IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing

Upload: osborn-greene

Post on 23-Dec-2015


Page 1: IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing

IT Security Readings

A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing

Page 2

The primary message

• Good security in an organization starts at the top, not with firewalls, shielded cables or biometrics.

• Senior management has a much more significant role to play in achieving security than they may think.

Page 3

E-commerce and virtual organizations

• Organizations have an internal value chain and must interact with external entities at either end of this chain.

• External entities may be other businesses, individual customers, or the government.

• Interactions must be protected from being compromised by unauthorized parties.

Page 4

Security vs. Privacy

• Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself.

• Security deals with vulnerability to unauthorized access to content.

Page 5

Why won’t Sr. Management engage in Security?

• It is difficult to connect security-related expenditures to profitability

• Increases in security will often increase costs and reduce efficiency

Page 6

What Should Sr. Management Know?

• Security is not a technical issue; it is a management issue

• Total security is a myth.
– Not all information is of equal value
– It is not technically possible to protect all information assets

• Stakeholders will be increasingly less tolerant of cyber-related vulnerabilities

Page 7

Threats

• Numerous adversaries are aligned against any firm's information, systems, and the critical infrastructures that support them.
– Disgruntled current or former employees
– Hackers
– Virus writers
– Criminal groups
– Those engaged in corporate espionage
– Terrorists
– Foreign intelligence services
– Information warfare by foreign militaries and various other actors

Page 8

Barriers to Security

• The worldwide diffusion of the Internet opens up new business opportunities (e.g., 3-R Framework)

• It also increases an organization's vulnerability since so many more individuals of unknown origin and intent now have access to its systems

Page 9

Increasing Richness; Good or Bad?

• Active web content, such as Java applets, enhances interaction with customers and suppliers.

• This technical capability allows programs created by external entities to also run on an organization's machines

Page 10

Increasing Reach; Good or Bad?

• Organizations that have an extensive partnering network find it difficult to define the boundaries of their information systems

• There is an inherent conflict between security and "open systems" architectures that facilitate EC interactions

Page 11

Clue IT In!

• Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus or to communicate to them the criticality levels of their information assets?

Page 12

Three Cornerstones

• Senior managers need to remember that security depends on the strength of the three cornerstones:
– Critical infrastructures
– Organization
– Technology

• Security also requires an end-to-end view of business processes.

Page 13

Critical Infrastructures

• Critical Infrastructure Protection
• Government-Industry Collaboration
• Management's Role in Critical Infrastructure Protection
– To recognize that critical infrastructure protection is an essential component of corporate governance as well as organizational security

Page 14

Organization

• Structure leads to locus of ownership of data and processes
• Business Environment: threats are based on…
– Value of the firm's intellectual property
– The degree of change the firm is facing
– Its accessibility
– Its industry position
• Culture
• SOPs
• Education, Training, and Awareness

Page 15

Technology

• Firewalls and Intrusion Detection

• Password Layering

• Public Key Infrastructure

• Secure Servers

• VPNs

Page 16

Ok, So What? Managerial Implications

• Asset Identification
• Risk Assessment
• The Control Environment
– Physical
– Data
– Implementation
– Operations
– Administrative
– Application System Controls

Page 17

Balancing Risks and Costs

• Step 1: Identify information assets at an appropriate level of aggregation

• Step 2: Identify the financial consequences of these information assets being compromised, damaged, or lost

• Step 3: Identify the costs of implementing the control mechanisms that are being proposed to enhance organizational security

• Step 4: Estimate overall risk based on the likelihood of compromise

• Step 5: Estimate the benefits expected by implementing the proposed security mechanisms

• Step 6: Compare the expected benefits obtained in Step 5 with the cost estimates obtained in Step 3
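The six steps above carried through on a small risk register, as an added worked example; this is not code from either article or from the slide author. The asset values, likelihoods and control costs are constructed illustration figures, and two assumptions are made that the slides do not state: "risk" in Step 4 is treated as an annual probability of compromise, so that the loss in Step 2 becomes an expected annual loss, and the benefit in Step 5 is measured as the reduction in that expected loss once a control is in place.

```python
"""Balancing risks and costs: expected-loss comparison for proposed controls.

Added worked example, not from the summarized articles. Figures are
constructed for illustration. Assumption: likelihoods are per-year
probabilities, so likelihood * loss is an expected annual loss.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str                   # Step 1: asset at a useful level of aggregation
    loss_if_compromised: float  # Step 2: financial consequence of a compromise
    likelihood: float           # Step 4: probability of compromise per year (assumed)


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                 # Step 3: cost of implementing the control
    asset: str                  # name of the asset the control protects
    residual_likelihood: float  # likelihood remaining once the control is in place
    residual_loss: float        # loss remaining if a compromise still occurs


def expected_loss(likelihood, loss):
    """Expected loss for one asset: probability of compromise times impact."""
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError("likelihood must be a probability in [0, 1]")
    return likelihood * loss


def evaluate_control(assets, control):
    """Steps 5 and 6 for one control: expected benefit versus its cost.

    The benefit is the drop in expected loss; a control cannot make the
    residual impact larger than the unprotected impact, so that is rejected.
    """
    asset = assets[control.asset]
    if control.residual_loss > asset.loss_if_compromised:
        raise ValueError("residual loss cannot exceed the asset's loss")
    before = expected_loss(asset.likelihood, asset.loss_if_compromised)
    after = expected_loss(control.residual_likelihood, control.residual_loss)
    benefit = before - after
    return {
        "control": control.name,
        "asset": asset.name,
        "loss_before": before,
        "loss_after": after,
        "benefit": benefit,
        "cost": control.cost,
        "net": benefit - control.cost,
    }


def rank_controls(assets, controls):
    """All controls evaluated and sorted by net benefit, best first."""
    rows = [evaluate_control(assets, c) for c in controls]
    return sorted(rows, key=lambda r: r["net"], reverse=True)


def worthwhile(assets, controls):
    """Names of the controls whose expected benefit exceeds their cost."""
    return [r["control"] for r in rank_controls(assets, controls) if r["net"] > 0]


# Constructed sample register: three assets of very unequal value.
SAMPLE_ASSETS = {
    a.name: a
    for a in (
        Asset("customer database", loss_if_compromised=2_000_000, likelihood=0.10),
        Asset("public web site", loss_if_compromised=50_000, likelihood=0.50),
        Asset("internal wiki", loss_if_compromised=5_000, likelihood=0.30),
    )
}

# Constructed proposed controls with hypothetical costs and residual risk.
SAMPLE_CONTROLS = [
    Control("database encryption and access review", cost=60_000,
            asset="customer database", residual_likelihood=0.03,
            residual_loss=1_000_000),
    Control("web application firewall", cost=20_000,
            asset="public web site", residual_likelihood=0.20,
            residual_loss=50_000),
    Control("wiki hardening", cost=8_000,
            asset="internal wiki", residual_likelihood=0.05,
            residual_loss=5_000),
]

if __name__ == "__main__":
    for row in rank_controls(SAMPLE_ASSETS, SAMPLE_CONTROLS):
        print(f"{row['control']:<40} benefit={row['benefit']:>10,.0f} "
              f"cost={row['cost']:>8,.0f} net={row['net']:>10,.0f}")
    print("worth funding:", worthwhile(SAMPLE_ASSETS, SAMPLE_CONTROLS))
```

On the constructed figures only the database control clears its cost; the two cheaper controls lose money because the assets they protect are worth little or are already unlikely to cause much loss, which is the "not all information is of equal value" point from the earlier slide. The likelihoods are the weakest input in the whole calculation, so in practice the ranking should be re-run with a range of likelihood estimates before money is committed.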

Page 18

Management Actions

• Corporate boards should ensure that senior managers buy into the process of risk assessment

• Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process

• Establish an ongoing process of monitoring risk

Page 20

The Myth of Secure Computing

• When it comes to digital security, there's no such thing as an impenetrable defense. But you can mitigate risks by following sound operating practices

Page 21

What’s a Manager to Do?

• Business managers should focus on the familiar task of managing risk.

• Their role should be to assess the business value of their information assets, determine the likelihood that they'll be compromised, and then tailor a set of risk-abatement processes to particular vulnerabilities

Page 22

Threats

• Network attacks

• Intrusions

• Malicious code

Page 23

The Operational Approach

• Identify your company's digital assets, and decide how much protection each deserves

• Define the appropriate use of IT resources

• Control access to your systems

• Insist on secure software

Page 24

The Operational Approach

• Know exactly what software is running

• Test and benchmark

• Rehearse your response

• Analyze the root causes

Page 25

The Bottom Line…

• Managers need to sort through which risks are most likely to materialize and which could cause the most damage to the business, then spend their money where they think it will be most useful

• When viewed through an operational lens, decisions about digital security are not much different from other cost-benefit decisions general managers must make

Page 26

Back to the Risks

• Facebook and Privacy

• Google Hacks