Information Security Assessment in Nature Parks


  • 8/15/2019 Information Security Assessment in Nature Parks


    Information Security Assessment in Nature Parks

Saša Aksentijević 1, Toni Đugum 2, Krešimir Šakić 3

1 Aksentijević Forensics and Consulting, Ltd., Gornji Sroki 125a, Viškovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: [email protected]

2 National Park Krka, Trg Ivana Pavla II br. 5, Šibenik, Croatia
Tel: +385 22 20 17 77 Fax: +385 22 33 68 36 E-mail: [email protected]

3 National Park Krka, Trg Ivana Pavla II br. 5, Šibenik, Croatia
Tel: +385 22 20 17 77 Fax: +385 22 33 68 36 E-mail: [email protected]

Abstract – In this paper, specific requirements for information security assessment are identified, along with a proposal for a model tailored to the audit needs of information systems within nature parks (protected and conserved areas). Elements of an information security management system for nature parks are described, along with specific information security elements, called situations, that are to be evaluated. The proposed model is set up to provide a quantitative evaluation of the overall system of information security management. The audit approach involves the definition of cardinal events of information security, assets, threats and related vulnerabilities. The final outcome of the assessment is not only a mark that represents the overall state of affairs within the information security management system, but also a set of recommendations for remedial measures and for the implementation of information security controls in nature parks, in order to raise the already achieved and determined compliance level. The proposed model is tested in the case of the national park "Krka" in Croatia, and the test results provide unique and adequate insight into the achieved level of information security management system compliance.

Key words: information security, nature park, audit, quality systems, national park Krka

    I INTRODUCTION

The standard definition of a nature park is that it is an area of countryside, or occasionally sea or fresh water, protected by the state for the enjoyment of the general public or the preservation of wildlife; commercial exploitation of natural resources in a national park is illegal [1]. The internationally recognized definition of nature parks is the one of the IUCN, the International Union for Conservation of Nature, whose core mission is to help the world identify pragmatic solutions to the most pressing environment and development challenges. IUCN places national parks in the 2nd category of protection, and defines them as large natural or near-natural areas set aside to protect large-scale ecological processes, along with the complement of species and ecosystems characteristic of the area, which also provide a foundation for environmentally and culturally compatible spiritual, scientific, educational, recreational and visitor opportunities [2]. The primary objective of nature parks is the protection of biodiversity with its underlying ecological structure, supporting environmental processes and promoting education and recreation [3].

IUCN anticipates two other forms of protected areas before national parks:

• Ia – Strict Nature Reserve, and
• Ib – Wilderness Area.

There is also a number of protected areas of lesser significance in the categorization, just below national parks:

• III – Natural Monument or Feature,
• IV – Habitat/Species Management Area,
• V – Protected Landscape/Seascape, and
• VI – Protected Area with Sustainable Use of Natural Resources.

In this paper, a model of information security assessment especially suited for use in audits of information security management systems in nature parks is described. It is important to emphasize that according to the Croatian Nature Protection Act [4], aligned with EU directives, the division of protected natural areas is slightly different. This law recognizes the "national park" as a form of protected area one level below the strict nature reserve and two levels above nature parks. However, for the purpose of this research, the theoretical model presumptions are taken from IUCN's internationally recognized category of nature parks, while field testing of the model is performed using the real processes of a national park according to Croatian legislation, which is, in function, similar to IUCN's definition of a nature park.

Ensuring information security compliance means adopting a system that is able to answer the question: what is the achieved level of compliance with a predefined set of information security rules, and, consequently, to identify the existing gaps and the measures used to close them, in order to approach as closely as possible the ideal model of information security management. The gold standard for information security in corporate environments today is the ISO 27000 series of standards, which strictly define and govern this process, including document and process requirements, identification of the scope of information security, of information security assets and their characteristics (vulnerabilities, and threats that can exploit identified vulnerabilities), checks of the various controls that aim to address those vulnerabilities and threats, and the final conclusion and remedial actions. This process is performed in the well-known ISO PDCA cycle ("Plan-Do-Check-Act"), and its elements are subject to perpetual improvement and to the implementation of checks and corrective actions. This cycle is shown in Figure 1.

Figure 1. PDCA cycle of information security implementation [5]

Most information security management methods and underlying standards claim to be equally applicable to organizations of all sizes and types, regardless of ownership structure, goals or achieved maturity levels. However, practitioners of information security are well aware of the fact that a "one size fits all" approach may sorely fail when faced with the various facets of reality. Some of the reasons for this can be identified as follows:

1. Achieved level of information security,
2. Corporate culture,
3. Culture of information security,
4. Complexity of business processes,
5. Available financial resources,
6. Level of management maturity, and
7. Legislation.

Sometimes, detrimental influences on information security management whose sources lie in the DNA of organizations may be of such magnitude that they completely distort overall information security inside such organizations. Furthermore, it is possible to envisage, for example, small organizations that are financially and organizationally very weak, yet strongly require adequate information security (for example, start-ups), because their very existence relies on strong information security, and mainly on information confidentiality. This is the reason why some authors have started to recognize that theoretical blueprints for information security cannot be used as a single unique model without adjustments aimed at specific implementations.

During preliminary research of available online resources, it was not possible to identify a single model that would be adjusted for use in nature parks. Information security and nature parks can be connected only in terms of the information security policies of nature parks that are publicly available. It seems that this activity is most advanced in Japanese and Taiwanese national parks, while, incidentally, Japan was among the first countries to embrace ISO certification of information security management systems, and most such certificates are issued in Japan [6]. Some examples of such information security policies are those of select Taiwanese national parks: Yangmingshan National Park [7], Shei-pa National Park [8] and Taroko National Park [9].

Understanding the business and process specifics of nature park operations on one side and information security compliance on the other, our working hypothesis is the following: based on the available information security implementation models, it is possible to propose a model for the evaluation of information security best suited for use in nature parks. This model will be tested using available processes in National Park Krka in Croatia.

II SPECIFICS OF OPERATIONS AND INFORMATION SECURITY IN NATURE PARKS

In order to propose a methodology for information security management in nature parks' information systems, it is important to recognize what is specific to the operations of nature parks, and what divides them from other organizations (corporations, NGOs or SMEs) implementing rules of information security and compliance. These characteristics will prove to be very important for the creation of a specific model best suited for nature parks.

The identified characteristics of the management and operations of nature parks are the following:

1. Dependence. Nature parks are usually institutions founded by the state itself under separate legislative acts and therefore do not have full management autonomy. They are subject to specific laws, regulations, directives and international law.

2. Financing. Nature parks are subject to strict financing rules, but as autonomous entities that also provide tourist and visitor services, they usually have abundant sources of their own income.

3. Distribution. Nature parks are often distributed across large geographic areas, and their significance is usually regional, limited to a single county, region or other form of local governance. Operations are executed from distributed centres, varying in size and architecture, while support operations and top management are usually in a separate location, making an overview of all operations difficult. Distributed operations in the field of nature parks require a specific mix of BYOD technologies [10], nomadic computing and distributed data processing.

The geographic layout of National Park Krka, including its main operational locations, is shown in Figure 2.

Figure 2. Layout of National Park Krka, Croatia [11]


4. Workforce. Operations of nature parks are highly seasonal; depending on the geographic location, some nature parks have peaks of visits during summer and/or winter periods, with large parts of the year being relatively underutilized or scarcely visited. This means that most nature parks experience peaks in temporary employment during peak periods of the year. The introduction of temporary workers employed in nature parks presents a challenge for the organization of information security.

5. Connectivity. Operational locations of nature parks are usually in rural areas, out of the way of the main data links provided by large ISPs. Due to geographic traits (forests, large open sea areas), they are sometimes difficult to connect even using mobile data services. Propagation of wireless signal is also sometimes difficult and dampened by the natural landscape (trees, hills, depressions). Nature parks' management often has to invest more in infrastructure, undertake complex connectivity projects and, finally, pay more for the operation of such systems than a similar organization that functions in an urban scenario.

6. Strict adherence to SLAs. Most nature parks earn high revenue from incoming visitors during peak times (and hours). From the business continuity aspect, nature parks can easily quantify the cost of service disruption. Therefore, strict adherence to SLAs with providers of Internet and other services is of utmost importance for the management of nature parks [12].

7. Billing systems. Billing systems, their availability, and the integrity and confidentiality of the data they contain are of utmost importance for nature parks. Most of the income of nature parks comes from tickets and entry fees for visitors, and from related services provided to visitors (dining, entertainment and sports/recreation). Proper and uninterrupted functioning of billing systems is the single most important factor in the operations of nature parks.

8. Seasonality. The seasonality of nature parks' operations has already been mentioned in relation to the workforce, but it is also important for the number of incoming visitors and for the planning of operations. Nature parks experience not only seasonal and annual peaks and lows, but also local peaks and lows during high and low seasons, depending on precipitation and daily temperature. Therefore, the weather forecast and weather extremes have a high influence on the operations of nature parks, and also produce a difference in load on the information systems and on the information security management system.

9. Organization. The organizational chart of nature parks is usually very complex despite a relatively modest number of permanent staff, because nature parks need to attend to various field aspects of operations and have a number of general service departments and groups. This requires the formation of a very diverse hierarchical structure. Usually, nature parks do not use matrix or project organizations. In Figure 3, a typical organizational chart of a national park in Croatia is shown. While the exact constituents of the chart are not that important for the context, the chart is included to show the developed and distributed organization of a national park. While the typical number of employees is not large, there are many organizational units and sub-departments. This fact requires the inclusion of a large number of processes in the evaluation of information security and presents a special challenge in the organization and subsequent assessment of information security in nature parks.

Figure 3. Typical example of a complex organizational chart – National Park "Krka", Croatia [13]

10. Compliance. Owing to their dependent organizational nature, the information security management systems of nature parks are subject to complex compliance requirements that are not only professional, but also legislative, and depend on the goals and mission set by their founders and the State.

These ten special requirements for information security audit in nature parks present a special challenge for those in charge of setting up and maintaining information security in nature parks. However, they also form a set of rules for visitors and transient IT system users, and should be taken into consideration by those tasked with answering the most important questions for the management of nature parks:

1. How safe are our information and information processing facilities,
2. What should we do in order to increase our compliance, and
3. How much do the proposed actions cost us in terms of financial impact and time invested in implementation?

III PROPOSAL OF MODEL FOR EVALUATION OF INFORMATION SECURITY IN NATURE PARKS

A thorough analysis of various systems of information security audit has led the authors to the work of David Brewer and Michael Nash from 2010 [14]. These two authors recognize that the ISO 27001 standard requires organizations both to carry out a risk assessment and to select controls and measures relevant to the information security of their systems. The relationship between these two requirements is often unclear and murky.


Brewer and Nash spent almost four years investigating these relationships and demonstrated that ensuring coverage of the Annex A controls of ISO 27001 limits the scope of the risk assessment, while fulfilling the risk assessment requirement of the standard may result in coverage of the Annex A controls without necessarily addressing the real exposure to information security risks. This relationship is shown in Figure 4.

Figure 4: The cross-checking process [14]

In the cross-checking process, there are controls identified by the risk assessment and risk treatment process (shown in the left column), and controls of Annex A (divided into applicable and non-applicable in the right column). However, the real situation of the information security management system is shown in the middle: clearly, there might be controls that are not present in Annex A, and controls that were, by mistake or negligence, not identified by the risk assessment and/or treatment process.

As a result of this approach, the concerns of management related to information security are addressed, where concerns are a mixture of events and the impacts of those events on operations. This defines eight major events [14]:

S1 – Theft,
S2 – Acts of God, vandals and terrorists,
S3 – Fraud,
S4 – IT failure,
S5 – Hacking,
S6 – Denial of service,
S7 – Disclosure,
S8 – Law.

Three possible impacts of the major identified events are as follows:

B1 – Inappropriate deployment of people,
B2 – Failure to maintain proper records, and
B3 – Issuance of wrong documents.

A relation plot of these events and the controls of Annex A is shown in Figure 5. This model further recognizes that there is no single, easily perceptible information security breach event in the sequence of events that make up a security incident; rather, it has to be broken down in some way. The authors have recognized three candidate (cardinal) events:

EI1 – Vulnerability exploitation,
EI2 – IT failure, and
EI3 – Dispossession.

Figure 5. Relation plot of events and Annex A controls [14]

The authors of the model have further created a Venn diagram relating the three identified cardinal events to the Annex A controls, shown in Figure 6.

Figure 6: Relationship between the cardinal events and the Annex A controls [14]


In our approach, the Brewer-List methodology [15] was superimposed over the scenario of National Park Krka's ISMS. Nine different situations are anticipated:

1. Solution implementation: reduction of the probability of information security incidents caused by solution vendors,
2. Security of the workplace: limiting access to information in the workplace,
3. Dislocated computing: care about the use of information and systems outside the protected information security perimeter,
4. Open computer access: control of physical access to computers in the workplace,
5. Remote actions: protecting computer systems from cyber-attack,
6. Applications: ensuring the security of computer applications,
7. Working conditions: ensuring uninterrupted functionality of the hardware,
8. Information security status: checking the information security management system before an attack or incident occurs, and
9. Incident management: steps undertaken in case of an incident or attack.

For each of these nine situations, applicable situational fragments are identified and mapped onto the applicable controls of Annex A of the ISO 27001 standard.

Due to restricted space, not all situations and applicable controls will be discussed in this paper, yet it has to be clearly stated that the described methodology covers all controls, control objectives and domains stated in Annex A of the ISO 27001 standard. Also, one dilemma that the authors faced was whether to use the new version of the standard (ISO 27002:2013) or stick to the old one. It was decided early on to use the older standard for two reasons: first, the model is well developed and described, readily available, and does not require further adjustments, and second, using the older standard enabled an immediate audit of the ISMS without further delays. Finally, the current architecture of the information infrastructure and services would not significantly benefit from the use of the newer standard, so the old one was used.

V IMPLEMENTATION OF THE MODEL IN NATIONAL PARK KRKA, CROATIA

After setting up and modifying the initial information security assessment model, the audit of the ISMS was undertaken in National Park Krka in Croatia. The first step of the pre-audit was gathering all related information in order to properly identify all information assets. This includes the following:

1. List of ICT assets and services (servers, computers, data storage, payment gateways, ERP and CMS systems, internal and external data processing),
2. List of ICT personnel with role descriptions,
3. Organizational chart,
4. Available network topology blueprints (leased lines, ISPs, wireless and fixed network, optical network),
5. Quantitative ICT data (number of users, desktop and notebook computers, mobile phones, budget),
6. List of computer equipment and service vendors,
7. Ongoing and past contracts for ICT equipment and services, and
8. Available ICT procedures and related/applicable legislation.

After preliminary analysis of the data, the audit plan was compiled. An advantage of the described model is that the audit can be performed quickly if the pre-audit phase was completed thoroughly. All applicable matrices, situations and controls are anticipated in advance, so they were readily available during the real field audit of the system. The flash audit was carried out over two days. Before the beginning of the audit and after the audit was completed, there was a brief meeting with the management, where the methodology was initially described and the findings were presented. The focal point for the audit was the IT manager, while the regulatory system was discussed with the Legal manager, and the security of practices and procedures related to the ERP and CMS systems was discussed with the Administration and Finance manager. The audit plan is shown in Table 1.

Table 1: Audit plan

During the audit, all situations, situational fragments and the controls of Annex A that fall under them, as previously described, are thoroughly analysed in terms of the related information assets, their vulnerabilities and related threats. Special care was given to analysing the information security of working personnel (permanently and temporarily employed), remote computing and the billing system. The end result of the process is a matrix of applicable controls of Annex A and identified aspects of information security. These identified aspects are:

1. Information security of human resources,
2. Physical security, security of services and environment,
3. Technical security,
4. Systems security,
5. Business continuity, and
6. Risk avoidance.

Adherence to the identified controls is summed up in Table 2.


Table 2: Summary table of adherence to identified controls of Annex A

| Number | Symbol | Meaning                                                              | Number of controls | Weight (ponder) | SUM |
|--------|--------|----------------------------------------------------------------------|--------------------|-----------------|-----|
| 1.     | N/A    | Information security control is not applicable for the analyzed ISMS |                    |                 |     |
| 2.     |        | Information security control is respected                            |                    | 5               |     |
| 3.     |        | Information security control is partially respected                  |                    | 3               |     |
| 4.     |        | Information security control is not respected                        |                    | 1               |     |
| SUM    |        |                                                                      |                    |                 |     |

Maximum possible mark: 133 controls x 5 = 665
Maximum possible mark corrected for not applicable controls: (number of applicable controls) x 5
Estimated average implementation of the controls of Annex A: x,xx on a scale of 1 to 5

There are four possible statuses of the identified controls. A control can be not applicable; it can be respected or not respected. Considering that the proposed audit model is a quick derivative model, the authors are not required to adhere to the set rules of the ISO 27001 standard, so an additional status, information security control is partially respected, was introduced in the model. In practical terms, use of this evaluation of a control has to be limited to those cases where the non-compliance has a lower impact on the ISMS as a whole, and where just minor corrections can be quickly implemented to move the control to the status "respected". In audit terms, these controls can be viewed as "minor non-conformities".

Finally, in order to create a synthetic quantitative mark that could give the management a clear overview of the ISMS, weights (ponders) are introduced. Considering 133 possible controls, a maximum sum of 665 points can be reached if the ISMS respects all controls. This sum has to be corrected for those controls that are not applicable. Grade "1" is given to a control that is not respected, grade "3" to a control that is partially respected, and grade "5" to a control that is fully respected. Dividing the corrected sum by the number of applicable controls provides a single quantitative mark in the range of 1 to 5 that is easily understandable to the management. However, when evaluating this mark, one has to be very careful to understand that it does not take into consideration the possible damage derived from information security incidents, as it treats all controls equally regardless of their impact. Nevertheless, this model may be used as a "quick and dirty" litmus test for the state of the ISMS. Furthermore, this model provides easy identification of problem and improvement areas of the system in a quick and very efficient way.

Finally, at the end of the audit, a list of recommendations is produced in order to elevate non-compliance status to partial or full compliance, and to elevate partial compliance status to full compliance. This list of recommendations is in line with the initial PDCA cycle, because the newly reached state of the ISMS can be audited again using the same model, or the standard ISO 27001 auditing model. In both cases, it is reasonable to expect a higher level of compliance, both with the modified model of information security audit and with the standard ISO 27001 model. In case the same modified model is used again, the management can track progress in a clear way using the synthetic mark.
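To make the scoring of Table 2 and the recommendation step concrete, the following is an added worked example, not code from the paper or from National Park Krka. It grades each applicable Annex A control 5/3/1, excludes N/A controls from both the sum and the corrected maximum, computes the synthetic mark (corrected sum divided by the number of applicable controls), a per-aspect breakdown over the six aspects listed above, and the recommendation list in the order the paper describes (non-compliant controls first, then minor non-conformities). The control numbers follow ISO/IEC 27001:2005 Annex A, the edition with the 133 controls the paper counts; the statuses in SAMPLE and the assignment of controls to aspects are constructed for illustration and are not audit findings from Krka.

```python
"""Synthetic-mark calculation for the quick-audit model (added example).

Scoring as in the paper: each applicable Annex A control is graded
5 (respected), 3 (partially respected) or 1 (not respected); controls
marked N/A are excluded from both the sum and the corrected maximum.
"""
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Status(Enum):
    NOT_APPLICABLE = "N/A"
    RESPECTED = "respected"
    PARTIAL = "partially respected"      # a "minor non-conformity"
    NOT_RESPECTED = "not respected"


# Weights ("ponders") from Table 2 of the paper.
WEIGHT = {Status.RESPECTED: 5, Status.PARTIAL: 3, Status.NOT_RESPECTED: 1}
MAX_WEIGHT = max(WEIGHT.values())
ANNEX_A_2005_CONTROLS = 133              # ISO/IEC 27001:2005 Annex A


@dataclass(frozen=True)
class ControlResult:
    control_id: str   # Annex A control number, e.g. "A.11.7.1"
    aspect: str       # one of the six aspects listed in Section V
    status: Status


def applicable(results):
    """Controls that count towards the mark (everything except N/A)."""
    return [r for r in results if r.status is not Status.NOT_APPLICABLE]


def synthetic_mark(results):
    """Return (corrected_sum, applicable_count, mark); mark lies in [1, 5].

    Raises ValueError when nothing is applicable, so an empty audit cannot
    silently produce a division by zero or a fake mark.
    """
    scored = applicable(results)
    if not scored:
        raise ValueError("no applicable controls to grade")
    total = sum(WEIGHT[r.status] for r in scored)
    return total, len(scored), total / len(scored)


def summary_table(results, total_controls=ANNEX_A_2005_CONTROLS):
    """Rows of Table 2: counts per status, uncorrected and corrected maximum."""
    counts = {s: 0 for s in Status}
    for r in results:
        counts[r.status] += 1
    corrected_sum, n_applicable, mark = synthetic_mark(results)
    corrected_max = n_applicable * MAX_WEIGHT
    return {
        "counts": counts,
        "max_possible": total_controls * MAX_WEIGHT,   # 133 x 5 = 665
        "corrected_max": corrected_max,
        "sum": corrected_sum,
        "mark": mark,
        # one reading of the "relative percentages" mentioned in the conclusion
        "percent_of_corrected_max": 100.0 * corrected_sum / corrected_max,
    }


def per_aspect_marks(results):
    """Mark per aspect: where the problem and improvement areas are."""
    by_aspect = defaultdict(list)
    for r in applicable(results):
        by_aspect[r.aspect].append(WEIGHT[r.status])
    return {a: sum(w) / len(w) for a, w in by_aspect.items()}


def recommendations(results):
    """Controls needing remediation: 'not respected' first, then 'partial'.

    The sort is stable, so controls keep their Annex A order within a group.
    """
    order = {Status.NOT_RESPECTED: 0, Status.PARTIAL: 1}
    return sorted((r for r in results if r.status in order),
                  key=lambda r: order[r.status])


# Constructed sample audit result: illustrative statuses, not Krka findings.
SAMPLE = [
    ControlResult("A.8.1.1", "Human resources", Status.RESPECTED),
    ControlResult("A.8.2.2", "Human resources", Status.PARTIAL),   # seasonal staff awareness
    ControlResult("A.8.3.3", "Human resources", Status.NOT_RESPECTED),
    ControlResult("A.9.1.1", "Physical", Status.RESPECTED),
    ControlResult("A.9.2.1", "Physical", Status.RESPECTED),
    ControlResult("A.10.1.1", "Technical", Status.PARTIAL),
    ControlResult("A.10.8.4", "Technical", Status.NOT_APPLICABLE),
    ControlResult("A.11.7.1", "Systems", Status.PARTIAL),          # dislocated / mobile computing
    ControlResult("A.12.2.1", "Systems", Status.RESPECTED),
    ControlResult("A.14.1.1", "Business continuity", Status.NOT_RESPECTED),
    ControlResult("A.14.1.3", "Business continuity", Status.PARTIAL),
    ControlResult("A.15.1.1", "Risk avoidance", Status.RESPECTED),
]

if __name__ == "__main__":
    table = summary_table(SAMPLE, total_controls=len(SAMPLE))
    print(f"sum {table['sum']} of corrected max {table['corrected_max']}, "
          f"mark {table['mark']:.2f} on a scale of 1 to 5")
    for aspect, mark in sorted(per_aspect_marks(SAMPLE).items(), key=lambda kv: kv[1]):
        print(f"  {aspect:<20} {mark:.2f}")
    for r in recommendations(SAMPLE):
        print(f"  remediate {r.control_id} ({r.status.value})")
```

With the constructed sample, one N/A control leaves 11 applicable controls, a corrected maximum of 55 and a sum of 39, hence a mark of about 3.55; the per-aspect view singles out business continuity (2.0) as the weakest area even though only two of its controls are graded. That is exactly the caveat the paper raises: an unrespected business continuity control counts the same as any other control, so the mark locates gaps but says nothing about their impact.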

VI CONCLUSION

The overall management, and the management of information systems, of nature parks is connected with various specifics derived from the fact that national parks are usually not fully independent, are usually regionally distributed, have highly seasonal operations, and depend on strict adherence to SLAs for ICT services, with billing systems being the most sensitive and important, because a lack of their availability translates directly into a quantifiable loss of income. Management is generally quite wary of information security management audits, because these are strange and unknown to them; sometimes they do not see direct benefits, but they are usually associated with the high cost of information security solutions. Complex information security audits using conventional models just add to all these issues.

In our research, the main hypothesis was that it is possible to propose an audit system better adjusted to the specific requirements of ISMS in nature parks. A hybrid model of information system audit is envisaged, starting from the ISO 27001 standard and the modified Brewer-List methodology, which replaces the standard dilemma of "risk assessment" vs. "ICT control adherence" with a new system that includes ICT security situations, fragments and events. Furthermore, a model was developed that quantifies adherence to the identified applicable controls and translates it into a single mark easily measured and understood by the management for further evaluation.

This model was tested on the example of National Park Krka in Croatia, where the audit was applied in a real-life situation, a final snapshot of the information security system was created, and a synthetic grade of the system's maturity was produced for further evaluation by the management. The end result of the described process is a list of suggestions for improvement, whose implementation would increase the synthetic grade.

There are further possibilities for research on this model. For example, it can be modified to suit other applications, and the synthetic grading system can be made more complex in order to better approximate the real situation or to follow some other grading system (the applicable grading could range from 1 to 10, or relative percentages could be used).

REFERENCES

[1] Oxford Dictionaries – Languages Matter, http://www.oxforddictionaries.com/definition/english/national-park (accessed 14th February 2016)

[2] Philips, A., Harrison, J. "International Standards in Establishing National Parks and Other Protected Areas", The George Wright Forum, Volume 14, Number 2, 1997.

[3] IUCN, International Union for Conservation of Nature, http://www.iucn.org/about/work/programmes/gpap_home/gpap_quality/gpap_pacategories/gpap_pacategory2/ (accessed 14th February 2016)

[4] Official Gazette of Croatia, NN 8/13

[5] Pelnekar, C. "Planning for and Implementing ISO 27001", ISACA Journal, Volume 4, 2011.


[6] ISO Survey 2014, http://www.iso.org/iso/home/standards/certification/iso-survey.htm?certificate=ISO%209001&countrycode=JP#countrypick (accessed 14th February 2016)

[7] Information Security Policy, Yangmingshan National Park, http://www.ymsnp.gov.tw/index.php?option=com_content&view=article&id=549&gp=0&Itemid=568 (accessed 14th February 2016)

[8] Information Security Policy, Shei-pa National Park, http://www.spnp.gov.tw/v2/Article.aspx?a=jNakCHfRhqw%3D&lang=1 (accessed 14th February 2016)

[9] Information Security Policy, Taroko National Park, http://www.taroko.gov.tw/English/?mm=0&sm=0&page=5 (accessed 14th February 2016)

[10] Evans, D. "What is BYOD and why is it important", TechRadar, 7 October 2015.

[11] Hagi@Sophia, https://hagia27sophia.wordpress.com/sem-eira-nem-beira/croacia/parque-nacional-krka/ (accessed 14th February 2016)

[12] "What is a service level agreement", Palo Alto Networks, https://www.paloaltonetworks.com/resources/learning-center/what-is-a-service-level-agreement-sla.html (accessed 14th February 2016)

[13] National Park Krka, internal organizational chart, 2015.

[14] Brewer, D., Nash, M. "Insights into the ISO/IEC 27001 Annex A", Gamma Secure Systems Limited, 2010.

[15] Brewer, D.F.C., List, W. "Measuring the effectiveness of an internal control system", http://www.gammassl.co.uk/research/time040317.pdf, Gamma Systems Ltd., March 2004 (accessed 9th April 2016)