Threats Require Action

The attack scenario against the Canadian dam, mentioned earlier, may sound a bit far-fetched. Consider, however, a Washington Post report on June 27, 2002, that U.S. forces in Afghanistan had seized al Qaeda computers in January. One contained models of a dam and software that enabled the planners to simulate a catastrophic failure. U.S. investigators also have evidence that al Qaeda operators spent time on Web sites that have software and programming instructions for the digital switches that run power, water, transportation, and communication grids, as reported by the Post. Attacks on the American infrastructure are possible, and if successful will cause disaster for the nation. An attack launched against this type of vulnerability was reported in June 2001, when hackers coming through networks operated by the Chinese Telecom penetrated the defenses of a practice network for the California Independent Systems Operator (Cal-ISO), which controls the state's entire electric grid. Obviously, these threats are real.

Taking action may require an organization to take a fresh look at the policies, procedures, and controls it has in place to determine whether what it is doing today meets the guidelines being set by the industry.

For example, is the organization compliant with any of the following:

  1. ISO 17799

    First published in 1995, BS7799 became so widely accepted in many countries as a code of practice for information security that it developed into an international standard, ISO 17799.

  2. Gramm-Leach-Bliley Act (GLB)

    GLB is a federal law that requires financial institutions to protect individual financial information from loss or theft. GLB requires the federal agencies that regulate financial institutions (such as the OCC, the Board of Governors of the Federal Reserve System, the FDIC, and the OTS) to create legal standards for the protection of this financial information.

  3. Health Insurance Portability and Accountability Act (HIPAA)

    HIPAA protects the privacy of personal health information. Its regulations govern the security of health information that is transmitted or maintained in electronic form. Although these regulations are in draft form, they are likely to become final. Once they do, the entities they cover will have two to three years (depending on their size) to implement them.

Costa Corp had good intentions, but its executives, contending with constraints involving resources, timing, and other business initiatives, did not take the time to clarify the threats to their organization, learn how to reduce the risks, or take adequate measures to mitigate those risks. They delegated security, removing the officers, directors, and executives from the decision-making. As attorney Dan Langin mentioned earlier, under the "prudent man rule" officers and directors cannot fully delegate the responsibility for information security. It is not enough to say, "I have a department that takes care of security."

Threats are on the rise, and attacks have become more sophisticated. Taking action against known and unknown threats demands more than good intentions; it requires commitment, funding, action, and people who understand security to make the right decisions for the corporation.

Many executive bonuses are tied to business initiatives and corporate goals. Make sure your company includes security as one of its corporate goals. Understand what the industry standards for security are and how they map to your environment. Leverage business initiatives to include security from the beginning, and don't simply delegate security. We are at war, and the enemy is already on your network. Don't become a statistic, or wind up in some messy lawsuit, because your executive staff took inadequate measures, or no measures at all, to protect your corporation.



IT Security: Risking the Corporation
ISBN: 013101112X
Year: 2003
Pages: 73