Information Protection - Management & Rules
It would be very easy to write yet another article about technical computer and communications security issues, such as a discussion of PKI, TCP/IP, SSL, RSA, firewalls, mobile code, etc. Yet, there is another perspective on these security issues that has become increasingly important to stress. That is why this article will be concerned with the ways by which senior executives can and must assist in the protection of information in the Information Age.
For an increasing number of senior managers, security has become a major concern. Unfortunately, quite often that recognition has developed at the same time that business competition has become more complex, profits have become less certain, security decisions have become more technically difficult and laws requiring certain forms of information protection have been established. Of course, there are all of the security uncertainties after 9/11.
Information security is composed of technical requirements, risk management decisions, legal liability protections, business ROI and reputational risks, all mixed together into a complex set of decisions. These decisions are so important that senior managers have, in effect, become their organisation's chief security officials in charge of information protection.
Information protection is now on the shoulders of the executives, whether they understand the technologies or not, have time for it or not, like it or not, want to do it or not. This shift in responsibility has happened despite the fact that protecting sensitive information requires ever greater expenditure, and that information security programmes may hinder meeting the next quarter's profit numbers.
Managers need to understand that information security has become a dynamic situation, requiring new perspectives and skills on their part. Organisations have to protect an information processing system no longer made up only of computers but also of Palm and other PDAs, e-mail services, fax technologies, cell phone options and wireless communications. As computers and communication devices have developed, they have become smaller, more powerful and less expensive. In reality, the information that they contain or process is now more difficult to protect than before.
Further, the amount of information that needs protection has multiplied as the global economy has flourished. The methods of illegally gaining sensitive information have increased, and the number of people with knowledge of how to commit computer crimes has grown. National borders do not limit illegal computer activities, and law enforcement agencies are often outnumbered and ineffective. The Internet has created its own business advantages which, unfortunately, have also led to a rapid increase in fraud, child pornography and other criminal matters.
If senior managers have to have a much more direct involvement in information protection, what are some of the fundamental information security rules for management that they must follow? Here is an overview of those rules.
1. Information security decisions should be driven by business requirements rather than technical needs. Be aware, however, that certain business requirements (immediate customer satisfaction) may be contrary to security concerns (limiting losses). Essentially, information security decisions should be derived from a risk management point of view, determining how much risk can be controlled or countered and what other risks will be acceptable, given the business climate. Use business cost/benefit and other management methodologies to evaluate security decisions, while realising that risk decisions cannot always be so easily quantified.
2. Some of the most valuable staff members in an organisation are the corporate security, information security, audit and business continuity specialists. They may quite literally save the organisation and its senior staff from disasters. Get to know them, ask them lots of questions, have them translate technical details into managerial language and make it quite clear to all employees that these staff members' responsibilities are so important for the organisation that they report directly to the top.
3. Information security is not solely composed of technical approaches. It is essential to understand the important roles of physical, administrative and personnel ("peopleware") controls that reinforce the technical controls. All of these controls need to work together, providing a coherent and consistent protection programme. An over-reliance on technical solutions, often deployed without changing default passwords and other well-known settings, could open up sensitive information to criminals, competitors or other dangerous persons.
4. Access control is an essential aspect of information security. Careful consideration should be given to establishing technical, physical and administrative rules that limit who can gain access to what information and what they are authorised to do with such information (read, write, etc.). Access control decisions need to be based on the essential security principles of need-to-know and separation of duties. Where such principles cannot be followed, special auditing and monitoring might be added.
5. Information protection programmes should stress prevention. However, since not all computer crimes can be stopped, an information security approach should also contain intrusion detection mechanisms that monitor all system activities, determine what might be attempts to gain unauthorised access, and immediately notify managers of such attempts. Unauthorised access attempts should also trigger well-developed incident response capabilities in order to limit further damage, determine the perpetrators, assist with recovery strategies and establish what protections need to be strengthened. All of the mechanisms listed above have legal importance and thus require careful consideration of how best to meet legal responsibilities.
6. Encryption is essential in the protection of sensitive information. Whether it is to protect e-mail, files, backups or Internet communications, encryption provides some of the most effective means of controlling unauthorised access. Ask for information on some of the leading encryption solutions available on the market, particularly their ease of use, impact on processing, and their strength (resistance to successful attacks).
7. Specialised personnel should be assigned the responsibility of auditing the many existing services that provide alerts on new viruses, the latest computer vulnerabilities, unique attack scripts and other warnings indicating serious computer-related problems. Those warnings must be evaluated by the specialised personnel and, when appropriate, fixes need to be put in place quickly.
8. Consider seeking security specialists in the event that particular security expertise is needed. Consulting associations, such as the International Association of Professional Security Consultants (www.iapsc.org), can be an excellent resource for locating security experts who have undergone a vetting process and who have shown professional expertise.
9. Privacy has emerged as a major consideration, both domestically and internationally. Organisations are finding out that how they treat their customer/client information, as well as that of their employees, can sometimes lead to negative news coverage. Additional care should be taken concerning other privacy practices of an organisation, such as collecting information from visitors to websites without proper notification of these practices.
10. An organisation's attorneys should become aware of computer crime-related laws and what impact those laws may have on the organisation's potential liabilities. These attorneys should also work with information security personnel, providing guidance on the most legally appropriate measures to put in practice and on how best to handle complex forensic investigations of computer crimes.
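To make rule 4 concrete (and the monitoring and notification side of rule 5), here is an added illustration that is not part of the original article: a small access-control check in which permissions express need-to-know, a conflict table expresses separation of duties, and an explicit override, for the case where the principle cannot be followed, is allowed only with an audit entry and an alert. The roles, actions, information classes and conflict pairs are constructed assumptions, not a standard.

```python
from dataclasses import dataclass, field

# Constructed sample policy: which role may take which action on which class of
# information. Anything not listed is denied (need-to-know).
PERMISSIONS = {
    ("clerk", "read", "payments"), ("clerk", "create", "payments"),
    ("supervisor", "read", "payments"), ("supervisor", "approve", "payments"),
    ("manager", "create", "payments"), ("manager", "approve", "payments"),
    ("auditor", "read", "audit_log"),
}

# Separation of duties: the person who did the first action on a record must not
# also do the second one on the same record (constructed example pair).
SOD_CONFLICTS = {("create", "approve")}


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)   # every decision, allowed or not
    history: dict = field(default_factory=dict)     # record_id -> {action: user}
    alerts: list = field(default_factory=list)      # what a manager would be notified of

    def request(self, user, role, action, info_class, record_id, override=False):
        """Return True if the action is permitted; log every decision either way."""
        if (role, action, info_class) not in PERMISSIONS:
            return self._decide(user, action, record_id, False, "no need-to-know")
        prior = self.history.setdefault(record_id, {})
        conflict = any(action == later and prior.get(earlier) == user
                       for earlier, later in SOD_CONFLICTS)
        if conflict and not override:
            return self._decide(user, action, record_id, False, "separation of duties")
        prior[action] = user
        if conflict:
            # Principle could not be followed: allow, but add special auditing and alerting.
            self.alerts.append(f"SoD override: {user} {action} {record_id}")
            return self._decide(user, action, record_id, True, "SoD override, alert raised")
        return self._decide(user, action, record_id, True, "")

    def _decide(self, user, action, record_id, allowed, reason):
        self.audit_log.append((user, action, record_id, "ALLOW" if allowed else "DENY", reason))
        return allowed
```

The audit log is the compensating control the rule mentions: a denied request and an overridden one are both recorded, and only the override raises an alert.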
Supporting the security of computer and communications systems is one of the most important responsibilities of senior management today. The rules for carrying out that responsibility have been discussed. It is now in the hands of your senior executives. Good luck.