Transcript Chapter 3

Chapter 4
An Affirmative Model of Defense:
Digital Liability Management
Introduction
The chapter discusses the four defensive tiers of the
digital liability management (DLM) model
They are:
Senior management support
Acceptable-use policies
Secure use procedures, and
Technology tools
Not Being Met: The Information
Security Challenge
Info sec strategies that are purely technology-centric or
purely policy-centric will fail
Technology-centric strategies are weak w/o strong
policies and practices behind the tools
Policy-centric strategies are ineffective w/o
technology to monitor and enforce them
A comprehensive, multifaceted approach w/ senior
mgmt support, policy, process, and technology is
necessary
Hallmarks of Proper Execution
The following hallmarks are needed for proper
execution of security initiatives
Clear and powerful mandate from senior leaders of the
org
Communication and adoption of the strategic vision
from snr mgmt throughout every level of the org
A commitment to continuous 2-way communication
about policy and procedures
An ongoing commitment to training employees about
policies, practices, and procedures
A system that monitors compliance w/ security
practices
The Risk and Reward of New
Initiatives
A survey in InformationWeek of 8,100 tech
and security professionals found that 18%
report intrusions to watchdogs like CERT or
govt authorities, and
14% inform their business partners when
there is a lapse in security
Read top of pg. 55 (note author)
Higher Standards of Security
In 2001, subscriber data including credit card
info was stolen from a Ziff Davis magazine
website
In August of 2002, Ziff Davis paid $100,000 in
state fines and $500 to each victim whose credit
card was exposed
Why is Information Security
Poorly Executed?
Mgmt of digital assets and investment in
info security are often misunderstood,
underfinanced, and poorly executed
In a cost-conscious economy one common
mistake is the purchase of IT security defenses
championed by IT staff as a rapid response
to a well-publicized threat or intrusion
Such a purchase has several problems (next page)
Poorly Executed (2)
Shows little senior mgmt involvement
Has no specific economic justification
Requires little or no active participation
from employees
Often gets defeated by faulty configuration
of the tools, neglected maintenance, or a
process failure
Like failing to close out the network IDs of
terminated employees
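The last bullet is the kind of process failure that a technology purchase alone never catches: the firewall and directory are configured correctly, but nobody reconciled HR's termination list against the accounts that still exist. The check below is an added example, not from the textbook: it cross-references a small HR roster against a directory export and flags network IDs that should have been closed out (still enabled after termination, used after termination, or with no owner in HR at all). The CSV layouts, field names, dates and records are constructed for illustration and assume nothing about any real HR or directory product.

```python
"""Offboarding reconciliation check (added example, not the textbook's code).

Cross-check an HR roster against a directory account export and flag
network IDs that should have been closed out. The CSV layouts, field
names and records below are constructed for illustration; a real run
would replace them with exports from the HR system and the directory.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample HR roster: one row per employee.
HR_ROSTER = """employee_id,name,status,termination_date
1001,Ada Lovelace,active,
1002,Bob Kim,terminated,2024-03-01
1003,Chen Wu,terminated,2024-05-15
1004,Dee Patel,active,
"""

# Constructed sample directory export: one row per network account.
DIRECTORY_EXPORT = """username,employee_id,enabled,last_logon
alovelace,1001,true,2024-06-01
bkim,1002,true,2024-04-20
cwu,1003,false,2024-05-10
svc_backup,,true,2024-06-02
ghost,9999,true,2023-12-01
"""

# Logons on the termination day itself are tolerated; anything later is a finding.
GRACE_DAYS = 1


def parse_date(value):
    return date.fromisoformat(value) if value else None


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_text, directory_text, as_of):
    """Return a list of (username, issue) findings, in directory order.

    Issues raised:
      enabled-after-termination  account still enabled for a terminated employee
      logon-after-termination    account used after the termination date
      no-hr-record               employee_id not present in HR (orphaned account)
      unmapped-account           account carries no employee_id (needs an owner)
    """
    hr = {row["employee_id"]: row for row in load_csv(hr_text)}
    findings = []
    for acct in load_csv(directory_text):
        user = acct["username"]
        emp_id = acct["employee_id"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = parse_date(acct["last_logon"])

        if not emp_id:
            findings.append((user, "unmapped-account"))
            continue
        emp = hr.get(emp_id)
        if emp is None:
            findings.append((user, "no-hr-record"))
            continue
        if emp["status"] != "terminated":
            continue  # active employee: nothing to close out

        term = parse_date(emp["termination_date"])
        if term is None:
            continue  # terminated without a date: data quality issue, out of scope here
        if enabled and as_of >= term:
            findings.append((user, "enabled-after-termination"))
        if last_logon is not None and last_logon > term + timedelta(days=GRACE_DAYS):
            findings.append((user, "logon-after-termination"))
    return findings


def sample_findings():
    """Run the check over the constructed data as of a fixed review date."""
    return reconcile(HR_ROSTER, DIRECTORY_EXPORT, date(2024, 6, 3))


if __name__ == "__main__":
    for user, issue in sample_findings():
        print(f"{user}: {issue}")
```

Run on the sample data, the check reports `bkim` twice (still enabled, and logged on seven weeks after termination), the service account with no owner, and `ghost`, whose employee ID matches nobody in HR; `cwu` is clean because the account was disabled and the last logon predates termination. The point for this tier of the model is that the control is a recurring procedure (run the reconciliation on every HR change or on a schedule and act on the findings), not a product.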
The DLM Defense Model
The DLM model provides a 4-tiered approach that raises
the discipline from a technology tactic to the standard of
a strategic business initiative
Again, the four tiers are:
Senior mgmt commitment and support
Acceptable-use policies and other statements of practice
(like e-mail and Internet-use policies)
Secure use procedures
Hardware, software, and network security tools
Look at Fig 4.1 on pg. 57: is this too much info? Is it a
security risk?
Tier 1: Senior Mgmt
Commitment and Support
Security Awareness Begins and Ends in the
Boardroom
Cybersecurity was never a strictly technical
issue that could be delegated to network
administrators
If the issue does not find its way into the
boardroom, the consequences most likely will.
Tier 1 (2)
As U.S. security laws get tougher and
compliance w/ privacy laws becomes more
prevalent, there will be lawsuits alleging
mismanagement, violation of security laws,
or other wrongful acts
These violations may put corporations,
directors, and officers at risk
See fig 4.2, pg. 58
Overcoming Objections and
Adversaries p 58
Security is Unpopular
We’ve discussed much of this (you read)
Look at the @Lert on this page. (58)
Security Requires a Strong Mediator
to Resolve Conflicts
Good security can be expensive, and will often
require funds that would otherwise go to projects
w/ strong political support
The computer security administrator's relationship
with users and network administrators tends to be
adversarial
Senior mgmt needs to apply its influence
proactively to decide the outcome of these power
struggles
Tier 2: Acceptable-Use Policies and
Other Statements of Practice
AUPs define Acceptable and Unacceptable Behavior
Two concerns of employers in designing effective AUPs:
Preventing system misuse, and
Avoiding exposure to subsequent liability
AUP should define responsibilities of every user by specifying
acceptable and unacceptable actions and consequences of
noncompliance
Email, Internet, and computer AUPs should be thought of as
extensions of other corporate policies like those addressing equal
opportunity, sexual harassment, etc.
They exist to protect the rights of the employees and limit the liability
of the employer
Stakeholders Involved in AUPs
HR managers (the traditional stakeholders), line managers,
legal counsel, members of the IT staff, and those
responsible for physical security
Also, accountants and auditors who are concerned
w/ practices and policies pertaining to e-fraud
should review AUPs
As with other HR policies, an AUP should require
that every employee explicitly acknowledge in
writing his or her understanding and compliance
w/ the policy
AUPs Define Expectations and
Demonstrate Due Diligence
The AUP defines what is expected of all
employees when they use company computing
devices, including PDAs, phones, voicemail,
wireless, etc.
AUPs set employee expectations w/ regard to
violation consequences and privacy
We’ll see example AUPs in chapter 6
Maintenance and Teamwork
Info security must become a part of everyone's job
description, whether or not they use a computer
This helps make staff more vigilant about possible security
problems, which they then become more likely to report
Just having AUP policies is not enough: if they are
deficient or obsolete they put the organization at risk
Of 1,000 U.K. businesses surveyed, 27% had documented security
policies; of those, 76% updated them annually and
31% updated them every six months
Tier 3: Secure Use Procedures
This is the transition from documents and policies
to actual day-to-day application of policy within
the context of business operations
Covered more in chapter 7
Provides examples of practices to be encouraged
as well as those to be discouraged, or totally
prohibited
Much of this is focused on planning and
organization
Tier 3 (2)
Secure use procedures require a survey and
evaluation of the digital assets at risk and estimates of
the probability of their loss
This discipline is fundamental to all types of risk
management but is rarely practiced w/ intangible
digital assets
Tier 3 (3)
B/c of this, the value of these assets and the cost of
replacing them are often seriously underestimated,
and the assets underinsured
Underestimated replacement costs make it difficult
to justify large investments in the protection of
these assets
The other main area is the preparation of an appropriate
response to a major security event before it occurs
Reactions need to be immediate and properly
targeted to limit exposure, damages, and legal
liability
Tier 4: Hardware, Software, and
Network Security Tools
Putting everything in place
Discussed more in chapter 8
End chapter
Review Discussion Questions