630-2 Yhomit

profileabcity84
Computer_Security_Handbook_Set_----_INTRODUCTION_TO_PART_VII_MANAGEMENTS_ROLE_IN_SECURITY.pdf

INTRODUCTION TO PART VII

MANAGEMENT’S ROLE IN SECURITY

Management responsibilities include judgments of which resources can rationally be expended in defending against which threats. Managers must understand how to cope with the lack of quantitative risk estimates while using what information is available to guide investment decisions in personnel and technology. Their decisions are affected by regulatory and legal requirements and by the practical constraints of their relationships with other leaders within their organizations. This part includes chapters and topics that bear on information assurance managers’ roles:

62. Quantitative Risk Assessment and Risk Management. Which vulnerabilities warrant repair? Which threats must be taken seriously? How much expense is justified on specific security measures?

63. Management Responsibilities and Liabilities. Roles, responsibilities, due dili- gence, staffing security functions, and the value of accreditation and education

64. U.S. Legal and Regulatory Security Issues. For U.S. practitioners especially, this chapter reviews the Gramm-Leach-Bliley Act and the Sarbanes-Oxley legis- lation

65. The Role of the CISO. The chief information security officer as an agent of change and as a strategist working to ensure that security fits into the strategic mission of the organization, and that it is communicated effectively to other C-level executives

66. Developing Security Policies. Approaches to creating a culture of security where policies grow organically from the commitment of all sectors of the organization, instead of being imposed unilaterally by security staff

67. Developing Classification Policies for Data. The essential role of data clas- sification and how to implement systems that conform to regulatory and legal requirements

68. Outsourcing and Security. Security of outsourcing and outsourcing of security

VII · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62CHAPTER

QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

Robert V. Jacobson and Susan Baumes

62.1 AN INTRODUCTION TO RISK MANAGEMENT 62 · 2 62.1.1 What Is Risk? 62·2 62.1.2 What Is Risk

Management? 62·2 62.1.3 Regulatory

Compliance and Legal Issues 62·3

62.2 OBJECTIVE OF A RISK ASSESSMENT 62 · 4 62.2.1 Qualitative versus

Quantitative Risk Assessments 62·4

62.3 LIMITATIONS OF QUESTIONNAIRES IN ASSESSING RISKS 62 · 6

62.4 A MODEL OF RISK 62 · 6 62.4.1 The Two

Inconsequential Risk Classes 62·6

62.4.2 The Two Significant Risk Classes 62·7

62.4.3 Spectrum of Real-World Risks 62·7

62.5 RISK MITIGATION 62 · 10 62.5.1 ALE Estimates

Alone Are Insufficient 62·10

62.5.2 What a Wise Risk Manager Tries to Do 62·10

62.5.3 How to Mitigate Infrequent Risks 62·13

62.5.4 The ROI-Based Selection Process 62·15

62.5.5 Risk-Assessment/ Risk-Management Summary 62·16

62.6 RISK-ASSESSMENT TECHNIQUES 62 · 16 62.6.1 Aggregating

Threats and Loss Potentials 62·17

62.6.2 Basic Risk- Assessment Algorithms 62·17

62.6.3 Loss Potential 62·18 62.6.4 Risk Event

Parameters 62·21 62.6.5 Threat Effect

Factors, ALE, and SOL Estimates 62·22

62.6.6 Sensitivity Testing 62·23 62.6.7 Selecting Risk

Mitigation Measures 62·24

62.7 SUMMARY 62 · 24

62.8 FURTHER READING 62 · 24

62.9 NOTES 62 · 25

62 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 2 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

62.1 AN INTRODUCTION TO RISK MANAGEMENT

62.1.1 What Is Risk? There is general agreement in the computer security community with the common dictionary definition of risk: the possibility of suffering harm or loss. The definition shows that there are two parts to risk: the possibility that a risk event will occur, and the harm or loss that results from occurrences of risk events. Consequently, the assessment of risk requires consideration of both factors: the frequency of threat events that cause losses, and the loss each such event causes. The product of the two factors, frequency and loss, is a quantitative measure of risk; for example, we might express a risk as an Annualized Loss Expectancy (discussed in Section 62.2) of, say, $100,000 per year. Risk is managed by taking actions that recognize and reduce these two factors.

Management of risk is important to the design, implementation, and operation of information technology (IT) systems because IT systems are increasingly an essential part of the operation of most organizations. As a result, both the size of the potential harm or loss and the possibility of a risk event occurring are increasing. In extreme cases, a risk loss may be large enough to destroy an organization. If an organization’s risk- management program is deficient in some area, the organization may suffer excessive harm or loss, but at the same time the organization may be wasting resources on ineffective, excessive, or misdirected mitigation measures in other areas.

62.1.2 What Is Risk Management? This chapter discusses risk management with special emphasis on two aspects of risk management: risk assessment and risk mitigation. Exhibit 62.1 below suggests that risk management can be thought of as a four-step process.

Step 1: Identify and assess the risks. A risk assessment will only be as good as the inventory of systems and processes. If an organization does not have an adequate inventory, there may be systems or processes with significant risk that may not be reviewed. Once an inventory is complete, the organization can determine the risks associated with each.

Step 2: Identify the optimum set of risk-management measures.1 In this context, optimum means making the best use of the resources available for risk

IT Risk Management

IT Risk Assessment

IT Risk Mitigation

Collective Actions

IT Security Operations

Work Flow

Work Flow

Work Flow

IT Security Auditing

EXHIBIT 62.1 The Four IT Risk-Management Activities

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

AN INTRODUCTION TO RISK MANAGEMENT 62 · 3

management. Because no organization has infinite resources, risk manage- ment requires allocating finite resources by selecting from the broad range of IT risk mitigation measures, the optimum set. Since the resources being allo- cated are measured quantitatively in monetary terms, the risks must likewise be measured in monetary terms. A CIO can hardly expect to go to the CFO and announce that the risk assessment has identified a high risk, so a high security budget will be needed to address the risk. This issue is discussed in more detail in Section 62.4.3.

Step 3: Perform the ongoing, activities necessary for the effective functioning of the risk-management measures. Depending on the mitigating controls imple- mented, this could be ongoing log reviews of systems or quarterly meetings with local police. It will depend on the risk and the mitigating controls imple- mented.

Step 4: Security auditing is conducted to evaluate the effectiveness of IT security operations and to detect changing conditions that require a reassessment of risks, the implementation of new mitigation measures, or modifications to the security management program. Daily security management tasks and IT auditing are discussed elsewhere in this Handbook (see, for example, Chapters 23, 27, 40, 47, 52, 53, and 54), so this chapter will confine itself to the first two steps: risk assessment and risk mitigation.

62.1.3 Regulatory Compliance and Legal Issues. Increasing regulatory and legal issues are impacting risk management, most notably the Sarbanes-Oxley Act. More and more corporate officials are being sent to jail for infractions. As a result, it is not surprising that there may be an overreaction to compliance regulations, with excessive measures being recommended by auditors. Whenever implementation of a compliance recommendation does not include a cost justification, and the implemen- tation cost is material, it may be a candidate for a simple risk analysis like this.

1. What effect does the recommended measure have on the probability of noncom- pliance? In other words, what will be the difference in the likely loss experience with and without the recommended measure?

2. Does this difference compare favorably with the cost to implement and maintain the recommended measure?

There are several points to be made.

� If the cost-benefit is marginal or negative, consideration should be given to alter- nate (and lower cost) ways to achieve the same end result.

� If the cost-benefit is strongly negative, consideration should be given to dropping the recommendation.

� Under no circumstances should an organization deliberately break the law.

For more about these issues, refer to Chapter 65. Readers should note that there are strong disagreements about the validity of using

quantitative risk-assessment and risk-management methods. For example, Donn Parker has argued for decades that quantitative estimates of risk are an illusion and that expert consensus on best practices provide a far more solid foundation for risk management.2

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 4 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

Chapter 10 in this Handbook includes discussion of the problems of ascertainment that complicate quantitative estimation of risk.

62.2 OBJECTIVE OF A RISK ASSESSMENT. This Handbook describes the pros and cons of a wide range of security measures that can be applied to an IT system. However, no organization has unlimited resources, and so it is necessary to decide which measures should be implemented.3 It would be convenient if there were a set of security standards that applied equally to all IT systems, but as guidelines cited in Section 62.1.3 note, this is not the case for two basic reasons:

� Each IT system has its own particular risk environment. � Each IT system has a unique workload. Although two or more IT systems may perform the same list of functions, it is highly unlikely that the systems will have exactly the same level of activity for each of the functions, and so the cost of lost data and service interruptions will not be the same.

Because of these differences, each IT system will have unique security requirements.4 These two factors correspond to the two elements in the definition of risk:

� The risk environment determines the possibility of experiencing harm or loss. � The characteristics of the system workload, and the associated IT system assets, determine the magnitude of the harm or loss.

The objective of a risk assessment is to generate information about risk exposures and the potential for loss associated with the workload in order to estimate the annualized loss expectancy (ALE) of the IT system under current conditions.

62.2.1 Qualitative versus Quantitative Risk Assessments. There are two basic types of risk assessments: qualitative and quantitative. The difference be- tween them is substantial. A quantitative assessment provides a dollar figure associated with the loss. In the case of a qualitative risk assessment, the dollar figure may not be easy to obtain. The cost of the loss is difficult or in some cases impossible to quantify. As an example, if a retailer’s database containing customer records is breached, how does one quantify the reputational impact in financial terms? The retailer may have significant losses associated with the breach, but for how long? Loyal customers may continue to frequent the business, but there may be a loss of new clients. Obviously, the impact will depend on the type of business and the relationship of the customer to the business.

In the example of the retailer performing a risk assessment, the customer impact may be rated as Low, Medium, or High with set boundaries. Oftentimes an organization will incorporate a combination of qualitative and quantitative risk-assessment properties in their final risk analysis. Certainly, organizational maturity plays a role in the type of risk assessment completed, particularly one that has never performed any type of risk analysis. In instances where no analysis has been completed, the firm may start with a qualitative analysis and then apply quantitative analysis to the top 10 risks to help prioritize a mitigation strategy.

A quantitative assessment provides a dollar figure associated with a loss. As or- ganizations review their risk mitigation strategy, having the dollar figure is extremely

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

OBJECTIVE OF A RISK ASSESSMENT 62 · 5

Funds have been allocated to Risk

Management

One or more risk factors are reduced.

Future risk losses are reduced Funds are

saved

Future

PresentImplement mitigation measures today.

Funds are spent.

Compare funds

spent and saved.

What is the ROI?

EXHIBIT 62.2 Evaluating an IT System Security Strategy

helpful. The dollar estimate is used to optimize the subsequent risk mitigation decisions and to validate decisions about existing security measures. In this context, optimize means to allocate the organization’s resources to those actions that will yield the best overall performance. It would be suboptimum to spend $10,000 to avert $1,000 in expected losses. To avoid such wasteful expenditures, one must be able to estimate quantitatively both expected losses5 and the effect of proposed mitigation measures. For this reason, in all but the simplest situations a risk assessment must produce a quan- titative, monetary measure of risk, so that (a) risks can be compared with one another on a common basis and (b) the cost of risk mitigation measures can be related to the risks they are meant to address. Assessing a risk as high, unacceptable, or in other qualitative terms does not provide the information needed to support decisions to implement risk mitigation measures, which will always have quantitative implementation costs.

Exhibit 62.2 above shows why a quantitative estimate of ALE is an essential element in the optimization of the strategy. A sum of money has been budgeted for IT risk management for next year. A risk-management measure is selected and implemented, and so funds are expended. The implementation is expected to reduce one or more risk factors. As a result, we expect future risk losses will be reduced, and funds will be saved. By comparing the present values of the funds expended now and those saved in the future, we can estimate the return on investment (ROI) of the implemented measure. The goal is to maximize the ROI, and to avoid risk-management measures with small or negative ROIs. This is the essential character of businesslike IT system risk management. However, it is evident that we must be able to make credible estimates of expected risk losses under both conditions, and under the assumption that a proposed risk-management measure has been implemented to optimize our risk-management strategy.

It may be suggested that quantitative assessment of risk is too complicated, and so a simpler, qualitative method can be used instead. However, the complexity is inherent in risk itself, and any simple assessment technique will be inherently weak, and potentially misleading. This topic is discussed in more detail in Section 62.4.3.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 6 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

62.3 LIMITATIONS OF QUESTIONNAIRES IN ASSESSING RISKS. One may be tempted to think of a security questionnaire or checklist as a valid risk assess- ment, but even if the checklist seems to be authoritative because it is automated, this is not the case. Typical questionnaires can help identify inventory and therefore potential areas of risk, but not expected loss. At best, a questionnaire can only compare the target of the questionnaire with a security standard implicit in the individual questions. Questionnaires do not meet the objective of a risk assessment, because the answers to a questionnaire will not support optimized selection of risk mitigation measures. The most a well-designed questionnaire can do is to identify potential risk areas, and so they can be of help in scoping and focusing a quantitative risk assessment.

Questionnaires suffer from several other shortcomings:

� The author of a question and the person who is answering the question may have different understandings of the meanings of key words. As a result, an answer may not match the intent of a question.

� Questions tend to be binary, but most answers are inherently quantitative. For example, consider the binary question “Do users comply with password policy?” Although the anticipated answer is either yes or no, a meaningful answer is likely to be much more complicated because each user will have a unique pattern of compliance. Some users will make every effort to be 100% compliant, some will make every effort to circumvent the policy, and the remaining users will comply to a greater or lesser extent. Note also that the question does not attempt to evaluate the appropriateness of the policy.

� Because questionnaires are inherently openloop, and because of the binary answer issue discussed above, questionnaires tend to miss important information that would be elicited by a risk analyst who interacts directly with respondents and responds to a quantitative answer with a new question.6

Questionnaires are appealing because they appear to relieve the risk assessor of the need to probe into the business system being assessed, but something better is needed for a valid risk assessment. The ensuing sections of this chapter will build a model of risk, and then show how to apply quantitative parameters to the model. Although a greater effort is required, far superior results are achieved.

62.4 A MODEL OF RISK. Exhibit 62.3 is a simplified model of threats and consequences devised by Robert Jacobson. The model takes the first steps toward quantification of risks. In this very simple model, all risk events are assumed to have either a low or high rate of occurrence, and all consequences of risk event impacts are assumed to be either low or high. Mr. William H. Murray, at the time an executive consultant at Deloitte & Touche, referred to this risk model as Jacobson’s Window. Let us now consider the implications of the model.

62.4.1 The Two Inconsequential Risk Classes. The two-by-two empty matrix model implies that there are four classes of risk: low-low, high-low, low-high, and high-high. Exhibit 62.4 suggests that two of the classes can be ignored. The low- low class can be ignored because these risks do not matter. As an extreme example, it is obvious that a risk event that occurs at about 10,000-year intervals and causes a $1 loss each time can be ignored safely. Experience suggests that the high-high class can be assumed not to exist in the real world. If 50-ton meteorites crashed through the roofs

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

A MODEL OF RISK 62 · 7

Consequences

Low High

O cc

u rr

e n ce

R a te

L o w

H ig

h EXHIBIT 62.3 Jacobson’s Window, A Simple Risk Model

of computer rooms every day, there would be no attempt to use computers. In practice, high-probability, high-loss risks just do not exist. Catastrophic events do occur, but not frequently.

62.4.2 The Two Significant Risk Classes. This analysis suggests that there are only two significant risk classes: high-low and low-high. Data entry keystroke errors are an example of a high-low risk: a high probability of occurring, and usually a low resulting loss. A major fire that destroys the building housing an IT system is an example of a low-high risk: a low probability of occurrence, and a high consequential loss. However, we know that real-world risks do not fall into just these two classes. Instead there is a spectrum of risks from high-low to low-high.

62.4.3 Spectrum of Real-World Risks. Exhibit 62.5 illustrates the distribu- tion of representative risks from high-low (key stroke errors) to low-high (major fires). Conceptually, there is little difference between the high-low and low-high threats. Ex- perience suggests that averaged over the long term the high-low and low-high threats will cause losses of similar magnitude to an organization. This concept is quantified by the notion of annualized loss expectancy (ALE). The ALE of a risk is simply the prod- uct of its rate of occurrence, expressed as occurrences per year, and the loss resulting from a single occurrence expressed in monetary terms, for example, dollars per year.

Consequences

Low

Don’t care

High

O cc

u rr

e n ce

R a te

L o w

H ig

h Doesn’t happen

EXHIBIT 62.4 The Two Inconsequential Risk Classes

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 8 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

Consequences

Low

“low-high” major fire

flooding cash fraud

power failure software bug

key error “high-low”

High

O cc

u rr

e n ce

R a te

L o w

H ig

h EXHIBIT 62.5 The Spectrum of Real-World Risks

Here is a simple example of ALE: Assuming that 100 terminal operators each work 2,000 hours per year and make 10 keystroke errors per hour, the occurrence rate of keystroke errors would be 2,000,000 per year. Next, assuming that 99.9% of the errors are immediately detected and corrected at an insignificant cost, 2,000 errors slip by each year (a high occurrence rate risk), which must be corrected later at a cost estimated to be $10 each, a low consequence for each occurrence. Thus, the ALE of the high-low risk: Keystroke error is estimated to be 2,000 occurrences per year × $10 per occurrence, or an ALE of $20,000/year.

Continuing our example, assume that the probability of a major fire in any one year is 1/10,000 (in other words the annualized probability of occurrence of a major fire is estimated to be 0.0001), and if the loss resulting from a major fire would be $200 million, then major fire is a low-high risk. These assumptions lead to an estimate of $20,000/year for the ALE of major fires.

Thus, the two risks from opposite ends of the risk spectrum are seen to have ALEs of about the same magnitude. Of course, we have manipulated the two sets of assumptions to yield similar ALEs, but the results are typical of the real world. However, note that we are assured of having a loss of $20,000 every year from keystroke errors, but a loss of $200 million in one of the next 10,000 years.

Exhibit 62.6 is a computer-generated7 plot of threat occurrence rates and conse- quences (total single occurrence loss) taken from an actual quantitative risk analysis of a facility. Each of the numbered boxes represents a threat type. Because the two scales are logarithmic, the contours of constant ALE are diagonal straight lines. As expected there are no threats in the high-high (Doesn’t Happen) and low-low (Trivial) zones.

While the ALEs span a range of about four orders of magnitude (from about $50 per year to about $500,000 per year), frequencies and consequences each span about seven orders of magnitude. This result is typical of the real world, and illustrates the fundamental flaw in High-Medium-Low risk models like the matrix in Exhibit 62.7. These models attempt to simplify risk assessments by defining a very limited range of values, three each, for frequency and consequence. As a result, threat event ALEs that differ by as much as two orders of magnitude, as illustrated in Exhibit 62.5, are given the same ranking when assessed using a high-medium-low matrix.

Proponents of this risk model are silent about the details. Firstly, as Exhibit 62.6 shows, the Very High and Very Low risks are meaningless in the real world. Secondly, the matrix requires users to compress numerical values with a range of almost seven

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

A MODEL OF RISK 62 · 9

EXHIBIT 62.6 A Plot of Actual Threat Frequencies and Consequences © Copyright 2005 International Security Technology, Inc.

orders of magnitude, for example, from 100/year to 1/20,000 years, into only three values: Low, Medium, and High. In other words, two risks with same consequence but occurrence rates that differ by a factor of 100 might receive the same evaluation. Likewise, because of the arbitrary boundaries between low, medium, and high, two risks with the same consequence but with occurrence rates that differ by 1% could receive different ratings. These considerations defy common sense, and make it clear

Threat Occ. Rate

Low

Low

Low

Medium

Medium

Medium

Medium

High

High

High Very High

Very LowS y s te

m I m

p a c t

L o w

H ig

h M

e d .

EXHIBIT 62.7 A Typical Risk Matrix

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 10 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

that rating a risk as High, Medium, or Low cannot be the basis to cost-justify a proposed risk management measure.

62.5 RISK MITIGATION. Exhibit 62.6 shows that the effect of risk exposures on IT systems can range from trivial to catastrophic, and it is not always immediately obvious which risk exposures are the most dangerous. For this reason, it is essential to base the selection of risk mitigation measures on a quantitative assessment of risks. In this section we consider the practical considerations in generating quantitative assessments and applying them to risk mitigation decisions.

62.5.1 ALE Estimates Alone Are Insufficient. As noted above, ALE is a useful concept for comparing risks, but we recognize intuitively that ALE alone is not a sufficient basis for making risk mitigation decisions about the low-probability high-consequence risks. There are two reasons for this.

� The first reason is the difficulty in generating a credible estimate of occurrence rate for low-probability risks. As a rule, one can generate credible estimates of the consequences of a low-probability risk, but the same is not true of its occurrence rate. Risks that flow from human actions such as fraud, theft, and sabotage are also difficult to quantify credibly.

� The second reason stems from what appears to be a common human trait that this writer has postulated as Jacobson’s 30-Year Law:

People (including risk managers) tend to dismiss risks that they have not personally experienced within the past 30 years.

Why 30 years? It is not clear, but it may be related genetically to human life expectancy, which until just a few generations ago was about 30 years. Possibly, people who were able to suppress anxiety about rare events were more successful than those who worried too much. Numerous instances of Jacobson’s 30-Year Law can be found. For example, the United States Government has had a major fire at about 28-year intervals beginning in 1790, most recently at the Military Records Center. Presumably each new generation of federal property managers must relearn the lessons of fire safety by direct experience. The Northeast power blackout of 2003 followed a similar event in 1976, 27 years earlier.

It seems to be common for senior managers, particularly public officials, responding to a calamity such as the meltdown of the Fukushima nuclear plant in March 2011 following an earthquake and the resulting tsunami, to say something like this: “Who could have imagined that such a thing would happen? However, we have taken steps to see that it will never happen again.”8 This is an imprudent statement for two reasons. First, prudent managers will anticipate potential disasters. Second, saying never implies that perfect security is the goal. This is nonsensical, since perfect security is infinitely expensive, and so cannot be achieved.

62.5.2 What a Wise Risk Manager Tries to Do. Unlike the senior man- agers quoted above, an organization’s risk manager should be trying to imagine every possible material risk the organization faces, even those not personally experienced, and developing estimates of the impact of these risks. Next, the risk manager should strive to identify the optimum response to each material risk by identifying security measures that have a positive return on investment (ROI). Note that potentially fatal

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK MITIGATION 62 · 11

low-occurrence/high-consequence threats require treatment irrespective of ALE and ROI as discussed in Section 62.5.3.

Consider this example of cost effectiveness (presented as individual steps in reason- ing):

� The ALE for keystroke errors was estimated in the Section 62.4.3 example as $20,000 per year, or $200 per operator.

� This estimate is credible because presumably there has been ample past experience with both the occurrence rate and impact cost of the keystroke-error risk.

� The risk manager considers how to treat this risk. � Imagine that experience suggests that spending $100 each year on keyboard skills training for each operator would reduce the undetected error rate by 30%.

� Because the $100 per operator expense would yield a benefit of $60 in reduced ALE (30% of $200, the per-operator ALE), the ROI9 of training would be –40%, clearly not a cost-beneficial mitigation measure.

� In effect we would be spending $10,000 to achieve a $6,000 loss reduction. � However, if the error rate were reduced by 90% instead of 30%, the training would appear to be a good investment; spending $100 each to train operators, would produce a reduction in ALE per operator of $180, an ROI of +80%.

� The goal of the risk manager is to find the package of risk-management measures, which yields the greatest overall ROI.

62.5.2.1 The Three Risk-Management Regions. Basing risk- management decisions on ROI estimates, as described above, does not work for the low-probability, high-consequence risks because of two negative factors (1) the credibility of risk estimates and (2) management’s concern about the risk consequences. End users commonly have a higher level of concern about risks than IT system managers, but as a rule it is the IT system managers who make the decisions about security measures. An IT system manager generally has no difficulty choosing between buying a faster server, and a more reliable server. The benefit of higher throughput is immediately evident. The benefit of higher reliability is not as obvious. Thus, although a risk manager may identify a significant low-occurrence, high-cost risk before it has occurred, an organization’s senior managers probably would be unaware of these low-high risks, and would be genuinely surprised were a major loss to occur. Hence, the “Who could have imagined . . .” press releases. In other words, simply identifying an exposure might be thought to be enough to justify adoption of a mitigation measure to address the exposure. This suggests that the risk manager needs additional criteria for selecting risk mitigation measures. The next section presents an overview of mitigation measures to clarify the selection criteria.

It will help risk managers to understand the universe of risk events to which an organization is exposed, by dividing the total risk space into the three regions shown in Exhibit 62.8. The two axes are logarithmic, and the dots represent individual threats.

These regions help define appropriate risk-management actions. The bounders of the regions are defined by two senior management decisions.

1. The first decision is to define the minimum significant threat event occurrence rate. The concept is that it is reasonable to simply ignore the risk of threat events for which we have estimated occurrence rates less than some minimum rate. For

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 12 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

Minimum Significant Occ. Rate M a

x .

to le

ra b

le c

o n

s e

q u

e n

c e

O c

c u

rr e

n c

e R

a te

( lo

g s

c a

le ) Critical

threat.

Must

mitigate.

high

h ig

h

low

lo w

Consequence (log scale)

EXHIBIT 62.8 The Three Risk Zones © Copyright 2002 International Security Technology, Inc.

example, senior management may decide to ignore risks with occurrence rates estimated to be less than once in 20,000 years—that is, the probability of an occurrence of the threat next year is estimated to be less than 0.00005.

2. Senior management may also identify a loss level (consequence) that is intoler- ably high. Risk events of this type will appear in the upper right of Exhibit 62.6. The occurrence rate of these events is immaterial as long as they exceed the min- imum consequence criterion and the minimum occurrence rate. If we estimate that the loss caused by an occurrence of a threat event (commonly referred to as the single occurrence loss, or SOL) exceeds the loss threshold and the occurrence rate exceeds the minimum material occurrence rate, then we must take steps to reduce the loss, perhaps by transferring the risk with an insurance policy, or by reducing the estimated occurrence rate to a value below the minimum material occurrence rate.

It is instructive to consider where to plot an unusual risk event like the attack on the World Trade Center on September 11, 2001. It is likely that many organizations have facilities that would generate losses in excess of their maximum tolerable loss if totally destroyed by a similar terrorist attack. This implies that such organizations should take steps to protect these facilities against terrorist attacks. However, we should also take into account the estimated rate of occurrence before making a decision. How can we make a credible estimate of such a rare event? We can begin by estimating how many such events will occur next year in the United States. For example, based on past experience we might assume that there will be about two such attacks each year. Secondly, we estimate the likelihood that, of all the facilities in the United States, our facility would be selected for attack. This will depend on the attractiveness of our facility to a terrorist group when compared with all other potential targets in the United States. For example, assume that there are 100 attractive buildings that are as widely recognized and as vulnerable as the WTC. If our facility is one of the hundred, then we might estimate the occurrence rate as 1/100 × 2, or a probable occurrence rate of

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK MITIGATION 62 · 13

0.02/year. On the other hand, if our building is not one of the 100 high-profile buildings, then we might estimate that if there are 200,000 similar buildings in the United States, our occurrence rate is 1/200,000 × 2 or an occurrence rate of 1/100,000 years. In this latter case, our senior management probably would choose to ignore the risk.

The remaining portion of the Exhibit 62.6 graph, the mid- to upper-left-hand corner, is the zone where the risk manager attempts to find cost/beneficial risk-management measures as discussed in the sections that follow.

62.5.2.2 Where ROI-Based Risk Management Is Effective. ROI-based mitigation works well for high-probability, low-consequence risk exposures for two reasons: The manager who approves the expenditure believes that the risk exists and should be addressed, and believes further that the parameters used to generate estimates of ALE and the reduction in ALE, used to estimate ROI, are reasonable and credible.

62.5.2.3 Four Reasons for Adopting a Risk-Management Measure. There are four general tests of the utility of a risk-management measure:

1. The measure is required by law or regulation. In effect, a governing body has determined (one hopes) that the measure makes good public policy because it will always meet one of the remaining three tests. Exit door signs in public buildings are a good example. Sarbanes-Oxley may be an example of a bad (not cost-effective) law.

2. The cost of the measure is trivial, but its benefit is material. For example, a little-used door, which compromises physical access controls, is not being kept locked. One can institute a procedure and install security hardware to keep the door locked at very low cost.

3. The measure addresses a low-high risk that has an intolerable SOL, as discussed in Section 62.5.2.1. For example, it would be intolerable for a corporation to experience an SOL that exceeded owner equity or net worth. The failure several years ago of a prominent British merchant bank following unwise speculation by a staff member is a tragic example of an organization that failed to identify and address an intolerable SOL exposure.

4. The cost of the measure will be more than offset by the reduction in future losses (ALE) that it will yield. In other words, the mitigation measure has a positive ROI. This reason is commonly used to justify protection against the high-low risks. Operator keyboard training described in Section 62.5.2 is an example.

Procedures for managing the last two risk categories follow.

62.5.3 How to Mitigate Infrequent Risks. After the high-low threats have been addressed using an ROI analysis, the risk manager considers all imaginable low- high risks, one by one, and makes for each such risk an estimate of the SOL and the rate of occurrence. The report of this analysis should describe for each threat the confidence level of the estimates of its SOL and occurrence rate. These estimates are arranged in descending order of SOL. The list is presented to senior management, who draws a line somewhere on the list and says, “The risks above the line are intolerably high. Do something about them.” The risk manager then considers each of the unacceptable risks in two ways.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 14 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

62.5.3.1 Reduce the Magnitude of High Single-Occurrence Losses. Sometimes the magnitude of an SOL can be reduced. There are several possibilities:

1. Transfer the risk by obtaining insurance against it. The premium will depend in part on the amount of the loss that is deductible. For example, one might obtain insurance against a $100 million SOL with a $10 million deductibility to minimize the insurance premium. In effect, the intolerable $100 million SOL has been reduced to a tolerable $10 million SOL at the cost of the insurance policy premium.

2. Disburse the risk exposure. For example, replace a single IT center with an intolerable SOL of $500 million of catastrophic physical damage, and service interruption losses, with three centers having SOLs of about $167 million each. The centers should be sufficiently isolated from one another to rule out shared disasters. The cost will be the incremental cost of the less efficient operation of three facilities.

3. Reduce the vulnerability of the IT system to the risk. For example, implementing an enhanced business resumption plan, at some additional cost, can speed up recovery off site. This will reduce the SOL associated with catastrophic service interruption losses. Notice that this an example of a risk mitigation measure that affects more than one threat.

The risk manager also may strive to reduce the occurrence rate of a high SOL. Because of the uncertainty of the estimates of low occurrence rates, this is less satis- factory. Nonetheless, even the uncertain occurrence rate estimates can be useful. If two risk exposures have the same SOL, but differ by an order of magnitude in estimated occurrence rate, it is reasonable to assume that the risk with the lower occurrence rate represents a lesser danger to the organization.

62.5.3.2 Risk-Management Measures Selection Process. Assume that the risk manager has presented a risk-assessment/risk mitigation report to senior man- agement as described above. The report lists the low-high risks with one or more strategies for treating each risk.10 The senior manager is responsible for selecting the mitigation measures for implementation because, as noted above, ROI-based justifica- tion is inappropriate for this class of risks.

1. If the risk manager is able to identify a relatively low-cost mitigation measure that reduces the rate of occurrence of a risk to a low enough value, senior management may elect to adopt the mitigation measure.

2. There is some rate of occurrence below which the senior manager is willing to ignore a risk, even if the estimate is low confidence. Typically, this applies to very low occurrence rate events. Extreme examples are a nuclear detonation or a crashing meteorite.

3. Risk transfer by insurance, or one of the other techniques listed above, reduces the SOL to a tolerable level, and the senior manager is willing to accept the cost of the insurance coverage.

A complete tabulation of occurrence rates, and the costs of mitigating actions for all the high-SOL risk exposures, will help senior management to prioritize the imple- mentation of the mitigation measures.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK MITIGATION 62 · 15

62.5.4 The ROI-Based Selection Process. After the potentially fatal risks have been addressed as described in the preceding sections, the risk manager can turn to selection of measures to address the remaining high-low risks. A five-step procedure for selecting strategies on the basis of ROI is straightforward.

1. For each of the threats, identify possible risk-management measures. As noted above, some measures will affect more than one threat. There are four possible strategies: � Threat mitigation. Measures to reduce the occurrence rate and/or the impact of one or more of the threats.

� Risk transfer. Use an insurance policy or other contractual means to transfer some or all of the risk to another party.

� Business resumption plans. Take steps in advance of threat occurrences to decrease the time required to resume business operations. This type of strategy applies to non-IT business systems that are included in the scope of the risk- management project.

� IT system recovery plans. Take steps in advance of threat occurrences to de- crease the time required to resume operation of the IT system, and to reduce the amount of stored data lost. See Section 62.6.3.2 for details.

2. For each strategy, estimate the present value of the cost to implement and maintain the measure, taking into account the remaining life of the facility, the useful life of the measure, and the applicable time value of money. The organization will not enjoy the full benefit of a measure with a high initial cost and a low annual support cost if the life of the facility is less than the life of the measure.

3. For each strategy, estimate the effect of the measure on the occurrence rate and consequence of the threat(s) that the strategy addresses. Use these data to calculate total ALE, assuming the measure is implemented. Calculate the present value of the reduction in total ALE the strategy is expected to yield. This is the benefit of the measure. Note also that in addition to reducing risks a strategy may reduce operational costs. This cost saving should be added to the ongoing benefit (ALE reduction) of the strategy.

4. Using the values of cost and benefit, calculate ROI as follows:

ROI = (($Benefit − $Cost)∕$Cost) × 100%

For example, using the data in Section 62.5.2, ROI is calculated as follows:

ROI = (($6,000 - $10,000)/$1,000) × 100% = (-$4,000/$1,000) × 100% = 0.4 × 100% = -40%

This equation normalizes the ROI and expresses it as a percentage. Zero percent represents a neutral ROI (benefit equals cost). One hundred percent would represent a very beneficial measure, and 1,000% would probably be a no-brainer. If the measure generates a cost saving, the saving is added to the ALE reduction benefit when calculating the ROI. Note that the ROI analysis of a risk mitigation measure will understate its benefit, if the risk assessment does not include all the risk events that the measure will address.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 16 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

5. Make a list of the strategies in descending order of ROI after discarding the strategies with a negative ROI.

Presumably, management now selects for implementation the strategies in descend- ing order of ROI until all available resources are allocated. However, if two or more strategies impact the same threat, it is possible that their effects may be partially over- lapping. The risk manager can investigate this possibility the following way. Begin by assuming that the most attractive strategy has been implemented, and recalculate the baseline ALE. Next, verify the parameters for the remaining strategies, taking into account the effect of the measures assumed to have been implemented. Recalculate their ROIs as described above, and repeat the selection process. It would be conve- nient if there were an analytic way to do this, but this author has been unable to devise a practical way to do so because of the wide range and complexity of potential interactions.

62.5.5 Risk-Assessment/Risk-Management Summary. The risk model illustrated by Jacobson’s Window leads to the following conclusions:

1. Risks can be broadly classified as ranging from high-probability, low- consequence to low-probability, high-consequence events. In general, risk events in this range cause losses over a relatively narrow range of loss values when expressed as an annual rate or ALE.

2. Because of IT operating staff familiarity with the high end of the high-low risks, all available measures may already have been taken such that there may not be any cost-beneficial way to further reduce the ALE of some of these threats.

3. Midrange risks can be addressed by selecting mitigation measures with a posi- tive ROI, based on the relationship between the cost to implement a mitigation measure and the reduction in ALE it is expected to yield.

4. Treatment of low-high risks requires the judgment of senior management, based on estimates of SOL and, to a lesser extent, estimates of rate of occurrence. Mitigation measures or risk transfer may reduce SOLs to acceptable levels or decrease occurrence rates to the level at which risks can be ignored.

5. To be effective, the risk-management function must be: � Performed by properly qualified persons � Independent of IT line management � Reported to senior management to ensure that all risks are recognized, and that resource allocation is unbiased

62.6 RISK-ASSESSMENT TECHNIQUES. The first step in performing a risk assessment is to define the scope and focus of the assessment. The scope will define the IT functions or business processes, the physical assets, the intangible assets, and the liability exposures, which are to be included in the assessment. The focus means the kinds of risk events to be included in the analysis. Risk events may include failures of the IT hardware and software, software logical errors, deliberate destructive acts by both insiders and outsiders, and external events such as earthquakes, hurricanes, river floods, and so forth. Sometimes the focus is determined by the desire to evaluate a specific class of risk-management measures.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK-ASSESSMENT TECHNIQUES 62 · 17

62.6.1 Aggregating Threats and Loss Potentials. Aggregation is a key concept of quantitative modeling, and refers to the practice of combining related items to keep the model at a manageable size. For example, one can define a single risk event (IT Server Failure) or two risk events (Server01 Failure and Server02 Failure) under the assumption that the two servers support different systems with different loss potentials) and so on in ever-increasing detail. The more risk events defined for a risk assessment, the greater will be the effort required to establish the risk parameters, and perform the calculations. However, the individual risk events will not all have the same impact on the results of the assessment. Indeed, some risk events will be found to be completely inconsequential, so the time expended to estimate their parameters will have been wasted. In other words, an appropriate degree of detail will not be immediately obvious.

This suggests that one should begin an assessment using highly aggregated risks, functions (typically business processes), and assets, perhaps no more than 10 to 15 of each in a typical situation, together with roughly prepared estimates of the risk parameters. This preliminary analysis will show which elements are important to the results. One can then add details to the important elements as appropriate, and refine the material estimates to improve the validity of the model. This approach works to concentrate the effort on the important issues, and avoids wasting time refining unimportant input data.

62.6.2 Basic Risk-Assessment Algorithms. It is generally accepted that ALE, in dollars (or other currency as appropriate) per year, is calculated as follows:

ALE = Threat Occurrence Rate (number per year) × Threat Effect Factor (0.0 to 1.0) × Loss Potential (in monetary units)

The term threat occurrence rate (TOR) is used to designate the estimate of the probability of occurrence of a threat event during a risk-management planning period, typically one year, thus the TOR is the probability of occurrence at an annualized rate. The functions and assets are characterized by their potential to trigger a loss when impacted by one or more of the threats. The term potential for loss or simply loss potential is used specifically to designate the worst-case loss a function or asset can generate. This implies that there is at least one threat event (the worst-case threat) that will trigger a loss equal to the loss potential. Other threats will cause lesser losses because they have a lesser effect on the function or asset. The Threat Effect Factor is used to quantify the relationship between a threat event and a function or asset. If the threat event has no impact on the function or asset, the corresponding Threat Effect Factor will be zero. If the threat event triggers the worst-case loss (the loss potential), the Threat Effect Factor will be 1.0. Threat Effect Factors will range from zero to 1.0 for all threats.

Exhibit 62.9 illustrates how each threat-function or threat-asset pair includes a Threat Effect Factor. The SOL, expressed in monetary units for each function or asset with respect to a given threat event, is calculated as follows:

SOL = Threat Effect Factor (0.0 to 1.0) × Loss Potential (monetary units)

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 18 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

P ro

c e

s s

# 1

TEF21

TEF32

P ro

c e

s s

# 2

TEF22

TEF33

TEF11

P ro

c e

s s

# 3

TEF23

TEF12 TEF13

TEF31 TEF34

P ro

c e

s s

# 4

TEF24

TEF14

TEF42 TEF43TEF41 TEF44

Threat #1

Threat #2

Threat #3

Threat #4

EXHIBIT 62.9 Threat Effect Factors Connect Threats and Processes, Functions, and Assets

The terms loss potential and Threat Effect Factor are as defined above. The sum of the SOLs for all the functions and assets with respect to a given threat is the consequence of an occurrence of the threat.

From these two definitions, we can see that:

ALE = SOL × Threat Occurrence Rate ($/year)

The sections that follow discuss these two equations in more detail and describe techniques for estimating values for TOR, loss potential, and Threat Effect Factor.

62.6.3 Loss Potential. There are four basic kinds of losses that contribute loss potential:

1. Property damage losses. Property damage losses occur when a threat event im- pacts an asset of the organization. The asset may be physical property damaged, for example, by a fire or flood, or the asset may be an intangible asset, such as a trade secret or a proprietary database, the improper disclosure, modification, or destruction of which causes a loss to the organization.

2. Liability losses. The operation of an IT system may expose the organization to liability for damage or injury. For example, improper operation of an IT-controlled process might release a toxic gas. Improper disclosure of personal information may cause the individual to sue the organization for damages. If third parties place reliance on data generated or maintained by an IT system, there may be an exposure to damage suits if the data are incorrect as a result, for example, of flaws in the IT system.

3. Service interruption losses. Service interruption losses occur when IT system services or other business functions are interrupted, or are not initiated in a timely manner because of the action of a threat event. In general, the longer the duration of an interruption, the greater will be the amount of the loss. This means that service interruption loss potential must be estimated in the form of a table of values appropriate to the expected range of interruption durations the threats are expected to generate. As a consequence, each threat that causes

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK-ASSESSMENT TECHNIQUES 62 · 19

service interruptions must be defined in terms of the percentage of the threat’s occurrences that result in each of the interruption durations used to define service interruption loss potential.

4. Lost data losses. IT systems typically require stored data to function. If the primary copy of the stored data is lost, the data are recovered from the most recent backup copy, or reconstructed from paper records, if they exist, of prior transactions. The magnitude of the data loss will depend on the rate at which the stored data change, the frequency with which a backup copy is made, the accuracy of the backup copy process, and the frequency of the occurrences of the threat events that require data recovery of the stored data. The stored data used by some IT systems do not change continuously, and so a complete backup copy can be made after each update phase, and data loss thus avoided.

Loss potentials, as described in the three following subsections, are based on esti- mates of the worst-case losses with respect to the list of risk events.

62.6.3.1 Property and Liability Losses. These losses are treated the same way, so they can be discussed together. It is advisable to begin consideration of property damage losses by making an aggregated list of possible sources. For example, the initial list might consider together all the hardware in an IT facility, and similarly all of the databases needed to operate each of the principal IT applications. For each such asset11, an estimate is made of the worst-case loss that the organization could experience with respect to that asset. For example, the worst-case loss for a set of stored data would be the cost to reconstruct the data from back-up copies, and the cost to recover any missing or corrupted data. There will be other losses resulting from interruptions to IT services that require the availability of the data, but these losses are described separately in the next subsection.

Liability12 loss potentials, if included in the scope of the risk-management project, should be estimated in the same way. The first step is to determine which liabilities should be included in the risk assessment. The organization may already have a mech- anism for addressing liability exposure, possibly through a risk transfer mechanism. However, the liability exposures that are unique to the IT operations should be included, and the worst-case loss potential estimated as described above.

62.6.3.2 Service Interruption Losses. Service interruption (sometimes re- ferred to as denial of service13) losses refer to the losses experienced by end-users of an IT system when the service is not performed on time. The first step in estimating service interruption losses is to construct a list of the IT services for which there is a significant interruption loss potential. Here, too, it is desirable to aggregate individual applications in basic service areas. Examination of a wide range of functions suggests that there are six different classes of service interruption losses. Since each class of loss may begin after a different interruption duration, it is unlikely that there will be a single loss rate that begins at the instant the interruption begins, and has a fixed rate per hour of interruption duration into the indefinite future. Reviewing the causes with the persons most familiar with each service, typically the line-of-business managers, will determine which classes apply and what the loss potential factors are. By tabulating the losses associated with each of the classes, one can generate an overall loss potential for a suitable range of service interruption durations.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 20 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

� Reduced productivity. Would people be idled if there were a service interruption? If yes, how many and how soon? What, approximately, is their total pay, including benefits? If substantial production facilities would be idled, what is the approx- imate hourly cost of ownership of the facilities, computed as the total life-cycle cost of ownership divided by the total operating life in hours?

� Delayed collection of funds. Does the IT system application trigger collection of funds for the organization, for example, a billing system, or a loan-notes-due col- lection system? If yes, determine the average amount collected each business day, which would be affected by a service interruption. Because in most cases it will be possible to do some manual processing of the high-value items, the affected amount may be less than the full daily processing dollar volume. Determine a suit- able cost-of-money percentage for use in present-value calculations by consulting the organization’s treasurer or controller. Alternatively, the current commercial bank prime rate plus one or two percentage points can be used. The total loss does not increase linearly with the duration of the interruption. For example, assume that the one-day loss is $100 due to delayed collection. After a two-day outage, the loss would be $300: $200 from the first day and $100 from the second day. A three-day outage would cost $600. $300 of accumulated losses for the first day, $200 for the second day of delayed collections, and $100 for the third day, and so on.

� Reduced income. Will an interruption of the application impact sales revenue or other income receipts? If yes, estimate the amount of income lost both im- mediately, and over the long term, for a range of service interruption durations appropriate to the risk events included in the risk assessment. It may be difficult for the end user to make an estimate, unless it is possible to remember the last major service interruption, and to describe what happened. What would the organization do if a major competitor had a service outage? How would the outage become known, and how would it be exploited to increase income? These questions may help to determine the amount of reduced income to be expected.

Along with reduced income, there would probably be a reduction in operating expenses, such as cost of sales, caused by the decreased activity. When the reduc- tion in operating costs is subtracted from the reduced revenues, the result is the net loss. Estimates should be made for the shortest service interruption duration that the user believes would cause significant lost business; in addition, planning should include provisions for one or more service interruptions of greater duration.

� Extra expense. How would the user respond to an outage? Would it be necessary to hire temporary help, or to work overtime? Could an outside service be used? Would there be an increased error rate, which would increase error research and correction expenses? Might there be increased fraud loss, and fraud investigation costs? The cost to catch up, after the outage ends, is often a major extra expense factor. Beginning with the shortest significant duration, several estimates should be made, including a worst-case scenario.

� Lateness penalties. If the application entails any lateness penalties, contractual, regulatory, or legal, an estimate should be made of the amount of the penalties that would be triggered by an outage, and the outage duration that would trigger the penalties.

� Public perception. Public perception, as a catchall term, refers to the indirect effects of a service interruption. Staff morale and customer attitudes may be

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK-ASSESSMENT TECHNIQUES 62 · 21

affected negatively by the impression that the organization’s risks are not being effectively managed. The value of publicly traded stock may be adversely affected, and pending mergers or stock offerings may be derailed. The cost of borrowing may increase.

Note that this procedure does not involve asking end users to estimate the maximum tolerable service interruption duration. Asking for a tolerable duration is not a useful question. An attempt by end users to establish the value of tolerable is simply an opinion or subjective judgment call. The basic risk assessment will establish the ex- pected annualized losses. Then, an evaluation of the cost-benefit or ROI of alternative risk mitigation measures, implemented to reduce the number and duration of service interruptions, will identify the optimum IT system configuration, including measures to control service interruptions.

62.6.3.3 IT Systems Interruption Mitigation. IT system service interrup- tion mitigation is a special case because of the effect of lost-data losses. This is why.

The performance of IT system continuity plans is often characterized using two parameters, referred to as Recovery Time Objective14 (RTO) and Recovery Point Ob- jective (RPO). RTO is the maximum service interruption duration that will result from the action of threats on an IT system. The RTO of the continuity plan in place for an IT system will determine the expected losses of an IT system that result from the impact of the service interruption threats. Decreasing the RTO will decrease the expected loss, but will increase the cost to implement and maintain the IT system continuity plan.

The RPO is a measure of the frequency with which an IT system backs up stored data. The more frequently data are backed up, the lower will be the lost data losses, but the greater will be the cost to install and maintain the backup provisions.

The risk-management task is to pick the IT system continuity plan (RTO-RPO combination) that has the most favorable cost-benefit. The cost is the cost to install and maintain a given RTO-RPO combination. The benefit is the reduction in expected loss the RTO-RPO combination will achieve, compared with the RTO-RPO combination currently in use. This is why the question: “What is your maximum ‘tolerable’ outage duration, that is, your RTO?” is worthless. A rational selection depends on both cost and benefit, not the subjective appeal of any particular RTO.

