469 119 2MB
English Pages 286 [297] Year 2008
INFORMATION SECURITY POLICY, PROCESSES, AND PRACTICES
AdvancesinManagementInformationSystems AdvisoryBoard EricK.Clemons UniversityofPennsylvania ThomasH.Davenport AccentureInstituteforStrategicChange and BabsonCollege VarunGrover ClemsonUniversity RobertJ.Kauffman UniversityofMinnesota JayF.Nunamaker,Jr. UniversityofArizona AndrewB.Whinston UniversityofTexas
INFORMATION SECURITY POLICY, PROCESSES, AND PRACTICES
DETMAR W. STRAUB SEYMOUR GOODMAN RICHARD L. BASKERVILLE EDITORS
AM S ADVANCES IN MANAGEMENT I N F O R M AT I O N S Y S T E M S VLADIMIR Z WASS SERIES EDITOR
M.E.Sharpe Armonk, New York London, England
Copyright©2008byM.E.Sharpe,Inc. Allrightsreserved.Nopartofthisbookmaybereproducedinanyform withoutwrittenpermissionfromthepublisher,M.E.Sharpe,Inc., 80BusinessParkDrive,Armonk,NY10504. LibraryofCongressCataloging-in-PublicationData ReferencestotheAMISpapersshouldbeasfollows: Mattord,H.J.,andWiant,T.InformationSystemRiskAssessmentandDocumentation.D.W.Straub,S.Goodman,andR.L.Baskerville,eds.,InformationSecurity:Policy,Processes,andPractices.AdvancesinManagementInformationSystems.Volume11(Armonk,NY:M.E.Sharpe,2008),69–111. ISBN 978–0-7656–1718–7 ISSN 1554–6152 PrintedintheUnitedStatesofAmerica Thepaperinthispublicationmeetstheminimumrequirementsof AmericanNationalStandardsforInformationSciences PermanenceofPaperforPrintedLibraryMaterials, ANSIZ39.48-1984. ~ IBT(c) 10 9 8 7 6 5 4 3 2 1 ADVANCESINMANAGEMENTINFORMATIONSYSTEMS AMISVol.1:RichardY.Wang,ElizabethM.Pierce, StuartE.Madnick,andCraigW.Fisher InformationQuality ISBN 978–0-7656–1133–8
AMISVol.7:MuruganAnandarajan,ThompsonS.H. Teo,andClaireA.Simmers TheInternetandWorkplaceTransformation ISBN 978–0-7656–1445–2
AMISVol.8:SuzanneRivardandBenoitAubert AMISVol.2:SergiodeCesare,MarkLycett,and InformationSystemsSourcing RobertD.Macredie ISBN 978–0-7656–1685–2 DevelopmentofComponent-BasedInformationSystems ISBN 978–0-7656–1248–9 AMISVol.9:VarunGroverandM.LynneMarkus BusinessProcessTransformation AMISVol.3:JerryFjermestadandNicholas ISBN 978–0-7656–1191–8 C.Romano,Jr. ElectronicCustomerRelationshipManagement AMISVol.10:PanosE.KourouthanassisandGeorge ISBN 978–0-7656–1327-1 M.Giaglis AMISVol.4:MichaelJ.Shaw PervasiveInformationSystems E-CommerceandtheDigitalEconomy ISBN 978–0-7656–1689–0 ISBN 978–0-7656–1150-5 AMISVol.11:DetmarW.Straub,SeymourGoodman, AMISVol.5:PingZhangandDennisGalletta andRichardBaskerville Human-ComputerInteractionandManagement InformationSecurity:Policy,Processes,andPractices InformationSystems:Foundations ISBN 978–0-7656–1718–7 ISBN 978–0-7656–1486–5 AMISVol.6:DennisGallettaandPingZhang Human-ComputerInteractionandManagement InformationSystems:Applications ISBN 978–0-7656–1487–2
AMISVol.12:IrmaBecerra-FernandezandDorothy Leidner KnowledgeManagement:AnEvolutionaryView ISBN 978–0-7656–1637–1
Forthcomingvolumesofthisseriescanbefoundontheserieshomepage. www.mesharpe.com/amis.htm EditorinChief,VladimirZwass([email protected])
CONTENTS SeriesEditor’sIntroduction VladimirZwass
vii
PartI.TheTerrainofInformationSecurity
3
1. FramingtheInformationSecurityProcessinModernSociety DetmarW.Straub,SeymourGoodman,andRichardL.Baskerville
5
PartII.SecurityProcessesforOrganizationalInformationSystems
13
2. InformationSystemsSecurityStrategy:AProcessView RichardBaskervilleandGurpreetDhillon
15
3. ITGovernanceandOrganizationalDesignforSecurityManagement MerrillWarkentinandAllenC.Johnston
46
4. InformationSystemRiskAssessmentandDocumentation HerbertJ.MattordandTerryWiant
69
5. StrategicInformationSecurityRiskManagement RichardL.Baskerville
112
6. SecurityPolicy:FromDesigntoMaintenance MichaelE.Whitman
123
7. BusinessContinuityPlanningandtheProtectionofInformationalAssets CarlStucke,DetmarW.Straub,andRobertSainsbury
152
PartIII.ProcessesforSecuringtheExtra-OrganizationalSetting
173
8. InformationSecurityPolicyintheU.S.NationalContext WilliamJ.Malik
175
9. TheInternationalLandscapeofCyberSecurity DelphineNain,NealDonaghy,andSeymourGoodman
196
v
viCONTENTS
PartIV.ForcesandResearchLeadingtoFutureInformationSecurityProcesses
229
10.EmergingUbiquitousComputingTechnologiesandSecurityManagementStrategy GiovanniIachelloandGregoryD.Abowd
231
11.PromisingFutureResearchinInfoSec DetmarW.Straub,SeymourGoodman,andRichardL.Baskerville
263
EditorsandContributors SeriesEditor Index
271 275 277
SERIESEDITOR’SINTRODUCTION VLADIMIRZWASS
Informationsecurityisnoweveryone’sbusiness.Thewayweliveisunderwrittenbyinformation system(IS)infrastructures,withtheInternet-Webcompoundthemostfoundationalofthem.In ourinformationsociety,informationcoursesasthelifebloodofourdailylives(asinonlinetravel planningande-ticketacquisition)andofourbusinessrelationships(inawiki-basedcollaboration onaprojectbyavirtualteam,forexample).Thefunctioningofourbusinessorganizations(as inthesense-and-respondreactiontothereal-timevariancesfromprojectionsonanewproduct line),themanagementofourmultiorganizationalsupplychains(withmoretimelyinformation substituting for inventories), and the operation of our governments (where a timely report on socialserviceshelpstoservebetterapopulationsegment)dependonthesecureflowsofinformation.Consequently,oursocietieshavebeensubjecttoagreatvarietyofinformation-related risks for decades (Neumann, 1995).These have compounded manifold since the Internet has openedpersonalcomputers,organizationalinformationsystems,andnationalinfrastructuresto theworld.Theglobalnetworkofnetworksisexpandingrapidlyanditscontoursarechanging withtheprogressofthemobileInternet.Allofthismakesoursocieties,ourorganizations,and ourownselvesvulnerabletomyriadofcompoundingthreats.Inanorganizationalenvironment, informationsecurityisanever-endingprocessofprotectinginformationandinformationsystems thatproduceit.Consideringthepotentialeffectsofafailureinthisprotection,informationsecurityprotectsmajorfinancialandotherassetsoftheorganization.Nonfinancialassets,suchasthe brand,reputation,andrelationshipswithcustomers,partners,andsuppliers,cansuffergrievously inacaseofsuchafailure.Spokenplainly,informationsecuritytodayprotectstheabilityofan organizationtofunction. The importance of its subject makes the present volume in the Advances in Management Information Systems (AMIS) the first of several to address the issues of information security. Thevolumeisproperlythefirstinthisseries,asitdealswiththemattersofpolicy,strategy,and processesthatarenecessarytoestablishtheoverallsecuritypostureofanorganization.Therange oftechnologicalandorganizationalmeasuresneededtosupportthisposturewillbecoveredby thesubsequentvolumesoftheserial.Designedasitisbothtopresentandtoservetoexpandthe stateofourknowledgeaboutIS,AMISaimstomakeitscontributiontothisvitalsubdomainof ourfield. Asthewayoflifeinthedevelopedworldis,andinthemanyrapidlydevelopingpartsofthe worldisbecoming,dependentonmultiple,complex,andinterrelatedinformationtechnologies,we needtodesignorganizationalprocessesandbuildinformationsystemsencapsulatingandsecuring thesetechnologiesinatrustworthymanner.TheeditorsofthepresentAMISvolume,DetmarW. Straub,SeymourGoodman,andRichardL.Baskerville,addressthekeyissuesthatservetobuild organizationalinformationsecurityonafirmfoundation.Insuchenvironments,people,information technologies,andprocedurescombinetodeliverinformation,providecollaborativeenvironments, vii
viiiSERIESEDITOR’SINTRODUCTION
offerinformation-basedproducts,andfurnishotherinformation-societybenefitsinarelatively securefashion.Thethreeeditorsofthisvolumehavecontributedovertheyearsattheforefront ofourknowledgeaboutthemanagerialmeansofprotectinginformationsystems. Informationsecurityprotectstheavailability,integrity,confidentiality,andauthenticityofinformationandunderpinssuchsocietalgoodsasprivacy,theprotectionofdigitalidentity,andthe protectionofintellectualproperty.Informationsecuritycomprisesadynamicsystemofmeasures takentoprotectdata,information,andinformationsystemsfromunauthorizeduseoradisruptionduetoahumanagencyoranaturalthreat.Therearemultiplesystematictechnologicaland organizationalcategoriesofsuchmeasures.ThisAMISvolumeconcentratesonthelatter.Assuring informationsecurityisinextricablyintertwinedwiththeprocessofriskmanagement:thereisno totalsecurity,andsecuritypoliciesandprocessesneedtoprioritizeandcontroltherisksdepending ontheirlikelihoodandonthepotentialimpactsofadverseevents. Asthechaptersofthevolumemakeclear,informationsecurityisacontinualmanagerialprocessthatevolvespolicies,strategy,andorganizationalandISarchitecturestobuildresistanceto disruptionsintothewaytheorganizationoperates.Informationsecuritypolicyneedstobealigned withthestrategicISplanofafirminnumerousrespects(DohertyandFulford,2006).Preemptivemeasuresarethefirst,andpreferred,lineofdefense.Contingencyplansforthedisruptions thatneverthelessdotakeplaceneedtoincludeincidentresponseplans,disasterrecoveryplans, andbusinesscontinuityplans.Securitymeasuresareundertakenandmustbeadheredtothrough governancewithinthisfundamentalframework.Thesemeasuresmustworkinharmonywiththe missionoftheorganizations,beitagovernmentagencyorabusinessfirm(Sheffi,2005).Regrettably,thelargestglobalsurveyofthestateofinformationsecurityintheprivate-andpublic-sector organizationsoffiftycountriesindicatesthatonly28percentofthesurveyedonesreportaligning securitypolicieswithbusinessobjectives(Holmes,2006).Mostnotably,only37percenthavean informationsecuritystrategy.The“strategygap”hasbeennoted:afocusontechnologies,rather thanonthestrategiesthathavetodrivetheeffort.Thisispreciselywhythisvolumeisimportant astheopeningtotheAMISsecuritysequence. Thereisadegreeofresistanceinorganizationstospendingoninformationsecurity:assessing thevalueofthissecurityisdifficult(whilethevalueismanifestinabreach).Researchstudiesallow toimputethisvalue.AnnouncingabreachofInternetsecurityhasbeenassociatedwiththeloss of2.1percentofthestock-marketvalueofafirmwithintwodaysoftheannouncement—ahuge losstothestockholdersandanindicatorofadamagetotheconfidenceinthefirm’smanagement (Cavusogluetal.,2004).Inparticular,inthefirmsdeployinginformationsystemsstrategically,the boardofdirectorsshouldexerciseoversightoverISgovernance(NolanandMcFarlan,2005). Researchontheorganizationalaspectsofinformationsecuritytakesmanydirections.New, theory-basedmethodsofriskassessmentarebeingdevelopedtoincludetherelevantriskfactors, aswellasthecountermeasures,andtofacilitatecost-benefitanalysisinriskmanagement(Sunet al.,2006).Economicanalysisisdeployedtoevaluatethecomparativebenefitsanddrawbacksof reactiveandproactiveapproachestointrusionprevention(YueandÇakanyildirim,2007).Technologicalsolutionstomitigatingrisks,suchasreal-timethreatassessmentofanincipientsecurity breach,arebeingproposed(BlythandThomas,2006).Comprehensiveemergency-responsesystems,encompassingmultifacetedorganizationalandtechnologicalmeasures,arebeingmodeled toimprovetheireffectivenessinacrisis(Jennex,2007). Technological developments raise ever new concerns to be contended with. The emerging ubiquitous computing raises a new set of challenges to securing information (Müller, 2006). Amajorinitiative,ServiceOrientedArchitecture,aimingtoconstructlargepartsoforganizationalinformationsystemsofWebservices,componentsdrawnfromtheWeb,furtheropensthe
SERIESEDITOR’SINTRODUCTIONix
