Chapter 4 An Affirmative Model of Defense: Digital Liability Management


Dec 26, 2015


Oliver Ward
Page 1: Chapter 4 An Affirmative Model of Defense: Digital Liability Management.

Chapter 4

An Affirmative Model of Defense: Digital Liability Management

Page 2

Introduction

This chapter discusses the four defensive tiers of the digital liability management (DLM) model

They are:

Senior management support

Acceptable-use policies

Secure use procedures, and

Technology tools

Page 3

Not Being Met: The Information Security Challenge

Information security strategies that are technology-centric or policy-centric will fail

Technology-centric strategies are weak without strong policies and practices

Policy-centric strategies are ineffective without technology to monitor and enforce them

A comprehensive, multifaceted approach with senior management support, policy, process, and technology is necessary

Page 4

Hallmarks of Proper Execution

The following hallmarks are needed for the proper execution of security initiatives:

A clear and powerful mandate from the senior leaders of the organization

Communication and adoption of the strategic vision from senior management throughout every level of the organization

A commitment to continuous two-way communication about policy and procedures

An ongoing commitment to training employees about policies, practices, and procedures

A system that monitors compliance with security practices

Prudent investment in technology to implement and enforce best practices

Page 5

The Risk and Reward of New Initiatives

A survey in InformationWeek of 8,100 technology and security professionals found that 18% report intrusions to watchdogs such as CERT or government authorities, and

14% inform their business partners when there is a lapse in security

Read top of pg. 55 (note author)

Page 6

Higher Standards of Security

In 2001, subscriber data including credit card information was stolen from Ziff Davis’ magazine website

In August of 2002, the company paid $100,000 in state fines and $500 per lost credit card to the victims

Page 7

Why is Information Security Poorly Executed?

Management of digital assets and investment in information security are often misunderstood, underfinanced, and poorly executed

In a cost-conscious economy, one common mistake is the purchase of IT security defenses championed by IT staff as a rapid response to a well-publicized threat or intrusion

This approach has several problems (next page)

Page 8

Poorly Executed (2)

Shows little senior management

Has no specific economic justification

Requires little or no active participation from employees

Often gets defeated by faulty configuration of the tools, neglected maintenance, or a process failure

Such as failing to close out the network IDs of terminated employees

Page 9

The DLM Defense Model

The DLM model provides a four-tiered approach that raises the discipline from a technology tactic to the higher standard of a strategic business initiative

Again, the four tiers are:

Senior management commitment and support

Acceptable-use policies and other statements of practice (such as e-mail and Internet-use policies)

Secure use procedures

Hardware, software, and network security tools

Look at Fig. 4.1 on pg. 57: is this too much information? Is it a security risk?

Page 10

Tier 1: Senior Management Commitment and Support

Security Awareness Begins and Ends in the Boardroom

Cybersecurity was never a strictly technical issue that could be delegated to network administrators

If the issue does not find its way into the boardroom, the consequences most likely will.

Page 11

Tier 1 (2)

As U.S. security laws get tougher and compliance with privacy laws becomes more prevalent, there will be lawsuits alleging mismanagement, violation of security laws, or other wrongful acts

These violations may put corporations, directors, and officers at risk

See Fig. 4.2, pg. 58

Page 12

Overcoming Objections and Adversaries (pg. 58)

Security is Unpopular

We’ve discussed much of this (you read)

Look at the @Lert on this page (pg. 58).

Page 13

Security Requires a Strong Mediator to Resolve Conflicts

Good security can be expensive, and will often require funds that would otherwise go to projects with strong political support

The computer security administrator’s relationship with users and network administrators tends to be adversarial

Senior management needs to apply its influence proactively to decide the outcome of these power struggles

Page 14

Tier 2: Acceptable-Use Policies and Other Statements of Practice

AUPs define acceptable and unacceptable behavior

Two concerns of employers in designing effective AUPs:

Preventing system misuse, and

Avoiding exposure to subsequent liability

An AUP should define the responsibilities of every user by specifying acceptable and unacceptable actions and the consequences of noncompliance

E-mail, Internet, and computer AUPs should be thought of as extensions of other corporate policies, like those addressing equal opportunity, sexual harassment, etc.

They exist to protect the rights of the employees and limit the liability of the employer

Page 15

Stakeholders Involved in AUPs

HR managers, traditional stakeholders, managers, legal counsel, members of the IT staff, and those responsible for physical security

Also, accountants and auditors who are concerned with practices and policies pertaining to e-fraud should review AUPs

As with other HR policies, an AUP should require that every employee explicitly acknowledge in writing his or her understanding of and compliance with the policy

Page 16

AUPs Define Expectations and Demonstrate Due Diligence

The AUP defines what is expected of all employees when they use company computing devices, including PDAs, phones, voicemail, wireless, etc.

AUPs set employee expectations with regard to violation consequences and privacy

We’ll see example AUPs in chapter 6

Page 17

Maintenance and Teamwork

Information security must become a part of everyone’s job description, whether or not they use the computer

This helps to make staff more vigilant about possible security problems, which they then become more likely to report

Just having AUP policies is not enough; if they are deficient or obsolete, they put the organization at risk

Of 1,000 U.K. businesses, 27% had documented security policies; of those, though, 76% updated them annually and 31% updated them every six months

Page 18

Tier 3: Secure Use Policies

This is the transition from documents and policies to the actual day-to-day application of policy within the context of business operations

Covered more in chapter 7

Provides examples of practices to be encouraged, as well as those to be discouraged or totally prohibited

Much of this is focused on planning and organization

Page 19

Tier 3 (2)

Secure use procedures require a survey and evaluation of the digital assets at risk and estimates of the probability of loss

This discipline is fundamental to all types of risk management but is rarely practiced with intangible digital assets

Page 20

Tier 3 (3)

Because of this, the value of these assets and their replacements is often seriously underestimated and underinsured

Underestimated replacement costs make it difficult to justify large investments in the protection of these assets

The other main area is the preparation of an appropriate response to a major security event when it occurs

Reactions need to be immediate and properly targeted to limit exposure, damages, and legal liability

Page 21

Tier 4: Hardware, Software, and Network Security Tools

Putting everything in place

Discussed more in chapter 8

End of chapter

Review the discussion questions