1.1 Information Security
Consider the following scenario. A former network administrator at a manufacturing plant thought he had destroyed not only his former employer's manufacturing capabilities but also the evidence that would link him to the crime. The trusted, 11-year employee built and maintained the network at the company. When he fell from corporate grace and knew he was to be fired for performance and behavioral problems, he built a software time bomb to destroy the system.
Three weeks after the network administrator was fired, a plant worker started the day by logging on to the central file server. Instead of booting up, a message came on the screen saying an area of the operating system was being fixed. Then the server crashed, and in an instant, all of the plant's 1,000 tooling and manufacturing programs were gone. The server wouldn't come back up. The plant manager ordered that the manufacturing machines be kept running with the previous set of programs. It didn't matter if the orders already had been filled. He had to keep the machines running.
Then the plant manager went to get his salvation—the backup tape, kept in a filing cabinet in the human resources department. But the tapes were gone. He then turned to the workstations connected to the file server. The programs, at least a good chunk of them, should have been stored locally on the individual workstations. But the programs weren't there.
The fired network administrator, the only employee responsible for maintaining, securing, and backing up the file server, hadn't yet been replaced. In the days that followed the crash, the company called in three different people to attempt data recovery. Five days after the crash, the plant manager started shifting workers around the department and shutting down machines that were running out of raw materials or creating excess inventory. He took steps to hire a fleet of programmers to start rebuilding some of the 1,000 lost programs.
The company's chief financial officer testified that the software bomb destroyed all the programs and code generators that allowed the company to manufacture 25,000 different products and customize those basic products into as many as 500,000 different designs. The company lost its twin advantages of being able to modify products easily and produce them inexpensively. It lost more than $10 million, forfeited its position in the industry, and eventually had to lay off 80 employees.
What Is Information Security?
Information security is more than setting up a firewall, applying patches to fix newly discovered vulnerabilities in your system software, or locking the cabinet with your backup tapes. Information security is determining what needs to be protected and why, what it needs to be protected from, and how to protect it for as long as it exists.
The burning question, of course, is how to assure your organization an adequate level of security over time. There are many answers to this challenging question, just as there are many approaches to managing an organization's security. Unfortunately, there is no silver bullet, no single solution that will solve all of your problems. There are four common approaches:
Following is a brief description of each of the above approaches.
A vulnerability assessment is a systematic, point-in-time examination of an organization's technology base, policies, and procedures. It includes a complete analysis of the security of an internal computing environment and its vulnerability to internal and external attack. These technology-driven assessments generally
Information Systems Audit
Information systems audits are independent appraisals of a company's internal controls to assure management, regulatory authorities, and company shareholders that information is accurate and valid. Audits will typically leverage industry-specific process models, benchmarks, standards of due care, or established best practices. They look at both financial and operational performance. An audit may also be based on proprietary business process risk control and analysis methods and tools. Audits are generally performed by licensed or certified auditors and have legal implications and liabilities. During an audit, the business records of a company are reviewed for accuracy and integrity.
Information Security Risk Evaluation
Security risk evaluations expand upon the vulnerability assessment to look at the security-related risks within a company, including internal and external sources of risk as well as electronic-based and people-based risks. These multifaceted evaluations attempt to align the risk evaluation with business drivers or goals and usually focus on the following four aspects of security:
Managed Service Providers
Managed security services providers rely on human expertise to manage a company's systems and networks. They use their own or another vendor's security software and devices to protect your infrastructure. Usually, a managed security service will proactively monitor and protect an organization's computing infrastructures from attacks and misuse. The solutions tend to be customized for each client's unique business requirements and to use proprietary technology. They can either actively respond to intrusions or notify you after they occur. Some employ automated, computer-based learning and analysis, promising decreased response time and increased accuracy.
Vulnerability assessments, information system audits, and information security risk evaluations help you characterize your security issues, but not manage them. Managed service providers manage your security for you. Although each of these approaches can be useful to an organization trying to protect itself, all of them have some limitations, based on their context of use. A small company may have no choice but to use a managed service provider. A company with limited IT resources may not be able to do much more than manage vulnerabilities, and, depending on what it has to protect, may not need to do much more. The next section looks at a more comprehensive approach that builds upon the previous approaches, allowing an organization to assume responsibility for characterizing and managing its security issues.
Implementing a Risk Management Approach
Risk is the possibility of suffering harm or loss. It refers to a situation in which a person could do something undesirable or a natural occurrence could cause an undesirable outcome, resulting in a negative impact or consequence. The first step in managing risk is to understand what your risks are in relation to your organization's missions and its key assets. This understanding is reached by carrying out a comprehensive risk evaluation to identify your organization's risks. Once these risks are identified, the organization's personnel must decide what to do to address them. Risk management is the ongoing process of identifying risks and implementing plans to address them.
In this book, we propose a risk management approach to establish and improve an organization's information security posture. A comprehensive information security risk management approach incorporates asset, threat, and vulnerability information and enables decision makers to develop relative priorities based on what is important to the organization. It is a flexible approach that is uniquely tailored to each organization.
A risk management approach involves the entire organization, including personnel from both the information technology department and the business lines of the organization [GAO 98]. Solution strategies derived by using this approach are practice-based, that is, they are driven by best or accepted industry practices. By implementing these practice-based solutions across the information technology department and the business lines, an organization can start institutionalizing good security practices and making them part of the way the organization routinely conducts business. This approach enables an organization to improve its security posture over time. The next section takes a closer look at an information security risk evaluation and management.