Typically, there is an interaction between RTO and RPO. For example, tape is probably less expensive as a backup storage medium than disk, so we would expect a tape-based IT system continuity plan to be cheaper than a disk-based plan. However, tape will restrict the range of RPOs that can be implemented, and may control the best achievable RTO, both of which will increase expected loss. There is another important point.

There is no inherent connection between the service interruption loss potential of an IT system and the cost of RTO-RPO combinations for the system.

For example, a small inexpensive system (one with low RTO and RPO costs) might be running a very time-critical, high-value function, such as currency trading, while a large system with high RTO and RPO costs might be analyzing the works of William Shakespeare for the local college, a low criticality task.

62.6.4 Risk Event Parameters. As noted in the prior section, during the determination of loss potential, a list of significant risk events can be constructed. The list should be examined critically to determine if additional event types should be

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 22 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

added to the list, bearing in mind the aggregation considerations discussed above and the defined scope of the project.

Once the risk events list has been completed, two parameters are estimated for each event as follows:

1. Occurrence rate. There are several ways to estimate occurrence rates. If the event has had a relatively high occurrence rate in the past, typically more than once in 10 years, the organization is likely to have records of those events, from which the occurrence rate can be inferred with high confidence. However, there are two cautions. First, consideration must be given to any changes in the environment that would affect the occurrence rate. For example, the root cause of some system crashes may have been corrected, so that one would expect the future rate to be lower than in the past. Second, it is important to avoid double counting. For example, a system outage log may lump electric power failures into a catchall category: hardware failure. If electric power failure is included in the risk assessment as a separate risk event, its occurrences may be inadvertently counted twice.

If the risk event is external to the IT facility, for example, river flooding and earthquake, one can usually find external sources of information about past occur- rences. For example, one could use the NOAA National Hurricane Center’s list of the United States’ most intense hurricanes (www.nhc.noaa.gov/pastint.html) to determine if a given U.S. location has ever been impacted by a high-intensity hurricane. There are numerous Websites that can support a risk assessment. One also may find that past copies of local publications can help to determine the past local history. In some cases, there will be no meaningful past history for a risk event, particularly if the event is of recent origin, for example, e-business fraud and terrorism. In these cases, it may be possible to reason by analogy with other similar risk events to develop a reasonable estimate.

2. Outage duration. The range of outage durations for each threat must be estimated in order to be able to estimate service interruption losses. If the outage duration is not the same for all the IT systems that the risk event impacts, one may either use an average value or define a separate risk event for each of the systems, keeping in mind the aggregation considerations discussed above.

Remember that until an initial overall risk assessment, like Exhibit 62.6, has been generated, the analysts do not know which of the input data are important. Consequently, it is counterproductive to devote effort to refining initial data. The wide range of values encountered in a typical risk assessment makes it clear that rough initial estimates of the risk parameters will be sufficiently accurate to identify the critical parameters.

62.6.5 Threat Effect Factors, ALE, and SOL Estimates. From the basic risk-assessment algorithms, it is possible to determine the risk event/loss potential pairs for which the Threat Effect Factor is greater than zero (see Section 62.6.2), and having done so, to estimate the value of the factor. It is then possible to use the risk data discussed above and the algorithms to calculate an estimate of the ALE and SOL for each of the pairs, and then to tabulate the individual ALE and SOL estimates to obtain a complete risk assessment for the IT organization. This is useful as a baseline because it provides an assessment against which to evaluate potential risk mitigation measures.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RISK-ASSESSMENT TECHNIQUES 62 · 23

In other words, the benefit of a risk-management measure is the amount by which it reduces this baseline or current expected loss estimate.

In order to validate the assessment, it is necessary to identify the threat event/loss potential pairs that account for the majority of the expected losses. Typically, about 20 percent of the pairs cause 80 percent of the total expected loss. Reviewing the details of each input item, these questions should be asked: Were source data transcribed correctly? Are the assumptions reasonable? Were calculations made correctly? Does any threat event/loss potential pair account for so much of the expected losses that it should be disaggregated from other data items? Once the validation process is complete and indicated changes have been made, it is feasible to consider risk mitigation, but first one must gain acceptance of these data.

Field experience has disclosed a very powerful technique for gaining acceptance of estimates used in the risk assessment. First we gather data from knowledgeable people in the organization: line-of-business managers, IT specialists, audit, security, and so on. We use these data to make a preliminary baseline estimate of risks as described in the previous sections. We then convene a round table meeting of all the people who provided the data. We show them the results and the input data. This results in a useful discussion of the data, and tends to identify inputs based on faulty assumptions, personal biases, and misinformation. It is rather like an instant peer review. The agreed- upon changes to the input data are then used to make a final estimate of risks, which can be used to evaluate proposed mitigation measures.

62.6.6 Sensitivity Testing. The preceding discussion implies that a single value is to be estimated for each of the risk parameters included in the risk assess- ment. However, it may be thought that a parameter should not be limited to a single value, and that a Monte Carlo technique should be used to generate a set of ALE and SOL estimates. In a Monte Carlo approach, one generates random inputs into a model following specified probability distribution functions for each of the variables being studies. The outputs of the model then generate frequency distributions that allow one to evaluate the sensitivity of critical outputs to the precision of specific inputs. There are two obstacles to using this approach. Apart from the big increase in the complexity of the calculations, there is still a requirement to select a single risk mitigation strategy based on the set of ALE and SOL estimates. It is not feasible to install a range of performance values for given mitigation measures to match a range of loss estimates. As described previously, cost-beneficial risk mitigation measures are selected by cal- culating the baseline ALE, and then recalculating the ALE, assuming that the proposed mitigation measure has been installed. The difference between the two ALE estimates is taken to be a reasonable estimate of the return in the ROI calculation. Assuming two sets of 1,000 ALE estimates (without and with a proposed mitigation measure), which were generated by a Monte Carlo simulation, calculating all possible differences produces a set of 1,000,000 returns. Which one should be selected to calculate ROI?

Using the most likely value for each risk parameter, and generating only two ALE estimates, the difference between the two may be used to calculate ROI. Because the ROI typically flows from a relatively large number of parameters, the overall result will tend to average out any individual departures from the average values used, and so will be a fair representation of the actual risk losses that will occur.

However, if confidence in the accuracy of an estimate is extremely low, estimates using low, median, and high values of the parameters should be used to evaluate the effect on the overall results. Whenever a risk assessment includes a material low- confidence parameter, full disclosure should be made to the managers who review and

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 24 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

act on the results. Risk analysts should bear in mind that almost all other decisions about resource allocations, which senior managers are regularly called on to make, are based on uncertain estimates of future events. There is nothing unique about the uncertainties surrounding risk mitigation decisions.

62.6.7 Selecting Risk Mitigation Measures. The objective of the risk mit- igation process is to identify the optimum set of mitigation measures. The first step is to address the intolerable SOL exposures as discussed in Section 62.5.3. The risk assessment and the evaluation of potential risk mitigation measures provide the raw material on which to base an implementation strategy for the risk exposures in the midrange. Considerations include:

The mitigation measures with negative ROIs can be discarded. The remaining mitigation measures can be tabulated in three ways:

1. In descending order of net benefit: ALE reduction minus the implementation cost 2. In ascending order of implementation cost 3. In descending order of ROI

Based on other considerations, senior management selects mitigation measures from one of the three lists. Other considerations include the following:

� The availability of resources for risk mitigation may be limited, in which case some mitigation actions must be deferred until the next budgeting period. In extreme cases, the lowest cost measures may be selected.

� The mitigation of risk exposures that have a particularly undesirable effect on marketing considerations, as compared with other loss categories, may be given priority.

62.7 SUMMARY. This chapter has shown the tremendous advantage of having a detailed, quantitative assessment of the risk exposures leading to a quantitative evaluation of prospective mitigation measures. Senior managers will appreciate the advantage of using rational business judgment in place of seat-of-the-pants guesswork.

62.8 FURTHER READING Anderson, E. Business Risk Management: Models and Analysis. Wiley, 2014. Bhatia, M. Handbook of Applied Risk Measurement. Wiley, 2014. Blundell, D. M., T. Cuthbertson, and J. Daniel. Operational Risk Management. Global

Professional Publishing, 2013. Coleman, T. S. A Practical Guide to Risk Management. Research Foundation of CFA

Institute, 2011. Crouhy, M., D. Galai, and R. Mark. The Essentials of Risk Management, 2nd ed.

McGraw-Hill, 2013. Gordon, L. A. Managerial Accounting—Concepts and Empirical Evidence, 6th ed.

McGraw-Hill, 2005. Lam, J. Enterprise Risk Management: From Incentives to Controls, 2nd ed. Wiley,

2014. Louisot, J.-P. ERM—Enterprise Risk Management: Issues and Cases. Wiley, 2013. McGill, W. L. Math for Security. CRC Press, 2014.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 62 · 25

Moeller, R. R. Executive’s Guide to COSO Internal Controls: Understanding and Implementing the New Framework. Wiley, 2013.

Mulcahy, R. Risk Management Tricks of the Trade for Project Managers + PMI-RMP Exam Prep Guide, 2nd ed. RMC Publications, 2010.

Siepman, F. ManagingRiskandSecurity inOutsourcingITServices:Onshore,Offshore and the Cloud. Auerbach, 2013.

Sweet, K. Introduction to Security and Risk Management. CRC Press, 2014. Sunstein, C. R. Risk and Reason: Safety, Law, and the Environment. Cambridge Uni-

versity Press, 2002.

62.9 NOTES 1. The term mitigation measure is used here broadly to refer to all actions taken

to manage risks, and may include logical controls over access to data, physical controls over access to IT hardware, facilities to monitor operations, selection and supervision of IT personnel, policy and procedures to guide operations, and so forth— in short, all of the security techniques described in this Computer Security Handbook.

2. Donn B. Parker, “What’s Wrong with Information Security—and How to Fix It.” Lecture at Naval Postgraduate School, April 28, 2005, www.youtube.com/ watch?v=RW9hOBCSy0g

3. Another way of expressing this concept is as follows: Perfect security is infinitely expensive, and so it is not a rational goal of a risk-management program.

4. As a practical matter, it may become obvious that in some situations the differences between the members of a group of like IT systems are too small to be significant, and that a single set of security measures can be adopted for all of the systems.

5. “Expected loss” is a shorthand term for the losses an organization can reasonably expect to experience given its risk environment and the potential for loss of its functions and assets. It is the sum of the individual ALEs.

6. This author has made it a practice at the end of each interview to ask: “Is there something I should have asked about?” or words to that effect. In most cases, new information emerges as a result.

7. The plot was generated automatically by CORA R© (Cost-Of-Risk Analysis), a risk-management software system.

8. D. McNeill, “With Fukushima Nuclear Plant Still Leaking, Japan Clean-Up Bill Soars to $50bn.” The Independent, July 24, 2013, www.independent.co.uk/ news/world/asia/with-fukushima-nuclear-plant-still-leaking-japan-cleanup-bill- soars-to-50bn-8730832.html

9. Return on investment is the ratio of the return received from an investment to the investment itself. If a bank pays back $1.05 one year after $1.00 has been deposited in the bank, the ROI is roughly 5%. To determine ROI accurately, one must take the ratio of the present value of the return to the present value of the investment.

10. A given measure may address more than one threat, so the total of the individual reductions in expected loss are used to evaluate the ROI of the measure.

11. This is an example of the advantage of aggregation. Rather than estimating the loss potential for individual physical item, it is much more efficient to aggregate the items into large classes. It may also be feasible to estimate loss potential on the basis of replacement cost per unit area.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

62 · 26 QUANTITATIVE RISK ASSESSMENT AND RISK MANAGEMENT

12. The term liability is used here as a shorthand for exposure to liability. For example, an IT service performed for others might expose the organization to a liability action if the service was performed incorrectly resulting in a client loss. This potential risk exposure is referred to here simply as a liability.

13. The term denial of service implies that service interruptions are the result of deliberate attacks on an IT system, but, of course, there are many other threats that cause service interruptions. For this reason, the term may cause misunderstanding, and so should not be used.

14. The use of the word objective is unfortunate in this context. It would be more precise to use a term like provision of performance to make clear that the quantity is what a contingency plan is expected to achieve . . . not a vague goal. However, the terms RTO and RPO are widely used, so we will use them here.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63CHAPTER

MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Carl Hallberg, M. E. Kabay, Bridgitt Robertson, and Arthur E. Hutt

63.1 INTRODUCTION 63 · 1 63.1.1 Role of Management 63·2 63.1.2 CISO 63·2 63.1.3 Information Security

Integrating into Strategic Vision 63·4

63.1.4 Net Present Value of Information Security 63·5

63.1.5 Case Study: Veterans Affairs 63·5

63.2 RESPONSIBILITIES 63 · 10 63.2.1 Policy Management 63·12 63.2.2 Motivation 63·12 63.2.3 Supervision 63·14 63.2.4 Judgment and

Adaptation 63·15 63.2.5 Management

Failures 63·16 63.2.6 Risk Management 63·18

63.3 LIABILITIES 63 · 19 63.3.1 Stakeholders 63·19 63.3.2 Due Diligence

of Care 63·20

63.3.3 Downstream Liability 63·20

63.3.4 Audits 63·22

63.4 COMPUTER MANAGEMENT FUNCTIONS 63 · 23 63.4.1 Planning for

Computer Security 63·23 63.4.2 Organizing 63·23 63.4.3 Integrating 63·24 63.4.4 Controlling 63·25

63.5 SECURITY ADMINISTRATION 63 · 25 63.5.1 Staffing the Security

Function 63·25 63.5.2 Authority and

Responsibility 63·26 63.5.3 Professional

Accreditation and Education 63·27

63.6 CONCLUDING REMARKS 63 · 28

63.7 FURTHER READING 63 · 29

63.8 NOTES 63 · 29

63.1 INTRODUCTION. This chapter reviews the critical roles of management in establishing, implementing, and maintaining information security (INFOSEC) policies in the modern enterprise. It also reviews some of the risks to management personnel in failing to ensure adequate standards of INFOSEC.1

63 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 2 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

63.1.1 Role of Management. Organizations are unequally affected by the risk of loss. In certain government computer installations, matters of national security are at stake, and the measures required to protect such facilities are elaborate and costly. At the other end of the spectrum are computers used exclusively for word processing of unclassified materials, which are not connected to networks; these require few security precautions except for file backup and antivirus software. This chapter and this Handbook do not address either of these extremes, but rather the bulk of user organizations in business, government, and universities, where concentrations of information assets and dependence on computers create an exposure to loss, and managers must balance security with cost effectiveness and common sense while convincing colleagues with a superficial knowledge of security to pay attention to their recommendations.

Management provides the essential framework for accomplishing technical work. Whether it is drawing up a security policy, enforcing such policies, training the indi- viduals who will implement and enforce those policies, or proposing a budget to get all this done, management plays an essential role. Information technology (IT) managers ensure the consistent functioning of the organizational computing environment. Ideally, they also provide insights and guidance to upper management in strategic planning to take advantage of new opportunities.

Many organizations, regardless of size and history, have heterogeneous networks with many different operating systems running different applications and serving many purposes and clients. Web servers sit next to email servers, which connect to outside networks, which then rely on connections to more than one third-party corporate network. The rapid pace of technological change impedes the IT manager’s ability to keep the enterprise IT infrastructure running smoothly.

A key function of IT managers is loss avoidance by managing risk intelligently, in order to reduce the likelihood of trouble in the IT sector and to reduce the costs of coping with such trouble.2 In a broader sense, this entire Handbook is designed to support management in these efforts.

IT managers must focus constantly on enabling business functions. Given that most enterprises do not consider security as their main task, IT managers must ensure that INFOSEC policies and technology support, rather than hinder, the principal business of the enterprise. It is equally important to impress this philosophy of service to the strategic and operational goals of the enterprise on all members of the security staff. Many of these members may have developed their careers entirely in the technical sectors, and they may not have developed a service orientation toward their nontechnical fellow workers, and toward the enterprise itself.

63.1.2 CISO. In recent years, INFOSEC has been growing in visibility as a major business concern. IT managers are now being joined by INFOSEC managers. For example, a major bank responded to infiltration of its systems in the 1990s by naming a chief INFOSEC officer (CISO) reporting at the same level as officers such as the chief information officer (CIO), chief financial officer (CFO), chief operations officer (COO), chief technology officer (CTO), and chief executive officer (CEO). Together, the CIO and the CISO face complex responsibilities, and are increasingly visible in the corporate infrastructure.

Today, CISOs are increasingly found in all types of corporations. They may report to the CIO, or they may have a position on an equal level with the CIO. Some of the functions in a security organization are suggested in the hierarchy that follows. (These

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 63 · 3

functions do not imply one team or one person per function, but simply illustrate the range of functions a CISO must coordinate.)

� CISO � Security policy team

� Development � Awareness � Education � Update management

� Access controls � Data classification functions � Identification, authentication, and authorization functions

� Intrusion detection and prevention � Outward-facing intrusion detection systems � Gateway security devices � Malware control team

� Security assessment � Security auditing � Penetration team

� Engineering coordination � Software quality assurance coordination � Patch management review � Network security oversight � Control systems and logging management

� Security incident response team � Planning and rehearsals management � First line response � Data gathering and forensic analysis � Coordination with internal functions (legal, public relations, human resources, etc.)

� Coordination with law enforcement

One of the factors in this increased visibility of the CISO is the rapid growth in the popular press of technology issues coverage and of INFOSEC breaches in particular. For example, distributed denial-of-service attacks, malware infestations, breakdowns of privacy policies, theft of credit card numbers, loss of control of large volumes of personally identifiable information, identity theft, Website defacements, spam, phishing, and the other forms of abuse to information systems, described in several chapters of this Handbook, have kept the public aware of INFOSEC and its breaches.3

In some sense, publicity has helped the IT world, because some IT managers now have increased ammunition with which to argue for management support of the security function. Publicity has increased visibility, however, so that even a minor breach of security may spark an overreaction in the upper echelons of the enterprise. Indeed, in

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 4 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

California, it is now law (SB 1386) that companies that suffer from some forms of INFOSEC breaches must quickly advise their customers of these events.4

63.1.3 Information Security Integrating into Strategic Vision. IT se- curity managers are now able to help their businesses achieve strategic goals and to further their responsibilities by showing that security involves more than just pro- tecting assets, it is also potentially a business enabler. In the absence of a secure IT infrastructure, businesses may be slow to enter a given market for fear of losses and liabilities resulting from security breaches. However, with security integrated into the corporate culture, these enterprises can confidently enter new arenas and convince their potential clients that their data will be safe. The authors have personal experience from consulting assignments in which clients stated that their own potential customers were reluctant to do business with them because their security measures were inadequate.

George Lin describes the benefits of a business-focused IT organization:

In a business-focused IT organization … IT staff are more interested in understanding the business—and the people, processes, and organization that make up the business—than they are in the technology for its own sake. These staff members possess a balanced set of soft skills, and business acumen as well as analytical and technical skills. They think about business processes first and technology second. The solutions they propose tend to be more complete, often involving people, process, and organization as well as technology, which is seen as simply a tool. Interacting with such an organization yields an experience similar to that expected from Big Four consulting firms, but with the added intimacy and insights only an internal organization can provide.

More importantly, IT/business alignment becomes a nonissue because it is natural to a business- focused IT organization, the very DNA of its staff. There is no need to expend effort specifically on IT/business alignment because the business-focused IT organization thinks and acts like the business that it serves, and is an integral part of that business.5

In this framework, INFOSEC becomes not an afterthought, preventing loss, but part of the design strategy, which will help realize gain. This is a much more powerful, and positive, view of INFOSEC’s role in the business world than is the traditional one. Using INFOSEC principles in the design of a product or service generally helps to create a more robust product or service, one that will be less prone to risk.

The National Institute of Standards and Technology has articulated a roadmap for integrating security considerations into the system development life cycle (SDLC)6

(with addition of three more security objectives in compliance with the Parkerian hexad described in Chapter 3 in this Handbook):

A general SDLC includes the following five phases: initiation, acquisition/development, im- plementation/assessment, operations/maintenance, and sunset (disposition). Each of these five phases includes a minimum set of security tasks needed to effectively incorporate security in the system development process. Including security early in the information SDLC will usually result in less expensive and more effective security than adding it to an operational system.

The following questions should be addressed in determining the security controls that will be required for a system:

� How critical is the system in meeting the organization’s mission? � What are the security objectives required by the system, e.g., integrity, confidentiality, and availability [and control, authenticity, and utility]?

� What regulations and policies are applicable in determining what is to be protected? � What are the threats that are applicable in the environment where the system will be opera- tional?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 63 · 5

Integrating a security methodology into a product or service helps to defines roles and responsibilities and helps to manage expectations.

63.1.4 Net Present Value of Information Security. A paper from the late 1990s articulated the positive value of INFOSEC in a competitive economy. The summary included these conclusions:

The news is that we can now go beyond gibbering and fist shaking. In today’s e-commerce environment, effective information security can actually increase business and increase profits, not merely reduce risk. …

Tom Nelson, VP and Chief Strategy Officer of AtomicTangerine, has defined the Net Present Value of Information Security (NPVSec) as follows: “NPVSec is the value protection and value creation that is realized when barriers to e-Business are removed through mechanisms that ensure business integrity, service availability, and customer/consumer confidentiality and privacy. Value creation examples include: new distribution channels, new revenue streams, new business models, among others.”

In other words, instead of viewing information security solely as a risk-avoidance measure—like a kind of insurance policy that never actually pays anything back—we are forced by the nature of e-business to accept that security actually supports and enables e- business.

As we have seen … e-business has brought security to the forefront of strategic thinking for successful businesses. Business leaders can no longer tolerate the view that security is an add-on feature relegated to the end of the design process. Security is a process, not a product or a state; security affects every e-businesses bottom line in a positive way. Security is no longer a cost center; it’s part of your repertoire for meeting the legitimate needs of your public. Instead of seeing security as solely the purview of the technical staff in your organization, you should ensure that your marketing and public relations departments are well versed in the principles of information security and can communicate effectively to an anxious public about the measures you are taking to safeguard your customers’ privacy and their money.7

Another perspective on the value of integrating information security into a corporate culture argues that “the responsibility for protecting the organization’s information assets is no longer restricted to the CSO [chief security officer]. Every employee has a responsibility to help protect the proprietary data they are entrusted with.”8 The authors write that:

This approach:

� Improves individual leadership through collaboration and team building � Strengthens corporate allegiance � Helps to provide a sense of community � Builds an intelligent workforce where every employee is recognized and watched by their peers for their individual contribution to the team’s strength. …

In addition, embedding security deep into every process of the corporation, starting at the executive level, is an extremely effective method of taking one problem and leveraging the success of that solution to correct other problems.

63.1.5 Case Study: Veterans Affairs. The next summary of a specific case of management failures will serve to help readers think about the management respon- sibilities for information assurance.9

63.1.5.1 Announcement without Taking Responsibility. In March 2007, Network World writer Jon Brodkin wrote an excellent analysis of 10 letters

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 6 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

informing victims of data theft or loss of control of personally identifiable informa- tion (PII) that their data might be compromised.10 He pointed out that almost all of the letters failed to express any responsibility for the loss of control over data stored on unencrypted disks that were lost or stolen or for poorly secured Websites that posted PII without protection, or with poor protection. Perhaps staff attorneys warned the public relations officials to avoid any implication of responsibility to avoid contributing anything that would exacerbate their liability in potential lawsuits. Passive voice is often used to shift responsibility from specific agents to the great gaseous cloud of the unnamable and unblamable. The classic example is “Mistakes were made.”

In 2007, this letter was sent to physicians affected by a security breach.

DEPARTMENT OF VETERANS AFFAIRS

1615 Woodward St.

Austin, TX 78772

—–, MD

Dear —–, MD:

I am writing to you, as the Director of the Veterans Integrated Service Network (VISN) 7 in Atlanta, Georgia, to inform you that I have been notified that a portable computer hard drive used by an employee of the Birmingham Veterans Affairs (VA) Medical Center is missing. This portable hard drive was used to back-up information contained on a VA employee’s office computer, related to research projects with which the employee was involved. A file on the portable hard drive included information from the Unique Physician Identification Number (UPIN) Directory dated 2004, which includes demographic information and identifiers, such as the UPIN, dates of birth, state license numbers, business addresses, and employer identification numbers (EIN). In the case of your information, we believe the EIN was your Social Security Number. This file was obtained by VA from the Centers for Medicare & Medicaid Services (CMS) for the purpose of conducting research on veterans’ health care.

The Birmingham VA Medical Center has conducted extensive physical searches and has involved local police and Federal investigative resources, and a reward is being offered; however, the hard drive remains missing. To prevent further security breaches or losses, we have taken immediate measures to protect the integrity and security of all personally identifiable information including prohibition of the use of external drives and the required encryption of personally identifiable information when authorized distribution is required.

An independent risk analysis was conducted as required by law, and risk mitigation recom- mendations are being implemented immediately. VA will contact you shortly by mail to offer a credit monitoring service at no cost to you. In the mean time, one precaution we recommend is for you to request a free credit report from one or more of the three national credit bureaus by calling the toll free number 1-877-322-8228. The credit bureaus may also be contacted at:

Equifax P.O. Box 740241 Atlanta, GA 30374 1-800-685-1111 Experian P.O. Box 9554 Allen, TX 75013 1-888-397-3742

TransUnion P.O. Box 2000 Chester, PA 19022 1-800-916-8800

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 63 · 7

More information about credit protection, including placing a “fraud alert” on your accounts, is available by calling the Federal Trade Commission at its toll free number, 1-877-438-4338, or by visiting its Website, http://www.ftc.gov/

If you have questions concerning this letter, the Birmingham VA Medical Center has established a dedicated call center to answer your questions. Please contact us toll free at 1-877-xxx-xxxx from 6:00 am to 9:00 pm CT, or email us at < address suppressed >.

We at VA take information security and privacy very seriously. We apologize for any inconve- nience or concern this situation may cause, but we believe it is important for you to be fully informed of any potential risk to you.

Sincerely,

[digitized signature]

Lawrence A. Biro

Network Director, VISN 7

63.1.5.2 Initial Problems. On May 3, 2006, a career civil servant at the De- partment of Veterans Affairs (VA) violated official policy by taking computer disks containing PII about 26.5 million veterans home with him. The disks were stolen from his home.11 Two weeks after officials learned of the theft, the VA disclosed the incident to the public and set up a Website and an 800-number to provide veterans and with information and a channel for reporting possible identity theft.12

The USA.gov Website put up a page called “Latest Information on Veterans Af- fairs Data Security”13 with answers to frequently asked questions; the VA itself also continued issuing press releases.14

In early June 2006, the VA announced that the stolen data might include PII about up to 1.1 million active-duty troops, 430,000 members of the National Guard, and 645,000 members of the reserves.15 Reactions from a coalition of veterans groups were immediate: They launched a class-action lawsuit demanding full disclosure of exactly who was affected by the theft and seeking $1,000 in damages for each victim.16

The VA struggled to cope with the bad publicity and potential legal liability resulting from the May theft. On May 26, 2006, Secretary of VAR James Nicholson issued a Directive to all VA supervisors, in which he wrote:

Having access to such sensitive information brings with it a grave responsibility. It requires that we protect Federal property and information, and that it shall not be used for other than authorized activities and only in authorized locations. As managers, supervisors, and team leaders it is your responsibility to ensure that your staff is aware of and adheres to all Federal and VA policies and guidelines governing privacy protected material. I also expect each and every one of you to know what sensitive and confidential data your subordinates, including contractors, have access to and how, when and where that data is used, especially in those cases where it is used or accessed off-site.17

On May 30, 2006, the VA fired the analyst “responsible for data loss” and announced changes in the administration of INFOSEC in the organization.18 The press release made no mention of who was responsible for allowing anybody to store unencrypted PII on VA computers or media.

Coincidentally, at the end of May, the Government Accountability Office (GAO) issued a report: “GAO-06-612: Homeland Security: Guidance and Standards Are Needed for Measuring the Effectiveness of Agencies’ Facility Protection Efforts.”19 The

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 8 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

report specifically named the VA as requiring “guidance and standards for measuring performance in federal government facility protection.”

On June 21, 2006, the VA announced that it would provide free credit monitoring for everyone affected by the data theft in May.20

But worse was yet to come.

63.1.5.3 Systematic Management Failures. On June 14, 2006, Linda D. Koontz, Director, Information Management Issues, and Gregory C. Wilshusen, Direc- tor, Information Security Issues of the Government Accountability Office of the United States, offered testimony before the Committee on Veterans’ Affairs, House of Repre- sentatives. The GAO report on their analysis and recommendations later appeared as GAO-06-866.21 Highlights of their analysis included these comments:

For many years, significant concerns have been raised about VA’s information security—particularly its lack of a robust information security program, which is vital to avoiding the compromise of government information, including sensitive personal informa- tion. Both GAO and the department’s inspector general have reported recurring weaknesses in such areas as access controls, physical security, and segregation of incompatible duties. The department has taken steps to address these weaknesses, but these have not been sufficient to establish a comprehensive information security program. For example, it is still developing plans to complete a security incident response program to monitor suspicious activity and cyber alerts, events, and incidents. Without an established and implemented security program, the de- partment will continue to have major challenges in protecting its information and information systems from security breaches such as the one it recently experienced.

Two related reports appeared about a week later with specific comments about the May 2006 data breach22 and about the overall challenges facing the VA and the Department of Defense (DoD) in protecting PII of active-duty and retired military personnel.23

At the end of June 2006, the laptop and external hard drive stolen on May 3 from the consultant’s home were recovered. Forensic examination suggested that the data had not been accessed. This good news suggested that the disaster might blow over.

It was not to be. The Inspector General (IG) of the VA, George Opfer, released a report on July 11

severely criticizing senior managers of the VA for their lackadaisical response to the original theft of unencrypted PII. The inadequate data security policies had not yet been corrected.24 VA secretary James Nicholson responded to the IG’s report with assurances that the agency had “embarked on a course of action to wholly improve its cyber and information security programs.”25

63.1.5.4 Continued Problems. On Monday, August 7, 2006, Secretary Nicholson announced that a Unisys subcontractor working for the VA offices in Philadelphia and Pittsburgh had reported that his desktop computer was missing. The computer contained PII for 18,000 and possibly up to 38,000 veterans.26

A week later (August 14), the VA announced that it would spend $3.7 million on encryption software and would encrypt data on all the department’s computers and external data storage media or devices. Installation would begin Friday, August 18.27

In mid-September, the stolen Unisys desktop computer with VA data was located and a temporary employee working on subcontract to Unisys was arrested and charged in the theft.28

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 63 · 9

In October 2006, the Congressional Committee on Oversight and Government Re- form published a report on data losses in U.S. Government agencies since January 1, 2003.29 There were 788 incidents in 19 agencies—in addition to hundreds of incidents at the VA. The report’s findings included these bald assertions:

1. Data loss is a government-wide occurrence. … 2. Agencies do not always know what has been lost. The letters received by the Committee

demonstrate that, in many cases, agencies do not know what information has been lost or how many individuals could be impacted by a particular data loss. Similarly, agencies do not appear to be tracking all possible losses of personal information, making it likely that their reports to the committee are incomplete. For example, the Department of Justice reports that, prior to the May 2006 Veterans Administration data breach, “the Department did not track the content of lost, stolen, or otherwise compromised devices.”

3. Physical security of data is essential. Only a small number of the data breaches reported to the Committee were caused by hackers breaking into computer systems online. The vast majority of data losses arose from physical thefts of portable computers, drives, and disks, or unauthorized use of data by employees.

4. Contractors are responsible for many of the reported breaches. Federal agencies rely heavily on private sector contractors for information technology management services. Thus, many of the reported data breaches were the responsibility of contractors.

Alas, the best-laid plans of VA administrators gang aft agley, and on October 31, 2006, VA officials informed 1,400 veterans that their PII had been on unencrypted data disks sent by mail from the VA clinic in Muskogee, Oklahoma, on May 10, June 10, and July 10, which were lost. A spokesperson for the hospital explained the three-month delay as being due to the “wait for officials in Washington to approve the wording of the letter.” Approval arrived October 26. There was no explanation of why the data were unencrypted, nor why two additional disks were mailed out after the May 10 disk was lost. A report on this incident dated November 3, 2006, by Rick Maze in the Federal Times30 also indicated that a laptop computer from the VA hospital in Manhattan was stolen on September 8 from a computer locked to a cart in a locked room in a locked corridor—and that the data on the stolen machine was deliberately not encrypted despite policy because “a decision had been made not to encrypt data being used for medical purposes.”

And more was to come in February 2007.

63.1.5.5 Analyses and Responses. On Friday, February 2, 2007, Secretary of Veterans Affairs Jim Nicholson announced that a VA employee in the VA medical center in Birmingham, Alabama, had reported an external hard drive as missing on January 22. According to Representative Spencer Bachus (R-AL), the backup hard drive contained PII on up to 48,000 veterans—and despite VA regulations promulgated in 2006, as many as 20,000 of those records were not encrypted.31 A week later, the VA admitted that the hard drive actually contained PII about 535,000 patients and 1.3 million doctors.32 It was that loss that led to the letter quoted in the first part of this section.33

A few weeks later, the GAO released the closest thing to an exasperated blast of which government workers are capable. In testimony before the Subcommittee on Oversight and Investigations, Committee on Veterans’ Affairs, House of Repre- sentatives on February 28, 2007, GAO Director of Information Security Issues Gre- gory C. Wilshusen presented a report entitled “Veterans Affairs Needs to Address

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 10 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Long-Standing Weaknesses.”34 The summary on page 2 of the PDF file includes this commentary:

For many years, GAO has raised significant concerns about VA’s information security—particularly its lack of a comprehensive information security program, which is vital to safeguarding government information. The figure below details information security weaknesses that GAO identified from 1998 to 2005. As shown, VA had not consistently im- plemented appropriate controls for (1) limiting, preventing, and detecting electronic access to sensitive computerized information; (2) restricting physical access to computer and net- work equipment to authorized individuals; (3) segregating incompatible duties among separate groups or individuals; (4) ensuring that changes to computer software were authorized and timely; or (5) providing continuity of computerized systems and operations. The department’s IG has also reported recurring weaknesses throughout VA in such areas as access controls, physical security, and segregation of incompatible duties. In response, the department has taken actions to address these weaknesses, but these have not been sufficient to establish a comprehensive information security programs. As a result, sensitive information has remained vulnerable to inadvertent or deliberate misuse, loss, or improper disclosure. Without an es- tablished and implemented security program, the department will continue to have major challenges in protecting its systems and information from security breaches.

In early March 2007, the VA reacted to the January 22 loss of the portable hard drive. CIO Robert Howard promulgated a policy restricting the use of portable data storage devices. Only flash drives smaller than 2 GB—and only those issued by the VA’s CIO office itself—would be permitted on the VA network or computers. Encryption would be used throughout the system, just like the assurance issued in August 2006 about spending $3.7 million on encryption tools.35 In addition, the CIO announced sweeping changes in security administration, with promotion of five deputy CIOs to the rank of assistant secretaries for these functions: application development, information security, operations and maintenance, resource management, and strategic planning.

As of late May 2007, federal agencies announced that they would stop storing Social Security numbers and other PII wherever possible.36

For an extensive compilation of additional cases of interest, see the “Chronology of Data Breaches: Security Breaches 2005–Present,” managed by the Privacy Rights Clearinghouse.37

63.2 RESPONSIBILITIES. Modern information processing philosophy tran- scends the boundaries of the computer room and demands the consistent delivery and collection of data to and from remote sections of the organization. Once this operating mode is extensively used, the company becomes dependent on its continued availabil- ity. Any shutdown or cutoff in service can be disastrous, unless the company is able promptly to revise operations, in order to continue vital activities. Central computers, local servers, workstations, and the network are essential to the operating environment.

Computer security includes the protection of confidentiality, control, integrity, au- thenticity, availability, and utility of information.38 Computer security encompasses the total infrastructure for maintenance and delivery of information, including physical computer hardware, supporting equipment, communication systems, logical processes defined by software, and the human factors that support and possibly threaten this infrastructure.

Computer security is inseparable from the basic structure of the information pro- cessing system; one cannot and should not design a system without including security as an underlying strategy. The objectives and properties of secure systems must be considered collectively from their inception.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RESPONSIBILITIES 63 · 11

Software, systems, and networks should be designed to ensure information protec- tion that corresponds to business needs. There are many steps that can be taken to do this, but managers must place a high priority on making it happen. Managers are in a position to see what the business needs actually are, much more so than the typical INFOSEC analyst or engineer. A prime example is e-commerce Website management. No reputable site allows transactions without minimal SSL encryption. A savvy IN- FOSEC manager will track all information from the setting up of the SSL tunnel, all the way through the shipping process, and beyond into the storage of information gathered during any transaction, and ensure that security is not lacking at any juncture in the process. If the data are not securely stored while sitting in a database, the whole process falls apart.

The ability of a system to ensure accuracy, reliability, and confidentiality is a basic building block. The collective system (hardware, software, communications, and peo- ple) must be able to maintain and process data correctly, and move traffic (transactions, inquiries, commands, etc.) from its origins to the intended destinations, without unau- thorized modification or disclosure and without misrepresentation, forgery, or other breaches of authenticity. Reliable performance is essential. Any failures should be or- derly and predictable, with adequate detection methods to provide timely evidence of failure and to permit prompt corrective actions. Hardware/software limitations should be known and documented, as should load limits. Bounds checking, at a minimum, should be implemented in all software to avoid buffer overflows. Any inputs that are not checked should be documented, and measures should be put in place to detect possible abuses.

Suspicious user activity should be detectable through appropriate analysis of logfiles. The network and its data should be protected from contamination or outside interference using appropriate gateway security devices and other intrusion prevention systems. Firewalls must be present, updated, and frequently reviewed, along with intrusion detection systems and intrusion prevention systems (IDS/IPS), and all logs should be centralized and scrutinized. Measures should be put in place to ensure that data transmitted are the same as the data received and that error correction is used wherever possible.

Service-level agreements should define goals for efficient response and adequate capacity, in order to support acceptable performance. Systems should be able to recover quickly from either short-term or long-term disruptions. Backup measures, including data backup and equipment backup39 and tested incident response, contingency, and recovery plans, should be in place.40 Appropriate cost recovery measures should also be in place.41 Prevention of harm is of primary importance.

Single points of failures should be avoided. Avoid dependence on single equipment devices or single communications pathways. Web servers should be clustered, and databases should be replicated across various servers and placed in different geographic regions. Avoid overloading the network at peak activity periods. Provide environmental backup (redundant power, air-conditioning, heating and other support systems, limited equipment access, etc.) to reduce other exposures.42

Management should have the capability to limit who can access the systems, how much capacity can be used for each purpose or function, what purposes are allowed, what data are accessible and transmittable for each user, and what connections can be made. Technical measures include access control (system access, resource restrictions), logon password control, alternative identification methods (personal tokens, digital signatures, biometric authentication), callback connections, network isolation from public networks, firewalls, and physical security of system components.43

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 12 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Administrative measures include publication of policies, standards, and guidelines; screening of personnel; security awareness training; system change control proce- dures, including security criteria in system design; and monitoring system activity and quality.44

In addition, management should use the audit function as an independent arbiter to measure compliance with policies, standards, and guidelines as well as to assess the adequacy of technical protection. The system and its network should preserve and display evidence of use, behavior, and content, and should record deviations from expected use.45

Managers are responsible for specific tasks or functions to the extent that they make decisions about business processes and suffer the consequences or reap the benefits of those decisions.

63.2.1 Policy Management. Managers spend more time on people issues than on technical issues. The right people must be hired for each position.46 Employees who do not work responsibly and competently must either be brought up to the proper standard or let go. Employees who do their jobs properly must be kept satisfied, lest they move to another organization. Management in the IT world must ensure compliance with corporate policies.47 Compliance with policies includes motivation, supervision, judgment, and adaptation.

63.2.2 Motivation. Employees need motivation to pay attention to INFOSEC policies, which often are perceived as a nuisance, interfering with the fundamental goals of the enterprise. Upper management, in particular, must set an example by following enterprise policies; when top managers are seen to ignore policies, the people reporting to them quickly imitate their behavior, and the problem spreads throughout the organization. For example, if the CEO refuses to wear a picture badge, the vice presidents (VPs) will quickly follow suit because they will associate not wearing badges with high status. Similarly, the directors reporting to VPs will start dropping their badges, and so within a few months the entire hierarchy will be convinced that no one but stock clerks should wear badges. Sometime later, the stock clerks will be resisting badges too.

According to Computerworld writer Mary Pratt, writing in 2006:

The risk that employees pose is significant. They can fall prey to social engineering, a fancy term for being conned. They can ignore company policy by failing to encrypt sensitive data. Or they might install unauthorized software that can corrupt the system.

Think you’re well protected? Recent findings from the Computing Technology Industry As- sociation might convince you otherwise. In this year’s CompTIA information security study, 59% of the organizations surveyed indicated that their latest security breaches were the result of human error alone. That’s up from 47% last year.48

A survey by NFO Prognostics highlighted that 66 percent of the companies sur- veyed believe that staff training or certification has improved their IT security through increased awareness and proactive risk identification.49

Since people can be the company’s greatest strength against attacks, training em- ployees should be a high priority in any organization. At Stop and Shop, in February 2007, employees noticed suspicious activity; they saw four people tampering with the keypads for credit/debit card authorization units. The employees notified police at once, and the suspects were arrested. That kind of quick thinking and commitment can make

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RESPONSIBILITIES 63 · 13

an enormous difference in the effectiveness of security systems of all kinds—and it depends on management support and motivation.50

Some managers think that punishment is the only motivation that can change be- havior; but everything known about human psychology shows that reward is more powerful.51 Reward is not limited to salary increases and bonuses; sometimes the most effective way to keep IT employees satisfied and productive is to provide training. The IT world is evolving, and the demand for competent staff has never been higher. Most employees want to feel that their employers value their services and that they are worth an investment to improve staff competence. Training employees, and providing challenging opportunities for the exercise of intelligence, serves the interests of both employer and employee. See Section 63.5.3 for more details about education.

Challenging employees in other ways can be highly motivating. For example, man- agers can encourage staff to prepare and deliver presentations at internal meetings and at security conferences. Some examples of useful conferences are SecureWorld- Expo, InfoSecWorld, and NetSec. Motivated employees can lead special interest group discussions at conferences (such as RSA, SANS, etc.) and so develop a Web of rela- tionships that promote sharing of knowledge, and that enhance their self-image. There are also security contests to test their skills, such as the Honeynet forensics contest.

The Honeynet Project provides archives of past security challenges that allow secu- rity staff to challenge their technical skills, as well as to learn and teach new tricks of the trade. The Honeynet Project posts these challenges on the Web,52 and tasks would- be contestants to unravel what the hacks were and how they were performed. Along with finding out what had happened, judging was also based on how much information was uncovered and how this information was communicated. These challenges have been solved, but they are still valuable lessons for any INFOSEC staff. Many other challenges pop up frequently and easily can be found using Google.

Many journals and Web-based magazines are ready to accept articles written by professionals in the field. Not only does writing solidify employees’ knowledge and build their own confidence, but it also instills confidence in the entire team. Writing and teaching help the enterprise, as well as its clients and partners, to view the security team as a real benefit, at the same time that the organization develops a strong reputation for excellence in security.

Another way for management to make the security team more cohesive is to build camaraderie. A monthly pizza party or an occasional outing to a sports event can do a lot to ease stress and to help everyone to know each other. Having good friends at work can reduce turnover and motivate employees to do their best, not only for the rather abstract goal of doing good for the enterprise, but also because of a commitment to their colleagues.

To help encourage a higher level of expertise and to establish a feeling of belonging, periodic “brown bag” lunch sessions can be effective. At each session, a different team member can be designated to present an informed talk or to lead a discussion on a topic of general interest. There could even be an informal call for papers, giving team members an opportunity to present valuable information in a professional manner.

At the same time, a little friendly competition can help as well. For example, if the enterprise has a training network that can be subdivided into several subnets, managers can organize a “tiger-team challenge.” Each team will be responsible for securing a subnet or host and then given the opportunity to break into the subnet or host of another team. The winners would get both a reward and a responsibility. The reward can be as simple as pizza for the team or a modest trophy. The responsibility would be to present the exploits used and the ways to secure against them to the rest of the teams.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 14 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Another way to build the team is to support staff in choosing the areas in which they want to excel. There may be some overlap, but overlap can be good. Clearly, if there are two firewall experts, the enterprise is less vulnerable should one of them be absent. Furthermore, the firewall experts can provide better-quality assurance by discussing alternatives when planning a change and better-quality control by checking each other’s work. It can also help to have the security team members switch roles periodically, both to ensure that no one gets into a rut and to contribute to the challenges presented when a change is made.

Last, almost nothing is more infuriating than being expected to accomplish a task without the necessary resources. Adequate time to get a task done is always an important issue, as many people have several tasks to do, and each of the tasks may be seen as critical by someone. A manager should be willing to give the team all of the resources it needs to complete a task in the allotted time, or it should be made clear to other departments, or to higher management, what the realistic expectations are for the completion of such tasks, if required resources are lacking. If expectations are properly managed, there should be less conflict and fewer problems.

It is useful to view management not as separate from the IT security team, but as an integral part of it. This allows management to contribute directly toward the employees’ enthusiasm as well as to detect early warning signals of impending trouble. A manager who does not spend time listening to the team members, or who does not understand what their jobs involve at a technical level, will not be respected by the team. Lack of respect will block communication and keep the department from becoming a solid, effectively functioning unit.

63.2.3 Supervision. What we know about damage to computer systems indi- cates that errors and omissions are a major source of harm. Poorly trained employees make mistakes, but so do trained employees who have become careless. Managers should examine performance records as a normal part of their supervision of the se- curity team. In particular, every incident that damages production systems should be analyzed to identify the reasons for the event. Careful technical support records and log files can help the team spot the crucial weaknesses, whether technical or human, that allowed compromise of the damaged systems.53

Analysis of security breaches of all kinds may reveal that certain employees are associated with unusually high or unusually low frequencies of particular problems. Careful analysis of both types of extremes can be helpful in spotting weaknesses for remediation and strengths from which to learn, so that the knowledge can be spread across the entire unit. However, managers must not assume that disproportionate numbers of problems are necessarily caused by the employees involved; for example, low rates of penetration during the day shift may be associated with lower rates of attack from hackers, who often work in the evenings or nights. Similarly, higher rates of security breaches may, after detailed study, be found to have been caused by factors entirely outside the control of a particular employee.

In addition to monitoring performance, managers must ensure that all employees know that they are being monitored. Warning notices, pre-employment agreements, and yearly policy reviews can ensure that staff develop no unwarranted expectation of privacy about their work.54

One of the most effective supervisory practices an INFOSEC team leader, or any other manager, can use is managing by walking around.55 Managers should set aside time every week to observe the conditions and to absorb the atmosphere of the working areas. Visiting team members and hearing about their specific job experiences, both

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RESPONSIBILITIES 63 · 15

positive and negative, can only improve communications and motivation within the security team.

Not surprisingly, poor communication is a major enemy of effective team develop- ment. This poor communication can exist on multiple levels: among IT staff members, between staff members and IT management, and between IT and internal customers.56

Tools for enhancing communication include production control meetings, regular brief status review meetings, all-hands updates at which group members are required to give updates, and individual staff members to give technical updates, as well as establishing regular and thorough communication with internal customers and top management.

All members of the IT staff should be familiar with all lines of communication and with what behavior is expected of them in every scenario. Pushing communication awareness down through the organization appears to be an effective strategy.

63.2.4 Judgment and Adaptation. Management must not permit policies and procedures to keep the work from getting done. The comic strip Dilbert57 has be- come popular largely because it caricatures managers who apply policy unintelligently; for example, in one real company known to the authors, managers decided to give the marketing department new laptops because of all the traveling they had to do. The managers then decided that to prevent theft, the laptops should be so securely fastened to the employees’ desks that they could not be moved at all.