organization’ssystemstotheworldatlargeandexposesfirmstonewvulnerabilitiesthatneed newsetsofcontrols.Anumberofmultilateralinitiativesaimtoenhancethetrustinthesecurity ofthisenvironment(Baresietal.,2006). Asthespreadingubiquityofinformationtechnologyevermoredenselypermeatesoursocieties,andastechnologicalchangekeepschangingtherulesofthegame,itispreciselythepolicies, processes, and practices of information security that the editors and the authors of this AMIS volumebringtoyourattentionthatarenecessarytosecurethewaywelive. REFERENCES Baresi,L.;DiNitto,E.;andGhezzi,C.2005.Towardopen-worldsoftware:issuesandchallenges.IEEE Computer,39,10(October),36–43. Blyth,A.,andThomas,P.2006.Performingreal-timethreatassessmentofsecurityincidentsusingdatafusionofIDSlogs.JournalofComputerSecurity,14,6,513–534. Cavusoglu,H.;Mishra,B.;andRaghunathan,S.2004.TheeffectofInternetsecuritybreachannouncements onmarketvalue:capitalmarketreactionsforbreachedfirmsandInternetsecuritydevelopers.International JournalofElectronicCommerce,9,1(Fall),69–104. Doherty,N.F.,andFulford,H.2006.Aligningtheinformationsecuritypolicywiththestrategicinformation systemsplan.Computers&Security,25,1(February),55–63. Holmes,A.2006.Theglobalstateofinformationsecurity.CIO(September15),82–94. Jennex, M. 2007. Modeling emergency response system. Proceedings of the 40th Hawaii International ConferenceonSystemSciences,R.H.Sprague,Jr.(ed.).Waikoloa,BigIsland,Hawaii(January3–6), CD-ROM. Müller,G.(ed.).2006.Privacyandsecurityinhighlydynamicsystems.SpecialSection,Communications oftheACM,49,9(September),28–62. Neumann,P.G.1995.Computer-RelatedRisks.NewYork:ACMPress. Nolan,R.,andMcFarlan,F.W.2005.Informationtechnologyandtheboardofdirectors.HarvardBusiness Review,83,10(October),96–106. Sheffi,Y.2005.TheResilientEnterprise:OvercomingVulnerabilityforCompetitiveAdvantage.Cambridge, MA:MITPress. Sun,L.;Srivastava,R.;andMock,T.J.2006.Aninformationsecurityriskassessmentmodelunderthe Dempster-Shafertheoryofbelieffunctions.JournalofManagementInformationSystems,22,4(Spring), 109–142. Yue,W.,andÇakanyildirim,M.2007.Intrusionpreventionininformationsystems:reactiveandproactive response.JournalofManagementInformationSystems,24,1(Summer),329–353.
INFORMATION SECURITY POLICY, PROCESSES, AND PRACTICES
PARTI THETERRAINOF INFORMATIONSECURITY
CHAPTER1
FRAMINGTHEINFORMATIONSECURITY PROCESSINMODERNSOCIETY DETMARW.STRAUB,SEYMOURGOODMAN,AND RICHARDL.BASKERVILLE
Abstract:Describingthelayoutoftheentirevolume,thischapterexplainshowitspartsemerged fromanorganicconceptionoforganizationsstrugglingtodeterminewhattheirinformationsecurity needswereandhowtocreateviablesecuritypolicies.Organizationalissuesexistwithinthecontext ofbothnationalandinternationaldevelopmentsinInfoSecandthefinalpartdealswiththesecritical arenas.Technologicaltrendswilldictateresponsestothepossibilitiesofsecurityviolations,andthere arecleardirectionsforsuchcircumstancesinthecaseofubiquitouscomputing.Thefinalchapter summarizesandreformulatesthenewdirectionsthatresearchersshouldtakeinInfoSec. Keywords: Information Security Processes, Policies, Practices, Guidelines, TechnicalVersus ManagerialInfoSecResearch,KeyResearchQuestions,FutureResearchDirections,Landscape ofInformationSecurity Thevolumecoversthemanageriallandscapeofinformationsecurity.Itdealswithhoworganizationsandnationsorganizetheirinformationsecuritypoliciesandefforts.Itcovershowtostrategize andimplementsecurity,withaspecialfocuslateinthevolumeonemergingtechnologies. Itshowswhereinlieourstrengths.Italsoshowswherethereareweaknesses.Itpointsoutour wealthofsecuritytechnologies,particularlysincethedawnoftheInternetand9/11.Itlikewise indicatesasclearlyaspossiblethatthelikelyproblemtodayisnotthelackoftechnology,but itsintelligentapplication.Themanagementofinformationsecurityisinitsinfancy,whereasthe developmentofsecuritytechnologieshasreachedamuchmoreadvancedstateofmaturity. Inattemptingtocovertheterrainofabroadsubjectthatalreadyhashadalonghistory(however checkered),itisinevitablethatmuchwillbeleftout.Sothesubjectmatterselectedforthisvolume callsforarationalesincetheremustbereasonswhysometopicswerechosenandotherswerenot, andthetaleofthechoosingsayssomethingaboutwhatshouldbevaluedmosthighly. Beforeengaginginthisexercise,though,itisusefultodefineandelaboratetheterm“information security”(InfoSec).Theterm“information”receivestheinitialstresssincewefeelstronglythatthe renderingofdataintomeaningfulstatementsandcomparisons,whichwetaketobeinformation, hasreceivedlightattentioninboththeacademicandtradepresses.Mostoftheworkonsecurity hasbeenatthetechnologicallevel,thelevelofprotectingdatabitsandbytesfromunauthorized interceptionandmisusewhilelittleworkhasfocusedonprotectingthesebinarydigitsoncethey havebeenmanipulated,formatted,andstoredformanagerialuse.Therearevolumesofworkon encryptionalgorithmsandhowtomaketheseunbreakable,forexample.1Hencetheprevalence 5
6STRAUB,GOODMAN,ANDBASKERVILLE
oftermsinthistechnicalliteratureontechnologiesdescribedunderrubricslike“data/database security,”“computersecurity,”“cyber/Internetsecurity,”and“networksecurity.” Inshort,informationisamanagerialandorganizationaltool,andtheprotectionofinformation fromthemanagers’(andorganizations’)pointofviewhasnotbeensubjecttothesameintense scrutinyashavesecuritytechnologies.Notonlyarethepoliciesthatprotectthisinformationmuch lessfrequentlydiscussed,buttheprocessesthatleadtoeffectivepoliciesareevenlessfavoredby scientistsandpractitioners.Broadsocialissues,suchasinternationallaws,standards,andagreementsthataffectsecurityofinformation,arepartofawiderangeofenvironmentalissuesthatalso receivescantattention.Therearenumeroustechnicalworkingpapersdealingwithsuchmatters,but assessmentsofthisscatteredworkhavenotbeenforthcoming.Manyofthesepapershavedirect organizationalimpacts,buteventhosewithindirecteffectsbearwatchingandunderstanding. Focusingonorganizationalneeds,therefore,isthefirstwayinwhichwescopedthetopics covered.Whatweknowatthistimeandwhereresearchshouldbemovinginthefuturetoaddress lightlyexaminedareasrepresentthebasicgoalsofthevolume. Theterm“security”criesoutforsomedefinitionaswell.Bysecurity,wemostoftenmean theprotectionofassetsfromunauthorizeduse,butthetermisoftenextendedtocoversituations wheremechanismstoprotectassetsaresimilarwhetherthedamagethatisinflictedcomesfrom eitheramalicious,accidental,oranaturalsource.Organizationsneedtoprotectthemselvesfrom informationlosseswhetherthesearecausedbyaterroristoratornado.Eitherwillphysically wipeoutafirm’sdatacenter.Therecoveryproceduresareonlydistinctiveintermsofwhether insuranceorcriminalinvestigationsrequireaforensicanalysis.Inbothcases,therewouldbe lossoflifeofmission-criticalemployeesaswellaslossofinformationandtheabilitytoproduce information.Astragicassucheventsare,itwouldbeafurtherlossifstakeholderswhodependon thefirm—employeesandtheirfamilies,shareholders,suppliers,customers,andthesurrounding communities—weretocontinuetosufferfromorganizationalunpreparedness. Thussecurityaswedefineitincludesbusinesscontinuityplanning,especiallyregardinginformation.Maliciouselementsneedtobeconsideredinscenariosinthisplanningeffort,butequal attentionmustbeplacedonaccidentalandnaturalcauses. PARTSANDCHAPTERS Theperspectivetakeninthisbookisatanorganizationallevel.Whethergovernmental,commercial, not-for-profit,orother,decisionmakersinorganizationsconfronttheneedtospecifyorganizationalpolicies,defineorganizationalprocesses,andmanageorganizationalpracticesthatassuretheorganization’s informationsecurity.Table1.1listsaninventoryofthevariousinfluencesthatdrivethesedecisions. Perhapsatthemostgloballevelaretheregulationsthatemergefromnon-governmentalorganizations.Theseincludetherecommendedstandardsandpracticesofprofessionalorganizations(such astheInformationSystemsAuditandControlAssociation,whichpromotesanInfoSecframework calledCOBIT),industrystandardsandpractices(suchastheMasterCardandVisacollaboration thatmandatedapaymentcardindustrydatasecurityframework),standardssetbyinternational agenciessuchastheInternationalStandardsOrganization,andinternationalagreementsonissues suchaspersonaldataprivacythroughagencieslikeOECDandtheUN. Governments,asidefrombeingorganizationsthatmustsettheirowninternalpolicies,processes, andpractices,areorganizationsthatdrivelawsandregulationsrequiringconformitywithintheir territorial borders. These laws and regulations define computer crimes, including insufficient protection of private personal data and insufficient transparency of information necessary for informedpublicdecisionsaboutorganizations(suchasdisclosureofinvestmentrisks).Withtheir
FRAMINGTHEINFORMATIONSECURITYPROCESSINMODERNSOCIETY7 Table1.1
DriversInfluencingOrganizationalInformationSecurityPolicies,Processes,and Practices Non-governmentalregulation Internationaltreaties Internationalstandards Industrystandardsandpractices Professionalstandardsandpractices Governmentregulation Computercrime Privacyprotection Publicdisclosurerequirements Nationalsecurity Nationalinformationinfrastructures Governmentinternalpolicy Organization Economicsofsecurity Costsandbenefits Functionality—Securitytension(gunsorbutter) Ethicsofsecurity Mandatedoroptional(duecare) Technological Computersecurity Networksecurity Cryptology Viciouscircle
mandatefornationalsecurity,governmentsmayregulateadvancedinformationtechnologieswith militaryapplications(suchascryptography)andsetnationalpoliciestoestablishsufficientinformationsecurityinkeyindustrygroupslikefinance,transportation,andenergy.Suchgovernment regulationdrivesprocesses,policies,andpracticesinaverywidespreadrangeofcommercialand privateorganizations(theeffectsofwhichmayevenbeextraterritorial).Eventhesettingofinternal governmentorganizationalprocesses,policies,andpracticesmayhaveawidespreadeffect,as thesemaydriveconformingrequirementsofgovernmentcontractingorganizations,orbecome regardedasemblematicstandardsof“duecare”inInfoSec. Therearealsointernaldriversthatdetermineorganizationalpolicies,processes,andpractices. Forexample,improvementstoorganizationalInfoSecusuallyrequireresources;aninvestmentin InfoSecisthereforeaneconomicdecision.Costsandbenefitsaremanagedthroughriskanalysis, andlikeanyinvestmentdecision,improvementsinInfoSecmoveforwardundertheshadowof theiropportunitycosts.Shouldtheorganizationinvestinimprovedinformationsystemsperformanceorinsteadinvestinimprovedsecurityforitsexistingsystems?The“gunsorbutter”nature ofthedecisionoftenpitssystemsperformanceadvancesagainstsystemssecurityadvances.These conflictinggoalsbringforwardtheethicaldimensionsofdecisionsaboutorganizationalInfoSec policies,processes,andpractices.WhereInfoSecfeaturesaremandatedbyregulations,theethicalaspectsareclear.ButinorganizationalsystemswhereInfoSecisnotrequiredbyregulation, organizationsarelefttofollowtheirownethicallights:institutingInfoSecpolicies,processes, andpracticesbecausetheserepresentthemeasureofduecarethatawiderangeofstakeholders wouldregardasresponsiblemanagementofinformation. InformationtechnologyisitselfadriverofInfoSecmanagementprocesses.Notonlydonewer
8STRAUB,GOODMAN,ANDBASKERVILLE Table1.2
SituatingthePartsofOurVolumeAmongtheDriversInfluencingOrganizational InformationSecurityPolicies,Processes,andPractices PartI.TheTerrainofInformationSecurity PartII.SecurityProcessesforOrganizationalInformationSystems Organization Economicsofsecurity Costsandbenefits Functionality—Securitytension(gunsorbutter) EthicsofSecurity Mandatedoroptional(duecare) PartIII.ProcessesforSecuringtheExtra-OrganizationalSetting Non-GovernmentRegulation Internationaltreaties Internationalstandards Industrystandardsandpractices Professionalstandardsandpractices GovernmentRegulation Computercrime Privacyprotection Publicdisclosurerequirements Nationalsecurity Nationalinformationinfrastructures Governmentinternalpolicy PartIV.ForcesandResearchLeadingtoFutureInformationSecurityProcesses Technological Computersecurity Networksecurity Cryptology ViciousCircle
technologiesbringchallengingnewproblemsforsecurity,butsecurityforexistingtechnologiesis aviciouscircleoftechnicaldevelopments.NewInfoSectechnologiesleadadversariestodevelop newtechniquestodefeatthenewsecuritytechnologies,forcingtheneedforevennewerandeven betterInfoSectechnologies.Thisisaconstantraceforeffectivetechnicalsolutionsinareaslike computersecurity,networksecurity,andcryptology. Indeed,theviciouscircleinvolvesmorethanjusttechnology.Thecausaldirectionsoftheentiresetofdriversarenotstraightforward.VariousInfoSecevents,likecompromisesandmassive losses,occurwithintheircontemporaryframeworks,includingthedriversnotedinTable1.1and thevariousorganizationalInfoSecpolicies,processes,andpractices.Sucheventsleadtorevisions inregulationsandorganizationalvalues,aswellastechnologies.Asaresult,thesedriversalsoset thestagefortheirownrevisions,aformofself-remakingorautopoisis. Howdoestheworkathandfitintothislandscape?Wecansituatethevariouspartsofthe bookintothecontextshowninTable1.2.Thebookbeginswithanoverviewandrationaleand concludeswithareviewofthetopicsdiscussedinthebookandahighlightingofwhatadditional knowledgeiscriticalforprogressinthefieldoninformationsecurity.Eachofthesecomposesa sectiontoitself.
