IT Security Readings
A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing

An Important Question
• Who in an organization is responsible for security?

The primary message
• Who in an organization is responsible for security?
• Good security in an organization starts at the top, not with firewalls, shielded cables or biometrics.
• Senior management has a much more significant role to play in achieving security than they may think.
E-commerce and virtual organizations
• Organizations have an internal value chain and must interact with external entities at either end of this chain.
• External entities may be other businesses, individual customers, or the government.
• Interactions must be protected from being compromised by unauthorized parties.

Security vs. Privacy
• What are the differences between privacy and security?
• Privacy deals with the degree of control that an entity, whether a person or organization, has over information about itself.
• Security deals with vulnerability to unauthorized access to content.
Root cause!
• Why won't Sr. Management engage in security?
• It is difficult to connect security-related expenditures to profitability.
• Increases in security will often increase costs and reduce efficiency.

What Should Sr. Management Know?
• Security is not a technical issue; it is a management issue.
• Total security is a myth.
• Not all information is of equal value.
  • It is not technically possible to protect all information assets.
• Stakeholders will be increasingly less tolerant of cyber-related vulnerabilities.
Threats
• Where do threats come from?
  • Disgruntled current or former employees
  • Hackers
  • Virus writers
  • Criminal groups
  • Those engaged in corporate espionage
  • Terrorists
  • Foreign intelligence services
  • Information warfare by foreign militaries and various other actors

Barriers to Security
• The worldwide diffusion of the Internet opens up new business opportunities (e.g., 3-R Framework).
• It also increases an organization's vulnerability, since so many more individuals of unknown origin and intent now have access to its systems.

Increasing Richness; Good or Bad?
• Active web content, such as Java applets, enhances interaction with customers and suppliers.
• This technical capability also allows programs created by external entities to run on an organization's machines.

Increasing Reach; Good or Bad?
• Organizations that have an extensive partnering network find it difficult to define the boundaries of their information systems.
• There is an inherent conflict between security and "open systems" architectures that facilitate EC interactions.
Clue IT In!
• Organizations commonly look for technical certification when hiring IT staff, but how often is any effort made to educate new security workers on the organization's strategic focus, or to communicate to them the criticality levels of its information assets?

Three Cornerstones
• Senior managers need to remember that security depends on the strength of the three cornerstones:
  • Critical infrastructures
  • Organization
  • Technology
• Security also requires an end-to-end view of business processes.

Critical Infrastructures
• Critical Infrastructure Protection
• Government-Industry Collaboration
• Management's Role in Critical Infrastructure Protection
  • To recognize that critical infrastructure protection is an essential component of corporate governance as well as organizational security

Organization
• Structure leads to locus of ownership of data and processes
• Business Environment: threats are based on…
  • Value of the firm's intellectual property
  • The degree of change the firm is facing
  • Its accessibility
  • Its industry position
• Culture
• SOPs
• Education, Training, and Awareness

Technology
• Firewalls and Intrusion Detection
• Password Layering
• Public Key Infrastructure
• Secure Servers
• VPNs
Ok, So What? Managerial Implications
• Asset Identification
• Risk Assessment
• The Control Environment
  • Physical
  • Data
  • Implementation
  • Operations
  • Administrative
• Application System Controls

Balancing Risks and Costs
• Step 1: Identify information assets at an appropriate level of aggregation
• Step 2: Identify the financial consequences of these information assets being compromised, damaged, or lost
• Step 3: Identify the costs of implementing the control mechanisms that are being proposed to enhance organizational security
• Step 4: Estimate overall risk based on the likelihood of compromise
• Step 5: Estimate the benefits expected by implementing the proposed security mechanisms
• Step 6: Compare the expected benefits obtained in Step 5 with the cost estimates obtained in Step 3
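The six steps above are a cost-benefit calculation that can be written down and rerun as estimates change. The following is an added example, not code from either reading: the asset names, controls, loss figures and likelihoods are all constructed, and the model treats a control's benefit as the expected annual loss it removes from each asset it covers.

```python
# Added example: a cost-benefit risk model following the six steps on the slide.
# Asset names, controls and all money/likelihood figures are constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    loss_if_compromised: float   # Step 2: financial consequence of a compromise
    annual_likelihood: float     # Step 4: estimated probability of compromise per year

@dataclass
class Control:
    name: str
    annual_cost: float           # Step 3: cost of implementing the control
    likelihood_reduction: dict = field(default_factory=dict)  # asset name -> fraction of likelihood removed

def expected_annual_loss(asset: Asset) -> float:
    """Single-asset risk: loss magnitude weighted by likelihood (Step 4)."""
    return asset.loss_if_compromised * asset.annual_likelihood

def baseline_risk(assets: list) -> float:
    """Overall risk across the asset inventory from Step 1 (Step 4)."""
    return round(sum(expected_annual_loss(a) for a in assets), 2)

def control_benefit(control: Control, assets: list) -> float:
    """Step 5: expected loss avoided = per-asset risk x fraction of likelihood removed."""
    return round(sum(expected_annual_loss(a) * control.likelihood_reduction.get(a.name, 0.0)
                     for a in assets), 2)

def evaluate_controls(controls: list, assets: list) -> list:
    """Step 6: compare each control's benefit with its cost; best net benefit first."""
    rows = []
    for c in controls:
        benefit = control_benefit(c, assets)
        net = round(benefit - c.annual_cost, 2)
        rows.append({"control": c.name, "benefit": benefit, "cost": c.annual_cost,
                     "net": net, "worth_funding": net > 0})
    return sorted(rows, key=lambda r: r["net"], reverse=True)

# Constructed inventory (Step 1) with made-up figures for Steps 2 to 4.
ASSETS = [
    Asset("customer database", loss_if_compromised=2_000_000, annual_likelihood=0.05),
    Asset("public web content", loss_if_compromised=50_000, annual_likelihood=0.30),
    Asset("internal wiki", loss_if_compromised=20_000, annual_likelihood=0.10),
]
CONTROLS = [
    Control("database encryption and access review", 40_000, {"customer database": 0.6}),
    Control("web content integrity monitoring", 25_000, {"public web content": 0.8}),
    Control("biometric door locks", 30_000, {"customer database": 0.05, "internal wiki": 0.2}),
]
```

With these figures only the database control pays for itself; the other two cost more than the loss they avert, which is exactly the comparison Step 6 asks for.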
Management Actions
• Corporate boards should ensure that senior managers buy into the process of risk assessment.
• Senior managers also need to ensure that technical and operational staff understand each other's requirements and are cooperatively engaged in the process.
• Establish an ongoing process of monitoring risk.
The Myth of Secure Computing
• When it comes to digital security, there's no such thing as an impenetrable defense. But you can mitigate risks by following sound operating practices.

What's a Manager to Do?
• Business managers should focus on the familiar task of managing risk.
• Their role should be to assess the business value of their information assets, determine the likelihood that they'll be compromised, and then tailor a set of risk-abatement processes to particular vulnerabilities.

What types of threats come from the outside?
• Network attacks
• Intrusions
• Malicious code

How do you protect assets? The Operational Approach
• Identify your company's digital assets, and decide how much protection each deserves
• Define the appropriate use of IT resources
• Control access to your systems
• Insist on secure software

The Operational Approach (continued)
• Know exactly what software is running
• Test and benchmark
• Rehearse your response
• Analyze the root causes

The Bottom Line…
• Managers need to sort through which risks are most likely to materialize and which could cause the most damage to the business, then spend their money where they think it will be most useful.
• When viewed through an operational lens, decisions about digital security are not much different from other cost-benefit decisions general managers must make.