Introduction to Netflix and its Security Issues
In the global landscape of cyber threats, the threats keep evolving and there is no sign that this will end soon. This poses a constant challenge to individuals, organizations and the security community at large, and Netflix Inc. is no exception. Netflix is an organization that provides its subscribers with streaming services, allowing them to watch a wide variety of award-winning TV shows, movies and documentaries among many other internet-enabled services. It is one of the organizations offering cloud-based services. As such, the organization employs many software engineers, led by Reed Hastings, the CEO and founder of the corporation (Crunchbase, 2018, pp.1). To mitigate this critical issue, organizations have adopted various mitigation techniques, one noteworthy approach being the Information Security Management System. Following this rationale, the main purpose of this document is to develop a security program that would help Netflix mitigate the security threats that have become common today.
There has been a rapid expansion in the number of titles produced by the organization, making Netflix one of the largest producers globally. This has led to an increased number of subscribers to the services offered by the organization. It is thus no secret that the organization is a hot spot for security threats. Moreover, Netflix has committed its future to streaming movies to its clients; the organization relies almost exclusively on cloud vendors for its infrastructure, which has raised security concerns. Netflix has, however, launched various security software to protect its information system. This software is capable of analyzing and responding to threats, and includes applications that manage access to the organization’s information system (McSherry, and Mironov, 2009, pp. 627-636). Jason Chan, the director of cloud security at Netflix, also stated on one occasion that the organization will always build solutions to address issues that are either not well served in the marketplace or that the organization’s security department chooses to solve in a traditional way. However, these strategies are not enough for robust system security. Despite the security measures that have been put in place, the organization still faced considerable cyber-attacks in 2017. Ten new episodes of the Netflix original show “Orange is the New Black” were exposed by attackers who compromised Larson Studio, the post-production company. This attack shows the insufficiency of the organization’s information security management system. The act of extortion demonstrated a critical chink in the organization’s security system that will continue to be exploited if the organization does not change its security management. It is high time that Netflix adopted a robust security management strategy.
Importance of Security Management Program for Netflix
One of Netflix’s core expectations is to protect the originality of its products, since it is the originality of its content that drives the organization’s revenue model: the model relies on big releases to sustain customer interest and hence returns. For this reason, Netflix must have implemented some of the most advanced cybersecurity defenses in the corporate world. The organization has, however, forgotten that human beings are the weakest link in security. Vulnerabilities at the organization’s third parties are a critical threat to the corporate security system and can lead to loss of the organization’s proprietary property. The New York Times (2017) reportedly learned about the theft that occurred at Larson Studio in January 2017 and waited a month before exposing the list of companies involved in the attack. It had been reported earlier that the organization’s security personnel were not surprised by the attack, even as the details of the incident were revealed. This is because the organization had already received several warnings that year about vulnerabilities at third-party vendors (Chou, 2013, p.79; Booth, Soknacki, and Somayaji, 2013, pp. 4-5). It is even more surprising that the organization’s security management never changed, nor did the organization consider establishing pertinent policies as a countermeasure against such cyber-attacks.
The attack should be a wake-up call for the organization that it has not yet implemented a relevant security management program providing policies and procedures to protect the corporation’s sensitive information, critical infrastructure and many other assets. Information system security will never hold up under the ever-increasing weight of internal and third-party vulnerabilities if Netflix management does not build a security-conscious culture. Leaving the burden of security solely on the shoulders of IT staff and deploying various security software, as the organization appears to have done, are no longer enough to mitigate security threats. Additionally, it has become clear that information system security does not only concern IT but also affects an organization’s business (Teece, 2010, pp.172-194). Following this rationale, Netflix must take much more initiative in making security threat mitigation part of the organization’s risk management approach and formulate formal policies to govern operations within the organization.
Another alarming security incident that signifies weak security governance in the organization is the email phishing scam that targeted over 110 million subscribers of the organization (Sebayan, 2017). This did not happen only once; Netflix subscribers experienced the same problem several times in 2017, receiving an email instructing them to click and update their credit card details, which was only meant to lure them into giving out personal data and thereby compromise their privacy. This arose from a lack of controls governing access to the organization’s information system, which signifies the need for information system security management programs to mitigate such vulnerabilities that might affect the organization’s business.
