How Can You Improve Information Security

Michael Erbschloe, Republished from SafetyIssues Vol 2 Issue 21, August 2003

Volume 4 Issue 44

July 2005

Your organization can take several steps toward building more secure networks and information systems. It is important to start with a firm foundation that upper-level managers, IT staff, and employees throughout the organization understand and support.

You must also approach technology in an organized, systematic way to ensure that the technology you install is actually secured. It is also advisable to conduct vulnerability audits. Lastly, you can work with other organizations in your community to fight computer crime.

Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level, and maintaining that level of risk. Managers analyze risks for many aspects of their business; they consider alternatives and implement plans to maximize returns on their investments. A risk management process for information systems enables managers and their organizations to build an in-depth knowledge about their systems and how they are interrelated.
For many years, the General Accounting Office (GAO) had found weaknesses in the information systems of federal agencies. Many agencies had not instituted information security programs to establish controls for their systems and to monitor those controls for their effectiveness. To gain a broader understanding of how security programs can be successfully implemented, the GAO studied the management practices of eight nonfederal organizations. The focus was on the management framework that the organizations had established rather than on specific controls that had been adopted.
The nonfederal organizations studied by the GAO manage the same types of risks as federal organizations. Both federal and nonfederal organizations are concerned with protecting the confidentiality, integrity and availability of information. Secure information systems are essential to providing high-quality services to customers, avoiding fraud and disclosure of sensitive information, promoting efficient business operations, and complying with laws and regulations. All of the organizations studied had reoriented their security programs to make them visible, integral components of their business operations.
The GAO identified five principles of risk management, which had been adopted by the organizations studied:
  1. Assess risk and determine needs
  2. Establish a central management focal point
  3. Implement appropriate policies and related controls
  4. Promote awareness
  5. Monitor and evaluate policy and control effectiveness
The GAO noted that successful organizations applied these principles by linking them into a cycle of activity that enabled the organizations to address risks on an ongoing basis. The success of security programs depended upon the recognition and understanding of the senior executives that their information systems were subject to risks and that these risks affected their business operations. After assessing risks of their business operations, the organizations established policies and selected controls. They emphasized increased awareness of users to the policies and controls. They monitored the effectiveness of the policies and controls and used the results to determine if modifications of policies and controls were needed. Central security management offices coordinated this cycle of activities.
All organizations studied said that risk considerations and related cost-benefit tradeoffs were a primary focus of their security programs. Security was not an end in itself, but a set of policies and controls designed to support business operations.
The GAO found that there were general practices associated with each risk management principle and that these practices were common to the organizations studied.

Principle: Assess risk and determine needs

Practice 1. Recognize information resources as essential organizational assets that must be protected. The efforts of high-level executives to understand and manage risks helped to ensure that security was taken seriously at lower levels in the organization and that security programs had adequate resources. Security specialists kept managers at all levels informed of emerging security issues. For some organizations, the high-level interest was driven by an incident that demonstrated system vulnerabilities. Others were exploring new ways to improve operational efficiency and customer service through information technology and were concerned about the security of these new systems.

Practice 2. Develop practical risk assessment procedures that link security to business needs. While the organizations explored a variety of risk management methodologies, they were generally satisfied with relatively simple risk assessment practices that could be adopted by different organizational units and that involved both technical people and those with knowledge of business operations. In one organization, simple automated checklists were used. Another organization established standard procedures for requesting and granting new network connections, requiring documentation of the business need for the connection and the risks associated with it. None of the organizations tried to quantify risks precisely, because the data needed for such estimates were difficult to obtain.

Practice 3. Hold program and business managers accountable. The organizations studied felt that business managers should be held accountable for managing the information security risks associated with their operations, just as they are held accountable for other business risks. Security specialists in these organizations had an advisory role, including keeping the management informed about risks. Similarly, program managers in federal agencies are also considered to be in the best position to determine which of their information resources are the most sensitive and to assess the impact of security problems.

Practice 4. Manage risk on a continuing basis. The organizations studied emphasized continuous attention to security. This continuity of attention helped to ensure that controls remained appropriate and effective, and that the individuals who used and maintained information systems complied with organizational policies.

Principle: Establish a central management focal point

Practice 5. Designate a central group to carry out key activities. Central security groups served as catalysts for ensuring that information security risks were considered in planned and ongoing operations. These groups provided advice and expertise to all organizational levels and kept managers informed about security issues. They developed organization-wide policies and guidance; educated users about information security risks; researched potential threats, vulnerabilities, and control techniques; tested controls; assessed risks; and identified needed policies.

