Chapter 4
An Affirmative Model of Defense: Digital Liability Management
Introduction
This chapter discusses the 4 defensive tiers of the digital liability management (DLM) model
They are:
Senior management support
Acceptable-use policies
Secure use procedures, and
Technology tools
Not Being Met: The Information Security Challenge
Info sec strategies that are technology-centric or policy-centric will fail
Technology-centric strategies are weak w/o strong policies and practices
Policy-centric strategies are ineffective w/o technology to monitor and enforce them
A comprehensive, multifaceted approach w/ senior mgmt support, policy, process, and technology is necessary
Hallmarks of Proper Execution
The following hallmarks are needed for proper execution of security initiatives
Clear and powerful mandate from senior leaders of the org
Communication and adoption of the strategic vision from snr mgmt throughout every level of the org
A commitment to continuous 2-way communication about policy and procedures
An ongoing commitment to training employees about policies, practices, and procedures
A system that monitors compliance w/ security practices
Prudent investment in technology to implement and enforce best practices
The Risk and Reward of New Initiatives
A survey in InformationWeek of 8,100 tech and security professionals found that only 18% report intrusions to watchdogs like CERT or govt authorities
Only 14% inform their business partners when there is a lapse in security
Read top of pg. 55 (note author)
Higher Standards of Security
In 2001, subscriber data including credit card info was stolen from Ziff Davis’ magazine website
In August of 2002, they paid $100,000 in state fines and $500 per credit card lost to victims
Why is Information Security Poorly Executed?
Mgmt of digital assets and investment in info security are often misunderstood, underfinanced, and poorly executed
In a cost-conscious economy, one common mistake is the purchase of IT security defenses championed by IT staff as a rapid response to a well-publicized threat or intrusion
Such a purchase has several problems (next page)
Poorly Executed (2)
Shows little senior mgmt
Has no specific economic justification
Requires little or no active participation from employees
Often gets defeated by faulty configuration of the tools, neglected maintenance, or a process failure
E.g., failing to close out the network IDs of terminated employees
The DLM Defense Model
The DLM model provides a 4-tiered approach that raises the discipline from a technology tactic to the higher standards of a strategic business initiative
Again, the four Tiers are:
Senior mgmt commitment and support
Acceptable-use policies and other statements of practice (like e-mail and Internet-use policies)
Secure use procedures
Hardware, software, and network security tools
Look at Fig. 4.1 on pg. 57: is this too much info? Is it a security risk?
Tier 1: Senior Mgmt Commitment and Support
Security Awareness Begins and Ends in the Boardroom
Cybersecurity was never a strictly technical issue that could be delegated to network administrators
If the issue does not find its way into the boardroom, the consequences most likely will
Tier 1 (2)
As U.S. security laws get tougher and compliance w/ privacy laws becomes more prevalent, there will be lawsuits alleging mismanagement, violation of security laws, or other wrongful acts
These violations may put corporations, directors, and officers at risk
See Fig. 4.2, pg. 58
Overcoming Objections and Adversaries (pg. 58)
Security is Unpopular
We’ve discussed much of this already (you read it)
Look at the @Lert on this page (pg. 58)
Security Requires a Strong Mediator to Resolve Conflicts
Good security can be expensive, and will often require funds that would otherwise go to projects w/ strong political support
The computer security administrator’s relationship with users and network administrators tends to be adversarial
Senior mgmt needs to apply its influence proactively to decide the outcome of these power struggles
Tier 2: Acceptable-Use Policies and Other Statements of Practice
AUPs Define Acceptable and Unacceptable Behavior
Two concerns of employers in designing effective AUPs:
Preventing system misuse, and
Avoiding exposure to subsequent liability
An AUP should define the responsibilities of every user by specifying acceptable and unacceptable actions and the consequences of noncompliance
E-mail, Internet, and computer AUPs should be thought of as extensions of other corporate policies like those addressing equal opportunity, sexual harassment, etc.
They exist to protect the rights of the employees and limit the liability of the employer
Stakeholders Involved in AUPs
HR managers, traditional stakeholders, managers, legal counsel, members of the IT staff, and those responsible for physical security
Also, accountants and auditors who are concerned w/ practices and policies pertaining to e-fraud should review AUPs
As with other HR policies, an AUP should require that every employee explicitly acknowledge in writing his or her understanding of and compliance w/ the policy
AUPs Define Expectations and Demonstrate Due Diligence
The AUP defines what is expected of all employees when they use company computing devices, including PDAs, phones, voicemail, wireless, etc.
AUPs set employee expectations w/ regard to violation consequences and privacy
We’ll see example AUPs in chapter 6
Maintenance and Teamwork
Info security must become a part of everyone’s job description, whether or not they use the computer
This helps make staff more vigilant about possible security problems, which they become more likely to report
Just having AUP policies is not enough; if they are deficient or obsolete they put the organization at risk
Of 1,000 U.K. businesses, 27% had documented security policies; of those, though, 76% updated them annually and 31% updated them every six months
Tier 3: Secure Use Procedures
This is the transition from documents and policies to the actual day-to-day application of policy within the context of business operations
Covered more in chapter 7
Provides examples of practices to be encouraged as well as those to be discouraged, or totally prohibited
Much of this is focused on planning and organization
Tier 3 (2)
Secure use procedures require a survey and evaluation of the digital assets at risk and estimates of the probability of loss
This discipline is fundamental to all types of risk management but is rarely practiced w/ intangible digital assets
Tier 3 (3)
B/c of this, the value of these assets and their replacements is often seriously underestimated and underinsured
Underestimated replacement costs make it difficult to justify large investments in the protection of these assets
The other main area is the preparation of an appropriate response to a major security event when it occurs
Reactions need to be immediate and properly targeted to limit exposure, damages, and legal liability
Tier 4: Hardware, Software, and Network Security Tools
Putting everything in place
Discussed more in chapter 8
End of chapter
Review Discussion Questions