Try it this way Imagine you are the owner of a critical infrastructure asset. For discussion’s sake, call it a chemical manufacturing plant. What assets do you have that need protecting. How do you protect them?

There are both physical and digital assets that must be protected.  Security policies consider the company as a whole with both electronic data and physical assets as the backbone of the company’s security planning. The security policy must include several facets of protection such as property protection, access, surveillance, daily security, threat mitigation, and disaster planning. Daily network security measures must be included for information handling, and other work process related network functions (Microsoft, 2015). Threat mitigation is a facet of the security policy in which managers and employees are aware of potential threats and have system in place for reporting these threats. As such weak points in the physical security must be identified.

Network policies may include, but are not limited to: permission levels, disabling accounts for departing employees, employees changing positions, and monitoring potential security issues. Policies will also include the enforcement of strong passwords, expiration of passwords when not being used, and monitoring logins from terminals to see if individuals are sharing passwords (Microsoft, 2015).


Microsoft. (2015). Developing Network Security. Retrieved from Microsoft:




Clouds have come along way in security. For example only allowing access on an as needed basis has been a major advance.  If a billing department needs to grant access to payroll they are allowed permission-only to the needed files.   Some departments might be able to access accounting but others might not. As well, permissions can be set in order make documents unchangeable. The cloud also has the ability to wipe all files from a remote computer and revoke all permissions.

Another security feature of the cloud is the enhancement of thin client methodology. Rather than purchasing dozens of software keys for independent computer systems, a single software program can be shared via the cloud. In fact, an entire office of computers can use the cloud to access software as needed rather than storing separate programs and files on many different computers. These computers would be workstations and they utilize the cloud in order to share applications such as Office and Database programs such as Access (Kroenke, 2013). For security purposes the workstations are dummy computers that store no information and must be tied into the cloud to operate.


Kroenke, D. (2013). Experiencing MIS (4th Edition). New Jersey: Prentice Hall.


Sadly, most security breaches can be traced to poor policies or ignored policies.  The Sony attack was performed using a malware that infects a computer through email.  Once the malware was delivered it attacked the WMI or Windows management instrumentation tool using a denial of service attack:

…primary feature of the malware is that it wipes the hard drives of targeted systems. This is at minimum a strong indication of North Korean involvement. Previous attacks attributed to North Korea, including one last year against TV networks and banks in South Korea, have often included wiping software that destroys all data stored on the system (Hesseldahl, 2014).

The malware uses the WMI to allow access to the computers and before deleting their contents (Kovacs, 2014).  This is a far from sophisticated attack as it was a denial of service attack which required entry to the system in order to be effective (Trend Micro, 2014). After the Sony Hack, investigations began to show that the reason for the attack was an issue of weak security policies which allowed for a breach in the system.  The only way that this attack could have occurred is if the security to the network was weak enough to allow a malware to enter (Zetter, 2014).   As such the security failed to perform its function since a lack of security culture was formed using the core risk assessment process:

…former employees, who asked to remain anonymous, have told us that they’re disappointed but not surprised by the massive hack given Sony Pictures’ long-running lax attitude toward security. They say that employees highlighted specific vulnerabilities on company websites and systems that were never addressed (Hill, 2014).

There was a history of security violations being reported and ignored at Sony. Basic policies for hardening and creating information assurance were not followed because there was a lack of critical assessment of the systems (Hill, 2014). So lax was the security at Sony that the company was hacked once before when an employee was working remotely from a public terminal and forget to log out of the company (Hill, 2014). Sony’s security and information assurance framework failed mainly because it was not able to prioritize its risks and there was no insight into the dangers.


Hesseldahl, A. (2014, December 2). Details Emerge on Malware Used in Sony Hacking Attack.     Retrieved from Recode:

Hill, K. (2014, December 4). Sony Pictures hack was a long time coming, say former employees.   Retrieved from Fusion:

Trend Micro. (2014, December 3). An Analysis of the “Destructive” Malware Behind FBI Warnings . Retrieved from Trend Micro:

Zetter, K. (2014, December). Sony got hacked hard: what we know and don’t know so far.