Andy Jones


The role of the Information Systems Security Officer (ISSO) has never been of greater importance than in the environment in which we presently find ourselves and which we anticipate for the future.

As organizations and companies continue to become more dependent on information systems and connect to an ever wider group of partners that we have to rely on and "trust," the probability that they will encounter problems increases on an almost daily basis. In addition to this increasing reliance on systems that are increasingly interconnected, it is now an unfortunate reality that those people who would seek to do us harm increasingly have the knowledge and capability to do so.

For a number of years, the governments of a number of countries have been aware that there are some industries and systems that are essential to the well-being and maintenance of normal life within a country. These may include power production, telecommunications, water supply, food distribution, banking and the financial sector, and a whole range of other industries, and have, together, been tagged the Critical National Infrastructure (CNI). It is unfortunate for the ISSOs of these industries that in addition to all of the other risks that they must deal with, they now have to be concerned that they will be a target of attack by terrorists and others who wish to affect not their organization, but the government. This makes life a whole lot more difficult in a number of ways.

Some organizations are starting to better appreciate the implications of these developments and are recognizing that the role of the ISSO is not only increasingly important, but also increasingly difficult. Unfortunately, others have not taken the situation on board for the often repeated, endless set of reasons that have caused them to ignore it in the past. These include the lack of understanding of the underlying problems, a lack of skill to address them, insufficient resources, the "it won't happen to me" attitude, a lack of education and training, and a lack of direction from government.

The last of these has changed significantly in the recent past, and there is now a will by the governments of most developed countries to improve the security of information systems. This is particularly true of the United States, and huge investment has been made in "Homeland defense," with an apparently genuine drive by government to make information-dependent countries a safe place to live and trade.

One of the major problems that an organization faces in recognizing the need for an ISSO is based on the undeniable truth that in most cases, security is a costly drain on resources, in both financial and staff terms, that delivers no tangible return on the investment. If you are a member of the board of a company and have to make the choice between investing in a new plant that will reduce production costs and improve profitability, and investing in information security, which is likely to get your vote? This is often the decision that must be made, especially when the argument for "spend on information security" is based largely on the intangible and the unprovable. How do you prove that you are likely to be attacked or have security problems, when the evidence from past experience is that it has not been a problem before? How does the person presenting the argument for the information security investment convince a group of people who have probably never suffered the consequences of an information security breach that this is good value for money? If the members of the corporate board have been involved in a previous breach of information security, the investment argument will be received in a very different manner and by people who understand the value of it.

What is different about an ISSO from other types of security officers? Well, the short answer is that the ISSO is a hybrid that did not need to exist in the past. Security officers have traditionally gained their experience in the military or in government or public service (police or three-letter agencies) and they can tell you all about protecting tangible "things," whether they are objects or people. They are normally very good at it and the methods, tools, and techniques that they use have all been tested and refined over a long period of time.

Because the security of information systems cannot and must not be treated in isolation, the ISSO needs to have all of this knowledge and then, in addition, needs to be able to understand information systems and computers and the implications of their use. In this area, there is no collective pool of knowledge that has been gained over centuries by a large group of people. Information systems are, in historical terms, very young, and their maturity has taken them through so many evolutions in such a short time that there are very few computer professionals, let alone security specialists, who are able to keep pace with the changes and the diversity that have occurred. So the ISSO needs to have a wealth of knowledge and experience in security and in information technologies and has to be able to develop, implement, and manage policies that will protect the information resources of the organization in a dynamic environment.

A complication now arises. Whereas people will complain about physical security, subvert it if it becomes too inconvenient, and grumble about the delays that the checking of passes and locked doors causes, when you apply security to the information environment a whole new set of problems is exposed.

The users of information systems have been exposed to and suffered from years of badly conceived and implemented information security that has caused inconvenience and prevented them from getting on with their job. It is a sad comment that, in the field of information security, the user of the system has often had more knowledge of the information technology than has the "security expert."

The bright side of the situation is that things are improving—the "information security experts" within organizations are gaining experience and the technologies that can help them to provide coherent security for systems are becoming available. The whole issue of threat and risk assessment is gaining credibility as methods are developed that give traceable routes to support the decisions that are made.

In the global context, while things proceed at a very slow pace, there are at least discussions on ways to harmonize the laws in different countries and groups of countries and the exchange of information between those who need it in order to maintain security.