When security policies interfere with productivity, the correct solution is rarely black and white. Usually, neither dropping the policy nor enforcing it without change is appropriate. A hospital security administrator, for example, might note that a work- station in the emergency room is always logged on for the entire day, using the ID and password of the first person who logged on. Clearly, this violates the principle that everyone using the system must be positively identified and authenticated. Piggyback- ing on the first user damages the credibility of log files and makes it impossible to ascertain exactly which person is retrieving and modifying data at any time during the day. However, cracking down insensitively on the emergency room staff is a bad idea; chances are that the harried medical and support personnel are simply racing to get their work done saving lives. Logging off and on repeatedly is not a good method of identification and authentication in that environment. A reasonable security manager would listen to the employees, understand their point of view and their functional needs, and then explore technical alternatives to the usual ID-password technique. For example, the security manager might find that proximity cards or smart cards could meet the requirements at reasonable cost.58

Management must concern itself with safeguarding the resources under its jurisdic- tion. Just as investors seek both a high rate of return and reasonable safety for their investments, so must managers seek a high rate of return through the effective use of resources under their command and take adequate steps to protect the value of the resources.

The manager’s function is essentially the management of resources: human re- sources and capital resources. In a computer operations environment, capital resources are represented by the investment in equipment and operating programs. Human re- sources are represented by the skills needed to operate and control both hardware and software facilities. Human capital resources are also represented by complete operat- ing programs. Information is another form of resource, one that is often created as a product of data processing or concentrated at the computer facility, in order to utilize equipment resources better.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 16 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

63.2.5 Management Failures. The most pervasive vulnerabilities in com- puter security are due to poor management. Efforts to contain or mitigate computer security exposures often fall short, or fail, because of management inadequacy, either of senior management or of operating management, or both. Sometimes the problem is simply inertia. Equally damaging is management lip service. In far too many instances, computer security is simply not taken seriously by senior management. Some of the most common management errors are listed next59:

� The belief that “if it hasn’t been needed before, it probably will not be needed now.” This is the default frame of mind, which is really self-insurance.

� Competition with other goals. Security measures use resources that are often needed for other activities. If security is regarded as an add-on burden rather than an integral part of the business process, it may be neglected or postponed.

� Lack of contribution to the bottom line. If security needs to be cost justified as an independent activity, it may be regarded as a target for elimination or reduction.

� Unwillingness properly to fund security activities. Far too often management is reluctant to commit all the resources needed for complete protection. A prime example is the lip-service contingency plan, published and display to the auditors, but never fully implemented.

� The explosive growth of the Internet and of the Web has increased the number of novice computer users into the hundreds of millions worldwide, cowering in fear at the latest hoax but cheerfully sending each other joke programs with embedded viruses. Some of these novices have taken on responsibilities for computer system management and have spread havoc within their organizations.

� The common occurrence of laptop theft has shown how vulnerable any kind of unencrypted removable media can be. Several companies have come under fire for not having a laptop encryption policy. This policy should be extended to any type of removable media (such as USB “thumb” drives) for certain types of information.

� Cell phones and PDAs are other technologies that need to be controlled. They are frequently connected to company computers, on the company network, to sync up with Microsoft Outlook email and calendars. These provide another potential point of entry for malicious software.

� Adults such as teachers and parents (many of them violating software copy- rights without realizing they are breaking the law) have too often failed to teach children in their care how to resist the wiles of criminal hackers, virus writers, pornographers, and pedophiles. Some of these children have now grown up and become young managers who tolerate, encourage, or demand illegal acts by their employees.

� Some Websites are being managed by undertrained staff who know nothing about the years-old vulnerabilities they have left invitingly on their systems. These unfortunate people are stuck with inadequate resources and dismissive managers, who nevertheless blame them when the site is plastered with obscenities by teenagers with little or no conscience. Even worse, the Website may be used in a for-profit scheme by the ever-increasing legions of highly skilled professional hackers.

� In addition to the old vulnerabilities, these undertrained (or simply overworked) staff may also be introducing new vulnerabilities to their Websites by using new

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RESPONSIBILITIES 63 · 17

tools or methodologies with no consideration of security. These new methodolo- gies, such as the current AJAX (Asynchronous JavaScript and XML), may make use of old tools, but may do so in a new and insecure way.

� Some Web designers assume that users should trust mobile application programs (Java applets, ActiveX controls) whose origins are uncertain, whose documenta- tion is unavailable, and whose actions may be pathological. Technically incom- petent managers who take credit for their corporate Website may have no idea of what their Webmasters are doing—and failing to do—to protect their site.60

� Software makers, who ought to have known better, have blurred the distinction between document and program by adding automatic execution of macros to their word processors. Emailed Trojan horses are activated automatically when the message is opened. Bloated programs are routinely so full of bugs that consumers now think it is normal to pay money for a service release that fixes what never ought to have been released. Some managers with inadequate training take this situation as a given.

� Not necessarily a failure on just the part of management, software is often written without thought to security at all. Buffer overflows continue to be the “low- hanging fruit” for software hackers. Unfortunately, secure coding has been slow to catch on, but is showing signs of gaining traction today.61 SANS has announced it will offer courses in secure coding, and there is an expanding list of books and papers on the subject. Perhaps as it becomes mainstream, universities will start requiring full courses in secure coding practices for computer programming degrees.

� We collectively continue to use Internet protocols devised decades ago and which have no provision for packet authentication. Criminals forge mail headers and packet headers with impunity, and use them for denial-of-service attacks and email spam. Network managers continue to avoid output filtering, which could reduce such attacks, because it is too low on their list of priorities, or because they have never considered their responsibility to other Internet users.

� Access control still relies largely on the outdated and ineffective use of passwords chosen by untrained users. Conveniently for criminal hackers, many users pick names of family members, people with whom they are having illicit romances, movie stars, pets, favorite sports teams, and the names of objects on their desks or visible from their windows. Some managers contribute to this situation by refusing to follow recommendations for better passwords and by refusing to consider better, or additional, authentication methods, such as tokens and biometrics.

� Some managers are loyal neither to colleagues nor to employers. The boom in firings and job-hopping has led to a shortsighted emphasis on the quarterly bottom line that makes investments in corporate security seem pointless.

� Security specialists still lack reliable data on network and computer intrusions. Al- though there are now some resources for information sharing, such as CERT/CC, many managers resist contributing to the knowledge base for fear that they and their enterprise will be embarrassed by their victimization.

� Social engineering is still one of the largest weaknesses of the security realm. Hackers really do not need to spend much time trying to break through defenses when so many users are perfectly willing to give them free access to go right through. While it is debatable whether training programs will ever be sufficient to overcome this, managers need to pay close attention to the “phishing” attacks that are now becoming more popular and more sophisticated.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 18 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

Some organizations are taking steps to implement creative and memorable security awareness programs such as Jeopardy-style games, where workers compete to supply the right answers to security-related topics. Scavenger hunts on a company’s Website are used to find the answers to 10 security-related questions.62

63.2.6 Risk Management. Part of the data processing management task is to protect information resources and to safeguard the human capital resources that are essential to the services provided. Top management must concern itself with adequate recognition of the risks and must be assured that protective measures relative to these risks are in effect.63

In addition to the problems caused by management failures discussed in Section 63.2.5, managers should be aware of other risks in their work such as:

� Physical hazards. The likelihood of threats, whether accidental or intentional, that can result in physical damage. Fire, water, power loss, explosions, vandalism, terrorism, and civil disorder are all within this category.

� Equipment malfunction. The possibility of failures in computers and supporting equipment, such as printers, disk drives, and air conditioners.

� Software malfunction. The likelihood of loss and failures caused by computer programs, including operating system software and application programs.

� Human error. The threat of disruption or loss due to accidental or intentional action or inaction by employees. Computer operators, programmers, maintenance engineers, and service personnel can all precipitate loss.

� Misuse of data. The capacity for intentional misuse of information or facilities by perpetrators of crime, such as fraud, espionage, misrepresentation, forgery, or theft of data or other assets controlled by the data.

� Loss of data. The intentional or unintentional loss of information through disrup- tion of the physical media on which the data resides, or the corruption or erasure of the data.

In addition to classifying risks by category of threats, it is useful to analyze risks by the magnitude of potential loss, the probability of loss, and the frequency and permanence of occurrence. Although magnitude of loss can be expressed in terms of timeordollars, it ismorepracticaltousedollarcostasacommonbasisformeasurement. Quantifications should be based on reasonable and supportable estimates of the costs associated with the actual occurrences of adverse events.

Threats must be evaluated in terms of probability or occurrence. True risk is difficult or impossible to measure, but a reasonable priority of risks may be established by evaluating the likelihood of occurrence in conjunction with the magnitude of potential loss for each threat. An aggregation of consequential costs for each threat, over a common time period, and based on the likelihood of occurrence for each threat, can serve to prioritize seemingly diverse risks.

Three convenient groupings for permanency of damage are disasters, solid failures, and transient failures. Disasters are serious and lengthy disruptions, usually resulting in costly reconstruction of data, alternative off-premises processing, loss of business, and high cost. Solid failures are those that require shutting down part or all of the system in order to take corrective action. Costs of solid failures may range from simple inconvenience to substantial loss of business. Transient failures are defined as

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

LIABILITIES 63 · 19

temporary disruptions that do not recur regularly and therefore may be difficult to correct. Like solid failures, their costs can vary widely.

Quantification of risk is imprecise at best and varies greatly from one organization to another, and even among computer installations in the same organization. Nevertheless, quantification affords the means of ordering the relative importance of various threats and of substantiating the need for expenditure to counteract threats. In summary, even though probability estimates for specific events may represent intuitive feelings about likelihood, rather than actuarial knowledge, they can nonetheless serve as a basis for focusing discussion and planning.

An effective computer security program requires a balance of rationality and pru- dence. It also requires a continuing management commitment. Absolute security is an impossible dream unless one has unlimited resources—and even then, many responses would still have to be post hoc reactions to new threats, vulnerabilities, and attacks. Surprisingly, however, even on a modest budget, it is usually possible to achieve rea- sonable security. Many basic safeguards can be implemented for modest expenditures of time and effort. Many chapters in this Handbook discuss such basic safeguards.

63.3 LIABILITIES. As discussed, security managers focus on minimizing liability by a practice generally known as risk management. Risk management is the tradi- tional model for INFOSEC; ideally, one determines risk by identifying the threats and vulnerabilities and then evaluating the associated costs and probabilities of each type of incident. The probabilities are difficult to define, and as a result, much of risk management is, in practice, an intuitive, nonquantitative process.

Security managers face many liabilities. Some of the possible negative consequences of inadequate security include:

� Loss of revenue � Loss of reputation � Loss of business partner confidence � Loss of consumer confidence � Loss of enterprise valuation � Failure of the entire enterprise

Each of these types of loss also involves a loss of trust. Trust is easy to lose, especially in uncertain economic climates, and it is, unfortunately, harder to regain trust than to establish and maintain it. It is necessary for managers to understand that security and privacy are integral to the services and products offered by the enterprise. Security and privacy must apply to data from customers, business partners, employees, and every other individual or entity with whom the enterprise comes into contact.

63.3.1 Stakeholders. It is easy to think of only stockholders and customers when evaluating the potential costs of security breaches. However, it is useful to enumerate all of the people, and other entities, that are potentially affected by INFOSEC breaches. Such stakeholders can include:

� Stockholders. People and organizations owning stock in a privately held or pub- licly traded enterprise

� Employees. Managers and workers depending on an enterprise for their livelihood

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 20 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

� Customers. People and organizations depending on fulfillment of contractual obligations by the enterprise

� Potential customers. Those who might want to do business with the enterprise � Suppliers. Those depending on the enterprise for acceptance of materials and services followed by payment as per contract

� Data subjects. People or other entities about whom an enterprise stores, manip- ulates, and reports data

� Regulatory agencies and law enforcement. People and organizations devoted to enforcing statutory regulations and laws

� Users of other systems victimized by means of a compromised system. In- nocent bystanders who may be harmed, through no fault of their own, when a compromised system is used as an intermediary to launch attacks on an ultimate target

Managers must explore the potential consequences of specific types of security incidents with respect to all of the stakeholders. This wider analysis contributes signif- icantly to effective risk management.

63.3.2 Due Diligence of Care. Due diligence of care in INFOSEC refers to the research and analysis carried out in establishing that risks have been minimized to an extent consistent with industry standards. Due diligence investigations, typically, are crucial in mergers and acquisitions, where unanticipated liabilities resulting can result in financial disaster and legal culpability.

Unfortunately, just as there is no sound basis for assertions about computer crime rates, there is not even the most rudimentary basis for asserting that any given level of security represents adequate care for information. What, precisely, is the right length for the asymmetric encryption key used in protecting confidential email sent across the Internet? Does failing to update antivirus signatures daily constitute a violation of due diligence, or is once a week good enough? Does due diligence in securing a manufacturing system require installation of an intrusion detection system? What about lacking an IDS in a hospital or a bank? Is a computer emergency response team a requirement to demonstrate due care in protecting information assets?

Attempts at defining security standards have not yet convinced more than a few enterprises to conform to their recommendations; the INFOSEC field is not yet at the point where quality assurance was a decade ago, when the International Stan- dards Organization promulgated ISO 9000 certification, and it became widely used in manufacturing plants around the world.

Sensitivity to due diligence of care should, at a minimum, begin with consideration of legal and regulatory requirements for the protection of information. Contractual obligations with any and all stakeholders will determine the required degree of re- sponsiveness to intrusion, and may help determine whether to cooperate with law enforcement authorities to investigate any breach of security.64

63.3.3 Downstream Liability. In recent years, a growing number of security experts and attorneys have predicted that the doctrine of downstream liability would become a significant factor in pushing management toward better security. Downstream liability is an application of the legal theory of contributory negligence as it applies to INFOSEC. In turn, contributory negligence refers to reckless endangerment of

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

LIABILITIES 63 · 21

others, “reckless” meaning without consideration of the consequences and endanger- ment resulting from putting others at risk of harm. The term “downstream” refers to the conventional model in which the source of data is viewed as being upstream of the recipient of those data; thus if someone compromises a university computer sys- tem and uses those computers to launch an attack on a bank, the bank is viewed as downstream from the university. Conceivably, the bank’s attorneys could accuse the university administrators of negligence for allowing their computers to be compromised and therefore claim damages.

Keeping in mind that the authors are not attorneys, and that the information being discussed here is in no sense legal advice (for legal advice, consult an attorney), examples of what might be construed in a court of law as downstream liability include:

� Distributing virus-infected documents through email because all antivirus mech- anisms have deliberately been turned off

� Allowing a malefactor to install zombie software on a poorly configured system and involving that compromised system in a distributed denial-of-service attack65

� Failing to install patches for a well-known and years-old vulnerability, thus allow- ing a criminal hacker to attack a third party via a root compromise of the poorly secured system66

� Allowing private information such as credit card numbers belonging to thousands of people to be stolen and distributed on the Internet, for use in credit card fraud

� Providing an unsecured email server that provides an open spam-relay point for junk email, with a forged REPLY-TO address, to flood millions of mailboxes with unwanted email, thereby causing thousands of bounce messages and angry accusations to clog the mail system of the innocent owner of the forged REPLY-TO address

� Having an employee who sends out thousands of fraudulent notices using the em- ployer’s email system to libel a competitor, causing depression of that competitor’s sales and stock price

� Configuring a honey-pot system on the enterprise network to attract the attention of criminal hackers—who then turn around and use the honey pot to attack a third party

It is important to note that honey pots, while used as security measures to attract a hacker to a specific server for the purpose of gathering data on an attack, do in fact introduce security holes. The honey pot is a live server, with intentional vulnerabilities built in, connected to a company’s network. Once penetrated, an attacker may use it as a platform from which to launch future attacks. Special safeguards must be designed to prevent this.

One possible safeguard is to prevent any traffic that leaves the honey pot to actually go anywhere, or to trap it on what might be termed a “honey logger,” a server designed to simply catch all the traffic for the purpose of analyzing it.

As of this writing, there appear to have been no cases in which a plaintiff has suc- cessfully sued an enterprise for damages on the basis of downstream liability linked to inadequate security. However, in December 2000, FirstNet Online (Management) Limited filed a lawsuit in the Court of Sessions in Edinburgh, Scotland, against Nike, Inc., apparently an innocent victim. The incident began in June 2000, when someone hacked the DNS (Domain Name System) by filing incorrect data for resolution of the

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 22 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

nike.com domain with Network Solutions, Inc., which is charged with the responsi- bility of managing acquisition and retention of certain classes of domain names. All subsequent attempts to reach nike.com were redirected to the s11.org domain, an ac- tivist site devoted to fighting globalization. The redirection allegedly caused serious harm to the Web-hosting service for s11.org; according to the plaintiffs, FirstNET On- line “experienced an 1800% increase of traffic over the 46 hours it took to correct the problem completely.”67 Blaming Nike administrators for failing to protect the password required for updating the DNS records at Network Solutions, the plaintiffs demanded compensation for the expenses incurred. Nike officials rejected such accusations and blamed Network Solutions for allowing the redirection of Internet traffic to the s11.org site. Readers will want to search the Web for later developments in this interesting case.

63.3.4 Audits. As managers attempt to manage security according to nebulous principles of due care, they must remember that in many enterprises, IT and INFOSEC departments are seen as being equivalent to the police. Many people in these depart- ments have privileged access to other people’s secrets; for example, they can read all email, and can often tell exactly what Websites’ employees have been visiting. In some environments, network monitors allow administrators and security personnel to activate keystroke monitoring and to view in real time the appearance of any given terminal or workstation on the network. Because of the enormous power of these people, managers must ensure that their levels of access are not abused.

Information systems auditors are responsible for keeping the technical and security staff honest. In some larger enterprises, there is a department of internal audit whose director reports to the same level as other officers, such as the CEO and CFO. In other cases, third-party auditors monitor adherence to policy, standards, and procedures.68

Security audits are often feared, and with good reason. In general, many audits are performed with the focus of finding fault. This approach is counterproductive and unnecessarily stressful. The point of an audit should not be to find the maximum number of offenses but rather to assess the level of compliance. The most important outcome of an audit is finding areas of potential improvement. A nonadversarial style facilitates positive results; thus, an auditing team should provide constructive suggestions for improvement wherever possible.

An auditing team also needs to listen to those being audited. Although a particular network may not be configured to full compliance with security policy, there may be reasons for this apparent failure. For example, suppose a specific patch was required by security policy to have been installed on a Solaris server, but a particular Solaris server did not comply. An auditor might report a failure without further investigation even though, in reality, the patch might have been installed but found to be incompatible with a critical application. Just like managers, audit teams need to see the big picture, not just the rules and procedures. The main point is that all audits must be done with the needs of the business in mind. It does no good to have a process that gets in the way of the business at hand. Instead, to enable the business, alternative measures must be found. That is the job of the auditor—to help ensure compliance and to provide another set of eyes that can see to it that all needs are taken care of.

To prove due diligence, auditing is a must. Generally, third-party audits create more trust, as a third party has no bias about the findings. However, it is important to ensure that a third-party audit firm maintains its independence. It can be risky to use a small firm that bases more than a modest fraction of its revenue on income from any one client. However, it may be undesirable to have the same large firm perform accounting or auditing functions while also serving as security consultants.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

COMPUTER MANAGEMENT FUNCTIONS 63 · 23

63.4 COMPUTER MANAGEMENT FUNCTIONS. The job of the manager is to provide leadership, and it must be provided in an organized and creative manner. Management is dynamic, not static, and the manager must deal with change—change in the organizational environment, change in people, and change in the methods of management. Unfortunately, the laws of inertia apply to management as to physics, and change will often be resisted. The challenge to the manager is to manage change.

Even a successful security program will usually result in higher costs, as well as in changes in the organizational structure and in the working environment. To compound the problems, the benefits of the security program are not highly visible. Security is essentially preventive and is often regarded as capital expenses and overhead of questionable value. Too often, upper managers dismiss proposals for better security by pointing out that there have been no breaches of security in the last year; thus the more successful the security program, the less evidence there is to support its usefulness. To counteract this circular and destructive reasoning, security managers should compile evidence of the numbers and types of attempted penetrations identified by intrusion detection systems69 and attempted malfeasance by authorized users identified by system and application logging.70

The tools of the manager include planning, organizing, integrating, and controlling. These are not independent activities that can be completely separated; rather they represent a matrix. Taken as an interrelated process, they achieve balance and direction.

63.4.1 Planning for Computer Security. The planning function of manage- ment includes the determination of objectives, policies, priorities, schedules, standards, and strategy.

It is important to define the scope and purpose of a computer security program in terms of objectives. There should be a clear statement of results to be achieved within a given period of time. Security objectives must be balanced with other organizational objectives, because conflicts may arise. As an example, the need for controlled access will naturally conflict with desires for user flexibility and convenience. Objectives should be imaginative and responsive to change and conflict.

Planning for computer security requires the participation of top management, so that security objectives can be reconciled with general organizational objectives and with financial priorities. It is also necessary to coordinate security activities between data processing and all the other areas of the organization. Auditing, insurance, legal, financial, and other groups are affected by, and should contribute to, a computer security program.71

The objectives, policies, schedules, and standards that result from the planning process need to be communicated throughout the organization. While this is generally true for all planning, it is especially crucial to the success of a security program, which may conflict with existing corporate culture.72 Finally, feedback is essential to permit recognition of failures and departures from plans. Only by monitoring results is it possible to take corrective action or to readjust the objectives, policies, plans, schedules, and standards to the practicalities of the real world.

63.4.2 Organizing. Organization is the process of marshaling resources, group- ing activities and responsibilities, and establishing relationships that will enable people to work together most effectively in determining and accomplishing the objectives of an enterprise.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 24 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

The important elements of organization for computer security include:

� Obtaining resources of personnel, money, and facilities adequate to accomplish the assigned mission

� Fitting responsibly into the organizational pattern � Assigning responsibility and authority to individuals � Formulating supporting methods and procedures � Measuring organizational effectiveness

Traditionally, the organizing function is concerned with grouping activities into manageable components and grouping human resources into logical relationships to accomplish the desired results. It would be unusual to find an enterprise that was designed with an optimum structure to achieve security at the expense of other goals. Security is not an independent activity, nor does it represent the primary goal of a data processing organizational element. Data processing departments are usually organized into units that reflect the nature of the work performed, or user relationships, or some other structure designed to achieve an adequate service level for the end user. Security measures quite often conflict with the service objectives. That conflict is all the more reason why security must be managed in order to be effective. It is also motivation for creating a separate functional activity, particularly in large organizations, so that INFOSEC can be administered independently of competing activities.

63.4.3 Integrating. Computer security is frequently an afterthought to the or- ganization of the data processing function. Security is also perceived as a passive activity. As a result, responsibility for security is often assigned haphazardly. Security should not merely be superimposed but, instead, should be carefully fitted into the organizational structure. Some important considerations are:

� Accountability for specific security tasks should be included in formal job defini- tions of every job level.

� Training programs should include a complete review of security objectives and policies, as well as details relating to assigned security tasks.

� Supervisory and management personnel should be assigned responsibility for both performance and attitude of staff with respect to security.

� Certain line or staff positions could include responsibility for overall security, or a grouping of security tasks, or measurement and monitoring of security. It may be convenient to combine security and control of data processing into a single function. Monitoring of security effectiveness is sometimes assigned to the data processing auditor.

� Primary responsibility for INFOSEC should not be assigned to those with in- herently conflicting priorities; for example, it is a bad practice to assign major responsibility for security to the chief of operations, the director of software development, or the vice president of finance.

� Information systems security should be coordinated and reviewed with security specialists in other areas of the organization. In a manufacturing concern the plant security personnel, or in a bank the bank security officer, should be consulted. It

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

SECURITY ADMINISTRATION 63 · 25

may be desirable to assign monitoring responsibility for security housekeeping tasks to these specialists.

� Whenever possible, policies should be translated into written guidelines and pro- cedures to provide the detailed requirements for each task. Standards for perfor- mance of each activity must be formulated and applied.

Initiating and monitoring the accomplishment of objectives according to established plans requires skillful leadership. The integration function has a direct bearing on the success of a security program. Without effective leadership, security can become a farce. With leadership, a security program can overcome its basic passivity and truly enhance the utility of information systems. Management must embrace and inspire the concept of security as an everyday fact of life. But beyond transmitting a positive attitude of acceptance, management must also be concerned with testing and improving security. The security program is dynamic rather than static. Management’s role must be one of continued concern in order to identify, adopt, and adapt better methods to accomplish corporate security objectives.

63.4.4 Controlling. The final process in the management cycle is measuring and controlling. It is the function that is concerned with achieving cost-effective results and includes establishing standards, improving methods, examining results, and adjusting the organizational mechanism for corrective action.

The basis for effective control is the use of consistent techniques for measurement and the application of standards for comparison and interpretation. Results should be analyzed promptly, as feedback to effect corrective action. Control systems need not be burdensome or elaborate, but they should be consistent, and they should allow for flexibility and adjustment. Management action is the end product of control. Mistakes in original objectives and plans are forgivable, but failure to recognize and react to mistakes can only compound the problem, add to costs, and undermine the effective use of valuable resources.

63.5 SECURITY ADMINISTRATION. In large organizations, an independent security administration function is often the most effective method for accomplishing the overall objective of improved INFOSEC.

63.5.1 Staffing the Security Function. The importance of INFOSEC has given rise to a new management specialty, consisting of professionals involved in the planning and administration of protection for the integrity and security of automated information assets. Titles such as INFOSEC administrator, computer security manager, information systems security officer, and chief INFOSEC officer have been used to describe these roles.

Coordination of the INFOSEC function requires a combination of managerial and technical talents. The successful administrator must be a superior communicator capa- ble of selling the concept of security and maintaining security awareness at all levels of the organization. Sufficient technical knowledge is important, so that the INFOSEC administrator can evaluate and initiate appropriate technological solutions to meet corporate INFOSEC policies and to counteract threats. While technical skill, in the form of a data processing background, is important, a broader range of capabilities is needed for maximum effectiveness. The ideal security administrator should possess the

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 26 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

ability to communicate with all levels of management and should have good knowl- edge of related functions such as auditing, internal control, and general security. It is also important to have some knowledge of the industry within which the organization operates.

The administration of INFOSEC can be centralized or decentralized, depending on the needs of the organization. Where multiple data center locations are involved, the decentralized approach may be more appropriate to accomplish the details of administration. However, it is important to have one focal point for overall coordination of INFOSEC policy. It is also essential to understand that responsibility for INFOSEC rests with all members of the organization, and not just the security personnel. Security is a shared responsibility, and this concept must be widely promoted by the security administrator and strongly backed by senior management.

63.5.2 Authority and Responsibility. As in all management areas, IN- FOSEC administrators (ISAs) need not only specific responsibilities but also the authority to carry out their duties. Those duties are listed next:

� Establish policy statements and guidelines for information protection. Al- though policy is the primary responsibility of senior management, it is appropriate for the ISA to participate in the delineation of a formal policy statement covering this important organizational goal and to prepare appropriate guidelines.

� Identify vulnerabilities and risks. The ISA serves as a consultant and coordinator in the process of risk analysis. The sensitivity of data resources must be decided by senior management, but with full consensus and agreement by all affected sections of the organization. The ISA has a special responsibility to identify specific risks that affect the automated data resources. The ISA should then coordinate the process of quantifying or otherwise prioritizing the value of the vulnerable data, in order to establish a basis for selection and economic justification of protective measures.

� Recommend protective measures. Major responsibility for identification of eco- nomic solutions to INFOSEC vulnerabilities is usually assigned to the ISA. Requiring a combination of technical knowledge and management analysis, this process entails the evaluation of protective solutions for technological, op- erational, and economic effectiveness. Appropriate recommendations must be coordinated with other affected sections of the organization, including audit, data processing operations, software development, legal counsel, human re- sources, facilities security, public relations, and others. Implementation plans must also be developed, and there must be a management commitment to the implementation.

� Control the implementation of protective measures. Whether the final admin- istration of the day-to-day security procedures is centralized or decentralized, the coordination and control of implementation for major protective measures should be centralized. A prerequisite for implementation is the development of standards for INFOSEC to ensure consistency in the application of protection. Important ar- eas for standardization are security design for application systems, programming development, data sensitivity criteria, database access, and program maintenance. In general, security standards cover the entire systems life cycle.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

SECURITY ADMINISTRATION 63 · 27

� Measure effectiveness of security precautions. Feedback is essential to assess how effectively policies are being followed. Since the nature of INFOSEC is defensive, the measures adopted can easily fall into disuse unless there is ongoing confirmation of effectiveness. The ISA should have primary responsibility to conduct security audits for operational systems as well as for systems under development. Backup protection and disaster-recovery procedures are especially sensitive plans that must be tested periodically. Monitoring of variances in security procedures is also important, and is best controlled through the ISA function. In many organizations these activities are coordinated with the auditors. Finally, the ISA should provide senior management with reports on the effectiveness of security policy, with identification of weaknesses, and with recommendations for improvement.

� Promote security awareness and security education. Another important area of responsibility for the ISA is security education and awareness. The concept of security must be actively communicated to all members of the staff to maintain awareness of its importance. An effective program should achieve a workable balance between security and the utility of computer resources.

� Ensure security awareness across cultures. In today’s global economy, many companies are located in various geographic regions. As a result, security pro- fessionals must understand the role that culture plays in the global enterprise. Different cultural perspectives exist regarding security, and these must be taken into consideration when developing a security-awareness program. Understanding the impact of culture on business operations will be very beneficial for the organi- zation. For example, how should global enterprises create cross-border awareness strategies? How might the laws and regulations in various countries help or inhibit the creation of an awareness program?

Although English is still a widely used language of business, U.S. security professionals are well advised to understand the cultural nuances of their foreign counterparts in order to protect their organization against increasing threats. The growing economic power of the European Union, China, and India, should prompt U.S. professionals to begin expanding their language competencies to match those of their global competitors.

63.5.3 Professional Accreditation and Education. Professional accredi- tation can provide managers with a basis of assurance that a common body of knowledge is applied to the requirements of INFOSEC in their enterprise. There are several pro- fessional societies and organizations that offer specialized certification to INFOSEC personnel. Such certification is voluntary, since there are no specific licensing re- quirements for INFOSEC practitioners. However, certification does signify serious professional intent on the part of the individual to acquire and maintain the needed knowledge and skills. In most cases, the certification process requires a combination of education, experience, and knowledge; knowledge is evaluated through written ex- aminations. Once achieved, a professional certificate requires continuing education in the field to maintain its validity.

Unfortunately, some managers fear that after they provide training or support ad- vanced education, their employees will leave and use their new skills to benefit some other organization—perhaps even a competitor. In reality, some employees are more likely to walk out if the investment is not made. Numerous studies have shown that if

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 28 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

employees feel valued, they will be more willing to stay. For example, a summary of changing contributions to employee satisfaction specifically states that:

� Although money is clearly an important consideration, cash is not the primary factor that keeps people in their current job or attracts them away to a new job.

� Opportunity to grow and learn at work is emerging as a primary determinant of attracting and retaining employees. …

� Although employees consistently indicate that education and training are key aspects of their willingness to stay at or leave their current job, employees also typically rank the quality of their employer’s education and training function as low.73

Training need not be expensive, excessively time consuming, or difficult.74 Online security training can be taken anytime and is self-paced. Training videos are also an excellent tool for stimulating employee knowledge and interest. The simplest way to locate such resources is to search on the Web with a good search engine using keywords such as “security training.” A particularly helpful site is CCCure.org, which includes a wealth of self-study materials as well as links to many vendors.75

Another alternative is to have the employer use obsolete equipment for training, equipment that would otherwise lie idle in a storage area. Even small departments may have old PCs lying around dormant, as well as hubs and possibly router/switches. These can be used to create a network for testing and learning at little cost. Companies that do not have spare equipment can buy used equipment for less than the cost of a one-week intensive course. For an employee who wants to learn the basics of firewalls, Linux is a cheap (and even free) operating system that has just recently started supporting firewalls. Setting up a Linux firewall requires no expensive software or appliances. It can provide an effective way of encouraging employees to learn the practical details of configuring firewalls—a valuable skill set in any security department—while rewarding loyal employees by showing confidence in their commitment to learning, and to their continued employment in the enterprise.

Once the firewall is set up, other employees can use the testing and training network to learn about penetration testing, intrusion detection, and other security elements. Different operating systems can be installed, with various applications, all for a minimal investment. As technology, techniques, and tools change, this training network will be valuable in keeping skills up to date.

External, college-level undergraduate and graduate education also provides re- sources for employees and managers. Universities and colleges are increasingly rec- ognizing the value and validity of educational programs centering on information assurance, both at the technical and managerial levels. Some offer noncredit courses or certificate courses in addition to degree programs. Some offer online programs that support the needs of working adults. Managers can take advantage of these opportuni- ties to improve the knowledge base within their organizations and to increase employee loyalty and retention by supporting employees who want to further their careers in in- formation assurance. Some programs include case studies that may, with permission, center on fieldwork within the students’ own work environments, resulting in extensive analysis and recommendations of immense value to their employers.76

63.6 CONCLUDING REMARKS. Society needs the insights of information as- surance specialists. Managers with daily opportunities to think about the strategic

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 63 · 29

implications of vulnerabilities, exploits, and, above all, about the business processes for which they are responsible are in an excellent position to contribute not only to the success of their own enterprises but also to the future of their societies. As Adam Shostack and Andrew Stewart have written in their future-pointing treatise, it is time for a new school of INFOSEC—one that involves:

Learning from other professions, such as economics and psychology, to unlock the problems that stymie the security field. …

Sharing objective data and analysis widely. …

The embrace of the scientific method for solving important security problems. Analyzing real-world outcomes is the best way for information security to become a mature discipline.77

Readers should embrace every opportunity to bring their experience and wisdom to a wider audience, and by speaking and writing they should share their insights with each other and with the general public.

63.7 FURTHER READING Calder, A., and S. Watkins. IT Governance: An International Guide to Data Security

and ISO27001/ISO27002, 5th ed. Kogan Page, 2012. Goddard, J., and T. Eccles. Uncommon Sense, Common Nonsense: Why Some Organ-

isations Consistently Outperform Others. Profile Books, 2013. Kouns, J., and B. L. Kouns. The Chief Information Security Officer. IT Governance

Publishing, 2011. Laplante, P., and T. Costello. CIOWisdomII:MoreBestPractices. Prentice-Hall, 2005. Mellado, D., L. E. Sanchez, E. Fernandez-Medina, and M. Piattini, eds. IT Security

Governance Innovations: Theory and Research. IGI Global, 2012. Moeller, R. R. Executive’s Guide to IT Governance: Improving Systems Processes with

Service Management, COBIT, and ITIL. Wiley, 2013. Patterson, T. Mapping Security. Prentice-Hall, 2005. Rees, M., and M. Kennedy. Fraud and the Human Factor: Fighting the Greatest Threat

to Today’s Corporation. Bloomsbury Information Ltd, 2013. Solms, S. H., and R. Solms. Information Security Governance. Springer, 2008. Swiderski, F., and W. Synder. Threat Modeling. Microsoft, 2004. Talbot, J., and M. Jakeman. Security Risk Management Body of Knowledge, 2nd ed.

Wiley, 2009. Wheeler, E. Security Risk Management: Building an Information Security Risk Man-

agement Program from the Ground Up. Syngress, 2011. Wibbeke, E. S., and S. McArthur. Global Business Leadership, 2nd ed. Routledge,

2013. Wood, C. C. Information Security Roles & Responsibilities Made Easy, 2nd ed. Infor-

mation Shield, 2005.

63.8 NOTES 1. Because this entire Handbook in a sense provides the underlying details for the

management of information assurance, most cross-references to other chapters have been relegated to endnotes to avoid cluttering the text.

2. See Chapters 60 and 62 in this Handbook.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 30 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

3. For an extensive discussion of the role of the CISO, see Chapter 65 in this Hand- book.

4. California State Legislature (2002) Senate Bill SB 1386, http://info.sen. ca.gov/pub/01-02/bill/sen/sb 1351-1400/sb 1386 bill 20020926 chaptered.html

5. G. Lin, “The Tao Perspective,” in D. Lane, ed., CIO Wisdom (Upper Saddle River, NJ: Prentice-Hall, 2003), Chapter 4.

6. NIST, “Information Security System in the Systems Development Lifecycle,” 2004 [Brochure], http://csrc.nist.gov/groups/SMA/sdlc/index.html

7. M. E. Kabay, “The Net Present Value of Information Security: A Paradigm Shift for INFOSEC and E-commerce,” vol. 17 (2006), www.mekabay.com/ infosecmgmt/npvsec.pdf

8. J. Bassett and D. Rothman, A Seat at the Table for CEOs and CSOs: Driving Prof- its, Corporate Performance & Business Agility (Bloomington, IN: AuthorHouse, 2007), p. 111.

9. This section is based on the paper by M. E. Kabay, “The VA Data Insecurity Saga,” 2008, www.mekabay.com/infosecmgmt/vasaga.pdf

10. J. Brodkin, “Rating Apologies: Deep Regrets, from TJX to ChoicePoint, about Data Leaks,” Network World, March 14, 2007, www.networkworld.com/ news/2007/031407-wider-net-apologies-letters.html

11. G. Gross, “U.S. Agency Loses Data Containing 26 Million IDs,” Network World, May 22, 2006, www.networkworld.com/news/2006/052206-us-agency- loses-veterans-data.html

12. G. Gross, “Lawmaker Calls on VA Head to Resign after Data Theft,” Network World, May 25, 2006, www.networkworld.com/news/2006/052506-lawmaker- calls-on-va-head.html

13. “FirstGov.gov,” “Latest Information on Veterans Affairs Data Security,” Mili- tary.com | Money (n.d.) www.military.com/money/personal-finance/credit-debt- management/latest-information-on-veterans-affairs-data-security.html

14. Using keyword “data” in the search field at http://www1.va.gov/opa/pressrel/ index.cfm provides a reasonable chronology

15. U.S. Department of Veterans Affairs, “Secretary Nicholson Provides Update on Stolen Data Incident: Data Matching with Department of Defense Provid- ing New Details,” June 6, 2006, www.va.gov/opa/pressrel/pressrelease.cfm?id= 1134

16. Associated Press, “Data on 2.2M Active Troops Stolen from VA,” USA TO- DAY, June 7, 2006, www.usatoday.com/news/washington/2006-06-06-veterans- data x.htm

17. U.S. Department of Veterans Affairs, “Directive by the Secretary of Veterans Affairs R. James Nicholson to All VA Supervisors on Information Security,” May 26, 2006, www.va.gov/opa/pressrel/pressrelease.cfm?id=1128

18. U.S. Department of Veterans Affairs, “VA Secretary Inserts New Leader- ship in Policy & Planning Office,” May 30, 2006, www.va.gov/opa/pressrel/ pressrelease.cfm?id=1129

19. U.S. Government Accountability Office, “Homeland Security: Guidance and Stan- dards are Needed for Measuring the Effectiveness of Agencies’ Facility Protection Efforts,” Report GAO-06-612, May 2006, www.gao.gov/cgi-bin/getrpt?GAO-06- 612

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 63 · 31

20. U.S. Department of Veterans Affairs, “VA Secretary Inserts New Leadership in Policy & Planning Office.”

21. U.S. Government Accountability Office, “Veterans Affairs: Leadership Needed to Address Information Security Weaknesses and Privacy Issues,” Report GAO-06- 866T, June 14, 2006, www.gao.gov/cgi-bin/getrpt?GAO-06-866T

22. U.S. Government Accountability Office, “Information Security: Leadership Needed to Address Weaknesses and Privacy Issues at Veterans Affairs,” High- lights of GAO-06-897T, 2006, www.gao.gov/highlights/d06897thigh.pdf

23. U.S. Government Accountability Office, “Information Technology: VA and DOD Face Challenges in Completing Key Efforts,” Highlights of GAO-06-905T, 2006, www.gao.gov/highlights/d06905thigh.pdf

24. Department of Veterans Affairs Office of Inspector General, “Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veter- ans,” Report No. 06-02238-163, July 11, 2006, www.va.gov/oig/pubs/VAOIG-06- 02238-163.pdf

25. D. Pulliam, “Report: VA Treated Data Breach with ‘Indifference’,” Government Executive Website, July 11, 2006, www.govexec.com/technology/2006/07/report- va-treated-data-breach-with-indifference/22234

26. “Personal Data for 38,000 Veterans Missing, VA Says,” USA TODAY, Au- gust 7, 2006, www.usatoday.com/tech/news/computersecurity/infotheft/2006-08- 07-veterans-data x.htm

27. G. Gross, “VA to Spend $3.7M on Encryption Tools: The Move Follows the Theft of a VA Laptop in May,” Computerworld, August 14, 2006, www.computerworld .com/s/article/9002447/VA to spend 3.7M on encryption tools

28. R. McMillan, “Update: Unisys Contractor Arrested in VA Theft: Investigators Do Not Believe 21-Year-Old Suspect Sought Agency’s Data,” InfoWorld, Septem- ber 18, 2006, www.infoworld.com/d/security-central/update-unisys-contractor- arrested-in-va-theft-825

29. H. A. Waxman, “Committee Report Finds Data Breaches Throughout Federal Government,” Committee on Oversight and Government Reform, 110th Congress, October 13, 2006, http://oversight-archive.waxman.house.gov/story.asp?ID=1127

30. R. Maze, “VA Reports Two More Data Security Lapses,” FederalTimes, November 3, 2006 (no longer available online).

31. A. Broache, “Hard Drive Vanishes from VA Facility,” C|Net News, February 5,

32. G. Keizer, “Lost VA Hard Drive May Have Held 1.8M IDs: Initially, the Agency Said Just 50,000 Were Potentially Affected,” Computerworld, February 13, 2007, www.computerworld.com/s/article/9011218/Lost VA hard drive may have held 1.8M IDs

33. M. E. Kabay, “PIIssed Off Yet?” Network World | Security Strategies, June 12, 2007, www.networkworld.com/newsletters/sec/2007/0611sec1.html

34. U.S. Government Accountability Office, “Information Security: Veterans Affairs Needs to Address Long-Standing Weaknesses,” Report GAO-07-532T, February 28, 2007, www.gao.gov/new.items/d07532t.pdf

35. G. Gross, “VA to Spend $3.7M on Encryption Tools.” 36. J. Vijayan, “OMB Sets 120-Day Deadline for Fed Breach-Notification Plans: Agen-

cies Have the Summer To Develop and Implement First Phases of Policies,”

2007, http://cnet.news.com/2100-1029 3-6156386.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

63 · 32 MANAGEMENT RESPONSIBILITIES AND LIABILITIES

May 29, 2007, www.computerworld.com/s/article/9021544/

(2013-07-14), www.privacyrights.org/data-breach 38. Chapters 1 and 3. 39. Chapter 57. 40. Chapters 56, 58, and 59. 41. Chapter 60. 42. Chapters 22 and 23. 43. Chapters 24 through 37. 44. Chapters 43 through 50. 45. Chapters 51 through 55. 46. Chapter 45 for more on employment practices and policies. 47. y issues are discussed in detail in Chapters 44, 45, 47, 48, 49, and 50 of this

. 48. K. Pratt, “Employee Security Training: Beyond Posters,” Computer-

, April 17, 2006, www.computerworld.com/s/article/110494/Employee Training Beyond Posters

49. G. Gross, “Study: Human Error Causes Most Security Breaches,” Com- , March 18, 2003, www.computerworld.com/s/article/79485/Study

error causes most security breaches 50. Dickson, “Could the Arrests in the Stop and Shop Data Breach Indicate

Tie to Armenian Mobsters?” Fraud, Phishing and Financial Misdeeds Blog 28, 2007), http://fraudwar.blogspot.com/2007/02/could-arrest-in-stop-and-

51. Chapter 50 for more information about using social psychology to motivate with security policies.

52. Honeynet Project: Challenges, www.honeynet.org/challenges 53. or more about log files, see Chapters 52 and 53; on postmortem analysis, see

56. 54. Chapters 49 and 50. 55. . J. Peters and R. H. Waterman, In Search of Excellence: Lessons from Amer-

s Best-Run Companies (New York: HarperCollins, 1983). See also H. K. “Does MBWA (Management By Wandering Around) Still Work?” Self-

wth.com, 2007, www.selfgrowth.com/articles/Jones6.html 56. J. Fox, “Communications: Communication Excellence in IT Management,”

D. Lane, ed., CIO Wisdom, (Upper Saddle River, NJ: Prentice-Hall, 2003), 5.

57. Adams, “Official Dilbert Website” (2008), www.dilbert.com 58. Chapter 28. 59. E. Kabay, “A Rant about InfoSec: A Security Veteran in a Bad Mood Dumps

Everyone” (2004,; www.mekabay.com/opinion/rant.pdf 60. Chapter 30. 61. Chapter 38. 62. or more security-awareness ideas, see Chapter 49.

Computerworld,

Clearinghouse See See See See See See See See See Polic Handbook M. world Security G. puterworld Human E. a (Feb shop-data.html See compliance The F Chapter See T ica’ Jones, Gro B. in Chapter S. See M. on See See F

OMB sets 120 day deadline for Fed breach notification plans 37. Chronology of Data Breaches: Security Breaches 2005–Present,” Privacy Rights

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 63 · 33

63. Chapter 62 of this Handbook discusses risk management in more detail. 64. See Chapter 61. 65. See Chapter 18. 66. See Chapters 15 and 40. 67. R. J. McGillivray and S. C. Lieske, “Webjacking,” The Computer & Internet

Lawyer 18, no. 7 (July 2001):1, www.hackerzvoice.net/ouah/webhijack.html 68. See Chapter 54. 69. See Chapter 27. 70. See Chapters 53 and 54. 71. See Chapter 56 for a more extensive discussion of these principles in connection

with the computer emergency response team. 72. See Chapter 50 for a discussion of the psychology of implementing security poli-

cies. 73. L. J. Basai, “Employee Retention.” Learning in the New Economy,” LineZine

(Summer 2000), www.linezine.com/3/themes/hardtalk.htm 74. M. R. Farnum, “Security Awareness Training Does Not Have to Be

Hard,” Hitting the Security Nerve—Computerworld Blogs (2006), http://blogs. computerworld.com/node/4175

75. www.cccure.org 76. For more details of United States–based certification and education in the security

field, see Chapters 74 and 75. 77. A. Shostack and A. Stewart,TheNewSchoolofInformationSecurity(Upper Saddle

River, NJ: Addison-Wesley, 2008), p. xiv.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64CHAPTER

U.S. LEGAL AND REGULATORY SECURITY ISSUES

Timothy Virtue

64.1 INTRODUCTION 64 · 1

64.2 SARBANES-OXLEY ACT OF 2002 64 · 2 64.2.1 Section 404 of SOX 64·4 64.2.2 Management

Perspectives on SOX 64·5

64.3 GRAMM-LEACH-BLILEY ACT 64 · 6 64.3.1 Applicability 64·6 64.3.2 Enforcement 64·7 64.3.3 Consumers and

Customers 64·8 64.3.4 Compliance 64·8 64.3.5 Privacy Notices 64·9

64.3.6 GLBA Safeguards Rule 64·9

64.3.7 Flexibility 64·10

64.4 EXAMINATION PROCEDURES TO EVALUATE COMPLIANCE WITH GUIDELINES FOR SAFEGUARDING CUSTOMER INFORMATION 64 · 14

64.5 CONCLUDING REMARKS 64 · 14

64.6 FURTHER READING 64 · 14

64.7 NOTES 64 · 15

64.1 INTRODUCTION. Since the previous edition of this Handbook was pub- lished in 2009 there have been significant technical, political, economic, legal, and regulatory changes that have complicated efforts to achieve compliance. In addition, the overall global economic downturn has made compliance more difficult.

With the global and U.S. economic downturn, many organizations were chal- lenged to maintain or increase their compliance programs with fewer resources. In periods of economic decline, fraud and other criminal activities have a tendency to increase, requiring security leaders to focus on both security and regulatory issues simultaneously.

The rising use of social media, mobile devices, and cloud computing has compli- cated the application of security controls and strategies and increased regulatory and legal challenges. Security teams must apply flexible, innovative, and adaptive security solutions.

Many organizations are restructuring independent and isolated operational units (sometimes described as silos) and focusing on coordinated strategic risk management for the enterprise. Such changes support business values, achieve compliance, and reduce risk.

