You are on page 1of 7

Information Security Assessment in Nature Parks

Saa Aksentijevi 1, Toni ugum 2, Kreimir aki 3


1
Aksentijevi Forensics and Consulting, Ltd.
Gornji Sroki 125a, Vikovo, Croatia
Tel: +385 51 65 17 00 Fax: +385 51 65 17 81 E-mail: axy@vip.hr
2
National Park Krka
Trg Ivana Pavla II br. 5, ibenik, Croatia
Tel: +385 22 20 17 77 Fax: +385 22 33 68 36 E-mail: toni.dugum@npk.hr
3
National Park Krka
Trg Ivana Pavla II br. 5, ibenik, Croatia
Tel: +385 22 20 17 77 Fax: +385 22 33 68 36 E-mail: kresimir.sakic@npk.hr
Abstract In this paper, specific requirements for
information security assessment will be identified along
with proposal for the model specially tailored to suit the
audit needs of the information systems within nature
parks - protected and conserved areas. Elements of
information security management system for nature
parks are described along with specific information
security elements called situations, to be evaluated.
Proposed model is set in a way to provide quantitative
evaluation of the overall system of information security
management. The audit approach involves definition of
cardinal events of information security, assets, threats
and related vulnerabilities. Final outcome of the
assessment is not only mark that represents overall state
of affairs within information security management
system, but also a set of recommendations for remedial
measures and implementation of controls of information
security in nature parks in order to elevate already
achieved and determined compliance level. Proposed
model is tested in case of nature park Krka in Croatia
and the test results provide unique and adequate insight
in achieved level of information security management
system compliance.
Key words: information security, nature park, audit,
quality systems, national park Krka

INTRODUCTION

Standard definition of the nature park is that it is an area of


countryside, or occasionally sea or fresh water, protected by
the state for the enjoyment of the general public or the
preservation of wildlife: commercial exploitation of natural
resources in a national park is illegal [1]. Internationally
recognized definition of the nature parks is the one according
to the IUCN organization, International Union for
Conservation of Nature whose core mission is to help the
world identify pragmatic solutions to the most pressing
environment and development challenges. IUCN considers
national parks to be under the 2nd category of protection, and
defines them as areas represented by large natural or near
natural areas set aside to protect large-scale ecological
processes, along with the complement of species and
ecosystems characteristic of the area, which also provide a
foundation for environmentally and culturally compatible,
spiritual, scientific, educational, recreational, and visitor
opportunities [2]. Primary objective of existence of nature
parks is protection of biodiversity with underlying ecological

structure, supporting environmental processes and promotion


of education and recreation [3].
IUCN anticipates existence of two other forms of protected
areas before national parks:

Ia Strict Nature Reserve, and


Ib Wilderness Area.

There is also a number of protected areas of lesser


significance in categorization, just below nature parks:
III Nature Monument of Feature,
IV Habitat/Species Management Area,
V Protected Landscape / Seascape, and
VI Protected area with sustainable use of natural resources.
In this paper, a model of information security assessment
especially suited for use in audits of information security
management systems in nature parks is described. It is
important to emphasize that according to Croatian Nature
Protection Act [4], aligned with EU directives, the division of
protected natural areas is slightly different. This law
recognizes national park as a form of protected area one
level below strict nature reserve, and two levels above nature
parks. However, for the purpose of this research, theoretical
model presumptions are taken from IUCNs internationally
recognized nature parks, while field testing of model is
performed using real processes of a national park according
to Croatian legislation, in function, similar to IUCNs
definition of nature park.
Ensuring information security compliance means adoption of
a system that is able to respond to question what is the
achieved level of compliance to predefined set of rules of
information security, and consequentially, identify existing
gaps and measures used to close them in order to approach as
much as possible the ideal model of information security
management. Golden standard for information security in
corporate environments today is ISO 27000 series of
standards, that strictly define and govern this process,
including document and process requirements, identification
of scope of information security, information security assets
and their characteristics (vulnerabilities and threats that can
exploit identified vulnerabilities), checks of various controls
that aim to address those vulnerabilities and threats and final
conclusion and remedial actions. This process is performed in
famous ISO PDCA cycle (Plan-Do-Check-Act), and they
are subject to perpetual improvements and implementation of

checks and corrective actions. This cycle is shown in Figure


1.

