Business Managers and InfoSec


Some ISSOs may want to talk "techie" to keep business managers in the dark about the "mysteries" of InfoSec. They think that it will make the ISSOs invaluable to the corporation and, therefore, always needed. That is illogical and also works against the ISSO. The more the managers and all employees understand about the concepts and philosophies of InfoSec, the more they will understand ISSO decisions—and also the more supportive they will be.

Corporate management's knowledge may also challenge an ISSO, causing him or her to rethink some decisions and the logic that led to them. That's good, except for those ISSOs who do not want to excel and accept such a challenge—in other words, the lazy and unprofessional people in ISSO positions. However, in the long run, such criticisms and recommendations are good for the corporation. Why? Because it means that management is actually looking at InfoSec and becoming, as they should, a part of the information and information systems protection team. As an ISSO, you should know that the more input you get and the more interested corporate management and employees are in InfoSec, the better your InfoSec program will become, and the better it will meet the needs of the corporation. It is true that you will probably spend more time in discussions with corporate management, but that is really a good thing. In the long run, your job, if you do it right, will actually be easier.

It should come as no surprise to company managers that they are responsible for the protection of company assets. In today's information-dependent and information-based companies, it should also come as no surprise that these assets include information. These are facts of business life today and are probably concurred in by 99.9% of the company managers that one could survey. I would say 100%, except that there are always some managers (many of us have met them in our careers) who just don't seem to get it. So, let's allot the 0.1% to those managers that just don't get it.

So, if most company managers agree with that premise, why do so many battle to negate information and information systems protection (InfoSec) rather than support it? Maybe they don't care for anything beyond their paychecks and bonuses. It seems today that there are many of those. It is ironic, but it seems in many companies around the world today that the truly company-loyal people are mostly the "regular employees" and not the managers. Employees are out there working hard and doing their best to help the company succeed. They have a loyalty—though somewhat less than in earlier years—to the company that it seems most of today's managers do not.

Today's managers either are so self-centered that they only care about their careers—you see, managers have "careers," while employees have "jobs"—or are ignorant as to their responsibilities. Let us assume ignorance is their problem. Perhaps they have been promoted into management but no one has ever explained their assets protection responsibilities. That may be because their boss did not know—it was not explained to him or her. Maybe it is because the managers try to avoid that responsibility by hiring someone to provide InfoSec. Thus the problem is delegated to someone else. Therefore, when things go wrong, it is not the company manager's fault; it is the fault of those hired to protect the assets.

Then what can be done about it? Whatever the reason, it is up to the company managers to know their responsibilities and the InfoSec professionals to politely remind them of those responsibilities. As the saying goes, "You can delegate authority but not abdicate your responsibilities."

If you are a company manager reading this, other than a security professional of some kind, congratulations! You are one of the few who are interested in InfoSec. May your career rise above the stars. For you others out there, it is assumed you have some responsibility for InfoSec or InfoSec-related tasks such as fraud prevention or other asset protection. If so, you should provide your company managers information that politely and professionally explains to them that they have some very basic and direct InfoSec responsibilities. Lay out those responsibilities to them as part of some awareness e-mail, on an internal company Web page or newsletter—whatever communication form works best in your environment.

The first thing that company managers should be made aware (or reminded) of is that they do have a responsibility for protecting company assets—and some of the most important of those assets are sensitive information and information systems within their organization.

Company managers should understand the basics of InfoSec. It is not rocket science. It is common sense. They should know that the purpose of InfoSec is to do the following:

  • Minimize the probability of a successful attack on the company's information;

  • Minimize the damage if an attack occurs; and

  • Provide a method to quickly recover in the event of a successful attack.

The three basic principles that are the foundation of InfoSec are:

  • Access control,

  • Individual accountability, and

  • Audit trails.

These are rather basic and should be easy enough for company managers not versed in InfoSec to understand. Once managers understand the InfoSec purpose and the three basic principles, the InfoSec professional must be able to explain the concepts in detail and how they apply to the individual company managers. Obviously, there is not sufficient space in this entire book to adequately cover that topic. Furthermore, I hope that, as an ISSO responsible for InfoSec within your company, you do understand these concepts and can easily explain them to company managers. If not—well, that is too scary a thought to contemplate.

What Company Managers Should Ask of Their InfoSec Professionals

Company managers should also be sufficiently knowledgeable to ask intelligent questions about InfoSec-related matters, and ideally the company ISSO can answer them. Some questions company managers should ask, and some possible answers that the InfoSec professional can give and then explain in more detail, include the following:

  • Question: How do you know you are actually under attack and not the victim of misconfigured systems? Answer: You may not know until it is too late; you may never know; you may know, but can't stop it.

  • Question: What are the warning signs of potential or actual attacks? Answer: There may not be any.

  • Question: Is it possible to know of pending attacks? Answer: Yes. No. Maybe—depending on conditions.

  • Question: What can you do to set up an "imminent" attack warning system? Answer: Base it on history; on the latest techniques identified in CERTs; on target visibility; on your defenses; on your countermeasures; on your use of technology; and on vendor products.

  • Question: What is the basis of deploying intrusion detection to assist in countering the attacks? Answer: What is normal activity? What is abnormal? One can compare activity against known attack methods and establish countermeasures; and one must have, as a minimum, an InfoSec policy, procedures, and awareness program.

  • Question: What must be considered when deploying the intrusion detection system and processes? Answer: Any available tools should be adapted to your unique environment. The intrusion detection process must always be secure, operating, and "fool-proof." It must detect all anomalies and misuse; must have audit-based systems for history; must have real-time monitoring and warnings; and must take immediate action based on each unique attack. Also, one must know what to do if attacked.

  • Question: Any other things to consider? Answer: Audit entry ports, especially to critical areas; prioritize processes, shut down others; isolate the problem; and establish alternate routing paths.
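As an added example that is not from the book, the following Python sketch ties the three principles listed earlier (access control, individual accountability, audit trails) to the "what is normal, what is abnormal" question raised in the intrusion-detection answers above: every access decision is attributed to a named individual and written to an audit trail, and the trail is then compared against a baseline denial count to flag users whose recent activity departs from it. The policy table, users, resources, timestamps, shared-account list and baseline figure are all constructed assumptions for illustration, not anything the book or any product defines.

```python
"""Added illustration (not from the book): access control, individual
accountability and an audit trail in one small gate, plus a baseline
comparison over that trail. Every identifier and record is constructed."""

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Access control: which role may reach which resource (constructed policy).
POLICY: Dict[str, Set[str]] = {
    "payroll": {"finance", "hr"},
    "source_code": {"engineering"},
    "public_site": {"finance", "hr", "engineering", "contractor"},
}

# Individual accountability: identities that cannot be tied to one person
# are refused outright (constructed list).
SHARED_ACCOUNTS: Set[str] = {"admin", "root", "service"}


@dataclass
class AuditEvent:
    ts: datetime
    user: str       # a named individual, so each decision is attributable
    role: str
    resource: str
    allowed: bool


@dataclass
class AuditTrail:
    events: List[AuditEvent] = field(default_factory=list)

    def record(self, ev: AuditEvent) -> None:
        self.events.append(ev)


def request_access(trail: AuditTrail, ts: datetime, user: str,
                   role: str, resource: str) -> bool:
    """Access control decision; every decision, allowed or denied, is logged."""
    if user in SHARED_ACCOUNTS:
        trail.record(AuditEvent(ts, user, role, resource, False))
        return False
    allowed = role in POLICY.get(resource, set())
    trail.record(AuditEvent(ts, user, role, resource, allowed))
    return allowed


def denials_per_user(trail: AuditTrail, window: timedelta,
                     now: datetime) -> Counter:
    """Count denied requests per user inside the recent window."""
    cutoff = now - window
    return Counter(e.user for e in trail.events
                   if not e.allowed and e.ts >= cutoff)


def flag_abnormal(trail: AuditTrail, baseline_denials: int,
                  window: timedelta, now: datetime) -> List[str]:
    """Normal vs abnormal: users whose recent denials exceed the baseline."""
    counts = denials_per_user(trail, window, now)
    return sorted(u for u, n in counts.items() if n > baseline_denials)


def run_demo() -> Tuple[AuditTrail, List[str]]:
    """Constructed day of activity: two normal users, one probing contractor,
    one attempt through a shared account. Returns the trail and flagged users."""
    trail = AuditTrail()
    t0 = datetime(2024, 1, 1, 9, 0, 0)   # constructed timestamps
    request_access(trail, t0, "alice", "finance", "payroll")
    request_access(trail, t0 + timedelta(minutes=1), "bob", "engineering", "source_code")
    # One stray denial for bob: within the baseline, so not abnormal.
    request_access(trail, t0 + timedelta(minutes=2), "bob", "engineering", "payroll")
    # carol (contractor) repeatedly hits resources her role cannot reach.
    for i in range(4):
        resource = "payroll" if i % 2 else "source_code"
        request_access(trail, t0 + timedelta(minutes=5 + i), "carol", "contractor", resource)
    # A shared account is refused regardless of role, and the refusal is logged.
    request_access(trail, t0 + timedelta(minutes=10), "admin", "engineering", "source_code")
    now = t0 + timedelta(minutes=15)
    flagged = flag_abnormal(trail, baseline_denials=1,
                            window=timedelta(hours=1), now=now)
    return trail, flagged


if __name__ == "__main__":
    trail, flagged = run_demo()
    for e in trail.events:
        print(e.ts.isoformat(), e.user, e.role, e.resource,
              "ALLOW" if e.allowed else "DENY")
    print("abnormal users:", flagged)
```

The baseline figure stands in for the "history" the book says a warning system should be based on; in practice it would be derived from the trail itself over a longer period rather than hard-coded.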

What InfoSec Professionals Should Do

If the company managers are able to ask such questions and understand the answers and the details provided, the InfoSec professional has gone a long way to help protect their information and systems from attacks and external fraud. The ISSO has also gone a long way in gaining some basic, active support from company managers.

As part of the above, to be successful, the InfoSec professional should do at least the following:

  • Collect information on attacks from all available sources;

  • Develop and maintain a threat toolkit containing strategies, tactics, tools, and methodologies used to attack systems;

  • Continuously maintain a current toolkit and methodologies that can threaten systems through attack methods;

  • Model the capabilities of the potential intruders against real-time attacks;

  • Collect information related to the corporation's information systems' vulnerabilities;

  • Establish systems simulating intruder attacks using threat tools in a simulation and testing environment; and

  • Establish defenses accordingly.


The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204