Security Challenges and Responsibilities


With constantly increasing technical complexity, legal barriers and privacy expectations, the challenges of information security have risen exponentially in the past five years. The enormous drive in the late 1990s to Web-enable internal applications and drive market share often relegated security processes to a second or third level priority. When combined with continuing computer industry disagreement about the degree of user and access security standards, many financial and customer-facing systems that should be highly protected continue to use six-character passwords.

Opportunistic computer crime is now just a click or two away for just about anyone who can (and often does) download free hacking tools from the Internet. Information security engineers are familiar with how these tools work, and well-designed and maintained networks can usually block their penetration through the first level of firewalls. However, networks that are incorrectly configured, do not have current patches applied, or are not maintained (remember that security is a process, not a single event) are often successfully attacked, with information getting illegally obtained or destroyed.

Challenges faced by information technology support organizations include:

  1. Knowing who should, and should not, have access to information, systems and networks. Accurate personnel records are sometimes not distributed quickly to the IT organization, or sometimes not kept at all, leading to a default access decision of welcome.

  2. Understanding the differences between a multitude of different, and sometimes conflicting, security technologies available from many unique suppliers.

  3. Waiting for comprehensive security standards agreed upon by all major software and network suppliers and the federal government.

  4. Maintaining a rapid-response engineering capability for viruses, worms, Trojan horses, denial-of-service (DoS) attacks, as well as continuing network and access probing from hackers and crackers trying to gain access to valuable information.

  5. Developing and maintaining accurate configuration management records concerning security software patch levels for critical and noncritical systems.

  6. Knowing where to apply software patches first so that they do the most good with the least disruption to users or production systems. For example, gateway systems to public networks are usually the first line of defense, and should have the most current software levels compared to a system dedicated to printing bar code labels on the factory floor.

  7. Providing the right level of access for employees and system users to do their jobs, without providing total access to all files and systems.

  8. Knowing whom to trust for information transfers from suppliers, partners and customers. All information is not equal: e-mail attachments can contain worms and viruses, images can contain embedded messages (encryption known as steganography), and executable files can contain trap doors and time bombs.

  9. Attracting and retaining qualified information security engineers through educational and personal challenges.

  10. Obtaining adequate budgets for equipment, personnel and service providers. Security is a cost of doing business, similar to keeping the lights on and telephones working.

Legal challenges continue to increase as attorneys begin to understand the technology components involved and the financial and operational impact of losing valuable information to unauthorized users. Technology developers, suppliers and service providers are increasingly being blamed for not designing secure software or systems, and not planning for all possible security scenarios. IT management is being challenged and blamed for not doing everything possible to employ the best defenses against unauthorized access or information loss. Users are being blamed for carelessly losing or sharing passwords, security access tokens, and user IDs, often against company or organization policy. Of course, hackers, when found and identified, are arrested and jailed.

As larger and larger value computer crimes occur, more and more blame is being distributed to IT executive and senior management, often with the connotation that they should have known this could have happened. Given the global trends concerning information and identity theft, it is clear that IT management should plan for worst case scenarios, although they may be infrequent in number.

However, IT executive and senior management must retain a vigilant posture concerning information security, as the impact of a successful attack or theft can be devastating to customers and the organization in terms of loss of customer trust, unreliable information and corrective action expenses.

Internet-related fraud accounted for more than 55% of more than 500,000 consumer complaints filed with the Federal Trade Commission in 2003, according to the agency, up 45% from 2002. The agency reports the median loss for victims of Internet-related fraud was $195. Identity theft was the most common complaint for the fourth consecutive year, representing 42% of all complaints in 2003 (FTC, 2004).

Unfortunately, the information technology executive team's responsibilities related to safeguarding corporate, citizen, and personal information continue to expand through legislation, market force expectations and court ordered restitution. For example, since 1996 Congress has passed several regulations including HIPAA, GLBA, 21 C.F.R. Part 11 (FDA drug manufacture), Sarbanes-Oxley and E-SIGN that specify how information must be protected from unauthorized users and purposes, and/or provide for transparency and verification of trusted information.

In 2003 the Do Not Call list went into effect, blocking telemarketing calls for most private businesses not having an existing customer relationship. Anti-telemarketing forces prevailed on Congress to overcome the last minute legal challenges to the law. Privacy advocates, such as the Electronic Frontier Association and the National Law Center, are actively monitoring identity theft events and responses by business to force innovative approaches to stop theft of private information and assist the victims of this crime. These privacy advocates and others are equally alarmed by the proposed use of the airline passenger screening program named CAPPS2, which profiles every passenger's identity using a combination of private and public databases. Government sources have stated that passenger information in the CAPPS database will be deleted a few days after a trip has been completed, but privacy advocates have not been provided details. Airline passengers have started to independently pursue litigation against the airlines' sharing of their personal data, but it is not clear what, if any, viable alternatives to this screening process air travelers have.

From the IT perspective, it is probable that businesses and government organizations will be asked to provide confidential business and customer information to be used for security screening purposes. It is probable that customers and partners will be very displeased with this situation, and will try to apply market force pressures (boycotting companies that provide the information, filing litigation, and providing incomplete information) to stop its proliferation and enforcement. Complying with these mandates will increase operational costs for IT organizations, and escalate the financial and legal exposure for noncompliance.

Courts have begun to order restitution in cases of egregious business error in personal privacy cases such as massive credit card theft from poorly protected business databases, medical records stolen from hospital files, and allowing obvious identity theft to continue after customer notification to the originating organization. IT executive and senior managers need to be aware of these legal challenges and expectations during strategic technology and investment planning so that changes can be incorporated into existing processes and systems with minimal cost instead of being added at the last minute at great expense.




Information Technology Security. Advice from Experts
ISBN: 1591402484
Year: 2004
Pages: 113