A Taxonomy of Loss

Article Index

Page 5 of 5

The Value Proposition

Does a detailed security policy for their computer systems add to the worth of an organization?

Can you operate in a connected world without one?

Naturally, it depends on the organization involved. The value of investing in the initial development of a security policy and the on-going costs of implementation and maintenance are determined by the requirements of the particular business.

We can identify different attitudes:

Approaches to security

Small businesses often have no internal network and use only dial-up internet access. They tend to ignore security, relying on personal trust and physical isolation of sensitive data.

Medium sized businesses with substantial internal networks may a permanent internet service and take basic steps to secure their systems. They generally lack the staff to implement or maintain a sophisticated security infrastructure.

Large businesses rely on detailed policies and procedures. Many systems support functions are outsourced to suppliers (with the conflict of interest which this implies). Although large businesses may have the resources to implement good security infrastructure, the complexity and bureaucracy of these environments can restrict the flexibility and responsiveness required to protect

Management Response

A proper computer systems security policy is part of the organizational infrastructure in the modern world and can be regarded as a type of insurance against the hostile denizens of the internet.

Active management support is essential for any computer systems security policy to be effective.

An appropriate management response to computer systems security concerns includes:

  • Recognize the value to the organization of reliable information systems, both internally and externally;
  • Create a security policy which is appropriate for your organization;
  • Ensure that sufficient resources are available to implement the policy;
  • Follow through on the implementation with regular review and update;

The Wrong Response

Don’t be like this:

The 7 Top Management Errors that Lead to Computer Security Vulnerabilities.

As determined by the 1,850 computer security experts and managers meeting at the SANS99 and Federal Computer Security Conferences held in Baltimore May 7-14, 1999 [SANS]

1.  Assign untrained people to maintain security and provide neither the training nor the time to make it possible to do the job.

2.  Fail to understand the relationship of information security to the business problem – management understand physical security but do not see the consequences of poor information security.

3.  Fail to deal with the operational aspects of security: make a few fixes and then not allow the follow through necessary to ensure the problems stay fixed.

4.  Rely primarily on a firewall.

5.  Fail to realize how much their information and organizational reputations are worth.

6.  Authorize reactive, short-term fixes so problems re-emerge rapidly.

7.  Pretend the problem will go away if it is ignored.

Conclusions

A computer systems security policy must address the organizational value of systems, not just the financial value of the assets themselves.

Adopting a structured approach to security policies can assist in:

  • Identifying all the area of potential exposure and the possible methods of addressing these;
  • Identifying those groups within the organization with an interest in the operation of the computer system;
  • Contributing to an environment which understands the organizational value of computer systems and the need to maintain security procedures.

No computer systems security policy, no matter how detailed and complete, can protect against all present and future threats. However, an appropriately detailed policy, supported by user training and regular review can substantially reduce the level of exposure.

"Defence in depth, and overkill paranoia, are your friends." - Bennett Todd, Mordor.net.

References

[1] Lemmings don’t actually throw themselves off cliffs. Populations of the Norway lemming (lemmus lemmus) occasionally migrate in search of food, easily crossing rivers and streams. Mass drownings can result from attempts to cross seas. This blind and sometimes self-destructive herd instinct is perhaps a more appropriate analogy for the internet age.

[Attrition] Web defacement statistics www.attrition.org (possibly no longer current)

[CERT] Computer Emergency Response Team www.cert.org

[FBI] CyberCrime congressional statement www.fbi.gov/pressrm/congress/congress00/cyber032800.htm

[FCA] Fred Cohen & Associates www.all.net

[Netcraft] Web host survey www.netcraft.com/survey

[Robert Graham] Intrusion Detection FAQ www.robertgraham.com/pubs

[SANS] SANS Institute Online www.sans.org/newlook/home.htm

[W3C] World Wide Web Consortium www.w3.org/Security/Faq

 

Search Tags

software  analysis  documentation  programming  testing  process  implementation  email  website  joomla  wireless  open source  owncloud  audit  security  moodle  psychology  browser  office  vba

Features Articles

Beyond the Blackboard

Considerations when designing or specifying an on‑line learning environment.

For many organisations, the provision of training to staff and customer represents a significant cost. As the processing power and network bandwidth available to desktop PCs increases, the performance and features of on‑line learning systems have improved to the point where the delivery of training via a computer has become a viable option.

While on‑line learning is not an appropriate solution for all training needs, it does provide an effective training delivery mechanism in the right circumstances.

This article discusses some of the issues involved in creating an on‑line learning environment, viewed from the perspective of the different interest groups involved. The information and concepts shown here are not definitive; you should carefully consider your own specific requirements before implementing any computer system.

Network Security

External Network Scanning

One of the core mechanisms for protecting networks is to install a firewall to mediate traffic between systems on the internal network, publicly accessible systems is a DMZ (from the military term demilitarised zone) and the internet.

Open Source

You shouldn't be using open source software because it's cheaper (although it is), you should be using it because of its features and flexibility and the fact that it doesn't lock you in to restrictive license agreements.

A Taxonomy of Loss

The widespread commercial use of the internet has led to an increasing focus on systems security. Media driven hype and a lack of independent information can make the true level of threat to an organization difficult to determine. Adopting a structured approach to the analysis of computer system security risks and allows an organization to more effectively balance their operational requirements against the potential for loss, whether that loss involves physical equipment, information or reputation.

This article discusses the components of a computer system, the types of attack to which they are exposed, some typical defence mechanisms and some weaknesses in the standard defences. The information and concepts shown can form a starting point for the development of suitable security and operational strategies to assist organizations to obtain the maximum value from their investments in computer systems.

Documentation

It might be the last thing you want to read, but not having a well documented IT infrastructure (servers and networks) can lead to surprising events like critical systems running on unsupported servers.

Documentation must not only be accurate at the time it was created it should also meet these additional criteria:

  • Available The people who need the information must be able to get at it.
  • Editable Any documentation in the IT industry is quickly out of date, so it is essential that information is able to be correctly updated as soon as a change is required. Ideally the client or end-user should be able to do this, rather than waiting on the 'approved editor'.
  • Current 'Out of date' is just a nice way of saying 'wrong'. The date on which the underlying information was updated should be shown on any reports either printed or viewed online.

Online surveys

How do you know what your customers want? Perhaps you should ask them.

Surveying your internal or external customers gives you hard information on which to base decisions about product development, marketing campaigns, resourcing or any other area where you organisation or department interacts with another group (which means in nearly everything you do).

Latest blog posts

"I don't know the key to success, but the key to failure is to try to please everyone."
Bill Cosby

IP:18.117.107.90

FacebookTwitterLinkedinRSS Feed

Hosted at Panthur web hosting.

© Dropbear Consulting Pty Limited
Privacy policy