
Management’s Role in Information Security – The 7 Top Mistakes, Part 2 of 3
By Dale McNulty

This is the second in a series of papers that chronicles management’s role in information security (InfoSec). Security breakdowns occur at all levels of the organization. A following series of articles will describe other influences, such as the IT staff and the users themselves. But this series focuses on management’s role because management is the key to effective information security.


This series chronicles the mistakes that management makes. However, the series also covers management’s legal liability, the parts of the uniform code and regulations that specify that liability, and what can be done to mitigate the liability, safeguard individuals and, above all, safeguard data and the enterprise. Put another way, these articles should motivate management to take a more active role in InfoSec.

The first article in this series focused on the single most significant mistake that management makes – failure to effect security policy. Security starts with policy, and management must establish and support policy. Security is only as effective as the weakest link in the organization; therefore information security must be effected across the entire enterprise, and that means that management must take responsibility for establishing policy across the entire enterprise. Management must do the following.

  • Management must create policy that matches the needs of the enterprise. This should be done in conjunction with the IT department. As such, policy plays a number of roles. First and foremost, it establishes the basis for procedures, guidelines and behavior across the organization that are intended to safeguard data and data-associated resources. Secondly, it serves as the basis for enforcement. Thirdly, because IT and management should work together in establishing that basis, it is a medium of communication between the two groups. Once policy is established, IT understands management’s thinking relative to security and, therefore, has its marching orders. Management, on the other hand, knows what to expect from IT.
  • Management must support policy. Management demonstrates this in a number of ways. Management must hold policy up as a visible standard for performance. Incorporating portions of it into the employee handbook is one way to do this. Management should publicly and privately act in accordance with policy so that the enterprise can see that management values it. Similarly, management must fairly enforce policy. Uneven enforcement is one of the biggest mistakes management makes relative to policy. This brings us to one other means of supporting policy that deserves its own paragraph.
  • Management must educate employees about policy. If employees aren’t educated about policy, they can’t be expected to support it. Additionally, and just as important, if employees aren’t educated, and educated verifiably, policy can’t effectively be enforced. Often management assumes that putting policy in the employee handbook and having the new employee sign off is sufficient. It’s not. Employees should be educated and tested. Additionally, the education should be renewed periodically. Note also that the acts of support and education don’t necessarily end with employees. It’s often useful and even necessary to educate partners and customers.

In summary, the first point of this series of articles is this: effecting information security across the enterprise depends on management’s active role in establishing policy, supporting it consistently and effectively educating the enterprise in the use and importance of policy to the enterprise and to the individual. Management should be motivated to play these roles because of the importance of policy in safeguarding the data assets of the organization, but if more motivation is needed, consider the following. Firstly, management has personal liability in safeguarding data assets. In fact, that liability can mean jail time and fines, but more on that in the next article of this series. Secondly, it has been demonstrated repeatedly that education and training increase ROI for the organization. And, significantly, that ROI isn’t limited to a return on investment in security: security training provides ROI for all the computing resources in the organization. And, while you’re thinking of training the organization, don’t overlook education and training of management itself. This is often overlooked, but it might be best if training starts with management, because some of the most influential mistakes in information security originate with management. Here are some of the other mistakes.

2. Failure to enforce and audit the policy. Management’s support of policy does not end with creating policy and communicating it to the organization. The policy must be enforced and the policy must be kept current. Enforcement is another way management shows its support for policy. Enforcement means establishing roles and responsibilities, training people to be watchful of potential problems, encouraging people to identify possible offences, and supporting enforcement messages and penalties. Once policy has been communicated to the organization, offences should be dealt with consistently, decisively and equally across the organization. If policy is broken, the offender should be penalized appropriately regardless of the person’s position within the organization. Often, organizations fail to enforce penalties equally. Often management excuses such behavior, claiming a person is indispensable and deserves special treatment because otherwise that person would leave and the organization would be devastated. Obviously, this goes beyond a discussion about InfoSec because it’s also a management issue. It’s enough in this article to say that effective management means no one person is indispensable. If management feels special enforcement is necessary, then the policy should be amended, not the enforcement. Management should be motivated here because employees rapidly lose faith in policy when they witness uneven enforcement. Even more significant, employees lose faith in management when they see uneven enforcement.