Vulnerabilities and Weaknesses in Current Security System
Effective security management boils down to three crucial mechanisms, namely people, policy and procedures. The Netflix management team should recognize that cyber threats are part of the organization’s risk and that their solution lies in sound policies and procedures (Giesen, Riddleberger, Christner, and Bell, 2010, pp.17-26). The process also involves working with the organization’s third-party vendors and ensuring that people at all levels of the organization are properly trained to recognize potential vulnerabilities and deal with them in accordance with the organization’s policies and procedures.
Some of the vulnerabilities identified are as listed:
- Deficiency in human resource security management
- Deficiency in IT security management controls and proper training on security management strategies
- Over-reliance on third-party vendors
- Deficiency in policies governing the agreements between Netflix and third-party vendors
A security model is a generic blueprint of security management provided by a standards organization. There are various security models available, but only a few are appropriate for Netflix’s case, among them Common Objectives for Information and Related Technologies (COBIT), the National Institute of Standards and Technology (NIST) framework and the International Organization for Standardization (ISO) standards (Sheikhpour, and Modiri, 2012, pp.13-28; Gehrmann, 2012, pp.66-77). NIST is an essential model that every organization should consider when formulating a security management program; however, it can be expensive. Then again, what would be the cost of losing critical information that is the core component of a business model? If a cyber-attack occurs, an organization can lessen its liability if it can prove that it was doing everything possible to protect its assets from security risks by using the NIST framework as a foundation (Greer et al., 2014, pp. 23-31; Kampanakis, 2014, pp.42-51). ISO, on the other hand, is a worldwide federation consisting of national standards bodies. It has overarching significance and has not been adopted by Netflix; it is therefore proposed for Netflix and will be used as the framework for developing the security program that Netflix would implement to secure its assets.
ISO is a non-governmental organization consisting of standards bodies from over 150 countries around the globe, with each member country represented by one standards body (ISO, 2012). This section will focus on ISO 27002. ISO 27002 is a collection of cybersecurity guidelines used by companies to implement, maintain and improve cybersecurity management (Disterer, 2013, pp.92). ISO 27002 contains various controls and control techniques designed to be implemented with guidance from ISO 27001; ISO 27002 is the refined standard accompanying ISO 27001. The controls suggested by ISO 27002 are meant to address the various issues identified during risk assessment. The standard also provides guidelines that help in developing security standards and effective security management practices.
Mitigating Cyber Threats with ISO 27002
The standard was published by the International Organization for Standardization (ISO) in collaboration with the International Electronic Commission (IEC). Its original name was ISO/IEC 1779; it was published in the year 2000 and updated in 2005, when it was complemented by ISO 27001 (Von Solms, and Van Niekerk, 2013, pp.97-102). The 2013 edition of ISO 27002, which will form the basis of the security controls designed for Netflix, has various controls including security policy, IT asset management, human resource security and many others. However, this section will focus only on cybersecurity controls, the major weakness in Netflix’s business activities.
ISO 27002 is proposed because its goals address the needs of Netflix. Netflix needs security management controls to protect its system from fraud and to ensure that its assets are secured. The main goal of ISO 27002 is to establish controls for implementing, maintaining and improving an information security management system in organizations, along with the selection, implementation and management of guidelines and general principles for securing the organization’s assets in accordance with the organization’s risk environment (Calder, and Watkins, 2012, pp. 9). On the basis of the organization’s needs identified earlier in this document, it is clear that ISO 27002 would be the best solution in Netflix’s case.
Introduction
Protecting the organization’s information system is of great importance to Netflix. Consequently, information system security must include controls and safeguards that offset vulnerabilities and guarantee the accountability, integrity, availability and confidentiality of data (Rhodes-Ousley, 2013, pp.17). This program offers definitive information on the prescribed measures that would help establish and enforce an appropriate security program at Netflix with the aid of the ISO 27002 framework.
The purpose of this security management program
This security management program seeks to prescribe a comprehensive framework for the following:
- Compiling a cyber-security management program appropriate for Netflix with reference to ISO 27002 model.
- Safeguarding the availability, integrity, and confidentiality of Netflix data along with its information system.
- Guaranteeing the effectiveness of security controls over the information system and organizational data that support operations at Netflix.
- Protecting Netflix, its employees and its customers from illicit use of the Netflix information system.
