Conclusions


Despite rapid advances in technology, innovative policy and procedural approaches, and an ever-increasing emphasis on education, training and awareness, information assurance is not becoming any easier to do well. What is needed is a new conceptual approach that considers requirements for information assurance in greater specificity, is inclusive of all possible means of defense, and recognizes that it is information, rather than systems, that supports an organization's business processes.

This third generation McCumber model, with the addition of enterprise architecture, is largely conceptual, but can form the basis of an analytical and engineering approach to matching requirements and countermeasures with information. This approach merges the disciplines of information assurance and management as never before, and provides a framework that can be continuously evolved.

As technology, business processes, and the threats to them continue to change, security must not just attempt to keep pace, but must seek opportunities to move out in front and stay ahead. "Build it in, don't add it on later" has been the mantra of security specialists for years. But good building does not start with all the tradesmen gathering at the construction site. A good building starts with a plan. The plan is architecture. And that is where security should also start.

Employee Monitoring and Privacy

In most cases, commercial and government organizations are able to monitor employee usage of company-owned or company-provided equipment and networks. A formal policy document distributed to employees, stating which uses of the equipment the organization permits (or does not permit), together with a statement that the employee should not expect any privacy in their use of the system, is often all that is needed to enforce the policy.

But where should the line be drawn for acceptable personal use? Excluding the obvious list of gambling, pornography, illegal pharmaceutical and on-line commerce sites, what is reasonable? During winter months, does it make sense to permit employees to check the weather.com Web site to determine how powerful an imminent storm is? What about allowing parents to visit a daycare Web site that has Webcams installed to check on their children? What about checking CNN.com for news when a major disaster or accident strikes close to home that could harm their families or themselves during the commute home?

A management decision that applies common sense to what is and is not acceptable would seem to be the best approach to take, as it is impossible to specify every possible situation that could occur. What is important, from both the employee and employer perspectives, is that a written policy containing the guidelines be sent to all employees so that they are aware of it. As technology continues to make progress, and new and clever products and services become available, will there be exceptions for management to consider? Of course: right now, instant messaging (IM) devices and camera-enabled phones are two new areas of concern for information security and privacy. Policies should be developed (or expanded) for both of these technologies to reflect management's expectations of their use (or non-use) in the workplace.

Many organizations that employ customer service agents monitor and record telephone calls and e-mails to ensure consistent customer service and delivery quality. Employees working in these positions should be made aware of corporate policies and standards on the recording of their conversations and messages, both through repeated notices and from their supervisors. From an information security perspective, giving customers too much information may be just as damaging as giving them too little; for example, in the case of medical insurance claim processing or routine medical laboratory results.

In some cases, such as in the financial securities markets and with police and military agencies, it may make sense to create and maintain a security audit logfile for every transaction that occurs when a user logs in, accesses information, or sends files out of the system. Obviously, such a tracking capability is very expensive to build and support, but should a security breach occur, it does provide information useful in understanding what happened, when and by whom. All of these details are critical in making a determination about the severity of the security breach, collateral damage, and what must be done to limit further impact to the organization, its people, its customers and its shareholders.

Administrative Security Policies

Administrative security policies apply to system administration activities such as entering user names and assigning security privileges. These functions are typically performed by a small team of highly trusted and experienced system or security engineers who have been given access to the superuser or sys admin passwords and accounts. In almost all situations they follow detailed processes and policies to add people, remove people and change their approved access levels. These processes provide consistency and auditability to both the administrator and the user in case of technical errors or security breaches.

From an IT management perspective, there are two critical elements of control: (a) having trusted administrators who possess significant technical expertise, and (b) developing and maintaining comprehensive administrative security policies that align with the needs of the business. Many organizations focus on the first element, and assume that the second element will be taken care of by the system administrator. In some cases this does occur, but in many cases system administrators do not have the training to write a security policy that aligns with, and stays current with, the organization's business objectives.

Given that the majority of security problems are internal to the organization, it is incumbent upon management to review system administration policies and procedures at least once a year to ensure that the required security levels are being followed. Obtaining a third-party audit and certification of the processes is also a prudent approach. Specific items to note in administrative security policies include:

  • Defining multiple approval levels for adding new people to the system (this prevents a single point of failure)

  • Frequently reviewing security access levels and privileges to provide higher or lower levels of user access

  • Rotating staff members who hold security-granting permissions into new and different assignments every few months, to reduce the opportunity for a long-term security breach carried out with little fear of being caught

  • Having a formal process for tracking and filing paper documents that detail when a user was added to the system and when changes occurred to their access level

  • Having a security audit function to review paperwork and process compliance

  • Avoiding known conflicts of interest between security admins and users, such as a husband approving his wife for high-level access. Have a neutral third party perform the system administration work where a known conflict of interest exists

  • Ensuring that system security admins have current training on all aspects of the specific technology they are responsible for supporting, in addition to the organization's policies and procedures

  • Linking security policies to business policies: protecting the business from internal and external attacks while maximizing customer and supplier access to the information they need to purchase products and services or replenish inventories
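The following is an added illustration, not code from the book, of how several of the items above (multiple approval levels, conflict-of-interest avoidance, and a record of when a user's access was added or changed) and the per-transaction audit trail discussed under employee monitoring can be enforced in an access-provisioning workflow. The `CONFLICTS` table, the people named and the access levels are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed: pairs of people declared to have a conflict of interest (for example
# spouses). A real system would load this from HR data. Constructed sample data.
CONFLICTS = {frozenset({"alice", "carol"})}


def _conflict(a: str, b: str) -> bool:
    return frozenset({a, b}) in CONFLICTS


@dataclass
class AccessRequest:
    """One request to set a user's access level, with dual approval and an audit trail."""
    subject: str            # user whose access is being changed
    level: str              # requested access level
    requester: str          # admin who entered the request
    approvals: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def __post_init__(self):
        self._log(self.requester, "requested")

    def _log(self, actor: str, action: str) -> None:
        # Every decision is recorded: what happened, when, and by whom.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "actor": actor, "action": action,
                           "subject": self.subject, "level": self.level})

    def approve(self, approver: str) -> bool:
        """Accept an approval only from someone independent of the requester,
        the subject, earlier approvers and any declared conflict of interest."""
        if approver in (self.requester, self.subject) or approver in self.approvals:
            self._log(approver, "rejected: not independent")
            return False
        if _conflict(approver, self.subject) or _conflict(approver, self.requester):
            self._log(approver, "rejected: conflict of interest")
            return False
        self.approvals.append(approver)
        self._log(approver, "approved")
        return True

    def granted(self) -> bool:
        # Two independent approvals are required before the change takes effect.
        return len(self.approvals) >= 2


def actions(req: AccessRequest) -> list:
    """Return the (actor, action) sequence for an audit review."""
    return [(e["actor"], e["action"]) for e in req.audit]
```

The rejected attempts are logged alongside the successful ones, so an auditor reviewing the trail sees who tried to approve what, not only the final state.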




Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113
