A Taxonomy of Loss
The Value Proposition
Does a detailed security policy for their computer systems add to the worth of an organization?
Can you operate in a connected world without one?
Naturally, it depends on the organization involved. Whether the initial development of a security policy, and the ongoing cost of implementing and maintaining it, are worth the investment is determined by the requirements of the particular business.
We can identify different attitudes:
Approaches to security
Small businesses often have no internal network and use only dial-up internet access. They tend to ignore security, relying on personal trust and physical isolation of sensitive data.
Medium-sized businesses with substantial internal networks may have a permanent internet connection and take basic steps to secure their systems. They generally lack the staff to implement or maintain a sophisticated security infrastructure.
Large businesses rely on detailed policies and procedures. Many systems-support functions are outsourced to suppliers (with the conflict of interest this implies). Although large businesses may have the resources to implement a good security infrastructure, the complexity and bureaucracy of these environments can restrict the flexibility and responsiveness required to protect
A proper computer systems security policy is part of the organizational infrastructure in the modern world and can be regarded as a type of insurance against the hostile denizens of the internet.
Active management support is essential for any computer systems security policy to be effective.
An appropriate management response to computer systems security concerns includes:
- Recognize the value to the organization of reliable information systems, both internally and externally;
- Create a security policy which is appropriate for your organization;
- Ensure that sufficient resources are available to implement the policy;
- Follow through on the implementation with regular review and update.
The Wrong Response
Don’t be like this:
The 7 Top Management Errors that Lead to Computer Security Vulnerabilities.
As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999 [SANS]
1. Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.
2. Fail to understand the relationship of information security to the business problem – management understand physical security but do not see the consequences of poor information security.
3. Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.
4. Rely primarily on a firewall.
5. Fail to realize how much their information and organizational reputations are worth.
6. Authorize reactive, short-term fixes so problems re-emerge rapidly.
7. Pretend the problem will go away if it is ignored.
A computer systems security policy must address the organizational value of systems, not just the financial value of the assets themselves.
Adopting a structured approach to security policies can assist in:
- Identifying all the areas of potential exposure and the possible methods of addressing them;
- Identifying those groups within the organization with an interest in the operation of the computer system;
- Contributing to an environment which understands the organizational value of computer systems and the need to maintain security procedures.
No computer systems security policy, no matter how detailed and complete, can protect against all present and future threats. However, an appropriately detailed policy, supported by user training and regular review, can substantially reduce the level of exposure.
"Defence in depth, and overkill paranoia, are your friends." - Bennett Todd, Mordor.net.
Lemmings don't actually throw themselves off cliffs. Populations of the Norway lemming (Lemmus lemmus) occasionally migrate in search of food, easily crossing rivers and streams. Mass drownings can result from attempts to cross seas. This blind and sometimes self-destructive herd instinct is perhaps a more appropriate analogy for the internet age.
[Attrition] Web defacement statistics, www.attrition.org (possibly no longer current)
[CERT] Computer Emergency Response Team, www.cert.org
[FBI] CyberCrime congressional statement, www.fbi.gov/pressrm/congress/congress00/cyber032800.htm
[FCA] Fred Cohen & Associates, www.all.net
[Netcraft] Web host survey, www.netcraft.com/survey
[Robert Graham] Intrusion Detection FAQ, www.robertgraham.com/pubs
[SANS] SANS Institute Online, www.sans.org/newlook/home.htm
[W3C] World Wide Web Consortium Security FAQ, www.w3.org/Security/Faq