FRAMINGTHEINFORMATIONSECURITYPROCESSINMODERNSOCIETY9
Giventhatourperspectiveisthatoftheorganizationaldrivers,organizationalprocessesthat createsecuritypoliciesandexecutethemlieattheheartofwhatiscoveredandassessed.Thefirst substantivepart,entitled“SecurityProcessesforOrganizationalInformationSystems,”dealswith thisbroadsubject.Itisdividedintochaptersforstrategy,riskassessment,governance,design, andimplementation.TherationaleforeachofthechaptersinPartIfollowsanexplanationofthe modularcategorization. Becauseorganizationalsecuritymustberesponsivetopolicies,regulations,andactivitiesoccurringatsupra-organizationallevelslikegovernmentandnon-governmentregulation,theworkat handproceedsdeeperthanjusttheorganizationaldrivers.Oursecondsubstantivepart,“Processes forSecuringtheExtra-OrganizationalSetting,”considersinternationallegalconventionsandother forms of international cooperation against unauthorized access to organizational systems that havebeenharmonizedwithnationallawsandgiventeeth,andhavepermittedprosecutionacross borders.Ofinterestarethepossibilitiesforadramaticimpactoncybercriminalbehaviorand ontheextenttowhichorganizationscanlookforredressofwrongs.Theseinfluencestakeplace atthenationallevel,certainly,andincreasinglyattheinternationallevel.Theproblemofcyber crimeisfinallygettingtheworldwideattentionitdeserves.Manyoftheseeffortsarenascent,but atleastthespotlightisnowfocusedontheproblem. Aboveandbeyondtheissueofstructuresandinternalorganizationalisthequestionofmarketplaceforces.ThemostimportantofthesewithrespecttoInfoSecaretechnologicalchanges. Our third substantive part, “Forces and Research Leading to Future Information Security Processes,”placesorganizationalandregulatorydriversinthecontextoftheviciouscircle,the never-endingracebetweenthedriversandevents.Herewesituateandexaminetheissuesarising fromtheburstingofnewtechnologiesonthescene.Wehavemovedintoaworldthatisvastly morecomplicatedthanthesimplepoint-to-pointtelecommunicationsthatcharacterizedsecurity intheoldworld.NotonlyhastheInternetchangedthenatureofconnectivity,butwirelessand ubiquitouscomputinghasopenedupthefloodgatesforpotentialabuse. IneachofthesepartswelearnthatthereisafartoolimitedrangeofcurrentresearchinInfoSecpolicies,processes,andpractices.Muchworkremainstobedone.Inthefinalchapterof thevolume,“PromisingFutureResearchinInfoSec,”wereviewthelessonslearnedandmapout directionsfornewresearch.Thisrepresentsbothasummaryandprioritizationofthecallsfor researchintheearlierchapters. THELOGICOFTHECHAPTERS Chapter2,onsecuritystrategy,beginsthevolumesincethegoalsoftheorganizationwithrespectto securitydriveallotherprocesses.Thischapterwrestleswiththeseriousquestionsofhowsecurity functionscancreateeffectivestrategiesandreturnmorebusinessvaluetotheorganizationthan theycost.Theauthorsbasetheirworkonthestraightforwardassumptionthatitismorevaluable todelineatehowsecuritystrategyismaderatherthanarticulateasetofcookie-cutterstrategies thatwould,withcontingencies,beapplicableacrossmanyorganizations.Thelatterisprobablyan unreachableobjectiveinanycase,butthepointisthattheauthorsfocusonprocessandadvocatea setofpracticesthatshouldleadtorobuststrategy.Indevelopingthistheme,theyshowhowcritical isthealignmentofsecuritystrategywithcorporategoalsandwithgoalsofoutsourcingpartners. Theyextendthisargumentbysuggestingthatcomparableorganizationalstructuresmayalsobe necessary to coordinate inter-organizational information exchanges. Finally, the authors show howproducts,suchasvisionstatements,andcompetencies,suchasthecompetencytodetermine internalthreats,areessentialcomponentsofanoverallsecurityprocess.
10STRAUB,GOODMAN,ANDBASKERVILLE
InChapter3,ongovernanceandthedesignoforganizationalstructure,theprocessofdeterminingusefulstructuresisdevelopedfurther.Whatare“structures”?Theauthorsdefinethemas what“determineswhodoeswhatandhowindividualscollaboratetogettheworkcompleted.” Thekeystructuralissueaddressedinthischapteriscentralizationversusdecentralization.This isplacedwithinthecontextofalignment,asintheprecedingchapter.Eventhoughgovernance hastodowithdecisionrights,itisclearthattheconceptsoverlapsinceanissueaboutwhether thesecurityfunctionshouldbecentralizedordecentralizedinvolvesboththecreationoforganizationalrolesanddepartmentsaswellaswhomakeswhichdecisions.Theauthorsusea detailed case study to illustrate the pros and cons of centralizing versus decentralizing with regardtosecurity. Oneofthefirstactivitiesthatspringfromagoodstrategyandanorganizationaldesignthat alignswellwiththeorganizationisariskassessmentofsecurityneeds,whichiselaboratedupon inChapter4.Theauthorsstartwithacatalogandcriticalassessmentofexistingriskassessment techniques.Themostpromisingoftheseisthreat-vulnerability-asset(TVA)analysis,whichis introducedandthenextendedbytheauthors.ThelogicalextensionoftheTVAmodelisthrough “control,”whichconsistsofwaystoreducethelossesincurredbyspecificcauses.Toevaluaterisks inalargerframework,thechaptergoesontodiscussthevalueofbenchmarkingtheorganization’s securityagainstthatofothers.Establishingabaselineofcurrentabuseisthefirststepinthemetrics thatareneededtoassessprogress. Chapter5stepsbackandconsiderstheprocessofriskassessmentcoveredinChapter4from astrategicpointofview.Oncethereaderisclearontheprocessofanalyzingrisks,thestrategic natureoftheinvestmentthatfollowsthisassessmentcanberaisedanddiscussed.Whereasrisk assessmentatatacticallevel,asinChapter4,isausefulandsignificantresearcharea,thereare questionsastowhatafirmshouldsecureandwhatitshould,forexample,insure.Eitherisa perfectlyacceptablemeansofhandlingrisk,asindividualsknowwhentheyinsuretheirhouses, cars,health,andsoon.2Somesystemsneedtobestrengthened.Othersmaybeinsuredatamore modestandlessexpensivelevelofsecurity. Chapter6coverspoliciesthatdealwithsecuritydesign,implementation,andmaintenance issues,whichisthenaturalconsequenceofathoroughriskassessment.Thefirststepincreating andimplementingcountermeasuresispolicymakingatadetailedlevel.Amongtheelementsof suchpoliciesarestatementsofneedsandmethodstoreducerisk,tyingthischaptereffectively tothepreviouschapters.Differenttypesofpoliciesandhowtohandlethemisanimportantdifferentiatorformanagerialdeploymentinthechapter.Securityawarenessprogramsandeducation oforganizationalstakeholdersaredescribednextastheseformthefrontlineofapproachesfor implementingthesepolicies. WhereasChapter6dealswithsecurityagainstindividualattacksandthreats,Chapter7on takesonthethemeofprotectinginformationassetsatthemacro-level.Theriskfromcatastrophic failurecandoomanenterprise,andtheinadequateprovisionofbounce-backforsystemsisone ofthecentralelementsinaformulaforsuccess.Thechapterstressestheneedtothinkbroadly aboutdisasterplanning,tothepointwhereitmaybepossibletorecoverthedata,systems,and networksthroughaseriesofstrategies.However,withoutaplanthatincludesreplacementofkey personnel,allsuchplanswillleadtofailure. Organizationsoperatewithinasociopoliticalcontext;Chapter8placesthisinthelargercontextofthenationalpolicymakingoftheUnitedStates.Thischaptermaybeofinterestbeyond multinationalsheadquarteredintheUnitedStatesbecauseoftheinternationalramificationsof anychangeinU.S.policy.Theapproachtheauthortakesishistoricalandanalogical.Thebasic argumentisthatlarge-impactinnovationsrequiretimeforsocietytoadjusttotheirimplications.
