An Overview of Loss Prevention and I.T. Security

Loss prevention encompasses a wide range of threats, and Loss Prevention Professionals have to be ready to handle each type of threat that could affect their corporation.

There are four main types of threats:
  • Natural
  • Environmental
  • Technical
  • Human

Natural Threats – Tornadoes, Earthquakes, Hurricanes/Typhoons, Floods, Landslides, Lightning Storms, Heavy Rains, Blizzards, Fires, etc.

Environmental Threats – Gas Leaks, Fires, Toxic Waste, Pandemics, Fuel Outages, Drainage Blockages, Neighborhood Hazards, etc.

Technical Threats – Power Outages, IT System Failures, Fires, System Breakdowns, Manufacturing Defects, Malicious Code, etc.

Human Threats – Terrorism, War, Espionage, Sabotage, Theft, Arson, Hacking, Unethical Employee Conduct, Legal Disputes, Unaware Users, etc.

A study by Robert W. Taylor et al., in the book Digital Crime and Digital Terrorism, states that 73% of the risk to computer security comes from internal sources, while 23% is attributable to external sources. Internal threats include violence in the workplace, theft of proprietary information, sabotage, infiltration by gangs or organized crime, and terrorism (Purpura, Security and Loss Prevention, pg. 134). One of the most obvious threats is theft. Theft can be broken down into sub-categories including shoplifting, occupational fraud and abuse, employee theft, and, as described by Purpura, theft of proprietary information.

The I.T. threat from within is of great concern to those who wish to protect a company’s proprietary information. There are many reasons a company would want to protect its data: the loss of trade secrets, regulatory compliance, national defense, the fear of lawsuits, defalcation (embezzlement), or business continuity. Whatever the motive, companies have good reason to be concerned about I.T. security.

The Fourth Annual US Cost of Data Breach Study, an independent study conducted by the Ponemon Institute, states that the average cost of data loss has risen to $202 per customer record, up from the previous year’s $197.

Internal threats and data loss can be intentional or accidental, and they are caused by current employees, former employees, or third-party personnel such as contractors. Corporations face many I.T. threats every day. I.T. threats include many of the main threats listed above, with an emphasis on information technology business continuity and security.

To get a better understanding of what an I.T. Security Professional needs to know, we can look to the International Information Systems Security Certification Consortium, (ISC)2, for guidance. (ISC)2 has developed one of the most highly regarded and sought-after information security certifications, the Certified Information Systems Security Professional (CISSP). Books that help you study for the CISSP, such as CISSP for Dummies by Lawrence Miller and Peter Gregory, are organized around what is known as the Common Body of Knowledge (CBK) domains. Ten domains illustrate the vast range of topics that must be mastered to earn the CISSP certification. The domains are (excerpted from CISSP for Dummies):

Access Control – this domain is about securing the perimeter of systems and data, that is, deciding who is allowed in and what they may reach; many security breaches result from inadequate access controls.

Telecommunications and Network Security – this domain is easily the most extensive, encompassing topics such as networking models, protocols, standards, services, technologies, and vulnerabilities.

Information Security and Risk Management – this domain gets to the heart of information security concepts and risk management concepts.

Application Security – the essential concepts in this domain are application principles, the types of applications, application development, and databases.

Cryptography – you must fully understand the basic operation of cryptographic systems and how they apply in real-world applications.

Security Architecture and Design – this domain requires knowledge of security models, embedded systems, and basic computer architecture.

Operations Security – this domain details resources that must be protected, who should be restricted, control mechanisms available, the potential for abuse of access, appropriate controls, and good practices.

Business Continuity and Disaster Recovery Planning – detailed knowledge of Business Continuity Planning and Disaster Recovery Planning is needed.

Legal, Regulations, Compliance, and Investigations – in this domain you must know what a computer crime is, how to conduct an investigation and collect evidence, and understand what laws may have been violated and the (ISC)2 Code of Ethics.

Physical (Environmental) Security – understand the various threats to physical security. Elements include planning and design, physical security controls, administrative controls, access controls, and technical controls.

By: Joseph Dustin