20 A Practical Guide to Security Assessments
on a Greenfield Online survey performed in 2001 cited by BBBOnLine, “almost 90 percent of online shoppers would feel more confident shopping on a site that displays the BBBOnLine Privacy Seal, than from an online company that does not.”[9]
To receive the BBBOnLine Privacy Seal, companies must apply and meet requirements in the following general areas:

Threshold requirements — These requirements lay out some general conditions for the organization completing an application for the BBBOnLine Privacy Seal. They also detail the eligibility requirements for organizations — one of which is having a good standing with the BBB.

Privacy notice requirements — These are detailed guidelines for the content of privacy notices. Some of the key requirements include having to describe “…all the types of personally identifiable information or prospect information that may be collected through the Web site or online service (including e-mail correspondence).”[10] Other key requirements in this section include a stated commitment to online data security and an “opt-in or opt-out” provision for consumers, so they can decide whether or not their personal information can be shared. A number of other specific requirements related to the Privacy Notice can be found on www.bbbonline.org.

Sharing information — This section outlines rules regarding when and how consumers’ personally identifiable information can be shared with third parties. Sharing information is specifically prohibited when the party with which information is being shared can take that information and use it for its own marketing efforts.

Choice and consent — These requirements provide consumers with an explicit choice of whether to “opt in” or “opt out” when deciding whether they want their personally identifiable information used in a company’s direct marketing efforts. The choice and consent requirements also provide guidance on how information should be transferred to outside parties and the choice that is required to be given to consumers.

Access and correction — This section requires organizations to have a policy and process in place so that consumers can have their personally identifiable information corrected if they find it to be factually incorrect. This section also obligates companies to have personally identifiable information available in retrievable form so that consumers can readily access this information.

Security — The security requirements essentially say that a company must take “reasonable steps to ensure that personally identifiable information or prospect information is safe from unauthorized access, either physical or electronic. These steps include at least the following:

The organization maintains logs to properly track information and assure that authorized individuals only access data.
The organization maintains a written data security policy.
The organization performs at least an annual review of its written data security policy.
AU1706_book.fm Page 20 Tuesday, August 17, 2004 11:02 AM
Evolution of Information Security 21
The organization provides adequate training for employees, agents, and contractors.
The organization stores information in a secure environment (using features such as doors, locks, and electronic security).[11]

The security section also requires the use of encryption when certain personal information such as credit card numbers or social security information is transmitted or received online.

Additional staff determinations — The additional staff determinations deal with providing proper measures for screening out children when the Web site content is inappropriate for children under the age of 13. The requirement also provides guidance for where the BBBOnLine Privacy Seal may be used when there is content inappropriate for children under 13.
The BBBOnLine Privacy Seal is prevalent today and, based on the requirements listed above, is quite comprehensive. Two of the security-related requirements are that the company must have a data security policy and an annual review of that policy. As with some of the regulations that have been discussed so far, the developers of the BBBOnLine Privacy Seal recognized the need to look at information security in terms of a comprehensive program and the need to perform regular assessments; in this case, there are requirements for a policy and an annual review, which is very similar to doing a security assessment.
AICPA/CICA WebTrust Program
The American Institute of Certified Public Accountants (AICPA), along with the Canadian Institute of Chartered Accountants (CICA), developed the WebTrust Program to address security and privacy concerns that consumers have with companies conducting business over the Internet. The WebTrust Program provides a seal for companies that can pass an audit against the WebTrust standards. Although companies conducting electronic commerce over the Internet do not have to have the WebTrust seal, it is a recognized standard that gives some consumers confidence in the integrity of transactions and some assurance that their personal information is secure — very similar to the BBB OnLine Privacy Seal. The value of this kind of program is significant, considering all of the press about consumers being hesitant to do business over the Internet for fear of having their personal information compromised. Similar to the BBB OnLine program, the WebTrust program attempts to allay fears that some consumers have by providing an independent certification to companies. The program is only offered by Certified Public Accountants (CPAs) and Chartered Accountants (CAs), who are appropriately trained and licensed. The independence aspect is very important to note here. Notwithstanding some of the scandals that the CPA profession has seen recently, the profession is known for its independence.

The AICPA’s WebTrust Seal program is a set of best practice standards for electronic commerce sites. Separate standards and programs exist for fundamental areas defined by the AICPA and the CICA. The specific programs were released in 2003 and are listed on the AICPA Web site.[12]
Below is a detailed discussion of one of the WebTrust Seal programs — WebTrust Security. This standard is an example of what the requirements of an information security program specific to business to commerce could be. It is an example of a standard that looks at information security as a program that is built on a foundation of policies and with ongoing monitoring and enforcement to ensure that the program is functioning as intended and is updated as necessary.

From a security assessment perspective, this is relevant because the things described in the standard below are similar to those you would look for when conducting a security assessment.

WebTrust Security

The WebTrust Security certification has some similarities to the other WebTrust certifications, but the focus here is on restricting access to the electronic commerce system and data to authorized individuals.

The criteria used in performing a WebTrust Security examination are divided into four distinct areas:

Disclosure — Disclosure requirements obligate companies to disclose their security practices regarding:
Access to information collected during electronic commerce activities.
Access to systems used and how it is controlled.
Consumer recourse and third-party resolution processes — Consumer recourse is an important aspect of electronic commerce, and there is a common interest for customers and companies in ensuring that disputes are resolved quickly without costly litigation, which many consumers cannot afford and in which companies do not want to engage.