64 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 2 U.S. LEGAL AND REGULATORY SECURITY ISSUES

Another recurring theme of today’s regulatory environment is accountability for, and protection of, sensitive or private information. Specific regulatory requirements and how an organization addresses the requirements will vary, based on industry, organizational structure, and internal processes. However, an effective enterprise-wide regulatory-governance model should incorporate two common elements:

1. The senior management team must create a compliance-driven culture by actively exercising leadership by example.

2. The team must actively support this culture of compliance by enabling com- puter security strategies, tactics, and technologies as discussed throughout this Handbook.

Compliance with regulatory requirements must include, but is not limited to, these computer security fundamentals:

� Program management � Policy and procedure design and implementation

� Risk assessment and management � Prevention � Detection � Response

� Implementation of safeguards � Administrative controls � Physical controls � Technical controls

� Awareness and training

Organizations must also keep in mind that vendor due diligence and management may play a more critical role as they adopt social media, mobile, and cloud-computing technologies within the organization. The same levels of management and oversight still need to exist; however, now they need to be applied outward.

Although there are a number of regulations that today’s business leaders may be accountable for, these requirements vary from industry to industry. This chapter fo- cuses on two important U.S. regulations: the Sarbanes-Oxley and the Gramm-Leach- Bliley Acts. These particular acts require a significant level of management involve- ment in order to validate that the organization adequately addresses the regulatory requirements.

64.2 SARBANES-OXLEY ACT OF 2002. The Sarbanes-Oxley Act of 2002 (SOX), also sometimes referred to as the Public Company Accounting Reform and InvestorProtectionActof2002, comprises 11 titles and is administered by the Securities and Exchange Commission (SEC). The main goal of the legislation is to protect the public and shareholders from accounting errors and fraudulent practices by requiring that companies monitor and record any access to sensitive financial data. They must provide reports on their controls, and must respond in a timely and appropriate manner should an incident occur.1

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

SARBANES-OXLEY ACT OF 2002 64 · 3

EXHIBIT 64.1 Eleven Titles of SOX with Descriptions

Title # Name Description

I Public Company Accounting Oversight Board

Establishment of a private nonprofit board. Duties of the board include establishing auditing, quality control, and independence standards for public accounting firms.

II Auditor Independence

Prohibits certified public accountants from simultaneously performing audit and nonaudit services.

III Corporate Responsibility

Requires that the Securities and Exchange Commission (SEC) order the national security exchanges and associations to bar the listing of an issuer that does not comply with the specific requirements set forth in Title III.

IV Enhanced Financial Disclosures

Sets forth various requirements to validate the accuracy of financial statements and supporting disclosures.

V Analyst Conflicts of Interest

Defines a code of conduct for security analysts and includes a measure to help restore confidence in their reporting.

VI Commission Resources and Authority

Authorizes the SEC to hire staff to provide additional oversight of auditors and audit services. Also outlines the conditions a person can be prohibited from practicing as a broker, advisor, or dealer.

VII Studies and Reports Provides for research to be conducted for the enforcement of actions against violations by SEC registrants and auditors.

VIII Corporate and Criminal Fraud Accountability

Defines penalties for the destruction of audit reports and the willful destruction, manipulation, or falsification of documents in federal investigations and bankruptcy proceedings.

IX White Collar Crime Penalty Enhancements

Increases the penalties for white-collar crimes and requires that both the CEO and CFO of a corporation certify periodic financial statements.

X Corporate Tax Returns

Requires that the CEO sign the corporation’s federal income tax return.

XI Corporate Fraud and Accountability

Establishes penalties for persons who manipulate or destroy documents or impede an official proceeding.

Exhibit 64.1 offers each title within SOX with a brief description added by the author.

All of the individual components from Exhibit 64.1 that specify the requirements for SOX must have the support and involvement of an organization’s senior leadership team.

No single component of SOX is more important than any other component. However, the remaining discussion focuses on the part of the Act that affects computer security the most: Section 404.

The passage of SOX in 2002 led the way for an important change in how business leaders in today’s public companies look at information security. This change has caused significant impact on today’s information systems, the security that supports them, and management’s perception of how the systems affect financial reporting.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 4 U.S. LEGAL AND REGULATORY SECURITY ISSUES

Although SOX was primarily intended to enhance the integrity of financial reporting, it has broader implications. Specifically, the integrity of financial reporting can be accomplished only by ensuring the integrity of the source information used to com- plete financial reporting requirements. Management must therefore support the design, implementation, and continuous management of strong controls over the information systems that are the primary source for today’s financial reporting requirements.

64.2.1 Section 404 of SOX. Since compliance with SOX is supported by the organization’s ability to develop, implement, and manage a combination of busi- ness reporting requirements and management controls, many of the organization’s information systems are directly or indirectly involved in the SOX-compliance pro- cess. The extent of involvement can range from end-user computing applications (e.g., spreadsheets) all the way to the data center. Business leaders must address these issues and must provide adequate support to achieve continuous compliance with SOX.

SOX addresses a number of areas requiring senior executive leadership and support. However, Section 404 of SOX is most relevant to information-security programs, and requires businesses to:

� Evaluate the adequacy of internal controls that impact financial reporting � Implement new controls as necessary � Annually test and report on the assessment results of internal controls

Section 404 requires the business to implement a comprehensive internal control framework sustainable throughout the enterprise. Furthermore, these controls must not only directly protect the integrity of financial data and indirectly protect the systems that support the data, but the business is also required to show that these controls are operational and are functioning as intended. Since compliance with SOX affects the organization at an enterprise-wide level, information-security protections should be designed, implemented, and managed from a holistic perspective supported by management as part of an overall business strategy, rather than as a single compliance activity.

In most organizations, almost all corporate information, including financial in- formation, is linked to enterprise information systems. Many systems feed or share information with each other. Therefore, the organization must look at data origins, data flows, and data output to validate that they have adequately identified all of the information that could impact financial reporting. Management must provide the ap- propriate level of support for robust controls to protect the data resources of critical corporate information systems, which ultimately act as the primary data source the business must rely on when delivering and validating the integrity of the organization’s financial statements.

With today’s modern technologies pervasively deployed in business environments, organizations are likely to face a variety of SOX compliance challenges. These chal- lenges result from the vast number of information systems, the associated support- ing infrastructure, highly connected and communication intensive networks, and in many cases externally facing Web-based applications that are highly susceptible to exploitation.

Additional challenges come from inside as well. The insider threat is quickly becom- ing one of the most difficult security challenges to overcome, and causes the majority of

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

SARBANES-OXLEY ACT OF 2002 64 · 5

security problems for many organizations (see Chapters 13 and 45 in this Handbook). Internal data protection challenges are further complicated by the increase in privileged users such as database administrators, system administrators, and a variety of other users with powerful access to critical information systems. Such users often unknow- ingly create significant SOX compliance risks for their organization. These powerful privileges are often overused, and ultimately can be the pathway to noncompliance or malicious activity within the organization. Furthermore, many of these privileged users can manipulate system log files so that their malicious activity goes unnoticed or in some cases becomes untraceable (see Chapter 53).

64.2.2 Management Perspectives on SOX. Properly administered com- pliance initiatives must strike a balance between information security and system usability, to support business and compliance objectives without creating an environ- ment of distrust. Although the insider threat is a significant threat to many businesses, the senior leadership team must accept that employees are a critical component of business operations. Since management controls are intended to protect sensitive sys- tem data and not to create a hostile work environment, SOX-related corporate policies and standards must support the spirit of the act by ensuring that organizations closely monitor and control access to critical business systems while not impeding employee productivity. Achieving this balance is not always an easy task.

Regardless of the specific strategies organizations employ to design, implement, and manage, there are some fundamental operational policies and processes that should be put in place to protect the integrity of both the data and ultimately the organization’s financial reporting.

Fortunately, many organizations may find they already have a majority of the re- quired controls in place, because many of the control requirements can be accomplished through traditional information security best practices. Some of the more common ex- amples include controls that address segregation of duties (e.g., among development, test, and production environments) and appropriate data-security controls and safe- guards.

A list of more common database safeguard components that senior management should focus on when complying with Section 404 of SOX follows.

� Monitor database access by privileged users � Monitor changes in privileges � Monitor access failures � Monitor schema changes � Monitor direct data access

In order to get a better grasp on all of the complexity associated with database compliance challenges, senior leadership teams in many organizations elect to take a back-to-basics approach. One of the most effective strategies to deploying such a simplified approach is to use the traditional five Ws. Specifically, organizations should be asking these questions in terms of database compliance:

1. Who did something to the database? 2. What did they do? 3. Which specific data component?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 6 U.S. LEGAL AND REGULATORY SECURITY ISSUES

4. When was the activity performed? 5. Where was the information accessed?

When members of the organization’s senior leadership team approach the SOX compliance issue in this manner, they are in a better position to understand and ulti- mately to assume the responsibility for the data security and integrity for which they are accountable.

The requirement of having an organization’s senior management work with an external auditor to report on the internal control program is, unfortunately, the most costly requirement of SOX and requires an enormous effort.

However, organizations should also take note that there are a number of benefits from designing, implementing, and managing effective compliance strategies, beyond initial SOX compliance. Establishing a comprehensive internal controls program not only aids in SOX compliance but also forms a foundation for operational improve- ments. Anytime the organization’s senior management team can institute an effec- tive internal controls program, it is not only taking steps to compliance, but also building a solid foundation on which enterprise-wide data governance programs can follow.

64.3 GRAMM-LEACH-BLILEY ACT. One of the most significant pieces of leg- islation to affect the financial services industry was the Financial Services Mod- ernization Act of 1999, commonly referred to as the Gramm-Leach-Bliley Act or GLBA.2 It was enacted in response to the standardization of the U.S. banking and insurance industries in the late 1990s. The financial services industry was undergo- ing substantial change during this period. Since financial institutions and insurance companies were allowed to merge and consolidate their operations, legislators and industry observers were concerned about providing adequate protection of consumer rights and data protection. Specifically, significant concerns developed over the con- solidation of consumer data. There was substantial fear that sensitive consumer data would be openly shared among financial organizations and their subsidiaries. This open environment would likely threaten consumer rights and the security of sensi- tive and personal financial data. The consolidation and reform within the financial services industry was enabling the creation of new financial services holding com- panies that could offer a full range of financial products. Prior to the passage of GLBA, some major financial institutions were selling personal and sensitive detailed customer information to business partners. This type of disclosure often included the disclosure of account numbers and other highly sensitive data to telemarket- ing firms. These telemarketing agencies often used the account numbers to charge customers for products and services they did not want and that had no value to customers.

64.3.1 Applicability. GLBA applies to U.S. domestic financial institutions; it defines financial institutions, as “companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance.” GLBA coverage includes but is not limited to organizations that provide insurance, securities, payment settlement services, check cashing services, credit counselors, and mortgages.

GLBA is intended to address the proper handling of nonpublic financial information. However, senior management teams of financial institutions must acknowledge that the act also includes a wide range of information that is not obviously financial in nature.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

GRAMM-LEACH-BLILEY ACT 64 · 7

This additional coverage is intended to offer further protections to the consumer and properly align with the spirit of the law. The additional types of information that must be protected include the consumer’s name and address. However, protection may extend to:

� Information given to a financial institution in order to receive a financial product or service

� Information generated or remaining as a result of a transaction between a financial institution and a consumer

� Information obtained by the financial institution while providing a financial prod- uct or service to a consumer

GLBA requires financial institutions to safeguard nonpublic personal information (such as a Social Security number, credit card details, or a bank account number) provided by a consumer under various privacy rules or resulting from a transaction or other service performed on behalf of the consumer. This information is not necessarily considered financial information. For example, under GLBA, a consumer’s name iden- tifying a recipient of services from a specific institution is also considered nonpublic information that must be protected under GLBA. Specifically, GLBA mandates:

� Secure storage of consumer personal information � Providing adequate and sufficient notice to consumers regarding how the financial institution shares their consumer personal and financial information

� Providing consumers with the choice to opt out of sharing their personal and financial information

64.3.2 Enforcement. GLBA is enforced by the Federal Trade Commission (FTC), various financial industry regulators, and state attorneys general. More stringent requirements may be placed on the financial institutions by individual states, because GLBA does not preempt state law.

Although current legislation does not offer a remedy of civil action, a financial institution’s failure to comply with notice is considered a deceptive trade practice by both state and federal authorities. Some states do have specific legislation that offers a private right of action for consumers.

Title V of the act provides that financial institutions may share practically any infor- mation with affiliated companies but may share information with nonaffiliated compa- nies for marketing purposes only after providing an opportunity for the consumer to opt out of the information sharing process. Management needs to play a proactive role in providing administrative, managerial, and technical support to achieve compliance with Title V of the Act. Consumers must be provided with easy-to-understand and easy-to-use opt-out choices. Organizations that make opting out difficult, or that oth- erwise appear to be duplicitous, are likely to be viewed as noncompliant with Title V of GLBA.

The provisions of Title V do not preempt or supersede state law. If organizations are conducting business in a state that has more stringent requirements, then those state requirements must be met, in addition to GLBA. Section 505 requires that the act and its associated regulations be enforced by various federal and state regulatory agencies having jurisdiction over financial institutions. This requirement of GLBA

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 8 U.S. LEGAL AND REGULATORY SECURITY ISSUES

offers federal enforcement authority to a variety of enforcement agencies. The more common enforcement agencies include:

� Office of the Comptroller of the Currency � Federal Reserve Board � Federal Deposit Insurance Corporation � Securities and Exchange Commission

An organization’s senior leadership team should also note that the FTC has gen- eral enforcement authority for any financial institution that does not fall within the jurisdiction of any of the specific enumerated regulatory agencies.

As previously stated, the intent of GLBA is to offer adequate protection to con- sumers conducting business with financial services firms. Although the hope is that organizations will comply with GLBA on goodwill, the act was created with some serious repercussions to financial institutions that do not comply. GLBA does not in- clude a private right of action, but financial institutions are required to give consumer notice, and they could face liability under deceptive trade practice statutes if the no- tices are determined to be deceptive or inaccurate. Furthermore, financial institutions that fail to comply with GLBA may also be subject to penalties under the Financial Institution Reform Recovery and Enforcement Act (FIRREA). FIRREA contains and offers penalties that range from up to $5,500 for violations of laws and regulations; up to $27,500 if violations are unsafe, unsound, or reckless; and up to $1.1 million for knowing violations. Given the consequences of noncompliance, organizations need to take the appropriate actions to obtain consumer protection and compliance with GLBA.

64.3.3 Consumers and Customers. One common misconception of GLBA is the interpretation of the legislation as it relates to the nonconsumer customers of financial institutions. This is likely to occur since the terms consumer and customer are often used interchangeably. However, in the context of GLBA, the critical distinction must be made. GLBA defines a consumer as “an individual who obtains, from a financial institution, financial products or services which are to be used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.” A customer is a type of consumer who has established some sort of ongoing relationship with an institution accountable to GLBA. An example of a customer would be an individual who has received credit financing to purchase a car. This individual would need to make monthly payments to a financial institution and hence has established an ongoing relationship. Under this definition, a business could not be defined either as a customer or as a consumer (since a business is not an individual3) and therefore does not fall under the protections of GLBA.

64.3.4 Compliance. Compliance with GLBA signifies that financial institutions must comply with a number of the act’s provisions. From a high-level perspective, organizations must adhere to these points when seeking compliance with GLBA:

� Organizations must provide consumers with clear and conspicuous notice of the financial institution’s information-sharing policies and practices.

� This notice must be given at the start of a new customer relationship and maintained on an annual basis.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

GRAMM-LEACH-BLILEY ACT 64 · 9

� Organizations must provide customers with the right to opt out of having their nonpublic personal information shared with nonaffiliated third parties (unless the activity falls under one of the GLBA exceptions).

� They must refrain from disclosing to any nonaffiliated third-party marketer, other than a consumer reporting agency, an account number or similar form of access code to a consumer’s credit card, deposit, or transaction account.

� Financial institutions must comply with the regulatory standards established to protect the security and confidentiality of customer records.

� Financial institutions must also protect against security threats and unauthorized access to such protected customer information.

64.3.5 Privacy Notices. As a part of GLBA, financial institutions are required to disseminate privacy notices to their consumers explaining what information the financial institution will collect about the consumer, whom the information may be shared with, and how the financial institution protects that information. The information the notice must refer to is the consumer’s nonpublic personal information (such as a Social Security number, bank account number, or credit card number) collected, for example, during an application for auto financing. In an effort to help companies comply with this requirement in a consistent and effective manner, the FTC (in conjunction with various other financial regulators) established a GLBA privacy notice standard. Under this standard, financial institutions must provide a privacy notice at the inception of a relationship with a consumer and once a year for as long as the relationship persists. Furthermore, this notice must provide consumers with the option to declare within 30 days after the receipt of the notice that they do not want their information shared with the third parties mentioned in that privacy notice. Financial institutions must also mandate that the privacy notice itself be written in such a way that it is a clear and accurate statement of the company’s privacy practices. Provided these requirements are met by the financial institution’s privacy notice, the institution may share consumer information with its affiliated companies.

A financial institution may also share consumer information with nonaffiliated or- ganizations provided it has clearly disclosed what information will be provided, to whom, and how it will be protected, and provided that consumers have a method of opting out clearly described in their privacy notices. However, GLBA prohibits finan- cial institutions from disclosing consumer account numbers to nonaffiliated companies for purposes of telemarketing, direct-mail marketing (including through email), even if the consumer has not opted out of sharing the information for marketing purposes. There will be special circumstances in which consumers will not have the option to require that their information not be shared. Some of the more common occurrences of these special circumstances are:

� When a financial institution is required to share information with an outside organization as part of fulfilling its customer obligations (e.g., data processing services)

� When a financial institution is legally required to share the information � When the information is shared with an outside service provider that market the products or services of the financial institution

64.3.6 GLBA Safeguards Rule. A significant component of GLBA is the GLBA Safeguards Rule. The Safeguards Rule is intended to support the privacy and

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 10 U.S. LEGAL AND REGULATORY SECURITY ISSUES

protective rules within GLBA. In many organizations, it is the operational driver supporting the other components of GLBA. If the other components of GLBA are the why of the legislation, then the Safeguards Rule is the how.

GLBA contains specific requirements and safeguards that are applicable to both electronic and paper records. Management must protect records in both formats, even though the widespread use of electronic data processing makes it easy to overlook sensitive consumer information in hardcopy format because an increasing number of employees work almost exclusively with electronic representations of the data. GLBA requires financial institutions to develop, implement, and continuously man- age a comprehensive information security program, which it defines as including ad- ministrative, technical, and physical safeguards to protect the security of customer information.

64.3.7 Flexibility. GLBA covers a broad array of financial institutions, and therefore mandates that an information security program be appropriate to the size, complexity, nature, and scope of the activities of each specific financial institution. This level of flexibility offers an organization’s management team the flexibility to balance consumer protection against business objectives. However, it is critical that this flexibility not be abused and that the intent of the act be addressed. Furthermore, an organization’s senior leadership team must not interpret the lack of specific safeguards as an opportunity for noncompliance with GLBA, but rather as an opportunity to provide consumer protection without impeding business operations.

Flexibility aside, certain key requirements must be followed to be compliant with the Safeguards Rule. The foundational security practices include having at least one designated employee to audit systems; determine risks; and develop, implement, and manage procedures to address information security. Specifically, a financial institution must provide three levels of security:

1. Administrative security. Includes program management of workforce risks, employee training, and vendor oversight

2. Technical security. Includes technical controls for computer systems, networks, applications, access controls, and encryption

3. Physical security. Includes safeguarding facilities, corresponding environmental protection, and disaster recovery protections

In order for financial institutions to be fully compliant with the Safeguards Rule, they need to create comprehensive internal controls for strong administrative, technical, and physical safeguards. To help guide an organization’s senior leadership team toward GLBA compliance, some of the major requirements that financial institutions must keep in mind when building an organizational culture founded on consumer protection and GLBA compliance are listed next:

� Validate that consumer information is kept secure and confidential. � Validate that consumer information is protected from likely threats to its security and integrity.

� Validate that consumer information cannot be accessed by any unauthorized en- tities, or accessed in a way that would result in substantial loss or in a way that would inconvenience the consumer.4

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

GRAMM-LEACH-BLILEY ACT 64 · 11

EXHIBIT 64.2 Recommended Evaluation Procedures

Key Questions or Considerations

I. Determine the involvement of the board. A. Has the board or its designated committee approved a written Corporate

Information Security Program that meets the requirements of the Information Security Guidelines?

B. If the board has assigned responsibility for program implementation and review of management reports to an individual or to a committee, is the necessary knowledge, expertise, and authority to perform the task available?

C. Does the program contain the required elements? 1. If more than one information security program exists for the institution,

are the programs coordinated across organizational units? D. Are the reports from management to the board (or its designated

committee) useful? Does the report adequately describe the overall status of the program, including material risk issues, risk assessment, risk management, and control decisions, service provider oversight, results of testing, security breaches and management’s response, and recommendations for program changes?

1. How often does the board (or its designated committee) review reports? E. Overall, do management and the board (or its designated committee)

adequately oversee the institution’s information security program? II. Evaluate the risk assessment process. A. Review the risk assessment program.

1. How does the institution assess risk to its customer information systems and nonpublic customer information?

2. Has the institution evaluated the risk to the entire customer information system?

3. Has the institution used personnel with sufficient expertise to assess the risk to its systems and customer information on an enterprise-wide basis?

4. Is the risk assessment part of a formal risk assessment process with timelines and milestones? If not, how will management ensure timely completion?

5. Does the institution have a process for identifying and ranking its information assets (data and system components) according to sensitivity? How does it use this process in its risk assessment?

B. Assess adequacy and effectiveness of the risk assessment process. 1. Does the institution identify all reasonably foreseeable internal and

external threats that could result in unauthorized disclosure, misuse, alternation, or destruction of customer information, or of customer information systems?

2. Does the institution support its estimate of the potential damage posed by various threats?

3. Review the institution’s existing controls to mitigate risks. Does the institution’s analysis consider the current administrative, physical, and technical safeguards that prevent or mitigate potential damage?

4. Does the institution use test results to support its assessment of the adequacy and effectiveness of those controls?

(continued)

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 12 U.S. LEGAL AND REGULATORY SECURITY ISSUES

EXHIBIT 64.2 (Continued)

Key Questions or Considerations

C. Does the institution identify and prioritize its risk exposure, decide on the risks it must mitigate, and create a mitigation strategy? Is the decision to accept risks documented and reported to the appropriate management levels?

1. Does the institution promptly act to mitigate risks that pose the immediate possibility of material loss?

2. How does the institution demonstrate that the mitigation strategy was reviewed by appropriate officials?

3. Does the risk assessment provide guidance for the nature and extent of testing?

4. Does the risk assessment include vendor oversight requirements? III. Evaluate the adequacy of the program to manage and

control risk. A. Review internal controls and policies. Has the institution documented or

otherwise demonstrated, at a minimum, that it considered the following controls, and adopted those it considered appropriate?

1. Access controls, such as controls to authenticate and permit access to customer information systems to authorized persons only.

2. Access restrictions at physical locations, such as buildings and computer facilities, to permit access to authorized persons only.

3. Encryption of electronically transmitted and stored customer data. 4. Procedures to ensure that systems modifications are consistent with the

approved security program. 5. Dual control procedures, segregation of duties, and employee

background checks. 6. Monitoring systems and procedures to detect actual and attempted

attacks on, or intrusions into, customer information systems. 7. Response programs specifying actions to be taken by specific

individuals when the institution suspects unauthorized access (i.e., incident response).

8. Measures to protect against destruction, loss, or damage of information from potential environmental hazards, such as fire and water damage or technological failures.

B. Is staff adequately trained to implement the security program? 1. Obtain from management a listing of the training provided to all users

of the institution’s system. C. Determine whether key controls, systems, and procedures of the

information security program are regularly tested by independent third parties, or by qualified independent staff, in accordance with the risk assessment.

1. Assess whether the nature and frequency of testing is consistent with the risk assessment.

2. Assess whether tests are conducted or reviewed by independent third parties or qualified staff independent of those that develop or maintain the security program.

3. Assess whether management reviews test results promptly. Assess whether management takes appropriate steps to address adverse test results.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

GRAMM-LEACH-BLILEY ACT 64 · 13

EXHIBIT 64.2 (Continued)

Key Questions or Considerations

IV. Assess the measures taken to oversee service providers. A. Determine whether the institution exercises due diligence in selecting

service providers. B. Determine what information is supplied to service providers. C. Obtain a copy of the contract(s) with the service provider(s). Determine

whether contracts require service providers to implement appropriate measures to meet the objectives of the guidelines.

D. If the institution’s risk assessment requires monitoring a service provider, then perform the following steps for each applicable service provider.

1. Determine whether the service provider contract provides for sufficient reporting from the service provider to allow the institution to evaluate appropriately the service provider’s performance and security, both in ongoing operations, and when malicious activity is suspected or known.

2. Determine whether the institution’s actions adequately control information supplied to service providers, ensuring that the information is managed and secured properly.

3. Review financial condition of service provider. V. Determine whether an effective process exists to adjust the

information security program. A. Does the institution have an effective process to adjust the information

security program as needed? Is the appropriate person assigned responsibility for adjusting the information security program?

B. Review procedures that are in place to ensure that when the institution makes changes in technology, and in its business functions, the requirements of the guidelines are also considered. These changes can include:

1. Technology changes (e.g., software patches, new attack technologies, and methodologies).

2. Sensitivity of information. 3. Threats (both as to nature and extent). 4. Upcoming changes to the institution’s business arrangements (e.g.,

mergers and acquisitions, alliances and joint ventures, outsourcing arrangements).

5. Upcoming changes to customer information systems (e.g., new configurations or connectivity, new software).

C. Determine whether appropriate expertise is applied to evaluate whether changes to the information security program are necessary.

D. Determine whether appropriate controls exist to ensure that changes to the information security program are properly implemented in a timely, risk-minimized manner.

VI. Summarize and communicate your findings. A. Discuss issues, conclusions, and potential violations with executive in

charge. B. Discuss findings with institution management. If you have identified

material issues, obtain and document management commitments to address those Issues.

C. Complete work papers. D. Detail findings with support in a Summary Comment.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 14 U.S. LEGAL AND REGULATORY SECURITY ISSUES

Fortunately, for many organizations, implementing the Safeguards Rule does not usually require significant structural changes to their information security program. This occurs because the principle of the Safeguards Rule requires compliance with basic information-security program elements. These elements are based on best practices that should already be a part of an effective information-security program.

Specifically, each financial institution must designate an employee to manage the programs safeguards. Depending on financial institution’s size, culture, and organiza- tional structure, the actual title and responsibilities of the position will vary signifi- cantly. However, at a high level, this function typically requires the identification and assessment of the organization’s risk as it relates to consumer information. Further- more, the organization’s risk management must be carried out diligently, so that each relevant area of the institution’s operation successfully completes a comprehensive evaluation of the effectiveness of its safeguards. In most cases, the effectiveness of the organization’s safeguards can be measured by the organization’s ability to man- age risk successfully by designing, implementing, and managing adequate information security controls. This activity should further be supported by senior management’s ability successfully to monitor and test the information risk-management program on a regular basis.

Finally, it is important that the financial institution’s senior leadership team proac- tively protect customer information, even when working with third parties. Under GLBA, financial institutions must also select the appropriate service providers to sup- port their GLBA requirements and to enter into security-minded agreements. Simply utilizing third parties does not free financial institutions from their GLBA obligations. The organization’s senior leadership team must establish agreements in a manner that adequately protects consumer information and that requires the service provider to implement appropriate and GLBA-relevant safeguards. GLBA stresses that, at a min- imum, the safeguards performed by the third party must be equal to the protections offered internally by the financial institution’s senior leadership team.

64.4 EXAMINATION PROCEDURES TO EVALUATE COMPLIANCE WITH GUIDELINES FOR SAFEGUARDING CUSTOMER INFORMATION. The Of- fice of the Controller of the Currency of the United States Department of the Treasury has published a useful table of recommended evaluation procedures that will help readers apply the principles discussed in this chapter.5 A simplified and edited repre- sentation of the procedures is supplied in Exhibit 64.2.

64.5 CONCLUDING REMARKS. An overall increase in regulatory require- ments is likely to emerge in coming years. Some of these requirements may be industry specific or broad enough to reach all organizations. Good security profes- sionals will build and maintain comprehensive governance, risk, and control pro- grams. This will give their organizations a strong foundation for any future regulatory requirements.

64.6 FURTHER READING Anand, S. Essentials of Sarbanes-Oxley. Wiley, 2007. Aspatore Publishers, eds. Recent Trends in Privacy and Data Security: Leading

LawyersonAnalyzingInformationStorageRegulationsandDevelopingEffective Data Protection Policies. Thomson Reuters Westlaw, 2013.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 64 · 15

Bianco, K. M., J. Hamilton, K. R. Benson, A. A. Turner, and J. M. Pachkowski. Financial Services Modernization: Gramm-Leach-Bliley Act of 1999Law and Explanation. CCH Inc., 1999.

Buchanan, Jim “Cloud Computing: 4 Tips for Regulatory Compliance.” CIO.com 2011. www.cio.com/article/687434/Cloud Computing 4 Tips for Regulatory Compliance

Cohen, H. R., and W. J. Sweet. After the Gramm-Leach-Bliley Act: A Road Map for Banks, Securities Firms, and Investment Managers. Practising Law Institute, 2000.

Cox, F. D. Information Security: Risk Management of GLBA Privacy and Service Provider Oversight. Amazon Digital Services, 2011.

Crosman, Penny. “Compliance Roadmap for Proposed Social Media Rules for Banks” American Banker (2013). www.americanbanker.com/issues/178 102/ compliance-roadmap-for-proposed-social-media-rules-for-banks-1059418-1. html

Dunham, W. B. After the Gramm-Leach-Bliley Act: A Road Map for Insurance Com- panies. Practising Law Institute, 2000.

Greene, E. F., D. M. Becker, and L. N. Silverman. Sarbanes-Oxley Act: Analysis and Practice. Aspen Law & Business, 2003.

Hermann, D. S. Complete Guide to Security and Privacy Metrics: Measuring Regula- tory Compliance, Operational Resilience, and ROI. CRC Press, 2006.

Kearney, E. F., R. Fernandez, J. W. Green, and D. M. Zavada.WileyFederalGovernment Auditing: Laws, Regulations, Standards, Practices, and Sarbanes-Oxley, 2nd ed. Wiley, 2013.

Lekatis, G. Understanding Sarbanes-Oxley: What Is Different after July 2013. Amazon Digital Services, 2013.

Miles, B. L. The Canadian Financial System. Nova Science Publishers, 2004. Moeller, R. R. Executive’s Guide to COSO Internal Controls: Understanding and

Implementing the New Framework. Wiley, 2013. Tarantino, A. Manager’s Guide to Compliance: Sarbanes-Oxley, COSO, ERM, COBIT,

IFRS, BASEL II, OMB’s A-123, ASX 10, OECD Principles, Turnbull Guidance, Best Practices, and Case Studies. Wiley, 2006.

White House. “Consumer Data Privacy in a Networked World: A Framework for Pro- tecting Privacy and Promoting Innovation in the Global Digital Economy.” White House Website, February 2012. www.whitehouse.gov/sites/default/files/privacy- final.pdf

64.7 NOTES 1. American Institute of Certified Public Accountants Center for Audit Quality, www

.aicpa.org/INTERESTAREAS/CENTERFORAUDITQUALITY/RESOURCES/ Pages/Resources.aspx; and see “Section 404(b) of Sarbanes-Oxley Act of 2002,” www.aicpa.org/Advocacy/Issues/Pages/Section404bofSOX.aspx

2. Gramm-Leach-Bliley Act: 15 USC SubChapter 1, §§6801–6809, www.ftc.gov/ privacy/glbact/glbsub1.htm

3. At least, not in this context. For a different perspective on the question of organi- zations as people, see discussions of Citizens United v. Federal Election Com- mission, www.scotusblog.com/case-files/cases/citizens-united-v-federal-election- commission

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

64 · 16 U.S. LEGAL AND REGULATORY SECURITY ISSUES

4. FTC, “Standards for Safeguarding Customer Information: Final Rule,” May 23, 2002, 16 CFR §314 ¶1a, www.ftc.gov/os/2002/05/67fr36585.pdf

5. U.S. Department of the Treasury, Office of the Controller of the Currency, “Exam- ination Procedures to Evaluate Compliance with the Guidelines to Safeguard Cus- tomer Information,” OCC- 2001-35 (2001-07-18). www.occ.gov/news-issuances/ bulletins/2001/bulletin-2001-35.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65CHAPTER

THE ROLE OF THE CISO

Karen F. Worstell

65.1 CISO AS CHANGE AGENT 65 · 1

65.2 CISO AS STRATEGIST 65 · 3 65.2.1 Reliance on Digital

Information 65·4 65.2.2 Inherent Insecurity of

Systems 65·5 65.2.3 World Trends 65·5

65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE 65 · 6 65.3.1 Standard of Care 65·6 65.3.2 Governance and

Accountability 65·9 65.3.3 Roles and

Responsibilities 65·11 65.3.4 Reporting 65·13 65.3.5 Monitoring 65·13 65.3.6 Metrics 65·13 65.3.7 Executive Visibility 65·13

65.4 SUMMARY OF ACTIONS 65 · 13

65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs 65 · 14 65.5.1 Education and

Experience 65·15 65.5.2 Culture of Security

in the Business 65·15 65.5.3 Alliance with

Corporate and Outside Counsel 65·16

65.5.4 Partnership with Internal Audit 65·16

65.5.5 Tension with IT 65·17 65.5.6 Organizational

Structure 65·17 65.5.7 Responsibilities and

Opportunities outside of CISO Internal Responsibilities 65·18

65.6 CONCLUDING REMARKS 65 · 18

65.7 FURTHER READING 65 · 19

65.8 NOTES 65 · 19

65.1 CISO AS CHANGE AGENT. The title of chief information security officer (CISO) has evolved because of the realization that the function of the chief information officer (CIO) is so broad as to require another person to focus specifically on the security elements of information. Another motivation derives from the fact that the CISO can perform functions that are not usually associated with the CIO. Our approach to information security needs to change in response to the disruptive events affecting the network and the boardroom. CISOs should be the change agents to make this happen. This is a shift from the majority of CISOs’ emphasis today as senior managers of information technology (IT) security.

Today, CISOs are in the trust business, due to the need to create and maintain a net- work of trust among all the people, business processes, and technology of an enterprise and its partners. The interconnected ecosystem that developed since the commercial- ization of the Internet has seen dramatic shifts of trust: Consumers are thinking twice

65 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 2 THE ROLE OF THE CISO

before conducting business transactions online, and governments have intervened with regulations to improve the trust environment. The shift has between toward less trust each time we encountered a disruptive event—an event that awakened us to the fact that things were not as they seemed and made us aware that protection of networked information and systems needed to address something we had not anticipated. The timeline of disruptive security events that began in 1986 with the promise of pro- ductivity by Macs and PCs worsened with the Brain virus (1986). Trust continued to decline with the Morris Worm (1988) and the Concept.A macro virus (1995). Our world became flatter,1 and security became an entirely new kind of problem with the commercialization of the Internet and the introduction of the Web. In 1995, we still trusted the networked ecosystem. We saw the malicious works of nefarious individuals and groups, and we saw the future threat, but still did not fully realize how bad it would get.

Throughout this chapter, the author refers to information security and the CISO. This is not to the exclusion of aspects of security that do not deal directly with information systems; rather, it is intended in the broadest possible sense to address the interdependent disciplines that are required successfully to protect information in all its forms. It is in this context that the title CISO is used, inclusive of CI and CSO rather than exclusive.

In 2001, the horrific events of 9/11 rocked the planet, Enron collapsed, trust plum- meted with Slammer (2002), and the insidious stealthy vectors that utilize port 80 to steal everything from personal identities to bank accounts and company data. The networked ecosystem has provided no end of new material for our profession while making computer security, spyware, and identity theft household terms.

Mark Twain once said the definition of insanity is to do the same thing over and over and expect different results. It is clear that we will need to apply a different way of thinking and new roles and responsibilities to the discipline of information security if we are to make progress in enabling the kind of protection that is required by businesses and agencies while enabling business agility and competitiveness. This is the opportunity of the CISO.

Trends reveal that we are just past the cusp of a new kind of disruptive event worldwide—the introduction of legislative and regulatory mandates to ensure effec- tiveness of controls for protection of consumers, critical infrastructures, and share- holder value. We deal today with a myriad of high-impact network-based crimes: extortion, corporate espionage, and massive fraud. Many experienced CISOs believe that a cyber–Pearl Harbor scenario is plausible. Since 2001, we are acutely aware of the vulnerability of critical infrastructures, at least 85 percent of which are owned and maintained by the private sector. Recent figures2 indicate that new home PCs are compromised with anything from spyware to Trojans within 5 minutes of connecting to the Internet (it takes up to 60 minutes to download protective software). Although corporate PCs may enjoy a relative degree of protection, as many as 90 percent of home PCs have some kind of spyware. Corporations with the resources to address informa- tion security have doubled the use of IT security standards and guides since 2003. But the insidious attack on the home user is winning a game with serious stakes: Consumer confidence in the Internet is waning. Once computer security was the domain of techies and geeks; it is now pervasive enough to be a household concern. Security has definitely reached the awareness of the C-level offices (chief executive

officer, chief financial officer, etc.) on mahogany row, and there are articles in the popular press on a daily basis concerning information security around the world. This visibility ensures that no one can hide behind a plea of ignorance of security problems.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CISO AS STRATEGIST 65 · 3

Legislators and regulators are more concerned than ever, and new statutes, codes, regulations, and guidelines have proliferated. In the face of huge threats and the need for a corporate duty of care, network security remains a concern, but compliance to regulations and statutes and the ability to demonstrate adherence have become mandatory.

Penalties for noncompliance to these recently established governing rules are setting breathtaking precedents: $1.2 billion for a large U.S. financial institution, $15 mil- lion for another. The U.S. Veteran’s Administration admitted to the compromise of personal information, including Social Security numbers, of 26.5 million living American veterans.3 It may be noted that even New Zealand was for sale on eBay R©

recently—reportedly the efforts of an unknown party in Queensland—and was taken off line after 22 bids had reached A$2,000.4 The reserve, if any, was probably not met. We live in a new world. Trust is no longer assumed; it is easily broken in the most inadvertent to the most imaginative ways. The case law for settlements and summary judgments in information security matters is providing the basis for the best potential dollar-based impact analysis on business and information-security risk since Basel II, which is the second set of international guidelines on banking laws and regulations recommended by the Basel Committee on Banking Supervision.5

Companies, and clearly U.S. Government agencies, do not have control of intellec- tual property, employee data, or consumer data. The need to retain corporate records in the event of litigation regarding business matters, and to produce such information on demand under discovery, is infeasible for many firms with petabytes or more of struc- tured and unstructured data. Recent legislation, regulations, and case law will drive the need for information security programs to solve this enormous data management and security problem and to demonstrate a level of effectiveness to a standard of care that will stand up to the scrutiny of opposing counsel. It is the role of the CISO to understand fully the implications of these new burdens and to incorporate them into a strategy along with the business strategy of each enterprise. Where information security spending was benchmarked by Gartner Group at 1 to 3 percent of overall IT budget in the mainframe days, and 5 to 7 percent at the dawn of distributed computing, the spending to resolve problems created by past failures to address solid controls and to be prepared for the threats of the future to any degree should well exceed 10 percent of an overall IT budget. This does not include the special allowances that will be required to treat some of the worst offenses. According to the 2004 Information Security survey conducted by PricewaterhouseCoopers and CIO magazine, the best-practices group spent 14 percent of their IT budgets on information security each year.6 Companies must plan for these expenditures; the role of the CISO will be to help clarify obligations, business necessities, and strategic spending.

65.2 CISO AS STRATEGIST. Information is the prize that motivates wrongdoers, perpetrators, and miscreants who tamper with, destroy, and penetrate systems that process, store, and transmit digital information. Phil Condit, former chairman of The Boeing Company, said it well at his keynote to the International Information Integrity Institute in 1995: “Information is the business.”7 His statement was visionary at the time. Indeed, since 1995, it is safe to say that information is the foundation of business, but it is the way it is used, combined, mined, shared, represented, accessed, and manipulated for business logic’s sake that creates competitive advantage. And each of these areas of application logic and information requires rules-based protection to ensure that the business is basing decisions on sound knowledge.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 4 THE ROLE OF THE CISO

There are three main drivers for CISOs to define a new strategy for information security:

1. Systems are inherently insecure as a result of enormous variations in configu- ration, sheer complexity, and volume of vulnerabilities. A risk-based approach using conventional methods is no longer valid (if it ever was).

2. The reach of global business processes, personnel, and business systems intro- duces new considerations into an already complex security problem.

3. The playing field between the protectors and the interlopers is dramatically un- even. There are literally hundreds of thousands, if not millions, of interlopers with a follow-the-sun 7×24×365 factory of attacks. Companies cannot afford any such investment to counter the attacks, even if it were possible with a com- bination of people and automation. The attack vectors change too quickly to be able to get ahead of the curve on the protection side of the equation. Nation- states, organized crime, terrorist organizations, fraudsters, and identity thieves are continuously developing ingenious models to attack, steal, and destroy precious assets of individuals as well as of enterprises.8 Worse, professionals continue to consider trusted insiders as the most significant threat. With a globally distributed workforce of contractors, employees, and suppliers, it is necessary to have an ap- proach to information protection controls that enables a reasonable assurance that both the external and insider threats are appropriately addressed.

The CISO as a strategist will be successful adopting and integrating new methods into the business, such as a rules-based standard of care and due diligence to that standard of care. This will necessarily include existing methods of network protection, data classification, and so forth—the standard of ISO/IEC 17799:2005 provides an excellent framework. It is the decision-making process about priorities that must change.9

As a strategist, the CISO will need to look at the security problem as an executive businessperson would. Adopting the kinds of strategic thinking described in classics such as The Art of the Long View is a key success factor.10 A partial list of things to consider includes the reliance on information, why protection is important, the insecurity of systems, the futility of risk-based security, and world trends.

65.2.1 Reliance on Digital Information. Digital information is the lifeblood of our commerce, financial infrastructure, healthcare, transportation, energy, and even our very identities as citizens. In the United States alone there are 15 distinct critical infrastructures, vital to the interests of the country and to national security:

1. Information technology 2. Telecommunications 3. Chemicals 4. Transportation systems 5. Emergency services 6. Postal and shipping services 7. Agriculture and food 8. Public health and healthcare 9. Drinking water/water treatment

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CISO AS STRATEGIST 65 · 5

10. Energy 11. Banking and finance 12. National monuments and icons 13. Defense industrial base 14. Key industry/technology sites 15. Large gathering sites11

Eight-five percent of the systems that make up these critical infrastructures are owned by private enterprise. The systems that interconnect to deliver services require integrity, availability, the trusted relationships, and confidentiality. If we cannot trust the systems, we cannot trust the information. If we cannot trust the information, we cannot trust decisions based on that information. Information security also now requires us to be able to demonstrate digital ownership and even chain of possession. We have to maintain digital information in such a way that we know where our IP is at all times, what records our company must maintain, and how to store, label, and retrieve them. The definition of information security as CIA—confidentiality, integrity, and availability—is too simplistic.

65.2.2 Inherent Insecurity of Systems. Systems include hardware, soft- ware, utilities, scripts, and transport media, all of which are ultimately created by hu- mans with scheduled deadlines and constrained budgets, and installed by organizations with scheduled deadlines and constrained budgets. It is all flawed. The vulnerabilities that exist today, let alone the ones we are going to learn about tomorrow and the next day, cannot all be addressed. Perfect security is a myth, unattainable, and arguably a waste of time to try. Risk-based methods for identifying required security tactics do not scale, nor is there meaningful data that describe probability and ALE (annualized loss expectancy) realistically for information security.

65.2.3 World Trends. Our world is changing. As summarized in a report titled “Ten Trends to Watch in 2006” published by McKinsey and Company,12 trends that have already had significant implications for security professionals include:

� Dramatic geographic shifts in centers of economic activity, particularly in IT services, where labor and talent are increasing globally. Worldwide, distributed, and devolved security models will be required, as the supply chain and internal processes in a company’s value chain are widely distributed. The implications of physical security, information systems protection, personnel practices, and the diversity of governing regulations and statutes require a much broader, business- based view of asset protection. Use of company-owned, leased, and outsourced facilities will prove to be a challenge to asset protection.

� Technological connectivity will transform the way we live and interact and will completely disrupt current security infrastructures. Enhanced connectivity and mobility using smaller (i.e., less observable), highly capable Internet-enabled devices requires access to enterprise information resources from anywhere, at any time, putting an enormous strain on rule sets designed to filter incoming and outgoing information, and where it travels. Peer-to-peer networking, tiny mass storage devices, blending of personal and enterprise computing on common devices—these are just a few of the near-term changes that will completely alter

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 6 THE ROLE OF THE CISO

the way enterprise rules are handled for information protection. Grid computing, virtual machines, work from home—all are issues that challenge the notion of comprehensive asset protection, both physical and logical.

� New models of in-the-cloud knowledge, including production, access distribution, and ownership are emerging, and fundamental trust models remain to be defined or even described. Software as a service (SAAS) is already enabled for consumers and small businesses, and, probably, enterprise services will follow. The download and introduction of software over the Web, and access to proprietary information in an anywhere-computing environment, requires redefinition of the way we think about intellectual property and data management.

A coordinated, interdisciplinary management approach to a proper set of controls based on business risk is essential to deal effectively with the enormous requirements to protect information in business today. Whether the enterprise is private or public, regardless of nationality, a solid information protection strategy must recognize the implications of that principle.

To summarize, successful use and management of information is the business. Setting priorities that demonstrate due diligence to a properly business-driven standard of care for the confidentiality, integrity, availability, ownership, and proper possession of information is the charge of the CISO. It is essential that the CISO function at the level of executive management and as a business strategist, participating with the executive leadership team to enable the integration of due diligence to a standard of care into all business streams.

65.3 STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE. Rec- ognizing the information security changes that drive the role of the CISO, what should be done to be successful? What are the key focus areas that should define the role of a CISO?

Success for information security professionals will depend on several key factors in this new world:

� Standard of care (e.g., rules-based) strategy � Governance and accountability � Clear roles and responsibilities � Metrics, reporting, and executive visibility

The remainder of this section examines each of these more fully. For a general discussion of management’s role in information assurance, see Chapter 63 in this Handbook.

65.3.1 Standard of Care. A CISO has one vision statement that drives strat- egy: to establish due diligence to a standard of care for the business; that is to say, to put in place the mechanisms (controls, oversight, monitoring, metrics, and reporting) that will enable the business to demonstrate due diligence to that standard of care. Instead such a standard of care is rules based, but it is not prescriptive in itself. The standard of care is the set of documented business risks from an information protection perspective, and the declaration of a set of rules in policy, that effectively mitigate those business risks. The standard of care declares what will be done. It is the governing book of policy to be reviewed and monitored by the executive leadership team, the

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE 65 · 7

audit committee of the board of directors, and senior management. It is the set of rules with which all internal standards and desktop procedures must comply.

Although a complete treatment of the identification of business risk is outside the scope of this chapter, it can be summarized in this way: Prior to identifying the controls within a standard of care, steps must be taken to qualify business risk relatively as high, medium, or low based on magnitude of potential business impact and perceived exposure. It does not use quantitative risk analysis methods such as those found in Octave, FAIR, or any other popular risk-based quantitative methodology. It does not use ALE. It does enable the business to defend the design of the standard of care, the controls of which are derived from the business risk analysis.

The standard of care derives its meaning from two primary sources: internationally accepted standards and the risk analysis that defines the business risks.

The basic set of internationally accepted standards is summarized in Exhibit 65.1. For more detailed analysis of security standards, see Chapters 44 and 51 in this Handbook.

It is important for these standards to be used as a foundation for the policy, to ensure that security policy is recognized by the larger body of security professionals, and to serve as an interchangeable trading partner agreement in the communication and enforcement of security expectations.

