constraints and practices that a user must agree to for access to a corporate network or the Internet” (techtarget.com).  More and more companies are making this a part of the employee handbook, as making sure current and new employees understand what is acceptable use with regards to the technology and specifically the internet that is available to them is necessary.  There are still employees that abuse the IT resources at their disposal, but having this policy in place allows a company a means to discipline, or prosecute, as needed. 

ACP – Access Control Plan – “Access control is a security measure which is put in place to regulate the individuals that can view, use, or have access to a restricted environment” (getkisi.com).  The environment can be a physical area, or even a technological area such as a computer, server, or other device that would hold data.  With physical areas, companies can use door locks, keypads, card readers, or biometric pads to allow a user access.  On technology, the use of passwords, key fobs, fingerprint readers, and smartcards can be used.  It should be important for all companies to have a formal plan in place, as this allows for enforcement.  Three important concepts of the access control plan are: identification, authentication, and authorization. 

ISP – Information Security Policy – “Information Security Policy (ISP) is a set of rules enacted by an organization to ensure that all users or networks of the IT structure within the organization’s domain abide by the prescriptions regarding the security of data stored digitally within the boundaries the organization stretches its authority” (infosecinstitute.com).  This policy should be what all of the other policies and procedures create.  There should be an overlying statement that explains what an organization wishes to accomplish in regards to information security.  Then each policy under this should define its respective policy, but still focus on how it will also support the main ISP.  The ISP should use the CIA Triad for Information Security to help guide its creation.  The characteristics of the CIA Triad of Information Security are: Confidentiality, Integrity, and Availability. 

IRP – Incident Response Plan – “Incident Response Planning includes the identification of, classification of, and response to an incident” (Whitman “Guide to Firewalls & VPNs” 56).  There are four phases to incident response: planning, detection, reaction, and recovery.  Incident response is reactive, but because of the planning phase, there should be some part that is proactive.  Enough different scenarios should be considered and planned for, that a company should have answers for future problems.  Reacting to and recovering from an incident is as important because a company will need to implement the plan, and recover from any damage done to data, or another asset. 

RAP – Risk Assessment Plan – Risk Assessment is “an approach to combining risk identification, risk analysis, and risk evaluation into a single strategy” (Whitman “Management of Information Security” 305).  This plan tries to be proactive as it asks questions to identify any risk that could occur; what the current level of risk is; and what level of risk is acceptable.  Managing the risk is an important part of this plan. 

E/CP – Electronic Communication Policy – The Electronic Communications Policy “provides guidelines for the appropriate use of electronic communications. It covers privacy, confidentiality, and security and is intended to ensure that electronic communications resources are used for appropriate purposes only” (techrepublic.com).  This is similar to the Acceptable Use Policy in that they both guide the usage of IT resources.  This policy is more of an overview for the company’s use of any form of communication: email, phone calls, and instant messaging.  And it further explains what can be done with the communication media by any representative of the company. 

DRP – Disaster Recovery Plan – “Disaster Recovery Planning (DRP) entails the preparation for and recovery from a disaster, whether natural or man-made” (Whitman “Management of Information Security” 538).  I would have thought that disaster recovery was a recent development, but after some research, it started in the 1970s.  With the increase in media coverage, whether news stations, or through social media, the major natural disasters that have struck around the world, and the increase in terrorist attacks have made this planning important to companies.  This is more of an overview of all policies that will assist in recovering from a disaster.  One part of this is the BCP, which will be explained in the next part.  A company should create a plan to lay out the steps agreed upon across all departments that will help recover from any disaster. 

BCP – Business Continuity Plan – “Business Continuity Planning ensures that critical business functions can continue if a disaster occurs” (Whitman “Management of Information Security” 549).  This planning is part of the bigger Disaster Recovery Plan.  The plan is specific to make sure that data is protected before a disaster occurs, so that business can continue after a disaster, or incident.  One way that this is done is by keeping a backup server off site, or have a warm site that has a full backup of all servers and data. 

Works Cited 

Techtarget.com. https://whatis.techtarget.com/definition/acceptable-use-policy-AUP. “Acceptable Use Policy”. 

Getkisi.com. https://www.getkisi.com/guides/access-control-planning-examples. “Planning Access Control? Here Are Some Examples”. 

Infosecinstitute.com. https://resources.infosecinstitute.com/key-elements-information-security-policy. “Key Elements of an Information Security Policy”. 

Whitman, Michael E., Herbert J. Mattord, and Andrew Green. “Guide To Firewalls & VPNs.” Pg 56. Course Technology. 

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security”. Pg 305. Cengage. 

Techrepublic.com. https://www.techrepublic.com/resource-library/whitepapers/electronic-communication-policy/. “Electronic Communications Policy”. 

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security”. Pg 538. Cengage. 

Whitman, Michael E., Herbert J. Mattord. “Management of Information Security”. Pg 549. Cengage. 

“The [Business Continuity Plan] is specific to make sure that data is protected before a disaster occurs, so that business can continue after a disaster, or incident.”