Practice 6. Provide the central group with ready and independent access to senior executives. The organizations studied knew that security concerns could be at odds with the desires of business managers and system developers to develop new computer applications quickly and to avoid controls that might impede efficiency and convenience. Elevating security concerns to higher management levels helped to ensure that the risks were understood and taken into account when decisions were made.

Practice 7. Designate dedicated funding and staff. Unlike many federal agencies, the organizations studied defined budgets that enabled them to plan and set goals for information security programs. The budgets covered central staff salaries, training, and security software and hardware. In these organizations, information security responsibilities had been clearly defined for the groups carrying out the security programs, and dedicated staff resources had been provided to carry out these responsibilities.

Practice 8. Enhance staff professionalism and technical skills. The organizations studied had taken steps to provide personnel involved in information security programs with the skills and knowledge they needed. Staff expertise was updated frequently to keep skills and knowledge current. Staff members attended technical conferences and specialized courses, connected with other professionals in the field, and reviewed technical literature and bulletins. Special training courses were provided for system administrators, who are the first line of defense against intrusions and are often in the best position to notice unusual activity. Because of the strong demand for security professionals, these organizations made special efforts to attract and keep expert staff members.

Principle: Implement appropriate policies and related controls

Practice 9. Link policies to business risks. The organizations studied stressed the importance of up-to-date policies that made sense to users and others who were expected to understand them. A current and comprehensive set of policies is a key element in an effective security program. These policies must be adjusted on a continuing basis to respond to newly identified risks. The policies of the organizations studied paid particular attention to user behavior. In today's interconnected network environment, users can accidentally disclose sensitive information to many people through electronic mail or introduce damaging viruses that are then transmitted to other computers in the organization's networks.

Practice 10. Distinguish between policies and guidelines. Policies generally outlined fundamental requirements that managers considered to be mandatory, while guidelines contained more detailed rules for implementing the policies. By distinguishing between the two, the organizations studied were able to emphasize the most important elements of information security while providing flexibility to unit managers in implementing policies.

Practice 11. Support policies through the central security group. The organizations studied had central security management groups responsible for writing policies in partnership with other organizational officials. The central groups provided explanations, guidance, and support to the various units in the organization. This practice encouraged business managers to support centrally developed policies that addressed organizational needs and were practical to implement.

Principle: Promote awareness

Practice 12. Continually educate users and others on risks and related policies. The central security management groups worked to improve everyone's understanding of the risks associated with information systems and of the policies and controls in place. They encouraged compliance with policies and awareness on the part of users of the risks involved in disclosing sensitive information or passwords.

Practice 13. Use attention-getting and user-friendly techniques. The techniques used included intranet websites that explained policies, standards, procedures, alerts and special notices; awareness videos with messages from top managers about the security program; interactive presentations by security staff with various user groups; security awareness days; and products with security-related slogans.

Principle: Monitor and evaluate policy and control effectiveness

Practice 14. Monitor factors that affect risk and indicate security effectiveness. The organizations studied directly tested the effectiveness of their controls. Most relied primarily on auditors to carry out this function, which allowed the security organizations to maintain their roles as advisors. The central security management groups kept track of audit findings and the organization's progress in implementing corrective actions. In some cases, the central security management groups conducted their own tests, and some organizations allowed designated individuals to try to penetrate systems. Testing controls enabled the organizations to identify previously unknown vulnerabilities and to eliminate or reduce them. All of the organizations monitored compliance with policies, mostly through informal feedback to the central security group from system administrators. All of the organizations kept summary records of actual security incidents to measure the types of violations and the damage suffered; these records were valuable input for risk assessments and budget decisions. Many of the organizations expressed an interest in developing better techniques to measure the benefits and costs of security policies and controls.

Practice 15. Use results to direct future efforts and hold managers accountable. Organization officials said that monitoring encourages compliance with information security policies, but the full benefits of monitoring are not achieved unless results are used to improve the security program. Results can be used to hold managers accountable for their information security responsibilities.

Practice 16. Be alert to new monitoring tools and techniques. Security managers of the organizations studied said that they continually looked for new tools to test the security of their systems. They found current professional literature and involvement with professional organizations useful in learning about the latest monitoring tools and research efforts.


  © 2008 SafetyIssues.com, Inc. All Rights Reserved.