Understanding business and process specifics of nature park


operations on one side and information security compliance
on another, our working hypothesis is the following: based on
the available information security implementation models it
is possible to propose a model for evaluation of information
security best suited for use in nature parks. This model will
be tested using available processes in National park Krka in
Croatia.
II
SPECIFICS
OF
OPERATIONS
AND
INFORMATION SECURITY IN NATURE PARKS

Figure 1. PDCA
implementation [5]

cycle

of

information

security

Most information security management methods and


underlying standards claim to be equally applicable to
organizations of all sizes and types, regardless of ownership
structure, goals or achieved maturity levels. However,
practitioners of information security are well aware of the
fact that one size fits all approach may sorely fail when
faced with various facets of reality. Some of the reasons for
this can be identified as follows:
1.
2.
3.
4.
5.
6.
7.

Achieved level of information security,


Corporate culture,
Culture of information security,
Complexity of business processes,
Available financial resources,
Level of management maturity, and
Legislation.

Sometimes, detrimental influences to information security


management whose sources lie in the DNA of organizations
may be of such magnitude that they completely distort overall
information security inside such organizations. Furthermore,
it is possible to envisage, for example, small organizations
that are financially and organizationally very weak, yet they
strongly require adequate information security (for example,
start-ups), because their sole existence relies on strong
information
security
and
mainly information
confidentiality. This is the reason why some authors have
started to recognize that theoretical blueprints for information
security cannot be used as a single unique model without
adjustments aimed towards specific implementations.
During preliminary research of available online resources, it
was not possible to identify a single model that would be
adjusted for use in nature parks. Information security and
nature parks can be identified only in terms of their
information security policies that are publicly available. It
seems that this activity is best underway in Japanese and
Taiwanese national parks, while, incidentally, Japan was
among the first countries to embrace ISO certification of
information security managements systems, and most such
certificates are issued exactly in Japan [6]. Some examples of
such information security policies are those of select
Taiwanese national parks: Yangmingshan National Park [7],
Shei-pa National Park [8] and Taroko National Park [9].

In order to propose a methodology for information security


management in nature parks information systems, it is
important to recognize what is specific for operations of
nature parks, and what divides them from other organizations
(corporations, NGOs or SMEs) implementing rules of
information security and compliance. These characteristics
will prove to be very important for creation of a specific
model, best suited for nature parks.
Identified characteristics of management and operations of
nature parks are the following:
1.

Dependence. Nature parks are usually institutions


founded by the state itself under separate legislative
acts and therefore, nature parks do not have full
management autonomy. They are subject to
specific laws, regulations, directives and
international laws,

2.

Financing. Nature parks are subject to strict


financing, but as autonomous subjects providing
also tourist and visiting services, usually they have
abundant own sources of income.

3.

Distribution. Nature parks are often distributed


across large geographic areas, and their
significance is usually regional, limited to a single
county, region or other form of local governance.
Operations are executed from distributed centres,
varying in size and architecture, while support
operations and top management are usually in a
separate location, making overview of all
operations difficult. Distributed operations in the
field of nature parks require a specific mix of
BYoD technologies [10], nomad computing and
distributed data processing.

Geographic layout of the National Park Krka including


its main operations locations is shown in Figure 2.

Figure 2. Layout of National Park Krka, Croatia


[11]

4.

Workforce. Operations of nature parks are highly


seasonal; depend on the geographic location, some
nature parks have peaks of visits during summer
and/or winter periods, with large parts of the year
being relatively underutilized or scarcely visited.
This means that most nature parks experience peaks
in temporary employments during peak periods in
the year. Introduction of temporary workers
employed in nature parks presents a challenge for
organization of information security

5.