FRAMINGTHEINFORMATIONSECURITYPROCESSINMODERNSOCIETY11
Theautomobileisaninterestingparalleltocomputersinthatbothrequireaninfrastructure,atleast inthecomputer-to-computer,networkingformofcomputing.Infrastructurefortheprovisionof gasolinewasoriginallyatpharmacies,forexample.Ittookawhilebeforeanationalinfrastructure ofgasolineprovisionwasinplace.Licensingofdriverswassimilarinthisregard.Thebottomline forthehistoryofthedevelopmentofU.S.policyisthatithasbeenpatchyandresponsiveonly tospecificindustryneeds.TherearecurrentlyproposalsthatwouldidentifyindividualcomputersontheInternet,whichmaybeanecessarydevelopmentinthecontrolofcyberspace.Butthe inadequacyofU.S.nationalpolicyisarguedveryconvincinglyinthechapter. Chapter9surveyseffortstodealwithsecurityissuesattheregionalandinternationallevel.A largenumberandgreatvarietyoforganizationshavebeencreatedorexpandedatthenational, regional,andgloballevelsinrecentyearstohelpaddressInfoSecproblemsintheirvariousdimensions.Aretheydoingitwell?Aretheycomingupwithenforceable,scalable,andreadilyusable solutionsthatreducevulnerabilities,determaliciousactivity,andmakecyberspaceasaferand moresecureinfrastructureglobally,oratleastslowtherateatwhichthingsaregettingworse? Sofar,thereislittleinformationthatwouldhelpustoprovideconvincingpositiveanswersto thesequestions.Whereasinternationaleffortsareoftenembryonicandnotnecessarilyconverging,someregionaleffortsarebeginningtomakestrides,especiallyinEurope.Anexampleisthe conventioncoveringcriminalandprocedurallaw,informationcollection,andformsofcooperationregardingcybercrimeacrossmembersoftheCouncilofEuropeandothers.Muchofthisis unevenlydistributedaroundtheworld,withthemostextensiveeffortsinEurope,andnotmuch inAfricaattheotherendofthespectrum.Moremultilaterallegalandcooperativeundertakingsto provideearlywarning,standardsandbestpractices,lawenforcementassistance,training,andso on,andotherwisehelpdealwithcybercrimeareclearlyneededtoaddressthemassivechallenges thatalreadyexistandareworsening. Chapter10analyzesubicomporubiquitouscomputing,whichposesanadditionalchallengetoa worldthatalreadyhasaplethoraoftechnologiesthatareinherentlyinsecureanddifficulttochange. Assumptionsabouttheskillsofpersonneltodealwithnewubicomptechnologies,aboutlawsand regulationsspecifictothem,andinterfacesthatcanmonitortheirusearenearlyallerroneous.Althoughtherangeofubicomptechnologiesisfairlylarge,theauthorsillustratetheirmainpointsby focusingourattentionontwocasestudies,whichrevealdifferentaspectsaboutthegenericubicomp problem.PersonalAudioLoopcapturesaudioandcellphonemessageswhereasCareLogcaptures videoandnotesaswellasaudio.Privacyissuesarethemostobviousconcernwithunrestricteduse ofthistechnology,buttheauthorshighlightmanyotherconceivableproblems. Chapter11wrapsupthevolumebyconsideringthevariousresearchquestionsanddirections forfuturescientificworkthatarediscussedintheprecedingchapters.Itiscriticalthatwehave atleastoneroadmapforwherewemighttakediscoveriesaboutInfoSecandwhatthisportends fororganizations,nations,andtheinternationalcommunity.Thenumberofresearchquestions coveredinthischapterisvoluminous,butasimpleexamplewillshowwhatisinstoreforreaders.DobusinesseshaveplansformajorInfoSecdisasters?Andiftheydo,havetheytestedthese? Whatistheapproachtodevelopingsuchplansandisiteffective?Amongthemanyfailurepoints inmodernInfoSecisbusinesscontinuityplanning,andtheneedformuch,muchmoreresearch inthisareaisparamount. CONCLUSION Thisvolumetakesauniquelyprocess-orientedviewofthemanagementofinformationsecurity. Thisviewpointhelpsustounderstandnotonlyhowmanagementpracticesareevolvingtoday,
12STRAUB,GOODMAN,ANDBASKERVILLE
butwhysuchanevolutionisunfolding.Inparticular,thisorientationhelpsrevealareaswherewe needbetterdevelopmentofinformationsecuritymanagementpractice.Novolumecancoverall thekeyissuesthatcouldbeidentifiedinInfoSec.Evenafterscopingourtopictothemanagerial andbehavioralaspectsoforganizationalsecurity,thegroundcoveredisstillarelativelysmallpart oftheterrain.Weoffertantalizingdirectionsfornew,intensive,andground-breakingresearch. WillthescientificcommunitiesthathaveaninterestinInfoSectakeusuponthischallenge?We obviouslycannotknowtheanswertothischallengeinadvance.Nevertheless,ourdesireisto sketchoutthestate-of-the-artknowledgeineachoftheseareasandtolayoutresearchdirections thatcouldbeprofitableforMISandotherresearchers.Wehopethatthisbookhelpspromotea neweraofworkinthiscriticalarena. ACKNOWLEDGMENTS Someofthechapters/materialinthisvolumeisbaseduponworksupportedbySeymourGoodman’s NationalScienceFoundationGrant#0210644.Anyopinions,findings,andconclusionsorrecommendationsexpressedinthismaterialarethoseoftheauthor(s)anddonotnecessarilyreflectthe viewsoftheNationalScienceFoundation. SeymourGoodman,NealDonaghy,DelphineNain,andGiovanniIachellowouldliketothank theJohnD.andCatherineT.MacArthurFoundationforgenerouslyprovidingfundinginsupport ofthiswork.However,allerrorsandomissionsremainthoseoftheauthors. NOTES 1.Thecomparablemanagerial-levelworkinthisdomainwouldexaminesuchissuesaswhethernew algorithmsworkinpractice,howtheirimplementationcanbehandledbybusymanagers,whethersupplementalformsofprotectionsuchaspoint-to-pointconnectionsareneededorjustanaddedcostwithoutvalue, howmanagerslearnaboutanddecidetoadoptnewalgorithms,andsoon. 2.Ofcourse,thereisalwaystheconsiderationofsafetytohumanlifeinthecaseofhealthinsurance, sotheanalogyisnotperfect.Onewouldpresumablyconductoneselftoensurehealth—byeatingwell,for example—beforeinsuringone’sbody.
PARTII SECURITYPROCESSES FORORGANIZATIONAL INFORMATIONSYSTEMS
CHAPTER2
INFORMATIONSYSTEMSSECURITYSTRATEGY AProcessView RICHARDL.BASKERVILLEANDGURPREETDHILLON
Abstract:Thischapteradoptsaprocessviewofinformationsecuritystrategy.Thatis,itiscentrally concernedwithhowto“make”strategy;thisextendstheconcernaboutwhatstrategy“is.”From aprocessviewpoint,informationsecuritystrategyinvolvesoneormorestrategy-settingprocesses. Suchprocessesrequireanassessmentofthegoalsfororganizationalinformationsecurity.Examplesincludecompliancewithregulatoryrequirements,nationalandinternationalstandards, andprofessionalpractices.Thestrategy-settingprocessmaybeorganizedusingaproductcriterion oraprocesscriterion.Aproductcriterionwouldorganizethestrategy-settingprocessbygrouping activitiesaccordingtotheendproductsoftheprocess.Theproductsofstrategysettinginclude statementsofvision,corevalues,rationale,andstrategicplanssuchasthesecurityorganization structure,securityoperations,andsecuritybudgetingstrategy.Aprocesscriterionwouldorganize thestrategy-settingprocessbygroupingactivitiesaccordingtomajorcomponents,suchasthe alignmentofsecuritywithorganizationalstrategy,theplanningofoperationalstrategies,andthe planningofsecurityorganizations.Thischapterelaboratesnotjustsecuritygoals,butthegoalassessmentprocess;notjustthesecuritycriteria,butthecriterionorganizingprocesses;andnot justtheproductsofthestrategicprocesses,butthestrategy-settingprocessesthemselves. Keywords:InformationSecurityStrategy,InformationSecurityPlanning,InformationSecurity Functions,InformationSecurityRiskManagement,InformationSecurityOrganization,InformationSecurityCompetence,ITRiskManagement INTRODUCTION Ascommercialandgovernmentorganizationshavebecomemoredependentoncomputer-based information systems (IS), they have become better at managing their information security. Downtimeduetocomputerattacks,forexample,hasbeendrivendown.Companiesreporting downtimefromcomputerattacksdroppedfrom26percentin2002to16percentin2003,while lengthydowntimedroppedfrom39percentto26percent(Swartz,2004).Suchimprovementsin informationsecurityarenotduetotechnologyalonebutimprovementsinthemanagementofthe technology.Goodmanagementisoftenfoundedonsoundstrategy. Strategy,however,isatermusedquitefreelyinthemanagementliterature.Indeed,justdefining andexplainingthemeaningofthetermwouldrequireabookuntoitself.Forexample,Mintzberg, Ahlstrand,andLampel(1998)detailfivedistinctviewsofstrategicplanninginthemanagement 15
16 BASKERVILLE AND DHILLON Figure2.1 LayersofStrategy
Strategies for setting security policies Security policies
Strategies for implementing security policies Information security processes and practices
literature:aplanorguideforactionthatleadsthefirmfromacurrentstatetoamoredesirable state;apatternofconsistentbehavior;apositioningofproducts;aperspectiveorphilosophy; a ploy that outmaneuvers or outwits a competitor. Such views unfold in at least ten different “schools”ofstrategy,includingprescriptiveschoolslikedesigning,planning,orpositioning;and descriptiveschoolslikeentrepreneurial,cognitive,learning,power,cultural,environmental,and configuration.Individually,noneoftheseviewsorschoolsseemstocaptureacompleteunderstandingofstrategy,butcollectively,evengiventhestandingcontradictions,wegrowcloserto suchanunderstanding. Giventheencompassingnatureofthestrategyconceptamongmanagers,littlewonderthatthe termsstrategyandpolicyaresometimesconflated.Thisinterchangeabilityeveninhabitsdictionary definitionsoftheterms.StrategyisdefinedbyWebster’sasacarefulplanormethod:theartof devisingoremployingplansorschemestowardagoal(Merriam-Webster,2001).Thedefinitionof policyissimilar:ahigh-leveloverallplanembracingthegeneralgoalsandacceptableprocedures. Evenincommonparlance,itshouldnotbesurprisingthatthetermsbecomeentangled.However, policyisfurtherdefinedasadefinitecourseofactionselectedfromamongalternativesandin lightofgivenconditionstoguideanddeterminedecisions.Forourpurposes,wemustfollow someterminologicalrule,andwilluse“strategy”inatleasttwoways:wecanhaveastrategyfor creatingorganizationalsecuritypolicies,andwecanhaveastrategyforimplementingsecurity policies.Thismeansthatorganizationalstrategywillhelpdeterminethesecuritypolicies(see Figure2.1),andthesepoliciesmayinturnembodyadeterminationforthestrategyforcarrying outthesecuritypolicies.Inthisway,organizationalprocessesandpracticesaredeterminedby layersofsecuritystrategy.Inthischapter,wearemainlyconcernedwiththeformulationprocesses forhigher-levelinformationsecuritystrategies,thatis,thoseorganizational-levelstrategiesthat drivesecuritypolicycreation. Whileusuallythoughttorefertotheplansforattainingorganizationalmissionsandgoals, intendedstrategiesarerarelyachievedasrealstrategies.Consequently,strategytheoristsdifferas towhetherastrategyisadeliberateplancarriedforwardfromanintendedstrategytoarealized
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW17