It is not in the scope of this chapter to go into the risk assessment methodology in detail; however, a general description will serve to indicate that this is not a vul- nerability assessment. The risk assessment process is one used not to identify system vulnerabilities but to identify potential areas relating to people, process, and tech- nology that could result in an exposure that reaches a defined threshold of business impact. For example, in a technology firm, one might align three major areas of con- cern: major inaccuracies in financial reporting (the domain of the Sarbanes-Oxley Act of 2002); failure to control IP adequately and the subsequent risk to trade secrets, patents, or copyrights; and failure to protect customer data adequately. Each of these slices of business risk can be the foundation for the questions in the risk assessment to ascertain major systems exposure, business process exposure, or exposure caused by people doing things incorrectly, such as human error or even malfeasance. Risk rankings will need to be on the basis of assumptions and figures acceptable to the senior leadership team; the wildcard in any risk ranking is probability. The business impact threshold will vary widely with each business. Thresholds may be set using the financials of the company. A company that has a materiality threshold (i.e., the minimum level of loss that matters significantly to the organization), for example, of $5 million that defines a material weakness in Sarbanes-Oxley compliance will prioritize its risks differently than a firm for which the materiality threshold is on the order of $500 million.13

With the risk analysis to use as a rationale, the road map to tailoring a book of policy derived from the international standards becomes a series of steps to take for each risk, to define the mitigating control, and to map that control to a control statement in, for example, ISO/IEC 17799:2005. Repeating this for all the risk categories and all the risk areas, one will have a foundation to demonstrate to any trading partner or outside party why the standard of care is relevant and appropriate to the company.

The next step is to help provide the translation of the high-level standard of care policy statements into action. Creating a set of implementation standards for the various controls described in the standard of care gives clear direction to all parties charged with ensuring that the needed controls are in place. The implementation standards also provide the foundation for a set of measurements and tests to determine that the controls are working as intended. This is the critical element that enables the executive

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 8 THE ROLE OF THE CISO

EXHIBIT 65.1 International Standards for Information-Security Governance

Basic set of internationally accepted standards includes Useful in this context:

BS 7799 Replaced —see ISO/IEC 27001 ISO/IEC 17799:2005— Information technology. Security techniques. Code of practice for information- security management.

This universal standard provides a complete set of guidelines for an effective Information Security Management System (ISMS). It is essential guidance to help manage an effective information- security policy. It offers a common language and a common understanding to enable an organization to develop, implement, and measure effective security management practice, providing confidence in intercompany trading.

ISO/IEC 17799 details a number of individual security controls, which may be selected and applied as part of the ISMS. ISO/IEC 17799, again based on a British standard, is scheduled to become ISO/IEC 27002 in a couple of years.

BS 7799-2:2005 (ISO/IEC 27001:2005) Information technology. Security techniques. Information- Security Management Systems. Requirements.

ISO/IEC 27001 specifies the requirements for the security management system itself. It is this standard, as opposed to ISO/IEC 17799, against which certification is offered. ISO/IEC 27001 has also been harmonized to be compatible with other management systems standards, such as ISO/IEC 9001 and ISO/IEC 14001. Organizations already certified under BS 7799- 2:2002 need to prepare for transition to ISO/IEC 27001 in order to meet its requirements.

BS ISO/IEC 13335-1:2004 Information technology. Guidelines for the management of IT security. Concepts and models for information and communications technology security management

This standard is useful to: � Define and describe the concepts associated with the management of IT security.

� Identify the relationships between the management of IT security and management of IT in general.

� Present several models that can be used to explain IT security.

� Provide general guidance on the management of IT security.

IT Governance Institute’s Control Objectives for IT (CoBIT R©)

CoBIT R© is a way to implement governance. It provides a tailorable set of controls.

ITIL—IT Infrastructure Library ITIL R© provides a cohesive set of best practice, drawn from the public and private sectors internationally. It is supported by a comprehensive qualifications scheme, accredited training organizations, and implementation and assessment tools. The best practice processes promoted in ITIL R© support and are supported by the British Standards Institution’s standard for IT service Management (BS15000). (OGC - ITIL)

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE 65 · 9

team and the CISO to demonstrate that the controls are not only the right ones, but that they are working properly.

The CISO does not get involved in monitoring firewall rules or router configurations. This is work that is the domain of an operations security manager who is carrying out the standards established by the CISO. The CISO should review the reporting (once it is established) to ensure that the controls described for all Internet connectivity are in place and working, and to ensure that the handling of technical details is delegated to specialized technical staff and management.

65.3.2 Governance and Accountability. A recent research project com- pleted by Booz Allen Hamilton reveals several factors that are changing the face of protecting enterprise assets, and ultimately adjusting the roles of the security profes- sion. The information protection strategy is undergoing convergence, defined by ASIS International as “the identification of security risks and interdependencies between business functions and processes within the enterprise and the development of man- aged business process solutions to address those risks and interdependencies.”14 The role of the successful CISO is not only converging into an interdependent set of security specialties; it is also blending into business functions, intertwined into the fabric of decision-making processes throughout the life cycle of business strategy, plans, and execution.

Given the need for managing all the complexity recently introduced, security pro- fessionals must also adopt a different outlook—a more business-oriented than a pro- tectionist position. Tim Mather, CISO of Symantec Corporation, describes it this way:

For many information-security professionals, the urge is to promote information security—zealously. Many times too zealously. We often come to believe that security aware- ness equates to zealous promotion of information-security objectives, especially the deploy- ment of (information) security technology—often at the “expense” of people, and policies and processes. However, that zealous promotion of information-security objectives tends to cloud our judgment as to the business considerations of the risks involved. Our information-security– colored glasses are polarized to security and tend to filter out business unit considerations. This leads to a loss of credibility with business unit personnel, hindering our ability to accomplish our information-security goals.

Our challenge is to articulate our information-security objectives in terms of business risk that business unit personnel can understand and appreciate. That being said, it does not mean being “soft” on our objectives. We are not paid to install the “speed bumps” in enterprise hallways, but that articulation does mean translating information-security objectives into “business- speak.” Only the combination of articulate translation and polite but firm emphasis on our information-security objectives will gain us the credibility that we need to accomplish our enterprise information-security goals. And that effort has to begin, and continue, at the top of the enterprise—with its executives.

Part of the reason security managers have had to take such hard positions in the past is that information-security practices have had a strong tendency to be in organizational silos: executive protection, IT, physical security, local business practices, policy man- agement, HR investigations, fraud, and so on. Each of these practice areas is a specialty, to be sure, and will continue to require specialization. Independence can no longer be effective. Privacy, information security, data management, mobility, supply chain man- agement, workforce management, human resources, facility management—the pro- tection elements of these business domains, and so much more, must be coordinated to avoid weak links in the protection strategy that could prove disappointing if not devastating to a business, or to individuals.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 10 THE ROLE OF THE CISO

With the need for an interdisciplinary approach at an executive level, with a broad reach across an enterprise, one might argue that the centralization of primary informa- tion security functions under a CISO would be one way to ensure that all information- security practice would be consistent and easily measured; on the contrary, the temp- tation to ensure the fidelity of an organizational mission through assembling affected functions under a single manager should be resisted. In a successful information- security strategy, it is far too easy for all enterprise management to think of security as security’s business or as the CISO’s job. In fact, the function of security should be emphasized as a business function, with accountability distributed in the business across all business unit executives, led by an executive-level security team. This has five advantages.

1. There will never be a security organization large enough to do the entire job of securing information assets in the new world. Security truly has to be everyone’s job, in ways that are measured and tracked. Putting security accountability into the business units will leverage resources effectively.

2. Accountability is a good way to get someone’s attention. Management is attentive to scorecards that are read at the top, with expectations for improvements that have been assigned to a responsible individual or group.

3. The interdisciplinary approach needed for the rapidly emerging challenges and competing priorities can best be addressed by an interdisciplinary team, including functions such as supply chain management, that have no reason to be merged into a security organization.

4. Being closely tied to the business allows for upstream integration into business processes, allowing security to be built in [versus an afterthought] when new business initiatives, strategies, and ventures are being designed.

5. The funding for proper protection of information assets is no longer a security problem or an IT problem, but it is a business problem, with the proper business visibility of what is and is not getting done, and what is the residual risk from funding decisions.

A simple policy-driven governance structure has been effective in many large- scale organizations to establish the necessary linkages with the business, to ensure consistency in strategy and approach, to gain executive buy-in on strategy through collective priority setting, and to gain visibility of progress and of unresolved issues on an ongoing basis. A basic governance structure can be tailored to fit corporate culture such as the number of representatives, and the layers of working groups. What is essential is the creation of a governance body to ensure corporate due diligence and to avoid conflicts of interest, such as are described further in Section 65.5.5.

A policy-driven approach to security and disaster recovery governance includes these components:

� Senior Leadership Team (C-level executives) � Authority for policy � Governance body � Program oversight

� Policy � Establishes accountability

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

STRATEGY, GOVERNANCE, AND THE STANDARD OF CARE 65 · 11

� Establishes programs and program authority � Establishes governance processes � Publishes under authority of the senior leadership team

� Principles � Five to six high-level statements at a descriptive level � Separate from policy � Establishes guidance for business unit standards

� Business Unit Team � Provides staff support � Facilitates governance process � Provides technical leadership for security across business units � Consists of representatives from each business unit plus audit � CISO is chair � Coordinates policy principles for senior leadership team approvals � Establish standards at the prescriptive level � Implements standards � Monitors effectiveness of implementation (provides metrics and reports to se- nior leadership team)

� Coordinates key initiatives for security and recovery improvement across busi- ness units

In this structure, the CISO can function as an agent of change for driving broad, funded, prioritized initiatives with true business impact.

Joel Scambray, coauthor of Hacking Exposed and senior security strategist at Mi- crosoft, sees the need for CISOs as change agents:

Information security is now such a very broad topic, the role of the senior security professional has to move away from implementation of the security technology to the role of change agent. Network issues are diminishing: so much can go through port 80 inbound and then by proxy to the application, the themes in the attack community are shifting and will always continue to do so as technology evolves. Attackers will strike a business through the path of least resistance and that is going to be throughout the business, not just in the network and applications. It is essential to have business group accountability to address risks in all areas, for each executive to think about risk and ensure they are taking informed steps to bring it to within acceptable levels.

The CISO has to move up in the corporate structure—it’s a revenue-protecting job and has to be supported at the highest levels of the company to get the company to focus on the right risks.15

65.3.3 Roles and Responsibilities. In general terms, there are a set of roles and responsibilities that support accountability that have been shown effective in prac- tice. Some would require substantial change in the organizational responsibilities within a company or agency. That ISO is the change agent to make things better; once the foundation for security governance is in place, this should be a discussion topic. Outside professional opinions can be solicited. Refer to the practices documented at Institute of Internal Auditors (IIA), Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). Evaluate them in the context of your com- pany; you may not be able to implement all 10 of these principles for accountability

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 12 THE ROLE OF THE CISO

and reporting, but even some of them would demonstrate progress. The 10 principles for effective information-security control follow. For each item involving security, the CISO is the leader, or receives and acts on reports, or merely a participant and observer.

1. The CISO does not own IT assets but manages them on behalf of the business. Governance processes are in place for effective business management of IT.

2. An independent third party regularly reviews the implementation of each of these principles to verify control design and control effectiveness.

3. The expenditures on IT security are justified in terms of business value according to parameters established between the CISO and the business units.

4. IT security is actively monitored by an IT governance board consisting of IT, business management, and the CFO, and adjusted according to business needs.

5. Security, information assurance, and cybersecurity rules are tied to business rules in ways that are traceable, understandable, and agreed to by the business.

6. All IT security change is authorized by specifically designated IT management change boards.

7. Application development processes verify that applications perform only as in- tended, throughout the life cycle of the application, under the supervision of IT governance boards.

8. All IT security operations and processes are standardized, documented, and reviewed regularly for consistency by IT management and independent third parties.

a. New processes are developed to accommodate business change. b. Existing processes are reviewed regularly for update, to accommodate business

change. Consider having legal counsel review the documentation to determine if the records present unexpected legal risks or if they can provide legal advantage in any dispute over the standard of care.

9. All information systems assets (data, infrastructure, applications, processes, and services) have clear business owners with accountability to ensure:

a. Assets are used only as intended. b. Assets are accessed only by those who are authorized according to defined

business rules. (Access is defined as ability + opportunity.) c. Assets are available for use according to defined business rules.

10. Business and IT employees, contractors, vendors, and third parties have necessary documentation and training on a regular basis to carry out these principles in an effective, verifiable manner for the businesses in which they are engaged, and they have proof of training on a timely basis.

Generally, the business does not want to own IT. They see IT as a utility, the domain of IT staff, and too much work to understand. This is the major hurdle to be overcome in the change agent role of CISO. Remember, IT is the business. That is to say, IT today governs the systems that process the information that is the lifeblood of the business. Without the information, the business will stop. The logic applied to the information on behalf of the business should be owned by the business. It is worth the effort; once the business realizes its own accountability for the confidentiality, availability, integrity, ownership, and possession of business information, as well as

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

SUMMARY OF ACTIONS 65 · 13

for information-security practices and improvements, it will enjoy a whole new level of interest in, and responsibility for, the enterprise.

65.3.4 Reporting. With the governance structure established, the ability exists to assign accountability to the right places in the organization. The senior leadership team should identify how management will be held accountable. This is not a choice of if but of how. Without clear accountability, governance and policy will mean nothing because they will not be implemented or enforced effectively. The primary tools for enabling executive accountability are reporting, monitoring, and metrics.

65.3.5 Monitoring. Monitoring in the context of the standard of care is the set of processes, human resources, and automated and manual tools needed to ascertain how well the controls established by the standard of care are functioning. Key to monitoring success is to monitor meaningfully—monitor to determine that the set of controls established is, or is not, working as intended. This is a function that can easily be coordinated and shared with internal audit, and care must be taken to ensure that the monitoring is appropriate for the applicable standard of care rules. Monitoring should be done with an objective degree of proof—hearsay is not adequate monitoring. Monitoring will usually need to be automated to handle the scale and frequency required in most information systems environments.

65.3.6 Metrics. Metrics have been a difficult challenge for all CISOs. The generic advice is this: Choose metrics for reporting that are essential to (a) give the business a set of key performance indicators and (b) make a difference in a needed control area. We often measure something in security just because we can. This is a mistake. Measuring the number of viruses or number of penetration attempts is not meaningful because they are high-volume certainties. The measurement system has to ensure that good results could not be achieved from failing to look; a decline in security incidents from outside attacks may be truly declining, based on 100 percent visibility of the problem, or the problem may have shifted to a space that is not monitored. In most cases it is probably, the latter, given the changing vectors in the network attack space.

65.3.7 Executive Visibility. For executive visibility, experience indicates that a CISO executive scorecard, published with the support of the CEO, CFO, COO, or other executive sponsor, will drive behavior according to the metrics that are chosen and reported. Reporting should be at least quarterly—more frequent would be de- sirable, but may be difficult to achieve. Quarterly frequency allows for continuity of program management in making security improvements that require executive support for implementation.

65.4 SUMMARY OF ACTIONS. In summary, the strategy for information secu- rity has to balance vulnerability management with a standard of care that is appropriate to all stakeholders. These stakeholders include business owners, trading partners, con- sumers, regulators, auditors, shareholders, and information owners whose membership in the interconnected community puts them at risk if any member has a breach. This requires coordination among diverse specialists and organizations. Security as a state of being is not feasible; due diligence to a standard of care is the approach CISOs should adopt.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 14 THE ROLE OF THE CISO

The CISO has to develop a standard of care that answers to many demands. The Federal Information Security Management Act of 2002, EU Data Protection Act, Gramm-Leach-Bliley, HIPAA, Sarbanes-Oxley Act of 2002, Senate Bill 1386, BS 7799 certification, FIPS 199 and 200, as well as various NIST publications, and a host of local codes and statutes around the world greatly complicate the compliance func- tion. It is best to adopt a standard-of-care approach that provides, based on international standards, a single comprehensive response to all queries. Expectations of records man- agement, compliance with e-discovery, business continuance, disaster preparedness, IP and trade secret protections, sanctions for unfair information practices or advertising, and a burgeoning library of case law in matters related to security and privacy have become the drivers to which information-security professionals must respond. Clearly, information security has become a risk management role worthy of a C-level executive, working in a structured governance role to involve the business. Today, the transition from security director or even from today’s CISO is not complete to the C-level role that the CISO name implies. The points made thus far indicate a real need to pursue this as a professional group and to adopt some generally accepted principles and standards so that businesses and agencies can enjoy the level of information protection that is required in this new world.

65.5 RECOMMENDATIONS FOR SUCCESS FOR CISOs. For all the inter- views that I did at RSA in 2006, only one quote made it into the press. Under the title “Microsoft CISO Has a Sense of Humor,” the reporter indicated that I had answered all their detailed questions with serious thoughtfulness. But when they asked me what would be the best advice to someone who aspires to be a CISO, they quoted, “Have a stiff drink until the feeling goes away.” I actually said, “Have a lie-down somewhere,” but no matter—the quip hit the papers.

It was seen as funny, but there is also a real need to consider the demands made on an individual who aspires to a C-level role in security, where there is so much at stake. Many technical security managers are chosen to fill the role but are ill equipped to transform into executive management. Even worse, a CISO who does understand the executive role and moves to perform it in an organization where CISO roles are not understood can easily fail. To quote Machiavelli:

Let it be noted that there is no more delicate matter to take in hand, nor more dangerous to conduct, nor more doubtful in its success, than to set up as a leader in the introduction of changes. For he who innovates will have for his enemies all those who are well off under the existing order, and only lukewarm supporters in those who might be better off under the new.16

In this section, several pointers based on input from various CISOs are offered to help you assess whether an organization is ready for a CISO and whether you are ready. The areas include:

� Education and experience � The culture of security in the business � The alliance with corporate and outside counsel � The partnership with internal audit � The tension with IT and dealing with the potential conflict of interest � Organizational structure � Responsibilities and opportunities outside of CISO internal responsibilities

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RECOMMENDATIONS FOR SUCCESS FOR CISOs 65 · 15

65.5.1 Education and Experience. First and foremost, do you have appro- priate background to be able to lead with wise counsel and appropriate judgment? Do you feel you are better at tactical detail, or do you prefer the big picture? In a panel during a plenary session at RSA 2005, LJ (Lisa) Johnson, CISO of Nike, related that her MBA degree was very helpful in her role as CISO, and this sentiment echoes across others in similar positions; however, successful leaders in this space do not all have advanced degrees—life experience is a significant contributor. Reading the wealth of books on various aspects of business management, information systems, and information security is also a good way to expand one’s background. Conferences are beginning to focus on the role of CISOs as the role is described in this chapter, but, for the most part, conferences are best at keeping up with technical or auditing trends.

One way to evaluate the background that is necessary, whether it be by experience, reading, or the classroom, is to evaluate the various stakeholders with whom a CISO must effectively communicate to one degree or another. Internal audit, legal counsel, business executives, and IT staff are the core stakeholders. Within the business units, finance, supply chain, and HR are areas with which the CISO will have frequent discussions. Do you know your company’s value chain? Do you understand the major business processes? Have you read the company’s disclosure statements, and annual report? Do you understand the major cost concerns and the revenue streams? What are the key risks, outside of security, that occupy the executive team’s time? If you know the answers to these questions, you are in the minority of security professionals. If you do not create your own action plan to network with key individuals, then read, take a course, and create a career plan that will give you experience in these areas. Do not be afraid to admit that you are learning and interested in getting more information from the experts in a particular area.

Whether your education is a BS in computer science, an MBA, or high school, you can get a great education on the job in preparation to taking a leadership role in information security. Evaluate what it will take for success, and then make your plan to get that information on the job or in school.

Each company is unique, so each CISO job will have unique elements built on the ba- sic CISO job description. A word of warning: As a new CISO, take the time to absorb the culture before launching major changes or initiatives. Remember Machiavelli—people need to know you care before they care what you know.

65.5.2 Culture of Security in the Business. The culture of security can be very difficult to ascertain. In a centralized security model that lends itself to top-down management, one at least knows where to look. In a company where security may be part of the company’s core business, and many think of themselves as CISOs, the role is much more challenging. The culture can be defined as the set of attitudes toward accepting direction, allowing time and resources to be used in order to put proper controls in place. The next points will help you take a pulse check on culture and could be used for some due diligence prior to accepting a CISO role:

� Risk appetite. What is the materiality threshold (minimum significant loss) for risk management? It is important to understand this so that you can properly ascertain the importance of the issues you will encounter and thereby know whether they require an FYI or escalation as an urgent matter.

� Cultural norms and attitudes. Is the workforce dynamic, high rate of job turnover, low threshold of tolerance for change, autonomous? You would work

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 16 THE ROLE OF THE CISO

with this kind of workforce and the culture it engenders much differently than a company with a by the rule-book, policy-driven bureaucracy. There is no right answer, but you need to know how people receive security direction. Most people favor a carrot over a stick; it is a question of what kind of carrot.

� Relevant regulations and statutes. You will need an inventory and at least a basic understanding of the way regulations and statutes affect information security. If the company is multinational, this requires an understanding of local jurisdictions, local statutes, and local regulations as well. Find the people who can share with you what they know about this area.

� Influence and awareness of the court of public opinion. The court of public opinion is essentially a form of reputation risk and the impact that it can have on the organization. A decision about security, such as fixing a security bug in an online application, may not be governed by specific laws, but it could definitely create the perception of poor security practices in a way that influences other security issues that the company may have in the public eye. This area may be a major influence for highly visible companies, or less of a concern for others.

� Influence of risk to reputation. With consumer confidence at an all-time low for Internet security, this is an element of the company’s risk profile that it is essential to define explicitly as much as possible. Would the company go so far as to achieve full transparency of its security controls and privacy statements as an approach to building trust as a competitive advantage? Or is it willing to take more reputation risk by obscuring the privacy statement because the security controls are not quite what they should be? As you discover security issues, knowing the company’s posture relative to transparency and associated reputation risk will be useful to determine what to escalate.

� Who else manages various aspects of risk? Make it a point to build and maintain an active network of peers in these areas: � Financial � Legal � Corporate strategy and planning � Marketing � Other areas of security (consulting, product, customer support)

� How is your role seen in relationship to those managers? Who else should you be talking to? Keep asking the questions.

65.5.3 Alliance with Corporate and Outside Counsel. There are a few roles that merit special mention. Corporate counsel and outside counsel are becoming increasingly interdependent with the information security team. Historically, company policy, investigations, contracts, and incidents have all (or should be) coordinated with counsel. New developments in records management, e-discovery, third-party manage- ment, privacy, and case law relating to information-security breaches and losses have created a new role for counsel in defining protection of consumer and employee data and company IP. Counsel will be necessary to navigate the rule of law as it pertains to information, information systems, and associated business practices. This is an organization with which the CISO needs to be close.

65.5.4 Partnership with Internal Audit. While it is not uncommon to find IT personnel who assume that what audit does not know cannot hurt them, this attitude

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

RECOMMENDATIONS FOR SUCCESS FOR CISOs 65 · 17

is a grave mistake. Internal audit is another special relationship for the CISO. A close IT–audit partnership is essential for these key reasons, and it should be the responsibility of the CISO to ensure that this partnership is in place and working smoothly:

� The rules for standard of care require demonstration that the controls are working effectively as designed. There is no better organization to provide clarity on what that entails than internal audit.

� Internal audit can collaborate with information security on the standard of care monitoring and reporting, thus effectively extending information protection re- sources.

� The CISO is accountable to ensure that control processes and policies that pertain are in place and working well. Internal audit should have full access to information- security processes to ensure compliance and to provide independent assurance against potential conflict of interest.

� By cultivating a close partnership (yet maintaining the arm’s-length relationship), the CISO and an organization can exchange information, set priorities for the audit and security improvement programs, and provide support for each other on core issues to escalate.

65.5.5 Tension with IT. Many CISOs report to IT, and therein lies a potential for conflict of interest, or the appearance of conflict of interest. This is an area of increasing concern. The issue resides with the CISO needing to identify the security concerns and strategies for the company, including scope that extends beyond IT control, but doing so may be perceived as reflecting poorly on the IT management chain. Also, having a CISO report to the CIO creates an impression that the CISO is the IT security manager. Further, IT budgets are often calculated on the basis of run rates, assuming that it is an operational utility. Funding all the security effort out of an IT budget is a mismatch in two ways: Security is not a run-rate type of function, and taking what amounts to 10 percent or more of the IT budget for security is generally a significant hardship on other parts of IT that are critical to the business.

To address the conflict of interest concern, one could move the CISO role out of IT and have it reporting at the CFO, COO, or CEO level. The CISO in this regard would be a peer of the CIO. This has an advantage of removing the conflict of interest and the impression of IT security manager, but it also introduces the possibility of the CISO losing touch with the IT organization. Another alternative, if the CISO reports to the CIO, is to establish the governance structure and provide dotted-line relationships to the senior leadership on the governance board. Internal audit can monitor the relationships and processes to ensure that conflicts of interest are not developing. Politics being what they generally are, the latter choice seems the most difficult to implement well.

65.5.6 Organizational Structure. Organizational structure for the CISO will, of course, be heavily influenced by the company. We have already discussed some independent factors that argue against the CISO reporting to the CIO. Companies are moving away from the traditional model of having the senior information-security manager, or in some cases CISO, report directly to the CIO, opting instead to have the CISO report to the CEO, COO, or, in some cases, the CFO. In addition, a cross- functional, dotted-line relationship to key stakeholders may be required for adequate reporting and oversight.17

Aside from the question of to whom should the CISO report, what should the CISO manage? How should that be structured? The CISO’s role as an executive should be

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 18 THE ROLE OF THE CISO

focused on governance, policy management, and compliance monitoring and reporting. The CISO should establish parameters for IT security operations, information-security investigations, forensics and incident handing, identity and access management, busi- ness continuance, records management, and e-discovery but need not necessarily handle the day-to-day oversight of those functions. The CISO could also be responsible for physical security and executive protection or have oversight of those roles with other security managers.18 The role has grown to become more than any single person can track if all these functions report directly to the CISO. It is incumbent on the CISO to set the strategy and the structure for all these related security functions and to monitor their progress against predefined performance objectives.

65.5.7 Responsibilities and Opportunities outside of CISO Internal Responsibilities. In this chapter, we have described CISOs as change agents and strategists, adopting a standard of care and strategies that both implement that standard of care and demonstrate due diligence to it. Such individuals have much to contribute to the profession, to the community at large, to the technical community, and even to the definitions being established by governing bodies at the local, state, federal, and international levels.

It would be unreasonable to try to prescribe what CISOs should do outside their direct internal responsibilities. Suffice it to say that CISOs should subscribe to a professional ethic to share what they have experienced, to codify security practice, and to bring about a better understanding of the problem space, so that defined problems can be solved with best practices that ultimately become standard protocols. Make it a practice to participate in professional organizations, to write, and to speak to community, professional, and trade organizations. Get the word out. Work to eliminate confusion. Define the role. There is much at stake for those who choose to wear this mantle—in the words of Theodore Roosevelt, “It behooves every man to remember that the work of the critic is of altogether secondary importance, and that in the end, progress is accomplished by the man who does things.”

65.6 CONCLUDING REMARKS. CISOs are strategic, executive agents of change for the protection of information that is the lifeblood of critical infrastructures and private enterprise. The realm of disciplines that CISOs must manage is expanding as the scope of security has broadened—an interdisciplinary approach that involves all aspects of the business to provide digital, physical, and personnel security is required with input from vital stakeholders.19

This role is different from that of technical security management in the near past, and involves tools that are different. The complexity and sheer insecurity of the inter- connected ecosystem requires that we adopt a standard of care and that we be able to demonstrate due diligence to that standard of care—this is the mission of CISOs.

CISOs, to be successful, depend on strong governance, roles, and responsibilities; management accountability; and strong reporting practices (including monitoring, met- rics, and executive visibility) to be successful. CISOs would necessarily provide over- sight, direct or indirect, of functional roles such as technical security management functions.

CISOs are a rare breed and need to make their contributions to their respective organizations as well as to the larger set of professional, community, and industry groups that need guidance, clarity, and judgment in their movement forward to a trusted, interconnected ecosystem.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 65 · 19

The challenge is huge—that is why CISOs like it. It is ever-changing, touches every part of business and technology, and is ultimately a people job. It is a very difficult job and, under the right circumstances, is a very rewarding one. It is a high position of trust and responsibility, and it finally has come into its own.

65.7 FURTHER READING Brotby, W. K. Information Security Governance: A Practical Development and Imple-

mentation Approach. Wiley, 2009. Brotby, W. K., and G. Hinson. PRAGMATIC Security Metrics: Applying Metametrics

to Information Security. Auerbach Publications, 2013. Fitzgerald, T. Information Security Governance Simplified: From the Boardroom to the

Keyboard. CRC Press, 2011. Fitzgerald, T., and M. Kraus. CISO Leadership: Essential Principles for Success.

Auerbach Publications, 2007. Harkins, M. ManagingRiskandInformationSecurity:Protect toEnable. Apress, 2012. Kouns, J., and B. L. Kouns. The Chief Information Security Officer. IT Governance

Publishing, 2011. Oberlaender, M. S. C(I)SO—And Now What?: How to Successfully Build Security by

Design. CreateSpace Independent Publishing Platform, 2013.

65.8 NOTES 1. Thomas L. Friedman, The World Is Flat: A Brief History of the Twenty-First Century (Farrar, Straus, and Giroux, 2005).

2. Eugene Spafford, “Information Security: Insanity Rules,” AusCERT2006, AusCERT, Royal Pines Resort, Gold Coast, Australia, May 24, 2006.

3. Larry Greenemeier, “VA Had Many Security Warnings before Its 26.5 Million- Person Breach,” Information Week, www.informationweek.com/va-had-many- security-warnings-before-its/188500807

4. T. Cooper, “NZ ‘definitely not for sale’: Ocker∗ tries to flog God’s Own on eBay” The Register, May 12, 2006, www.theregister.co.uk/2006/05/12/nz auctioned on ebay

5. Bank for International Settlements, “Basel II: Revised International Capital Frame- work” (2006), www.bis.org/publ/bcbsca.htm

6. Scott Berinato, with Lorraine Cosgrove Ware, “Six Secrets of Highly Secure Orga- nizations,” CIO Magazine, September 15, 2005, www.coresecurity.com/content/ six-secrets-of-highly-secure-organizations

7. P. Condit, Keynote Speech, International Information Integrity Institute Forum 25, The Boeing Company, Seattle, WA (January 1995).

8. United States, Office of the National Counter-Intelligence Executive, Annual Re- port toCongressonForeignEconomicCollectionandIndustrialEspionage—2004 (Washington, DC: ONCIX, 2005). www.fas.org/irp/ops/ci/docs/2004.pdf

9. Donn Parker, “Making the Case for Replacing Risk-Based Security,” ISSA Journal (May 2001): 6–10.

10. P. Schwartz, The Art of the Long View: Planning for the Future in an Uncertain World (Doubleday, 1991).

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

65 · 20 THE ROLE OF THE CISO

11. P. W. Parfomak, “Guarding America: Security Guards and U.S. Critical Infrastruc- ture Protection,” Congressional Research Service Report for Congress, November 12, 2004, Order Code RL32670; http://ftp.fas.org/sgp/crs/RL32670.pdf

12. Ian Davis and Elizabeth Stephenson, “Ten Trends to Watch in 2006,” McK- insey Quarterly, http://blog.jackvinson.com/archives/2006/01/19/the mckinsey quarterly ten trends to watch in 2006.html

13. The concept of materiality threshold is widely used in accounting. For example, see the “Accounting Terminology Guide” from the New York State Society of CPAs, www.nysscpa.org/prof library/guide.htm

14. Booz Allen Hamilton, “Convergence of Enterprise Security Organiza- tions,” ASIS (Alliance for Enterprise Security Risk Management) Interna- tional, November 8, 2005, http://iris.nyit.edu/∼kkhoo/Fall2008/755/Convergence EnterpriseSecurityOrg 08Nov05.pdf

15. Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th ed. (Emeryville, CA: McGraw-Hill Osborne, 2005).

16. Niccolo Machiavelli, The Prince (1513), Chapter VI, Para 5, www.gutenberg.org/ files/1232/1232-h/1232-h.htm

17. Scott Berinato, with Lorraine Cosgrove Ware, “Six Secrets of Highly Secure Organizations.”

18. See, for example, Fran Howarth, “The Convergence of Physical and IT Security,” IT-Director.com, September 11, 2006, www.it-director.com/business/regulation/ content.php?cid=8743

19. Thomas L. Friedman, The World Is Flat.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66CHAPTER

DEVELOPING SECURITY POLICIES

M. E. Kabay and Sean Kelley

66.1 INTRODUCTION 66 · 2

66.2 COLLABORATING IN BUILDING SECURITY POLICIES 66 · 2

66.3 PHASE 1: PRELIMINARY EVALUATION 66 · 3 66.3.1 Introduction to the

Study 66·4 66.3.2 State of Current

Policy 66·5 66.3.3 Data Classification 66·5 66.3.4 Sensitive Systems 66·5 66.3.5 Critical Systems 66·6 66.3.6 Authenticity 66·6 66.3.7 Exposure 66·6 66.3.8 Human Resources,

Management, and Employee Security Awareness 66·6

66.3.9 Physical Security 66·7 66.3.10 Software

Development Security 66·7

66.3.11 Computer Operations Security 66·8

66.3.12 Data Access Controls 66·9

66.3.13 Network and Communications Security 66·9

66.3.14 Antimalware Measures 66·10

66.3.15 Backups, Archives, and Data Destruction 66·10

66.3.16 Incident Response 66·11 66.3.17 Business

Resumption Planning and Disaster Recovery 66·11

66.4 PHASE 2: MANAGEMENT SENSITIZATION 66 · 11

66.5 PHASE 3: NEEDS ANALYSIS 66 · 12

66.6 PHASE 4: POLICIES AND PROCEDURES 66 · 12

66.7 PHASE 5: IMPLEMENTATION 66 · 13 66.7.1 Upper

Management 66·13 66.7.2 Technical Support 66·14 66.7.3 Lower-Level Staff 66·14 66.7.4 Other Technical

Staff 66·14

66.8 PHASE 6: MAINTENANCE 66 · 14

66.9 CONCLUDING REMARKS 66 · 14

66.10 FURTHER READING 66 · 15

66.11 NOTES 66 · 15

66 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 2 DEVELOPING SECURITY POLICIES

66.1 INTRODUCTION. This chapter reviews methods for developing security policies in specific organizations. Some of the other chapters of this Handbook that bear on policy content, development, and implementation are listed next:

� Chapter 23 provides an extensive overview of physical security policies. � Chapter 25 discusses local area network security issues and policies. � Chapter 39 reviews software development policies and quality assurance policies. � Chapter 44 presents resources and standards for creating effective security poli- cies.

� Chapter 49 looks at methods for enhancing security awareness. � Chapter 45 provides guidance on employment policies from a security standpoint. � Chapter 47 makes explicit recommendations about operations management poli- cies.

� Chapter 48 reviews specific recommendations for email and Internet usage. � Chapter 50 presents concepts and techniques from social psychology to make security policy implementation more effective.

� Chapter 52 discusses the policies that apply to application design. � Chapter 72 looks at censorship and content filtering on the Internet.

66.2 COLLABORATING IN BUILDING SECURITY POLICIES. Policies are the foundation of effective information security, but the task of policy creation is complicated by human and organizational resistance. Technology alone does not work. In changing human behavior, rationality and substance are not enough: The process of development affects how people feel about policies and whether they see these rules as needless imposition of power or as an expression of their own values.

Security is always described as being everyone’s business; however, in practice, security interferes with everyone’s business. For example, network managers work hard to make networks user friendly. They do everything they can to make life easier for users; they provide network access routines with a graphical user interface, client/server systems with hot links between local spreadsheets and corporate databases, and a gateway to the Internet for their users. Superficially, one might think that implementing network security would simply involve defining access controls, applying encryption, and providing people with handheld password generators. Unfortunately, as discussed in Chapter 50, security policies offend deep-seated self-conceptions. People form close- knit work groups in which they trust each other; they do not lock their desks when they leave them for a few minutes, so why should they obey the network security policy that dictates locking their sessions? They even lend people car keys in an emergency; why should it be such a terrible breach of security to lend access codes and passwords to trusted colleagues in an emergency?

Security policies challenge users to change the way they think about their own responsibility for protecting corporate information. Attempting to impose security policies on unwilling people results in resistance, both because more stringent security procedures make people’s jobs harder and because people do not like being told what to do—especially by security officials perceived as being outside the chain of command.

The only approach that works in the long run is to present security to everyone in the organization in a way that causes recognition that each one, personally and pro- fessionally, has a stake in information protection. Security managers, to be successful,

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 1: PRELIMINARY EVALUATION 66 · 3

must involve employees from throughout the enterprise in developing security poli- cies. Users must justifiably feel that they own their security procedures; employees with true involvement in the policy development process become partners, rather than opponents, of effective security.

66.3 PHASE 1: PRELIMINARY EVALUATION. Studies of the extent to which information-security policies are in place consistently show that relatively few of the respondents have adequate policies in place. For example, the 2007 Global Security Survey run by CIO Magazine and PricewaterhouseCoopers was based on interviews and questionnaires involving 7,200 executives, security professionals, and technology managers “across all industries and more than 100 countries” about their organization’s security and privacy policies and practices. According to the summary on page 2 of the report:

1. Only 6 out of 10 respondents worldwide (57 percent) say their organization has an information-security strategy in place. Only another 13 percent, however, consider putting one in place a “top priority.”

2. Almost half of all respondents worldwide (48 percent) say their organization does not actively engage both business and information technology decision makers in addressing information security.

3. More than 7 out of 10 security managers, administrators, and technicians world- wide believe that their organization’s security policies and spending can be improved.1

In what follows, it is assumed that a specific officer or manager (or group of officers or managers) in the enterprise has taken on the task of developing security policies. The group will be called the policy development group.

Before attempting to formulate policies, the policy development group needs formal authorization to use corporate resources in such a project. It should not be too difficult to obtain a short memorandum from top management to everyone in the organization that lays out the reasons for asking for their time and energy in gathering information about the current state of security. Such authorization and continuing top-level support are essential tools in convincing people to cooperate with the policy development group.

In the absence of existing or adequate security policies, a preliminary inventory is the first step in providing upper management with the baseline information that will justify developing a corporate information-security policy. The preliminary evaluation should be quick and inexpensive—perhaps days of work by a few people. There is no point in wasting time in expensive detail work before getting approval, support, and budget from upper management.

The goal of the preliminary evaluation is to ask the people who work with informa- tion resources what they believe are their most important-security needs. Even though they may not be conscious of security as a distinct need, in practice, employees and managers do have valuable insights that transcend theory and generalizations. Data entry clerks may tell the security staff about security violations that no one else has observed or even thought about; for example, they may observe that a bug in a particu- lar program makes the previous operator’s data entry screen available for unauthorized entries when the shift changes and a new operator sits at the same terminal.

The policy development group should work closely with human resources (HR) personnel in developing the research instruments for interviewing staff. HR members

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 4 DEVELOPING SECURITY POLICIES

are likely to know the key managers to contact in each department. The managers have to be convinced to support the effort so researchers can interview willing staff. Some of the HR people are likely to have the professional skills and experience required to provide accurate and cost-effective evaluations of beliefs, attitudes, and behavior affecting security. They may be able to help construct unbiased questionnaires, organize focus groups, and guide interviews.

However, if the security staff and the HR staff are not confident about being able to handle this preliminary data collection, the policy development group should see if it can obtain authorization to hire a consultant with proven expertise in collecting and analyzing social attitudes. The policy development group might want to discuss such a study with a firm specializing in security audits and organizational analysis. If no one knows where to start looking for such resources, the policy development group can contact information security associations, security magazines, security Websites, and local universities and colleges to ask for suggestions.

These key issues should be part of the preliminary study:

� Introduction to the study � State of current policy � Data classification � Sensitive systems � Critical systems � Authenticity � Exposure � Human resources, management, and employee security awareness � Physical security � Software development security � Computer operations security � Data access controls � Network and communications security � Antimalware measures � Backups, archives, and data destruction � Business resumption planning and disaster recovery

The next sections suggest some typical questions that would be helpful in gathering baseline data about the current state of security. All these questions (and more site- specific topics) should be asked of all the respondents in the preliminary evaluation. Applicable questions are not necessarily repeated in each section; instead, questions in the earlier parts of this list may be adapted for use in later sections. These suggestions are not intended to limit creativity but rather to stimulate development of more questions that would be particularly useful for a specific enterprise.

66.3.1 Introduction to the Study. Employees may perceive many of the ques- tions as threatening. The preamble or introduction to the study, whether it is by survey or by interviews, should make it clear that this is not an audit and that its purpose is to

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 1: PRELIMINARY EVALUATION 66 · 5

establish the framework for an appropriate set of security policies—policies suited to the needs of the organization and its stakeholders. The information should be anonymized so that no person will be targeted for reprisal if the study discovers problems. Every effort should be made to reassure employees that the study is designed to learn about the facts of security with a view to improvement, rather than a search for culprits who will be punished.

66.3.2 State of Current Policy. The questions that follow not only gather baseline information about security policies but also determine whether employees have any idea about who is responsible for formulation of those policies.

� Does the enterprise have any security policies at all? � Who developed them: an individual? a group? � Where and how are the security policies available (paper, electronic)? � When were the policies last updated? Last disseminated? � Who, if anyone, has explicit responsibility for maintaining security policies? � Who implements security policy at the enterprise level? � To whom does the chief information security officer report within the enterprise? � Who monitors compliance with security policies, standards, and compliance?

66.3.3 Data Classification. Questions to ask include:

� Are there levels of security classification that apply to your work? If so, what are they called?

� Are there rules for determining whether information you handle should be classi- fied at a particular level of confidentiality?

� Are documents or files labeled to show their security classification? � What is your opinion about the value of such classification? � Do people in your group pay attention to security classifications? � Do you have any suggestions for improvement of how data are classified?2

66.3.4 Sensitive Systems. The questions in this section focus on information that ought to be controlled against unauthorized disclosure and dissemination.

� In your work, are there any kinds of information, documents, or systems that you feel should be protected against unauthorized disclosure? If so, name them.

� How do you personally protect sensitive information that you handle? � How do others in your department deal with sensitive information? No names, please.

� To your knowledge, have there been any problems with release of sensitive infor- mation in your department?

� Do you have any suggestions for improving the handling of sensitive data in your area?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 6 DEVELOPING SECURITY POLICIES

66.3.5 Critical Systems. The questions in this section focus on information that requires special attention to availability and correctness.

� In your work, are there any kinds of information, documents, or systems that you feel are so critical that they must be protected against unauthorized modification or destruction? If so, name them.

� Are there any special precautions you use, or know of, to safeguard critical data in your area?

66.3.6 Authenticity. Questions to ask include:

� Do you know of any cases in which anyone has used someone else’s identity in sending out messages such as letters, faxes, or email? If so, were there any consequences?

� Does everyone in your group use digital signatures on electronic documents? � Does anyone in your group make or use unauthorized copies of proprietary soft- ware? If so, do you think there is any problem with that?

66.3.7 Exposure. Questions to ask include:

� What are the worst consequences you can realistically imagine that might re- sult from publication in the newspapers of the most sensitive information you control?

� What might happen, in your opinion, if key competitors obtained specific confi- dential information that you use or control in your area?

� Can you estimate monetary costs associated with the scenarios you have just described?

� What would be the worst consequences you can foresee if critical information you work with were to be altered without authorization, or through accidental modification?

� What might happen if you could not access critical information quickly enough for your work?

� Can you estimate the costs of such breaches of data integrity and data availability? � Could there be trouble if someone forged documents in your name, or in the enter- prise’s name? Can you sketch out some scenarios and associated costs resulting from such breaches of authenticity?

66.3.8 Human Resources, Management, and Employee Security Awareness

� As far as you know, who is responsible for developing security policies? � Do you know where to find the security policies that apply to your work? � When, if ever, did you last sign any documents dealing with your agreement to security policies?

� Who is responsible for monitoring compliance with security policy in your work- group? In the enterprise as a whole?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 1: PRELIMINARY EVALUATION 66 · 7

� Have you ever received any training in security policies? If so, when was the last time?

� Have you ever seen any written materials circulating in your workgroup that discuss information security?

� Do you think of protecting corporate information as one of your official responsibilities?3

66.3.9 Physical Security

� Does anyone check your identity when you enter the building where you work? Always?

� Are there any electronic access-control systems limiting access to your work area? What are they?

� Do people hold a secured door open to let each other into your work area? Do you let people in after you open a secured door?

� Have you ever seen a secured door into your area that has been blocked open (e.g., for deliveries)?

� Do people leave your work area unlocked when everyone leaves? � Do staff members wear identity badges at work? Are they supposed to? Do you wear your badge at work?

� Do visitors wear badges? � Have you ever seen strangers in your area who are not wearing visitor badges? � What would you do if you saw a stranger in your area who was not wearing a visitor’s badge?

� Do you lock any parts of your desk when you leave your workspace? � What would you do if you heard the fire alarm ring? � Where is the nearest fire extinguisher? � Who is the fire marshal for your floor? � What would you do if someone needed emergency medical attention? � Is there an emergency medical station in your area or on your floor? � Do you know who is qualified in cardiopulmonary resuscitation (CPR) in your group or on your floor? Do such people wear identifying pins?

� Have you had recent training in what to do in the event of an emergency? Have you been trained in how to evacuate the building?

� Is there anything that comes to mind that you would like to see to improve physical security and safety in your work area?4

66.3.10 Software Development Security. These questions would be asked only of the software development team:

� Are there any security policies that apply to your work? What are they? � Have you ever discussed security policies in your group? � Is security viewed positively, neutrally, or negatively in your group? And by yourself?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 8 DEVELOPING SECURITY POLICIES

� Do you and your colleagues discuss security during the requirements analysis and specification phases when developing software?

� How do you see quality assurance as part of the development process? � Do you use automated software testing tools? � Do you use automated version control software? If not, how do you exercise control?

� How do you document your systems? � Do you think that your source code is adequately protected against unauthorized disclosure and modification?

� What is your opinion about Easter eggs (unauthorized code for an amusing picture or game)?

� Could anyone plant an Easter egg or a logic bomb (unauthorized, harmful func- tions) in code being developed in your group?

� Have you ever seen an Easter egg or a logic bomb in code from your group? Did it get through to production?

� Can you think of ways you would like to see better security in your work?5

66.3.11 Computer Operations Security. These questions would be asked only of the computer operations team:

� How long do you wait after initial release before installing new operating system versions on your production machines?

� How do you put new software into production? � Can development personnel access production software? Production data? � How do you handle problem reports? Do you have an automated trouble-ticket system?

� Can people from outside the operations group enter the operations center? � Are contractors, including repair technicians, allowed to circulate in operations without being accompanied?

� Does the cleaning staff ever circulate within the secured areas of operations without operations staff present?

� Are system components labeled? � Is there an emergency cutoff switch for main power to the entire data center? Does it include air conditioning?

� Are there uninterruptible power supplies for critical components of your systems?

� Do you keep records of system downtime? What is your downtime over the last three months? The last year?

� What accounts for most of the downtime? Have remedies been implemented? � Who monitors system resource utilization? Are there automated reports showing trends in disk space usage? CPU utilization? Network bandwidth usage?

� What improvements in security would you like to see in operations?6

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 1: PRELIMINARY EVALUATION 66 · 9

66.3.12 Data Access Controls

� Do you have to identify yourself to the computers and networks you work with? � Do you have a user name (ID) that no one else shares? � Are you required to use a password, passphrase, or personal identification number (PIN) as part of your routine when starting to use your computer?

� Have you ever shared your unique user ID and password or PIN with someone else? Or have you borrowed someone else’s user ID and password to get some work done? If so, how often does this happen?

� Do you use a token, such as a physical key or a smart card, to prove who you are to the computer system? If so, have you ever lent or borrowed such tokens? What for? How often?