Enforcement is important, but equally important is auditing and updating of policy. That is, management must measure the effectiveness of the organization’s information security and constantly tune it to reflect changes in the organization, the environment and the culture. Obviously, management must know whether policy is working or not. Additionally, management has to measure how effective the policy is.

Management’s tool for assessing the organization’s security status and the effectiveness of policy is the security audit. Audits can be internal or external. External audits examine external accessibility to the network, access controls, policies and procedures pertaining to those areas, and security mechanisms such as IDS and virus control. External audits provide a good measure of inbound security and application-level access controls. However, the external audit doesn’t provide the thorough, in-depth analysis required to understand all aspects of the systems, data and data flows. Internal audits should be conducted regularly. Internal audits assess the state of servers and workstations relative to known vulnerabilities. Audits are involved activities that require more discussion than we have room for here.

3. Failure to acquire knowledge about security methods for the organization (i.e., not obtaining appropriate help or training). Information security (InfoSec) is a rapidly evolving field. Staying current with technology, vulnerabilities, legal issues and case studies requires a full-time effort. It requires a dedicated professional. Few organizations can afford to dedicate personnel to the kind of effort that is required. Often management commendably recognizes the need for an InfoSec professional and hires one, but then mistakenly burdens the role with extraneous responsibilities that detract from the InfoSec role. It’s often useful, therefore, to make use of third-party personnel who are dedicated to InfoSec. Even in an organization that has InfoSec roles it’s often useful to employ third parties. Independent InfoSec people are not only dedicated to the field but have more experience across more organizations and technologies. Independent InfoSec personnel can, therefore, provide technology transfer that benefits the organization as a whole. Just as security training increases ROI in the organization, this type of technology transfer provides ROI. Organizations often conclude they can train existing staff in InfoSec and get the same benefits. If the individuals have no responsibilities in the organization other than InfoSec, and if the appointed personnel can cover all elements of InfoSec within the organization, then this is definitely a useful alternative. However, even in that case, the organization should employ independent auditors and consider outsourcing other security services to gain the benefits of more extensive experience and technology transfer.

4. Failure to assess the real costs of the organization’s assets. There are two effects to consider. Firstly, if management fails to comprehend the true costs associated with the organization’s assets, it’s very likely they won’t appreciate the need for good security practices and, therefore, won’t take the appropriate steps to instill effective information security. Management may understand the role of policy, but it often under-appreciates the need to effect it and, therefore, doesn’t effect it. On the other hand, management might appreciate the need for information security and effect it, but its failure to comprehend the true values of the company’s assets often translates into ineffective use of policy and/or ineffective deployment of resources to protect the assets. This is essentially a risk management issue and, therefore, management should employ any of the tools and practices associated with risk management. Management should take note that it is bound by the “prudent man” principle, which means that the level of safeguard deployed is determined by comparing the cost of the potential safeguard to the cost of losing the corresponding asset. Legally, if a breach occurs, managers are liable if the cost of the associated safeguard was less than the projected loss and management did not deploy the safeguard. Therefore, management can’t exercise effective judgment if the costs of assets are not accurately known.

Dale McNulty is Chief Technical Officer of Surrex Solutions Corporation. Surrex has a specialized practice in managed security consulting. Surrex provides policy, independent audit, education, and intruder preparation/detection computer forensics. Dale has been active in the computer industry for more than 25 years and is considered a leading knowledge source in the field.


Copyright © 2002 Surrex Solutions Corporation. All rights reserved.

 
Refreshed 1-21-08