strategy,orwhetheritisanemergentpatternthatformsandreformscontinuouslyasanorganization adaptstoitsenvironmentthroughalearningprocess(Mintzberg,Ahlstrand,andLampel,1998). Informulatingthestrategyprocess,however,thesedifferingviewsonstrategyoftenresultin remarkablysimilarprocessesinpractice.Thosewhoseestrategyasaprescriptivedesignandplanningprocesswillviewthisprocessasaprojectwithanultimategoalofproducingorganizational strategicplans.Thosewhoseestrategyasadescriptivelearningprocesswillviewthisprocess asachangingexperiencewithanultimategoalofnurturingandgrowingtheorganization.The firstgroupessentiallyfocusesonaone-shotstrategyformulationprocess.Forthem,astrategy frameworksuchastheoneinthischapterprovidesaguideforstrategysetting.Thesecondgroup expectstorepeatthisprocesscontinuouslyandthattheprocesswillchangewitheachcycle.For them,thestrategyframeworksuchastheoneinthischapterprovidesoneexamplethatmightbe usedtoformulateoradaptalivingstrategy-settingprocess. Forexample,theCanadianSecurityEstablishmentwasoncetaskedwithrecommendingoverall informationsecurityriskmanagementforthegovernmentofCanada.TheCSEexaminedstandardsinplaceintheU.S.,British,andothergovernmentsasreferencepointsintheirdecision. TheuniqueprobleminCanadawastheneedtoadoptastandardriskassessmentprocessthat wouldapplyequallywelltoorganizationalcomponentsofwidelyvaryingsizeandculture.The processhadtoworkaswellforacommanderofalargeairforcebaseasfortwopoliceofficers inaremoteoutpost.Accordingly,theCSEdevelopedastrategyofdefiningcriteriafortherisk assessmentprocess,anddeferringtheexactdefinitionoftheriskassessmentprocesstothelocal organizationalchief(Baskerville,1995).Thisisthemeaningofstrategyinourcontext:anoverall planformanaginganddevelopinganorganization’sinformationsecurity. Theremainderofthischapterexploresinformationsecuritystrategyinsevensections.We willbeginbyexploringthreeviewsofinformationsecuritystrategicprocesses.Thenwereview theprocessofgoalsassessmentasappliedindevelopingsecuritystrategies.Wethenexaminethe productsofthestrategy-settingprocess,forexample,documentationproducedforstrategicplans. Next,wediscusstheorganizationofthestrategy-settingprocess,organizingourapproachbyboth productandprocesscriteria.Wealsodiscussthenecessaryorganizationalcompetenciesforinformationsecurityasaconcernforpragmatics:wheresecuritycompetenciesareunavailable,security strategymustbeadjustedfortheorganizationalrealities.Thismeansthatchoicesliketop-down versusfederalstrategy-settingprocessesshouldbeshapedbyanunderstandingofthecompetencies requiredforeachofthedifferentwaysoforganizingthestrategy-settingprocesses. THREEVIEWSOFSTRATEGYPROCESSESFOR INFORMATIONSECURITY Strategyprocesseswillusuallyentailexaminationoforganizationalvaluesandpurpose,alongwith baselinestudiesofboththeexternalenvironmentandinternalcharacteristicsoftheorganization. Ultimatelytheprocessshoulddrivechangesinorganizationalactivities,andthismayinvolve intermediateproductssuchasdocumentsaboutplansandgoals. Thedevelopmentofideasinstrategywithaparticularemphasisoninformationsecurityoperates alongthreegenerallinesofdevelopment.Thefirstlineofdevelopmentresultsinideasthatevolve asmoreorlesscompletelyformulatedstrategiesthatprovidewholeexemplarsorframeworks. Suchframeworksfitnicelywiththeviewofstrategyasaprescriptivedesignorplanningprocess and provide a cookie-cutter strategy for universal implementation in almost any organization. The second line of development results in ideas about fragments of security strategies. Often thesefragmentsarerecommendationsforelementsofaninformationsecuritystrategythatmight
18 BASKERVILLE AND DHILLON Figure2.2 BalancingasInformationSecurityStrategy
Level of protection
Cost of information security
Ease of access for customers and employees
beadvantageousifadaptedoradoptedintoanorganizationalsecuritysetting.Thethirdlineof developmentresultsinideasabouthowtoformulateaprocessforinformationsecuritystrategy andalignswiththeviewofstrategyasadescriptivelearningprocess. UniversalCookie-CutterStrategy Thefirstlineofdevelopmentreachesforcookie-cutterstrategiesforadoptionoradaptationas aninformationsecuritystrategy.Thesestrategiesareparadigmsfortheprescriptivedesignor projectviewofstrategyformulation.ExamplesofsuchstrategiesincludeGaston’ssuccessful informationsecuritymanagementstrategy,andHong’sintegratedsystemstheoryofinformation securitymanagement. Gaston(1996)premisedagoalofintegratingtechnologicalsecuritythroughoutthebusiness withintermediategoalsforprotectingorganizationalassets,assuringquality,fosteringcompetition, eliminatingunnecessaryexpense,andcustomerservice.Thisisabalancingstrategythatoperates withtrade-offsbetweenthelevelofprotection,thecostofinformationsecurity,andeaseofaccess forcustomersandemployees.Inotherwords,securitystrategyfundamentallydependsonwhere theorganizationplacesitspriorities.Improvementsinthelevelofprotectionwillworsencustomer accessand/orsecuritycosts.Improvementsincustomeraccesswillworsenthelevelofprotection and/orsecuritycosts,andsoon(seeFigure2.2).Thisbalanceisthefundamentalstrategicdecision. Thestrategicplanconsistedof(1)formulatingthegoalsofinformationsecurity,(2)positioning informationsecurityinrelationtomanagementandgovernance,(3)mobilizingtheorganization foritssecurity,(4)creatinganinformationsecuritypolicy,(5)tailoringsecuritymeasuressuch thatpolicybecomesimplemented. Hongetal.(2003)premisedtheirgoalsonfivediscretetheoriesthatpermeateinformation security thought. These include security policy theory, risk management theory, control and auditingtheory,managementsystemtheory,andcontingencytheory.Manyoverallinformation
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW19 Table2.1 SummaryofInformationSecurityManagementTheoriesandCharacteristics Theory
Activities
Characteristics
Securitypolicytheory
Policyestablishment Policyimplementation
•Policyisthemainfocus •Emphasizesequential,structured procedures
Riskmanagementtheory
Policymaintenance Riskassessment Riskcontrol
Reviewandmodification Controlandauditingtheory Establishcontrolsystems Implementcontrolsystems Informationauditing Managementsystemtheory Establishsecuritypolicy
Contingencytheory
Definesecurityscope Riskmanagement Implementation Policystrategy Riskmanagementstrategy Controlandauditstrategy Managementsystemstrategy
•Understandandcopewithinsecure environments •Ignoresecuritypolicyandinformation auditmechanisms •Overemphasizestructures •Internalcontrolandinformationaudit isthemainfocus;ignoresecurity policyandriskmanagement •Lackofrequirementsplanningand contingencyfortheunexpected •Informationauditingisignoredand theimplementationisaffected •Lackofperiodiccheck •Lackoffeedback •Considerenvironmentsbothoutside andinsideofanorganization,and chooseappropriatesecuritystrategies •Lackofintegrationandstructures
Source:AdaptedfromHongetal.,2003,p.246.
securitystrategiesseemtobebasedononlyoneofthesefivetheories.However,eachofthefive theoriesbringsitsownuniquecharacteristicsintothesecuritystrategyframework(seeTable2.1). Bymergingthetheoriesintoacohesivesecuritymanagementprocess,weachieveanintegrated strategyforinformationsecurity(seeFigure2.3).Theresultisanoverallstrategicframeworkfor organizinginformationsecurity.Thisframeworkiscalledcontingencymanagement.Contingency managementrespondstoitsenvironmentwithfourinformationmanagementactivities:security policysetting,riskmanagement,internalcontrolmanagement,andinformationauditing. FragmentsofSecurityStrategies Examplesofsecuritystrategyfragmentsthathaveariseninthesecondlineofdevelopmentinclude susceptibilityauditsandtheinformationsecuritychain.Susceptibilityaudits(Hale,Landry,and Wood,2004)involveaprocessofproducingasusceptibilitymap,whichlocatesassetsandrisk inatwo-dimensionalplaneagainstmeasuresofthelikelihoodofsuccessfulattackandtheimpact orcostofsuccessfulattackontheorganization(seeFigure2.4).Thereisathree-stepprocessfor developingasusceptibilitymapconsistingof(1)valuingtheinformationassets,(2)assessing threats,and(3)evaluatingthecostofsecuringassets.Theresultsofeachstepareusedtodevelop
20 BASKERVILLE AND DHILLON Figure2.3 AnIntegratedStrategyforInformationSecurityManagement
Security Policy
Risk Management
Environment
Contingency Management
Organizational Objectives Internal Control
Information Auditing
Source:AdaptedfromHongetal.,2003,p.247. Figure2.4 SusceptibilityMap
Probability of Compromise Ecommerce Operations
Risk
Customer Data
Inventory Data
Internal Information Infrastructures
Cost of Compromise Source:AdaptedfromHale,Landry,andWood,2004,p.62.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW21 Figure2.5 AdaptingSusceptibilityMappingintotheIntegratedStrategy
Security Policy
Susceptibility Mapping
Environment
Organizational Objectives
Contingency Management
Internal Control
Information Auditing
themap,whichcanthenbeusedinformulatingstrategiesforreducingthelikelihoodofsuccessful attacks.Inthisexample,asusceptibilityauditisafragmentofstrategythatcanbeintegratedinto alargerstrategicframeworkforacompleteinformationsecuritystrategy. Wecanbetterunderstandtherelationshipbetweenstrategyfragments,suchassusceptibility maps,andoverallframeworksbyillustratinghowthefragmentssuchassusceptibilitymapping might be integrated into an overall framework. Suppose, for example, that the organizational managersarekeenontheuseofsusceptibilitymapsasameansofriskassessment.Thisstrategic fragmentcouldbeadaptedtoanoverallframeworksuchasthebalancedsecuritystrategyorthe integratedsecuritystrategy.InFigure2.5,weillustratehowsusceptibilitymappingcanbeadapted totheintegratedstrategybyusingitasthechosenriskmanagementelementinthestrategy. Theinformationsecuritychain(Finne,1996)isaconceptthatinvolvesisolatingandcompartmentalizingsecuritysafeguardelementsintomodulesandsubmodules.Eachmoduleforms alinkinthechainthatshouldcompletelyencompassinformationvulnerabilitiesandprotectthe organizationfromthesurroundingworld.Forexample,inFigure2.6themodulesarenumbered 1through13,forminglinksinthechainaroundinformationsecurity.Eachlink/modulecontains manysubmodules(asillustratedinmodule1).Forexample,module1couldcontainintrusion protection. Within each module or submodule are safeguards like biometric access control, passwords,virusdetection,andthelike.Inthisexample,thesecuritychainconceptprovidesa fragmentofinformationsecuritystrategythatcanbeadoptedintoalargerframeworksimilarto susceptibilitymaps. Forexample,supposetheorganizationmanagersbelievethattheinformationsecuritychain isveryappropriatefortheirorganization.Thesecuritychainconceptcouldbeadaptedintothe
22 BASKERVILLE AND DHILLON Figure2.6 TheInformationSecurityChain
Source:AdaptedfromFinne,1996,p.298. Figure2.7 AdaptingtheSecurityChainConceptintotheIntegratedSecurityFramework
Security Policy
Risk Management
Environment
Contingency Management
Organizational Objectives Information Security Chain
Information Auditing
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW23 Figure2.8 PFIRES:PolicyFrameworkforInformationSecurity
Assess Assess Risk
Assess Policy
Operate
Plan
Manage Events
Develop Policy
Monitor Operations
Define Requirements
Deliver Implement Controls
Define Controls
Source:AdaptedfromRees,Bandyopadhyay,andSpafford,2003,p.102.
