Management’s Role in Information Security
V.T. Raja, Ph.D., Oregon State University

Discussion Questions
Identify some reasons why cyber attacks have been on the rise.
What is your opinion about government, academic institutions and industry collaborating to provide cyber security solutions?
What do you think should be management’s role in information security?
Imperative Need for Secure Communication
Reported Security Incidents up to 1995 (chart; source: CERT.ORG)
Reported Security Incidents 1995 – 2003 (chart)
What is Management’s role?
Management ties everything together (responsibility, ownership) across the three cornerstones: Technology, Infrastructure, Organization.
Security is a mindset, not a service. It must be a part of all decisions and implementations.
Why have cyber attacks been on the rise?
Worldwide diffusion of the Internet
–Adversaries of unknown origin and intent distributed worldwide:
–Hackers, virus writers
–Criminal groups, terrorists
–Disgruntled current or former employees
–Foreign intelligence services; information warfare by foreign militaries and governments
–Corporate espionage
Why have cyber attacks been on the rise?
Hacking tools readily available on the Internet (scores of hacker publications, bulletin boards and web sites dealing with “hacking tips”)
Extensive partnering network
–More difficult to define the boundaries of the IS
–Java applets enhance interaction with customers and suppliers
–This capability requires programs created by external entities to run on the organization’s machines
–Not possible to determine the full impact of each and every applet prior to running it
Why have cyber attacks been on the rise?
Lack of good security policy
–Lax attitude towards security: account of a dismissed employee not deleted after the employee has left the organization
–Protecting content during transmission, but not after transmission
–George Mason University
»Moved from SSN to SID – ID theft of 30,000 SSNs
–Bank of America (backup tapes lost)
–Intrusion detection logs not maintained
–Virus signature files/security patches not updated
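The first failure on this slide, an account that survives its owner's departure, is detectable by reconciling the account directory against HR termination records. The following is an added example, not part of the original slides; the record layout (an HR map of username to termination date, a directory list with an enabled flag and last logon) and the 90-day dormancy threshold are assumptions, and the records themselves are constructed sample data.

```python
"""Reconcile directory accounts against HR leavers to find orphaned, unowned
and dormant accounts. Added example; record formats are assumptions."""
from datetime import date, timedelta

# Constructed sample: HR record per username, termination date or None if employed
HR_RECORDS = {
    "alice": None,
    "bob": date(2004, 1, 15),
    "carol": date(2003, 11, 2),
    "dave": None,
}

# Constructed sample: directory accounts with enabled flag and last logon date
DIRECTORY_ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": date(2004, 2, 1)},
    {"user": "bob", "enabled": True, "last_logon": date(2004, 1, 20)},      # left, still active
    {"user": "carol", "enabled": False, "last_logon": date(2003, 10, 30)},  # correctly disabled
    {"user": "svc_backup", "enabled": True, "last_logon": date(2003, 6, 1)},  # no HR owner
    {"user": "dave", "enabled": True, "last_logon": date(2003, 9, 1)},      # employed but idle
]


def reconcile_accounts(accounts, hr_records, today, dormant_days=90):
    """Return a dict of findings, each a list of usernames.

    orphaned:           enabled account whose HR termination date is on or before today
    used_after_leaving: orphaned account that logged on after its termination date
    unowned:            enabled account with no HR record at all (needs a named owner)
    dormant:            enabled account with no logon within dormant_days
    Disabled accounts are skipped: the policy failure is an *active* leaver account.
    """
    findings = {"orphaned": [], "used_after_leaving": [], "unowned": [], "dormant": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        user = acct["user"]
        if user not in hr_records:
            findings["unowned"].append(user)
        else:
            term = hr_records[user]
            if term is not None and term <= today:
                findings["orphaned"].append(user)
                if acct["last_logon"] > term:
                    findings["used_after_leaving"].append(user)
        if today - acct["last_logon"] > timedelta(days=dormant_days):
            findings["dormant"].append(user)
    return findings


if __name__ == "__main__":
    for kind, users in reconcile_accounts(DIRECTORY_ACCOUNTS, HR_RECORDS, date(2004, 2, 15)).items():
        print(f"{kind}: {users}")
```

The logon-after-termination list is the one to act on first: it is evidence the account was actually used, not merely left enabled. Unowned accounts (service accounts with no HR record) are not necessarily wrong, but the check forces someone to name an owner for each.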
Why have cyber attacks been on the rise?
Organizational characteristics
–Lack of structure
–Business environment
–Culture
–Lack of Standard Operating Procedures
–Lack of Education, Training, and Awareness
–Lack of understanding/appreciation of technology
–Lack of leadership from senior management
Three Cornerstones: Technology
Have an understanding/appreciation of technology
–Firewalls
–IDS/IPS systems
–Antivirus/Security patches
–Symmetric and public key cryptography towards confidentiality, authentication, integrity and non-repudiation
–Secure servers
–VPNs
–Evaluation of potential technology acquisitions based on their impact on security
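The cryptography bullet maps primitives to four properties, and the distinction a manager should be able to state is which primitive gives which. The following is an added example, not part of the original slides, using only the Python standard library: a symmetric keystream cipher for confidentiality, an HMAC for integrity and authentication between two parties that share a key, and a digital signature for non-repudiation. The RSA here is textbook RSA with tiny constructed primes, chosen so the arithmetic is visible; the key sizes are illustrative only and the cipher construction is a toy.

```python
"""Which primitive gives which property. Added example; toy key sizes."""
import hashlib
import hmac


# --- Confidentiality: symmetric cipher (toy keystream built from SHA-256) ----
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key||nonce||counter into a keystream (toy construction)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def symmetric_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


symmetric_decrypt = symmetric_encrypt  # XOR with the same keystream is its own inverse


# --- Integrity + authentication: HMAC over a shared key -----------------------
def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # constant-time comparison; a tampered message or wrong key fails
    return hmac.compare_digest(mac(key, message), tag)


# --- Non-repudiation: signature with a private key only the signer holds -----
# Textbook RSA with constructed tiny primes (never use such sizes in practice).
P, Q, E = 1009, 1013, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent


def _hash_to_int(message: bytes) -> int:
    # hash first, then reduce mod N so the value fits the toy modulus
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d: int, message: bytes) -> int:
    return pow(_hash_to_int(message), private_d, N)


def verify(public_e: int, message: bytes, signature: int) -> bool:
    return pow(signature, public_e, N) == _hash_to_int(message)


if __name__ == "__main__":
    k, nonce = b"shared-secret-key", b"nonce-01"
    ct = symmetric_encrypt(k, nonce, b"payroll file")
    print("decrypts:", symmetric_decrypt(k, nonce, ct) == b"payroll file")
    tag = mac(k, b"transfer 100")
    print("tampered HMAC rejected:", not mac_verify(k, b"transfer 900", tag))
    sig = sign(D, b"approved")
    print("signature verifies:", verify(E, b"approved", sig))
```

The point the code makes about non-repudiation: anyone holding the HMAC key can produce a valid tag, so an HMAC cannot prove to a third party which of the two key holders sent a message. A signature is checked with the public exponent E but can only be produced with D, so the signer cannot later deny having signed.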
Three Cornerstones: Organization
Organizational characteristics, typically under the control of the organization
–Structure
–Business environment
–Culture
–Policies and responses
–Standard Operating Procedures
–Education, Training, and Awareness
Three Cornerstones: Critical Infrastructure
Infrastructure so vital that its damage or destruction would have a debilitating impact on the physical or economic security of the country
–Telecommunications
–Banking
–Energy
Why should government/academic institutions/industry collaborate?
In each other’s interest: CI in large part is owned by the private sector, used by both private and public sectors, and protected in large part by the public sector
Need to discuss problems and exchange ideas and solutions to cyber attacks/misuse
Resource/cost/information sharing
Opportunity to play a role in the evolution of “best practices”
Help shape legal and government policies in areas of mutual concern
Appropriate guidance for rapid additional protection measures
CERT
What does CERT do?
Management’s Role in Information Security
Total/perfect security is a myth
Critical asset identification
Initial risk assessment
Risk assessment as a continuous process
Creating a security team
Initiate and actively participate in planning/design/documentation/testing of the security policy
Initiate and actively participate in planning/design/documentation/testing of the recovery/response policy
Management’s Role in Information Security
Be actively involved in establishing standard operating procedures
Develop and maintain an appropriate organizational culture
Ensure employees are educated and trained regarding the importance of following the security policy
Have an understanding of what each security tool proposed by the IT team can and cannot do
Management’s Role in Information Security
Have a good control environment
–Physical controls
–Data/content controls
–Implementation controls (outsourcing)
–Operations/administrative controls
–Application controls specific to individual system components/applications (e.g., limiting attachments)
Management’s Role in Information Security
Recognize that security is a socio-technical issue
Recognize that security requires an end-to-end view of business processes
Achieve a balanced approach to security, one that does not solely focus on technological solutions
Recognize that security rests on three cornerstones