5.2. Overall Planning and Administration
System administrators once may have found themselves in the uncomfortable position of being the security advocates within their organizationshaving to sell security both to users (who may question why they need to use features they may find cumbersome) and to upper management (who may question why it all costs so much money).
It is a different environment today. In the wake of 9/11, several industries found themselves regarded as part of their nations' critical infrastructure. While it is nice to be wanted, this carries with it the responsibility of confidentially and availability that meets someone else's imposed standards, rather than what internal leadership considered previously to be good enough to get by. In addition, many recent corporate accounting scandals appear to have defrauded millions of people and have led to an increased accountability regarding the creation and maintenance of financial data. Finally, and somewhat belatedly, privacy has been raised as an issue, likely because of fear of identity theft, and in some cases of fear of discrimination based on personal or health data. This too has lead to a raft of new statutes. These regulations go by titles such as PDD-63, HIPAA, GLBA, the Patriot Act, the Sarbanes-Oxley Act, and others. Many of them carry fines, some of them per incident, for security infractions.
In addition, it has been determined that the storage or transmission of certain materials, such as pornography, obscene materials, or materials designed to incite racial hatred or discrimination based on gender, may produce a threatening environment for employees subjected to them. This may be considered a form of job discrimination, and federal and state law enforcement agencies can investigate. Even if no discrimination is proved by the authorities, the party who feels aggrieved may choose to pursue legal action on his own after the official investigation.
Finally, there is the issue of copyrighted material. If software or MP3 music files are downloaded or distributed using company property, it may subject the company to legal action.
With the increasing liability surrounding their computers and networks, management is now much more interested in security. Unfortunately, moving towards a more secure network is often handled on a piecemeal, sporadic basis. A much more regulated approach is usually indicated.
5.2.1. Analyzing Costs and Risks
Computer security is a tradeoff. When you're considering building, buying, or even using a security product, you have to balance the cost of the product against the risk of doing without it. Most organizations formalize this process and call it a risk analysis. Risk analysis is a procedure used to estimate potential losses that may result from system vulnerabilities and to quantify the damage that may result if certain threats occur. The ultimate goal of risk analysis is to select cost-effective safeguards that reduce risks to an acceptable level. Basically, risk analysis is a way to figure out how important your system is, and how far you're willing to goin terms of equipment, people, and budgetto protect it.
Standard risk analysis involves looking at your tangible assetsfor example, your buildings, computers, and other equipmentand determining how to protect them. Because your organization's most valuable asset may be the information processed by your computers, not the computers themselves, you need to take a good look at how best to protect that information as well.
When you're evaluating your organization's information asset and considering whether and how to protect it, you'll have a number of important questions to ask.
188.8.131.52. What information do you have, and how important is it?
There are many different types of information: national defense information describing military resources and deployment; corporate records showing projected profits, losses, and strategies; personnel records describing health, financial, academic, and employment history. You'll need to assess how important that information is to your own organization. Information of inestimable value to one organization may have little or no value to another organization.
However, holding information is a two-edged sword. Legal safeguards today make it an expensive offense to release information in your possession. The Health Insurance and Portability and Accountability Act protects patient records, the Gramm-Leach-Bliley Act of 1999, protects customer records in the financial industry, and its January 2003 extensions apply to all data in the financial industry. Other specific legislation may apply to other areas, such as the Family Educational Rights and Privacy Act, which applies to educational records.
184.108.40.206. How vulnerable is the information?
Some information may be very important to you, but may be of little interest to anyone else. The novel you're writing on your PC may fall into this category. In this case, simple backups may suffice (and hard disk encryption if you write controversial material). Other information may be of great interest, but may be so inaccessible that additional security controls aren't really justified. (Classified military information that's stored on a heavily guarded computer with one authorized user and no network connections may fall into this category.)
Everyone needs to worry about physical threats (e.g., fire and power loss) and accidents caused by careless or untrained employees. Beyond these obvious perils, you'll need to evaluate whether realistic attempts are being made, or could be made, to break into your system, and to assess how likely it is that a break-in will occur in the future. If you're responsible for national defense information, you'll have to worry about foreign intelligence. If you're protecting your business's data, you'll be concerned about your competitors, crackers, and insider threats. Remember, too, that threats to information tend to grow as people learn about your system's vulnerabilities, and as methods of exploiting those vulnerabilities get cheaper and easier.
220.127.116.11. What is the cost of losing or compromising the information?
There are many different costs and consequences for failure to secure computers and networks effectively. If we're talking about the loss of vital national defense information, the cost of information loss or leakage might be cataclysmic. If a medical experiment is disrupted, or if patient records are lost or compromised, people might die. If the security of an ATM is breached, a bank might lose a lot of moneyand, when the news hits the press, the bank might also suffer a loss of confidence by customers and possibly lawsuits by shareholders.
What about corporate strategy information? Personal health or financial information? Loss or compromise of each has its own risks, costs, and consequences, both tangible and intangible, ranging from the loss of competitive advantage to the risk of losing government benefits to personal embarrassment. Again, legislative action has increased the stakes to system operators, often making data safety the responsibility of the computer system owner. Any lapses in security may be reportable. The California Data Security Act (California SB 1386), for instance, requires disclosure of computer-security breaches in which confidential information of any California resident may have been compromised.