integratedstrategyframeworkasamodelforinternalcontrols.ThisadaptationisshowninFigure 2.7.Variousstrategyfragmentscanbeintegratedtogetherwithinanoverallframework,whether theframeworkisacookie-cutteruniversalframeworkoronespecificallydesignedforaparticular organization. FormulatedProcessesforSecurityStrategy Thefinallineofdevelopmentaimstohelpinthecreationofprocessesforsettingorganizational strategy.Suchdevelopmentsadopttheviewthatstrategysettingisacontinuousemergentprocess.An exampleisfoundinPFIRES(PolicyFrameworkforInformationSecurity)(Rees,Bandyopadhyay, andSpafford,2003).Thisframeworkaimstoprovideameansbywhichausablesecuritystrategy canbedevelopedandkeptalignedwiththeoverallinformationtechnologylifecycle.Itdefinesa continuingcycleoffourphasesconsistingof(1)assessphase,(2)planphase,(3)deliverphase,and (4)operatephase.ThiscycleisshowninFigure2.8.Eachphaseconsistsoftwomajoractivities. Theassessmentphaseincludespolicyassessmentandriskassessment.Theplanningphaseincludes policydevelopmentandrequirementsdefinition.Thedeliverphaseincludescontrolsdefinitionand controlsimplementation.Theoperationphaseincludesmonitoringoperations,reviewingtrends,and managingevents.Adoptingoradaptingthisframeworkwillleadtheorganizationtocontinuously redevelopitsinformationsecuritystrategies.Whiletheframeworkisbroaderthanjustacookiecutterstrategy,itdoesincorporateasomewhatcompleteorganizationalsecuritystrategyasastarting
24 BASKERVILLE AND DHILLON
frameworkfromwhichvariousorganizationallearningactivitiesintheassessmentphasecanbegin toenabletheoverallstrategicframeworkandprocesstoadaptandemerge. GOALSASSESSMENT Theinformationsecuritystrategyprocessstartswithanassessmentofthegoalsfororganizational informationsecurity.Thesegoalsarelikelytoincludecompliancewithregulatoryrequirements, nationalandinternationalstandards,andprofessionalpractices.Thegoalsassessmentprocessmust takeintoaccountthetypeoforganizationandincludeactivitiestoalignthesecuritystrategywith thestrategicgoalsoftheorganizationasawhole.Goalsassessmentprocessesmustalsotakeinto accountthetypeofsecurityenvironment.Inparticular,high-riskorganizationalenvironmentslike electroniccommerceorindustriesoperatinginareasofnationalcriticalinfrastructureswillneed morecareandrigorinsecuritystrategyprocesses. Compliance Amajorfocusofthedevelopmentofinformationsecuritystrategicgoalswillbethecompliance requirementsdictatedbytheenvironment.Theorganization’ssituationmayrequirecompliance bylaworbyindustrystandards.Insomecases,theorganizationalsituationmaynotimposelegal requirements,buttheorganizationmaychoosetocomplyinkeepingwithstandardsofduecareor prudentpractice.Ultimately,anycomprehensiveprocessfordefiningstrategicgoalsforinformationsecuritymustreviewpotentialregulatoryrequirements,nationalandinternationalstandards, andprofessionalpractices.Wewillbrieflyrevieweachofthesecategoriesofcompliance. Themostprevalentregulatoryrequirementsareprivacyrequirementsforpersonalinformationrecordedandprocessedincomputersystems.Becausetheserequirementsareestablishedin internationaltreaties,countriesrespondbyestablishingtheserequirementsinlaw.Examplesof suchlawsintheUnitedStatesincludethePrivacyActof1974,thePrivacyProtectionActof1980, RighttoFinancialPrivacyActof1978,theFamilyEducationalRightsandPrivacyActof1974, theChildren’sOnlinePrivacyProtectionActof1998,theElectronicCommunicationsPrivacyAct of1986,theCableCommunicationPolicyActof1984,andDepartmentofHealthandHuman Servicesregulationseffectivein2001protectingtheprivacyofmedicalrecords. Privacyisnottheonlyareainwhichlawshavebeenenactedthatmaydeterminethegoalsto besetbyastrategy-settingprocess.Forexample,theSarbanes-OxleyActof2002definesrequirementsforexternalauditorstoassessthetestingofsecuritycontrolsoncomputer-basedaccounting systems.Compliancewiththisactmeansthatsecuritycontrolsforaccountingsystemsmustnot onlybedesignedandoperated,butalsomustberoutinelytestedforeffectiveness.Thestrategysettingprocesswouldneedtoevaluatesuchcompliance.Forexample,complianceisrequiredby lawforpubliclyheldcompanies.Whilethelawdoesnotrequirecompliancebyprivatelyheld companies,theexistenceofthelawsuggeststhatanystandardofprudentaccountingwillmean suchtestingwillbecomeagoaleveninprivatelyheldcompanies. Compliancewithnationalandinternationalstandardsmustalsobereviewedinsettingsecurity goalsduringthestrategyprocess.ThemostprevalentsuchstandardisISO/IEC17799andISO 27002,InformationTechnology–CodeofPracticeforInformationSecurityManagement(ISO/IEC, 2000).Thestandardsuggestsbestpracticesforsecuritypolicies,infrastructure,assetclassification, physicalsecurity,communicationssecurity,accesscontrol,systemsdevelopment,andbusiness continuity.Theinformationsecuritystrategyprocessmustevaluatesuchstandardsanddetermine thedegreetowhichtheorganizationshouldcomply.Somepartsofthisextensivestandardmaynot
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW25
berelevanttoaparticularorganization.Otherpartsmayberelevant,butinthecarefulopinionof thesecuritystrategiststhealternativesecurityactivitiesmaybemoreprudent.Indeedtheremay beconflictingstandards.Consequently,complianceisnotastraightforwardgoal,butrequiresa carefulprocessforreviewingstandardsanddeterminingwhichstandardsapplyandthedegreeto whichsuchstandardsshouldbeimplemented. Professionalpracticesmayalsobecodifiedinaformforeasyreviewinamannersimilarto compliancewithnationalandinternationalstandards.Suchpracticesaresometimesprovidedas frameworksorguidelinesandmaybespecifictocertainindustriesorcertainkindsofsystems.In somecasessuchframeworksmaybecomeadefactorequirementinarelatedlaw.Forexample, theSarbanes-OxleyActreferencesresponsibleframeworksforpractice.Aneffectivereference forthispurposeisaspecificframeworkdevelopedbytheCommitteeofSponsoringOrganizationsoftheTreadwayCommission(COSO).Thisframeworkprovidesdetailsofrecommended internalcontrols,andhasbecomeareferencetoolforeffortstocomplywiththelaw.TheCOBIT framework(ControlObjectivesforInformationandrelatedTechnology)frameworkisanother detailedframeworkofparticularinterestinsettinginformationsecuritygoals(COBIT,2005).It wasdevelopedbytheInformationSystemsAuditandControlFoundationandcanhaveasimilar impacttoCOSOasareferenceframeworkforprudentpractice. OrganizationStructureandProcesses Animportantstepingoalsassessmentistheclarificationoforganizationalstructuresandprocesses andtheassessmentoftheintegrityofthecommunicationchannels.Thereisalsoafurtherneedtoalign disparateactivitiestoeachothertoprovideadequateassurance.Whenresponsibilityandauthority structuresarenotdefinedwell,thereisariskofbreakdownininternalorganizationalcontrols.The notionofestablishingresponsibilityandauthoritystructuresisnotnecessarilylimitedtothedrawingupofanorganizationchart.Ithasmoretodowithunderstandingtheexistingsocialnormsand designingstructuresandprocessesthatalignwiththedominantnormativestructures. Therearetwofurtheraspectsofstructuresandprocessesthatneedtobeconsidered.Firstisthe alignmentofstructuresandprocesseswiththetechnicalinfrastructure.Secondisthecommunication amongestablishedrolesandkeystakeholders.Itisadocumentedfactthatamajorityofsecurity vulnerabilitiesareaconsequenceoflackofintegritybetweenorganizationalstructuresandaccess controlmechanisms(BackhouseandDhillon,1996).Thisisessentiallybecausethereusuallyisalack ofalignmentbetweenthemannerinwhichorganizationalstructuresandprocessesarecreatedand thedesignoftheinformationtechnologyinfrastructure.Thelackofalignmentgetsmanifestedattwo levels.First,whensecuritycontrolsareinstitutedinthesystems,theyaregenerallyanafterthought, thusleadingtodevelopmentdualityproblems(WhiteandDhillon,2005).Second,thereisusually littlecommunicationbetweenthosedesigningsecuritycontrolsandtherestoftheorganization. Thisresultsinproblemswiththemannerinwhichrolesarecreated,howtheyaremanifestedinthe organization,andthenatureofresponsibilitystructuresmandatedbythetechnicalsystem.Intermsof establishinginformationsystemsecuritygoals,understandingthenatureandscopeoforganizational structures,processes,andtheirrelationshipwithsecuritycontrolstructuresisimportant. Thesecondissuethatneedscarefulunderstandingisthenatureandscopeofcommunicationbetween keystakeholdersandorganizationalsecurityroles.Propercommunicationisessentialacrossorganizationalhierarchies.Thereisareciprocalrelationshipbetweenassessingsecuritygoalsandensuring properimplementation.Communicationisfundamentalinensuringgoodimplementationofthegoals, largelythroughcoordination.Andalackofpredictabilityastohowcoordinationwillmanifestitselfis abarriertocommunication,whichcouldbeacauseofsecurityandintegrityproblems.
26 BASKERVILLE AND DHILLON Table2.2
SecurityStrategyAlignmentwithOrganizationalStrategy Corporategoal
Securitycontribution(alignment)
Qualityassurance Completeness Accuracy Timeliness Authorization Privacyandconfidentiality Authentication Continuityandavailability Logicality
Medium Low Low Nonetolow High Depends High High Medium
Source:AdaptedfromGaston,1996,p.19.
Insummary,boththeresponsibilitystructuresandcommunicationamongkeystakeholdersare importantissuesthatneedtobecarefullyunderstood.Theformalmeansbywhichauthorityis identifiedandsubsequentlydelegatedshouldhaveavisiblerelationtoanorganization’spurpose. Responsibilityofdifferentrolesshouldbefixedsuchthatteamworkisencouragedandsolutions tosecurityproblemsareprovidedclosetothepointofaction.Thereareopportunitiestoshare objectiveswheneverorganizationalstructuresandprocesseshavebeenwelldesignedandcommunicationchannelswellformed.Sharedobjectivesleadtoasettingwhereresponsibilitywill exceedauthority. AlignmentActivities Aninformationsecuritystrategyshouldalsobealignedwiththeoverallorganizationalstrategy. Thesecuritystrategyshouldsupportorganization-widestrategyandpositivelyhelpinreachingan organization’sgoals.Forexample,Table2.2illustratesthedegreetowhichorganizationalstrategic goalsforinformationcanbesupportedbyinformationsecuritystrategy.Acorporategoalofhigh qualitywouldalignwithtypicalinformationsecuritypolicies,whileitmaynotbenecessaryto alignsecuritystrategiescloselywithanorganizationalgoalofaccuracyinitsinformation.Gaston(1996)characterizestherelationshipofsecuritywithaccuracyandcompletenessasonein whichinformationisallowedtobecreatedoralteredonlybythosewiththeknowledgetodoso correctlyandonlybyusingauthorizedapplicationprograms.Otherorganizationalgoals,suchas privacyandconfidentialityofinformation,maybeheavilyrelatedtoinformationsecuritystrategy dependingonthekindofinformationthattheorganizationisprocessingandthelaws,practices, andstandardswithwhichtheorganizationmustcomply.Activitiestoalignthesecuritystrategy withthestrategicgoalsoftheorganizationasawholeshouldbetypical,andmoststrategy-setting processesforinformationsecurityshouldaspiretomaintainthatintegrity. SecurityEnvironment Anappreciationoftheorganizationalcontextisimportantforsettingsecuritystrategygoals.This ismoresothecaseespeciallywhencompaniesareoutsourcingasignificantproportionoftheir informationtechnologyoperations.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW27
Kalfan(2004)notesthatoneofthemostimportantissuestoconsideristheservicelevelagreement(SLA)betweentheclientandthevendor.Suchanagreementneedstoincludelegalclauses ofnon-disclosureandpenaltiesforviolations.SuchSLAsmay,however,notdissuadesomeinformationtechnologyworkersfromsubvertingthecontrolsandsellingconfidentialinformation forpersonalgain.OnJune23,2005,BritishBroadcastingServicereportedclaimsbythetabloid newspaperTheSunthatitsjournalistsboughtpersonaldetailsincludingpasswords,addresses, andpassportdatafromaDelhiITworkerfor£4.25each. Occurrencesofthiskindcallforincreasedvigilanceforensuringsecurity.Preventivemechanismsneedtobeinstituted.Sherwood(1997)suggestsfourclassesofprinciplesthatshouldguide asecuritystrategy,particularlyinthecontextofoutsourcing: 1. 2. 3. 4.