� In your work, are there any limitations on the data you are allowed to see, modify, add to, or delete?

� Are there data you can see but not change? � Do you use encryption on any of the data you work with? � Do you or members of your group use laptop computers? If so, do you encrypt sensitive data on the disks of those portable systems?

� Do you or anyone in your group take work home? If so, do you put corporate data on your own, personal (noncompany) computers? Does anyone else have access to those computers? Are there any controls on accessing corporate data on the home computers?7

66.3.13 Network and Communications Security. Most of the next ques- tions would be appropriate only for network managers, administrators, and technicians. However, some of the questions are suitable for everyone.

� As a user, do you know what the rules are about using your employer’s email system and Internet access?

� Do you know anyone who regularly violates system usage restrictions? No names, please.

� Have you ever seen pornography on corporate systems? Child pornography? Racist and other objectionable materials? If so, did you know what to do? And what did you do?

� Has anyone ever discussed rules for secure email with you? Do you know how to encrypt sensitive messages? Do you ever encrypt messages?

� As a network manager, do you have up-to-date network diagrams, or can you produce them on demand?

� Do you know which services are running on your Internet-connected systems? Are all of the running services needed?

� How do you determine which patches are appropriate for installation on your systems? How often do you check? Who is responsible for managing patches? How long does it take between notification of a vulnerability and installation of an appropriate patch?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 10 DEVELOPING SECURITY POLICIES

� Does your security architecture include firewalls? If so, what determines the security policies you instantiate in the filtering rules?

� Do you have egress filtering enabled on your firewalls? � Do you have intrusion detection systems? If so, who responds to apprehended intrusions? How are the responsible people notified of an intrusion?

� What are the procedures for responding to an intrusion? � If your organization uses passwords, how do you handle requests for new pass- words?

� Do you have centralized remote-access controls? � Do remote users use virtual private networks (VPNs) to access corporate systems from outside the firewalls?

� Are your users supposed to use encryption for sensitive email that traverses the Internet? Do they? How do you know?

� Do your users apply digital signatures to all communications? � Are your Web servers protected against intrusion and vandalism? � Have you kept sensitive information off your Web servers? � Do you encrypt all sensitive information stored on your Web servers? � How long would it take you to recover a valid version of the Website if it were destroyed or vandalized?

� Do your telephone voicemail boxes have unique, nonstandard passwords? How do you know?

� How do you find out if an employee is being fired or has resigned? How long does it take between termination of employment of such an employee and deactivation of all system and network access?

66.3.14 Antimalware Measures

� Do you and all of your users have antimalware products installed on every work- station?

� How often are antimalware products updated? How are they updated? � How long does it take for all vulnerable systems to be brought up to date? � Do you or your users open unexpected, unsolicited email attachments?8

66.3.15 Backups, Archives, and Data Destruction

� How often do you do backups of your electronic data? � Where do you store backup media? Are current copies retained off site as well as on? How do you know which media to use to restore a specific file?

� How long do you keep different types of backups? Why? � How do you prevent unauthorized access to backup media? � If you keep data backups for several years, how do you ensure that the old media will be readable and that the data developed for old applications will be usable?

� How do you dispose of magnetic and optical storage media after their useful life is over? Are the discarded media readable?

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 2: MANAGEMENT SENSITIZATION 66 · 11

� Do you make backup copies of paper documents? Where are these copies kept? How would you locate a specific document you needed?

� How long do you keep various types of papers? Why? � When you dispose of paper documents, does their content influence how they are destroyed? How do you dispose of sensitive paper documents?9

66.3.16 Incident Response

� Do you know what to do if you see a security problem such as strangers without badges in secured areas, threats of violence arriving by email, damaged company Web pages, bad data in files you use, missing files or data, or forged messages?

� Is there a specific team dedicated to responding to computer security breaches? � Are you part of a computer security incident response team (CSIRT)? If so:

� Is this a long-term assignment? � Do you have documentation and training on how to respond to specific types of incidents?

� How are out-of-hours incidents handled? � Does your CSIRT hold practice drills? � Are there incident postmortems? � Do you have relations with local law enforcement officials? If so, which levels (municipal, state, federal)?

� Have you ever experienced pressures from management to suppress incident reports of criminal activity to law enforcement?10

66.3.17 Business Resumption Planning and Disaster Recovery

� Do you have business resumption planning (BRP) or disaster recovery plans (DRP)? If so, where are they kept?

� Who is responsible for keeping BRP and DRP up to date? � Have you ever participated in a BRP or DRP testing? If so, how long ago was the last one? When is the next scheduled test?

� During BRP and DRP tests, does anyone use video cameras or tape recorders to keep track of critical steps in the recovery?

� After a test, have you participated in analyzing the results of the tests to improve the plans?11

66.4 PHASE 2: MANAGEMENT SENSITIZATION. Support from upper management is essential for further progress. The goal in this phase is to get approval for an organization-wide audit and for a policy formulation project. In conjunction with the rest of the information-security project team, the responsible managers should plan on a meeting that lasts no more than one or two hours. The meeting should start with a short statement from a senior executive about the crucial role of information in the organization’s business.

Professional aids, such as management-oriented training videos, are helpful to sen- sitize managers to the consequences of poor information security. For an up-to-date list of such videos, enter the keywords “information-security training video” into a

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 12 DEVELOPING SECURITY POLICIES

search engine such as Google. After the video film, the team can present its findings from the preliminary evaluation. The immediate goal is to constitute an information protection working group to set priorities, determine an action plan, define a timetable and milestones, and formulate policies and procedures to protect corporate information resources. The presenters should name the people you want to see in your working group; all of these people should be contacted before the meeting to be sure that they have agreed in advance to participate in the working group.

The presenters should provide estimates of the time involved and the costs of in- house, and consulting, services, and software. To end the briefing, it is useful to offer upper managers a range of background reading about security. Some managers may be intrigued by this field; the more they learn, the more they will support security efforts. One of the best resources for such sensitization is “Managing Risk from Information Systems: An Organizational Approach.”12 This 67-page summary provides “guidelines for managing risk to organizational operations and assets, individuals, other organizations, and the nation resulting from the operation and use of information systems.” The authors state: “The guidelines provided in this special publication have been broadly developed from a technical perspective to be generally useful across a wide range of organizations employing information systems to implement mission and business processes.” They also provide extensive cross-indexing to other public documents issued by the National Institute of Standards and Technology (NIST), all of which are freely available online.13

66.5 PHASE 3: NEEDS ANALYSIS. The information protection working group should include representatives from every sector of the enterprise. As the group inves- tigates security requirements, the participants’ wide experience and perspective will be crucial in deciding which areas to protect most strongly. More important, their in- volvement is a concrete expression of corporate commitment to a fundamental attitude change in the corporate culture: Security is to be an integral part of the corporate mission.

For example, in a manufacturing firm, the team would include managers and staff from the factory floor, the unions, engineering, equipment maintenance, shipping and receiving, facilities management (including those responsible for physical security), administrative support, sales, marketing, accounting, personnel, the legal department, and information systems. Each of these members of the working group will help improve enterprise security.

If the organization is very large, the group may have to set up subcommittees to deal with specific sectors. Each subcommittee evaluates to what degree the systems and networks are vulnerable to breaches of security. For example, one group could focus on local and campus communications, another on wide area enterprise networks, and a third on electronic data interchange with clients and suppliers.

A typical audit covers the facilities, personnel policies, existing security, application systems, and legal responsibility to stakeholders (owners, shareholders, employees, clients, and the surrounding community). Based on the findings, the subcommittees formulate proposals for improving security. This is where the specialized knowledge obtained from information security specialists and information-security courses will prove especially useful.14

66.6 PHASE 4: POLICIES AND PROCEDURES. Once the information pro- tection working group has built a solid floor of understanding of enterprise information security needs, the members are ready to construct the policies and procedures that

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

PHASE 5: IMPLEMENTATION 66 · 13

meet those needs. The process should start from existing templates and normally takes weeks to months to complete a workable draft.15

Genuine participation by all the representatives from every sector of the enterprise is a critical element of success; without a thoroughgoing sense of ownership of the policies, working group members will fail to internalize the new policies. All the members of the working group must become enthusiasts for their collective efforts; in some sense, these people become missionaries engaged in the long-term conversion efforts of phase 5, the implementation of the policies.

66.7 PHASE 5: IMPLEMENTATION. Once the working group members have defined the new or improved security policies, they are about halfway to their goal. The hardest part is ahead: explaining the need for security and the value of the new policies to fellow employees and convincing them to change. Even if they agree intellectually, there is a good chance that their ingrained social habits will override the new rules for at least months and possibly years. The challenge is to overcome these habits.

Chapter 50 shows in detail how to use the insights of social psychology to change corporate culture by working on beliefs, attitudes, and behavior. In addition to the suggestions in that chapter, the information protection working group should organize and deliver awareness and training sessions for all levels of the enterprise:

� Upper management � Technical support � Lower-level staff � Other technical staff

The next sections offer some simple agendas for such preliminary sessions.

66.7.1 Upper Management. Security policies and procedures require man- agement support and sanctions. The transformation of corporate culture should begin at the top. Although it is difficult to coordinate the presence of top executives, the work- ing group should try to organize a half-day executive briefing session on enterprise security. In practice, the group may be able to convince upper management to attend for one or two hours. The focus should be intensely practical, and should show execu- tives how to protect themselves and the enterprise against common dangers. Suggested topics:

� A review of the business case for improving security. Industrial espionage, nat- ural and manmade disasters, vandalism

� Network security. Protection against eavesdropping and tampering � Access controls. Tokens, biometrics, passwords � Encryption. Email, laptops, provision for emergency data recovery � Backup policies for PCs, networks, and mainframes � Security agreements. Summaries of the policies and procedures to be read and signed annually

� Need for total support to convince other staff to comply with security policies

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 14 DEVELOPING SECURITY POLICIES

66.7.2 Technical Support. The next target is the technical support group, the people who help explain security policies to users. In a one-day training session, the presentations can cover:

� Everything covered in the executive briefing � Operating system security provisions � Security software features � Changes in operations to comply with new procedures

66.7.3 Lower-Level Staff. Lower-level staff need a half-day session that an- swers these questions in terms that apply directly to their own work:

� Why should I care about information security? � What are my obligations as an employee? � How do I protect the PC I am responsible for against viruses? � How do I back up my data? � How do I manage my passwords? � What must I do if I see someone violating our security policies?

The class ends with participants signing the security agreement.

66.7.4 Other Technical Staff. More intensive training and education are needed for technical staff, such as members of the software development, operations, and network administration groups. More in-depth, specific material will have to be incorporated into their training; however, such training can be spread over a longer time than that for the groups already discussed, because of the rhythm of work and the crucial importance of technical competence for implementation of the policies. Most enterprises rely on outside trainers, specialized off-site or online courses, and certification programs to raise their staff to the appropriate levels of competence.

66.8 PHASE 6: MAINTENANCE. Once the enterprise has begun to integrate a concern for security into every aspect of its work, the issue must be kept fresh and interesting. As described in Chapter 49, successful security awareness programs include amusing posters, interesting videos, occasional seminars on stimulating security topics such as recent frauds or computer crimes, and regular newsletters with up-to-date information. Finally, every employee should regularly reread and sign the annual security agreement. This practice ensures that no one can argue that the organization’s commitment to security is a superficial charade.

66.9 CONCLUDING REMARKS. For a secure installation, three things are es- sential:

1. Sound policies that have been developed with the cooperation of everyone con- cerned and that are updated periodically

2. Widespread dissemination of those policies, with ongoing observation of their implementation and with frequent training and continual reinforcement

3. Commitment to security on the part of everyone, from top management on down

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 66 · 15

When these essential elements are in place, the entire organization will function at a more productive level, one at which the possibilities of disruption and damage will have been reduced to a minimum. Nothing less is acceptable.

66.10 FURTHER READING Barman, S. Writing Information Security Policies. New Riders Publishing, 2001. Brotby, K. Information Security Governance: A Practical Development and Imple-

mentation Approach. Wiley, 2009. Calder, A., and S. Watkins. IT Governance: An International Guide to Data Security

and ISO27001/ISO27002, 5th ed. Kogan Page, 2012. Fugini, M. G., and C. Bellettini. Information Security Policies and Actions in Modern

Integrated Systems. IGI Global, 2004. Greene, S. Security Policies and Procedures: Principles and Practices, 2nd ed. Pearson

IT Certification, 2013. Howard, P. D. FISMA Principles and Best Practices: Beyond Compliance. Auerbach

Publications, 2011. Jacobs, S. Engineering Information Security: The Application of Systems Engineering

Concepts to Achieve Information Assurance. Wiley-IEEE Press, 2011. Johnson, R., and M. Merkow. Security Policies and Implementation Issues. Jones &

Bartlett Learning, 2010. Peltier, T. R. InformationSecurityPoliciesandProcedures:APractitioner’sReference,

2nd ed. Auerbach Publications, 2004. Smith, R. The Definitive Guide to Writing Effective Information Security Policies and

Procedures. CreateSpace Independent Publishing Platform, 2010. Williams, B. L. Information Security Policy Development for Compliance: ISO/IEC

27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0. Auer- bach Publications, 2013.

Wood, C. C. Information Security Policies Made Easy, 12th ed. Information Shield, 2012.

Wood, C. C. Information Security Roles & Responsibilities Made Easy, 2nd ed. Infor- mation Shield, 2005.

66.11 NOTES 1. S. Berinato, “The Fifth Annual Global State of Information Security.” CIO, August 27, 2007. www.cio.com/article/133600/The Fifth Annual Global State of Information Security

2. See Chapter 67 in this Handbook. 3. For additional ideas in framing questions about security awareness, see Chapter

49. For ideas on appropriate questions dealing with employment practices and policies, see Chapter 45.

4. For more detail about physical security and additional ideas on appropriate ques- tions, see Chapters 22 and 23.

5. For much more information suitable for devising questions about development security, see Chapters 38 and 39.

6. For more information suitable for devising questions about operations security, see Chapter 47.

7. For additional ideas on looking at identification and authentication, see Chapters 28 and 29.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

66 · 16 DEVELOPING SECURITY POLICIES

8. See Chapter 41 for more ideas on checking for appropriate levels of antimalware precautions.

9. For additional suggestions to help in framing questions about data backups, see Chapter 57.

10. See Chapter 56. 11. For more ideas on questions that are appropriate in quickly evaluating the state of

business resumption planning and disaster recovery, see Chapters 58 and 59. 12. R. Ross, S. Katzke, A. Johnson, M. Swanson, and G. Stoneburner, “Managing Risk

from Information Systems: An Organizational Perspective,” National Institute of Standards and Technology NIST SP 800-39, Second Public Draft (April 2008), http://csrc.nist.gov/publications/drafts/800-39/SP800-39-spd-sz.pdf

13. The Further Reading sections of chapters in this Handbook (as well as sections of the chaptersthemselves) provide a wealthof material for management sensitization.

14. Chapters 54, 63, and 62 have information that will help the information protection working group develop an evaluation plan.

15. Chapter 44 contains many practical suggestions and resources for the content and style of security policies.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67CHAPTER

DEVELOPING CLASSIFICATION POLICIES FOR DATA

Karthik Raman, Kevin Beets, and M. E. Kabay

67.1 INTRODUCTION 67 · 1

67.2 WHY PERFORM DATA CLASSIFICATION? 67 · 2

67.3 DATA CLASSIFICATION’S ROLE IN INFORMATION SECURITY 67 · 2

67.4 LEGAL REQUIREMENTS, COMPLIANCE STANDARDS, AND DATA CLASSIFICATION 67 · 3 67.4.1 Privacy Act of 1974 67·3 67.4.2 Family Educational

Rights and Privacy Act (FERPA) 67·3

67.4.3 Health Insurance Portability and Accountability Act (HIPAA) 67·4

67.4.4 Gramm-Leach-Bliley Act 67·4

67.4.5 Sarbanes-Oxley Act 67·5 67.4.6 The Federal Rules of

Civil Procedure 67·5 67.4.7 Compliance

Standards 67·6

67.5 DESIGNING AND IMPLEMENTING DC 67 · 6

67.6 DATA CLASSIFICATION SOLUTIONS 67 · 6 67.6.1 General

Observations 67·7 67.6.2 Varonis: Five Steps to

Faster Data Classification 67·7

67.6.3 Microsoft’s Data Classification Toolkit 67·8

67.7 EXAMPLES OF DATA CLASSIFICATION SCHEMAS 67 · 8 67.7.1 Universities 67·9 67.7.2 U.S. Federal

Government 67·9 67.7.3 State Governments 67·12

67.8 CONCLUDING REMARKS 67 · 15

67.9 FURTHER READING 67 · 16

67.10 NOTES 67 · 17

67.1 INTRODUCTION. A figure appears from the bushes on a dark and stormy night. Silently, this figure slips past two crisscrossing guards marching in lock-step. Once past the guards and inside the building, a flashlight flickers to life and begins a slow dance around a cluttered office. The beam freezes. It illuminates an envelope that is stamped with large red letters:

TOP SECRET

67 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 2 DEVELOPING CLASSIFICATION POLICIES FOR DATA

The Top Secret label is likely the most recognized part of an oft-used schema for specifying the confidentiality requirements of data. This labeling is known as data classification. Data classification (DC) characterizes data so that its custodians can decide how to organize, view, edit, value, share, use, and protect data in compliance with security requirements.

Historically, data classification has been used by the government and military. Today however, DC has increasingly become a necessity for businesses as well.1 The use of computers has only served to escalate this necessity. With data becoming available more readily and going to and from many widespread sources, it is imperative to be able to understand the aspects of these data so that they can be stored and controlled easily and securely.

This chapter highlights why DC is necessary, how it relates to information security, its design and implementation in an enterprise, hardware and software solutions that can assist in performing it, and some points to consider when implementing it.

67.2 WHY PERFORM DATA CLASSIFICATION? Information life cycle man- agement (ILM) is a combination of processes and technology that allow for the control of data throughout its life cycle.2 This procedure ensures that information technology (IT) professionals can manage data from the point of its inception until the time the data has outlived its usefulness. DC is an important part of ILM.

For a real-world example, consider an audit on a business as part of a HIPAA- compliance check. If a data administrator has not spent the time to classify data, not only will the audit take longer than it should, but the company may be fined for lacking controls on this data simply because they do not understand what their data consists of. An example of such a sticky violation would be the posting of patient records by a clinic on a public-facing Website. If data custodians have not classified data types, how can they be expected to know what to protect and how to disseminate it securely and reliably?

Although legal requirements and compliance fines are a major reason that DC is performed, they are by no means the only motivators for a business to carry out DC. A business stands to gain increased productivity and cost savings using DC. Allowing data to flow freely yet securely is critical to business objectives and success.

One proposed solution to the problem of growing data volumes (and the energy required to run the systems that store the data) has been to reduce the amount of data being accessed on these hosts by purging the unnecessary and using only the requisite data. ILM including DC are essential to determine if a particular set of data has outlived its usefulness.

In summary, DC can bring an organization the following benefits:

� Compliance with data standards and legal requirements � Streamlined and secure sharing of data � More efficient data storage and retrieval � Tracking of data through ILM

67.3 DATA CLASSIFICATION’S ROLE IN INFORMATION SECURITY. In- formation security, including data classification, must consider the value of data. In addition to the operational value of data for the organization depending on it, data may be valuable to competitors or rapacious nation states with a policy of systematic industrial espionage. Disgruntled and dishonest employees may be able to sell it to a

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

LEGAL REQUIREMENTS, COMPLIANCE STANDARDS, AND DATA 67 · 3

competitor. Data regarding an organization’s clients and other data subjects, including personally identifiable information (PII) (e.g., credit card data) must be safeguarded against loss or theft; failure may result in legal action against that company. Data loss prevention (DLP) strategies and compliance hinge on accurate DC policies and DC implementation.

Guidelines such as those from the Federal Financial Institutions Examination Coun- cil (FFIEC) highlight the need to secure data as an integral part of DC:

Classifying data allows the institution to ensure consistent protection of information and other critical data throughout the system. Classifying systems allows the institution to focus its controls and efforts in an efficient and structured manner. Systems that store or transmit data of different sensitivities should be classified as if all data were at the highest sensitivity. Classification should be based on a weighted composite of all relevant attributes.3

DC is an essential means to assist the data custodian to determine the type and value of specific data categories. DC thus helps determine how data will be protected during transport and in storage.

67.4 LEGAL REQUIREMENTS, COMPLIANCE STANDARDS, AND DATA CLASSIFICATION. Legal requirements and compliance standards may make the marriage of DC and security a mandatory step for some businesses. A brief overview of such standards and compliance codes follows.

The amount of data that passes through an average-sized enterprise’s computers and networks daily can run into terabytes. Regulations and compliance standards may make it necessary that the enterprise’s IT staff be able to manage all of this data. Whatever the regulation or standard, an enterprise will need to be able search through all its data, no matter where it lies in the enterprise’s computers, networks, or storage, to discover, preserve, and produce the data to meet a legal request or compliance requirement.

The use of DC to meet legal requests and for compliance has been hastened by the advent of the paperless office. Just 20 years ago, an enterprise could reasonably manage its data for compliance if its (physical) filing system were well organized. In today’s digital office, however, an enterprise’s data can be scattered over any number of hosts, in several geographic locations, across Storage Area Networks ensconced in offsite data centers, or any combination of each of these. Without a concerted enterprise-wide automation and DC implementation, meeting regulatory requirements will be nearly impossible.

Compliance to a number of laws and standards is facilitated by DC. Some of the key laws and standards requiring data classification are enumerated below.

67.4.1 Privacy Act of 1974. The Privacy Act of 1974 aims to regulate the disclosure of records by government agencies. The Computer Matching and Privacy Protection Act of 1988 was grafted into the Privacy Act of 1974 and introduced provi- sions for “agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse informa- tion before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.”4

67.4.2 Family Educational Rights and Privacy Act (FERPA). Educa- tional institutions that receive U.S. Government funding have to contend with the requirements of FERPA, which regulates the handling of educational data. There are

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 4 DEVELOPING CLASSIFICATION POLICIES FOR DATA

many sections of FERPA on information disclosure that are relevant to DC. Here are some examples5:

� 99.12 What limitations exist on the right to inspect and review records? � 99.33 What limitations apply to the re-disclosure of information? � 99.34 What conditions apply to disclosure of information to other educational agencies or institutions?

� 99.35 What conditions apply to disclosure of information for Federal or State program purposes?

� 99.36 What conditions apply to disclosure of information in health and safety emergencies?

� 99.37 What conditions apply to disclosing directory information?

67.4.3 Health Insurance Portability and Accountability Act (HIPAA). One of the most important regulations that medical organizations must consider is the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Title II of HIPAA, “Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform,” mandates a set of standards for the management of health information. The contents of Part C of Title II, “Administrative Simplification” address security6:

� Sec. 1171. Definitions. � Sec. 1172. General requirements for adoption of standards. � Sec. 1173. Standards for information transactions and data elements. � Sec. 1174. Timetables for adoption of standards. � Sec. 1175. Requirements. � Sec. 1176. General penalty for failure to comply with requirements and standards. � Sec. 1177. Wrongful disclosure of individually identifiable health information. � Sec. 1178. Effect on State law. � Sec. 1179. Processing payment transactions.

67.4.4 Gramm-Leach-Bliley Act. The Gramm-Leach-Bliley Act (GLBA) of 1999 introduced reform for the financial sector. Title V of GLBA imposes privacy requirements on the handling of information by financial organizations: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” The contents of “Title V—Privacy” are as follows7:

� Subtitle A—Disclosure of Nonpublic Personal Information � Sec. 501. Protection of nonpublic personal information. � Sec. 502. Obligations with respect to disclosures of personal information. � Sec. 503. Disclosure of institution privacy policy.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

LEGAL REQUIREMENTS, COMPLIANCE STANDARDS, AND DATA 67 · 5

� Sec. 504. Rulemaking. � Sec. 505. Enforcement. � Sec. 506. Protection of Fair Credit Reporting Act. � Sec. 507. Relation to State laws. � Sec. 508. Study of information sharing among financial affiliates. � Sec. 509. Definitions. � Sec. 510. Effective date.

� Subtitle B—Fraudulent Access to Financial Information � Sec. 521. Privacy protection for customer information of financial institutions. � Sec. 522. Administrative enforcement. � Sec. 523. Criminal penalty. � Sec. 524. Relation to State laws. � Sec. 525. Agency guidance. � Sec. 567. Reports. � Sec. 527. Definitions.

67.4.5 Sarbanes-Oxley Act. The Sarbanes-Oxley (SOX) Act was introduced in 2002 in the wake of a slew of accounting scandals involving a few large U.S. corporations. The scope of SOX is broad and many of its sections may have relevance for DC. For example, section 404, “Management assessment of internal controls,” makes it the responsibility of management for “establishing and maintaining an adequate internal control structures and procedures for financial reporting.”8

67.4.6 The Federal Rules of Civil Procedure. The Federal Rules of Civil Procedure (FRCP) are a set of rules for the trial of noncriminal cases in federal courts in the United States. The most recent editions of the FRCP include sections that address electronically stored information (ESI).9

Rule 26, “General Provisions Governing Discovery; Duty of Disclosure,” states that a party should be able to provide10:

… a copy of, or a description by category and location of, all documents, electronically stored information, and tangible things that are in the possession, custody, or control of the party and that the disclosing party may use to support its claims or defenses, unless solely for impeachment; …

Rule 34, “Production of Documents, Electronically Stored Information, and Things and Entry Upon Land for Inspection and Other Purposes,” states:

… Any party may serve on any other party a request (1) to produce and permit the party making the request, or someone acting on the requestor’s behalf, to inspect, copy, test, or sample any designated documents or electronically stored information …

Further, Rule 34 states, “… a party who produces documents for inspection shall produce them as they are kept in the usual course of business or shall organize and label them to correspond with the categories in the request …”

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 6 DEVELOPING CLASSIFICATION POLICIES FOR DATA

67.4.7 Compliance Standards. Many of the standards discussed in various chapters in this Handbook explicitly support DC. Examples include:

� ISO/IEC 27000 family of standards � Control Objectives for Information and related Technology (COBIT) � Federal Financial Institutions Examination Council (FFIEC) regulations for fi- nances

� Department of Defense (DoD) issuances for defense contracting � Media, Telecom: Federal Communications Commission (FCC) regulations � Food and Drug Administration (FDA) regulations for the life sciences

67.5 DESIGNING AND IMPLEMENTING DC. In this section we outline how a business can design and implement DC. Both tasks must be carried out by IT or INFOSEC staff with the support and collaboration of management. These tasks should be iterative.

The process to design DC can be modeled as follows:

� Obtain management approval. � Study the organization’s business continuity plan (BCP) and note the organiza- tion’s current IT assets and storage-management processes.

� Present the benefits of DC to the heads of business units (BUs). � Survey users in various BUs about how they store, retrieve, and edit data and how they would like to see their data organized and labeled.

� List the revenue-generating and mission-critical usage of each BU’s data. Under- stand how each unit uses and manipulates data specific to their needs, and how those data may be shared across other units.

Once the above steps are undertaken, the DC team can devise a data-labeling scheme that takes into account all BUs and their interactions.

The process of implementation of DC can be modeled as follows:

� Obtain management approval � Map data-labeling scheme to available hardware, networks, systems, and storage � Apply automation or DC tools where relevant � Guide users through adoption of new DC scheme and solicit feedback

Finally, the DC team should report the results of DC design and implementation to management. A refined data classification report would include a service-level agreement (SLA) for data usage as well as a comprehensive model of costs.11 One of the major costs to announce would be for new hardware, networks, storage, or software needed to implement DC.

67.6 DATA CLASSIFICATION SOLUTIONS. Software solutions for DC have been driven mostly by the advances in data-storage optimization. Some

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

DATA CLASSIFICATION SOLUTIONS 67 · 7

examples of the storage advances that helped to spark these solutions include the following:

� Virtualization—the ability to logically organize multiple physical locations � De-duplication—technology to reduce duplicate data � Serial Advanced Technology Attachment (SATA)-based disk arrays—cost- effective storage media

67.6.1 General Observations. Knowing the type of data being managed is imperative when deciding how to secure it, store it, and manage its information life cycle. This process can be involved and extremely time consuming.

There are several vendors who provide software solutions to assist in this classifica- tion process. Most of these solutions run on rack-mounted appliance. In fact, an entire market has sprung up—information and classification management (ICM)—to provide tools and consultation for DC.

Some of the features that a data custodian may want to consider when making a software solution decision include:

� Policy-based data-type discovery—DC based on the policies outlined by the data custodian. These policies can later be used to automatically enforce a business’s storage policies

� File metadata classification—DC using a file’s metadata and file content � Multiple file system management—seamless classification across multiple file system types

� Compliance and legal considerations—DC that includes usage of legal metadata, retains file ownership chains, and uses pattern-matching for sensitive data such as Social Security numbers

� Report style—DC based on the utility of the reports on data that has been discov- ered, labeled, and classified

67.6.2 Varonis: Five Steps to Faster Data Classification. In a white paper, Varonis Systems, makers of the Varonis Data Governance suite, summarize their proposed five-step DC approach as follows:

1. Identify Data Owners: Use Varonis DatAdvantage to identify and assign data owners for important data without a known owner. In this example, we’ll say “Dave Smith” was determined to be the owner for the SharePoint site “Project X Resources.”

2. Define Data of Interest: Work with Dave Smith to define what he considers sensitive. In this example, Dave says data containing the phrase “Project Budget” or the word “Secret” is sensitive.

3. Use Meta-Data to Focus and Accelerate: Dave says the sensitive data on his site should not be accessible to the Marketing or Operations teams. Use Varonis IDU Data Classification Framework to find data on the Project X Resources SharePoint site that is accessible by the Marketing or Operations teams, and contains sensitive content.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 8 DEVELOPING CLASSIFICATION POLICIES FOR DATA

4. Report and Remediate: Dave receives reports about sensitive data that is acces- sible by the Marketing and Operations team and works with IT Staff to change data permissions.

5. Rescan Data: The Project X Resources site is rescanned weekly, and Dave gets reports showing whether any newly added or modified data violates his specified access policies.12

67.6.3 Microsoft’s Data Classification Toolkit. Microsoft makes available a free “Data Classification Toolkit,”13 which it introduces as follows:

The Data Classification Toolkit for Windows Server 2012 is designed to help organizations:

� Identify, classify, and protect data on file servers in private and public clouds. � Take advantage of new features and technologies in Windows Server 2012, as well as support hybrid environments with file servers running Windows Server 2012 and Windows Server 2008 R2 SP1.

� Easily configure default central access policy across multiple servers. � Build and deploy policies cost-effectively to protect critical information.

Use the Data Classification Toolkit to help your organization successfully plan and maintain data classification programs in these critical areas:

� Identifying applicable IT GRC authority documents. � Defining corresponding classification policies. � Preserving evidence that demonstrates the implementation of effective controls.

When used with the IT GRC Process Management Pack SP1 for System Center Service Manager, organizations can easily map classification requirements from various authority documents, such as PCI DSS and NIST 800-53. In addition, your organization can build and deploy its data classification policies, implement controls through Windows Server 2012 File Classification Infrastructure, and provide evidence of data classification policies to auditors… .

Streamline your compliance experience with new features in the Data Classification Toolkit that will help you identify, classify, and protect data in private and public clouds. The toolkit supports file servers running Windows Server 2012 and Windows Server 2008 R2 SP1. In addition to configuring File Classification Infrastructure (FCI), the latest version of the toolkit allows you to manage Central Access Policy across file servers. The toolkit enhances the user experience by providing scenario-based wizards that you can use to configure, export, import, and compare file classifications, as well as manage central access policy on your file servers. It provides tools to provision user and device claim values and central access policy across a forest to help simplify configuring Dynamic Access Control in Windows Server 2012. The toolkit also provides a new report template that you can use to review existing central access policy on file shares… .14

The Microsoft Data Classification Toolkit (the “software”) is intended to help organizations simplify their ability to search, identify, and apply rules to data they specify. The software provides sample search expressions and rules that can be used to assist with compliance activities conducted by your organization’s IT professionals, auditors, accountants, attorneys, and other compliance professionals. The software does not replace those professionals… .15

67.7 EXAMPLES OF DATA CLASSIFICATION SCHEMAS. Security policy and practice can vary widely in design and implementation across different organiza- tions. So too can DC design and implementations.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

EXAMPLES OF DATA CLASSIFICATION SCHEMAS 67 · 9

67.7.1 Universities. For example, here are some differences in the implemen- tation of DC in four U.S. universities:

� The George Washington University’s Data Classification Security Policy states, “Data isa critical asset of the University. All membersof the Universitycommunity have a responsibility to protect the confidentiality, integrity, and availability of data generated, accessed, modified, transmitted, stored, or used by the University, irrespective of the medium on which the data resides and regardless of format (such as in electronic, paper, or other physical form).” Three categories of data are defined, “Public,” “Official Use Only,” and “Confidential.” The policy gives examples of each category.16

� Stanford University’s Data Classification Guidelines Web page states the case for the classification of the University’s data clearly and concisely. It defines three categories of data, “Public,” “Sensitive,” and “Restricted,” and tabulates some legal requirements, reputation risks, other risks, access restrictions, and examples against these categories.17

� The University of Missouri’s DC policy outlines the case for DC and defines four categories of data, “Public,” “Confidential,” “Restricted,” and “National Security Interest.” It lists three network zones, each with its own security requirements. It tabulates various set up and usage requirements for each data category.18

� Angelo State University’s DC policy asks for three DC policies, provides examples of how data in each category can be lost, and sketches what the impact of losses could be.19

For each of the above examples, we can see that the DC policies and procedures could vary based solely on the labels chosen. Those entities that use fewer labels will most likely have fewer policies and procedures across a broader spectrum of data as opposed to those who choose to divide their data into more categories. For example, if a business chooses to label all data as “Classified,” a single policy would be in place that all users would need to follow, as opposed to a business that chose to label data with many different labels. In practice, the number of labels or categories would most likely be somewhere between three and six.

67.7.2 U.S. Federal Government. The Federal Information Processing Stan- dards Publication 199, “Standards for Security Categorization of Federal Information and Information Systems,” provides the baseline for all U.S. Federal-Government agencies in their DC programs.20 The standard is based on the outmoded C-I-A model (Confidentiality, Integrity, Availability)21 and weighs the potential impact as low, mod- erate, or high. These levels are defined as follows:

The potential impact is LOW if—

—The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 10 DEVELOPING CLASSIFICATION POLICIES FOR DATA

The potential impact is MODERATE if—

—The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life threatening injuries.

The potential impact is HIGH if—

—The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.

Federal departments have references to internal policies that explicitly address data classification. Here are a few examples:

� Agriculture: “Sensitive Security Information means unclassified information of a sensitive nature, that if publicly disclosed could be expected to have a harmful impact on the security of Federal operations or assets, the public health or safety of the citizens of the United States or its residents, or the nation’s long-term economic prosperity… .”22

� Defense (DoD): A sample policy template available from the Defense Information Systems Agency has the following “Data Rules” governing the treatment of sen- sitive data from “Large Service Applications (LSAs).” The guidelines explicitly state that the references to LSA may be modified to suit each agency.

� All LSA data/information is highly sensitive and should be dated and marked as such. External labeling shall include special handling instructions (e.g., log/inventory identifiers, controlled access, special storage instructions, release, or destruction dates).

� All LSA information transported through the mail or courier/messenger service shall be double-sealed, the second envelope shall be marked “CONFIDENTIAL Designated Official Only.”

� The receipt and delivery of sensitive data must be monitored and accounted for to ensure that data is not lost and potentially compromised while in transit.

� Sensitive data shall only be given to those employees with a need to know and who have authorized access in the performance of their official duties.

� Sensitive information must not be left unattended, even temporarily. Sensitive data must remain in the employee’s physical control at all times. Sensitive material should be kept in a secure safe or a locked cabinet and returned to the safe each evening or during any lunch periods or breaks greater than 30 minutes.

� Sensitive information shall be turned over or be put out of sight when visitors are present. � Physical, environmental protection controls shall be provided for sensitive data contained in a media storage vault or library.

� Sensitive information shall not be discussed outside LSA restricted areas. � Sensitive information being hand-carried must be kept with the individual and protected from unauthorized disclosure… .23

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

EXAMPLES OF DATA CLASSIFICATION SCHEMAS 67 · 11

� Energy (DoE): “Security Framework for Control System Data Classification and Protection … presents a data classification process that gives utility administrators, control engineers, and IT personnel a cohesive approach to deploying efficient and effective process control security.”24 The Executive Summary introduces the classification scheme as follows: “This document presents a data classification process that gives utility administrators, control engineers, and IT personnel a cohesive approach to deploying efficient and effective process control security. The fundamental goal is a clear delineation of control system data that will enable effective implementation of security techniques and technologies so the control system can function as required in the face of threats. Once created, the data classification security framework will help reduce the risk of energy disruptions due to control system failure by securing data critical to the operation of the control system.”25

� Health and Human Services (HHS): The Federal Register included a discussion in the “Health Insurance Reform: Security Standards” report in 2003 in which “One commenter stated that a data classification policy, that is a method of assigning sensitivity ratings to specific pieces of data, should be part of the final regulations.” The response from HHS was, “We did not adopt such a policy because this final rule requires a floor of protection of all electronic protected health information. A covered entity has the option to exceed this floor. The sensitivity of information, the risks to and vulnerabilities of electronic protected health information and the means that should be employed to protect it are business determinations and decisions to be made by each covered entity.”26

� Homeland Security (DHS): Some of the relevant language pertaining to data classification includes the following definitions and orders:

� Confidential: A level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

� Secret: Level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

� Top Secret: Level of classification applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

� Top Secret Document Register: A TOP SECRET Document Register will be maintained by the TSCO to record the receipt, disposition, and destruction of TOP SECRET information. DHS Form 11000-03, Document Control Register, Top Secret National Security Information, may be used for this purpose. Other forms or automated registers created by an organizational element may also be used, but, at a minimum, must contain the information included in DHS Form 11000-03. Electronic registers must be backed up after each transaction to ensure no loss of accountability.

� Secret and Confidential: Except as required by the originator or as specified for certain cat- egories of SECRET and CONFIDENTIAL information, there is no requirement to maintain accountability records or conduct inventories for SECRET and/or CONFIDENTIAL infor- mation. However, heads of organizational elements may mandate the use of accountability records within their respective elements at their discretion.27

� State: In the Department of State’s “IT Strategic Plan: Fiscal Years 2006–2010,” the authors discussed changes in the data-classification policies and access to different classification levels as follows:

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 12 DEVELOPING CLASSIFICATION POLICIES FOR DATA

The following list exemplifies the types of decisions that must be made now and in the future:

� Wireless laptops and networks, providing access from home and on travel � Integration of voice mail and e-mail � Cell phone access to e-mail � Re-examination of data classification policies and practices to ensure that information is as accessible as possible

� Classified Instant Messaging � PDA access to unclassified networks for e-mail and document browsing � Laptop access to classified and unclassified networks � PDA access to classified networks � Inclusion of Sensitive But Unclassified (SBU)/NOFORN on OpenNet � Inclusion of EXDIS on ClassNet � Protection of Personal Identifiable Information; particularly on laptops and other remote devices28

67.7.3 State Governments. The following shows extracts from a few state government documents on DC.

New York:

This document includes both the Information Classification and Control Policy and the In- formation Classification and Control Standard. The Policy is part of the broader Information Security Policy (P03-002) and is included in this document for ease of reference.

In order to facilitate the process of classifying information assets an Information Classification Manual, Information Asset Classification Worksheet, Information Control Charts and Glossary of Information Security Controls are provided in the Appendices. The Information Classifica- tion Manual, in conjunction with the Worksheet, provides a process for classifying information assets and contains the minimum mandatory questions that must be answered when classi- fying information. The Control Charts contain the mandatory baseline controls that must be implemented based on the information classification. The Glossary contains explanations for each control. A SE [State Entity] may add more questions and/or controls but may not alter or remove the original questions and controls.

Please note the Worksheet and the Control Charts and Glossary are available in an automated tool called the Information Asset Classification System (IACS). This application is available to all New York State governmental entities utilizing NYS Directory Services… .

The classification of information pursuant to this Policy and application of appropriate controls to that information do not alter the responsibility of the SE to comply with the records retention and disposition requirements of the Arts and Cultural Affairs Law or its responsibility to make records available for public inspection and copying under the provisions of the Freedom of Information Law. The process of classifying information pursuant to this Policy may, however, serve as a basis for a SE to evaluate the retention and disposition schedules currently in effect for its records and, where appropriate, consider revising those schedules as a means of managing the records that must be protected by the SE. Similarly, the classification process can facilitate the accurate and efficient application of the exemptions from disclosure enumerated in the Freedom of Information Law by providing a framework for the comprehensive assessment of the SE’s information assets.

A. All information assets must have an information owner established within the SE’s lines of business. The information owner will be responsible for assigning the information classification, determining access privileges of users or groups of users based on job duties, and overseeing daily decisions regarding information asset management. Periodic reviews will be performed by the information owner to confirm the classification of, or reclassify, the information asset.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

EXAMPLES OF DATA CLASSIFICATION SCHEMAS 67 · 13

B. Each classification will have an approved set or range of controls. If SE information is stored by a third-party, the information owner’s SE is responsible for communicating requirements of this Policy and Standard to the third-party and addressing them in third-party agreements as they relate to the SE’s data.

C. An information asset must be classified based on the highest level necessitated by its individual data elements.

D. All Personal, Private, or Sensitive Information (PPSI) shall be classified with a confiden- tiality of high.

E. Merging of information which creates a new information asset or situations that create the potential for merging (e.g., backup tape with multiple files) must be evaluated to determine if a new classification of the merged data is warranted.

F. If the SE is unable to determine the confidentiality classification of information stored on electronic storage media, the information must be assumed to have a high confidentiality classification and, therefore, is subject to high confidentiality controls.

G. All reproductions of information in its entirety must carry the same confidentiality clas- sification as the original. Partial reproductions need to be evaluated to determine if a new classification is warranted.

H. A written or electronic inventory of all SE information assets must be maintained.29

Ohio:

This state policy provides a high-level data classification methodology to state agencies for the purpose of understanding and managing data and information assets with regard to their level of confidentiality and criticality. Accurate identification provides a basis to employ an appropriate level of security… .

State agencies shall establish a data classification policy in compliance with this state policy. Each agency shall serve as a classification authority for the data and information that it collects or maintains in satisfaction of its mission… .

Data Classification Labels. The classification of data is a critical tool in defining and imple- menting the correct level of protection for state information assets. Such classifications are a prerequisite to establishing agency guidelines and system requirements for the secure generation, collection, access, storage, maintenance, transmission, archiving and disposal of state data. Data classification shall be part of the agency’s overall risk assess- ment process as outlined in Ohio IT Policy ITPB. 1, “Information Security Framework.”

Agencies shall label data for both confidentiality and criticality. Such classification labels are defined at a high level and represent broad categories of information. State and federal law may also require specific labels.

Confidentiality. The confidentiality label identifies how sensitive the data is with regard to unauthorized disclosure. Data shall be assigned one of three labels for confidentiality: � Public. The “public” label includes information that must be released under Ohio public records law or instances where an agency unconditionally waives an exception to the public records law.

� Limited Access. The “limited-access” label applies to information that an agency may release if it chooses to waive an exception to the public records law and places conditions or limitations on such a release.

� Restricted. The “restricted” label applies to information, the release of which is prohibited by state or federal law. This label also applies to records that an agency has discretion to release under public records law exceptions but has chosen to treat the information as highly confidential.

Criticality. The criticality label identifies the degree of need for data to maintain its integrity and availability. Data shall be assigned one of four labels for criticality: � Low. The loss of data integrity or availability would result in insignificant or no financial loss, legal liability, public distrust, or harm to public health and welfare.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 14 DEVELOPING CLASSIFICATION POLICIES FOR DATA

� Medium. The loss of data integrity or availability would result in limited financial loss, legal liability, public distrust, or harm to public health and welfare.

� High. The loss of data integrity or availability would result in significant financial loss, legal liability, public distrust, or harm to public health and welfare.

� Very High. The loss of data integrity or availability would result in catastrophic financial loss, legal liability, public distrust, or harm to public health and welfare.30

Texas:

Data Classification provides a framework for managing data assets based on value and associ- ated risks and for applying the appropriate levels of protection as required by state and federal law as well as proprietary, ethical, operational, and privacy considerations. All [AGENCY] data, whether electronic or printed, should be classified. The data owner, who is responsible for Data Classification, should consult with legal counsel on the classification of data as Confi- dential, Agency-Sensitive, or Public. Consistent use of data classification reinforces with users the expected level of protection of [AGENCY] data assets in accordance with [AGENCY] security policies.

The purpose of the [AGENCY] Data Classification Policy is to provide a foundation for the development and implementation of necessary security controls to protect information ac- cording to its value and/or risk. Security standards, which define these security controls and requirements, may include: document marking/labeling, release procedures, privacy, transmis- sion requirements, printing protection, computer display protections, storage requirements, destruction methods, physical security requirements, access controls, backup requirements, transport procedures, encryption requirements, and incident reporting procedures.

Data shall be classified as follows:

� Confidential. � Sensitive data that must be protected from unauthorized disclosure or public release based on state or federal law (e.g. the Texas Public Information Act) and other constitutional, statutory, judicial, and legal agreements.

� Examples of “Confidential” data may include but are not limited to: � Personally Identifiable Information, such as: a name in combination with Social Security Number (SSN) and/or financial account numbers

� Student Education Records � Intellectual Property, such as: Copyrights, Patents, and Trade Secrets � Medical Records

� Agency-Sensitive. � [optional AGENCY defined category that may be identified as: Agency “Security- Sensitive,” “Privileged,” or “Protected”].

� Sensitive data that may be subject to disclosure or release under the Texas Public Infor- mation Act, but requires additional levels of protection.

� Examples of “Agency-Sensitive” data may include but are not limited to: � [AGENCY] operational information � [AGENCY] personnel records � [AGENCY] information security procedures � [AGENCY] research � [AGENCY] internal communications � Public. Information intended or required for public release as described in the Texas Public Information Act31

West Virginia:

All State data requires classification, which is mandatory for more confidential and critical classes of data… .

� Level 1—Extremely Sensitive Data � Extremely sensitive data is the most sensitive data to integrity and confidentiality risks. Disclosure or corruption of this data could be hazardous to life or health… .

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CONCLUDING REMARKS 67 · 15

� Access is tightly restricted with the most stringent security controls at the system as well as the user level. Failure to maintain the integrity and confidentiality could have severe financial, health, or safety repercussions. Individuals must adhere to very strict rules in the usage of this data… . � Examples of extremely sensitive data may include the following: Contents of State law enforcement investigative records;

� Child and adult protective services client data. � Level 2—Very Sensitive Data

� This data is only made available to authorized users and may be protected by federal and State regulations.

� Access to very sensitive data is restricted to authenticated and authorized individuals who require access to that information in the course of performing their job duties. These are the data elements removed from responses to information requests for reasons of privacy.

� Examples of very sensitive data may include the following: � Social Security numbers; � Credit card numbers; � Food assistance programs data; � Comprehensive law enforcement data; � Foster care data; � Health, mental health, acute medical care, and medical data; � Social Service or Temporary Assistance data; and � Tax information.

� Level 3—Sensitive Data � This data is made available through open record requests or other formal or legal processes; it includes the majority of the data contained within State government electronic databases.

� Direct access is restricted to authenticated and authorized individuals who require access to that information in the course of performing their job duties.

� Examples of sensitive data may include the following: � Most data elements in State personnel records; � Driver history records; � State/federal contracts data; � Employment and training program data; � Permits data; and � Historical records repository data.

� Level 4—Unrestricted Data � This data is characterized as being open, public data with no distribution limitations and to which anonymous access is allowed.

� This type of information is: (1) actively made publicly available by State government; (2) published and distributed freely, without restriction; and (3) available in the form of physical documents such as brochures, formal statements, press releases, reports, web pages, and bulletin boards accessible with anonymous access.