Connectivity. Operative locations of nature parks


are usually in rural areas, out of the way of main
dana links provided by large ISPs. Due to
geographic traits (forests, large open sea areas),
they are sometimes difficult to connect even by
using mobile dana services. Propagation of wireless
signal is also sometimes difficult and dampened by
natural landscape (trees, hills, depressions). Nature
parks' management often has to invest more in
infrastructure, undertake complex connectivity
projects and finally, pay more for operations of
such systems, than some other similar organization
that functions under urban scenarios.

6.

Strict adherence to SLAs. Most nature parks


experience high revenue from incoming visitors
during peak times (and hours). From business
continuity aspect, nature parks can easily quantify
the cost of service disruption. Therefore, strict
adherence to SLAs with providers of Internet and
other services is of utmost importance for
management of nature parks [12].

7.

8.

9.

Billing systems. Billing systems, their availability,


integrity and confidentiality of contained dana is of
utmost important for nature parks. Most of the
income of nature parks comes from tickets and
entry fees for visitors, and related services provided
to
visitors
(dining,
entertainment
and
sports/recreation). Proper and uninterrupted
functioning of billing systems is the most important
single factor in operations of nature parks.
Seasonality. Seasonality of nature parks operations
is already mentioned in relation to workforce, but it
is also important for the number of incoming
visitors and planning of operations. Nature parks
experience not only seasonal and annual peaks and
lows, but also local peaks and lows during high and
low seasons, depending on the precipitation and
daily temperature. Therefore, weather forecast and
extremes have high influence on operations of
nature parks, but also present a difference in load
on information systems and information security
management system.
Organization. Organizational chart of nature parks
is usually very complex despite relatively modest
number of permanent staff, because nature parks
need to attend to various field aspects of operations,
and have a number of general service departments
and groups. This requires formation of very diverse
hierarchical structure. Usually, nature parks do not
use matrix or project organizations. In the Figure
3., a typical organizational chart of the national
park in Croatia is shown. While exact constituents

of the chart are not that important for the context,


the chart is included to show developed and
distributed organization of a national park. While
the typical number of employees is not large, there
are many organizational units and sub departments.
This fact requires inclusion of a large number of
processes in the evaluation of information security
and presents a special challenge in organization and
subsequent assessment of information security in
nature parks.

Figure 3. Typical example of the complex organizational


chart National park Krka, Croatia [13]
10. Compliance.
Owing
to
the
dependant
organizational nature, information security
management systems of nature parks are subject to
complex compliance requirements that are not only
professional, but also legislative, and depend on the
goals and mission set by their founders and the
State.
These ten special requirements for information security audit
in nature parks present a special challenge for those in charge
of setting up and maintaining information security in nature
parks. However, they also form a set of rules for visitors and
transient IT system users and should be taken in
consideration by those that are tasked with answering the
most important questions for the management of nature
parks:
1.
2.
3.

How safe are our information and information


processing facilities,
What should we do in order to increase our
compliance, and
How much do proposed actions cost us in terms of
financial impact and invested time for
implementation?

III
PROPOSAL OF MODEL FOR EVALUATION
OF INFORMATION SECURITY IN NATURE PARKS
Thorough analysis of various systems of information security
audit has lead the authors to work of David Brewer and
Michael Nash from 2010 [14]. These two authors recognize
that ISO 27001 standard requires organizations both to carry
out a risk assessment and select controls and measures
relevant to information security of their systems. Relationship
between these two requirements is often unclear and murky.

The authors have spent almost four years investigating these


relationships and demonstrated that ensuring the coverage of
controls of Annex A of ISO 27001 standard limits the scope
of risk assessment, while fulfilment of risk assessment of the
standard may result in coverage of controls of Annex A but
not necessarily providing addressing of the real exposure to
information security risks. This relationship is shown in the
Figure 4.