The formulation of this program is driven by various factors, the core factor being risk. This security program will therefore form the ground rules under which Netflix operates and protects its content and information, in order both to mitigate risk and to minimize the effects of a potential attack should the organization be attacked. Consequently, implementing these policy controls will help Netflix mitigate the data breaches the corporation has continually experienced, and will help the organization comply with its current and future legal obligations to exercise lasting diligence in protecting the integrity, availability and confidentiality of its content (Srinivasan, 2012, pp. 3).
Benefits of Using ISO 27002 for Information Security Management
For Netflix to mitigate information security risk, the organization must formulate, adopt and maintain a pertinent set of policies and procedures to manage its content and information system (Beckers, Faßbender, Heisel, Küster, and Schmidt, 2012, pp. 14-21). Netflix personnel are required to protect and guarantee the integrity, availability and confidentiality of its data. For this reason, security controls will be formulated so that they are commensurate with the security risks pointed out in the preceding sections.
Objective: to specify the development, adoption, assessment, authorization and monitoring of the Netflix information security program. Effective implementation of this control will depend on the successful implementation of the Netflix controls at the program level.
Netflix shall protect the integrity, availability and confidentiality of its information system, data and other assets regardless of how its data is managed.
Information security policy
The information security management system shall focus on IT management and the risks associated with the information system. The policy behind Netflix’s information security management system is that, along with all management processes, the information management system shall remain effective and efficient in the long term, adapting to changes in the organization’s internal and external environment.
Information security policy
Netflix shall define a set of information security policies and have them approved, published and communicated to the organization’s employees and its third parties by its IT security management.
Publishing information security policies
Objective: to establish, publish, implement and maintain security policy.
The information security policies and standards of Netflix shall be presented in a single written document that shall be endorsed by Netflix’s executive management and disseminated to the relevant parties, in order to ensure that all Netflix personnel understand what is required of them. The information security policy shall represent the roadmap for implementing Netflix’s security measures to protect its important content. All Netflix personnel shall be aware of the sensitivity of Netflix’s data and information system, as well as their responsibility to protect them.
Assignment of information security responsibilities (1.2.2)
Objective: to appoint individuals from the IT department and assign them missions and resources to manage the information security program within the organization.
All responsibilities and authorities for the information system shall be delegated to Netflix’s chief information security officer (CISO). The information security management team and Netflix users shall likewise be assigned their responsibilities.
CISO roles and responsibilities
The CISO is anticipated to perform the following security management roles:
- The CISO has a responsibility to formulate, document and implement security policies and procedures to govern the Netflix information system.
- The CISO shall monitor and analyze information security alerts.
- The CISO shall create, document and disseminate response and escalation procedures for security incidents, in order to ensure effective and timely handling of the various incidents.
- The CISO shall distribute security alerts to the relevant individuals in the organization.
Management team responsibilities: the management team ensures periodic implementation of the security management policy manual
- Management provides all resources, direction and appropriate support to ensure that Netflix content, data and the information system are well protected within their areas of responsibility.
- The Netflix management team has a responsibility to ensure that pertinent policies and controls are documented according to the organization’s policies and procedures and implemented by all Netflix personnel.
- The IT management team has a duty to evaluate compliance with the policies and procedures through regular audits.
Netflix users’ responsibilities
- To follow the organization’s policies on the use of secret information for authentication.
- To comply with all Netflix policies and procedures in order to secure the organization’s data and information system.
Security management policies for human resource
Objective: to ensure that the best security management practices are incorporated into human resource personnel management.
Netflix shall ensure that the best practices of information security management are incorporated into its human resource personnel management practices.
Objective: to mitigate the risk from the internal sources.
Background verification shall be carried out for all organization personnel during employment; this shall be done in accordance with the pertinent laws and procedures and shall be proportional to Netflix’s business needs, the perceived risks and the classification of the assets to be protected.
Objective: to implement procedures ensuring that Netflix plans and conducts security training, testing and monitoring activities related to the organization’s information system.
The chief information security officer (CISO), in coordination with the relevant personnel, shall be responsible for establishing and maintaining procedures for security training, testing and monitoring activities related to the Netflix information system. These activities shall be informed by the current threats the organization has experienced, according to the risk assessment.
Objective: to guarantee the security of Netflix content that is managed by external parties or vendors.
Netflix shall agree upon information and asset security requirements as a countermeasure against the risks associated with third-party and vendor access to the organization’s property. All vendors of the organization shall agree in writing to comply with all applicable information security management policies and procedures, to prevent breaches associated with vendors and third parties.