It is easy for information security officers to become very insular and to look at the problems that they are facing in terms of only their organization—after all, these are busy, overworked people who are struggling just to keep pace with events and developments. This is a huge mistake and can only lead to disaster in the long term. We can no longer, for the most part, "conduct our business in isolation." The organizations that we work in have an ever-increasing need to communicate and to interconnect with other systems and organizations and in doing so, we have to be aware of the problems that such connections expose us to.

Learning from the best practice that has been developed in other organizations provides two benefits: The first is that it allows the knowledge of many to be applied to the problem of one; and the second is that it is one step down the line toward common standards and practices, which engenders confidence in others that the security that is being applied to your systems is of an acceptable standard (they can understand what you have done to make your systems secure and why you have done it!).

When the larger picture is examined, the responsibility that is placed on an information security officer is immense. The ISSO has a responsibility and a duty to the organization that the ISSO works for, but also has responsibility to partner organizations and others that may rely on the product of the organization. An example of this might be a power company, where the effect of a security breach might be the loss of availability of their systems. Unfortunately, the power supply company is networked to a number of other power suppliers to facilitate the balancing of power production to meet the customer needs. If one is affected, it may prove to be the weak link in the chain and allow the attacker to gain access to other power suppliers. There is also the issue of the customers—what impact will the loss of power supply have on their businesses? In turn, will it have an effect on their customers?

From the ISSO's point of view, life can only get worse. In some countries, laws are being introduced that place a legal obligation on organizations and their employees to take what is referred to as "reasonable" (or in some cases "appropriate") care of information that they have in their possession and also to take "effective measures" to protect the business, sometimes referred to as "due diligence."

How can ISSOs cope with doing the job of developing, implementing, and managing the security of the information while at the same time making sure that they understand the current risks and threats to their organization and the current technologies and techniques and the laws and best practice and standards? Well, no one ever said it would be easy. . . .

Gone forever are the good old days when we could operate with an island mentality and rely on the perimeter security of our organization to provide the first and main line of defense. The security perimeter is now almost meaningless with regard to our information, although it still has some benefits for the protection of physical assets. Now the routes into our organization are as much about the wires and fibers as they are about the roads and sidewalks. We can monitor physical access to our environment with a variety of technologies (CCTV, access control, pass entry systems) and we can also, fairly effectively, monitor what our staff is doing on our information systems (as long as we have the monitoring systems turned on and are watching them). We can put our security barriers up on the information systems (firewalls), but unless we deploy methods and tools to allow us to see what activity is taking place in our environment, through systems such as intruder detection systems, we cannot see what is happening in the area around our "virtual office." The nearest equivalent would be having the external doors locked, but not having any windows or cameras to let you see what is happening on the sidewalk outside the door (a potentially dangerous situation for when the door is opened, given that our door on an information system opens onto a sidewalk anywhere in the world).

It is also reasonable to suppose that, after the World Trade Center attacks, there is increased consciousness of the impact that a terrorist attack can have. It is a sad fact that in addition to the lives that were lost as a result of the outrage, a number of organizations that could and should have survived the incident did not, as they could not reinstate their business within the necessary period of time. Who was responsible for their demise? You could argue that it was the terrorists, but the reality is that it was actually their own lack of foresight and resilience and in some cases, just plain bad luck. If the organizations had all carried out risk assessments for their businesses in the environment in which they were operating, more would have taken steps to ensure that they had taken action on very old advice—have backups and store them in a safe place in another location, have contingency plans and practice them. As the ISSO, part of this is your responsibility—how are you going to ensure that your information is stored securely elsewhere and that you can recover it when you need to?

The life of an ISSO can never be an easy one—you are the voice of doom and authority within an organization that says "No" to users who want to do things that to their mind are quite reasonable. You are the one who acts as their conscience and highlights or investigates their sins, and you are the bearer of bad tidings to the board (you need more investment to keep the systems secure, or you have just had a security incident and are reporting the damage). You are the one who is responsible for the security of the "crown jewels" of the company. So why would you want to take on this role? Well, the answer is that it is one of the most satisfying and rewarding roles that you can imagine. It should never be boring, and there will usually not be the same problems to tax your intellect twice. It also allows you to use and develop skills in an area where you can make a difference and to contribute to a struggle that is becoming increasingly fast-moving and ruthless. It can be a hugely satisfying role, for those who can survive the apprenticeship and can accept the responsibility while maintaining a balanced view of the world.

The Information Systems Security Officer's Guide. Establishing and Managing an Information Protection Program
ISBN: 0750698969
Year: 2002
Pages: 204