� Examples of unrestricted data may include the following: � Occupational licensing data excluding social security numbers; � Agency public websites; and � Statewide policies.32

67.8 CONCLUDING REMARKS. This chapter has introduced DC, why it is relevant, how it relates to compliance and legal requirements, how one may design and implement it, and provided some examples of how a handful of entities have implemented their DC labeling schema.

In conclusion, here are some important points to remember when dealing with DC:

� A complete solution will most likely not be achieved by using software solutions alone. Since DC is still evolving, these solutions may require customization to fit what a business must accomplish. Thorough research will be required to find a best-fit solution.33

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 16 DEVELOPING CLASSIFICATION POLICIES FOR DATA

� In order to determine what type of data is used across an entire business, it is imperative to interview users from all segments of the business using surveys.

� Locations of data must be written into a DC policy. Since data can reside in many different locations, a policy must be drafted to account for geography and allow for proper storage and retrieval of these data from varied locations.

� An educational policy for users will need to be created for the “Important” data type (or equivalent) level and above. Creators and users of valuable data types must be educated about the policies and procedures that are put into place for the storage, retrieval, and use of their data.

� A complete DC solution will take some time to implement. Because of the com- plexity of DC, a complete and well-designed implementation will not happen overnight. A realistic estimate should be provided to management when under- taking a DC project.

� Compliance and legal requirements need to be understood well for a particular business. There are several compliance standards that make a business legally liable for certain data types. It is imperative that one understand which of those standards apply to their data when taking on the DC task. Remember too, that legal requirements may also cover investigations that require this data, so understanding data-handling laws is also important.

67.9 FURTHER READING Anonymous. “Data Classification Methods and Policy.” ComputerWeekly, April 2009.

www.computerweekly.com/report/Data-classification-methods-and-policy Anonymous, “Sensitive Data Classification and Protection: Overcoming the Challenges

to Classify and Protect Sensitive Data at Federal Government Agencies.” SE- CURE|IT, 2008. www.secureit.com/resources/WP Data Class and Protect.pdf

Buckley, S. “Data Classification.” Internal Auditor, March 2011. www.theiia.org/ intAuditor/itaudit/2011-articles/data-classification

Etges, R., and K. McNeil. “Understanding Data Classification Based on Business and Security Requirements.” ISACA Journal Online, August 10, 2006. www.isaca .org/Journal/Past-Issues/2006/Volume-5/Documents/jopdf0605-understanding- data.pdf

Fowler, S. “Information Classification—Who, Why, and How.” GIAC Security Es- sentials Certification, February 28, 2003. SANS Reading Room. www.sans .org/reading room/whitepapers/auditing/information-classification-who 846

Heiser, J. “Data Classification Best Practices: Techniques, Methods and Projects.” SearchSecurity, March 2009. Requires membership to view. http://searchsecurity .techtarget.com/magazineContent/Data-classification-best-practices- Techniques-methods-and-projects

Libicki, M. C., D. R. Frelinger, B. A. Jackson, B. E. Lachman, and C. Ip. What Should Be Classified? A Framework with Application to the Global Force Management Data Initiative. Rand Publishing, 2011.

Murray, W. H. “Classification and Labeling of Data.” Thinking About Security blog, March 13, 2012. http://whmurray.blogspot.com/2012/03/classification- and-labeling-of-data.html

Reed, B. “Data-classification best practices.” NetworkWorld, January 18, 2007. www.networkworld.com/news/tech/2007/012207-techupdate-data-classification. html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 67 · 17

Vogel, V. “Data Classification Toolkit.” In Information Security Guide: Effec- tive Practices and Solutions for Higher Education. Internet2, last edited December 22, 2010. https://wiki.internet2.edu/confluence/display/itsg2/Data+ Classification+Toolkit

67.10 NOTES 1. Dataglobal, “Dataglobal Announces dg classification 2.0, the Industry’s First

Unified Data Classification Solution,” Press release via PRWeb, June 11, 2012, www.prweb.com/releases/2012/6/prweb9590296.htm

2. S. Duplessie, N. Marrone, and S. Kenniston, “The New Buzzwords: Information Lifecycle Management,” Computerworld, March 31, 2003, www.computerworld.com/hardwaretopics/storage/story/0,10801,79885,00.html

3. Federal Financial Institutions Examination Council, “Information Security Book- let,” July 2006, http://ithandbook.ffiec.gov/it-booklets/information-security.aspx

4. 5 U.S.C. §552a, U.S. Congress, The Privacy Act Of 1974, December 31, 1974, http://www.justice.gov/opcl/privstat.htm

5. 20 U.S.C. §1232g, U.S. Congress, Family Educational Rights and Pri- vacy Act (FERPA), August 21, 1974, www.access.gpo.gov/nara/cfr/waisidx 04/ 34cfr99 04.html

6. 42 USC §201 et seq, U.S. Congress, Health Insurance Portability And Accountability Act of 1996, August 21, 1996, www.cms.hhs.gov/ HIPAAGenInfo/Downloads/HIPAALaw.pdf

7. 15 USC §6801 et seq, U.S. Congress, Text of the Conference Report of Gramm-Leach-Bliley Bill, November 12, 1999, http://banking.senate.gov/ conf/somfinal.htm

8. 15 U.S.C. §7241, 18 U.S.C. §1350, U.S. Congress, Sarbanes-Oxley Act of 2002, July 30, 2002, http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname= 107 cong bills&docid=f:h3763enr.tst.pdf

9. Kahn Consulting, Inc., “The Federal Rules of Civil Procedure: Meeting the IT and Legal Challenges of the New E-Discovery Rules,” Law.com, May 1, 2007, www.law.com/jsp/legaltechnology/detailWP.jsp?id=1190797378589 (registration required)

10. Committee on the Judiciary, One Hundred Ninth Congress, “Federal Rules of Civil Procedure,” December 1, 2006, http://judiciary.house.gov/media/ pdfs/printers/109th/31308.pdf

11. K. Langdon and J. Merryman, “Data Classification: Getting Started,” TechTarget, July 1, 2005 http://searchstorage.techtarget.com/magazineFeature/ 0,296894,sid5 gci1258224,00.html (registration required).

12. Varonis, “5 Steps to Faster Data Classification,” Varonis Website, January 22, 2010, www.varonis.com/go/resources/#Whitepapers (registration required).

13. R. Smith, “How to Use Microsoft’s Data Classification Toolkit,” Biztech, De- cember 1, 2011, www.biztechmagazine.com/article/2011/12/how-use-microsofts- data-classification-toolkit

14. Microsoft, “Data Classification Toolkit,” September 10, 2012, http:// technet.microsoft.com/en-us/library/hh204743.aspx

15. Microsoft, “Important Information about the Data Classification Toolkit,” Septem- ber 10, 2012, http://technet.microsoft.com/en-us/library/hh367453.aspx

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

67 · 18 DEVELOPING CLASSIFICATION POLICIES FOR DATA

16. CIO, George Washington University, “Data Classification Security Policy,” De- cember 6, 2005, http://my.gwu.edu/files/policies/DataClassificationPolicy.pdf

17. Stanford University, “Classification of Data,” November 6, 2007, www.stanford.edu/group/security/securecomputing/dataclass chart.html

18. Division of Information Technology, University of Missouri, MU Data Classifica- tion System, August 3, 2007, http://doit.missouri.edu/security/data-classification/

19. Angelo State University, “Data Classification Standard,” March 25, 2012, www.angelo.edu/services/technology/it policies/dataClassificationStandard.php

20. NIST, “Standards for Security Categorization of Federal Information and Infor- mation Systems,” FIPS PUB 199, February 2004, http://csrc.nist.gov/publications/ fips/fips199/FIPS-PUB-199-final.pdf

21. This model omits consideration of control, authenticity, and utility as defined in Chapter 3 in this Handbook.

22. U.S. Department of Agriculture, “Control and Protection of ‘Sensitive Se- curity Information,”’ Departmental Regulation 3440-002, January 30, 2003, www.fas.org/sgp/othergov/usda3440-02.html

23. NIST, “Sample Generic Policy and High Level Procedures for Marking, Han- dling, Processing, Storage, and Disposal of Data,” August 2, 2000, http:// csrc.nist.gov/groups/SMA/fasp/documents/production io controls/marking.doc

24. U. S. Department of Energy, “Security Framework for Control System Data Classification and Protection,” Office of Electricity Delivery & Energy Relia- bility, 2013, http://energy.gov/oe/downloads/security-framework-control-system- data-classification-and-protection

25. B. T. Richardson and J. Michalski, “Security Framework for Con- trol System Data Classification and Protection,” Sandia National Labo- ratories Report SAND2007-3888P, July 2007, http://energy.gov/sites/prod/ files/oeprod/DocumentsandMedia/21-Security Framework for Data Class.pdf

26. “45 CFR Parts 160, 162, and 164 Health Insurance Reform: Security Standards; Final Rule.” Federal Register 68, no. 34 (February 20, 2003):8345, note m, www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityrulepdf.pdf

27. U. S. Department of Homeland Security, “Protection of Classified National Security Information: Accountability, Control, and Storage,” Management Directive System MD Number 11045, October 4, 2004, www.dhs.gov/ xlibrary/assets/foia/mgmt directive 11045 protection of classified national security information accountability control and storage.pdf

28. U. S. Department of State, “IT Strategic Plan: Fiscal Years 2006–2010,” Infor- mation Resource Management, Department of State Publication Number 11455, December 2007, www.state.gov/m/irm/rls/92497.htm

29. T. D. Smith, “Cyber Security Policy & Standard PS08-001: Information Classification and Control,” Office of Cyber Security, New York State Di- vision of Homeland Security and Emergency Services, revised February 7, 2012, www.dhses.ny.gov/ocs/resources/documents/PS08-001-V1.2-February- 7-2012.pdf

30. State of Ohio, “Data Classification.” Statewide IT Policy Number ITP-B.11, March 19, 2008, www.oit.ohio.gov/IGD/policy/pdfs policy/ITP-B.11.pdf

31. Texas Department of Information Resources, “IS Security Policies: Data Classifi- cation” template (Word .DOC file), Chief Information Security Office, March 30,

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 67 · 19

2010, http://www2.dir.state.tx.us/SiteCollectionDocuments/Security/Policies and Standards/data classification policy.doc

32. State of West Virginia, “Policy: Data Classification,” Office of Tech- nology Policy WVOT-PO1000, January 6, 2010, www.technology.wv.gov/ SiteCollectionDocuments/ITC Policy Guidelines/Data Class PO.pdf

33. B. Reed, “Data-Classification Best Practices,” Network World, Jan- uary 18, 2007, www.networkworld.com/news/tech/2007/012207-techupdate-data- classification.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68CHAPTER

OUTSOURCING AND SECURITY

Kip Boyle, Michael Buglewicz, and Steven Lovaas

68.1 INTRODUCTION 68 · 2 68.1.1 Definitions 68·3 68.1.2 Distinctions 68·3 68.1.3 Insourcing 68·4 68.1.4 Nearshoring 68·5 68.1.5 Offshoring 68·5

68.2 WHY OUTSOURCE? 68 · 6 68.2.1 Effectiveness

versus Efficiency 68·7 68.2.2 Being Effective 68·7 68.2.3 Being Efficient 68·8

68.3 CAN OUTSOURCING FAIL? 68 · 8 68.3.1 Why Does

Outsourcing Fail? 68·9 68.3.2 Intended and

Unintended Consequences of Outsourcing 68·10

68.3.3 Universal Nature of Risk 68·11

68.3.4 Clarity of Purpose and Intent 68·12

68.3.5 Price 68·13 68.3.6 Social Culture 68·14 68.3.7 International

Economics 68·14 68.3.8 Political Issues 68·15 68.3.9 Environmental

Factors 68·16 68.3.10 Travel 68·16 68.3.11 Labor 68·17 68.3.12 Intellectual

Property Risks 68·17 68.3.13 Additional Risks 68·18

68.4 CONTROLLING THE RISKS 68 · 19 68.4.1 Controls on What? 68·19 68.4.2 Controlling

Outsourcing Risk 68·19 68.4.3 Availability

Controls 68·19 68.4.4 Utility Controls 68·21 68.4.5 Integrity and

Authenticity Controls 68·21

68.4.6 Confidentiality and Possession Controls 68·22

68.4.7 Making the Best of Outsourcing 68·23

68.5 OUTSOURCING SECURITY FUNCTIONS 68 · 23 68.5.1 Who Outsources

Security? 68·24 68.5.2 Why Do

Organizations Outsource Security? 68·24

68.5.3 What Are the Risks of Outsourcing Security? 68·26

68.5.4 How to Outsource Security Functions 68·27

68.5.5 Controlling the Risk of Security Outsourcing 68·30

68.6 CONCLUDING REMARKS 68 · 30

68.7 FURTHER READING 68 · 31

68.8 NOTES 68 · 31

68 · 1 Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 2 OUTSOURCING AND SECURITY

68.1 INTRODUCTION. Since this chapter was first written in 2008, the world has seen significant transformation, driven to a large extent by economic factors, social networking phenomena, the cloud, and the increasingly pervasive need for always-on, always-available information and entertainment.

Global economic leadership is in transition. Europe and the European Union (EU) are locked in a struggle to remain economically viable, and EU leadership is forced into making decisions regarding who can stay in the EU. The BRIC countries (Brazil, Russia, India, and China) are all facing serious economic and political challenges and all the while unemployment in the United States remains at levels not seen since the Great Depression.

Global, regional, and local businesses around the world everyday work in this dy- namic environment. Current multiyear contracts with outsourcers were likely executed in circumstances differing from today’s rapidly evolving environment. Outsourcing and security can mean outsourcing certain corporate activities to a

third party and doing so in a security-conscious fashion; for example, business A hires business B to be business A’s helpdesk. A second interpretation is that business A hires business B to provide corporate technology security.

The term “outsourcing” has come to identify several distinct concepts, each requiring a different risk-management strategy. In this chapter, we examine today’s practice of outsourcing and the effects and considerations it has, or should have, on the work of information assurance professionals.

Organizations (companies, nonprofits, government agencies, etc.) outsource to gain efficiencies and effectiveness. The efficiencies gained, however, do have consequences. An outsourcing strategy of implement-it-and-forget-it is unwise, as the outsourcing en- vironment can change quickly and dramatically. Within very recent history, outsourcing primarily referred to the movement of tasks from within a corporate environment to another corporation perhaps better suited or more efficient at those tasks. Now the term outsourcing also refers to transferring operations and ownership of portions of a corporate infrastructure, including key computing functions, to a cloud vendor, a solutions integrator, or other entity providing computing services. Thus, outsourcing no longer refers to a call center or provider, but instead covers data possession, move- ment, processing, protection, and retirement all done in a cloud spread across multiple servers in multiple data centers in multiple areas of the world.

Michael Cooney points out some of the significant considerations and problems facing the outsourcing world at end of the first decade of the twenty-first century:

� Security problems � China’s rise � India’s growth � India’s turmoil � Blunders � H-1B visa trials � Small business outsourcing � Managed services1

Despite the negative overtones that sometimes accompany the practice of outsourc- ing, there can be great benefits. Here are a few:

� A corporation’s self-knowledge improves dramatically when it is compelled to articulate, explain, and define its corporate mission to others.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 68 · 3

� Outsourcing clarifies and institutionalizes roles, goals, and measures of success. � One of the largest and most important aspects is that outsourcing done success- fully demands risk identification and formalized mitigation activities that might otherwise not occur within the corporation.

� Outsourcing allows a company to focus on corporate core competencies, thus making gains in: � Effectiveness (i.e., doing the tasks for which you have the potential to produce the desired results)

� Efficiencies (i.e., using an optimal amount of time and energy to complete a task)

� Focus (i.e., concentrating on key business objectives) � Discipline (i.e., holding the corporation accountable for corporate objectives, and holding the vendor to clearly and contractually defined objectives)

� Appropriate utilization of high-value employees performing high-value busi- ness functions

� An organization gains or intends to gain financial improvements by moving work to vendors that can perform the work at a lower cost and/or at a greater level of specialization.

The outsourcing of operational computing functions to the cloud or solution providers allows a company to focus less on the tactical production of data for business analysis. Rather, when an organization doesn’t need to focus on the tactical opera- tion of keeping farms of data servers and complicated data storage techniques, that organization can focus on consumption and analysis of the data and the maturation of business knowledge and theoretically, business advantage.

68.1.1 Definitions

Vendor or contractor—an arm’s-length entity providing an outsourced service Organization or business—the entity contracting for its products or services with

a vendor

Outsourcing—the fulfillment of a specific business function or functions by con- tracting with a vendor to perform within the vendor’s own facilities

Insourcing—the commonplace use of contract or noncompany employees to fulfill certain business functions within the physical and logical corporate boundaries

Cloud services—data center and or software services offered by commercial com- puting corporation such as email, communications, collaboration technologies, and data services

68.1.2 Distinctions. The risks and considerations of outsourcing an inbound call center, outsourcing a corporate IT function, insourcing a corporate finance function, insourcing an HR function, outsourcing corporate email functions, or a combination of insourcing and outsourcing of a corporate security function all require different perspectives and tactical activities. Despite the commonalities among outsourcing functions (e.g., connectivity, user management, definition of task, measurements of effectiveness, goals and objectives), the same outsourcing blueprint for an inbound

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 4 OUTSOURCING AND SECURITY

call center would not serve for outsourcing corporate security. The objectives, rules, policies, risks, and rewards for each scenario are distinct and require customized attention.

Outsourcing decisions depend on which functions an organization decides it should perform for itself to maintain effectiveness and which functions would be performed more efficiently or more effectively by a vendor. Outsourcing also implies that an organization does not have, does not want to have, and cannot or will not have a specific expertise as part of its core business missions.

68.1.3 Insourcing. Insourcing is an accepted business practice; the government and many of today’s large corporations hire contractors who work as insourcers within the physical and logical boundaries of their organization.

Insourcing poses risks to an organization because the place of work for the insourcer (vendor) is often within the physical boundaries of the organization—well within the physical perimeter, and in many cases, inside the logical perimeter defenses of the corporation. The contract worker is not an employee, but in most cases the contractor enjoys the same accesses as employees for the duration of the contract.

The defenses used for external protection are not as effective (if at all) against an insider with malicious intent. Security considerations regarding an insourced contractor require a different approach, more similar to layered security strategies employed for internal company resources.

Besides traditional IT security concerns, for these outsiders with insider access, the problems of human error, omissions, or complete bungling must be addressed. Security from external sources does not normally include internal human-error considerations. Before considering insourcing, an organization should already have a formal risk- management strategy (quality control) for internal human errors as well as for insider espionage and other insider threats.

An insourced contractor is not a full-fledged member of an organization and fre- quently resides somewhat outside of internal controls, thus requiring a separate and recognized classification and specific handling appropriate to the role. The General Accounting Office recently conducted a study of four federal agencies that rely on con- tractors to collect certain data on American citizens. The study found that “[a]gencies often do not limit the collection or use of information as required by the Privacy Act of 1974, … agencies don’t ensure the accuracy of information … [and] contractors are not bound by those fair information practices and they often don’t comply with all of them.”2

Sound risk management requires acknowledgment and recognition that significant and substantial risks exist when insourcing. Attention to detail, a reality-based risk assessment, clearly articulated risks, attainable observations, and concrete audit points are all essential to manage successfully the insourced contractors and their mission. (See Chapters 13 and 45 in this Handbook.)

With the proliferation of mobile devices (smartphones, tablets) as well as indepen- dent data connections via USB data cards that connect to major telecommunications companies (e.g., ATT, T-Mobile, etc.), an insourced vendor is able to communicate externally without any oversight or examination of the content of those communica- tions. Thus, trade secrets, competitive advantage information, future marketing plans, or even mundane operations details that could be examined and potentially exploited are free to leave the confines of the corporation without the knowledge of anyone in the corporation.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

INTRODUCTION 68 · 5

It might be prudent to expand our consideration of insourcing to include any situation where an individual who is not a direct employee of a corporation or entity is granted the ability to work within a corporate environment. This could include interns, volunteers, and even maintenance staff. With the economic downturn late in the first decade of the twenty-first century, many corporations have learned to rely on interns and volunteers who are hopeful that their efforts will be duly noted and potentially result in an offer of permanent employment. However, the flip side of such an arrangement is that the intern or volunteer could indeed be keenly observant and equipped with a smartphone, tablet, or laptop with a camera and an independent data connection; some of these temporary workers may make more money by selling a corporation’s intellectual property, marketing information, or financial data to the highest bidder. (See Chapter 13 for more details of insider threats.)

68.1.4 Nearshoring. Nearshoring is the outsourcing of a specific discrete busi- ness function to a vendor located within the same, a nearby, or a bordering geographic region.

In some cases, an international outsource vendor will place components of its business in a specific country to acquire work within that country. For example, a United States–based outsource vendor will often position its operations in the United States to fulfill contracts from companies in the United States. Nearshoring can also include outsourcing to a bordering or regional country that shares a common cultural knowledge and understanding, as when a U.S. organization outsources to a group in Canada or Mexico.

Many of the largest technology companies in the world are some of the largest nearsourcing vendors. “Productized offerings from the large outsourcers include service desks, desktop management, and specialized network offerings. Examples include EDS Agile, HP SMB Services, and IBM Express Advantage.”3

During the opposition to outsourcing that occurred in the first few years of the twenty-first century, the negative connotations of outsourcing were sometimes blunted when organizations nearshored their outsourcing work. The move toward globaliza- tion, and the painful lessons it taught certain nation-centric IT organizations, seemed easier to comprehend and accept if those jobs went to vendors located within relative proximity.

68.1.5 Offshoring. Offshoring is the outsourcing of specific, discrete business functions to a vendor whose corporate headquarters, or employees who fulfill the out- sourced function, reside and work on another continent, as when a European company outsources to a company based in India.

Perhaps the most controversial kind of outsourcing, offshoring evokes a strong response, both in countries that move work offshore and in offshoring destinations. Nationalism, job security, self-interest, and a host of other emotions, both rational and irrational, seem to be part of every discussion. Those concepts, along with many others, are examined in Thomas Friedman’s cornerstone book on outsourcing, The World Is Flat.4 Friedman’s perspective organizes the many disparate elements converged to “flatten the world” and to create a truly global work environment.

Regardless of the reasoning behind the decision, offshoring involves different con- siderations from insourcing and nearshoring. Fundamental business tasks taken for granted in a single geopolitical environment require different considerations when

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 6 OUTSOURCING AND SECURITY

offshoring. Many of the questions should be asked and answered long before address- ing the ability of the offshore vendor and its employees simply to do the job.

Despite all of these complications, offshoring is an established business practice and successfully accomplished every day. However, the rules that make offshoring successful will make any other business successful:

� Clearly understand your business. � Clearly articulate your outsourcing (insourcing, nearshoring, and offshoring) goals.

� Possess a razor-sharp understanding of all risks, and managing those risks in an effective and reasonable manner.

68.2 WHY OUTSOURCE? There are two main drivers behind the growth of outsourcing today: the never-ending quests for greater organizational effectiveness and for greater efficiency. These drivers have come to the forefront of our economy because of the shift in strategic business thinking, begun in the 1990s, that is still affecting the way organizations are managing their businesses and serving their customers.

With the economic downturn that occurred late in the first decade of the twenty-first century, the impetus to outsource at a more rapid rate to low cost labor markets reached a fever pitch. In an effort to squeeze out costs within the corporation in many cases simply for economic survival, outsourcing became even more frenzied, bordering on the desperate.

In an article published April 19, 2011, entitled “Top ‘US’ Corporations Outsourced More Than 2.4 Million American Jobs Over The Last Decade,” author Zaid Jilani states that contrary to trends in the 1990s where large U.S. corporations were creating jobs in the United States, these same large corporations “… have been adding more jobs abroad than at home,” as is illustrated here:

1999

Where the Jobs Are Going U.S.-based multinational companies added jobs overseas during the 2000s and cut them at home. Cumulative change since 1999

–3.0

–1.5

0

1.5

3.0 million

2001 ′03 ′05 ′07 ′09 (preliminary)

Jobs in U.S.

Jobs

outside U.S.

Source: Zaid Jilani, “Top ‘US’ Corporations Outsourced More Than 2.4 Million America Jobs over the Last Decade,” Think Progress Economy, April 19, 2011, http:// thinkprogress.org/economy/2011/04/19/159555/ us-corporations- outsourced-americans/?mobile=nc

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

WHY OUTSOURCE? 68 · 7

Mr. Jilani’s article continues:

Another question asked of the executives found that the top reason for companies to outsource was to “reduce operating costs” (46 percent of respondents). Only 12 percent of respondents said their reason for outsourcing was “access to world class capabilities.” This means companies are outsourcing to save themselves money, not to make better products.

In addition to sending jobs overseas, Mr. Jilani as well points out that many of the large corporations who have sent jobs overseas are as well attempting to repatriate the profits they’ve made overseas at a reduced tax liability. Mr. Jiliani gives the example of Cisco Systems.

… which had 26 percent of its workforce abroad at the start of the decade but 46 percent of its workforce abroad by the end, is currently involved in a lobbying campaign titled “Win America” calling for a tax repatriation holiday that would let big corporations “bring money they have stashed overseas back to the US at a dramatically lower tax rate.5

68.2.1 Effectiveness versus Efficiency. Being efficient implies using an op- timal amount of time and energy for getting a task done. In contrast, being effective means accomplishing the intended consequences of the task.

68.2.2 Being Effective. Historically, management has been primarily interested in increasing the efficiency of important business processes. But since the late 1980s, enlightened managers have realized that it can be very wasteful to try to optimize a process that does not lie within the core competency of the organization.

What are an organization’s core competencies? A core competency is a mission- critical task or function that an organization is good at. “Mission-critical” refers to functions that are directly related to the strategic goals of the organization; for exam- ple, a hospital or a restaurant will consider cleanliness a mission-critical goal, whereas an automobile repair facility probably would not. Examples of core competencies may include reliable processes (e.g., Procter & Gamble’s consumer brand management or Toyota’s mantra of continuous improvement); a unique way of relating to customers (Nordstrom’s superior retail service) or to suppliers (Boeing’s supply chain manage- ment); or the particular look and feel of products or services (Apple’s computers and iPods). A core competency also must meet these three conditions:

1. It can be used to develop entirely new products and services. 2. It provides significant customer benefits. 3. It is difficult for competitors to duplicate.6

If all three conditions are met, then a core competency can provide an organization with a true competitive advantage, which is a highly prized organizational asset, and which must be continuously guarded lest the competitive advantage be lost. A corollary is that all other functional areas, which are not within the core, are candidates for outsourcing.

By delegating tasks to vendors, an organization’s management may concentrate more fully on its core business. Ideally, this will allow the organization to use its limited financial, talent, and other resources in the most productive manner. Knowing which activities an organization should perform, and which it should not, is the heart of being effective.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 8 OUTSOURCING AND SECURITY

68.2.3 Being Efficient. Assuming one is doing the right things (i.e., being effective), the next logical question is whether one is doing them as efficiently as possible? Is the organization using the optimal amount of resources while still achieving quality and quantity goals? This question is important to both outsourcing organizations and to vendors performing outsourced work.

How can one measure efficiency? An often-sought-after outcome of efficiency is direct cost minimization. The idea of using outsourcing to achieve direct cost cutting is attractive. For example, according to a 2005 article appearing in Mortgage Strategy, British companies can save up to 40 percent by outsourcing all kinds of jobs to India. These companies report savings of a minimum £10 million pounds each year for every 1,000 jobs they outsource.7

In addition to direct cost reduction, other financial benefits of outsourcing to increase efficiencies include:

� Decreased capital expenditure. Because vendors utilize their own tools and infrastructure, there is no need for organizations to borrow money to purchase these items.

� Decreased fixed costs. Fewer fixed, lower, recurring payments allow an organi- zation to manage its cash more easily because it would need less of it; fixed costs must be paid even when sales decrease, which may lead to a shortage of cash that could eventually bankrupt an organization.

� Increased variable costs versus fixed costs. If an organization pays a vendor based on units of work performed, then the costs of production become more variable, which is easier to manage as costs rise or fall based on the volume of goods or services required.

Another positive outcome of outsourcing is increased speed or work cycle time. By hiring a vendor located in India to test the quality of software written in the United States, an organization can perform software development work nearly 24 hours per day. Each morning on return to work, U.S. programmers would have the results of testing in India and could begin making corrections right away. By using this “follow the sun” approach, an organization can gain a speed advantage over its rivals.

Possibly the greatest aspect of efficiency that outsourcing can deliver is management focus. There can be great value in focusing a company’s management team directly on those activities that differentiate it from the competition. Whenever a management team is focusing on noncore functions, it is usually operating not from a position of strength but from one of weakness. By definition, the team is not expert at noncore activities. In these cases, the team can spend too much time trying to understand and manage something that does not differentiate the organization from its competitors. If the noncore activities require too much management time and attention, there is a real risk that the core competencies of the organization may decrease in value. In the most serious of cases, an organization can lose its competitive edge completely, driving down sales, revenue, and profits.

68.3 CAN OUTSOURCING FAIL? Yes, outsourcing can fail. For example:

In 2004, J.P. Morgan Chase & Co. reassumed main technology functions following its merger with Bank One Corp., abandoning a US$5 billion pact with International Business Machines Corp. The same year, Electronic Data Systems Inc. abandoned a US$1 billion deal to run Dow Chemical Co.’s phone and computer networks.8

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CAN OUTSOURCING FAIL? 68 · 9

Deloitte Consulting’s 2005 study, “Calling a Change in the Outsourcing Market,” offers evidence that large organizations do not always achieve great efficiencies from outsourcing. The study, based on personal interviews with 25 of the largest organiza- tions across eight industry sectors, reveals that:

� Seventy percent of participants have begun looking more cautiously at outsourcing after having negative experiences with outsourcing projects.

� One in four respondents have brought functions back in-house when outsourcing failed to deliver on promises of lower cost and more efficient operations.

� Forty-four percent of participants saw no cost savings as a result of outsourcing.9

It is important to keep in mind however, that for every outsourcing failure there are many other outsourcing successes. So then what separates successful from unsuccessful outsourcing/? Core to success are the following:

� A clear understanding of the corporation’s business mission, and how the task to be outsourced contributes to that mission

� Rational and well-thought-out expectations of the outsourced function. If a cor- poration couldn’t fully control the business function and continuously underper- formed at the function, then don’t expect outsourcing will be the panacea—unless there is corporate will (and dollars) to improve the function and the outsourcing includes hiring outside functional expertise for the function.

� Engagement with a world-class outsourcer. Unless a corporation has deep skills, knowledge, and insights in outsourcing, the risks of going with an untested or unknown outsourcing solution are simply too great. From infrastructure to data handling and security, there are simply too many moving parts for outsourcing to be a trivial task.

68.3.1 Why Does Outsourcing Fail? There are many risks to outsourc- ing, but direct cost reduction, often a top goal of outsourcing, can create the great- est risk of all. Indeed, “outsourcing deals most frequently stumble when they fo- cus primarily on reducing costs.”10 Despite this observation, in a set of recent sur- veys, the rate of cost reduction as a driver for offshoring has been growing. From 2004 to 2006, the rate went from just over 70 percent of respondents to just over 80 percent.11

Total expenditure on outsourcing can meet or exceed the baseline of spending established prior to outsourcing. Although this may not be an inherently bad situation, management may perceive the experiment as a failure if the organization approaches outsourcing opportunities primarily to cut costs. However, if seen from a perspective of effectiveness rather than simply of efficiency, the outsourcing activities may be quite successful.

There are many other business reasons why outsourcing can fail. Looking more closely at the organization’s perspective within the typical loss scenarios, in many cases the failure occurs because of one or more of these reasons:

� Monitoring and evaluating the performance of an outside vendor is a difficult task for many reasons, often due to inadequate selection and to monitoring of performance metrics.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 10 OUTSOURCING AND SECURITY

� The outsourcing organization did not work hard enough to create a “win/win” opportunity for both itself and the vendor.

� Aligning the goals and priorities of the outside vendor with the organization’s goals and priorities is rarely easy.

� Outsourcing requires an organization to master new and more complicated forms of communication, especially when outsourcing to a vendor in another country.

� It is challenging for an organization to ensure that the vendor’s employees maintain sufficient knowledge and skill levels to do the work that has been delegated.

� Outsourcing usually introduces insecurity to the workforce and to the unions, as fear of job losses dominates their thinking. Terminating a contract usually requires a disruption in service continuity, and the quality of service can suffer, sometimes visibly to customers.12

Even when outsourcing appears to succeed from an operational perspective, there may be hidden inefficiencies in information protection that can decrease the overall value of the activity.

68.3.2 Intended and Unintended Consequences of Outsourcing. Now that the corporate world has experienced well over a decade of outsourcing, what in fact have we learned? In a lecture entitled “The Future of Outsourcing—Impact on Jobs,” Patrick Dixon says:

Outsourcing incentives are huge—and can lead to falls in service costs of 50–60%. Up to half of the $19 trillion spent every year by European companies on sales and administration could be outsourced.

However, during 1995–2011 there has been a large migration of skilled, semi-skilled, and unskilled jobs from high-cost to low-cost nations. Outsourcing has produced labour shortages in many emerging economies. For example, China is now seeing 100% salary inflation at top end and India is not far behind—acute shortage of experienced business leadership. Some companies are now thinking of moving operations to places like Pakistan (50% lower costs and over 200,000 IT graduates looking for work), Bangladesh, or Vietnam. Changes are happening very quickly. But other corporations are already moving jobs back home—because cost savings have narrowed, and because outsourcing carries risks—in supply chain delays, language and culture challenges, distance management, loss of intellectual capital, and so on.13

Conversely, Mr. Dixon points out that many economists believe that while out- sourcing does indeed move jobs to low-cost labor countries, there are subsequent higher-value jobs created in the original corporate country. Other cogent factors are:

� Outsourcing allows a company to control costs and by so doing stay in business. � By staying in business the company can return value to shareholders. � If the company remains economically viable it can as well live up to its obligations to its pensioners.

� By investing in low-cost labor markets, we are in effect helping those economies evolve and potentially become customers for our goods and services.14

� Reality, direct observation, and common sense tell us that moving from high-cost to low-cost labor markets creates the following cycle: � Technically skilled labor tasks move from high-cost (and experienced) labor markets to low- and mid-cost labor markets (with lower skills/less experience).

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CAN OUTSOURCING FAIL? 68 · 11

� The cost savings of moving from high-cost to low-cost labor can be significant on an hour to hour comparison, but because of the lack of experience and skill in the low-cost labor market, early savings are not as significant as expected. With less experienced labor, it simply takes longer to accomplish the same task as accomplished by experienced labor.

� Low-/mid-cost labor markets skills improve with experience. Those in high-cost labor markets that still remain focus on higher-level functions and much deeper technical expertise, and deeper skills transfer to the low-cost labor markets.

� As low-cost labor markets gain in experience and technical expertise, the high- cost labor teams grow smaller and smaller, and because the high-cost labor teams are no longer involved in the day-to-day technical operations, high-cost labor skills (especially experiential) begin an erosion cycle.

If we follow this cycle to its conclusion, given time, the technical and intellectual insights of a particular business now reside with an outsourcer, and the originating company has lost internal expertise to help lead and evolve the company into a viable future.

68.3.3 Universal Nature of Risk. Risk is inherent in virtually every human activity. One of the distinct advantages of an organized society is the ability of that society to distribute risk. Thus, not every member of society need manage every single risk.

When outsourcing, the greatest cost is that of ignorance, and the ultimate price is failure. Poorly defined expectations and poor planning resulting from a fundamental ignorance of a business will doom any corporate project, including outsourcing.

During early planning phases of the outsourcing project, it is prudent for the in- formation assurance team to assess the entirety of the outsourcing project. However, information assurance does not have to own all aspects of the project; it is enough that the information assurance group should possess an end-to-end perspective, so that it can appropriately assess risk.

To relegate information assurance only to technical security tactics and practices is a serious error. Regardless of the vendor, the ultimate accountability (referred to as res- ponsibility) stays with the firm. “One thing that can’t be outsourced—responsibility … . Everything from employee policies to customer satisfaction to ethical and legal issues roots back to the impact on shareholder value. These responsibilities stay with the firm regardless of the functions that have been outsourced.”15

The vendor, however, is accountable for carrying out all elements of the contractual agreement.

Thus, at the earliest planning stages, an information assurance review includes the overall scope of the outsourcing project. Questions should include:

� What information assets are at risk? � What is the value and sensitivity of those assets? � What current and future “risk shadow” will the outsourcing project cast on those corporate information assets?

The responses to these questions provide the foundation for the outsourcing project, as well as the degree of involvement from the information assurance community after that preliminary review.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 12 OUTSOURCING AND SECURITY

Planning complex endeavors normally proceeds by careful identification and exam- ination of concepts that move from general to specific. The sections that follow include broad categories for consideration at the onset of the outsourcing project. These cat- egories require in-depth examination, as they relate to the specifics of each unique outsourcing project.

The outsource plan must include not only those tasks and security elements that are well known, but must as well consider the unthinkable. Amazon Corporation is an absolute pioneer and power in the cloud-computing world, providing hosting services to businesses large and small. As a cloud-computing provider, Amazon’s Web services can have a direct impact on a business’s revenue stream.

In an article entitled “Modern life halted as Netflix, Pinterest, Instagram go down” author Chris Matyszczyk describes how Netflix, Pinterest, and Instagram were com- pletely unavailable: “The cause was reportedly an outage at Amazon’s Elastic Compute Cloud in North Virginia, brought on by a thunder and lightning show.”16

We need not look much further than very recent history to find other epic security incidents that involved corporations and outsourcers:

…Sony shut down its PlayStation Network and mustc-streaming service Qriocity after an attacker made off with passwords and personal data from 77 million customer accounts and possibly 10 million encrypted credit card files. The information was in an AT&T data center in San Diego but controlled by Sony, which on Monday also pulled its Sony Online Entertainment site and Station.com gaming site after discovering an issue while investigating the intrusions.17

Alex Pham of the Los Angeles Times provides us a glimpse into the fiscal impact of the breach:

In addition to losing an estimated revenue stream of about $10 million a week, Sony will probably have to reimburse customers who pay for its premium service, rebuild its computer systems, and beef up security measures, said Michael Pachter, an analyst with Wedbush Securities who said the incident could cost the company $50 million.

That doesn’t take into account the cost of defending against lawsuits, including two filed in California that are seeking federal class-action status.

“Even if everyone loses just $1, that’s $70 million,” said Mark Rasch, director of cyber- security and privacy at CSC, a computer networking and security firm in Falls Church, Va. Rasch, a former federal prosecutor who prosecuted Kevin Mitnick, a once notorious computer hacker, added, “If it’s $2, you’re looking at $140 million. Even lawyers can do that kind of math.”18

Explaining those volumes of losses to a Board of Directors and shareholders is not an easy or pleasant task—thus a very clear understanding of risk and risk man- agement in any outsourcing agreement is key. As the Sony incident as well as the Amazon–Netflix/Pinterest/Instagram examples demonstrate, even when dealing with world-class outsourcing leaders, bad things can and do happen; thus, a well-thought-out mitigation plan is not only essential, it is a matter of survival.

68.3.4 Clarity of Purpose and Intent. To outsource, one must possess the ability to articulate the task and to focus on creating a mutually beneficial vendor relationship. Poorly defined tasks lead to frustration and to unstructured attempts to meet inchoate needs instead of to measurable objectives—limitations that cause both organization and vendor to fail.

Corporations should associate with outsourcers that possess depth expertise in the particular business function intended to be outsourced. If a corporation outsources a

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CAN OUTSOURCING FAIL? 68 · 13

business function to an outsourcer that has to be told specifically how to fulfill the certain task, there is likely a disconnect. The purpose of outsourcing is to pay to have the function fulfilled by someone who can perform the function at more efficient and effective levels than the corporation itself.

Corporations depend on current employees to articulate the soon-to-be-outsourced task again, not the specific details of how they will attain the expected outcomes. Ironically, those employees best suited to articulate the task are frequently those whose jobs are most at risk after the successful implementation of the outsourcing project. This conflict of interest is a risk consideration.

Several phases of outsourcing include, but are not limited to, the collection and documentation of task knowledge for outsourced functions, vendor solicitation such as the request for information (RFI) or the request for proposal (RFP), vendor selection, and training.

Vendor selection is itself a key and integral part of the risk management of outsourc- ing, hence the importance of identifying, articulating, and quantifying the outsourcing goals. Once vendor selection occurs, corporate employees train vendor personnel on the outsourced functions. When the vendor personnel are trained and functional, most outsourcing results in the redeployment or release of corporate employees who fulfilled the specific task prior to outsourcing.

Risks related to clarity of purpose and intent include:

� Poor identification and definition of the outsourced task as well as clearly articu- lated success metrics results in an ineffective outsourcing program.

� Employees involved in the outsourcing project are aware that in many cases they are training their replacements.

� Any reduction in force regardless of the cause is a traumatic corporate event bringing unease and unrest to other employees.

� Unease and unrest can translate into lost productivity, poor morale, malaise, and corporate insider sabotage, all of which ultimately cause lost revenue.

Once outsource personnel are trained, especially if the technology/task is in high demand, the vendor must have safeguards in place to stem their attrition caused by their employees ‘job hopping’ to a more lucrative outsourcer.

68.3.5 Price. One of the largest risks of outsourcing is the formation of an unstable relationship with the vendor. When margins are paper thin, overall security practices often become the first victim. Recent findings from IT research firm Gartner indicate that a significant number of CIOs still look at outsourcing in terms of near-term profitability.

As a result, they’re setting themselves up for failure … . By 2008, more than 2.3 million offshore service workers will be employed by U.S. companies. But according to a recent Dun & Bradstreet survey, 20% of those outsourcing relationships will fail in the first two years, and 50% within five years.19

Risks related to price issues include:

� The vendor’s culture must at least absorb, if not improve on, the originating company’s corporate culture and do so in a fiscally responsible way.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 14 OUTSOURCING AND SECURITY

� Defining outsourcing success by cost reduction alone introduces ongoing and increasing risk throughout the outsourcing relationship.

� Price and pricing are dependent on the ability to forecast business accurately. If the outsourced business does not have a perspective of historical trends, driving prices down at a vendor can actually have a negative effect on the outsourcer’s outcomes and efforts.

Because outsourcers, like most businesses, seek to maximize profits in a low-margin industry, it is important to understand if the outsourcer actually outsources parts of their infrastructure (including security) to an even lower-cost outsourcer. For example, does an Indian outsourcing company outsource parts of their work (coding, reporting, train- ing) to vendors in China, Vietnam, or other lower-cost labor markets? Understanding your outsourcer’s business model and strategy is a key decision point.

68.3.6 Social Culture. The vendor must understand and address the social cul- ture of the outsourced task and the differences from its own. Vendors must understand, absorb, and fulfill the outsourced task, under the same social norms as the sponsor organization. Cultures around the world have different societal norms, expectations, and nuances regarding confidentiality, possession, integrity, authenticity, availability, and utility. Vendors must be able to respond, react, and live within both the social culture they serve and their home culture.

Risks related to social culture include:

� Failure of the vendor to adapt to the social culture of the society served can result in lost money, wasted effort, potential legal issues, and customer dissatisfaction.

� Failure of organizations and vendors to anticipate, recognize, and mitigate prob- lems arising from cultural differences regarding security, whether insourced or outsourced, poses a potentially catastrophic risk.

� Failure of the outsourcing corporation to understand the cultural nuances of the intended outsourcing country’s social norms or the cultural nuances of the coun- tries served by the outsourcer can drive out any potential gains of outsourcing with greater dissatisfaction in the outsourcing company, the outsourcer and the customer segments served

68.3.7 International Economics. The organization not only needs to under- stand its corporate and customer economics; it also must have a very deep and forward- looking view into the economic horizon of the vendor’s geopolitical economy.

There are many willing vendors in emerging and low-cost labor markets. Without a clear understanding of the economic future of the vendor’s country, a corporation can easily find itself tied to a vendor in an eroding or imploding economy.

Risks related to economic issues include:

� When the economy of a country collapses, any contractual relationship to an outsourcing vendor in that country will not survive.

� Forced into an evanescent relationship, a corporation may not have the ability to pull the outsourced task in-house, or to another vendor, quickly enough to save its own business.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CAN OUTSOURCING FAIL? 68 · 15

In the second decade of the twenty-first century, China’s economy contracts and wage growth increases, several European nations and the EU itself teeter on the verge of insolvency, and Vietnam and the Philippines see robust growth. Companies with long-term outsourcing contracts in highly changing regions may find themselves con- tractually locked into a difficult business climate for years to come.

68.3.8 Political Issues. Regardless of whether the vendor is nearshore or off- shore, the client organization must have clear understanding, perspective, and accep- tance of the political nuances in the vendor’s country.

Political nuances and practices differ in every country. Acceptable behavior in one country may be reprehensible in another. Corporations must consider how political nuances intertwine with corporate objectives and policies.

Corporations must also be aware of and acknowledge the new risks and instabilities of the new century, and factor them into every nearshoring and offshoring outsourcing effort.

The terrorist attacks Tuesday on trains in the western India city of Mumbai appeared unlikely to dampen investments and outsourcing to India … . The government also found evidence from terrorists killed in an encounter last year that they were targeting India’s successful outsourcing industry.20

Risks related to political issues include:

� Are graft and bribery accepted or expected within the local political system? If so, how will such practices accord with national restrictions on the contracting organization? Will the outsourcing entity need to sponsor or participate in the political system of the vendor’s country? How will such involvement be perceived nationally and internationally?

� Is the country politically stable? What are the opposing forces, and how do they see outsourcing vendors?

� Does the nearshoring or offshoring country possess an environment compatible with terrorist activities? What assurances of business continuity can the vendor make under such circumstances?

In mid-April 2012, the president of Argentina, Cristina Fernandez de Kirchner, announced “… a government plan to take YPF back through legislation that would expropriate a 51% share of the company. Through a decree, Fernandez immediately placed the leadership of YPF in the hands of Julio De Vido, the country’s minister of planning and public investment.”21 Thus, the Spanish oil company Repsol lost its investment and purchase of Argentina’s YPF, an oil and gas company. If a company outsources into a country where government seizures are acceptable and expected, the outsourcing company faces many risks related to infrastructure and, perhaps more importantly, intellectual property.

An energy crisis in India is having a significant impact on the Indian people and businesses. Contributing factors to the energy crisis include India’s dependence on Iran for oil, yet U.S. and European sanctions are diminishing Iran’s ability to deliver fuel to India. The diminished flow from Iran to India, as well as competition for oil and other fuels with China, Japan, and South Korea, leads commentators to suggest, “At stake is India’s ability to bring electricity to 400 million rural residents—a third of

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 16 OUTSOURCING AND SECURITY

the population—as well as keep the lights on at corporate office towers and provide enough fuel for 1.5 million new vehicles added the roads each month.”22

68.3.9 Environmental Factors. Site selection is one of the fundamental build- ing blocks in any outsourcing project and a topic worthy of careful examination by itself. (For additional details, see Chapter 23 in this Handbook.)

Risks related to environmental factors include:

� If nearshore or offshore, will the vendor’s regional infrastructure predictably and reliably support the expected and required service levels for the outsourced task?

� How susceptible is the nearshore/offshore location to natural disaster? � Could a natural disaster trigger debilitating political or economic events in the host country?

� Does the host country possess the ability to recover from an environmental disas- ter?

� Could the outbreak of an easily transmitted disease or illness affect the location? And does the host country have the medical, technical, and communications infrastructure to deal with a pandemic?

� Is the area prepared for the actual weather it receives? For example, it is well known that the monsoon season comes to India. One of the causes of absenteeism in monsoon season in Mumbai is street flooding.

� Does the proposed outsourcing location have the external technology infrastruc- ture that would support a remote workforce? If an employee cannot go to work because of street flooding or a pandemic, does the outsourcing country’s telecom- munications infrastructure support continuity of operations?

68.3.10 Travel. Whether nearshore or offshore, outsourcing will likely, and with regularity, send employees to the vendor for training, quality control, and other man- agement functions. Important travel considerations focus on the costs of travel as well as on employee safety and health, addressing such issues as travel safety, food safety, medical preparations (immunizations, malaria pills, etc.), and locally available medical care.