Objective: to ensure compliance with the organization’s policies and procedures
No Netflix personnel shall violate any of the policies. Anybody found to be in violation of the policies and procedures shall be subject to disciplinary action, which might lead to penalties, termination of the relationship with Netflix or prosecution, as defined in the organization’s policies and procedures.
Legal and statutory requirements observed
The information management program for Netflix complies with the legal and statutory requirements of the country. These statutory requirements refer to the acts that must be adhered to during the security management implementation process (Bulgurcu, Cavusoglu, and Benbasat, 2010, pp.523-548). Some of the main instruments observed are the country’s private security acts, the security and related activities act, and the security providers’ regulation act.
Reference list
Beckers, K., Faßbender, S., Heisel, M., Küster, J.C. and Schmidt, H., 2012. Supporting the development and documentation of ISO 27001 information security management systems through security requirements engineering approaches. In: International Symposium on Engineering Secure Software and Systems, February 2012. Berlin, Heidelberg: Springer, pp. 14-21.
Booth, G., Soknacki, A. and Somayaji, A., 2013. Cloud security: Attacks and current defenses. In: 8th Annual Symposium on Information Assurance (ASIA’13), June 2013, pp. 4-5.
Bulgurcu, B., Cavusoglu, H. and Benbasat, I., 2010. Information security policy compliance: an empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34(3), pp. 523-548.
Calder, A. and Watkins, S., 2012. IT Governance: an international guide to data security and ISO27001/ISO27002. Kogan Page Publishers, p. 9.
Chou, T.S., 2013. Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), p. 79.
Crunchbase, 2018. Netflix > Current Team. Available at: <https://www.crunchbase.com/organization/netflix/current_employees/current_employees_image_list#section-current-team> [Accessed 6 October 2018].
Disterer, G., 2013. ISO/IEC 27000, 27001 and 27002 for information security management. Journal of Information Security, 4(02), p. 92.
Gehrmann, M., 2012. Combining ITIL, COBIT and ISO/IEC27002 for structuring comprehensive information technology for management in organizations. Navus: Revista de Gestão e Tecnologia, 2(2), pp. 66-77.
Giesen, E., Riddleberger, E., Christner, R. and Bell, R., 2010. When and how to innovate your business model. Strategy & Leadership, 38(4), pp. 17-26.
Greer, C., Wollman, D.A., Prochaska, D.E., Boynton, P.A., Mazer, J.A., Nguyen, C.T., FitzPatrick, G.J., Nelson, T.L., Koepke, G.H., Hefner Jr, A.R. and Pillitteri, V.Y., 2014. NIST framework and roadmap for smart grid interoperability standards, release 3.0. NIST Special Publication 1108r3, pp. 23-31.
ISO, B., 2012. 22301:2012, Societal security. Business continuity management systems. Requirements. London: British Standards Institute, pp. 15-19.
Kampanakis, P., 2014. Security automation and threat information-sharing options. IEEE Security & Privacy, 12(5), pp. 42-51.
McSherry, F. and Mironov, I., 2009. Differentially private recommender systems: Building privacy into the Netflix Prize contenders. In: Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, June 2009. ACM, pp. 627-636.
New York Times, 2017. Hacker Leaks Episodes from Netflix Show and Threatens Other Networks. Available at: <https://www.nytimes.com/2017/04/29/business/media/netflix-hack-orange-is-the-new-black.html?_r=0> [Accessed 6 October 2018].
Rhodes-Ousley, M., 2013. Information security: the complete reference. McGraw Hill Education, p. 17.
Sebayan, D., 2017. Email phishing scam targeted millions of Netflix subscribers. November 2017. Available at: <https://www.itgovernanceusa.com/blog/email-phishing-scam-targeted-millions-of-netflix-subscribers/> [Accessed 6 October 2018].
Sheikhpour, R. and Modiri, N., 2012. An approach to map COBIT processes to ISO/IEC 27001 information security management controls. International Journal of Security and Its Applications, 6(2), pp. 13-28.
Srinivasan, M., 2012. Building a secure enterprise model for cloud computing environment. Academy of Information & Management Sciences Journal, 15(1), p. 3.
Teece, D.J., 2010. Business models, business strategy and innovation. Long Range Planning, 43(2-3), pp. 172-194.
Von Solms, R. and Van Niekerk, J., 2013. From information security to cyber security. Computers & Security, 38, pp. 97-102.