18.104.22.168. What is the cost of protecting the information?
There are certain basic costs that you must incur. You must back up your data. No matter what security violation occursa natural disaster, a user mistake, or a break-inhaving a recent backup of your data will allow you to go on.
There are many different types of additional costs. Will you need to buy new equipment? Will the use of a security product slow down response time and performance in a system that must provide quick customer service? Will security controls detract from the user-friendliness of a system that you're marketing as easy to use?
Here, too, you'll have to consider the different types of costs within your own organization and to assess the impact of security costs in relation to expected security benefits. One rule of thumb is that the cost of securing information shouldn't exceed the financial and administrative cost of recovering that informationalthough certain types of information, such as national defense information, can't necessarily be quantified in this way. It's also hard to quantify the damage done by publicity and the loss of public confidence. Dennis Steinauer of the National Institute of Standards and Technology put it this way, "Controls that are more expensive than the value of the information they protect are not cost-effective. Absolute security is achieved only at unlimited cost."
Based on the answers to these questions, you'll need to make a determination, balancing your assessment of the value of your information asset against the risks of losing it and the financial and human costs of protecting that information. Then you'll need to decide what your priorities are, and what types of securityphysical, operating system, communications lines, encryption, biometric devices, and so onbest fit your information, your risks, and your budget. Finally, you'll need to make an educated guess about what to protect and how.
22.214.171.124. Who are you going to call?
One issue that requires considerable attention in advance is to whom to report computer incursions. A computer attacker may be wading through your dumpster right now, trying to find old employee directories, in which case the local police or sheriff would be a good start. However, electronic breaking and entry is not always simple to prosecute. The attacker may be in your city or across the globe. Local agencies may not have the expertise or jurisdiction to help you much. A good rule of thumb is to start with higher authorities first. Federal investigators can always refer you to state agencies in your area.
A "don't cry wolf" policy may be a good thing to apply. If a break-in you experienced has definitely resulted in the release of confidential records, you might want to take steps to preserve any evidence and call the authorities. If you suspect some script kiddie is probing your resources after school is out, you may want to tighten your firewall and hope she just goes away. If your network is violated, some of the new disclosure laws may limit your ability to keep it secret. Review with counsel your rights and obligations before any incursions occur. Then put the steps for your plan into the security policy, and distribute it to all personnel likely to be affected.
Of course, there is an obvious reason to state the course of action to be taken in advance in writing. It helps preclude an executive from committing a crime and then ordering the staff to avoid documenting or investigating it. For further information, see Chapter 25 of Practical Unix and Internet Security (Garfinkel et al., O'Reilly).
5.2.2. Planning for Disaster
One of the most important things you can do to protect your organization from disaster is to plan for that disaster. A disaster recovery plan is a plan for keeping your computer equipment and information available in case of an emergency. Disaster planning may spell the difference between a problem and a (possibly business-threatening) catastrophe.
Your organization's disaster recovery plan will involve such activities as backing up data for storage at remote secure facilities and arranging for the use of other computer facilities or equipment in case of an emergency. Such arrangements may be informal (for example, you might make a reciprocal agreement with another department or organization to use each others' equipment if a disaster occurs), or they may be formal (for example, you might prepare a separate emergency site or contract with an organization that handles disaster preparedness).
Emergency sites are usually characterized as cold, warm, or hot. Cold sites are emergency facilities containing air conditioning and cabling, but no computers. You can hustle up some servers and desktops, move other replacement equipment into this site, and continue processing. Hot sites are emergency facilities containing computers, backup datathe works! Warm sites, a hybrid, are sites in which computers and equipment are preinstalled, but not programs or backup data With increasing awareness of the frailty of the interconnected power grid, more companies are incorporating an additional requirement into their back up sitesgeographic distance. It is no good having the backup site and the main site both fail due to the same calamity.
In addition to protecting your organization's equipment and information, a disaster recovery plan may greatly increase public confidenceas well as the confidence of your employees and managersin your ability to safeguard data and continue to provide service.
Remember that backups are the key to disaster planning. If a disaster occurs and you've backed up your system, you'll be able to recover eventually. See the discussion in the section "Performing Backups" later in this chapter.
Chapter 9 discusses some of the natural disasters that face your organization and describes what you can do to reduce your risks.
5.2.3. Setting Security Rules for Employees
Some aspects of security are simply good management. Be sensible about who you hire, what computer resources you let them use, and what you do when they leave your organization. See the sidebar "Hints for Employee Security Management" for the most basic rules.
5.2.4. Training Users
No matter how diligent and careful a system administrator you are, you can't underestimate the ability of your users to undermine your efforts. In polite language, this is called "the human factor," and it has grown exponentially since the PC became commonplace. The users in your organization have to take some responsibility for security. Teach your users how to use the hardware and software, be sure they understand your organization's security policy, and impress upon them the importance of observing good security practices. (See the sidebar "Hints for Safe Computing" for some very basic guidelines for individual user security.) Most important, be sure they know how to recognize security problems and what to do if they occur. Remember, improperly trained users are more of a peril to system security than attackers.