Properdefinitionofresponsibilitiesandliabilitiesofbothparties Definitionofbusinessprocesseslinkingtheclientandthevendor a. securitypolicymandatedauthorizations b. outsourcingserviceprovidertoactas“custodian,”withimplementationprivileges c. adequateauditprocesses Documentsdescribingprimarysecurityrequirements Supportingdocumentson“securitytarget”implementation
Inimplementingtheprinciples,Sherwoodproposesasecurity-outsourcingmodel(seeFigure 2.9),wherealiaisonismaintainedbetweenthecustomerorganizationandtheserviceprovider throughsomesortofanoutsourcedservicessecurityforum.Desirableasthesemightbe,sucharrangementsareonlybeginningtoevolve.Forinstance,followingthetheftofpersonaldetailsfrom aserviceproviderintheDelhiITworkercase,theapexbodyinIndia(NASSOCOM)steppedup toprovideassurancesandadiscussionforumforpreventingsuchoccurrencesinthefuture. Sherwoodproposessomeessentialstepsthatneedtobeconsideredifapropersecurityenvironmentistobemaintained: • Legallybindingresponsibilities.Anyoutsourcingarrangementshouldidentifyandimplement legallybindingresponsibilities. • Organizationalstructure.Thereshouldbeamutuallyagreedorganizationalstructurefor ensuring proper allocation of responsibilities, liabilities, and subsequently attribution of blame. • Processclarity.Thereshouldbeclarityandagreementaboutthemannerinwhichactionswill betaken,bothtoproactivelysecurethefacilityandafteraneventhasbeendiscovered. • Performancemeasurement.Bothpartiesshouldestablishmeasuresthatwillbethebasisfor evaluatingperformance,especiallywithrespecttoriskmanagement. • Proactivemanagement.Outsourcingsecuritycannotbeassuredafteracontracthasbeen signed.Allaspectsofsecurity,includingpenalties,needtobeelaboratedatapre-contract stage. Animportantaspectofmaintainingagoodsecurityenvironmentistheproperbalancebetweenvariouscompetingforces.Clearly,thesecuritystrategyhastobalancewiththecurrentorganizational capabilitiesandthefutureorganizationalopportunities.Ifthisisnotdoneandanenvironmentto sustainitisnotcreated,itmightresultinalackofalignmentbetweenthegoalsandthemeansof achievingthem.Twootherimportantaspectsforsettingasecuritystrategyincludeconsideration ofthelevelandextentofresourcesavailableandthecorporateobjectives.
28 BASKERVILLE AND DHILLON Figure2.9 Organizationalmodelforoutsourcingsecurity
Service Provider
Customer Organization Internal Audit Department
(Coordinating Communictions)
Outsoucing Working Party
Corp Security Department
Internal Audit Department
Corp Security Department
Outsourcing Security Forum
Outsourcing Security Mgr Service Security Coordinators
(Coordinating Communictions)
(Coordinating Communictions)
Outsourcing Security Mgr Service Security Coordinators
Source:AdaptedfromSherwood,1997.
SECURITYSTRATEGY-SETTINGPRODUCTS Oncethegoalsoftheinformationsecuritystrategyprocessareset,theproductsofstrategysetting mustbedelineated.Theseproductscanincludestatementsofvision,corevalues,rationale,and strategicplans.Inaddition,themajorcomponentsoforganizationalstrategyshouldalsobedelineated.Thesecomponentsincludetheprocessforsecuritystrategy,itssecurityoperationsstrategy, anditssecuritybudgetingstrategy.Theoperationalstrategyconcernswhethertheorganization’s informationsecurityoperationwillbecentralizedordistributed.Thisoperationalstrategywillform thecontextforthebudgetingstrategy.Forexample,itshoulddefinewhetherinformationsecurityis goingtobeacostcenterormanagementoverhead.Anorganizingstrategymustalsobedefinedfor informationsecurityoperations.Thisorganizingstrategywillberelatedcloselytotheoperational strategy.Organizingstrategiesincludehierarchicalorganizationaldesignsthatrespondtostrategic needstocentralizecontroloversecurity,andnetworkorganizationaldesignsthatrespondtoneeds for organizational agility with regard to information security. Matrix organizational strategies respondtoneedsforinformationsecurityportfoliossuchassettingsinvolvingprojects. Statements The central product of any strategy-setting process will be a set of statements that define the organization’sinformationsecuritystrategicplanandinstructorganizationalmembershowthis
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW29 Exhibit2.1
ExampleofanInformationSecurityVision Allorganizationalinformationwillatalltimesberesponsiblyinsulatedagainstallthreatstoinformationintegrity,availability,andconfidentiality.
Exhibit2.2
RochesterInstituteofTechnology’sInformationSecurityVisionStatement RITiscommittedtomakingavailableappropriateinformationinthesupportofitsmissiontoprepare studentsforsuccessfullifetimecareerdevelopment.RITisalsocommittedtoitsstewardshiprole toprotecttheconfidentiality,integrity,andavailabilityofinformationentrustedtoRITbystudents, faculty,staff,alumniandpartnersfromthepublicorprivatesectors,asdeemednecessarybyeducationalneeds,privacyobligations,regulatorycomplianceorcontractualobligation.
Source:RIT,2004.
planistobeimplemented.Examplesofsuchstatementsincludevisionstatements,statementsof corevalues,rationalesforstrategies,strategicmaps,andstrategicplans. Avisionstatementiswhattheorganizationwouldideallyliketobecome.Suchstatementsare oftenfaronthehorizonandaremeanttoprovideanoverallsenseofthedirectionoftheorganizationanditsgrowthanddevelopment.Awell-formedprocessfordevelopinganinformation securitystrategyshouldencompassthestageinwhichthevisionfortheorganization’sinformation securityispronounced.Forexample,suchavisionmightenjoytheprospectofcompleteinformationsecurityforallassets,foralltime,againstallthreats(seeExhibit2.1). Astatementofcorevaluesisanothersomewhatidealisticcomponentofstrategysettinginwhich thethreeorfourkeyorganizationalvaluesbecomepronouncedinsuchawayastodistinguish theorganizationfromitspeers.Awell-formedprocessfordevelopingsecuritystrategiesmaybe improvedwhensuchvalueshavebeenexplicated.Anexampleofsuchacorevalueforasecurity strategycouldbe“Wehighlyrespecttherighttoprivacyofourcustomersandouremployees.” Exhibit2.2isanexampleofavisionstatementthatincludescorevalues. Statementsofstrategicrationaleformconcreteexplanationsfortheselectionofstrategicdirectionsandactivities.Thestatementsarearecordofthethinkingbywhichstrategicplanswere designed.Thestatementsareimportantforexplaininghowthestrategiststranslatedinformation securitygoalsintoinformationsecuritystrategicplans.Forexample,therationaleforthestrategic planthatincludesanimprovementprogramfororganizationalpasswordsmightshowthatpassword compromisehasbeenarecurringproblemthathasledtoviolationofprivacyofcustomerdata. Strategymapscanbeusedasameansfordevelopinganddocumentingstrategicplansandtheir rationale.Suchmapsaresometimesdevelopedinstagesthatbeginwithcognitivemapsdeveloped bygroups,whicharelatercompiledintooverallstrategymaps(EdenandAckermann,2002). Suchmapscanbepartoftheprocessofdeterminingstrategicgoals,programs,andactionsfor informationsecuritypurposes.Forexample,arationalethatexplainswhyapasswordawareness programmustbecontinuous,couldbemappedasinFigure2.10. Strategicplansaregenerallytextdocumentsthatdetailthevision,values,goals,andrationale. Inaddition,theseplansincludedetailsforactivitiesthatwillleadtotheachievementofthegoals andmovetheorganizationclosertowarditsvision.Descriptionsofsuchactivitiesareoftenex-
30 BASKERVILLE AND DHILLON Figure2.10 StrategyMapFragmentforPasswords
Rushed staff forgets the rules for good passwords
Current password training is not sufficient
Need for continuous password training Data are frequently compromised
Passwords are too simple and easily guessed
pressedinaformthatisasmeasurableaspossible.Inthisway,managerscandeterminewhether ornottheactivityhasbeencarriedout.Notonlyistheorganizationplanningtomeasurethe achievementofitsgoals,butitisalsoplanningtomeasuretheactivitiesdevelopedasameansof achievingsuchgoals.Incircumstanceswhereagoalisunmet,managerscandeterminewhether theactivitiesmeanttoachievethatgoalhavebeensuccessfullycompleted. MajorComponentsofOrganizationalSecurityStrategy Thereareanumberofactivitiesthatcometogethertoformanorganization’ssecuritystrategy. Themajoractivitiesareidentifiedanddescribedbelow(BackhouseandDhillon,1996). Activity1:Acknowledgepossiblesecurityvulnerability.Oftentimesthereislittleconsensus thatapossiblesecurityvulnerabilityexists.Thisisusuallyaconsequenceofdifferentperceptions ofindividuals.Thereforeitisimportanttointerviewdifferentstakeholdersanddevelopsomeunderstandingofwhattheiropinionsonsecurityvulnerabilitymightbe.Thisisanimportantstep, particularlywithrespecttolayingafoundationforfurtherconsensusbuilding. Activity2:Identifyrisksandthecurrentsecuritysituation.Withparticularattentiontoexisting structuresandprocesses,adetailedpictureofthecurrentsituationisconsidered.Thestructure relatestothemannerinwhichtheformalreportingstructures,responsibilities,authoritystructures, andformalandinformalcommunicationchannelsexist.Softerpowerissuesarealsomapped. Past research has shown that organizational power relationships play an important role in the managementofinformationsecurity.Processislookedatintermsofatypicalinput,processing, output,andfeedbackmechanisms.Thisinvolvesconsideringbasicactivitiesrelatedtodeciding todosomething,doingit,monitoringtheactivitiesasprogressismadeandtheimpactofexternal factors,andevaluatingoutcomes. Activity3:Identifytheidealsecuritysituation.Identificationoftheidealsituationinvolves understandingthenatureandscopeofimprovementsthataretobedeveloped.Thedetailsofthe idealsituationarethendiscussedwiththeconcernedstakeholderstoidentifyboth“feasible”and “desirable”options.Thisinvolvesahigh-leveldefinitionofbothtechnicalandproceduralaspects. Activity3isrootedintheidealworld.Herewedetachourselvesfromtherealworldandthinkof idealtypesandconceptualizeaboutidealpractices.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW31 Table2.3
ExampleofMeasuresofPerformance Assessmentmeasure
Basicgoal
Intrusiondetectionexample
Efficacy
Safeguardproducesaneffect
Intrusionsaredetected
Efficiency
Thecostofthesafeguard comparespositivelywiththe valueofitsproduct
Thelossesduetointrusionsare reducedtoalevelthatjustifiesthe costofthedetector
Effectiveness
Safeguardproducesadecided, decisive,anddesiredeffect
Allimportantintrusionsaredetected
Activity4:Modelidealinformationsecurity.Thisstagerepresentstheconceptualmodelingstep intheprocess.Allactivitiesnecessarytoachievetheagreedupontransformationareconsidered andamodeloftheidealsecuritysituationisdeveloped.Inaperfectsituation,thesecurityfeatures shouldmatchtheidealtypesdefinedinActivity3.Animportantconsiderationatthisstageis monitoringtheoperationalsystem.Thefollowingthreeaspectsareconsidered: 1. Definitionofmeasuresofperformance.Thisgenerallyrelatestoassessingefficacy,efficiency,andeffectiveness(seeTable2.3foranexample).Othermetricsbesidesefficacy, efficiency,andeffectivenessmayalsobeused. 2. Monitoringofactivitiesaccordingtodefinedmetrics. 3. Controlactionstaken,whereoutcomesofthemetricsareassessedinordertodetermine andexecuteactions. Activity5:Compareidealwithcurrent.Thisstageinvolvescomparisonofconceptualmodels withreal-worldexpression.ThecomparisonsmayresultinmultiplereiterationsofActivities3 and4.Althoughtheremaybeatendencytoengageinconceptualmodelbuilding,itisprudent tomoveontoActivity5andreturntoActivity4later.Thishelpsinundertakinganexhaustive comparisonoftheactivities,particularlytargeting: 1. Conceptualmodelasabaseforstructuredquestioning.Thisisusuallydonewhentherealworldsituationissignificantlydifferentfromtheonedepictedintheconceptualmodel. 2. Comparinghistorywithmodelprediction.Inthismethodthesequenceofeventsinthe pastarereconstructedwithpossiblepredictions. 3. Generaloverallcomparison.Thishelpsindefiningfeaturesthatmightbedifferentfrom presentreality. 4. Modeloverlay.Therealandconceptualmodelsarecomparedanddifferencesdiscussed. Activity 6: Identify and analyze measures to fill gaps. The desired solutions are reviewed, particularlyinthecontextoftheproblemdomain.Atthisstageitisimportanttodefinetheintent. Solutionsareidentifiedtoaddresstheintent.Forinstance,ifproceduresaretobedefined,the possiblesolutionwouldbetohireinternalcontroldesignconsultantswhomayhaveknowledge oftheSarbanes-OxleyAct. Activity7:Establishandimplementsecurityplan.RecommendationsdevelopedinActivity6 areconsideredandsolutionsformulated.Animplementationplanisdevised.Atthisstage,inte-