Risks related to travel include:

� Will foreign workers be able to obtain required travel documents (e.g., exit per- mits from their home country, working visas for the outsourcing organization’s country), allowing them to work in the client’s organization?

� Extensive travel is grueling, takes a toll on employees’ personal lives, and can cause productivity and management issues.

� Travel is expensive. Failure to budget for appropriate amounts of travel to the vendor will result in budget overruns.

� Inthe post-9/11world, the risksandstressestotravelershave increased. Depending on the vendor’s location, exposure of corporate employees to terrorist threats, or the fear of terrorist threats, is a significant consideration.

� With the advent of airport body scanners, controversy still occurs as to the long- term health risks of multiple scans by frequent travelers

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CAN OUTSOURCING FAIL? 68 · 17

� Keeping employees on the road traveling for long periods of time leads to physical, mental, and family stresses, all of which can contribute to employee turnover.

Common sense reveals that in most companies, it is the more senior and experienced personnel who do in fact travel in support of outsourcers. However, by traveling, those senior personnel face more and more nonproductive hours in airports and airplanes. Given that more and more major airlines have wireless availability while in flight, productivity can increase. Conversely, the ability to eavesdrop and intercept corporate communications increases in public places like airports, and in a small, enclosed, and public Wi-Fi network on an airplane, the chances for corporate espionage increase significantly.

68.3.11 Labor. Labor and workforce risks occur everywhere from Detroit, Michigan, to the Philippines and Bangalore, India. Without a clear understanding of the risks particular to the vendor’s region, a corporation could find itself in a quagmire of constant turnover, escalating wages, work stoppages, and unfettered cost growth.

Careful examinations of current and forecasted workforce trends are core to the ven- dor selection process. As outsourcing sites gain in popularity, wages escalate driven by competition for workers. Once a corporation moves key functions to a vendor, if workforce conditions negatively change, previous cost savings could be lost. Impor- tant considerations include current and forecasted worker supply, the vendor’s ability to retain employees (as evidenced by annual turnover rates), a propensity for collec- tive bargaining in the vendor’s country, and the stability of the government and the opposition’s tactics.

Additionally, understanding the history of strikes or work stoppages in the vendor’s location is a necessary preparation. For example:

Political strife led to a shutdown Oct. 4 of most major outsourcing companies in Bangalore … . In April, Bangalore shut down for two days when citizens rioted following the death of Indian film icon Rajkumar. Published reports said the country’s software companies lost $40 million in revenue.23

As mentioned in Section 68.3.7, the economic conditions in the offshore location should be followed carefully. Some countries suffering inflation may push workers toward collective action. For example, in April 2008, 20,000 Vietnamese workers at a factory making shoes for Nike went on strike to demand increased wages to keep pace with inflation.24

Another issue is whether worker exploitation (e.g., wages below a reasonable min- imum, child labor, slave labor, unhealthful working conditions) exists in the offshore location or is practiced by the outsourcing vendor. Do such practices pose a threat to morale and reputation of the outsourcing organization?25

As we examine years of outsourcing experience, it is not uncommon for those work- forces originally involved in lower-skill call-center positions to acquire experiences and skills over time which should lead to better paying and more challenging positions. However, if those more challenging positions don’t materialize in an outsourcing lo- cation, the workforce can become disillusioned and migrate to another environment where the potential to advance both career and salary are possible.

68.3.12 Intellectual Property Risks. Outsourcing can and does include work which itself contains corporate intellectual property. By exposing intellectual property

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 18 OUTSOURCING AND SECURITY

to the outsourcer, that intellectual property can be easily copied and stolen. The U.S.- China Business Council noted,

According to the release, six product areas are eligible for National Indigenous Innovation Product accreditation: computing and application hardware, telecom hardware, modern office equipment, software, new-energy products, and highly efficient energy-reducing products. These are the same six product areas outlined in the Notice Regarding the Launch of the National Indigenous Innovation Product Accreditation Work for 2009 (Circular 618), which was released in November 2009 … .

Though the revised accreditation requirements are a step forward, several significant issues in China’s indigenous innovation policies remain. In particular, the notice does not address the use of the product list or its link to government procurement preferences. Moreover, the proposed changes to the National Indigenous Innovation Product qualification criteria do not clear up questions about the relationship between the national product list and the continued validity and use of provincial- and local-level product lists that have been compiled based on discriminatory accreditation criteria. Finally, though the accreditation criteria no longer mention import substitution as a policy goal, the notice apparently does not change the November circular’s application form, which asks whether an applicant’s product can substitute for imports.26

In 2012, commentators reported that,

It’s no secret that China has been pressing multinationals to transfer more technology for accessing its huge market. Beijing now is turning another screw in its localization bid: requiring Chinese to run local operations of some foreign businesses.

China in May ordered the Big Four auditors, Deloitte, PricewaterhouseCoopers, Ernst & Young, and KPMG, to have Chinese nationals manage their local units in three years … .

As part of its “indigenous innovation” drive, Beijing in 2010 ordered that the technology of foreign firms must be registered in China, developed in China and, in some cases, made in China … .

“We’re fighting enough ghosts in China trying to protect our IP without having to intention- ally share it,” said Thomas Moga, an attorney at Shook, Hady & Bacon’s Intellectual Property Section in Washington D.C … .

While many emerging markets impose local content rules, none boasts China’s economic weight. If Beijing continues to press, it could have a big impact on U.S. companies that rely on China for sales and manufacturing.27

Because foreign governments may have differing perspectives and practices around intellectual property, an assessment should be made of the financial consequences of losing control over intellectual property. A comparison of the size of the potential loss to the financial gains of outsourcing should be part of every outsourcing evaluation.

68.3.13 Additional Risks. Although the preceding lists may seem expansive, there are still many other fundamental and significant elements that must be part of any outsourcing decision-making process. Other complex and, in some cases, deeply fundamental considerations are:

� Loss of corporate expertise over tasks � Loss of direct control � Internal changes in corporate purpose (i.e., moving from a company of doers to a company that manages those who are doers)

� Overhead of ongoing contract management issues

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CONTROLLING THE RISKS 68 · 19

� Currency fluctuations negatively impacting either the outsourcing corporation or the outsourcer

� Outsourcing staff turnover/retention � Training (both failure to train, and failure to maintain training) � Visa policies and the immigration of outsourced, highly skilled personnel to countries with permissive immigration policies for skilled labor

� Corporate espionage either directly or indirectly at an outsourcer

Understanding all of the risks allows the prepared organization to knowingly accept, mitigate, transfer, or ignore risks associated with the outsourcing project.

68.4 CONTROLLING THE RISKS. Outsourcing is an area in which the motto “Security transcends technology”28 holds particularly true. Almost none of the threats to information itself, or information technology, is unique to an outsourced environ- ment, although perhaps some may grow more dangerous in far-removed or foreign locales. Outsourcing does involve some serious security issues, but most—at first glance—might appear indirect threats to information assurance.

68.4.1 Controls on What? Most of the security issues of outsourcing involve people, corporations, societies, and governments. Security controls to mitigate the risks of outsourcing have little to do with technology such as computers and a great deal to do with organizational behavior. Since contractors perform crucial tasks but often are geographically far removed from those ultimately accountable for the tasks, the policies, contracts, agreements, and trust relationships that the organization has set up in advance will dictate the success of the endeavor. In particular, the organi- zation’s information-technology security policy takes on a much more visible role. The technological controls involve the assurance of interpersonal notions like trust and accountability, and are perhaps overshadowed by concern with legal matters, site selec- tion, contractual obligations, politico-economics, and the impact of social networking and separation of duties.

68.4.2 Controlling Outsourcing Risk. Many of the risks described in Section 68.4 transcend the boundaries of individual risk types but are similar to other risk areas in the way they map to the six foundation elements of information security (the Parkerian Hexad).29 It seems appropriate, then, to couch the discussion of controls in terms of the security foundations. This section focuses on controls that mitigate, for instance, confidentiality concerns in outsourced environments, touching on how the controls might affect the risk classes differently. Since part of the scope of this chapter is the outsourcing of security functions, some of the controls mentioned do not immediately appear to relate to information assurance but may affect other success metrics.

68.4.3 Availability Controls. When resources are local, the primary source of problems that can lead to a loss of availability has to do with physical and logical infrastructure. When resources are remote, the infrastructure issues are still important, and can indeed be more problematic. A good example of this difference is the February 2007 trans-Pacific cable cut that made much of Asia inaccessible over the Internet.30

The farther the vendor from the home company, the more difficult and expensive it can be to acquire an alternate route for communications.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 20 OUTSOURCING AND SECURITY

On June 29, 2012,

…[L]ightning in Virginia took out part of Amazon’s cloud computing service, called Amazon Web Services, which hundreds of companies use for data storage and computation. Well- known sites like Netflix, Pinterest, and Instagram were not accessible for hours. There was little information for customers about what had happened, or even whether user data was safe.

The interruption underlined how businesses and consumers are increasingly exposed to unforeseen risks and wrenching disruptions as they increasingly embrace life in the cloud. It was also a big blow to what is probably the fastest-growing part of the media business, start-ups on the social Web that attract millions of users seemingly overnight … .

The weekend’s disruption happened after a lightning storm caused the power to fail at the Amazon Web Services center in Northern Virginia containing thousands of computer servers. For reasons Amazon was still unsure of on Sunday, the data center’s backup generator also failed … .

It was at least the second major failure for Amazon in that area. In April 2011, a problem in Amazon’s networking at a nearby data center took down a number of applications and popular Websites, including Reddit and Quora, for more than a day … .31

Mitigation of availability risk revolves around planning. Sound backup strategies and business continuity plans should already be in place for the organization; the outsourcing project should also have these plans, both for the vendor site and for the staff at the home organization responsible for vendor communications. Given the economic, political, and environmental concerns that could lead to total (and possibly permanent) unavailability of the outsourced site, a backup vendor should be in place for disasters. These kinds of controls would be appropriate for natural disasters, labor strikes, terrorism, and a variety of other risks to availability. With the advent of cloud computing and, when ideally implemented, the geographical diversity of cloud computing providers, business continuity can benefit from the cloud computing platform, provided there are redundancies of path and infrastructure. (For details of backups, business continuity planning, and disaster recovery, see Chapters 57, 58, and 59 in this Handbook.)

If the vendor is in a foreign country where laws and contracts are enforced differently (or not at all), a service-level agreement incorporated into disaster planning might turn out to be a hollow, unenforceable contract.32 Part of the evaluation of any outsourcing decision should be a visit to the site, including inspection of policy documents and physical tours of facilities. The organization needs to be sure that controls at the vendor site really do mirror the vendor’s policy and contract documents and that the controls are instantiated contractually in an official statement of work. For example, it is a fairly common practice in outsourcing call centers that call center employees may not bring into the call center USB drives, recording devices, and the like. Yet, it has been these authors’ first-hand experience that even in tightly controlled call centers, call-center employees routinely carry cell phones with gigabytes of memory and high-resolution cameras. Thus, not only is it important for controls to be contractually in place, but there must be the will and willingness on the part of the outsourcer to enforce the controls.

Beyond making sure that plans are in place against unavailability, the organization must be able to check up on the performance of the vendor. The agility required to switch to a backup vendor becomes much more possible with advance notice for at least some of the possible outages; however, this possibility must be evaluated with the knowledge that switching volumes or work between vendors is a complex task and should be field tested and validated on a regular basis. For instance, if the availability of a site relates to escalating economic problems causing workforce shortages, a periodic analysis of the regional news media, and of the vendor’s work performance, might give

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

CONTROLLING THE RISKS 68 · 21

hints of problems on the horizon. Automated checking is appropriate as well, especially to keep track of network resources when access traverses the public Internet. Ultimately, for both people and technology, mitigating the risks of outsourced availability comes down to planning and monitoring.

68.4.4 Utility Controls. The utility of information (and of remote resources) hinges mostly on communication—both format and process. Careful version control avoids incompatible data. Encryption recovery agents can avoid the loss of utility if a user forgets a decryption password, but national and international restrictions on encryption must be kept in mind when planning the use of encryption across national borders.33 These utility issues are common to any organization. With outsourcing, incompatible formats become more of a problem, especially with offshoring. If an application written in the United States uses ASCII encoding, but the vendor has applications that use Unicode, format issues can arise that need to be accounted for and solved. Although these problems may not become apparent immediately, planning for them must occur well in advance.

Human communication is also an issue with outsourcing. Even if the organization’s native language is spoken by employees in the outsource vendor’s site, it may not be their first language. Spoken communication (e.g., at a helpdesk) can suffer greatly if a technician’s accent is too difficult for employees and customers of the client organization to understand. Similarly, written documentation and regular reports can lead to misunderstandings if language skills are not adequate. Either of these situations becomes manageable through advance planning for workforce training and through onsite liaison from the home organization, especially early in the relationship.

Utility of information also hinges on the type of data and the location of the data. Some government entities around the world require that data particular to that gov- ernment or government constituents reside only within that country. Although the information may indeed be held within a specific country, there are additional con- siderations if those accessing the information are not within the country boundaries. Thus, the information may indeed be useful, but may not be useful to all based on their location.

68.4.5 Integrity and Authenticity Controls. The risk that the organiza- tion’s data might be changed unknowingly, or replaced with other data, hinges on trust. Any time crucial business functions are given to an outside entity, trust issues arise. The organization must understand how much information is being shared, and with whom. Role-based access control and the principle of least privilege are appropriate here: Based on its role of supporting a particular business function, what is the minimum amount of privilege the vendor needs to do its job? Nevertheless, to be an effective support organization, the vendor may need access to corporate information that could prove damaging if misused.

From the perspective of integrity and authenticity controls, the decision to outsource must be accompanied by a decision about levels of trust. This trust should include an analysis of the vendor’s history and reputation as well as a visual inspection of the site. The “trust infrastructure,” which would include access-control mechanisms as well as division of labor and delegation of responsibilities, must be designed by the organization. Importantly, the vendor must not be able to make changes in this structure. Changes to trust relationships must be driven by the organization.

Given fluctuation of economies, job markets, and international relations, the decision to trust the outsourced personnel and processes should not be a one-time event. Ongoing

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 22 OUTSOURCING AND SECURITY

monitoring could reveal occasional lapses that might grow into bigger problems. How easy is it for the home organization to check up on the integrity and authenticity of data? Where are logs kept? Are backup copies of the logs (or the originals) sent to the home organization? What about change tracking on servers? How do technical personnel troubleshoot deeply technical issues that require access to protected information? Are all accesses of protected information logged and audited? What happens to protected customer information used in troubleshooting after it is no longer needed? Each of these questions should be addressed, and the answers should be written into the contractual language.

68.4.6 Confidentiality and Possession Controls. Merely making the de- cision to outsource partially compromises the confidentiality and possession of corpo- rate information, just as the strength of a secret is decreased as soon as it is shared—even with a trusted confidante. The home organization must decide whether the loss of confi- dentiality and possession is balanced by the benefits of outsourcing. Within the United States, and in many countries with strong legal systems, laws protecting physical and intellectual property can help support this decision. The penalties enforced by the legal system serve as a deterrent to thieves and also serve to compensate damages in the event of a successful compromise. In countries where laws protecting intel- lectual property are weak (or absent), or where the rule of law is nominal or absent, this level of deterrent and compensation is not available, and the balance of risk shifts.

In June 2006, an employee at the HSBC bank call center in Bangalore, India, was arrested and charged with hacking into the bank’s computers, breaching confidentiality agreements and privacy laws, and helping to steal £233,000. The accused was discov- ered to have been hired on the basis of forged school transcripts. According to news reports, the only criterion for hiring personnel into that call center was English-language skills.34

In the absence of strong legal backing, the organization can replace some of the deterrent normally provided by laws with language in the contract linking contractual compliance with payments and ongoing business relationships. The vendor should be required to meet security expectations, and the contract should specifically state that parts of the agreement (or the entire agreement) might be voided if security proves inadequate. Coupled with ongoing monitoring to catch problems before they become habitual or endemic, contractually tying security performance to the future of the relationship might prevent a damaging, large-scale loss of confidentiality or possession. And, although this kind of contractual language might not help in a foreign court, it should help protect the organization if the vendor manages to bring suit against the organization in the organization’s home jurisdiction.

Outsourcing contracts should as well include specific requirements on the use of per- sonal, portable electronic devices (smart phones, tablets, laptops, cameras) all of which are capable of independent data connections outside the purview of an outsourcer’s technical infrastructure.

Additionally, rules regarding data exposure through social and professional net- working sites should be written into outsourcing contracts. The personal use of sites such as Facebook or LinkedIn and the types of information that can be exposed by outsourced employees should be carefully considered as part of confidentiality and possession considerations in outsourcing contracts.

There are laws in the United States and other countries where governments may have access to confidential information when appropriate. Consider, for example,

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

OUTSOURCING SECURITY FUNCTIONS 68 · 23

cloud-computing outsourcers operating with a global footprint and managing data for a European company, in a European data center, yet managing the data center in the United States using U.S. employees. In those situations, the European companies may not understand U.S. laws; because they are used to the stricter privacy controls defined by the European Privacy Directive, they may think that the U.S. Government could have easy access to European corporate data because of U.S. laws. Similar issues arise for U.S. corporations with respect to other nations. The outsourcing provider and the outsourcing client must clearly delineate the impact of local laws the countries involved in the business relationships.

68.4.7 Making the Best of Outsourcing. Controlling the risks of outsourc- ing any function involves planning and careful implementation, primarily focused on trust and monitoring. The advice to trust, but verify applies particularly to outsourcing situations, in which a vendor necessarily gains at least some level of access to the organization’s internal information and systems. Planning for risks to availability re- quires adequate business continuity and disaster recovery planning. Training, liaison, and careful planning well in advance of the outsourcing move are required to mitigate risks to utility. Integrity and authenticity controls, as well as confidentiality and posses- sion controls, hinge on monitoring and enforcement, which can become problematic in different legal climates. Making contracts include business consequences for falling short of security requirements can help control the shortfalls of foreign jurisdictions. The ability to quickly recognize and contain evolving risk is key to long-term success in outsourcing.

68.5 OUTSOURCING SECURITY FUNCTIONS. Delegating security func- tions to an outside vendor can increase the quality of an organization’s overall security posture. This is done by leveraging the vendor’s security expertise and perspective, which presumably it has acquired by providing a number of in-depth services to a large number of organizations.

Despite the media attention surrounding the outsourcing of some IT security func- tions, the use of a contracted guard force by organizations has been a common practice for years. As mentioned in Section 68.1.3, this is an example of insourcing: the use of contract or noncompany employees to fulfill certain business functions within physical and logical corporate boundaries.

In the last few years, organizations such as financial institutions have been nearshoring complex and costly IT security functions. This work is challenging for any organization, as the goal is to guard production networks against a never-ending stream of continuously changing threats. Also, these security functions usually do not pass the core competency tests described in Section 68.2.2, meaning they are good candidates for outsourcing. A leading example would be 24-hour-per-day monitoring and management of firewalls and intrusion-detection systems.

A new twist on a mature outsourcing tactic is offshoring software testing for security vulnerabilities. Assuming the vendor has the necessary tools and talent, outsourcing this function appears to make sense for many of the same reasons that organizations outsource quality assurance testing for any software development project. Not only is it an opportunity to gain effectiveness, but the efficiencies (e.g., faster cycle time and lower cost) can be compelling as well.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 24 OUTSOURCING AND SECURITY

68.5.1 Who Outsources Security? A May 2013 report discussed the growth in security-outsourcing services:

Despite some tumult, IT security outsourcing has been growing slowly but steadily during the last three years, with 38% of organizations outsourcing at least some element of this function in 2012. This growth will likely continue. More than one-fifth of survey respondents expect their IT security outsourcing to increase in the next year. At the same time, our outsourcing study shows strong cost benefits and service benefits to security outsourcing. In fact, the percentage of organizations that find outsourcing improves service is very high at 94%, tied for first place among the 11 IT functions included in our survey.

Clearly, improving service is a strong factor motivating organizations to outsource their IT security functions. Why aren’t more enterprise organizations doing so? Organizations are taking a measured approach to outsourcing the function because it is critical to the enterprise. The highly competitive outsourcing landscape could also be sowing uncertainty. Outsourcing partners need to do a better job of demonstrating their usefulness before the outsourcing of this vital IT function gains wider traction.35

68.5.2 Why Do Organizations Outsource Security? According to Levine, the top two reasons why organizations outsource network security are as a strategy for dealing with staffing challenges (effectiveness) and a desire for financial savings (efficiency).36

68.5.2.1 Staffing Challenges. Getting the most value from a security staff is an enduring challenge. Not only must talented people be found and retained, but they must be deployed so as to gain the greatest benefits. The highest value work for a security team includes those tasks that must be done from deep within the business context, such as policy setting, architecture, design, and risk management. These tasks require in-depth knowledge of a business’s strategies, strengths, weaknesses, organizational structure, and culture. They are the core competencies of the corporate security team.

Given this situation, one of the best ongoing exercises a security officer or manager can perform to maximize the value of their team is to ask regularly, “Are my people exclusively working on tasks that cannot be delegated to anyone else?” Another way to ask this is, “Are my people doing any tasks that someone with less experience and organizational knowledge could perform at the same level of competency?”

Generally, such tasks are not mission-critical; they are infrastructure duties that support the key, distinguishing aspects of the organization’s mission.

An example of a situation that can benefit from outsourcing security is protecting the network in an organization with limited technical resources.

Protecting the organizational network is a demanding job. Securing network con- nected digital assets (i.e., information systems) requires robust defenses against ma- licious hackers, viruses, worms, spyware, keystroke loggers, and denial of service attacks, just to name a few specific online threats. It may be difficult or impossible to find and employ enough security staff members who are both effective and efficient at dealing with all these threats. As well, threats and risk don’t simplistically occur only during business hours. Maintaining adequate staff to manage and monitor 24 × 7 × 365 is both physically and financially challenging.

In addition, understanding and defending against the latest threats requires constant education of staff, proactive monitoring, maintenance, and patching of the organiza- tion’s network defenses. The capital expenditure for the care and feeding of specialized software and equipment can be very high.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

OUTSOURCING SECURITY FUNCTIONS 68 · 25

Due to the nature and rapid pace of the threats, and a chronic shortage of talented people, there is an ongoing need to replace security staff. This adds additional expense for contract workers, decreased productivity, and increased risk of mistakes. Keeping information assurance specialists around after you have trained them is not easy; other organizations want and need them too. Outsourcing offers one way to transfer the burden of staff training and retention to another organization.

Finally, security service providers offer competent handling of routine security activities (i.e., monitoring and maintenance of hardware and software), and they can prepare the many reports required to document compliance with corporate policies and outside regulations. With these tasks being taken care of by a vendor, organizations can focus their internal efforts and personnel on more critical, high-value IT security functions.

68.5.2.2 Financial Savings. Despite our admonition in Section 68.4.4 to avoid outsourcing as a primary means to achieve direct cost reduction, a managed security service provider (MSSP) can offer tremendous economic efficiencies. For example, full-time security monitoring can be outsourced for significant cost savings.

A substantial challenge for all but the largest organizations is monitoring IT security 24 hours per day, seven days a week. For financial institutions in particular, this level of monitoring has become the de facto standard of due care. But providing that kind of constant vigilance is nearly impossible for many small organizations, such as community banks.

To provide 24-hour-per-day coverage with internal staff, organizations have to hire at least three full-time professionals, but would likely require twice as many to prevent staff burnout and a high turnover rate over the long term. Having backup coverage in place would require even more employees.

Managing an average week of 24-hour-per-day monitoring and response takes a minimum of five fully trained people. To begin with, you need one person for each of the three 8-hour shifts during the week. For weekends, the most economical approach is to have one person for each of two 12-hour shifts. Realistically, due to sickness, vacation, holidays, training, and other demands on staff, there would need to be between 8 and 10 employees to provide reliable coverage. In addition, should an actual security event occur, with the minimal coverage model as described here, there simply will not be enough hands to manage and contain the event. Thus, the affected company may indeed appreciate the scope and impact of the event, but be quite limited in their response.

The economics of this situation are straightforward. In the United States, a nearshore vendor can be hired to manage a small organization’s firewalls, as well as run host intrusion detection and perimeter intrusion detection, for between US$25,000 and $50,000 a year.37 In contrast, any organization in the United States would likely spend at least six times that amount on salaries alone to perform those functions with minimal staff. It is common for a highly skilled, in-house security professional to be paid between US$70,000 and US$180,000 a year in salary alone.38 Add money for benefits (20 to 50 percent of base salary) as well as facilities, equipment, and other employment costs (80 to 150 percent of base salary), and the fully burdened cost for each employee can be almost two times what they are paid in direct salary.

At one of our organizations, the fully burdened cost of all employees is calculated every quarter by taking their direct salary and adding 184 percent.39 Using this formula, the fully burdened cost of a security professional paid US$100,000 a year in direct salary is US$284,000.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 26 OUTSOURCING AND SECURITY

68.5.2.3 Threat Intelligence and Additional Perspectives. An organi- zation is best positioned to make decisions regarding IT security when it has the freshest, most complete intelligence (information concerning an enemy or possible enemy40) about emerging threats.

However, the tremendous volume of threat data being released every day can over- whelm all but the largest organizations. Even national governments struggle to keep up, and they usually have dozens or hundreds of people dedicated to gathering and analyzing data. Beyond problems of volume, there is the question of scope: It is difficult to know how any given vulnerability will be applicable to a specific system, if at all. A software maker’s estimation of vulnerability severity is generic in nature; it may be more or less severe within the context of another organization. This is where an MSSP can really help.

MSSPs typically have the ability to gauge severity and spot trends based on what is happening to its other customers. One MSSP advertises that it

… process[es] over a billion security events every day across more than 7,000 devices, giving our security research group unprecedented internal and external threat visibility across the globe. Using this visibility, [this vendor] maps the latest vulnerabilities and real-world threats to your infrastructure, enabling your team to prevent attacks.41

In Section 68.3.11, “the loss of corporate expertise over tasks” was mentioned as one of the risks of outsourcing. If your organization takes advantage of an MSSP’s intelligence capability, and you have the opportunity and resources, a valuable provision in an outsourcing contract would be to transfer the vendor’s intelligence-gathering skills to one or more employees of your organization. However, vendors may view such knowledge as proprietary.

68.5.3 What Are the Risks of Outsourcing Security? Trust is at the heart of the question of outsourcing risks. Can you trust the vendor to whom you are outsourcing, and its employees? Internal employees cannot typically gain the kind of intimacy with these people that they can with each other. This is a barrier to the human desire and tendency to build trust with others through direct interaction and observation.

If trust is at the heart of outsourcing security, the remainder of the vital organs consists of competency, capability, scope, and the rapid adaptability of the outsourcer. Trust is of course key, but the ability of the outsourcer to remain cutting-edge relevant in the light-speed world of security threats must be present.

There are specific risks in outsourcing security functions. Total control of an organi- zation’s security should never be transferred to an outside vendor. Although it may be possible to delegate (i.e., outsource) some operational duties, most companies find that keeping control of critical functions is vital to a successful security program. Examples of critical functions include firewall administration, direct control over all administra- tive/root accounts, and direct control over security logging. However, depending on your ability to manage the risk to your organization, you may feel comfortable dele- gating any of these functions. At the end of the day, outsourcing IT security is a very personal decision.

Some specific risks for IT security outsourcing include:

� An intrusion-detection system (IDS) monitoring vendor is more profitable as the number of events it responds to decreases. If the vendor is also responsible for

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

OUTSOURCING SECURITY FUNCTIONS 68 · 27

tuning your IDS, will your vendor tune the devices to produce the least number of events regardless of the actual threat environment?

� How can you ensure that in a significant customer-wide event, your organization will not be ignored or placed at a lower priority by your vendor?

� Is the vendor paid by “event” rather than by alert? If the answer is yes, what safeguards are in place to monitor potential abuse?

� Where are the outside vendor’s personnel located: onshore, nearshore, offshore? Each would require specific contract language to accommodate language, cultural, and legal distinctions.

� Is the vendor vigilant about the background and expertise of its personnel? � Who is monitoring the activities and behavior of the vendor’s employees when they access your organization’s data?

� Some countries are known as hotbeds of corporate espionage. Do you have strong control of your source code to ensure that the vendor’s employees do not share the code with any other persons or entity?

� What are the vendor’s source country’s governmental policies on privacy and intellectual property?

� What is the vendor’s employee turnover rate? � What training takes place for each of the vendor’s employees? Is the training frequently updated and refreshed? Do existing employees have access to the training as needed?

� An IT security outsourcer obviously serves many customers. In the case of a large- scale event, where will your corporation rank in order of importance, urgency, and response? Will your IT security outsourcer first attend to their largest clients, and eventually get to your corporation?

68.5.4 How to Outsource Security Functions. Although not very different from outsourcing any business process, there are some unique aspects to outsourcing IT security functions. This section describes what is different and provides specific examples. We encourage you to consult with your contracting office or other reputable and knowledgeable sources for a more thorough treatment.

68.5.4.1 Where to Begin. As with any outsourced work, first gather your business requirements and use them to define the outcomes you expect the vendor to deliver. Normally, this information is delivered to the vendor as a statement of work (SOW). Include in your SOW only those functions that do not require intimate knowledge and experience of the specific, mission-critical functions of the organization. As discussed in Section 68.2, outsourcing should allow management to focus on its mission-critical functions; thus it is inappropriate to outsource functions that require great experience and insight in those areas.

The following discussion includes examples from a specific case study on outsourc- ing user-account management.

68.5.4.2 Brief Case Study, Part I. One author of this chapter recently dele- gated responsibility for resetting passwords and creating user accounts to an outside vendor. The business driver to delegate was the result of an analysis of effective- ness of his internal team: There was just too much work to do for the number of

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 28 OUTSOURCING AND SECURITY

employees authorized. In addition to asking whether a less experienced (i.e., less ex- pensive) team could accomplish certain tasks, the security team also considered the risks to the organization if the work were not done correctly.

In a team decision meeting, we determined that resetting passwords and creating accounts for nonadministrative users was of sufficiently low risk that we could delegate those tasks. In contrast, we determined that performing these tasks on administrative and service accounts was too risky to delegate, so we continued to do that work. The fact that the daily volume of administrative account work was relatively low compared to nonadministrative accounts helped justify keeping those tasks in house.

68.5.4.3 Determining Desired Outcomes. Whendefiningoutcomesforop- erational IT security tasks, focus on the urgency and severity levels of the responses. This is typically driven by the response times required by the organization.

68.5.4.4 Brief Case Study, Part II. Once we decided to delegate resetting passwords and creating user accounts, we then asked operational business leaders what responsiveness they required. Based on their input, we assigned password resets as severity level 1, requiring no more than four hours to complete on receipt of request. User account creation is severity level 2, requiring no more than one business day to complete on receipt of request.

68.5.4.5 Choose a Reliable Vendor. Once your SOW is complete, choose a reliable IT security vendor. Consider these points before you make your final decision42:

� Financial health (e.g., annual revenues, longevity) � Reliable infrastructure (e.g., state-of-the-art tools; disaster resistant) � Competent staff (e.g., sufficient experience; appropriate credentials; access to global intelligence; original training plans; ongoing refresher training)

� Satisfied customers (e.g., talk with MSSP references; ask what they like the least about the MSSP)

� Vendor independence (e.g., no hidden financial motives to sell you solutions that are not appropriate for your organization; third-party attestations of effectiveness)

� Appropriate service-level agreement (e.g., contains requirements, outcomes de- sired, response times, roles and responsibilities, and metrics)

� Legal safeguards (e.g., recourse for your organization in the event of vendor breach of contract; if offshored, the applicable laws in the host country that might prevail in a contractual issue, or in a government “nationalization” situation)

68.5.4.6 Service-Level Agreements. Once a reliable vendor is chosen, a strong, precise service-level agreement (SLA) is required. The SLA must specify outcomes desired, response times, roles and responsibilities, metrics, and other re- quirements. Ideally, the SLA should be written to remain relatively stable over time. Realistically, an SLA needs reliable provisions for change and conflict resolution because the requirements will change over time, no matter how much homework you do.

SLAs need to be realistic given both the scope of the SLA and the financial under- pinnings of the contract and statement of work. Demanding an SLA that could never be met, given contractually agreed-to staffing levels, would be useless.

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

OUTSOURCING SECURITY FUNCTIONS 68 · 29

68.5.4.7 Metrics. Include metrics in the SLA that will allow you to measure outcomes; install an independent monitoring system to validate reported metrics and to detect unauthorized behavior by vendor staff. Periodically (weekly at first, then monthly if performance warrants), review the metrics and activities with the vendor’s management to ensure that work performed matches the requirements of the SLA; adjust the SLA as necessary to drop metrics that are not useful and add new metrics that are.

It is key to select performance metrics with great care. Reviewing metrics snapshots on a daily basis is important, but even more important is the trends in metrics over time. Many security incidents are not a “big bang,” but instead are slowly expanding and growing “under the radar.” Having carefully considered metrics that allow a window into both the vendor’s adherence to the contract and a perspective of the health of the corporation are the ultimate goals.

68.5.4.8 Brief Case Study, Part III. We monitor the vendor response times for resetting passwords and creating user accounts by examining the time stamps in the vendor’s ticketing system correlated with the events written in the system logs. To ensure the vendor does not tamper with the system logs, we have many events immediately forwarded to a centralized logging server to which the vendor has no access.

68.5.4.9 Gaining Maximum Efficiency. Unless you have a good reason not to do so, allow the vendor to determine how it will deliver your desired outcomes. This gives the vendor the ability to determine how to achieve maximize efficiency. Of course, a vendor is inherently motivated to do this in order to be competitive and maximize profits. Be aware that this also means the vendor has incentives to cut corners, which could result in security incidents for you.

Be clear on expected results while still allowing the vendor the flexibility to deter- mine how they plan to deliver those results. However, you as the outsourcing corporation do have a responsibility as well to review and accept the final “how” the vendor will deliver to your result specifications.

68.5.4.10 How the Vendor Does the Work. Once the vendor has created its procedures, be sure to review and approve how the vendor will do the work. After all, security is based not just on what things you do but how you do them. The ultimate authority in the matter will be your organization’s information-security policy. Be careful, though, not to criticize vendors just because they do not do things the way your team would. Your priorities are to get the right outcomes with the least risk at an affordable price. Be very careful not to upset your priorities over nothing more than personal preferences.

68.5.4.11 Brief Case Study, Part IV. In outsourcing password resets and account creation, we allowed the vendor to devise its own procedures. In our case, it made sense to permit this level of freedom because the vendor had tools and know-how that our team did not. For instance, we did not have an incident ticketing system, and the vendor already had one up and running. This allowed the vendor to receive, log, and assign work more efficiently than we could.

However, after some time, one of the risks we noted in Section 68.6.3.10 reared its ugly head. We found that the vendor sometimes placed passwords in the ticketing

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 30 OUTSOURCING AND SECURITY

system because doing so saved time (it did not have to reset the passwords every time it went into an account) and allowed the ticket to be closed more quickly. Clearly, we were not as motivated by their profit motive as by preserving our security posture. This is why we regularly monitored the vendor’s ticketing system by having a console installed directly in our work area.

68.5.4.12 Holding the Vendor Accountable. Finally, be sure to include a strong penalty provision in your SLA to deter careless mistakes by the vendor. If your monitoring tools are effective, you will know about mistakes before the vendor does. Be thoughtful, though, because you do not want to deter the vendor from reporting those mistakes. The point of discussing a mistake should not be to punish as a first recourse, but to correct the vendor in the hope that it will grow in competence and become a better steward of your security work.

68.5.5 Controlling the Risk of Security Outsourcing. Organizations should consider their decision to outsource security in terms of their organization’s overall outsourcing strategy, and should determine if their organization has the skill sets and tools necessary to manage the outsourcing relationship. Also, they must re- alize that contract management skills will be the primary management tool, not IT management expertise.

Ongoing monitoring by the outsourcer will be required. Organizations cannot take for granted the presence and effectiveness of monitoring activity. Provisions must be made to ensure that organizations get the services they are paying for. Should the vendor fail to deliver the services, the organization should be prepared to perform the work once again, quickly and effectively. Once confidence in an IT security vendor has been lost, the vendor’s administrative access should be revoked as soon as possible.

Refer to Section 68.4 of this chapter, controlling the risks of IT outsourcing, for more advice.

68.6 CONCLUDING REMARKS. Outsourcing is a new term for an old concept: We humans have always liked to do what we are good at doing, relying on the skills of others to fill in the gaps in our competencies. We outsource tasks to concentrate on being more effective at our core skills, and we hope to become more efficient as a result. Types of outsourcing—insourcing, nearshoring, offshoring, cloud computing—differ based on how far from the parent organization the outsourcing vendor operates, but there are other much more significant differences when evaluating the risks of outsourcing.

Many organizations have saved significant amounts of money by outsourcing some functions both task and infrastructure. Hindsight, however, shows that many organi- zations that outsource solely to save money find themselves with significant problems caused by a lack of careful evaluation of outcomes and risks. Proper planning should include:

� Being clear about the purpose of the outsourcing � Avoiding the tendency to focus only on cost � Adequately understanding social culture � Accounting for differences in politics and economics � Analyzing potential problems in infrastructure and environment � Anticipating travel and labor issues

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 68 · 31

Any organization that looks at all these issues well in advance of an outsourcing decision stands a good chance to succeed, despite the potential pitfalls.

The keys to mitigating risks in any outsourcing project—careful planning and con- stant vigilance—are particularly applicable if security functions are the subject of an outsourcing decision. Depending on the security stance and regulatory environment of the home organization, some security functions may be able to be outsourced in a way that does not put the organization at unacceptable risk. In the end, the great care required to outsource security functions properly has the potential to improve security throughout the organization, and perhaps even make security easier to do well at a vendor site than at the home organization.

68.7 FURTHER READING Axelrod, C. W. Outsourcing Information Security. Artech House, 2004. Carmel, E., and P. Tjia. Offshoring Information Technology: Sourcing and Outsourcing

to a Global Workforce. Cambridge University Press, 2005. Cohen, L., and A. Young. Multisourcing: Moving Beyond Outsourcing to Achieve

Growth and Agility. Harvard Business School Press, 2005. Cooney, M. “Can You Trust China for Outsourcing?” Network World, May 29, 2006.

www.networkworld.com/columnists/2006/052906edit.html Cullen, S. Intelligent IT Outsourcing: Eight Building Blocks to Success. Butterworth-

Heineman, 2003. Dara, N. “Cyber Crime Comes of Age as Foreign Plugs Sell Secrets,” DNA India,

October 19, 2005; www.dnaindia.com/india/6411/report-cyber-crime-comes-of- age-as-foreign-plugs-sell-secrets

Grance, T., J. Hash, M. Steven, K. O’Neal, and N. Bartol. Guide to Information Technology Security Services. NIST Special Publication SP 800-35 (October 2003). http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf

Greaver, M. F. StrategicOutsourcing:AStructuredApproachtoOutsourcingDecisions and Initiatives. AMACOM, 1999.

Jansen, W., and T. Grance. Guidelines on Security and Privacy in Public Cloud Computing. NIST Special Publication SP 800-144 (December 2011). http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf

Kendrick, R. Outsourcing IT: A Governance Guide. IT Governance Publishing, 2009. Koulopoulos, T. M., and T. Roloff. Smartsourcing: Driving Innovation and Growth

Through Outsourcing. Platinum Press, 2006. Power, M. J., K. Desouza, and C. Bonifazi. The Outsourcing Handbook: How to

Implement a Successful Outsourcing Process. Kogan Page, 2006. Sood, R. IT, SoftwareandServices:OutsourcingandOffshoring. AiAiYo Books, 2005. Stees, J. Outsourcing Security: A Guide for Contracting Services. Butterworth-

Heineman, 1998. Vashistha, A. The Offshore Nation: Strategies for Success in Global Outsourcing and

Offshoring. McGraw-Hill, 2006.

68.8 NOTES 1. M. Cooney, “Outsourcing Bonanza 2006: 8 Outsourcing Trends You Need to

Know About,” Network World, December 13, 2006; www.networkworld.com/ news/2006/121306-outsourcing-trends.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 32 OUTSOURCING AND SECURITY

2. M. Cooney, “Government Agency Outsourcing Firms Don’t Respect Private Data, GAO Reports,” Network World, April 5, 2006; www.networkworld.com/ news/2006/040506-gao-outsourcing.html

3. Dan Twing, “10 Reasons Why Small Businesses Should Consider Out- sourcing,” Network World, July 5, 2006; www.networkworld.com/newsletters/ asp/2006/0703out1.html?page=1

4. T. L. Friedman, The World Is Flat: A Brief History of the Twenty-First Century (Farrar, Straus, and Giroux, 2006), 48–172.

5. Zaid Jilani, “Top ‘US’ Corporations Outsourced More Than 2.4 Million America Jobs Over The Last Decade,” Think Progress Economy, April 19, 2011, http://thinkprogress.org/economy/2011/04/19/159555/us-corporations- outsourced-americans/?mobile=nc

6. G. Hamel and C. K. Prahalad, “The Core Competence of the Corporation,” Harvard Business Review 68, No. 3 (May–June 1990): 79–93.

7. “Tempted by the Call of the East,” Mortgage Strategy (August 22, 2005), 3. 8. S. Thurm, “Behind Outsourcing: Promise and Pitfalls,” Wall Street Journal (Febru-

ary 27, 2007). 9. D. E. Levine, “Farming Out Network Security: Outsourcing Might Save You

Money If You Choose Your Provider with Care,” Security Technology & Design, May 2005, www.highbeam.com/doc/1G1-133132842.html

10. D. E. Levine, “Farming Out Network Security.” 11. Duke University/Archstone Consulting LLC Offshoring Research Network

2004 and 2005 surveys; Duke University/Booz Allen Hamilton Offshoring Research Network 2006 survey. As reported by Mary Brandel, “Offshoring Grows Up,” Computerworld, March 12, 2007, www.computerworld.com.au/ article/174894/offshoring grows up

12. D. Winkelman, D. Dole, L. Pinkard, J. Molloy, D. Willey, and M. Davids, “The Outsourcing Source Book,” Journal of Business Strategy 14, No. 3 (May–June 1993): 52.

13. P. Dixon, “The Future of Outsourcing—Impact on Jobs,” Global Change.com; www.globalchange.com/outsourcing.htm

14. P. Dixon, “The Future of Outsourcing.” 15. D. Twing, “Reviewing the Security Aspect of Outsourcing,” Network World Out-

sourcing Newsletter (September 7, 2005). 16. Chris Matyszczyk, “Modern Life Halted as Netflix, Pinterest, Instagram Go Down,”

C|Net, June 30, 2012, http://news.cnet.com/8301-17852 3-57464342-71/modern- life-halted-as-netflix-pinterest-instagram-go-down

17. Donna Howell, “Security, Outages Gray Areas for Cloud Computing,” Investor’s Business Daily (May 3, 2011), A5.

18. Alex Pham, “PlayStation Network Security Break Will Cost Sony Much More than Money,” Los Angeles Times, April 28, 2011, http://articles.latimes.com/2011/ apr/28/business/la-fi-0428-ct-sony-hack-20110428

19. K. Evans-Correia, “Outsourcing on Verge of Cultural Evolution,” SearchCIO.com, April 18, 2006, searchcio.techtarget.com/news/1179791/Outsourcing-on-verge- of-cultural-evolution

20. “Mumbai Blasts Should Not Affect Investments to India,” IDG News Service, July 12, 2006, www.itworld.com/Man/2701/071206mumbai/pfindex.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

NOTES 68 · 33

21. CNN Wire Staff, “Argentina, Spain at Odds over Oil Company Expropriation,” CNN, April 17, 2012, http://articles.cnn.com/2012-04-17/americas/world americas argentina-ypf-repsol 1 ypf-julio-de-vido-argentine-government? s= PM:AMERICAS

22. A. Sharma and M. Bahree, “Grinding Energy Shortage Takes Toll on India’s Growth,” Wall Street Journal (July 2, 2012), 1.

23. M. Cooney, “No Outsourcing Today: Strike Closes India’s Tech Center,” Net- work World, October 5, 2006; www.networkworld.com/news/2006/100506-strike- closes-india-tech-center.html

24. “20,000 Vietnamese Workers Go on Strike at Nike Contract Factory,” Associated Press, April 1, 2008, usatoday30.usatoday.com/money/industries/retail/2008-04- 01-vietname-nike-strike N.htm

25. A. Fallone, “Overview Child Laborers,” IHS Child Slave Labor News, 2005, http://ihscslnews.org/view article.php?id=54

26. The US–China Business Council, “China Proposes Partial Solution to Indigenous Innovation Issues; USCBC Seeks Member Comments,” USChina.org Website, April 12, 2010, https://www.uschina.org/public/documents/2010/04/indigenous- innovation-memo.html (URL inactive)

27. Doug Tsurruoka, “China Goes ‘Local’ On US Firms’ Units,” Investor’s Business Daily (July 2, 2012), 1, http://finance.yahoo.com/news/china-goes-local-u-firms- 222400546.html

28. (ISC)2, International Information Systems Security Certification Consortium: www.isc2.org

29. We owe a lot to Donn Parker for this new way to look at information as- surance. See Chapter 3 in this Handbook for his description of these security elements.

30. H. Timmons, “Cut Cable Disrupts Web and Phones in India and Middle East,” International Herald Tribune, January 31, 2008, www.nytimes.com/2008/01/31/ technology/31iht-net.4.9648965.html

31. Q. Hardy, “A Storm’s Disruption Is Felt in the Technology Cloud,” The New York Times, July 1, 2012, www.nytimes.com/2012/07/02/technology/amazons-cloud- service-is-disrupted-by-a-summer-storm.html

32. See, for example, A. Eunjung Cha, “New Law Gives Chinese Workers Power, Gives Businesses Nightmares,” Washington Post, April 14, 2008; www.wash ingtonpost.com/wp-dyn/content/article/2008/04/13/AR2008041302214.html

33. See, for example, J. Markoff, “Encryption Tool Rekindles Security Debate,” International Herald Tribune, May 21, 2006, www.nytimes.com/2006/05/21/ technology/21iht-privacy.html

34. K. V. Subramanya, “HSBC Scam: U.K. recipient of data is of Indian ori- gin,” The Hindu, June 30, 2006, www.hindu.com/2006/06/30/stories/200606 3002920700.htm

35. “IT Security Outsourcing Shows Steady Growth,”ComputerEconomics(2013-05), www.computereconomics.com/article.cfm?id=1831

36. Levine, “Farming Out Network Security.” 37. C. Costanzo, “Internet Security: Outsource or Go It Alone?” Community

Banker 14, no. 6 (June 2005), http://findarticles.com/p/articles/mi qa5344/is 200506/ai n21373311/pg 1

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .

68 · 34 OUTSOURCING AND SECURITY

38. “Information Security Officer Salaries,” Glassdoor.com, July 2013, www .glassdoor.com/Salaries/information-security-officer-salary-SRCH KO0,28.htm

39. This calculation was current in March 2007. The formula described and the 184 percent figure are the result of our consultation with the finance department at one of the authors’ employers. The name of the employer is being withheld to protect their confidentiality.

40. Merriam–Webster’s Collegiate Dictionary, 11th ed., 2004, p. 650. Also online at www.merriam-webster.com/dictionary/intelligence

41. Dell SecureWorks, “Threat Intelligence Service,” www.secureworks.com/services/ threat intelligence.html

42. J. Mears, “Is Security Ripe for Outsourcing?” Network World, August 23, 2004, www.networkworld.com/news/2004/082304outsecure.html

Bosworth, S., Kabay, M. E., & Whyne, E. (Eds.). (2014). Computer security handbook, set. Retrieved from http://ebookcentral.proquest.com Created from apus on 2018-03-11 21:33:03.

C o p yr

ig h t ©

2 0 1 4 . Jo

h n W

ile y

& S

o n s,

I n co

rp o ra

te d . A

ll ri g h ts

r e se

rv e d .