When people think of information security, they typically picture a computer technician or network administrator protecting computers with anti-virus software and some sort of network firewall. However, there is much more to information security than just the technical staff and software. New malicious code, worms, and distributed denial of services are taking place in cyberspace at an exponentially faster level than ever before.

Senior level executives are becoming aware of the problem. Companies must deal with the internal threat of disgruntled employees, address fundamental security policies, and have a disaster recovery plan in place to be prepared for the worst.


All information security programs start with the CIA triad: Confidentiality, Integrity, and Availability of data.

“Confidentiality” means the assets of a computing system are accessible only by authorized parties.

“Integrity” means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, editing, changing status, and deleting.

“Availability” means that assets are accessible to authorized parties. An authorized party should not be prevented from accessing objects to which he, she, or a third party has legitimate access need. For example, a security system could preserve perfect confidentiality by preventing everyone from reading a particular object. However, this system does not meet the requirement of availability for proper access.

The opposite of availability is “denial of service”. Along with the fundamental basis of the CIA triad, a security program must start with the proper policies and gather input from all senior leadership within an organization.



There are four overarching components to performing a successful IT Data Risk Assessment/Audit. The first is data classification. The second is management controls, concentrating on controls that management is directly responsible for. The third is operational controls, which are the day-to-day operations run by systems and employees. The fourth is technical controls, which are usually run by automated computers.

Data Classification

  • CIA Triad:  Confidentiality, Integrity, Availability

Management Controls

  • Risk Management
  • Review of Security Controls
  • Life Cycle Enforcement
  • Disaster Recovery/Business Continuity Planning

Operational Controls

  • Personnel Security
  • Physical Security
  • Documentation
  • Security Awareness/Training
  • Incident Management

Technical Controls

  • Identification and Authentication
  • Logical Access Control
  • Audit Trails, Monitoring and Logging

Each of the subsets beneath the four overarching components above can be further extrapolated in
terms of what a Y&L Cyber Security Analyst will be auditing. For example, here are the different
elements that would be reviewed under “Operational Controls”:



Members of the Y&L Cyber Security practice and our Chief Security Officer (CSO) hold certificates in the following and have experience managing cyber security initiatives for a variety of Texas State Government Agencies:

  • Certified Information System Security Professional (CISSP)
  • GIAC Security Leadership (GSLC)
  • GIAC Security Essentials (GSEC)