Relation plot of these events and controls of Annex A is


shown in Figure 5. This model further recognizes that there is
not one easily perceptible information security breach event
in the sequencing story of information security, rather, it has
to be broken down in some way. The authors have recognized
three possible candidate (cardinal) events:
EI1 Vulnerability exploitation,
EI2 IT failure, and
EI3 Disposession.

Figure 4: The cross-checking process [14]


In the cross checking process, there are controls identified by
the risk assessment and risk treatment process (shown in the
left column), controls of Annex A (divided into applicable
and non-applicable in the right column). However, real
situation of the information security management system is
shown in the middle: clearly, there might be controls that are
not present in the Annex A and those that were by mistake or
negligence not identified by the risk assessment and/or
treatment process.

Figure 5. Relation plot of events and Annex A controls [14]


The authors of the model have further created a Venn
diagram relating identified three cardinal events to Annex A
controls, shown in Figure 6.

As a result of this approach, concerns of the management


related to information security are addressed, where concerns
are mixture of events and impacts of those events on
operations. This defines eight major events [14]:
S1 Theft,
S2 Acts of God, vandals and terrorists,
S3 Fraud,
S4 IT failure,
S5 Hacking,
S6 Denial of service,
S7 Disclosure,
S8 Law.
Three possible impacts of the major identified events are as
follows:
B1 Inappropriate deployment of people,
B2 Failure to maintain proper records and
B3 Issuance of wrong documents.

Figure 6: Relationship between the cardinal events and the


Annex A controls [14]

In our approach, Brewer-List's methodology [15] was used


superimposed over the scenario of the National park Krka's
ISMS.

5.
6.
7.

Nine different situations are anticipated:


1.
2.
3.
4.
5.
6.
7.
8.
9.

Solution implementation: reduction of probability


of information security incidents caused by solution
vendors,
Security of the workplace: limiting access to
informations in the workplace,
Dislocated computing: care about use of
information and systems outside protected
information security perimeter,
Open computer access: control of physical access
to computers in the workplace,
Remote actions: protecting computer systems from
cyber-attack,
Applications: ensuring security of computer
applications,
Working conditions: ensuring uninterrupted
functionality of the hardware;
Information security status: checking information
security management system before the attack or
incident occur, and
Incident management: undertaken steps in case of
incident or attack.

8.

Quantitative ICT data (number of users, desktop


and notebook computers, mobile phones, budget),
List of computer equipment and service vendors,
Ongoing and past contracts for ICT equipment and
services, and
Available ICT procedures and related/applicable
legislation.

After preliminary analysis of the data, audit plan was


compiled. An advantage of the described model is the fact
that audit can be performed quickly if pre-audit phase was
completed thoroughly. All applicable matrixes, situations and
controls are anticipated in advance so they were readily
available during real field audit of the system. The flash-audit
was carried during two days. Before the beginning of the
audit and after the audit was completed, there was a brief
meeting with the management where the methodology was
initially described and findings were presented. Focal point
for the audit was IT manager, while regulatory system was
discussed with the Legal manager and security of practices
and procedures related to ERP and CMS systems was
discussed with Administration and Finance manager. The
audit plan is shown in Table 1.

For each of these nine situations, applicable situational


fragments are identified and they are mapped onto applicable
controls of annex A of ISO 27001 standard.
Due to restricted space available, not all situations and
applicable controls will be discussed in this paper, yet it has
to be clearly stated that described methodology covers all
controls, control objectives and domains stated by Annex A
of ISO 27001 standard. Also, one dilemma that authors faced
was whether to use new version of the standard (ISO
27002:2013) or stick to the old one. It was decided early on
to use the older standard because of two reasons: first, the
model is well developed and described, readily available, and
does not require further adjustments and second, using older
standard has enabled immediate audit of the ISMS without
further delays. Finally, current architecture of the information
infrastructure and services would not significantly benefit
from usage of the newer standard, so it was decided early on
to use the old one.
V IMPLEMENTATION OF THE
NATIONAL PARK KRKA, CROATIA

MODEL

IN

After setting up and modifying the initial information


security assessment model, the audit of ISMS was undertaken
in National park Krka in Croatia. The first step of the preaudit was gathering all related information in order to
properly identify all information assets. This includes the
following:
1.
2.
3.
4.

