Strategic Information Security
eBook - ePub
  1. 240 pages
  2. English
About this book

The new emphasis on physical security resulting from the terrorist threat has forced many information security professionals to struggle to maintain their organization's focus on protecting information assets. In order to command attention, they need to emphasize the broader role of information security in the strategy of their companies. Until now

Yes, you can access Strategic Information Security by John Wylder in PDF and/or ePUB format, as well as other popular books in Business & Business General. We have over one million books available in our catalogue for you to explore.

Chapter 1
Introduction to Strategic Information Security

What Does It Mean to Be Strategic?

Recent events have led information security to gain greater importance as part of every business’ risk management strategy. Most businesses today have at least a rudimentary security program in place, and many programs are evolving and growing in maturity. As these programs have grown, so has the need to move beyond the viewpoint that security is just a technical issue. Business is moving to a more mature position in which security is integrated into the very fabric of the company. In doing so, information security programs need to move from tactical implementations of technology to strategic partnership with the business.
What does it mean to say that security is “strategic?” How is this different from a strategy for an information security program? This book is aimed at answering these questions and will discuss major issues that affect both the security professional and the business person. There are other sources and material that address in greater depth the technical issues and solutions facing security professionals. Those books are important parts of their libraries and are complementary in nature to the information in this book. Rather than just repeat that material, this book takes a fresh view of the information security world. These issues are viewed here primarily as a business problem and secondarily as a technical one. The goal is to bring together the interests of the business side of a company with those of the security professional and form a complete view of the problems as well as their potential solutions.
While there has been progress in information security, many companies today have not made the commitment to develop a complete information security program. Other companies have begun the process of creating security programs but have not integrated them into the rest of their businesses. Some businesses are trying to find the right reporting structure for security, looking at it as either an information technology function or a control function. All these issues point to an area that is still evolving when compared with more established roles such as auditing and finance. One of the other goals of this book is to educate the executive manager on the need to move his program along in its evolution and find ways to make it a core business function like those other areas.
Some companies, though, have taken an enlightened view of security. They believe that to be successful, they must demonstrate to their customers that security and the protection of information assets are core business functions. Those are companies with strategic information security programs.
One of those companies is Choicepoint, an Atlanta-based firm where information is the product. Choicepoint was created through spinning off a division of Equifax, the credit bureau company, in 1997. Choicepoint performs a variety of services (for example, employment verification) that make use of its extensive database of personal information. The mission statement of Choicepoint is one of the most comprehensive statements of the objectives of a sound information security strategy that can be found anywhere. The company’s goal is “to be the most admired information company worldwide” by:
  • Being the most valuable corporation in our industry
  • Being one of the best places to work
  • Being a demonstrated leader in social contribution
  • Being a leader in the responsible use of information
Choicepoint builds on this theme in its vision statement:
We strive to create a safer and more secure society through the responsible use of information.
The mission and vision show that, to Choicepoint, information protection is part of its corporate strategy and is not an added task. Securing information and protecting it is strategic to who Choicepoint is and what it does. At Choicepoint, according to James Lee, Chief Marketing Officer, this means security starts with embedding the ideals of information protection into the culture of the corporation. When an employee is hired, he is told from the start that information protection is his personal responsibility. Prior to their first day on the job new hires are given training in orientation classes on information security, and the culture of information protection is part of working at Choicepoint. Information security and protection is not something people do in addition to their work, it is their work.
Microsoft Corporation has long been a target in industry for failing to fully embrace the principles of information security and assurance. Many articles have been published that take Microsoft to task for failing in its duties to the public and its customers by not making security a priority. Recently, with its Trustworthy Computing Initiative, Microsoft has begun to send the message that they “get it” and security will now be part of its corporate culture. In a white paper on trustworthy computing, Microsoft defines this as follows:
Secure by design, secure by default, secure in deployment*
Bill Gates, chairman of Microsoft, wrote a memo addressing the issue of security. His letter appears on Microsoft’s Web site (www.microsoft.com) and makes good reading for anyone interested in what it means to make security strategic. Many companies think that all it takes is a letter from the chairman for security to be claimed as a core value. Support from the executive office is where making security strategic starts, but in his letter Gates does more. He shows a road map for the journey it will take to make Microsoft products secure. His letter shows that as a business, Microsoft understands that this goal is important and that it cannot be achieved without the cooperation of everyone in the company.
While it remains to be seen how Microsoft will do in fulfilling this promise, the letter from Gates and its description of trustworthy computing are some of the best summations of what it means to have a strategic view of security. Secure by design means that security is not an afterthought in the design process; instead, it is one of the requirements that designers use when starting a project. Secure by default means that a system comes with the security options turned on by default instead of set in the off position. Secure in deployment means that products will be shipped and ready to use in a way that will not compromise the security of the end user or other products. Those are big goals and worthy of any company wanting to achieve a world-class rating as a good business partner.
Not every company will have the same view of information that Choicepoint and Microsoft now have, but all companies can come to understand that information protection is critical to their success in today’s world. Companies now work in a global, interconnected market and that makes the need to understand the power of information and the means to safeguard that information more important than ever.
The goal of protecting information and being a secure partner will not be one that can be achieved overnight. It will take a commitment of financial resources as well as a commitment of spirit. This starts with a thorough understanding of the problem and the risks a business faces. Once that level of understanding is achieved, then the correct steps can be taken to mitigate those risks. The final step in the journey is to measure the success of the security program and monitor it to ensure that it continues to function at the desired level. This book traces that effort and helps provide a road map for success.

