CHAPTER 63

MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Carl Hallberg, M. E. Kabay, Bridgitt Robertson, and Arthur E. Hutt

63.1 INTRODUCTION

63.1.1 Role of Management

63.1.2 CISO

63.1.3 Information Security Integrating into Strategic Vision

63.1.4 Net Present Value of Information Security

63.1.5 Case Study: Veterans Affairs

63.2 RESPONSIBILITIES

63.2.1 Policy Management

63.2.2 Motivation

63.2.3 Supervision

63.2.4 Judgment and Adaptation

63.2.5 Management Failures

63.2.6 Risk Management

63.3 LIABILITIES

63.3.1 Stakeholders

63.3.2 Due Diligence of Care

63.3.3 Downstream Liability

63.3.4 Audits

63.4 COMPUTER MANAGEMENT FUNCTIONS

63.4.1 Planning for Computer Security

63.4.2 Organizing

63.4.3 Integrating

63.4.4 Controlling

63.5 SECURITY ADMINISTRATION

63.5.1 Staffing the Security Function

63.5.2 Authority and Responsibility

63.5.3 Professional Accreditation and Education

63.6 CONCLUDING REMARKS

63.7 FURTHER READING

63.8 NOTES

63.1 INTRODUCTION.

This chapter reviews the critical roles of management in establishing, implementing, and maintaining information security policies in the modern enterprise. It also reviews some of the risks to management personnel in failing to ensure adequate standards of information security.1

63.1.1 Role of Management.

Organizations are unequally affected by the risk of loss. In certain government computer installations, matters of national security are at stake, and the measures required to protect such facilities are elaborate and costly. At the other end of the spectrum are computers used exclusively for word processing of unclassified materials, and which are not connected to networks; these require few security precautions except for file backup and antivirus software. This chapter and this Handbook do not address either of these extremes, but rather the bulk of user organizations in business, government, and universities, where concentrations of information assets and dependence on computers create an exposure to loss, and managers must balance security with cost effectiveness and common sense while convincing colleagues with a superficial knowledge of security to pay attention to their recommendations.

Management provides the essential framework for accomplishing technical work. Whether it is drawing up a security policy, enforcing such policies, training the individuals who will implement and enforce those policies, or proposing a budget to get all this done, management plays an essential role. Information technology (IT) managers ensure the consistent functioning of the organizational computing environment. Ideally, they also provide insights and guidance to upper management in strategic planning to take advantage of new opportunities.

Many organizations, regardless of size and history, have heterogeneous networks with many different operating systems running different applications and serving many purposes and clients. Web servers sit next to e-mail servers, which connect to outside networks, which then rely on connections to more than one third-party corporate network. The rapid pace of technological change impedes the IT manager's ability to keep the enterprise IT infrastructure running smoothly.

A key function of IT managers is loss avoidance by managing risk intelligently, in order to reduce the likelihood of trouble in the IT sector and to reduce the costs of coping with such trouble.2 In a broader sense, this entire Handbook is designed to support management in these efforts.

IT managers must focus constantly on enabling business functions. Given that most enterprises do not consider security as their main task, IT managers must ensure that information security policies and technology support, rather than hinder, the principal business of the enterprise. It is equally important to impress this philosophy of service to the strategic and operational goals of the enterprise on all members of the security staff. Many of these members may have developed their careers entirely in the technical sectors, and they may not have developed a service orientation towards their nontechnical fellow workers, and toward the enterprise itself.

63.1.2 CISO.

In recent years, information security has been growing in visibility as a major business concern. IT managers are now being joined by information security managers. For example, a major bank responded to infiltration of its systems in the 1990s by naming a CISO, a chief information security officer reporting at the same level as officers such as the CIO (chief information officer), CFO (chief financial officer), COO (chief operations officer), CTO (chief technology officer), and CEO (chief executive officer). Together, the CIO and the CISO face complex responsibilities, and are increasingly visible in the corporate infrastructure.

Today, CISOs are increasingly found in all types of corporations. They may report to the CIO, or they may have a position on an equal level with the CIO. Some of the functions in a security organization are suggested in the hierarchy that follows. (These functions do not imply one team or one person per function but simply illustrate the range of functions a CISO must coordinate.)

  • CISO
    • Security policy team
      • Development
      • Awareness
      • Education
      • Update management
    • Access controls
      • Data classification functions
      • Identification, authentication and authorization functions
    • Intrusion detection and prevention
      • Outward-facing intrusion detection systems
      • Gateway security devices
      • Malware control team
    • Security assessment
      • Security auditing
      • Penetration team
    • Engineering coordination
      • Software quality assurance coordination
      • Patch management review
      • Network security oversight
      • Control systems and logging management
    • Security Incident Response Team
      • Planning and rehearsals management
      • First line response
      • Data gathering and forensic analysis
      • Coordination with internal functions (legal, public relations, human resources, etc.)
      • Coordination with law enforcement

One of the factors in this increased visibility of the CISO is the rapid growth in the popular press of technology issues coverage and of information security breaches in particular. For example, distributed denial-of-service attacks, malware infestations, breakdowns of privacy policies, theft of credit card numbers, loss of control of large volumes of personally identifiable information, identity theft, Web site defacements, spam, phishing, and the other forms of abuse to information systems, described in several chapters of this Handbook, have kept the public aware of information security and its breaches.3

In some sense, publicity has helped the IT world because some IT managers now have increased ammunition with which to argue for management support of the security function. Publicity has increased visibility, however, so that even a minor breach of security may spark an overreaction in the upper echelons of the enterprise. Indeed, in California, it is now law (SB 1386) that companies that suffer from some forms of information security breaches must quickly advise their customers of these events.4

63.1.3 Information Security Integrating into Strategic Vision.

IT security managers are now able to help their businesses achieve strategic goals and to further their responsibilities by showing that security involves more than just protecting assets: it is also potentially a business enabler. In the absence of a secure IT infrastructure, businesses may be slow to enter a given market for fear of losses and liabilities resulting from security breaches. However, with security integrated into the corporate culture, these enterprises can confidently enter new arenas and convince their potential clients that their data will be safe. The authors have personal experience from consulting assignments in which clients stated that their own potential customers were reluctant to do business with them because their security measures were inadequate.

George Lin describes the benefits of a business-focused IT organization:

In a business-focused IT organization… IT staff are more interested in understanding the business—and the people, processes, and organization that make up the business—than they are in the technology for its own sake. These staff members possess a balanced set of soft skills, and business acumen as well as analytical and technical skills. They think about business processes first and technology second. The solutions they propose tend to be more complete, often involving people, process, and organization as well as technology, which is seen as simply a tool. Interacting with such an organization yields an experience similar to that expected from Big Four consulting firms, but with the added intimacy and insights only an internal organization can provide.

More importantly, IT/business alignment becomes a nonissue because it is natural to a business-focused IT organization, the very DNA of its staff. There is no need to expend effort specifically on IT/business alignment because the business-focused IT organization thinks and acts like the business that it serves, and is an integral part of that business.5

In this framework, information security becomes not an afterthought, preventing loss, but part of the design strategy, which will help realize gain. This is a much more powerful, and positive, view of information security's role in the business world than is the traditional one. Using information security principles in the design of a product or service generally helps to create a more robust product or service, one that will be less prone to risk.

The National Institute of Standards and Technology has articulated a roadmap for integrating security considerations into the system development life cycle (SDLC)6 (with addition of three more security objectives in compliance with the Parkerian hexad described in Chapter 8 in this Handbook):

A general SDLC includes the following five phases: initiation, acquisition/development, implementation/assessment, operations/maintenance, and sunset (disposition). Each of these five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process. Including security early in the information SDLC will usually result in less expensive and more effective security than adding it to an operational system.

The following questions should be addressed in determining the security controls that will be required for a system:

  • How critical is the system in meeting the organization's mission?
  • What are the security objectives required by the system, e.g., integrity, confidentiality, and availability [and control, authenticity, and utility]?
  • What regulations and policies are applicable in determining what is to be protected?
  • What are the threats that are applicable in the environment where the system will be operational?

Integrating a security methodology into a product or service helps to define roles and responsibilities and helps to manage expectations.

63.1.4 Net Present Value of Information Security.

A paper from the late 1990s articulated the positive value of information security in a competitive economy. The summary included these conclusions:

The news is that we can now go beyond gibbering and fist shaking. In today's e-commerce environment, effective information security can actually increase business and increase profits, not merely reduce risk….

Tom Nelson, VP and Chief Strategy Officer of AtomicTangerine, has defined the Net Present Value of Information Security (NPVSec) as follows: “NPVSec is the value protection and value creation that is realized when barriers to e-Business are removed through mechanisms that ensure business integrity, service availability, and customer/consumer confidentiality and privacy. Value creation examples include: new distribution channels, new revenue streams, new business models, among others.”

In other words, instead of viewing information security solely as a risk-avoidance measure—like a kind of insurance policy that never actually pays anything back—we are forced by the nature of e-business to accept that security actually supports and enables e-business.

As we have seen… e-business has brought security to the forefront of strategic thinking for successful businesses. Business leaders can no longer tolerate the view that security is an add-on feature relegated to the end of the design process. Security is a process, not a product or a state; security affects every e-business's bottom line in a positive way. Security is no longer a cost center; it's part of your repertoire for meeting the legitimate needs of your public. Instead of seeing security as solely the purview of the technical staff in your organization, you should ensure that your marketing and public relations departments are well versed in the principles of information security and can communicate effectively to an anxious public about the measures you are taking to safeguard your customers' privacy and their money.7

Another perspective on the value of integrating information security into a corporate culture argues that “the responsibility for protecting the organization's information assets is no longer restricted to the CSO [chief security officer]. Every employee has a responsibility to help protect the proprietary data they are entrusted with.”8 The authors write that:

This approach

  • Improves individual leadership through collaboration and team building.
  • Strengthens corporate allegiance
  • Helps to provide a sense of community
  • Builds an intelligent workforce where every employee is recognized and watched by their peers for their individual contribution to the team's strength….

In addition, embedding security deep into every process of the corporation, starting at the executive level, is an extremely effective method of taking one problem and leveraging the success of that solution to correct other problems.

63.1.5 Case Study: Veterans Affairs.

The following summary of a specific case of management failures will help readers think about management responsibilities for information assurance.9

63.1.5.1 Announcement without Taking Responsibility.

In March 2007, Network World writer Jon Brodkin wrote an excellent analysis of 10 letters informing victims of data theft or loss of control of personally identifiable information (PII) that their data might be compromised.10 He pointed out that almost all of the letters failed to express any responsibility for the loss of control over data stored on unencrypted disks that were lost or stolen or for poorly secured Web sites that posted PII without protection, or with poor protection. Perhaps staff attorneys warned the public relations officials to avoid any implication of responsibility to avoid contributing anything that would exacerbate their liability in potential lawsuits. Passive voice is often used to shift responsibility from specific agents to the great gaseous cloud of the unnamable and unblamable. The classic example is “Mistakes were made.”

In 2007, this letter was sent to physicians affected by a security breach.

DEPARTMENT OF VETERANS AFFAIRS

1615 Woodward St.

Austin, TX 78772

—, MD

Dear—, MD:

I am writing to you, as the Director of the Veterans Integrated Service Network (VISN) 7 in Atlanta, Georgia, to inform you that I have been notified that a portable computer hard drive used by an employee of the Birmingham Veterans Affairs (VA) Medical Center is missing. This portable hard drive was used to back-up information contained on a VA employee's office computer, related to research projects with which the employee was involved. A file on the portable hard drive included information from the Unique Physician Identification Number (UPIN) Directory dated 2004, which includes demographic information and identifiers, such as the UPIN, dates of birth, state license numbers, business addresses, and employer identification numbers (EIN). In the case of your information, we believe the EIN was your Social Security Number. This file was obtained by VA from the Centers for Medicare & Medicaid Services (CMS) for the purpose of conducting research on veterans' health care.

The Birmingham VA Medical Center has conducted extensive physical searches and has involved local police and Federal investigative resources, and a reward is being offered; however, the hard drive remains missing. To prevent further security breaches or losses, we have taken immediate measures to protect the integrity and security of all personally identifiable information including prohibition of the use of external drives and the required encryption of personally identifiable information when authorized distribution is required.

An independent risk analysis was conducted as required by law, and risk mitigation recommendations are being implemented immediately. VA will contact you shortly by mail to offer a credit monitoring service at no cost to you. In the mean time, one precaution we recommend is for you to request a free credit report from one or more of the three national credit bureaus by calling the toll free number 1-877-322-8228. The credit bureaus may also be contacted at:

Equifax, P.O. Box 740241, Atlanta, GA 30374, 1-800-685-1111

Experian, P.O. Box 9554, Allen, TX 75013, 1-888-397-3742

TransUnion, P.O. Box 2000, Chester, PA 19022, 1-800-916-8800

More information about credit protection, including placing a “fraud alert” on your accounts, is available by calling the Federal Trade Commission at its toll free number, 1-877-438-4338, or by visiting its website, http://www.ftc.gov/

If you have questions concerning this letter, the Birmingham VA Medical Center has established a dedicated call center to answer your questions. Please contact us toll free at 1-877-xxx-xxxx from 6:00 am to 9:00 pm CT, or e-mail us at < address suppressed >.

We at VA take information security and privacy very seriously. We apologize for any inconvenience or concern this situation may cause, but we believe it is important for you to be fully informed of any potential risk to you.

Sincerely,

[digitized signature]

Lawrence A. Biro

Network Director, VISN 7

63.1.5.2 Initial Problems.

On May 3, 2006, a career civil servant at the Department of Veterans Affairs (VA) violated official policy by taking computer disks containing PII about 26.5 million veterans home with him. The disks were stolen from his home.11 Two weeks after officials learned of the theft, the VA disclosed the incident to the public and set up a Web site and an 800-number to provide veterans with information and a channel for reporting possible identity theft.12

The USA.gov Web site put up a page called “Latest Information on Veterans Affairs Data Security”13 with answers to frequently asked questions; the VA itself also continued issuing press releases.14

In early June 2006, the VA announced that the stolen data might include PII about up to 1.1 million active-duty troops, 430,000 members of the National Guard, and 645,000 members of the reserves.15 Reactions from a coalition of veterans groups were immediate: They launched a class-action lawsuit demanding full disclosure of exactly who was affected by the theft and seeking $1,000 in damages for each victim.16

The VA struggled to cope with the bad publicity and potential legal liability resulting from the May theft. On May 26, 2006, Secretary of Veterans Affairs James Nicholson issued a Directive to all VA supervisors in which he wrote:

Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.17

On May 30, 2006, the VA fired the analyst “responsible for data loss” and announced changes in the administration of information security in the organization.18 The press release made no mention of who was responsible for allowing anybody to store unencrypted PII on VA computers or media.

Coincidentally, at the end of May, the Government Accountability Office (GAO) issued a report: “GAO-06-612: Homeland Security: Guidance and Standards are needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts.”19 The report specifically named the VA as requiring “guidance and standards for measuring performance in federal government facility protection.”

On June 21, 2006, the VA announced that it would provide free credit monitoring for everyone affected by the data theft in May.20

But worse was yet to come.

63.1.5.3 Systematic Management Failures.

On June 14, 2006, Linda D. Koontz, Director, Information Management Issues, and Gregory C. Wilshusen, Director, Information Security Issues of the Government Accountability Office of the United States, offered testimony before the Committee on Veterans' Affairs, House of Representatives. The GAO report on their analysis and recommendations later appeared as GAO-06-866.21 Highlights of their analysis included these comments:

For many years, significant concerns have been raised about VA's information security—particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal information. Both GAO and the department's inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. For example, it is still developing plans to complete a security incident response program to monitor suspicious activity and cyber alerts, events, and incidents. Without an established and implemented security program, the department will continue to have major challenges in protecting its information and information systems from security breaches such as the one it recently experienced.

Two related reports appeared about a week later with specific comments about the May 2006 data breach22 and about the overall challenges facing the VA and the Department of Defense (DoD) in protecting PII of active-duty and retired military personnel.23

At the end of June 2006, the laptop and external hard drive stolen on May 3 from the consultant's home were recovered. Forensic examination suggested that the data had not been accessed. This good news suggested that the disaster might blow over.

It was not to be.

The Inspector General (IG) of the VA, George Opfer, released a report on July 11 severely criticizing senior managers of the VA for their lackadaisical response to the original theft of unencrypted PII. The inadequate data security policies had not yet been corrected.24 VA secretary James Nicholson responded to the IG's report with assurances that the agency had “embarked on a course of action to wholly improve its cyber and information security programs.”25

63.1.5.4 Continued Problems.

On Monday, August 7, 2006, Secretary Nicholson announced that a Unisys subcontractor working for the VA offices in Philadelphia and Pittsburgh had reported that his desktop computer was missing. The computer contained PII for 18,000 and possibly up to 38,000 veterans.

A week later (August 14), the VA announced that it would spend $3.7 million on encryption software and would encrypt data on all the department's computers and external data storage media or devices. Installation would begin Friday, August 18.26

In mid-September, the stolen Unisys desktop computer with VA data was located and a temporary employee working on subcontract to Unisys was arrested and charged in the theft.27

In October 2006, the Congressional Committee on Oversight and Government Reform published a report on data losses in U.S. government agencies since January 1, 2003.28 There were 788 incidents in 19 agencies—in addition to hundreds of incidents at the VA. The report's findings included these bald assertions:

  1. Data loss is a government-wide occurrence….
  2. Agencies do not always know what has been lost. The letters received by the Committee demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”
  3. Physical security of data is essential. Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.
  4. Contractors are responsible for many of the reported breaches. Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.

Alas, the best-laid plans of VA administrators gang aft agley, and on October 31, 2006, VA officials informed 1,400 veterans that their PII had been lost on unencrypted data disks sent by mail from the VA clinic in Muskogee, Oklahoma, on May 10, June 10, and July 10. A spokesperson for the hospital explained the three-month delay as being due to the “wait for officials in Washington to approve the wording of the letter.” Approval arrived October 26. There was no explanation of why the data were unencrypted, nor of why two additional disks were mailed out after the May 10 disk was lost. A report on this incident dated November 3, 2006, by Rick Maze in the Federal Times29 also indicated that a laptop computer from the VA hospital in Manhattan was stolen on September 8 from a computer locked to a cart in a locked room in a locked corridor—and that the data on the stolen machine was deliberately not encrypted despite policy because “a decision had been made not to encrypt data being used for medical purposes.”

And more was to come in February 2007.

63.1.5.5 Analyses and Responses.

On Friday, February 2, 2007, Secretary of Veterans Affairs Jim Nicholson announced that a VA employee in the VA medical center in Birmingham, Alabama, had reported an external hard drive as missing on January 22. According to Representative Spencer Bachus (R-AL), the backup hard drive contained PII on up to 48,000 veterans—and despite VA regulations promulgated in 2006, as many as 20,000 of those records were not encrypted.30 A week later, the VA admitted that the hard drive actually contained PII about 535,000 patients and 1.3 million doctors.31 It was that loss that led to the letter quoted in the first part of this section.32

A few weeks later, the GAO released the closest thing to an exasperated blast of which government workers are capable. In testimony before the Subcommittee on Oversight and Investigations, Committee on Veterans' Affairs, House of Representatives on February 28, 2007, GAO Director of Information Security Issues Gregory C. Wilshusen presented a report entitled “Veterans Affairs Needs to Address Long-Standing Weaknesses.”33 The summary on page 2 of the PDF file includes this commentary:

For many years, GAO has raised significant concerns about VA's information security—particularly its lack of a comprehensive information security program, which is vital to safeguarding government information. The figure below details information security weaknesses that GAO identified from 1998 to 2005. As shown, VA had not consistently implemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and network equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring that changes to computer software were authorized and timely; or (5) providing continuity of computerized systems and operations. The department's IG has also reported recurring weaknesses throughout VA in such areas as access controls, physical security, and segregation of incompatible duties. In response, the department has taken actions to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. As a result, sensitive information has remained vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. Without an established and implemented security program, the department will continue to have major challenges in protecting its systems and information from security breaches.

In early March 2007, the VA reacted to the January 22 loss of the portable hard drive. CIO Robert Howard promulgated a policy restricting the use of portable data storage devices. Only flash drives smaller than 2 GB—and only those issued by the VA's CIO office itself—would be permitted on the VA network or computers. Encryption would be used throughout the system, repeating the assurance issued in August 2006 when the VA announced it would spend $3.7 million on encryption tools.34 In addition, the CIO announced sweeping changes in security administration, with promotion of five deputy CIOs to the rank of assistant secretaries for these functions: application development, information security, operations and maintenance, resource management, and strategic planning.

As of late May 2007, federal agencies announced that they would stop storing Social Security numbers and other PII wherever possible.35

For an extensive compilation of additional cases of interest, see the “Chronology of Data Security Breaches” managed by GuardianEdge.36

63.2 RESPONSIBILITIES.

Modern information processing philosophy transcends the boundaries of the computer room and demands the consistent delivery and collection of data to and from remote sections of the organization. Once this operating mode is extensively used, the company becomes dependent on its continued availability. Any shutdown or cutoff in service can be disastrous, unless the company is able promptly to revise operations, in order to continue vital activities. Central computers, local servers, workstations, and the network are essential to the operating environment.

Computer security includes the protection of confidentiality, control, integrity, authenticity, availability, and utility of information.37 Computer security encompasses the total infrastructure for maintenance and delivery of information, including physical computer hardware, supporting equipment, communication systems, logical processes defined by software, and the human factors that support and possibly threaten this infrastructure.

Computer security is inseparable from the basic structure of the information processing system; one cannot and should not design a system without including security as an underlying strategy. The objectives and properties of secure systems must be considered collectively from their inception.

Software, systems, and networks should be designed to ensure information protection that corresponds to business needs. There are many steps that can be taken to do this, but managers must place a high priority on making it happen. Managers are in a position to see what the business needs actually are, much more so than the typical infosec analyst or engineer. A prime example is e-commerce Web site management. No reputable site allows transactions without minimal SSL encryption. A savvy information security manager will track all information from the setting up of the SSL tunnel, all the way through the shipping process, and beyond into the storage of information gathered during any transaction, and ensure that security is not lacking at any juncture in the process. If the data are not securely stored while sitting in a database, the whole process falls apart.

The ability of a system to ensure accuracy, reliability, and confidentiality is a basic building block. The collective system (hardware, software, communications, and people) must be able to maintain and process data correctly, and move traffic (transactions, inquiries, commands, etc.) from its origins to the intended destinations, without unauthorized modification or disclosure and without misrepresentation, forgery, or other breaches of authenticity. Reliable performance is essential. Any failures should be orderly and predictable, with adequate detection methods to provide timely evidence of failure and to permit prompt corrective actions. Hardware/software limitations should be known and documented, as should load limits. Bounds checking, at a minimum, should be implemented in all software to avoid buffer overflows. Any inputs that are not checked should be documented, and measures should be put in place to detect possible abuses.

Suspicious user activity should be detectable through appropriate analysis of logfiles. The network and its data should be protected from contamination or outside interference using appropriate gateway security devices and other intrusion prevention systems. Firewalls must be present, updated, and frequently reviewed, along with intrusion detection systems and intrusion prevention systems (IDS/IPS), and all logs should be centralized and scrutinized. Measures should be put in place to ensure that data transmitted are the same as the data received and that error correction is used wherever possible.

Service-level agreements should define goals for efficient response and adequate capacity, in order to support acceptable performance. Systems should be able to recover quickly from either short-term or long-term disruptions. Backup measures, including data backup and equipment backup38 and tested incident response, contingency, and recovery plans, should be in place.39 Appropriate cost recovery measures should also be in place.40 Prevention of harm is of primary importance.

Single points of failure should be avoided. Avoid dependence on single equipment devices or single communications pathways. Web servers should be clustered, and databases should be replicated across various servers and placed in different geographic regions. Avoid overloading the network at peak activity periods. Provide environmental backup (redundant power, air-conditioning, heating and other support systems, limited equipment access, etc.) to reduce other exposures.41

Management should have the capability to limit who can access the systems, how much capacity can be used for each purpose or function, what purposes are allowed, what data are accessible and transmittable for each user, and what connections can be made. Technical measures include access control (system access, resource restrictions), logon password control, alternative identification methods (personal tokens, digital signatures, biometric authentication), callback connections, network isolation from public networks, firewalls, and physical security of system components.42

Administrative measures include publication of policies, standards, and guidelines; screening of personnel; security awareness training; system change control procedures, including security criteria in system design; and monitoring system activity and quality.43

In addition, management should use the audit function as an independent arbiter to measure compliance with policies, standards, and guidelines as well as to assess the adequacy of technical protection. The system and its network should preserve and display evidence of use, behavior, and content, and should record deviations from expected use.44

Managers are responsible for specific tasks or functions to the extent that they make decisions about business processes and suffer the consequences or reap the benefits of those decisions.

63.2.1 Policy Management.

Managers spend more time on people issues than on technical issues. The right people must be hired for each position. (See Chapter 45 for more on employment practices and policies.) Employees who do not work responsibly and competently must either be brought up to the proper standard or let go. Employees who do their jobs properly must be kept satisfied, lest they move to another organization. Management in the IT world must ensure compliance with corporate policies.45 Compliance with policies includes motivation, supervision, judgment, and adaptation.

63.2.2 Motivation.

Employees need motivation to pay attention to information security policies, which often are perceived as a nuisance, interfering with the fundamental goals of the enterprise. Upper management, in particular, must set an example by following enterprise policies; when top managers are seen to ignore policies, the people reporting to them quickly imitate their behavior, and the problem spreads throughout the organization. For example, if the CEO refuses to wear a picture badge, the vice presidents (VPs) will quickly follow suit because they will associate not wearing badges with high status. Similarly, the directors reporting to VPs will start dropping their badges, and so within a few months the entire hierarchy will be convinced that no one but stock clerks should wear badges. Sometime later, the stock clerks will be resisting badges too.

According to Computerworld writer Mary Pratt, writing in 2006:

The risk that employees pose is significant. They can fall prey to social engineering, a fancy term for being conned. They can ignore company policy by failing to encrypt sensitive data. Or they might install unauthorized software that can corrupt the system.

Think you're well protected? Recent findings from the Computing Technology Industry Association might convince you otherwise. In this year's CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That's up from 47% last year.46

A survey by NFO Prognostics highlighted that 66 percent of the companies surveyed believe that staff training or certification has improved their IT security through increased awareness and proactive risk identification.47

Since people can be the company's greatest strength against attacks, training employees should be a high priority in any organization. At Stop and Shop, in February 2007, employees noticed suspicious activity; they saw four people tampering with the keypads for credit/debit card authorization units. The employees notified police at once, and the suspects were arrested. That kind of quick thinking and commitment can make an enormous difference in the effectiveness of security systems of all kinds—and it depends on management support and motivation.48

Some managers think that punishment is the only motivation that can change behavior; but everything known about human psychology shows that reward is more powerful.49 Reward is not limited to salary increases and bonuses; sometimes the most effective way to keep IT employees satisfied and productive is to provide training. The IT world is evolving, and the demand for competent staff has never been higher. Most employees want to feel that their employers value their services and that they are worth an investment to improve staff competence. Training employees, and providing challenging opportunities for the exercise of intelligence, serves the interests of both employer and employee. See Section 63.5.3 for more details about education.

Challenging employees in other ways can be highly motivating. For example, managers can encourage staff to prepare and deliver presentations at internal meetings and at security conferences. Some examples of useful conferences are SecureWorldExpo, InfoSecWorld, and NetSec. Motivated employees can lead special interest group discussions at conferences (such as RSA, SANS, etc.) and so develop a web of relationships that promote sharing of knowledge, and that enhance their self-image. There are also security contests to test their skills, such as the Honeynet forensics contest.

The Honeynet Project provides archives of past security challenges that allow security staff to test their technical skills, as well as to learn and teach new tricks of the trade. The Honeynet Project posted these challenges on the Web,50 tasking would-be contestants with unraveling what the hacks were and how they were performed. Judging was based not only on finding out what had happened but also on how much information was uncovered and how well that information was communicated. These challenges have already been solved, but they remain valuable lessons for any infosec staff. Many other challenges pop up frequently and can easily be found using Google.

Many journals and Web-based magazines are ready to accept articles written by professionals in the field. Not only does writing solidify employees' knowledge and build their own confidence, but it also instills confidence in the entire team. Writing and teaching help the enterprise, as well as its clients and partners, to view the security team as a real benefit, at the same time that the organization develops a strong reputation for excellence in security.

Another way for management to make the security team more cohesive is to build camaraderie. A monthly pizza party or an occasional outing to a sports event can do a lot to ease stress and to help everyone to know each other. Having good friends at work can reduce turnover and motivate employees to do their best, not only for the rather abstract goal of doing good for the enterprise, but also because of a commitment to their colleagues.

To help encourage a higher level of expertise, and to establish a feeling of belonging, periodic “brown bag” lunch sessions can be effective. At each session, a different team member can be designated to present an informed talk or to lead a discussion on a topic of general interest. There could even be an informal call for papers, giving team members an opportunity to present valuable information in a professional manner.

At the same time, a little friendly competition can help as well. For example, if the enterprise has a training network that can be subdivided into several subnets, managers can organize a “tiger-team challenge.” Each team will be responsible for securing a subnet or host and then given the opportunity to break into the subnet or host of another team. The winners would get both a reward and a responsibility. The reward can be as simple as pizza for the team or a modest trophy. The responsibility would be to present the exploits used and the ways to secure against them to the rest of the teams.

Another way to build the team is to support staff in choosing the areas in which they want to excel. There may be some overlap, but overlap can be good. Clearly, if there are two firewall experts, the enterprise is less vulnerable should one of them be absent. Furthermore, the firewall experts can provide better-quality assurance by discussing alternatives when planning a change and better-quality control by checking each other's work. It can also help to have the security team members switch roles periodically, both to ensure that no one gets into a rut and to contribute to the challenges presented when a change is made.

Last, almost nothing is more infuriating than being expected to accomplish a task without the necessary resources. Adequate time to get a task done is always an important issue, as many people have several tasks to do, and each of the tasks may be seen as critical by someone. A manager should be willing to give the team all of the resources it needs to complete a task in the allotted time, or it should be made clear to other departments, or to higher management, what the realistic expectations are for the completion of such tasks, if required resources are lacking. If expectations are properly managed, there should be less conflict and fewer problems.

It is useful to view management not as separate from the IT security team, but as an integral part of it. This allows management to contribute directly toward the employees' enthusiasm as well as to detect early warning signals of impending trouble. A manager who does not spend time listening to the team members, or who does not understand what their jobs involve at a technical level, will not be respected by the team. Lack of respect will block communication and keep the department from becoming a solid, effectively functioning unit.

63.2.3 Supervision.

What we know about damage to computer systems indicates that errors and omissions are a major source of harm. Poorly trained employees make mistakes, but so do trained employees who have become careless. Managers should examine performance records as a normal part of their supervision of the security team. In particular, every incident that damages production systems should be analyzed to identify the reasons for the event. Careful technical support records and log files can help the team spot the crucial weaknesses, whether technical or human, that allowed compromise of the damaged systems.51

Analysis of security breaches of all kinds may reveal that certain employees are associated with unusually high or unusually low frequencies of particular problems. Careful analysis of both types of extremes can be helpful in spotting weaknesses for remediation and strengths from which to learn, so that the knowledge can be spread across the entire unit. However, managers must not assume that disproportionate numbers of problems are necessarily caused by the employees involved; for example, low rates of penetration during the day shift may be associated with lower rates of attack from hackers, who often work in the evenings or nights. Similarly, higher rates of security breaches may, after detailed study, be found to have been caused by factors entirely outside the control of a particular employee.

In addition to monitoring performance, managers must ensure that all employees know that they are being monitored. Warning notices, pre-employment agreements, and yearly policy reviews can ensure that staff develops no unwarranted expectation of privacy about their work.52

One of the most effective supervisory practices an information security team leader, or any other manager, can use is managing by walking around.53 Managers should set aside time every week to observe the conditions and to absorb the atmosphere of the working areas. Visiting team members, and hearing about their specific job experiences, both positive and negative, can only improve communications and motivation within the security team.

Not surprisingly, poor communication is a major enemy of effective team development. This poor communication can exist on multiple levels: among IT staff members, between staff members and IT management, and between IT and internal customers.54

Tools for enhancing communication include production control meetings, regular brief status review meetings, all-hands updates at which group members are required to give updates, and individual staff members to give technical updates, as well as establishing regular and thorough communication with internal customers and top management.

All members of the IT staff should be familiar with all lines of communication and with what behavior is expected of them in every scenario. Pushing communication awareness down through the organization appears to be an effective strategy.

63.2.4 Judgment and Adaptation.

Management must not permit policies and procedures to keep the work from getting done. The comic strip Dilbert55 has become popular largely because it caricatures managers who apply policy unintelligently; for example, in one real company known to the authors, managers decided to give the marketing department new laptops because of all the traveling they had to do. The managers then decided that to prevent theft, the laptops should be so securely fastened to the employees' desks that they could not be moved at all.

When security policies interfere with productivity, the correct solution is rarely black and white. Usually, neither dropping the policy nor enforcing it without change is appropriate. A hospital security administrator, for example, might note that a workstation in the emergency room is always logged on for the entire day, using the ID and password of the first person who logged on. Clearly, this violates the principle that everyone using the system must be positively identified and authenticated. Piggybacking on the first user damages the credibility of log files and makes it impossible to ascertain exactly which person is retrieving and modifying data at any time during the day. However, cracking down insensitively on the emergency room staff is a bad idea; chances are that the harried medical and support personnel are simply racing to get their work done saving lives. Logging off and on repeatedly is not a good method of identification and authentication in that environment. A reasonable security manager would listen to the employees, understand their point of view and their functional needs, and then explore technical alternatives to the usual ID-password technique. For example, the security manager might find that proximity cards or smart cards could meet the requirements at reasonable cost.56

Management must concern itself with safeguarding the resources under its jurisdiction. Just as investors seek both a high rate of return and reasonable safety for their investments, so must managers seek a high rate of return through the effective use of resources under their command and take adequate steps to protect the value of the resources.

The manager's function is essentially the management of resources: human resources and capital resources. In a computer operations environment, capital resources are represented by the investment in equipment and operating programs. Human resources are represented by the skills needed to operate and control both hardware and software facilities. Human capital resources are also represented by complete operating programs. Information is another form of resource, one that is often created as a product of data processing or concentrated at the computer facility, in order better to utilize equipment resources.

63.2.5 Management Failures.

The most pervasive vulnerabilities in computer security are due to poor management. Efforts to contain or mitigate computer security exposures often fall short, or fail, because of management inadequacy, either of senior management or of operating management, or both. Sometimes the problem is simply inertia. Equally damaging is management lip service. In far too many instances, computer security is simply not taken seriously by senior management. Some of the most common management errors are listed next:57

  • The belief that “if it hasn't been needed before, it probably will not be needed now.” This is the default frame of mind, which is really self-insurance.
  • Competition with other goals. Security measures use resources that are often needed for other activities. If security is regarded as an add-on burden rather than an integral part of the business process, it may be neglected or postponed.
  • Lack of contribution to the bottom line. If security needs to be cost justified as an independent activity, it may be regarded as a target for elimination or reduction.
  • Unwillingness properly to fund security activities. Far too often management is reluctant to commit all the resources needed for complete protection. A prime example is the lip-service contingency plan, published and displayed to the auditors, but never fully implemented.
  • The explosive growth of the Internet and of the Web has increased the number of novice computer users into the hundreds of millions worldwide, cowering in fear at the latest hoax but cheerfully sending each other joke programs with embedded viruses. Some of these novices have taken on responsibilities for computer system management and have spread havoc within their organizations.
  • The common occurrence of laptop theft has shown how vulnerable any kind of unencrypted removable media can be. Several companies have come under fire for not having a laptop encryption policy. This policy should be extended to any type of removable media (such as USB “thumb” drives) for certain types of information.
  • Cell phones and PDAs are other technologies that need to be controlled. They are frequently connected to company computers, on the company network, to sync up with Microsoft Outlook e-mail and calendars. These provide another potential point of entry for malicious software.
  • Adults such as teachers and parents (many of them violating software copyrights without realizing they are breaking the law) have too often failed to teach children in their care how to resist the wiles of criminal hackers, virus writers, pornographers, and pedophiles. Some of these children have now grown up and become young managers who tolerate, encourage, or demand illegal acts by their employees.
  • Some Web sites are being managed by undertrained staff who know nothing about the years-old vulnerabilities they have left invitingly on their systems. These unfortunate people are stuck with inadequate resources and dismissive managers, who nevertheless blame them when the site is plastered with obscenities by teenagers with little or no conscience. Even worse, the Web site may be used in a for-profit scheme by the ever-increasing legions of highly skilled professional hackers.
  • In addition to the old vulnerabilities, these undertrained (or simply overworked) staff may also be introducing new vulnerabilities to their Web sites by using new tools or methodologies with no consideration of security. These new methodologies, such as the current AJAX (Asynchronous JavaScript and XML), may make use of old tools, but may do so in a new, insecure way.
  • Some Web designers assume that users should trust mobile application programs (Java applets, ActiveX controls) whose origins are uncertain, whose documentation is unavailable, and whose actions may be pathological. Technically incompetent managers who take credit for their corporate Web site may have no idea of what their Webmasters are doing—and failing to do—to protect their site.58
  • Software makers, who ought to have known better, have blurred the distinction between document and program by adding automatic execution of macros to their word processors. E-mailed Trojan horses are activated automatically when the message is opened. Bloated programs are routinely so full of bugs that consumers now think it is normal to pay money for a service release that fixes what never ought to have been released. Some managers with inadequate training take this situation as a given.
  • Not a failure on the part of management alone: software is often written without any thought to security. Buffer overflows continue to be the “low-hanging fruit” for software hackers. Unfortunately, secure coding has been slow to catch on, but is showing signs of gaining traction today.59 SANS has announced it will offer courses in secure coding, and there is an expanding list of books and papers on the subject. Perhaps as it becomes mainstream, universities will start requiring full courses in secure coding practices for computer programming degrees.
  • We collectively continue to use Internet protocols devised decades ago and which have no provision for packet authentication. Criminals forge mail headers and packet headers with impunity, and use them for denial-of-service attacks and e-mail spam. Network managers continue to avoid output filtering, which could reduce such attacks, because it is too low on their list of priorities, or because they have never considered their responsibility to other Internet users.
  • Access control still relies largely on the outdated and ineffective use of passwords chosen by untrained users. Conveniently for criminal hackers, many users pick names of family members, people with whom they are having illicit romances, movie stars, pets, favorite sports teams, and the names of objects on their desks or visible from their windows. Some managers contribute to this situation by refusing to follow recommendations for better passwords and by refusing to consider better, or additional, authentication methods such as tokens and biometrics.
  • Some managers are loyal neither to colleagues nor to employers. The boom in firings and job-hopping has led to a shortsighted emphasis on the quarterly bottom line that makes investments in corporate security seem pointless.
  • Security specialists still lack reliable data on network and computer intrusions. Although there are now some resources for information sharing, such as CERT/CC, many managers resist contributing to the knowledge base for fear that they and their enterprise will be embarrassed by their victimization.
  • Social engineering is still one of the largest weaknesses of the security realm. Hackers really do not need to spend much time trying to break through defenses when so many users are perfectly willing to give them free access to go right through. While it is debatable whether training programs will ever be sufficient to overcome this, managers need to pay close attention to the “phishing” attacks that are now becoming more popular, and more sophisticated.

Some organizations are taking steps to implement creative and memorable security awareness programs such as Jeopardy-style games, where workers compete to supply the right answers to security-related topics. Scavenger hunts on a company's Web site are used to find the answers to 10 security-related questions.60

63.2.6 Risk Management.

Part of the data processing management task is to protect information resources and to safeguard the human capital resources that are essential to the services provided. Top management must concern itself with adequate recognition of the risks and must be assured that protective measures relative to these risks are in effect.61

In addition to the problems caused by management failures discussed in Section 63.2.5, managers should be aware of other risks in their work such as:

  • Physical hazards. The likelihood of threats, whether accidental or intentional, that can result in physical damage. Fire, water, power loss, explosions, vandalism, terrorism, and civil disorder are all within this category.
  • Equipment malfunction. The possibility of failures in computers and supporting equipment, such as printers, disk drives, and air conditioners.
  • Software malfunction. The likelihood of loss and failures caused by computer programs, including operating system software and application programs.
  • Human error. The threat of disruption or loss due to accidental or intentional action or inaction by employees. Computer operators, programmers, maintenance engineers, and service personnel can all precipitate loss.
  • Misuse of data. The capacity for intentional misuse of information or facilities by perpetrators of crime, such as fraud, espionage, misrepresentation, forgery, or theft of data or other assets controlled by the data.
  • Loss of data. The intentional or unintentional loss of information through disruption of the physical media upon which the data resides, or the corruption or erasure of the data.

In addition to classifying risks by category of threats, it is useful to analyze risks by the magnitude of potential loss, the probability of loss, and the frequency and permanence of occurrence. Although magnitude of loss can be expressed in terms of time or dollars, it is more practical to use dollar cost as a common basis for measurement. Quantifications should be based on reasonable and supportable estimates of the costs associated with the actual occurrences of adverse events.

Threats must be evaluated in terms of probability of occurrence. True risk is difficult or impossible to measure, but a reasonable priority of risks may be established by evaluating the likelihood of occurrence in conjunction with the magnitude of potential loss for each threat. An aggregation of consequential costs for each threat, over a common time period, and based on the likelihood of occurrence for each threat, can serve to prioritize seemingly diverse risks.

Three convenient groupings for permanency of damage are disasters, solid failures, and transient failures. Disasters are serious and lengthy disruptions usually resulting in costly reconstruction of data, alternative off-premises processing, loss of business, and high cost. Solid failures are those that require shutting down part or all of the system in order to take corrective action. Costs of solid failures may range from simple inconvenience to substantial loss of business. Transient failures are defined as temporary disruptions that do not recur regularly and therefore may be difficult to correct. Like solid failures, their costs can vary widely.

Quantification of risk is imprecise at best and varies greatly from one organization to another, and even among computer installations in the same organization. Nevertheless, quantification affords the means of ordering the relative importance of various threats and of substantiating the need for expenditure to counteract threats. In summary, even though probability estimates for specific events may represent intuitive feelings about likelihood, rather than actuarial knowledge, they can nonetheless serve as a basis for focusing discussion and planning.
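The prioritization argued for above, as an added example that is not from the Handbook: each threat is scored as loss magnitude times expected annual frequency, aggregated over a common one-year period and grouped by permanence of damage, and a proposed safeguard is weighed against the expected loss it removes. All threat names, dollar figures, frequencies and safeguard costs are constructed for illustration.

```python
"""Expected-loss risk prioritization in the style of Section 63.2.6.

Added example; all figures below are constructed, not drawn from the Handbook.
Magnitude of loss is expressed in dollars (the common measurement basis the
chapter recommends), likelihood as expected occurrences per year (a value
below 1 is simply a per-year probability), and each threat is tagged with one
of the chapter's three permanence groupings.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Permanence(Enum):
    DISASTER = "disaster"
    SOLID = "solid failure"
    TRANSIENT = "transient failure"


@dataclass(frozen=True)
class Threat:
    name: str                 # threat category (physical hazard, human error, ...)
    loss_per_event: float     # dollar magnitude of a single occurrence
    events_per_year: float    # expected frequency over the common one-year period
    permanence: Permanence

    @property
    def annual_expected_loss(self) -> float:
        # consequential cost aggregated over the common period
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float
    # fraction (0..1) by which the safeguard reduces each named threat's frequency
    frequency_reduction: Dict[str, float] = field(default_factory=dict)


def prioritize(threats: List[Threat]) -> List[Threat]:
    """Order threats from highest to lowest annual expected loss."""
    return sorted(threats, key=lambda t: t.annual_expected_loss, reverse=True)


def total_expected_loss(threats: List[Threat]) -> float:
    return sum(t.annual_expected_loss for t in threats)


def loss_by_permanence(threats: List[Threat]) -> Dict[Permanence, float]:
    """Aggregate expected loss under the disaster/solid/transient groupings."""
    totals = {p: 0.0 for p in Permanence}
    for t in threats:
        totals[t.permanence] += t.annual_expected_loss
    return totals


def safeguard_net_benefit(safeguard: Safeguard, threats: List[Threat]) -> float:
    """Expected loss avoided per year minus the safeguard's annual cost.

    A positive value substantiates the expenditure on expected-loss grounds;
    a negative value means the spend must be argued on prudence instead.
    """
    avoided = sum(
        t.annual_expected_loss * safeguard.frequency_reduction.get(t.name, 0.0)
        for t in threats
    )
    return avoided - safeguard.annual_cost


# Constructed threat register for a hypothetical installation.
THREATS = [
    Threat("fire in computer room", 2_000_000, 0.02, Permanence.DISASTER),
    Threat("disk drive failure", 40_000, 2.0, Permanence.SOLID),
    Threat("power loss", 15_000, 4.0, Permanence.TRANSIENT),
    Threat("operator error", 8_000, 12.0, Permanence.SOLID),
    Threat("data theft by insider", 500_000, 0.1, Permanence.DISASTER),
]

# Two constructed safeguards to compare against the register.
UPS = Safeguard("UPS and standby generator", 20_000, {"power loss": 0.9})
FIRE_SUPPRESSION = Safeguard("gas fire suppression", 50_000,
                             {"fire in computer room": 0.8})


def main() -> None:
    print(f"{'threat':28} {'permanence':18} {'annual expected loss':>22}")
    for t in prioritize(THREATS):
        print(f"{t.name:28} {t.permanence.value:18} {t.annual_expected_loss:22,.0f}")
    print(f"{'total':47} {total_expected_loss(THREATS):22,.0f}")
    for p, v in loss_by_permanence(THREATS).items():
        print(f"  {p.value:18} {v:,.0f}")
    for s in (UPS, FIRE_SUPPRESSION):
        print(f"{s.name}: net benefit {safeguard_net_benefit(s, THREATS):,.0f}/yr")


if __name__ == "__main__":
    main()
```

Note that the frequent, low-magnitude operator error outranks the rare, high-magnitude fire on expected loss alone, which is exactly the reordering of "seemingly diverse risks" the chapter describes; the permanence grouping keeps the disaster exposure visible when the ranking is presented to management.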

An effective computer security program requires a balance of rationality and prudence. It also requires a continuing management commitment. Absolute security is an impossible dream unless one has unlimited resources—and even then, many responses would still have to be post hoc reactions to new threats, vulnerabilities, and attacks. Surprisingly, however, even on a modest budget, it is usually possible to achieve reasonable security. Many basic safeguards can be implemented for modest expenditures of time and effort. Many chapters in this Handbook discuss such basic safeguards.

63.3 LIABILITIES.

As discussed, security managers focus on minimizing liability by a practice generally known as risk management. Risk management is the traditional model for information security; ideally, one determines risk by identifying the threats and vulnerabilities and then evaluating the associated costs and probabilities of each type of incident. The probabilities are difficult to define, and as a result, much of risk management is, in practice, an intuitive, nonquantitative process.

Security managers face many liabilities. Some of the possible negative consequences of inadequate security include:

  • Loss of revenue
  • Loss of reputation
  • Loss of business partner confidence
  • Loss of consumer confidence
  • Loss of enterprise valuation
  • Failure of the entire enterprise

Each of these types of loss also involves a loss of trust. Trust is easy to lose, especially in uncertain economic climates, and it is, unfortunately, harder to regain trust than to establish and maintain it. It is necessary for managers to understand that security and privacy are integral to the services and products offered by the enterprise. Security and privacy must apply to data from customers, business partners, employees, and every other individual or entity with whom the enterprise comes into contact.

63.3.1 Stakeholders.

It is easy to think of only stockholders and customers when evaluating the potential costs of security breaches. However, it is useful to enumerate all of the people, and other entities, that are potentially affected by information security breaches. Such stakeholders can include:

  • Stockholders. People and organizations owning stock in a privately held or publicly traded enterprise
  • Employees. Managers and workers depending on an enterprise for their livelihood
  • Customers. People and organizations depending on fulfillment of contractual obligations by the enterprise
  • Potential customers. Those who might want to do business with the enterprise
  • Suppliers. Those depending on the enterprise for acceptance of materials and services followed by payment as per contract
  • Data subjects. People or other entities about whom an enterprise stores, manipulates, and reports data
  • Regulatory agencies and law enforcement. People and organizations devoted to enforcing statutory regulations and laws
  • Users of other systems victimized by means of a compromised system. Innocent bystanders who may be harmed, through no fault of their own, when a compromised system is used as an intermediary to launch attacks on an ultimate target

Managers must explore the potential consequences of specific types of security incidents with respect to all of the stakeholders. This wider analysis contributes significantly to effective risk management.

63.3.2 Due Diligence of Care.

Due diligence of care in information security refers to the research and analysis carried out in establishing that risks have been minimized to an extent consistent with industry standards. Due diligence investigations are typically crucial in mergers and acquisitions, where unanticipated liabilities can result in financial disaster and legal culpability.

Unfortunately, just as there is no sound basis for assertions about computer crime rates, there is not even the most rudimentary basis for asserting that any given level of security represents adequate care for information. What, precisely, is the right length for the asymmetric encryption key used in protecting confidential e-mail sent across the Internet? Does failing to update antivirus signatures daily constitute a violation of due diligence, or is once a week good enough? Does due diligence in securing a manufacturing system require installation of an intrusion detection system? What about lacking an IDS in a hospital or a bank? Is a computer emergency response team a requirement to demonstrate due care in protecting information assets?

Attempts at defining security standards have not yet convinced more than a few enterprises to conform to their recommendations; the information security field has not yet reached the point that quality assurance reached after the International Organization for Standardization (ISO) promulgated the ISO 9000 series in 1987, and certification to it became widely used in manufacturing plants around the world.

Sensitivity to due diligence of care should, at a minimum, begin with consideration of legal and regulatory requirements for the protection of information. Contractual obligations with any and all stakeholders will determine the required degree of responsiveness to intrusion, and may help determine whether to cooperate with law enforcement authorities to investigate any breach of security.62

63.3.3 Downstream Liability.

In recent years, a growing number of security experts and attorneys have predicted that the doctrine of downstream liability would become a significant factor in pushing management toward better security. Downstream liability is an application of the legal theory of contributory negligence to information security. Contributory negligence, as used here, refers to reckless endangerment of others: “reckless” meaning without consideration of the consequences, and “endangerment” meaning putting others at risk of harm. The term “downstream” refers to the conventional model in which the source of data is viewed as being upstream of the recipient of those data; thus if someone compromises a university computer system and uses those computers to launch an attack on a bank, the bank is viewed as downstream from the university. Conceivably, the bank's attorneys could accuse the university administrators of negligence for allowing their computers to be compromised and claim damages on that basis.

Keeping in mind that the authors are not attorneys, and that the information being discussed here is in no sense legal advice (for legal advice, consult an attorney), examples of what might be construed in a court of law as downstream liability include:

  • Distributing virus-infected documents through e-mail because all antivirus mechanisms have deliberately been turned off
  • Allowing a malefactor to install zombie software on a poorly configured system and involving that compromised system in a distributed denial-of-service attack63
  • Failing to install patches for a well-known and years-old vulnerability, thus allowing a criminal hacker to attack a third party via a root compromise of the poorly secured system64
  • Allowing private information such as credit card numbers belonging to thousands of people to be stolen and distributed on the Internet, for use in credit card fraud
  • Providing an unsecured e-mail server that provides an open spam-relay point for junk e-mail, with a forged REPLY-TO address, to flood millions of mailboxes with unwanted e-mail, thereby causing thousands of bounce messages and angry accusations to clog the mail system of the innocent owner of the forged REPLY-TO address
  • Having an employee who sends out thousands of fraudulent notices using the employer's e-mail system to libel a competitor, causing depression of that competitor's sales and stock price
  • Configuring a honey-pot system on the enterprise network to attract the attention of criminal hackers—who then turn around and use the honey pot to attack a third party

It is important to note that honey pots, while used as security measures to attract a hacker to a specific server for the purpose of gathering data on an attack, do in fact introduce security holes. The honey pot is a live server, with intentional vulnerabilities built in, connected to a company's network. Once penetrated, an attacker may use it as a platform from which to launch future attacks. Special safeguards must be designed to prevent this.

One possible safeguard is to prevent any traffic that leaves the honey pot from actually going anywhere, or to trap it on what might be termed a “honey logger,” a server designed simply to catch all of that traffic for the purpose of analyzing it.
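The containment the preceding two paragraphs call for, as an added example that is not part of the chapter: an nftables ruleset for a Linux gateway placed between a honey-pot segment and everything else. The addresses (192.0.2.10 for the honey pot, 192.0.2.20 for the logging host) and the interface name hp0 are assumptions for illustration; the chapter names none. The rules live on the gateway, not on the honey pot itself, because a host that is expected to be compromised cannot be trusted to enforce its own limits.

```shell
#!/bin/sh
# Added example, not from the chapter: nftables rules for a Linux gateway that
# sits between a honey-pot segment and the rest of the network.
# Assumed (hypothetical) values: the honey pot is 192.0.2.10 behind interface
# "hp0"; a separate logging host (the "honey logger") is 192.0.2.20.

HONEYPOT_IP="${HONEYPOT_IP:-192.0.2.10}"
LOGGER_IP="${LOGGER_IP:-192.0.2.20}"
HP_IF="${HP_IF:-hp0}"

# Emit the ruleset. Sessions that an outsider opens toward the honey pot are
# allowed and their replies flow back; any session the honey pot itself tries
# to open is diverted to the logging host and counted, so the honey pot can
# never be used as a platform against a third party.
honeypot_ruleset() {
  cat <<EOF
table ip honeypot {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Every connection the honey pot initiates is redirected to the logger,
        # which records it instead of delivering it.
        iifname "$HP_IF" ct state new counter dnat to $LOGGER_IP
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to sessions opened by outsiders toward the honey pot.
        iifname "$HP_IF" ct state established,related accept
        # Outsiders may reach the honey pot; that is its purpose.
        oifname "$HP_IF" ip daddr $HONEYPOT_IP accept
        # Honey-pot-initiated sessions, now pointed at the logger, are
        # forwarded there and logged; the drop policy stops everything else.
        iifname "$HP_IF" ip daddr $LOGGER_IP ct state new log prefix "HONEYPOT-EGRESS " accept
        # Belt and braces: anything else the honey pot starts is counted and dropped.
        iifname "$HP_IF" ct state new counter drop
    }
}
EOF
}

# Syntax-check the ruleset with nft when it is installed (nft -c parses without
# loading anything); returns 0 when nft is absent so the script still runs on
# a workstation without nftables.
honeypot_ruleset_check() {
  if command -v nft >/dev/null 2>&1; then
    honeypot_ruleset | nft -c -f -
  else
    echo "nft not installed; ruleset not syntax-checked" >&2
    return 0
  fi
}

# Number of forwarding rules that accept traffic: exactly three in this ruleset.
honeypot_accept_rules() {
  honeypot_ruleset | grep -c ' accept$'
}
```

Run honeypot_ruleset to print the rules and pipe them into nft -f - on the gateway to load them; then watch the kernel log for the HONEYPOT-EGRESS prefix, because the first such entry is the moment the honey pot stopped being bait and became a launch platform. The honey pot must sit on its own interface or VLAN: if it shares a segment with production hosts, traffic to those hosts never crosses the gateway and these rules never see it.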

As of this writing, there appear to have been no cases in which a plaintiff has successfully sued an enterprise for damages on the basis of downstream liability linked to inadequate security. However, in December 2000, FirstNet Online (Management) Limited filed a lawsuit in the Court of Session in Edinburgh, Scotland, against Nike, Inc., apparently an innocent victim. The incident began in June 2000, when someone hijacked the DNS (Domain Name System) entry for the nike.com domain by filing incorrect resolution data with Network Solutions, Inc., which at the time was responsible for registering and maintaining certain classes of domain names. All subsequent attempts to reach nike.com were redirected to the s11.org domain, an activist site devoted to fighting globalization. The redirection allegedly caused serious harm to the Web-hosting service for s11.org; according to the plaintiffs, FirstNet Online “experienced an 1800% increase of traffic over the 46 hours it took to correct the problem completely.”65 Blaming Nike administrators for failing to protect the password required for updating the DNS records at Network Solutions, the plaintiffs demanded compensation for the expenses incurred. Nike officials rejected such accusations and blamed Network Solutions for allowing the redirection of Internet traffic to the s11.org site. Readers will want to search the Web for later developments in this interesting case.

63.3.4 Audits.

As managers attempt to manage security according to nebulous principles of due care, they must remember that in many enterprises, IT and information security departments are seen as being equivalent to the police. Many people in these departments have privileged access to other people's secrets; for example, they can read all e-mail, and can often tell exactly what Web sites employees have been visiting. In some environments, network monitors allow administrators and security personnel to activate keystroke monitoring and to view in real time the appearance of any given terminal or workstation on the network. Because of the enormous power of these people, managers must ensure that their levels of access are not abused.

Information systems auditors are responsible for keeping the technical and security staff honest. In some larger enterprises, there is a department of internal audit whose director reports to the same level as other officers, such as the CEO and CFO. In other cases, third-party auditors monitor adherence to policy, standards, and procedures.66

Security audits are often feared, and with good reason. In general, many audits are performed with the focus of finding fault. This approach is counterproductive and unnecessarily stressful. The point of an audit should not be to find the maximum number of offenses but rather to assess the level of compliance. The most important outcome of an audit is finding areas of potential improvement. A nonadversarial style facilitates positive results; thus an auditing team should provide constructive suggestions for improvement wherever possible.

An auditing team also needs to listen to those being audited. Although a particular network may not be configured to full compliance with security policy, there may be reasons for this apparent failure. For example, suppose a specific patch was required by security policy to have been installed on a Solaris server, but a particular Solaris server did not comply. An auditor might report a failure without further investigation even though, in reality, the patch might have been installed but found to be incompatible with a critical application. Just like managers, audit teams need to see the big picture, not just the rules and procedures. The main point is that all audits must be done with the needs of the business in mind. It does no good to have a process that gets in the way of the business at hand. Instead, to enable the business, alternative measures must be found. That is the job of the auditor—to help ensure compliance and to provide another set of eyes that can see to it that all needs are taken care of.

To prove due diligence, auditing is a must. Generally, third-party audits create more trust, as a third party has no stake in the findings. However, it is important to ensure that a third-party audit firm maintains its independence. It can be risky to use a small firm that derives more than a modest fraction of its revenue from any one client. Conversely, it may be undesirable to have the same large firm perform accounting or auditing functions while also serving as security consultant.

63.4 COMPUTER MANAGEMENT FUNCTIONS.

The job of the manager is to provide leadership, and it must be provided in an organized and creative manner. Management is dynamic, not static, and the manager must deal with change—change in the organizational environment, change in people, and change in the methods of management. Unfortunately, the laws of inertia apply to management as to physics, and change will often be resisted. The challenge to the manager is to manage change.

Even a successful security program will usually result in higher costs, as well as in changes in the organizational structure and in the working environment. To compound the problems, the benefits of the security program are not highly visible. Security is essentially preventive and is often regarded as capital expenses and overhead of questionable value. Too often, upper managers dismiss proposals for better security by pointing out that there have been no breaches of security in the last year; thus the more successful the security program, the less evidence there is to support its usefulness. To counteract this circular and destructive reasoning, security managers should compile evidence of the numbers and types of attempted penetrations identified by intrusion detection systems67 and attempted malfeasance by authorized users identified by system and application logging.68
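Compiling that evidence, as an added example not taken from the chapter: a POSIX shell script that turns authentication and sudo log lines into the counts a security manager can put in front of upper management. The log lines are constructed for the example (syslog-style sshd and sudo entries); the hostnames, addresses and the log formats themselves are assumptions, and the match patterns are the part to adapt to a real system.

```shell
#!/bin/sh
# Added example, not from the chapter: summarizing log evidence for management.
# SAMPLE_LOG is constructed for this example in syslog/sshd and sudo style;
# real formats vary by system, so the patterns below are what to adapt.

SAMPLE_LOG='Mar  3 02:14:07 web1 sshd[4121]: Failed password for root from 198.51.100.23 port 51234 ssh2
Mar  3 02:14:09 web1 sshd[4121]: Failed password for root from 198.51.100.23 port 51236 ssh2
Mar  3 02:14:12 web1 sshd[4125]: Failed password for invalid user admin from 198.51.100.23 port 51240 ssh2
Mar  3 09:02:44 web1 sshd[5210]: Accepted publickey for deploy from 203.0.113.8 port 40122 ssh2
Mar  3 23:41:30 db1 sudo:   jsmith : command not allowed ; TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  4 02:15:02 web1 sshd[6001]: Failed password for root from 192.0.2.77 port 33010 ssh2
Mar  4 03:05:11 web1 sshd[6010]: Failed password for invalid user oracle from 192.0.2.77 port 33020 ssh2'

# Failed SSH logins per source address, most active first. Output: "<count> <ip>".
failed_logins_by_source() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for/ {
           for (i = 1; i <= NF; i++) if ($i == "from") n[$(i + 1)]++
         }
         END { for (ip in n) print n[ip], ip }' |
    sort -rn
}

# Total failed SSH logins in the period.
failed_login_total() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/sshd\[[0-9]+\]: Failed password for/ { c++ } END { print c + 0 }'
}

# Attempts by authorized users to run commands that sudo policy forbids: the
# "attempted malfeasance by authorized users" the chapter refers to.
sudo_denials() {
  printf '%s\n' "$SAMPLE_LOG" |
    awk '/ sudo: / && /command not allowed/ { c++ } END { print c + 0 }'
}

# Sources that failed at least $1 times (default 3): the "attempted
# penetrations" line item, one address per line.
repeat_offenders() {
  failed_logins_by_source | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# One-screen report for a management meeting.
security_evidence_report() {
  echo "Failed SSH logins:        $(failed_login_total)"
  echo "Distinct sources:         $(failed_logins_by_source | wc -l | tr -d ' ')"
  echo "Sources with >= 3 tries:  $(repeat_offenders 3 | tr '\n' ' ')"
  echo "Denied sudo commands:     $(sudo_denials)"
}
```

Feed a real log in place of SAMPLE_LOG (for example by reading /var/log/auth.log) and run security_evidence_report once a month; a series of such reports is the trend line that answers "there were no breaches last year" with the number of attempts that did not succeed.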

The tools of the manager include planning, organizing, integrating, and controlling. These are not independent activities that can be completely separated; rather they represent a matrix. Taken as an interrelated process, they achieve balance and direction.

63.4.1 Planning for Computer Security.

The planning function of management includes the determination of objectives, policies, priorities, schedules, standards, and strategy.

It is important to define the scope and purpose of a computer security program in terms of objectives. There should be a clear statement of results to be achieved within a given period of time. Security objectives must be balanced with other organizational objectives, because conflicts may arise. As an example, the need for controlled access will naturally conflict with desires for user flexibility and convenience. Objectives should be imaginative and responsive to change and conflict.

Planning for computer security requires the participation of top management, so that security objectives can be reconciled with general organizational objectives and with financial priorities. It is also necessary to coordinate security activities between data processing and all the other areas of the organization. Auditing, insurance, legal, financial, and other groups are affected by, and should contribute to, a computer security program.69

The objectives, policies, schedules, and standards that result from the planning process need to be communicated throughout the organization. While this is generally true for all planning, it is especially crucial to the success of a security program, which may conflict with existing corporate culture.70 Finally, feedback is essential to permit recognition of failures and departures from plans. Only by monitoring results is it possible to take corrective action or to readjust the objectives, policies, plans, schedules, and standards to the practicalities of the real world.

63.4.2 Organizing.

Organization is the process of marshaling resources, grouping activities and responsibilities, and establishing relationships that will enable people to work together most effectively in determining and accomplishing the objectives of an enterprise.

The important elements of organization for computer security include:

  • Obtaining resources of personnel, money, and facilities adequate to accomplish the assigned mission
  • Fitting responsibly into the organizational pattern
  • Assigning responsibility and authority to individuals
  • Formulating supporting methods and procedures
  • Measuring organizational effectiveness

Traditionally, the organizing function is concerned with grouping activities into manageable components and grouping human resources into logical relationships to accomplish the desired results. It would be unusual to find an enterprise that was designed with an optimum structure to achieve security at the expense of other goals. Security is not an independent activity, nor does it represent the primary goal of a data processing organizational element. Data processing departments are usually organized into units that reflect the nature of the work performed, or user relationships, or some other structure designed to achieve an adequate service level for the end user. Security measures quite often conflict with the service objectives. That conflict is all the more reason why security must be managed in order to be effective. It is also motivation for creating a separate functional activity, particularly in large organizations, so that information security can be administered independently of competing activities.

63.4.3 Integrating.

Computer security is frequently an afterthought to the organization of the data processing function. Security is also perceived as a passive activity. As a result, responsibility for security is often assigned haphazardly. Security should not merely be superimposed but, instead, should be carefully fitted into the organizational structure. Some important considerations are:

  • Accountability for specific security tasks should be included in formal job definitions of every job level.
  • Training programs should include a complete review of security objectives and policies, as well as details relating to assigned security tasks.
  • Supervisory and management personnel should be assigned responsibility for both performance and attitude of staff with respect to security.
  • Certain line or staff positions could include responsibility for overall security, or a grouping of security tasks, or measurement and monitoring of security. It may be convenient to combine security and control of data processing into a single function. Monitoring of security effectiveness is sometimes assigned to the data processing auditor.
  • Primary responsibility for information security should not be assigned to those with inherently conflicting priorities; for example, it is a bad practice to assign major responsibility for security to the chief of operations, the director of software development, or the vice president of finance.
  • Information systems security should be coordinated and reviewed with security specialists in other areas of the organization. In a manufacturing concern the plant security personnel, or in a bank the bank security officer, should be consulted. It may be desirable to assign monitoring responsibility for security housekeeping tasks to these specialists.
  • Whenever possible, policies should be translated into written guidelines and procedures to provide the detailed requirements for each task. Standards for performance of each activity must be formulated and applied.

Initiating and monitoring the accomplishment of objectives according to established plans requires skillful leadership. The integration function has a direct bearing on the success of a security program. Without effective leadership, security can become a farce. With leadership, a security program can overcome its basic passivity and truly enhance the utility of information systems. Management must embrace and inspire the concept of security as an everyday fact of life. But beyond transmitting a positive attitude of acceptance, management must also be concerned with testing and improving security. The security program is dynamic rather than static. Management's role must be one of continued concern in order to identify, adopt, and adapt better methods to accomplish corporate security objectives.

63.4.4 Controlling.

The final process in the management cycle is measuring and controlling. It is the function that is concerned with achieving cost-effective results, and includes establishing standards, improving methods, examining results, and adjusting the organizational mechanism for corrective action.

The basis for effective control is the use of consistent techniques for measurement and the application of standards for comparison and interpretation. Results should be analyzed promptly, as feedback to effect corrective action. Control systems need not be burdensome or elaborate, but they should be consistent, and they should allow for flexibility and adjustment. Management action is the end product of control. Mistakes in original objectives and plans are forgivable, but failure to recognize and react to mistakes can only compound the problem, add to costs, and undermine the effective use of valuable resources.

63.5 SECURITY ADMINISTRATION.

In large organizations, an independent security administration function is often the most effective method for accomplishing the overall objective of improved information security.

63.5.1 Staffing the Security Function.

The importance of information security has given rise to a new management specialty, consisting of professionals involved in the planning and administration of protection for the integrity and security of automated information assets. Titles such as information security administrator, computer security manager, information systems security officer, and chief information security officer have been used to describe these roles.

Coordination of the information security function requires a combination of managerial and technical talents. The successful administrator must be a superior communicator capable of selling the concept of security and maintaining security awareness at all levels of the organization. Sufficient technical knowledge is important, so that the information security administrator can evaluate and initiate appropriate technological solutions to meet corporate information security policies and to counteract threats. While technical skill, in the form of a data processing background, is important, a broader range of capabilities is needed for maximum effectiveness. The ideal security administrator should possess the ability to communicate with all levels of management and should have good knowledge of related functions such as auditing, internal control, and general security. It is also important to have some knowledge of the industry within which the organization operates.

The administration of information security can be centralized or decentralized, depending on the needs of the organization. Where multiple data center locations are involved, the decentralized approach may be more appropriate to accomplish the details of administration. However, it is important to have one focal point for overall coordination of information security policy. It is also essential to understand that responsibility for information security rests with all members of the organization, and not just the security personnel. Security is a shared responsibility, and this concept must be widely promoted by the security administrator, and strongly backed by senior management.

63.5.2 Authority and Responsibility.

As in all management areas, information security administrators (ISAs) need not only specific responsibilities but also the authority to carry out their duties. Those duties are listed next:

  • Establish policy statements and guidelines for information protection. Although policy is the primary responsibility of senior management, it is appropriate for the ISA to participate in the delineation of a formal policy statement covering this important organizational goal and to prepare appropriate guidelines.
  • Identify vulnerabilities and risks. The ISA serves as a consultant and coordinator in the process of risk analysis. The sensitivity of data resources must be decided by senior management, but with full consensus and agreement by all affected sections of the organization. The ISA has a special responsibility to identify specific risks that affect the automated data resources. The ISA should then coordinate the process of quantifying or otherwise prioritizing the value of the vulnerable data, in order to establish a basis for selection and economic justification of protective measures.
  • Recommend protective measures. Major responsibility for identification of economic solutions to information security vulnerabilities is usually assigned to the ISA. Requiring a combination of technical knowledge and management analysis, this process entails the evaluation of protective solutions for technological, operational, and economic effectiveness. Appropriate recommendations must be coordinated with other affected sections of the organization, including audit, data processing operations, software development, legal counsel, human resources, facilities security, public relations, and others. Implementation plans must also be developed, and there must be a management commitment to the implementation.
  • Control the implementation of protective measures. Whether the final administration of the day-to-day security procedures is centralized or decentralized, the coordination and control of implementation for major protective measures should be centralized. A prerequisite for implementation is the development of standards for information security to ensure consistency in the application of protection. Important areas for standardization are security design for application systems, programming development, data sensitivity criteria, database access, and program maintenance. In general, security standards cover the entire systems life cycle.
  • Measure effectiveness of security precautions. Feedback is essential to assess how effectively policies are being followed. Since the nature of information security is defensive, the measures adopted can easily fall into disuse unless there is ongoing confirmation of effectiveness. The ISA should have primary responsibility to conduct security audits for operational systems as well as for systems under development. Backup protection and disaster-recovery procedures are especially sensitive plans that must be tested periodically. Monitoring of variances in security procedures is also important, and is best controlled through the ISA function. In many organizations these activities are coordinated with the auditors. Finally, the ISA should provide senior management with reports on the effectiveness of security policy, with identification of weaknesses, and with recommendations for improvement.
  • Promote security awareness and security education. Another important area of responsibility for the ISA is security education and awareness. The concept of security must be actively communicated to all members of the staff to maintain awareness of its importance. An effective program should achieve a workable balance between security and the utility of computer resources.
  • Ensure security awareness across cultures. In today's global economy, many companies are located in various geographic regions. As a result, security professionals must understand the role that culture plays in the global enterprise. Different cultural perspectives exist regarding security, and these must be taken into consideration when developing a security awareness program. Understanding the impact of culture on business operations will be very beneficial for the organization. For example, how should global enterprises create cross-border awareness strategies? How might the laws and regulations in various countries help or inhibit the creation of an awareness program?

    Although English is still a widely used language of business, U.S. security professionals are well advised to understand the cultural nuances of their foreign counterparts in order to protect their organization against increasing threats. The growing economic power of the European Union, and of China, and India, should prompt U.S. professionals to begin expanding their language competencies to match those of their global competitors.

63.5.3 Professional Accreditation and Education.

Professional accreditation can provide managers with a basis of assurance that a common body of knowledge is applied to the requirements of information security in their enterprise. There are several professional societies and organizations that offer specialized certification to information security personnel. Such certification is voluntary, since there are no specific licensing requirements for information security practitioners. However, certification does signify serious professional intent on the part of the individual to acquire and maintain the needed knowledge and skills. In most cases, the certification process requires a combination of education, experience, and knowledge; knowledge is evaluated through written examinations. Once achieved, a professional certificate requires continuing education in the field to maintain its validity.

Unfortunately, some managers fear that after they provide training or support advanced education, their employees will leave and use their new skills to benefit some other organization—perhaps even a competitor. In reality, some employees are more likely to walk out if the investment is not made. Numerous studies have shown that if employees feel valued, they will be more willing to stay. For example, a summary of changing contributions to employee satisfaction specifically states that:

  • Although money is clearly an important consideration, cash is not the primary factor that keeps people in their current job or attracts them away to a new job.
  • Opportunity to grow and learn at work is emerging as a primary determinant of attracting and retaining employees….
  • Although employees consistently indicate that education and training are key aspects of their willingness to stay at or leave their current job, employees also typically rank the quality of their employer's education and training function as low.71

Training need not be expensive, excessively time consuming, or difficult.72 Online security training can be taken anytime and is self-paced. Training videos are also an excellent tool for stimulating employee knowledge and interest. The simplest way to locate such resources is to search on the Web with a good search engine using keywords such as “security training.” A particularly helpful site is CCCure.org, which includes a wealth of self-study materials as well as links to many vendors.73

Another alternative is for the employer to use obsolete equipment for training, equipment that would otherwise lie idle in a storage area. Even small departments may have old PCs lying dormant, as well as hubs and possibly routers or switches. These can be used to create a network for testing and learning at little cost. Companies that do not have spare equipment can buy used equipment for less than the cost of a one-week intensive course. For an employee who wants to learn the basics of firewalls, Linux is an inexpensive (often free) operating system whose kernel includes packet filtering as standard (netfilter, administered through iptables or nftables), so setting up a Linux firewall requires no expensive software or appliances. It can provide an effective way of encouraging employees to learn the practical details of configuring firewalls—a valuable skill set in any security department—while rewarding loyal employees by showing confidence in their commitment to learning, and to their continued employment in the enterprise.

Once the firewall is set up, other employees can use the testing and training network to learn about penetration testing, intrusion detection, and other security elements. Different operating systems can be installed, with various applications, all for a minimal investment. As technology, techniques, and tools change, this training network will be valuable in keeping skills up to date.

External, college-level undergraduate and graduate education also provides resources for employees and managers. Universities and colleges are increasingly recognizing the value and validity of educational programs centering on information assurance, both at the technical and managerial levels. Some offer noncredit courses or certificate courses in addition to degree programs. Some offer online programs that support the needs of working adults. Managers can take advantage of these opportunities to improve the knowledge base within their organizations and to increase employee loyalty and retention by supporting employees who want to further their careers in information assurance. Some programs include case studies that may, with permission, center on fieldwork within the students' own work environments, resulting in extensive analysis and recommendations of immense value to their employers.74

63.6 CONCLUDING REMARKS.

Society needs the insights of information assurance specialists. Managers with daily opportunities to think about the strategic implications of vulnerabilities, exploits, and, above all, about the business processes for which they are responsible are in an excellent position to contribute not only to the success of their own enterprises but also to the future of their societies. As Adam Shostack and Andrew Stewart have written in their future-pointing treatise, it is time for a new school of information security—one that involves:

  • Learning from other professions, such as economics and psychology, to unlock the problems that stymie the security field….
  • Sharing objective data and analysis widely….
  • The embrace of the scientific method for solving important security problems. Analyzing real-world outcomes is the best way for information security to become a mature discipline.75

Readers should embrace every opportunity to bring their experience and wisdom to a wider audience, and by speaking and writing they should share their insights with each other, and with the general public.

63.7 FURTHER READING

Laplante, P., and T. Costello. CIO Wisdom II: More Best Practices. Upper Saddle River, NJ: Prentice-Hall, 2005.

Patterson, T. Mapping Security. Upper Saddle River, NJ: Prentice-Hall, 2005.

Swiderski, F., and W. Snyder. Threat Modeling. Redmond, WA: Microsoft, 2004.

63.8 NOTES

1. Because this entire Handbook in a sense provides the underlying details for the management of information assurance, most cross-references to other chapters have been relegated to endnotes to avoid cluttering the text.

2. See Chapters 60 and 62 in this Handbook.

3. For an extensive discussion of the role of the CISO, see Chapter 65 in this Handbook.

4. California State Legislature (2002) Senate Bill SB 1386, http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html.

5. G. Lin, “The Tao Perspective,” in D. Lane, ed., CIO Wisdom (Upper Saddle River, NJ: Prentice-Hall, 2003), Chapter 4.

6. NIST, “Information Security System in the Systems Development Lifecycle,” 2004 [Brochure], http://csrc.nist.gov/groups/SMA/sdlc/index.html.

7. M. E. Kabay, “The Net Present Value of Information Security: A Paradigm Shift for INFOSEC and E-commerce,” vol. 17 (2006), www2.norwich.edu/mkabay/infosecmgmt/npvsec.pdf.

8. J. Bassett and D. Rothman, A Seat at the Table for CEOs and CSOs: Driving Profits, Corporate Performance & Business Agility (Bloomington, IN: AuthorHouse, 2007), p. 111.

9. This section is based on the paper by M. E. Kabay, “The VA Data Insecurity Saga,” 2008, www2.norwich.edu/infosecmgmt/vasaga.pdf.

10. J. Brodkin, “Deep Regrets, from TJX to ChoicePoint, about Data Leaks,” Network World, March 14, 2007, www.networkworld.com/news/2007/031407-wider-net-apologies-letters.html?page=1.

11. G. Gross, “U.S. Agency Loses Data Containing 26 million IDs,” Network World, May 22, 2006, www.networkworld.com/news/2006/052206-us-agency-loses-veterans-data.html?brl.

12. G. Gross, “Lawmaker Calls on VA Head to Resign after Data Theft,” Network World, May 25, 2006, www.networkworld.com/news/2006/052506-lawmaker-calls-on-va-head.html?inform.

13. U.S. Government Veterans Information, “Latest Information on Veterans Affairs Data Security,” www.usa.gov/veteransinfo.shtml.

14. Using keyword “data” in the search field at www1.va.gov/opa/pressrel/index.cfm provides a reasonable chronology.

15. U.S. Department of Veterans Affairs, “Secretary Nicholson Provides Update on Stolen Data Incident: Data Matching with Department of Defense Providing New Details,” June 6, 2006, www1.va.gov/opa/pressrel/pressrelease.cfm?id=1134.

16. “Data on 2.2M Active Troops Stolen from VA,” USA TODAY, June 7, 2006, www.usatoday.com/news/washington/2006-06-06-veterans-data_x.htm.

17. U.S. Department of Veterans Affairs, “Directive by the Secretary of Veterans Affairs R. James Nicholson to All VA Supervisors on Information Security,” May 26, 2006, www1.va.gov/opa/pressrel/pressrelease.cfm?id=1128.

18. U.S. Department of Veterans Affairs, “VA Secretary Inserts New Leadership in Policy & Planning Office,” May 30, 2006, www1.va.gov/opa/pressrel/pressrelease.cfm?id=1129.

19. U.S. Government Accountability Office, “Homeland Security: Guidance and Standards are Needed for Measuring the Effectiveness of Agencies' Facility Protection Efforts,” Report GAO-06-612, May 2006, www.gao.gov/cgi-bin/getrpt?GAO-06-612.

20. U.S. Department of Veterans Affairs, “VA Secretary Inserts New Leadership in Policy & Planning Office,” May 30, 2006, www1.va.gov/opa/pressrel/pressrelease.cfm?id=1129.

21. U.S. Government Accountability Office, “Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues,” Report GAO-06-866T, June 14, 2006, www.gao.gov/cgi-bin/getrpt?GAO-06-866T.

22. U.S. Government Accountability Office, “Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs,” Highlights of GAO-06-897T, 2006, www.gao.gov/highlights/d06897thigh.pdf.

23. U.S. Government Accountability Office, “Information Technology: VA and DOD Face Challenges in Completing Key Efforts,” Highlights of GAO-06-905T, 2006, www.gao.gov/highlights/d06905thigh.pdf.

24. Department of Veterans Affairs Office of Inspector General, “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans,” Report No. 06-02238-163, July 11, 2006, www.va.gov/oig/51/FY2006rpts/VAOIG-06-02238-163.pdf.

25. “Personal Data for 38,000 Veterans Missing, VA Says,” USA TODAY, August 7, 2006, www.usatoday.com/tech/news/computersecurity/infotheft/2006-08-07-veterans-data_x.htm?csp=34.

26. G. Gross, “VA to Spend $3.7M on Encryption Tools: The Move Follows the Theft of a VA Laptop in May,” Computerworld, August 14, 2006, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002447.

27. R. McMillan, “Unisys Contractor Arrested in VA theft: Investigators Do Not Believe 21-year-old Suspect Sought Agency's Data,” InfoWorld, September 15, 2006, www.infoworld.com/article/06/09/15/HNunisyscontractorarrested_1.html.

28. H. A. Waxman, “Committee Report Finds Data Breaches Throughout Federal Government,” Committee on Oversight and Government Reform, 110th Congress, October 13, 2006, http://oversight.house.gov/story.asp?ID=1127.

29. R. Maze, “VA Reports Two More Data Security Lapses,” Federal Times, November 3, 2006, www.federaltimes.com/index.php?S=2331714.

30. A. Broache, “Hard Drive Vanishes from VA Facility,” C/Net News, February 5, 2007, http://news.com.com/2100-1029_3-6156386.html.

31. G. Keizer, “Lost VA Hard Drive May Have Held 1.8M IDs: Initially, the Agency Said Just 50,000 Were Potentially Affected,” Computerworld, February 13, 2007, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9011218.

32. M. E. Kabay, “PIIssed Off Yet?” Network World Security Strategies, June 12, 2007, www.networkworld.com/newsletters/sec/2007/0611sec1.html.

33. U.S. Government Accountability Office, “Information Security: Veterans Affairs Needs to Address Long-Standing Weaknesses,” Report GAO-07-532T, February 28, 2007, www.gao.gov/new.items/d07532t.pdf.

34. G. Gross, “VA to Spend $3.7M on Encryption Tools: The Move Follows the Theft of a VA Laptop in May,” Computerworld, August 14, 2006, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002447.

35. J. Vijayan, “OMB Sets 120-day Deadline for Fed Breach-Notification Plans: Agencies have the summer to develop and implement first phases of policies,” Computerworld, May 29, 2007, www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9021544.

36. GuardianEdge, “Chronology of Data Security Breaches,” www.guardianedge.com/news/recent-data-breaches/.

37. See Chapters 1 and 3.

38. See Chapter 57.

39. See Chapters 56, 58, and 59.

40. See Chapter 60.

41. See Chapters 22 and 23.

42. See Chapters 24 through 37.

43. See Chapters 43 through 50.

44. See Chapters 51 through 55.

45. Policy issues are discussed in detail in Chapters 44, 45, 47, 48, 49, and 50 of this Handbook.

46. M. K. Pratt, “Employee Security Training: Beyond Posters,” Computerworld (2006), www.computerworld.com/action/article.do?command=viewArticleTOC&specialReportId=100&articleId=110494.

47. G. G. Gross, “Study: Human Error Causes Most Security Breaches,” Computerworld (2003), www.computerworld.com/careertopics/careers/training/story/0,10801,79485,00.html.

48. E. Dickson, “Could the Arrests in the Stop and Shop Data Breach Indicate a Tie to Armenian Mobsters?” Fraud, Phishing and Financial Misdeeds Blog (2007), http://fraudwar.blogspot.com/2007/02/could-arrest-in-stop-and-shop-data.html.

49. See Chapter 50 for more information about using social psychology to motivate compliance with security policies.

50. http://honeynet.org/misc/chall.html.

51. For more about log files, see Chapters 52 and 53; on postmortem analysis, see Chapter 56.

52. See Chapters 49 and 50.

53. T. J. Peters and R. H. Waterman, In Search of Excellence: Lessons from America's Best-Run Companies (New York: HarperCollins, 1983). See also H. K. Jones, “Does MBWA (Management By Wandering Around) Still Work?” (2007), Self-Growth.com, www.selfgrowth.com/articles/Jones6.html.

54. B. J. Fox, “Communications: Communication Excellence in IT Management,” in D. Lane, ed., CIO Wisdom (Upper Saddle River, NJ: Prentice-Hall, 2003), Chapter 5.

55. S. Adams, “Official Dilbert Website” (2008), www.dilbert.com/.

56. See Chapter 28.

57. M. E. Kabay, “A Rant about InfoSec: A Security Veteran in a Bad Mood Dumps on Everyone” (2004), www2.norwich.edu/mkabay/opinion/rant.pdf.

58. See Chapter 30.

59. See Chapter 38.

60. For more security-awareness ideas, see Chapter 49.

61. Chapter 62 of this Handbook discusses risk management in more detail.

62. See Chapter 61.

63. See Chapter 18.

64. See Chapters 15 and 40.

65. See www.nikesucks.org.

66. See Chapter 54.

67. See Chapter 27.

68. See Chapters 53 and 54.

69. See Chapter 56 for a more extensive discussion of these principles in connection with the computer emergency response team.

70. See Chapter 50 for a discussion of the psychology of implementing security policies.

71. L. J. Basai, “Employee Retention,” Learning in the New Economy, LineZine (Summer 2000), www.linezine.com/3/themes/hardtalk.htm.

72. M. R. Farnum, “Security Awareness Training Does Not Have to Be Hard,” Hitting the Security Nerve—Computerworld Blogs (2006), http://blogs.computerworld.com/node/4175.

73. http://cccure.org/.

74. For more details of certification and education in the security field, see Chapter 75 for the United States and Chapter 76 for Europe.

75. A. Shostack and A. Stewart, The New School of Information Security (Upper Saddle River, NJ: Addison-Wesley, 2008), p. xiv.