List of ICT assets and services (servers, computers,


data storage, payment gateways, ERP and CMS
systems, internal and external data processing),
List of ICT personnel with role description,
Organizational chart,
Available network topology blueprints (leased
lines, ISPs, wireless and fixed network, optical
network),

Table 1: Audit plan


During audit, all situations, situational fragments and controls
of Annex A that fall under them, and that were previously
described, are thoroughly analysed in terms of related
information assets, their vulnerabilities and related threats.
Special care was given to analyze information security of
working personnel (permanently and temporarily employed),
remote computing and billing system. The end result of the
process is matrix of applicable controls of Annex A and
identified aspects of information security. These identified
aspects are:
1.
2.
3.
4.
5.
6.

Information security of human resources,


Physical security, security of services
environment,
Technical security,
Systems security,
Business continuity, and
Risk avoidance.

Adherence to identified controls is summed up in Table 2.

and

Number

Symbol

Meaning

Number

Ponder

SUM

of

VI CONCLUSION

controls
1.

Information security control is not applicable for the

N/A
2.

analyzed ISMS

Information security control is respected


5

3.

Information security control is partially respected

4.

Information security control is not respected

1
SUM

Maximumpossiblemark

133

Maximumpossiblemarkcorrectedfornotapplicablecontrols

EstimatedaverageofimplementationofcontrolsofAnnexA

x,xx on a scale
of 1 to 5

665

Table 2: Summary table of adherence to identified controls of


Annex A
There are four possible statuses of identified controls. Control
can be not applicable; it can be respected or not respected.
Considering that the proposed audit model is a quick
derivative model, authors are not required to adhere to set
rules of the ISO 27001 standard, so additional status
information security control is partially respected was
introduced in the model. Use of this evaluation of control has
to be in practical terms limited to those cases where noncompliance is of lower impact on the ISMS as a whole and
when just minor corrections can be quickly implemented to
forward the control on to status of respected. In terms of
audit, these controls can be viewed as minor nonconformities.
Finally, in order to create a synthetic quantitative mark that
could give the management a clear overview of ISMS,
ponders are introduced. Considering 133 possible controls,
maximum sum of 665 points can be reached if ISMS respects
all controls. This sum has to be corrected for those controls
that are not applicable. Finally, grade 1 is given to control
that is not respected, grade 3 to control that is partially
respected and grade 5 to control that is fully respected.
Dividing corrected sum with number of applicable controls
will provide a single quantitative mark in range of 1 to 5, that
is easily understandable to the management. However, when
evaluating this mark, one has to be very careful to understand
that it does not take into consideration possible damage
derived from information incidents, as it equally treats all
controls regardless of their impact. However, this model may
be used as a quick and dirty litmus test for the state of
ISMS. Furthermore, this model will provide easy
identification of problem and improvement areas of the
system in a quick and very efficient way.
Finally, at the end of the audit, a list of recommendations is
produced in order to elevate non-compliance status to partial
or full compliance, and elevate partial compliance status to
full compliance. This list of recommendations is in line with
initial PDCA cycle, because the newly reached state of ISMS
can be again audited using the same model, or standard ISO
27001 auditing model. In both cases, it is reasonable that one
expects higher level of compliance both with modified model
of information security audit and standard ISO 27001 model.
In case that the same modified model is used again, using
synthetic mark, the management can track the progress in a
clear way.