Information Security Defined

In the broadest definition, an information security program is a plan to mitigate risks associated with the processing of information. The security profession has defined the basics of security as three elements:
  1. Confidentiality: The prevention of unauthorized use or disclosure of information. Privacy is a closely related topic that has lately been getting more and more visibility.
  2. Integrity: Ensuring that information is accurate, complete, and has not been modified by unauthorized users or processes.
  3. Availability: Ensuring that users have timely and reliable access to their information assets.
These three elements—CIA—are the basics around which all security programs are developed. The three concepts are linked together in the idea of information protection. The idea that information is an asset that requires protection, just like any other asset of the business, is fundamental to understanding these concepts.
There has been a good deal of discussion among security professionals about updating this model and replacing the word “availability” with “authenticity.” The idea behind these discussions is that availability is part of a separate discipline, business continuity planning, and that information security should stand alone as a distinct role. The security profession in general has stayed with the current definition. The concept of availability is a cornerstone of the profession to most people, as it addresses issues such as recovery from all types of incidents, not just disasters. Protecting information and information technology and making it available remains an accepted part of the security profession.

The Security Professional’s View of Information Security

A broader view of what makes up the three elements of confidentiality, integrity, and availability can be found in looking at the ten domains of information security that make up the Common Body of Knowledge (CBK) maintained by the International Information Systems Security Certification Consortium (ISC2). The domains that make up the CBK further define the elements that make up CIA and help the business person and security professional understand the depth of the issues that guide the development of an effective information security program. The ten domains are:
  1. Access control systems and methodology: These are the core application systems that people think of when discussing information security. This area addresses the use of information systems and how to manage and restrict access to a system or application.
  2. Telecommunications and network security: This is similar to the first domain but addresses issues regarding transmission of information and the transport mechanisms regarding networks and connectivity.
  3. Security management practices: This domain addresses policies and management practices, including risk management.
  4. Applications and systems development security: This domain deals with the system development life cycle (SDLC) and data management from an information security perspective.
  5. Cryptography: Covered in this domain are the principles and methods used to protect information through the use of codes and secrecy.
  6. Security architecture and models: As the name indicates, this domain has to do with the design and architecture of computers and networks and how to protect them.
  7. Operations security: This domain addresses the controls involved in the operation of a data center, and the management issues resulting from applications as they are used in a business environment.
  8. Business continuity planning (BCP) and disaster recovery planning (DRP): This domain covers the policies and procedures needed to ensure that a business protects information resources from the effects of system failures and outages.
  9. Laws, investigations, and ethics: This domain covers the legal and ethical issues for business.
  10. Physical security: This domain covers the physical security measures that are involved in protecting the assets of the company.
Security as described by the information security profession takes on a decidedly technical look. Security professionals tend to be more comfortable looking at their problems from a highly technical perspective. For example, if a business wants to connect to the Internet to communicate using e-mail, the business person might assume that this is now a commonplace process that requires little thought to implement. The security professional, though, will want to discuss the e-mail system and any filtering rules on e-mail, and how the network itself is to be protected. If the company wants to move financial information across the same network, the security professional will bring up additional issues regarding the protection of confidentiality and the integrity of the message. The business person will tend to assume that the answers to these issues are simple and that they do not affect the business drivers, but the security professional believes that the opposite is true.
These two viewpoints can be a source of friction in a business. It is important to resolve these potential conflicts quickly and move forward with a joint view of the importance of securing information and developing a sound information security program. One approach to resolving the conflict between business and security is to develop an information assurance program. In Building a Global Information Assurance Program,* Curtis and Campbell describe in detail what this means and what it takes for a business to fully develop an effective information protection program. Their proposal is essentially a life cycle approach, instead of the simpler patchwork program that many technical people are comfortable pursuing.
The technical view of security focuses on solutions, product features, and implementation issues. Following are some of the questions asked by the security professional in this area:
  • Do we encrypt the message?
  • Do we use strong authentication or a simple user ID and PIN?
  • How should the network connect to outsiders? Should we build a separate network for the Internet, or should we connect our existing one using firewalls?
To the security professional these are important questions that require in-depth knowledge of the issues. The security professional wants to make the right decision because he understands the consequences of making the wrong one.
Most business people, though, are not as interested in how their information assets are protected. They want to ensure that the protection is cost-effective and takes into account business issues such as productivity and ease of use. The goals of the business person cannot be ignored, as he is the one who has to pay for security either in the form of product pricing or by explaining to a business partner that the added steps in a process are adding value to the product.

The Business View of Information Security

The CIA triad is one that most business managers can appreciate. With the recent explosive growth in privacy legislation, the confidentiality component gets a lot of interest today. Privacy to some business executives has become the core issue, sparking their interest in information security. In some cases this is reinforced by legislation and regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Those two acts have made accountability for protecting privacy a major issue for executives. These are not the only issues, though, facing the executive.
The business executive adds in additional components to security, such as cost-effectiveness and ease of use, that often do not appear directly in the information security view of the problem. Risk to the business manager is not a binary “yes” or “no” process; it requires an understanding of the cost of protection, and a review of what alternatives exist and how to determine which is the best one to use. This is also a part of the evolution of the information security profession. Integrating the business view with the technical view is essential to moving security to a strategic role.
The business executive approaches issues such as those surrounding information security from the standpoint of risk management. Most executives are familiar with the principles of identifying risks, looking at risk mitigation strategies, and choosing the cost-effective approach to risk minimization. This is true whether we are talking about financial risks, investment risk, or product risk; in each case the business executive takes a standard approach to risk management. First comes an assessment phase. During this phase all relevant information is gathered regarding potential risks, outcomes, and probabilities of their occurrence. The next step is to prioritize those risks and addres...

Table of contents

  1. Cover Page
  2. Title Page
  3. Copyright Page
  4. Preface
  5. Chapter 1: Introduction to Strategic Information Security
  6. Section I: Organizational Issues
  7. Section II: Risk Management Topics
  8. Section III: Information Security Principles and Practices