Introduction


The position of the ISSO has evolved over the years. It began with physical security alone; after all, the ENIAC and its contemporaries were not connected to anything outside the room. A guard, a paper list of authorized personnel, an alarm, and the like were all that was needed in those early days. But as the computer evolved, so did the profession of the ISSO.

The security profession at that time was primarily made up of retired or former law enforcement or military personnel, who had no interest in computer security. They knew physical security, investigations, and personnel security. This new thing called a computer was best left to the computer scientists and engineers.

As systems evolved, so did the departments responsible for supporting them. Departments that were once engineering departments became, perhaps, information resource management departments and later came to be known as information technology (IT) departments. The protection of this new technology stayed with the IT people. However, the computer security positions within the IT departments also evolved.

As the microprocessor and its related technology developed, the once-separate telecommunications and computer staffs began to merge. Consequently, the computer security profession also began to consider the protection of information as it flowed over telecommunications links. As the Internet evolved, protecting information as it was displayed, for example on Web sites, also became an important task for those responsible for protecting the hardware, software, and firmware.

Information and related systems are among a business's most valuable assets, probably second only to its employees. In fact, although no one in management would ever rank information and systems above the employees, at least not publicly, people can be replaced, and replaced at less cost and with less adverse impact on the business, than trade secrets and information networks. That will probably remain an unspoken issue because of the sensitivity of appearing to value machines over humans.

When we think about it, though, information really is a business's number one asset. After all, employees can be terminated, even replaced by computers, and the business survives; in fact, profits may increase because of lower labor costs. Eliminate an intranet, however, and the business incurs additional costs and possibly losses.

Today, the ISSO position is generally still part of the IT department's function. The ISSO is now responsible for protecting information and the systems that store, process, transmit, and display it. The ISSO role has matured into a separate profession, and in most medium to large companies it is more than a part-time job or an additional duty. In smaller businesses it remains mostly a part-time job, or it is outsourced along with other security-related functions.

Information systems of various types, such as cellular phones, notebook computers, PDAs, and fax machines, are all used to process, store, transmit, and display information, and these devices are increasingly being integrated into a single device. Couple this with the hard copies being produced, and one finds that information may be protected on an intranet but leaked through a cellular phone, or printed on paper and carried out of the business's facilities.

CASE STUDY


Cellular phones are becoming smaller and smaller, and digital cameras are now being built into them. Since management wants its employees to have the latest high-technology devices that support the business as efficiently and effectively as possible, employees are issued cellular phones. A phone with an integrated digital camera lets employees send photographs as part of their business communications. It also gives an employee the opportunity to photograph sensitive documents, facilities, and the like and send them directly to unauthorized recipients. Thus, there is now another method of performing "Netspionage" (network-enabled espionage). As an ISSO, do you have policies and other controls in place to mitigate this new threat?


The ISSO position must evolve to be responsible not only for protecting the information and systems that belong to, or are the responsibility of, the IT department, but also for protecting all of the business's information assets. It is ridiculous to make the business security profession responsible for the security of company assets, including hard-copy documents, people, and facilities, while leaving the protection of automated information and systems essentially to IT people. These positions must be integrated to provide a holistic approach to asset protection. This may be accomplished as the ISSO evolves into more than a "computer protector" and the security manager into more than a physical security manager.

The ISSO position is evolving, but no real, permanent "home" has yet been identified for it. We do see signs of this changing as the evolution continues from guard, to computer scientist, engineer, IT specialist, and computer security specialist, to ISSO, with some indications of a further change to Corporate Information Assurance Officer (CIAO) or Corporate Information Security Officer (CISO). In some cases, the evolution of the profession has already made the ISSO responsible for physical security as well. This was the case with Howard Schmidt when he was at Microsoft. He started out as the Director of Information Security, was promoted to Chief Information Security Officer, and was then given the additional responsibilities of physical security, executive protection, and all investigations as Microsoft's Chief Security Officer.

Others, such as Bill Boni, are also helping to lead the way in changing the profession. Motorola's Corporate Information Security Officer (CISO), he is now the Vice President of Motorola's Information Protection Services. He is responsible for the company's overall program to protect critical digital proprietary information, intellectual property, and trade secrets, and he directs the people, processes, and technology programs that safeguard the company's global network, computer systems, and electronic business initiatives. Mr. Boni reports to Motorola's Chief Information Officer (CIO).

Still, the evolution must continue until the protection of all information and systems is integrated into a single business assets protection profession. This requires combining business (corporate) security, for example physical security and personnel security, with the ISSO responsibilities. It is the best way to safeguard all business assets in a holistic and cost-effective manner.




The Information Systems Security Officer's Guide: Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204