Overall management and management of information


systems of nature parks is connected with various specifics
that are derived from the fact that national parks are usually
not fully independent, they are usually regionally distributed,
their operations are highly seasonal and their operations
depend on strict adherence to SLA for ICT services with
billing systems being most sensitive and important because
lack of their availability translates directly into quantifiable
loss of income stream. Management is generally quite wary
of information security management audits because they are
strange and unknown to them, sometimes they do not see
direct benefits but they are usually connected with high cost
of information security solutions. Complex information
security audits using conventional models just add to all these
issues.
In our research, the main hypothesis was that it is possible to
propose an audit system that would be better adjusted to
specific requirements of ISMS in nature parks. A hybrid
model of information system audit is envisaged starting from
ISO 27001 standard and modified Brewster-List
methodology that replaces standard dilemma "risk
assessment" vs. "ICT control adherence" with a new system
that includes ICT security situations, fragments and events.
Furthermore, a model was developed that quantifies
adherence to identified applicable controls and translates it to
a single mark easily measured and understood by the
management for further evaluation.
This model was tested on example of the National park Krka
in Croatia, where audit was applied in real life situation, final
snapshot of the information security system is created and
synthetic grade of maturity of the system is produced for
further evaluation by the management. End result of the
described process is a list of suggestions for improvement,
whose implementation would increase synthetic grade.
There are further possibilities of research of this model. For
example, it can be modified to suit some other applications,
and synthetic grading system can be made more complex, in
order to better approximate real situation or to follow some
other grading system (applicable grading could range from 1
to 10 or relative percentages can be utilized).

REFERENCES
[1] Oxford Dictionaries Languages Matter,
http://www.oxforddictionaries.com/definition/english/nationa
l-park (accessed 14th February 2016.)
[2] Philips, A., Harrison, J. International Standards in
Establishing National Parks and Other Protected Areas, The
George Wright Forum, Volume 14, Number 2, 1997.
[3] IUCN, International Union for Conservation of Nature,
http://www.iucn.org/about/work/programmes/gpap_home/gp
ap_quality/gpap_pacategories/gpap_pacategory2/ (accessed
14th February 2016.)
[4] Official gazette of Croatia, NN 8/13
[5] Pelnekar, C. Planning for and implementing ISP 27001,
ISACA Journal, Volume 4, 2011.

[6] ISO survey 2014.,


http://www.iso.org/iso/home/standards/certification/isosurvey.htm?certificate=ISO%209001&countrycode=JP#coun
trypick (accessed 14th February 2016.)
[7] Information Security Policy, Yangmingshan National
Park,
http://www.ymsnp.gov.tw/index.php?option=com_content&v
iew=article&id=549&gp=0&Itemid=568 (accessed 14th
February 2016.)
[8] Information Security Policy, Shei-pa National Park,
http://www.spnp.gov.tw/v2/Article.aspx?a=jNakCHfRhqw%
3D&lang=1 (accessed 14th February 2016.)
[9] Information Security Policy, Taroko National Park,
http://www.taroko.gov.tw/English/?mm=0&sm=0&page=5
(accessed 14th February 2016.)
[10] Evans, D. What is BYOD and why is it important,
Techradar, 07. October 2015.
[11] Hagi@Sophia,
https://hagia27sophia.wordpress.com/sem-eira-nembeira/croacia/parque-nacional-krka/ (accessed 14th February
2016.)
[12] What is a service level agreement, Palo Alto
Networks,
https://www.paloaltonetworks.com/resources/learningcenter/what-is-a-service-level-agreement-sla.html (accessed
14th February 2016.)
[13] National Park Krka, internal organizational chart, 2015.
[14] Brewer, D., Nash, M. Insights into the ISO/IEC 27001
Annex A, Gamma Secure Systems Limited, 2010.
[15] Brewer, D.F.C., List, W. Measuring the effectiveness of
an internal control system,
http://www.gammassl.co.uk/research/time040317.pdf,
Gamma Systems Ltd., March 2004. (accessed 9th April 2016.)