Chapter 3. Business Drivers for Access Controls

ACCESS CONTROLS SHOULD NOT BE IMPLEMENTED RANDOMLY. A well-thought-out approach to access control implementation furthers the goals of an organization. In this chapter, we will discuss the reasons behind access controls in both the public and private sectors. In the public sector, access controls and the information they protect could save a soldier's life or keep the public infrastructure running smoothly. In business, or the private sector, access controls help protect valuable assets such as trade secrets. This chapter covers how information can have value, and what role secrecy and access controls play in protecting that value.

Business Requirements for Asset Protection

In business, it is vital to protect the assets that make doing business possible. Inventory and raw materials are kept in secure locations to avoid theft or damage. Information assets are no different—they must be kept securely to avoid compromise.

Importance of Policy

In modern life information is the lifeblood of any organization. Controlling who has access to that information and how they can access it is vital for the profitability and survival of a company. Technology can only do so much to safeguard confidential information. Clear business practices and policies will prevent many information security breaches from ever occurring, as long as they are strictly enforced.

For example, a chemical company may have a policy that states that only those employees with a legitimate purpose can enter the labs. This policy should ensure that secret chemical formulas are not leaked to unauthorized personnel. Unfortunately, if that policy is not widely enforced, both by technological means such as a smart card ID reader as well as by alert employees, that policy can become ineffective. A policy cannot prevent an information leak if employees regularly hold open the lab doors and allow each other to enter without swiping their ID badge.

Senior Management Role

Senior management must be fully supportive of any attempt to create an access control system, or the project may never go to completion. Most senior managers realize this, and also understand the importance of protecting the key information assets of their business.

Classification of Information

Classification of information is the act of declaring information available to only approved information consumers. Both nations and many major corporations have sensitive information that gets classified, limiting its availability both to the organization and the outside world.

Classification Schemes

A classification scheme is a method of organizing sensitive information into various access levels. Only a person with the approved level of access is allowed to view the information. This access is called clearance. Every organization has its own method of determining clearance levels. The methods usually include a background check, interviews, and a determination of the user's need for the information. Most nations and some corporations have classification schemes set up to handle the organization and access of sensitive information.

National Security Classification

The National Security classification scheme has three main levels as well as unclassified, which has subcategories. Each level has a corresponding level of security clearance. Each level of security clearance allows access to that level of information and those below it. By law, information may only be classified to protect national security, not to conceal embarrassing information or illegal activities. Classification levels are described as follows:

Note

The FOIA was passed in 1966 and requires the government to provide access to any governmental information to any requesting party. Certain information, such as classified and CUI information, is exempt from these requests. This law applies only to federal documents, but many states have similar laws.

  • Unclassified—Unclassified isn't actually a classification level; it is the lack of a classification level. This is used for information that the government has not classified under the national security classification system. Other U.S. departments may still secure this information via their own classification schemes. Until 2008, there were hundreds of subclassifications, each with its own rules. They have now all been condensed into one category called Controlled Unclassified Information (CUI). Anyone can get access to unclassified information through legal means via a Freedom of Information Act (FOIA) request. Unclassified information is immediately accessible to the requester. CUI data may be exempt from FOIA requests, and both the FOIA request and the data are closely reviewed.

  • Confidential—This is the lowest level of sensitivity. This is information that would damage security if it were disclosed. This information may only be handled by personnel with security clearance, may not be disclosed to the public, and must be disposed of in a secure manner.

  • Secret—This is information that would cause serious damage if disclosed. This is the most common classification level.

  • Top Secret—This is the highest level of information sensitivity; it is defined as any information that would cause grave damage to national security if disclosed.

Information may change classifications at any time, as circumstances warrant. Information that may have been deemed confidential in 1992 may be considered Secret or even Top Secret today. Likewise, information that was of Top Secret importance in 1939 may no longer be sensitive enough to be classified at all.

Corporations

Just like governments, corporations need to restrict access to information.

  • Private—Information that a corporation wants to keep internally. This is a general category. The rest of the categories are subsets of it.

  • Sensitive—Information that could cause harm to the organization if it is compromised through exposure or alteration. Bonus and salary information are two examples.

  • Restricted—Any information that a corporation wants to limit access to. It is usually only accessible to a small group of individuals.

  • Proprietary—Often used interchangeably with "trade secrets" but covers a wider range of information and is not as well legally defined. The term "proprietary" covers any information that a company derives a competitive advantage from. Marketing data, formulas, customer lists, salary structure, test results, and software source code are some examples of proprietary information. This information may be shared with outside organizations with the expectation of confidentiality, usually enforced with a non-disclosure agreement.

  • Trade secret—A trade secret is any information that an organization holds that is not generally known to the public and provides economic benefits to the organization from maintaining its secrecy. A trade secret is a special case of proprietary information.

Reasons for Classification

Information is generally classified if disclosure could harm the controlling organization. Corporations classify information to try to keep a competitive advantage over other companies. A soup company, for example, may want to keep its recipes as trade secrets. A company that tests the strength of materials may want to keep its testing methodology proprietary. Governments want to classify any information that would damage their security, such as troop locations and movement, facility locations, and so on.

Declassification Process and Policy

Declassification is the process used to move a classified document into the public domain. Every country and organization that classifies documents has a method of declassification. Let's look at the U.S. model as a baseline.

There are four ways a U.S. government document can become declassified:

  • Automatic declassification—This happens with any document over 25 years old. Unless it meets strict criteria, the document is automatically declassified after the department that owns the document reviews it. The document is then moved to the publicly accessible shelves of the national archives.

  • Systematic declassification—Any document that is under 25 years old but of significant importance to the historic record of the United States is reviewed for early declassification. Once identified, these documents go through the same procedures as automatically declassified documents.

  • Mandatory declassification review—Initiated when an individual attempts to get a document declassified. After the review request has been filed, the owning organization must respond with approval, denial, or a statement that it can neither confirm nor deny the existence of the document. If the request is denied, the requester can appeal to the Interagency Security Classification Appeals board.

  • Freedom of Information Act request—This is an attempt by a member of the general public to get a document declassified. The act allows for full or partial disclosure of the document. If the owning organization refuses the request, the decision can be appealed in a judicial review.

Personally Identifiable Information (PII)

On its Web site, the U.S. Department of Commerce defines "personally identifiable information (PII)" as:

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.1

This is usually sensitive information for a corporation and must be safeguarded. This is also information that is targeted for theft, as it is the key to identity theft. Protection of this information is mandated by numerous federal and state laws and any security breaches must be disclosed in a timely manner. This information is especially tightly controlled in the health care and financial industries.

Privacy Act Information

This is any information that is covered by the Privacy Act of 1974. The act covers the collection, maintenance, and dissemination of personally identifiable information (PII) inside the federal government. Information covered in this act includes Social Security number (SSN), payroll number, information on education, financial transactions, medical history, criminal history, and employment history. This information can only be disclosed with the written consent of the subject or if the use fits into one of the following exceptions:

  • By the U.S. Census Bureau or the U.S. Bureau of Labor Statistics for statistical purposes

  • Routine use within a U.S. government agency

  • A document with significant historical value for archival purposes

  • For law enforcement

  • Congressional investigation

  • Other administrative purposes

It is important to remember that this act only applies to organizations inside the federal government. State government and private entities are not governed by the Privacy Act of 1974.

Competitive Use of Information

Obtaining information about a competitor or its products can give an organization a significant competitive advantage, if it is used strategically. If an organization obtained and released certain information to a competitor's best customers, it could drive those customers away. That's why it's vital to keep information, like formulas and recipes, secret—ensuring customers can only get the information from one source.

Warfare as a Model for Business

The basic idea of warfare as a model for business is to view your competitors as opposing armies, and market share/customers as the battlefield. You win by taking and holding profitable market share. The key to this is understanding your advantages and weaknesses, and avoiding damaging battles. Fight where you gain an advantage, and never fight over what is worthless or will be destroyed. An example of this is a price war. One business may gain market share over others by driving the price down, but in the end they all lose profitability.

In a business-as-warfare model, the tools of war are company trade secrets and proprietary information. It is vital to protect these tools because opponents can gain a competitive advantage by discovering them.

Sun Tzu

Sun Tzu was an ancient military general and strategist. His book, The Art of War, is one of the definitive treatises on warfare. Its six principles apply very well to a business setting:2

  1. Capture your market without destroying it—Sun Tzu called this "Win all without fighting." You must capture market share to be profitable, but if the act of capturing it ruins the profitability of the market, the fight wasn't worth the effort. A price war, as discussed above, illustrates this concept well. It is not worth starting a price war if the result is a market in which you cannot sell a product at a profit.

  2. Attack your competitors' weak points; avoid their strengths—If you take your competition head on against their strength (challenging a discount store on price, for example), you end up fighting a battle of attrition. Although you may win the battle, the victory will be costly. Focus on their weaknesses, maximize your gains while minimizing use of resources, and increase your profits. For example, if you can't beat your competitors on price, focus on differentiating your business by providing a better customer experience than your competitors provide.

  3. Use knowledge of your opponent and cunning to maximize your business intelligence—To effectively attack your competitors' weak points, you must have a deep understanding of their business and decision processes. Likewise, you have to strive to keep your plans secret and mask your actions to keep your competitors from utilizing their strategies on you.

  4. Use speed and preparation to overcome the competition—To fully exploit your knowledge of your competition, you must act swiftly without hesitation. Your company must make decisions quickly, and be able to anticipate the competition's reactions.

  5. Use alliances and industry control points to make the competition conform to your will—Through a strong web of alliances and control of strategic points in your industry, you control the rules of the contest, increasing your ability to anticipate your competitors' actions.

  6. Develop character as a leader to maximize employee effort—It takes a special kind of leader to implement these strategies and utilize the tremendous potential of the company's employees.

Clausewitz

Carl von Clausewitz was a Prussian major-general whose treatise On War is still considered one of the most influential documents in Western warfare. Clausewitz viewed war as commerce, as many people today view commerce as war. Clausewitz stressed having a strong organizational structure and logistics. He also introduced the concept of "fog of war." Fog of war is the ambiguity and lack of knowledge about the opposition. The term describes uncertainty about your opponent's intent, strength, and capabilities. Clausewitz stressed that your strategies and tactics must be flexible when you encounter the opponent. This concept of adapting your plans to a changing environment is Clausewitz's biggest contribution to business.

Case study.

Acme learned that its largest competitor, National Widgets, was courting Acme's best customer. National Widgets offered customers an extremely good deal that would have been impossible for Acme to meet profitably. Acme managers realized they could not compete on price. They couldn't afford to keep the company's best customer if it wasn't a profitable account. If other customers learned about the deal, it could endanger all of Acme's business.

Instead of engaging in a damaging price war with National Widgets, Acme attacked in an unexpected way. Acme took National Widgets' pricing promotion that was being offered to Acme customers and presented it to National's three best customers. Acme told those National customers that National was offering certain customers lower prices. National quickly withdrew its offer to Acme's best customer, and had to deal with its three customers demanding the same low-cost deal.

This case study shows that a price war isn't always an effective business strategy. Had Acme just slashed prices, both companies would have been damaged. One may have come out the victor, but at the cost of profitability. The study also indicates why information security is so important. National's failure to secure what should have been proprietary information (the special pricing offered to the Acme customer) allowed Acme to counter its attempt at expansion.

Valuation of Information

How valuable information is depends upon its strategic importance and the impact of disclosure. Some information, such as federally protected health information, if improperly disclosed, can cost an organization millions of dollars in fines and even lead to prison sentences for those responsible for the disclosure. Other information, such as trade secrets, will lead to lost profits if they are leaked to competitors.

As a Competitive Advantage

It is often said that information is the competitive advantage. Many companies use marketing data, custom business models, and custom business practices. A company may have a formula for its product or a method of servicing its customers that differentiates itself from the pack. These things are the life of a corporation, and are all information based. Securing that information is paramount to a company's success. Loss of that information can lead to a company's decrease in market share and reduced profits.

Case study.

The 1971 Data General Corporation v. Digital Computer Controls, Inc. case is an example of insufficiently secured trade secrets and the penalties for misappropriating them.

Upon request, Data General Corporation would supply the design documents for its Nova 1200 computer system along with the system. This was done to allow customers to maintain and repair their own computer systems. The drawings were marked as confidential, and customers were given an agreement of confidentiality when they received the documents.

The president of Digital Computer Controls purchased a used Nova 1200 through a third party in March of 1971. Digital Computer Controls requested the design documents as part of the purchase and was supplied a copy by the seller. Digital Computer Controls then developed the D-116 minicomputer from the design drawings, ignoring the annotation on the drawings that they could not be used to manufacture similar items without written permission.

Data General Corporation eventually won a permanent injunction barring Digital Computer Controls from selling the D-116, but it took five years. During that time, Digital Computer Controls sold many D-116 computers and had time to develop its next system.

As Penalties for Improper Disclosure

A lot of information that a corporation collects is legally protected sensitive information, for example PII, financial information, and in some industries classified government documents. Although this information might not have an intrinsic value, there are severe penalties for improper disclosure, both official and in the market. The following are some examples of what a company faces for improperly disclosing information.

Below are penalties for disclosing medical/patient information in violation of the Health Insurance Portability and Accountability Act (HIPAA):

  • Unknowingly disclosed—$100 per violation

  • Reasonable cause to disclose—$1,000 per violation

  • Disclosure due to willful negligence that is corrected—$10,000 per violation

  • Disclosure due to willful negligence that is not corrected—$50,000 per violation

  • Disclosure due to criminal intent—up to $250,000 and 10 years in jail

Penalties for disclosing PII are as follows:

  • Social Security number—Criminal penalties for certain violations up to $250,000 and five years in prison; civil penalties of $5,000 for misuse or fraud; and civil penalties of up to $11,000 per violation of noncompliance with Social Security Act regulations.

  • Credit card/bank account information—A corporation can be brought into civil court and forced to pay damages. There are criminal penalties as well. Knowingly and willfully disclosing information, and willfully maintaining a system of records without published notice, can result in a $5,000 fine. If an organization willfully accesses information under false pretenses, it can be fined $5,000 by the Federal Deposit Insurance Corporation (FDIC). The disclosure will also be subject to at least a $500,000 fine and the loss of the ability to process payment cards under the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is maintained by a standards council made up of all the major credit card companies.

In all of these situations there are also unofficial penalties. The loss of consumer trust adversely affects a company's sales. No one wants to give their credit card number to a company that can't or won't secure it.

Business Drivers

There are obvious business reasons to secure information. To determine whether or not there is a clear business reason to secure a specific piece of information, consider a cost-benefit analysis, the results of your organization's risk assessment, and various other factors.

Cost-Benefit Analysis

A cost-benefit analysis is essentially a pros and cons list that helps businesses make decisions. To decide whether a given piece of information justifies the effort and investment of access controls, consider two factors: the advantage gained from keeping the information secret, and the risks avoided by controlling access to the information.

Some information is not usually worth the effort to secure. The date of the company picnic is a good example. There is little to be gained by keeping this information secret, even externally. There are few risks associated with releasing the information—it is highly unlikely that a competitor will try to disrupt your company picnic if the competitor knows the date.

Other information is more important. Keeping employees' addresses and phone numbers secret, for example, does not necessarily offer any competitive advantage, but there are significant risks to be avoided by securing that information. Secret formulas and recipes confer a definite advantage to the company, but only if they are kept secret.

Advantage Gained

One consideration of access control is that of advantage. Does a company gain an advantage from securing its information? Could its competitors gain a similar advantage if they had access to the information? Is the information already secret?

Consider a proprietary recipe developed by a food manufacturer. In testing, the company realizes its new recipe is popular with customers. In fact, since releasing the new product, its sales have tripled. If sales levels hold steady, the new item will become the best-selling product of its kind within a year. Holding the recipe for such a popular product clearly gives the company an advantage over its competition.

Would a competitor gain a similar advantage if it had access to the same recipe? The competitor would probably release a similar product at a lower price point, because it did not have to invest in research and development. Once customers realize that the less-expensive product is very similar to the original, sales of the more expensive original product could decrease.

Risk Avoided

Another consideration of access control is risk. As you read earlier in this chapter, there can be significant penalties for allowing sensitive information to be disclosed, even if the disclosure is purely accidental. In the preceding example concerning a secret recipe, the company might not risk fines or jail time by sharing its recipe, but it does risk being undercut by the competition.

This is where the asset valuation portion of a risk assessment (covered next) becomes important. Every organization should know what information it possesses, and how important that information is in terms of access control. Organizations should also be aware of negative consequences that could arise if that information is not adequately secured.

Risk Assessment

Chapter 2 described ways to conduct a risk assessment in depth. Here you'll learn how to use the information discovered during a risk assessment. One of the deliverables from a risk assessment should be a prioritized list of threats and vulnerabilities, as well as a complete inventory of assets, including sensitive information.

The inventory of information assets (also called "intellectual property") can help you determine what should be classified and what information is not important or advantageous enough to warrant access control resources.

The list of threats and vulnerabilities is another guideline you can follow when deciding what to secure. When taking this approach, you might choose to secure the most vulnerable assets first. For example, you know that there have been concentrated efforts to obtain the personal cell phone numbers and vacation schedules of senior U.S. executives, probably as a precursor to a social engineering attack at a later date. This makes it more crucial to secure information that might otherwise not be considered a top priority. The fact that it can be used to obtain more critical information makes it critical itself.

Business Facilitation

Information is the backbone of many business processes. In manufacturing, inventory and order numbers determine how productive the assembly line must be in any given week. In the financial industry, constantly changing stock prices dictate buy and sell decisions. Controlling who has access to this information, and at what level, is critical for facilitating the day-to-day operations of a business.

Note

Modern operating systems implement access rights in a more granular way, giving users read, write, and execute privileges. Some operating systems combine these three basic privileges into other combinations.

Access Levels

In terms of business facilitation, there are essentially three levels of information access: no access, read access, and read-write access.

Understanding access levels: A newsletter example.

To understand access levels, let's use a corporate newsletter as an example. A corporate newsletter is a tool used to distribute important information, such as the dates for open benefits enrollment. All employees have permission to read it, but only a few are entitled to write and publish information in the newsletter. This one-to-many scenario—or few-to-many, depending on how many people are involved in writing the newsletter—is used to carefully control the flow of information to the average employee. If the enrollment dates are published in the newsletter, every employee receives the same information and is expected to abide by the published deadlines.

The newsletter is also a tool for creating corporate culture and supporting employee morale. You will rarely find a negative article in a corporate newsletter, because that would be damaging to morale. Likewise, the tone of the newsletter is indicative of corporate culture.

In a traditional financial firm, the employee newsletter is likely to be straightforward and data-heavy. In a dot-com style company, the newsletter is more likely to be written in a fun, slightly irreverent tone. It might include trivia, news oddities, and other "fluff" that would not be included in a financial firm's newsletter.

Both newsletters support and reinforce the firms' corporate cultures. This does not happen by accident, but is carefully constructed to meet a goal. This goal is met by carefully restricting who can publish information in the company newsletter. By restricting write access, the organization maintains a unified voice.

Understanding access levels: An order process example.

What about other information sources within a company? Consider a single order for an herb garden kit from a mail-order nursery. A wide variety of people have access to that information throughout the life cycle of the order, as shown in Figure 3-1.

Mike, the customer, is the first person to have access to order information. When he places his order via the company's Web site, Mike has read-write access to the order data. Once he submits the order, however, he is restricted to read-only access. He can track the status of his order, but can no longer change the data.


Figure 3-1. Access to information through the life cycle of an order.

When the order is placed, the data is stored in a database, and notifications are sent to Mike (confirming the order) and to an employee in order processing. This person collects the pots, seeds, and peat pellets necessary to assemble the herb garden kit, and passes the kit to the shipping department. At this point, order processing updates the database to reflect the new status of the order. The order processor may also update the inventory database to reflect the fact that items were removed from inventory to assemble the order. The person in order processing has read-write access to the order information, at the point at which he or she needs it. The order processor has no access to the information during order creation, has read-write access while fulfilling the order, and has no access once the product is sent to shipping.

The shipping department schedules a pickup with Mike's preferred carrier and receives a tracking number from the carrier. This tracking number is appended to the order information and sent to Mike. When the shipping carrier picks up the package, the order is closed. The shipping department may have read access to the order information while the order is in processing, and has read-write access during the time the order resides within the shipping department—after it leaves processing—but before it is picked up by the shipping carrier.

Customer service has read access to the order data throughout the entire workflow, so that representatives can give Mike an up-to-date order status. Customer service representatives may even have read-write access, if the business allows customers to modify orders or make special requests during the life cycle of an order. For example, the business may allow customers to call in and request an upgrade to priority shipping, as long as the order has not yet been sent to the shipping department. To facilitate this business need, customer service representatives must have read-write access to the order data throughout the order life cycle.

Customers themselves have read-write access only at the point of order creation. Once they submit their order, they are restricted to read-only access for the remainder of the order life cycle. This is done to avoid a crisis. If a customer had read-write access, that is, the ability to modify his order at any point in the order life cycle, the order processing department could assemble the order, only to find that the customer has changed his mind and now wants a different product. The time and effort expended in assembling the first version of the order would have been nonproductive.

Controlling who can modify order data at any given point in the process is the only way to ensure productivity. Without this type of access control, order processing could go into an indefinite loop trying to assemble one customer's order.
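The order workflow above can be written down as an access matrix keyed on role and order state, and enforced on every read and write. The following is an added illustration, not code from the textbook: the state names, role names, the allow_customer_changes flag and the shipping department's lack of access after pickup are assumptions made here.

```python
"""Role- and state-dependent access to an order record (added example).

Models the access levels described for the mail-order nursery workflow:
the customer, order processing, shipping and customer service each get
no access, read access or read-write access depending on where the order
is in its life cycle. State and role names are assumptions for illustration.
"""
from __future__ import annotations
from enum import Enum


class State(Enum):
    CREATING = "creating"      # customer filling in the order on the Web site
    PROCESSING = "processing"  # submitted; kit being assembled by order processing
    SHIPPING = "shipping"      # handed to shipping, awaiting carrier pickup
    CLOSED = "closed"          # picked up by the carrier


NONE, READ, READ_WRITE = "none", "read", "read-write"

# The order may only advance one step at a time along this sequence.
NEXT_STATE = {
    State.CREATING: State.PROCESSING,
    State.PROCESSING: State.SHIPPING,
    State.SHIPPING: State.CLOSED,
}


def access_level(role: str, state: State, allow_customer_changes: bool = True) -> str:
    """Return the access a role has to the order data while it is in `state`."""
    if role == "customer":
        # Read-write only while creating; read-only for the rest of the life cycle.
        return READ_WRITE if state is State.CREATING else READ
    if role == "order_processing":
        # No access at creation, read-write while fulfilling, none once sent to shipping.
        return READ_WRITE if state is State.PROCESSING else NONE
    if role == "shipping":
        if state is State.SHIPPING:
            return READ_WRITE
        # Read while the order is in processing; none before or after (assumption).
        return READ if state is State.PROCESSING else NONE
    if role == "customer_service":
        # Always read; read-write for special requests (e.g. priority shipping)
        # only while the order has not yet been sent to the shipping department.
        if allow_customer_changes and state is State.PROCESSING:
            return READ_WRITE
        return READ
    return NONE  # unknown roles get nothing (default deny)


class Order:
    """An order record that checks the access matrix on every operation."""

    def __init__(self, order_id: str, items: list[str]):
        self.order_id = order_id
        self.data = {"items": list(items), "shipping": "standard", "tracking": None}
        self.state = State.CREATING

    def read(self, role: str) -> dict:
        if access_level(role, self.state) == NONE:
            raise PermissionError(f"{role}: no access in state {self.state.value}")
        return dict(self.data)  # copy, so callers cannot bypass update()

    def update(self, role: str, field: str, value) -> None:
        if access_level(role, self.state) != READ_WRITE:
            raise PermissionError(f"{role}: no write access in state {self.state.value}")
        self.data[field] = value

    def advance(self, role: str) -> State:
        """Move to the next state; only a role holding write access may do so."""
        if access_level(role, self.state) != READ_WRITE:
            raise PermissionError(f"{role}: cannot advance from {self.state.value}")
        if self.state not in NEXT_STATE:
            raise ValueError("order is already closed")
        self.state = NEXT_STATE[self.state]
        return self.state


def is_denied(action) -> bool:
    """True if calling `action()` is refused by the access check."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    order = Order("A1", ["basil", "thyme"])          # constructed sample order
    order.update("customer", "items", ["basil"])      # allowed while creating
    order.advance("customer")                         # submit: now PROCESSING
    # The "changed his mind" scenario: the customer can read but not modify.
    print("customer edit denied:", is_denied(lambda: order.update("customer", "items", ["mint"])))
    order.update("customer_service", "shipping", "priority")  # allowed before shipping
    order.advance("order_processing")                 # kit assembled: now SHIPPING
    order.update("shipping", "tracking", "TRK-0001")  # constructed tracking number
    print("final state:", order.advance("shipping").value)
```

Every permission decision is a pure function of (role, state), so the matrix can be reviewed and unit-tested independently of the order code that enforces it.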

Restricting Access

As shown in the previous examples, restricting access to information can be a way to ensure productivity in business processes. Access restrictions to information can also be a way to ensure that a consistent message is conveyed throughout the organization. When information has one author—one individual with read-write access—you can easily verify that the information is accurate and has not been changed.

Consider the open enrollment dates discussed earlier in this section. If those dates are published in the corporate newsletter (an information vehicle with restricted read-write access), employees can be confident that those dates are correct. What if open enrollment dates were distributed by word of mouth (essentially, without any access restrictions at all)? If you have ever played the game "telephone" in kindergarten, you can imagine the chaos that would ensue. No one would really know which dates were correct and which were not.

These are all simple examples of the need for access restrictions to facilitate business processes. However, there are more serious reasons that businesses need to restrict access to information. Internal business policies should not be shared with customers or competitors, for example. There are situations where commonly known information within one part of the business cannot be shared with another.

Consider a large financial firm with two divisions. One division handles client investments, while the other is involved in banking and insurance activities. On the banking side, everyone may be talking about an upcoming acquisition of an insurance carrier. Many of the details of the acquisition are common knowledge. However, employees on the investment side are not allowed to know those details because they could influence, even subconsciously, their buy and sell decisions. In this case, strict physical access limitations to data are necessary. An employee from the investment side of the firm, which has offices on the second floor of the building, would not be allowed on the third floor, where the banking and insurance division is located. Smart card ID badges and other physical security measures would generally be used to enforce this access restriction.

Cost Containment

What would it cost a company if a given piece of information were released to the public? This is the essential question to ask when determining whether to secure information from a cost containment perspective. In some cases, there may be actual monetary fines for releasing information. A more likely scenario is that the cost to the company would be measured in terms of a competitive advantage or lost productivity.

Consider what seems like a trivial piece of information—a memo from the chief information officer (CIO) asking IT to research and make recommendations for a new customer relationship management (CRM) software vendor. The memo states that recommendations should be made by March 1, because the CRM project must be started by April 1.

On the surface, this does not seem like crucial information. However, if a CRM vendor were to find out that IT must choose a preferred vendor by a certain date, the vendor could delay a price reduction until after the contract is signed, thus costing the company more for the CRM product than it otherwise might.

Simple physical access restrictions may be enough to keep this memo out of most unauthorized hands. After all, unless the CRM vendor physically walks into an IT manager's office and sees the memo tacked to a bulletin board, the vendor would have no way of knowing the memo even existed. If the memo is sent in electronic form, as most are in modern businesses, the process of restricting access becomes more complicated. If hard copies of a memo are physically distributed to recipients, the only access control concerns are who has physical access to those documents. As long as the IT managers in this scenario don't leave these memos out where unauthorized people could read them, the information will not get into the wrong hands.

If memos are sent out electronically, access control becomes both simpler and more complex. It is more likely that a paper memo will be left lying out on a desk (or tacked to a bulletin board) than it is to have an electronic memo left visible on a computer screen for someone to walk by and casually read. On the other hand, it is trivially easy to accidentally or deliberately e-mail that memo to 100 or 1,000 people.

One of the IT managers in this scenario reads the CRM memo and decides to delegate the task to one of his lead developers. He begins to forward the memo via e-mail, when the phone rings. While he answers questions on the phone, he completes his e-mail and sends it. Unfortunately, because he was distracted, instead of sending the memo to one developer, he sends it to all development teams. Now the memo that was originally given to three IT managers has been distributed to dozens of developers, as shown in Figure 3-2.

What if one of those developers plays golf with a college buddy every Saturday? While they walk the golf course, they vent about work, and the developer mentions the hunt for a new CRM vendor, and the fact that he has had to put his other work aside in order to research CRM vendors and make a recommendation before next Monday. The college buddy mentions this to his wife, who has lunch with a friend who works for CRM First, Inc., one of the vendors under consideration. Knowing that the topic is something her friend might have an interest in, she mentions the big decision deadline coming up next week. Suddenly, an outside vendor knows about the internal deadline.

Figure 3-2. Accidental dissemination of electronic information to unintended recipients.

This simple scenario, of course, does not delve into the realm of corporate espionage and deliberate passing of internal memos to outside vendors. Those issues are dealt with elsewhere in this book. It does, however, highlight the importance of employee training on restricted information and the ease with which information can be disseminated throughout an organization, especially when it is in electronic form.

The cost containment benefits of access controls must be balanced with the cost of those restrictions. There are overhead costs involved in any effort to restrict access to information. It does not make sense to spend large amounts of time and money developing a customized access control system to protect information with little or no value.

Operational Efficiency

There is such a thing as too much information, and too much of the wrong information. The key to operational efficiency is in giving the right people the right information, at the right time. The following factors are discussed in this section:

  • The right information

  • The right people

  • The right time

The Right Information

If a warehouse manager comes into work Monday morning and finds the quarterly financial report on her desk instead of the inventory report, she cannot do her job. She has to track down the necessary information, costing her valuable time. The warehouse manager has no immediate need for the financial report (although if she is vested in the company, she may be interested in the information), so having access to the report does not increase her efficiency. The inventory report, on the other hand, is information she has a direct need for.

In IT, it is your job to ensure that the warehouse manager has the inventory report on Monday morning, and only has access to the financial report upon request.

The Right People

As shown in the earlier example of an order life cycle, if the wrong people have access to information, productivity can come to a halt. If a customer can change the details of his or her order after it has already been assembled, there can be a breakdown in processes and efficiencies.

The same thing can happen if too many people are brought into a decision-making process. Consider the CRM vendor example in the previous section. Management and select experts from the IT department should be involved in that decision process. What would happen if the entire assembly line from manufacturing were invited to comment on each CRM choice? The decision process could be slowed down or even halted because the wrong people were brought into the process.

The Right Time

In the CRM vendor example, sales might be the driving force behind the initiative. The company has determined that a CRM solution will increase its ability to serve customers and make sales. This determination is made within the sales department before it is brought before senior management for approval. Senior management must approve the initiative before it is sent to IT for research, and before the contracts are requested from the legal department. Much time would be wasted if someone in sales were to send a memo directly to a manager in legal asking for a contract to be drawn up for a new CRM vendor. That work would have to be redone later because requirements would inevitably change during the requirements gathering and research phases.

In the warehouse example, if the manager has the quarterly financial report on Monday morning instead of the inventory report, she loses efficiency because she does not have the right information at the right time.

IT Risk Management

The risk assessment itself can be considered sensitive information. The risk assessment report contains a number of pieces of information that could have a devastating effect in the wrong hands:

  • Full asset inventory

  • Vulnerability assessment

  • Threat assessment

  • Mitigation plans

Tip

The asset inventory should also reference intellectual property assets such as customer records, trade secrets, and business plans. This information is even more useful to an attacker than the existence and location of physical assets. The risk assessment report would not contain the information directly, but it would note where that information is stored and who is authorized to access it.

Full Asset Inventory

The asset inventory contained within a risk assessment report should contain a list, along with location information, of every major resource within the IT infrastructure. However, if an attacker learns that the company's customer database is located on Server A5 in the third rack on the northwest wall of server room 12, the task of stealing or disabling that server is a lot easier. Once the attacker is past physical security measures, he or she has a short amount of time to get in, do the job, and get out without being caught. Knowing exactly where to find resources helps him or her get in and out more quickly.

Vulnerability Assessment

For a risk assessment to be useful, it must look at the weaknesses in the infrastructure. Every system has weaknesses. They are an unavoidable fact of life. The point of a risk assessment is to look honestly at those weaknesses and determine how to eliminate them or minimize their impact.

If an attacker were to obtain a copy of the risk assessment report with the vulnerability assessment, he has a customized manual for attacking the resources he is most interested in. Instead of trying dozens of possible vulnerabilities until he finds one that hasn't been patched, he knows exactly what has been done to strengthen the system and where the weak points can be found. This information makes attacking a system trivial.

Threat Assessment

A threat assessment is similar to a vulnerability assessment, with one slight difference. While the vulnerability assessment looks at weaknesses within the existing infrastructure, the threat assessment deals with the potential for those weaknesses to be exploited.

An attacker with access to a threat assessment knows what attacks the company's security team has already considered, and may have begun to mitigate. He also knows which attack methods the company has overlooked or did not realize were possible. This saves the attacker the trouble of attacking in ways that the security team has already anticipated. Depending on how recently the risk assessment was done, the attacker could assume that the threats described in the threat assessment have already been mitigated, or that they are open doors. If the risk assessment is relatively recent, the attacker has a list of attacks that are known to be effective. If the risk assessment is several months or years old, he knows which attacks he shouldn't bother with.

Mitigation Plans

A risk assessment usually has a section that details plans to mitigate the vulnerabilities and risks described in the previous two sections. If an attacker has those mitigation plans, he knows how much time he has before a given attack is no longer effective. He can also pick apart those plans looking for new vulnerabilities that may be introduced in the course of mitigating older vulnerabilities.

A particularly sophisticated attacker who is skilled at social engineering could even pose as a vendor or consultant selling threat mitigation services. If he can convince the company that he is legitimate, the company could face the situation where the attacker is the same person hired to "fix" IT security problems.

Risk Assessment Policies

The final section of a risk assessment report is usually a description of the company's policies governing how often a risk assessment should be carried out, what methods should be used, and who should be involved. It also contains a list of individuals who will receive a copy of the report.

An attacker can use this information as well. If he knows that a risk assessment is carried out every two years, and the report he has is 18 months old, he may decide to wait six months to attack that company because he knows that in six months a newer risk assessment will be available. Like everyone else, an attacker is interested in the most up-to-date information available. He also knows what the risk assessment team is looking for, so he can figure out where to hide the evidence of his activities if an attack is already in progress. For example, if the risk assessment policy states that employees should be secretly tested for vulnerability to various social engineering ploys, an attacker might choose that time to attempt social engineering. He knows that if someone catches on, they are likely to assume he is just a member of the risk assessment team. The attacker has a built-in story to cover his actions if someone begins to suspect something.

Compliance—Laws, Regulations, and Agreements

In some industries, securing information is not simply good business practice, it is a legal mandate. Even in industries that do not fall under governmental regulation, there are legal compliance issues to consider. Chapter 4 covers regulatory compliance in depth. In this section, you'll focus on legally binding agreements made between two parties that govern information security.

Note

Any contract can have language restricting how information can be used or distributed, as well as how it must be stored. The most commonly used agreement that you may run into is the non-disclosure agreement (NDA) or confidentiality agreement. These are two terms for the same agreement.

Confidentiality agreements are usually used when confidential information must be shared before a more binding contract can be agreed upon. Consider a company that needs to hire a new IT manager. The company collects resumes and decides to interview five candidates. In the course of conducting those interviews, each of the five candidates must be brought into the office, shown the IT infrastructure, and given information on the business area that they might be managing. This is all confidential information that could be used to harm the company if it were to get into the wrong hands. Unfortunately, it is difficult to effectively carry out the interview process without disclosing some proprietary information.

To mitigate the risk that a candidate who is turned down for the position will sell or disclose any proprietary information gathered during the interview, candidates are asked to sign a confidentiality agreement. Realistically, a signed contract probably will not prevent an individual from selling proprietary information out of greed or spite. A person who is willing to sell proprietary information is likely to disregard a confidentiality agreement. The agreement is simply there to give the company some recourse in the event of an unauthorized disclosure.

Controlling Access and Protecting Value

Confidential information is the most common asset that is devalued by a failure in access control. In this case, information is only valuable if it is hidden. If confidential information becomes common knowledge, it ceases to hold special value.

Importance of Internal Access Controls

Some information is confidential internally and externally. Salary and benefit information is a classic example of privileged information that must be controlled internally. Certain employees have a right to salary information, while most do not.

For example, a manager might have access to salary information for her direct reports, but not for other managers or employees who report to someone else. Implementing internal access controls to regulate which employees have access to confidential information is costly in terms of time and resources, but the risks associated with unauthorized disclosure of that information justify the costs. Unauthorized disclosure of sensitive employee information could cost the company millions in fines and legal fees. There would also be less tangible consequences from lowered morale and resources funneled away from primary business activities into rectifying the root causes of the information breach.

Note

It is more effective and less expensive, both in terms of time and money, to prevent a security breach than to fix one after the fact.

Importance of External Access Controls

Trade secrets and business plans are some of the information that should be secured from external disclosure. You learned earlier in this chapter the consequences of failing to secure that type of confidential information, but it is crucial enough to warrant repeating it. In most cases, the cost (in time and resources) of implementing access controls to protect confidential information is justified by the penalties for failure to do so.

Implementation of Access Controls with Respect to Contractors, Vendors, and Third Parties

It is usually straightforward to implement access controls to safeguard internal information and to control what information is released to the public. When businesses begin to work with contractors, vendors, and other third parties, the access control puzzle gets significantly more complicated.

Access Controls with Respect to Contractors

When outside contractors are hired to provide products or services to an organization, they often require information that could be considered confidential. A good example of this is an external consultant. In many cases, external consultants are either self-employed or employed by a consulting firm and work on an hourly basis for the client company. They are generally highly skilled professionals who are brought in to work on a specific project. When the project is finished, they move on to the next client company. Some client companies hire contractors indefinitely, so in day-to-day practice they are just like regular employees of the company.

This assumption, that a contractor is "just like a regular employee," can be useful when building team coherence, but it can also be dangerous. The contractor's primary allegiance is to the consulting company, which provides payment. If a conflict of interest arises between the consulting company and the client company, the contractor is likely to side with the consulting company.

Tip

In addition to NDAs and user access rights, when dealing with outside contractors, it is important to restrict which outside equipment can be used on the corporate network.

Contractors often supply their own laptop computers and other equipment they need to perform their jobs. This can be problematic, because those laptops may or may not have the same security safeguards in place as corporate laptops. To illustrate this risk, consider a programmer who is brought in to create a specific application for a company. One of the terms of the contract states that the contractor will supply his own laptop. The contractor agrees, and does the work on his personal system, which he also uses to play online games and download music from various sites. At some point, he downloads a file infected with a virus. Because his virus scanner is out of date, the virus goes undetected and infects his system. When he connects his laptop to the corporate network to view design requirements for the application he is developing, the virus uploads itself and infects the file server, quietly sending information from the file server to the hacker that originally created the virus.

Note

With the increasing popularity of cloud computing and Web-based applications, vendors are becoming more and more responsible for information that was once strictly controlled internally. Unfortunately, many of these applications are seamlessly integrated with applications that run on corporate servers, so there is a danger of complacency.

Access Controls with Respect to Vendors

When a company contracts with a vendor to manage confidential information, the client company is responsible for ensuring that the vendor has stringent access controls in place. This is especially true in regulated industries such as health care and finance.

A good example of this scenario is an insurance company that outsources its claims management application to a third-party vendor. The vendor runs the application on its servers, allowing the insurance agents to access it from any browser. This is convenient for the agents, who can submit a claim report directly from the site of the incident. It is also convenient for the insurance company because it no longer has to maintain and update its own servers. Unfortunately, the insurance company is still legally responsible for the information contained within those claims—including personally identifiable and sensitive customer information such as addresses, telephone numbers, and mortgage or auto loan information. If the vendor does not implement stringent access controls to protect that data, the client company is legally responsible for the disclosure as well as the vendor.

The most common way to safeguard confidential information that is processed or stored with a vendor is through contractual obligation. Before a vendor-client agreement can be reached, specific access control requirements should be laid out that describe what the vendor is required to do to safeguard any confidential information received in the course of dealing with the client company.

Access Controls with Respect to Other Third Parties

As business needs evolve, so do the partnerships that meet those needs. In the realm of access control, the key thing to remember is that the owner of the confidential information—the client company—is responsible for ensuring that it is handled securely. If the client company fails to do due diligence and hires a third party without investigating the third party's access control policies, the client company can be held partly responsible for the inevitable disclosure of confidential information.

Examples of Access Control Successes and Failures in Business

Access control success stories are hard to find, because they are unremarkable. When access control works, no one really thinks about it. When access control fails, everything is thrown into crisis. In this section, you will discover both success stories and case studies of access control failures.

Case Study in Access Control Success

Acme Insurance has a complicated information access requirement. All customer data is held in an information store. Various entities need access to parts of this data, but not all of it. In fact, sharing the data incorrectly could violate federal law or expose proprietary information to Acme's competitors.

Some parts of the customer information need to be shared with industry groups, which include Acme's competitors. If too much information is disclosed, competitors can derive an advantage over Acme.

All of the customer information has to be shared with the agent who signed up the customers. That agent should only have access to his or her own customers. If a customer is linked to the wrong agent, Acme could get into legal trouble, as well as have to resolve the issue with the agents.

Claims inspectors need access to all customer information attached to customer claims they handle. Various third-party vendors need access to some or all of the customer data for claims appraisal purposes, but only for customers they have claims on.

The solution to this complex problem is a multilayered access control list. Various groups can access what data they need when they need it, not at other times, and only the part of the information they need.
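The multilayered access control list sketched for Acme, as an added example that is neither Acme's nor the textbook's code. Layer one filters rows by relationship (agent of record, inspector or vendor on a claim); layer two filters columns by role. The field sets for vendors and industry groups are assumptions, since the text says only that they receive "parts" of the data; the customer and claim records are constructed samples.

```python
"""Added example (not Acme's system): row-level plus column-level filtering
of a customer store. Role field sets and sample data are assumptions."""
from typing import Dict, List, Set

# Constructed sample data (not real customers or claims).
CUSTOMERS: List[Dict] = [
    {"customer_id": "C1", "name": "A. Smith", "address": "1 Elm St",
     "ssn": "xxx-xx-0001", "policy_type": "auto", "premium": 900, "agent_id": "A1"},
    {"customer_id": "C2", "name": "B. Jones", "address": "2 Oak Ave",
     "ssn": "xxx-xx-0002", "policy_type": "home", "premium": 1400, "agent_id": "A1"},
    {"customer_id": "C3", "name": "C. Lee", "address": "3 Pine Rd",
     "ssn": "xxx-xx-0003", "policy_type": "auto", "premium": 750, "agent_id": "A2"},
]
CLAIMS: List[Dict] = [
    {"claim_id": "CL1", "customer_id": "C2", "inspector_id": "I1", "vendor_id": "V1"},
    {"claim_id": "CL2", "customer_id": "C3", "inspector_id": "I2", "vendor_id": "V1"},
]

ALL_FIELDS: Set[str] = set(CUSTOMERS[0].keys())

# Layer 2: which columns each role may see. Agents and inspectors get the
# whole record (the text says "all customer information"); the vendor and
# industry-group subsets are assumptions about what appraisal and industry
# reporting need, chosen so neither receives the SSN.
FIELDS_BY_ROLE: Dict[str, Set[str]] = {
    "agent": ALL_FIELDS,
    "inspector": ALL_FIELDS,
    "vendor": {"customer_id", "name", "address", "policy_type"},
    "industry_group": {"policy_type", "premium"},   # non-identifying fields only
}


def has_claim(customer_id: str, key: str, principal_id: str, claims: List[Dict]) -> bool:
    """True if some claim on this customer names principal_id in the given role column."""
    return any(c["customer_id"] == customer_id and c[key] == principal_id for c in claims)


def row_allowed(role: str, principal_id: str, customer: Dict, claims: List[Dict]) -> bool:
    """Layer 1: may this principal see this customer's row at all? Default deny."""
    if role == "agent":                       # only the agent of record
        return customer["agent_id"] == principal_id
    if role == "inspector":                   # only customers on claims they handle
        return has_claim(customer["customer_id"], "inspector_id", principal_id, claims)
    if role == "vendor":                      # only customers on claims they appraise
        return has_claim(customer["customer_id"], "vendor_id", principal_id, claims)
    if role == "industry_group":              # every row, but see column filter
        return True
    return False


def visible(role: str, principal_id: str,
            customers: List[Dict] = CUSTOMERS, claims: List[Dict] = CLAIMS) -> List[Dict]:
    """Apply both layers and return the records the principal is allowed to see."""
    fields = FIELDS_BY_ROLE.get(role, set())  # unknown role sees no columns
    return [{k: v for k, v in rec.items() if k in fields}
            for rec in customers if row_allowed(role, principal_id, rec, claims)]


def exposes_identifiers(view: List[Dict]) -> bool:
    """Check used when reviewing a share: does any returned record carry a direct identifier?"""
    return any("ssn" in rec or "name" in rec for rec in view)


if __name__ == "__main__":
    for role, pid in [("agent", "A1"), ("inspector", "I1"), ("vendor", "V1"), ("industry_group", "IG")]:
        print(role, pid, visible(role, pid))
```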

Case Study in Access Control Failure

Access controls are not just a computer issue; they can also come into play in the physical realm. Due to lax security, Company X almost lost invaluable trade secrets.

Company X is a major beverage company that relies on trade secrets to protect its drink formulas. The company usually makes sure its trade secrets are secure, but this time physical security was easily breached. An executive administrative assistant gained access to the company's trade secrets. He copied the formulas and took two samples of a new experimental drink.

He brought the formulas and samples to a pair of accomplices to sell. They presented the samples and formulas to Company X's top competitor, Company Y. This is where the scheme fell apart. Company Y had no interest in the documents and instead alerted Company X to the theft. Company X and Company Y then worked with the FBI to set up a sting to arrest the thieves.

In the end no damage was done, because Company Y was not willing to buy the stolen trade secrets and instead notified Company X of the breach. However, you can't rely on luck and trust every competitor to be honest. Good access control policies, including physical access control, would have prevented the theft in the first place.

CHAPTER SUMMARY

In this chapter, you read about the ways that information can be classified, and why businesses and governments go to great lengths to keep certain information secret. You looked at several business drivers for access control to protect the value of information that can be used in the competitive environment of business.

KEY CONCEPTS AND TERMS

  • Automatic declassification

  • Classification scheme

  • Clearance

  • Confidential information

  • Confidentiality agreement

  • Controlled Unclassified Information (CUI)

  • Declassification

  • Freedom of Information Act (FOIA)

  • Freedom of Information Act request

  • Mandatory declassification review

  • Nondisclosure agreement (NDA)

  • Personally identifiable information (PII)

  • Private

  • Proprietary

  • Restricted

  • Secret

  • Sensitive

  • Sensitive information

  • Systematic declassification

  • Top Secret

  • Trade secret

  • Unclassified information

CHAPTER 3 ASSESSMENT

  1. Just like governments, corporations need to restrict access to information.

    1. True

    2. False

  2. Governmental classification levels include Secret, Top Secret, and ________.

  3. PII may or may not be considered sensitive information.

    1. True

    2. False

  4. PII may be disclosed without the written consent of the subject under a few specific circumstances, including law enforcement or congressional investigation.

    1. True

    2. False

  5. A price war is an example of what key point Sun Tzu warned against?

    1. Win all without fighting.

    2. Win at all costs.

    3. Only fight if you know you can win.

    4. Fight only as a last resort.

    5. Sacrifices must be made to win.

  6. Which of the following mottos or concepts is Carl von Clausewitz's greatest contribution to business?

    1. Win at all costs.

    2. Business plans need to be adaptable to a changing environment.

    3. Attack your competition where they are weak.

    4. War is commerce, commerce is war.

    5. Time is money.

  7. A company can face fines for disclosing sensitive information, even if the disclosure was accidental.

    1. True

    2. False

  8. All information is potentially sensitive, so you should secure all of it.

    1. True

    2. False

  9. The findings of a risk assessment are sensitive and should be protected.

    1. True

    2. False

  10. There are situations where information that is common knowledge in one part of a business should not be disclosed to another part of the same business.

    1. True

    2. False

  11. Another term for non-disclosure agreement (NDA) is ________.

  12. A company can be held responsible if a third party such as a vendor or contractor discloses sensitive information owned by the company.

    1. True

    2. False