Policies — The requirement related to policies obligates companies to have security policies in place to address roles and responsibilities related to information security including user access and administration, change management (ensuring proper testing before migration to the production environment), physical security for systems used in electronic commerce activities, incident handling, and dispute resolution. In addition, requirements exist related to security awareness training and ensuring that the company has allocated adequate resources to security initiatives.

Procedures — Procedures are the next step after policies. Although the policies describe “what” has to be in place, the procedures describe “how” a company becomes compliant with those policies. For example, there are specific user ID access requirements or policies related to who can access systems. The procedures lay out the specific steps taken (e.g., giving network access to employees) to ensure that those requirements are met.

Monitoring — The monitoring requirements help ensure that systems and processes are in place to make certain that companies can monitor the security of their e-commerce systems, react to events, and make changes as required to ensure an adequate level of security. The monitoring component of this standard is the enforcement aspect of the policy, which is
a key component of any information security program. A lack of enforcement can be interpreted as a lack of commitment to security, and personnel may therefore not take security very seriously.
Another aspect of the monitoring component is ensuring that updates to the policies and procedures and the information security program in general are made. Organizations tend to be dynamic, and as changes to the organization occur, adjustments are required from a security perspective. For example, there may be changes to the business related to new processes, changes in technology, or organization structure. These changes may require adjustments to the overall information security program. Considering the speed of change in today’s companies and the fact that much of it is fueled by technology, security processes can become obsolete quickly.

The final aspect of the monitoring component addresses noncompliance with security policies. Noncompliance can happen in two ways.

First, despite the security policies being feasible, personnel do not follow policies for a variety of reasons including a lack of understanding of security policies, resource constraints, or a lack of awareness. In this scenario, there should be compliance and it should be enforced.

The second type of noncompliance is when a policy is not feasible or it does not make business sense to adhere to a policy. It may not be possible because the cost related to compliance far outweighs the benefits. In these cases, the risks must be understood, and mitigating controls must be put in place to the extent possible. Management should also formally acknowledge that they are accepting risk. This process ensures that management understands the risk and takes ownership of the decision to accept the risk.

The WebTrust Seal programs are a good standard by which to measure e-commerce companies. As evident from the descriptions of the WebTrust security program, the standards are technology neutral and can be incorporated into an information security program to address e-commerce operations.
ORGANIZATIONAL IMPACTS
Another aspect of the evolution of information security is the organizational changes that have taken place as information security has become more important. Before information security became a central issue for many companies, security was just a part of someone’s job in many cases. This meant that one of the people in IT had information security in his or her job description. There was no concept of conducting a formal risk analysis, determining what the risks are, and determining recommendations to address those risks. Enforcement related to security was not really a concept either.

In today’s market, information security is becoming a more important issue. Many companies recognize that one of their most important assets is their data. With all of the different security vulnerabilities that exist today and the government regulations related to security, it is no wonder that companies are taking steps to adequately secure these assets. This recognition has resulted in companies making
a number of changes in their businesses — specifically at the organization level. Some of the changes that have occurred and are discussed in detail in the next few sections include:

Rise of the Chief Security Officer (CSO)
Separate organizations dedicated to information security

The organization is a critical part of a security assessment. Organizations speak to roles and responsibilities and ownership of the security function. How information security is handled from an organizational perspective is based on several factors including budget, personnel, and most important — how to best align security personnel and organization so that security risk is managed effectively. An information security program with the best processes and technology can be completely ineffective without the right organization structure and clearly defined roles and responsibilities. One of the challenges when conducting a security assessment is a company’s tendency to focus on technology when talking security. The organization aspect and clearly defined roles and responsibilities are critical for the success of an information security program.
RISE OF THE CHIEF SECURITY OFFICER
One of the major shifts that the industry has seen is the coming of the Chief Security Officer (CSO). This would typically be an executive- or management-level position with overall responsibility for security. The CSO’s role will vary from company to company but in general is very broad because it touches virtually every piece of the company including technology, critical business processes, physical security, investigations, and executive protection. The CSO must be aware of security, operational, and financial risks and issues facing a company and have the ability to communicate and build relationships across organizational boundaries.

The advent of the CSO is a new trend that is a very positive step in realizing the importance of information security. In a survey performed by CSO Magazine in September 2002, where approximately 1,000 security professionals were surveyed, 37 percent said that they were in that position for less than one year and over 60 percent were in their positions less than two years.[13] Clearly, it is a new trend but a very positive one. It is possible that many of these positions came to be in the aftermath of the 9/11 tragedy in the United States, because that brought on a heightened awareness of security.

Although having someone with the CSO title or having someone with overall ownership for security is becoming more common, it is still an uphill battle to justify security and show its value. This is largely because of the mentality — “since nothing has happened, nothing is wrong — so why fix it?” This mentality gives senior management a false sense of confidence. A security officer with a global financial firm recently commented, “The greatest threat we face is the belief of senior management that there is no threat. So we don’t get funds, money, or resources, and without those things, you can never address security threats and risks.”[14] There is a lack of education within many companies at all levels from management on down about the