32 BASKERVILLE AND DHILLON
grationofsecurityintooverallsystemsandinformationflowsisalsoconsidered.Activity7also ensuresthatthesolutionsaffordeddonotconflictwiththeoverallstrategyorotherprocedures thatmightbeinplace. ORGANIZINGTHESTRATEGY-SETTINGPROCESS Aspreviouslystated,thestrategy-settingprocessmaybeorganizedusingaproductcriterionor aprocesscriterion.Aproductcriterionwouldorganizethestrategy-settingprocessbygrouping activitiesaccordingtotheendproductsoftheprocess.Forexample,activitieswouldincludevision setting,corevaluedetermination,andplanning.Aprocesscriterionwouldorganizethestrategysettingprocessbygroupingactivitiesaccordingtomajorcomponents.Forexample,activities wouldincludealigningsecuritywithorganizationalstrategy,planningoperationalstrategy,and planningsecurityorganization.Thestrategy-settingprocesscanbetopdownorfederal.Atopdownstrategy-settingprocesswouldbeginwithahigh-levelcommitteedelegatingelementsofthe strategytolower-levelcommittees.Afederalprocesswouldbeginwithlower-levelcommittees channelingdraftstrategycomponentsuptohigher-levelcommitteeswherestrategywouldbeassembledbyrationalizingthecollectionoffederatedcomponents. ProductCriterion Theproductcriterionisprobablythemoststraightforwardandintuitiveprinciplefororganizing thestrategy-settingprocess.Underthisprinciple,thegoalsofstrategysettingareusuallyfocused ontheproducts.If,forexample,theproductsareavisionstatement,acorevaluesstatement,and astrategicplan,thenthestrategicplanningprocesswouldbeorganizedinthreestages.Thethree stageswouldalignwiththethreeproducts.Stageonewouldbethecreationofavisionstatement. Stagetwowouldbethecreationofavaluesstatement.Stagethreewouldbethecreationofa strategicplan. Visionstatementsareusuallypronouncedfromtheupperechelonsoftheinformationsecurity managementfunction.Thisprocessmaybesimple,suchasanautonomousstatementcraftedby theorganization’schiefinformationsecurityofficerandsubmittedforapproval.Theprocessmay alsoentailawidespreadeffortbyvariousstakeholdersininformationsecurity.Theorganization’s chiefinformationofficer,chiefinformationsecurityofficer,chiefprivacyofficer,andothersenior managementofficialswithresponsibilityrelatedtoinformationsecuritymayformavisionstatement developmentcommittee.Thevisionstatementmaybesetafteralengthyandin-depthdiscussion thatmayincludereviewsoforganizationalstrategy,peerorganizationvisionstatements,anda retreat-stylemeeting.Inaparticipativeorganization,thevisionstatementsmaybereviewedfor commentbytheentireinformationsecurityorganization. The core values statement is usually developed in a bottom-up and participative process. Membersoftheorganizationareinvitedtoproposestatementsofvaluestheyfeelareofcommon importanceacrosstheentireorganization.Theinformationsecuritymanagementfunctioncollatesthesestatementsandcollapsesthemintothreetofivecommonvaluesthatstretchacrossthe informationsecurityorganization. Usingtheseproductcriteria,theprocessfordevelopinganinformationsecuritystrategicplan thenfocusesonendsandmeans.Thevisionstatementbecomesaguidefordeclaringtheends, whilethecorevaluesstatementsbecomeguidesforselectingthemeans.Inthisfashiontheelementsofthevisionbecometheorganizingprincipleforthestrategy-settingprocess.Forexample, ifthevisiondeclaresthattheorganizationwillachievecustomerdataprivacy,thenthestrategic
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW33
planningprocesswillincludeadevelopmentcommitteeforsettingastrategicplanforachieving customerdataprivacy.Thestrategicplanningorganizationwillbearollupoftheworkingparties necessarytoachieveallelementsofthevisionstatementandthevaluesstatements. Forexample,anorganizationalsecurityvisionmightstatethat“organizationalinformationwill beinsulatedagainstallthreatstodiminishinformationaccuracy,availability,andconfidentiality.” Usingaproductcriterionfororganizingtheinformationsecuritystrategy-settingprocesswould leadtothreeworkinggroupsforsettingthecomponentsofaninformationsecurity:anaccuracy workinggroup,anavailabilityworkinggroup,andaconfidentialityworkinggroup. Finally,anoverviewworkinggroupwouldcompilethestrategiccomponentsdevelopedby theindividualworkingparties.Forinstance,strategiesdevelopedindependentlyforachieving accuracy,availability,andconfidentialitywouldbecompiledintoasinglestrategicdocumentwith anyoverlapsremoved.Mostinformationsecuritystrategydocumentsdevelopedwithaproduct criterionwillcontainatleastsixcomponents: 1. Acknowledgmentofpossiblesecurityvulnerability.Thisdeclarationisnecessarytomotivateanyreasonableriskmanagementstrategy.Withoutthisdeclaration,themotivation toprotectimportantstakeholders,liketheshareholders,ismuted. 2. Riskidentificationandcurrentsecurityanalysisplan.Thiscomponentprovidesabaselineanalysisanddefinitionfromwhichtheinformationsecuritystrategyaimstomove forward. 3. Planfordesigninganidealsecuritysituation.Thiscomponentprovidesthestrategyfor definingthedesiredfutureinformationsecuritystatefortheorganization. 4. Planforcomparativeanalysisofidealandcurrent.Thiscomponentprovidesthestrategy formaintainingcontinuousinformationaboutfutureinformationsecuritystatesofthe organization. 5. Planforanalysisofmeasurestofillgaps.Thiscomponentprovidesthestrategyfordefiningcontinuousimprovementintheinformationsecuritystateoftheorganization. 6. Planforimplementingmeasures.Thiscomponentprovidesthestrategyforfinancingand deployingfutureinformationsecurityimprovements. ProcessCriterion Anintegralpartofthestrategy-settingprocessisthecompetenciesthatmaybenecessaryfor identifyingandgroupingactivitiestogether.Thewaythatmanagersconceiveofinformationsecurityholdsenormousimplicationsforthewaytheythenmanagethetechnologicalcontrols.In general,theearlyliteratureoninformationsecurityreflecteda“mechanistic”conceptualization ofinformationtechnology.Thatis,resourceswereconsideredanassetthatcouldbepurchased andmanagedmuchlikeanytooltoenableatask,somethingakintopurchasinganespeciallyfine hammerforcarpentry.Initialdifficultieswithintegratingsecuritywerethusconsistentlyinterpreted tomeanthatadeficienthammerwaspurchased,orevenmoreoften,thattheorganization’snails andwoodweresomehowjustnotoftheproperqualitytohandlethefinehammer.Thusenergy wasexertedat“fixing”security,oralternatively,properlytrainingpersonnelandrestructuringthe organizationtoaccommodatenewsecuritytoolsandtechniques. Beforeverylong,asecondschool,sometimesreferredtoasthe“Vitalist”school(seeLewin, 1993),reconceptualizedtheexplanationfortheoftentremendousdifficultiesassociatedwith information security implementation. Using a social construction lens, information security wasconsideredanembodimentofthesubjectiveviewsofthemanyorganizationalactors(e.g.,
34 BASKERVILLE AND DHILLON
seeArmstrong,1999)andthusissuesofcontext,situation,andtherelatedtaskofintegrating differentinterestgroupsbecameparamountinaddressinginformationsecurity.Inextending ourabovemetaphor,therealproblemthatorganizationsfaced,then,wasthatactorsviewed theirnewtoolasawrench,screwdriver,orsaw,whiledesignerscreatedtheirversionofahammer.Integrationsuccessbecamedependentontheextentthatthetoolproducedactuallycould accommodatetheusesandconflictsinherentintheorganizationalsystem.Bothoftheseviews provideverydifferentmodelsofmanaginginformationsecurity,andtheyofferusefulprescriptionsinmanycases. Thesetwoviewpointsmaybebridgedbyacceptingthattechnicalcontrolsarebothaphysical artifactandsocialconstruction,andthattheinteractionofhumanswiththeirtechnicalcontrolsleads toadualityofcauseandeffectinunderstandinghowsecuritycontrolsworkinorganizations(Dobson, 1991).Inthismodel,thecreationofmeaning,norms,andpowerhelpspredicthowtechnological controlsareformed,shaped,andusedovertime,aswellashowtheyinteracttoformandshapethe behaviorsandprocessesoftheenvironment(Segev,Porra,andRoldan,1998).Thismodeldirectly impliesthatthecause-effectrelationshipsbetweentechnicalcontrolsandorganizationisnonlinear; thatis,thereexistsattheveryleastaclosedloopthatmaintainsthatorganizationsshapethetechnicalcontrolsandthecontrolsshapetheorganization.Toreturntoourmetaphor,informationsecurity systemsrepresentthematerialsandmachinesfortoolmaking,andthustheirroleistoproducehammersorsawsaccordingtotheorganization’srequirements;atthesametime,theorganizationmust constantlystructureitselftouseandimplementthesematerialsandmachines.Inthissense,then, informationsecurityisnotanasset,butanintegralpartoftheprocessanddynamiccapabilitiesof theorganization,bothshapingandbeingshapedbytheorganization. MARSHALLINGTHECOMPETENCIES Inordertodeliverperformanceoneithertheprocessortheproductcriteria,managementmust ensuretheorganizationhasassembledthenecessaryinformationsecuritycompetencies.Without thenecessarycompetencies,implementationofanystrategymustfail.Wherethecompetencies areunavailable,thestrategiesmustbemodifiedtocompensatefortherealityoftheorganizational situation. Whatthenarethecompetenciesforidentifyingandmanaginginformationsecurityinsuchan environment?Clearlytherehasbeenalotofresearchundertakeninthemainstreamorganizational strategyarena.McGrathetal.(1995)arguethatcompetenciesnecessaryareanidiosyncraticcombinationofindividualskillsandtheunderstandingofthebusinessprocesses.Theprocesscriteria formanaginginformationsecurity,thereforeisintricatelylinkedwiththenotionofcompetenciesthatmaybenecessary.Therestofthissectionidentifiesanddescribeskeycompetenciesfor managinginformationsecurityinorganizations. CompetencytoCreateAdequateBusinessProcesses Anunderstandingofbusinessprocessesandhowtheserelatetoensuringintegrityofinformation flowsisakeycompetencethatisnecessaryforstrategizingaboutsecurity.Thebusinessprocesses areanindicationofhowacompany’svisionandgoalsareidentifiedandcommunicated.Properly designedanddefinedbusinessprocessesareuniversallythoughttobethefoundationforeffective informationsecurity.Organizationsmustbeabletorealizetheirstrategicobjectivesandcreate effectivebusinessprocessesinaccordancewiththoseobjectives.Itisontheseclearandcohesive businessprocessesthatallsecuritystrategiesshouldbebuilt.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW35
CompetencytoClearlyDefineRoles Animportantsteptowardsecuringinformationliesintheorganization’sabilitytoclearlydefine therolesandresponsibilitiesofallitsmembers.Definitionoffunctionsiscriticalforthehealth ofanyorganization’sstructure(seeSchlenkeretal.,1994). Allemployeesneedtofullyunderstandthepurposeandthescopeoftheirdistinctiveroles withintheorganization.Itisineveryorganization’sinterestnotonlytoassignrolesinaccordance withbusinessprocesses,butalsotoexplainthepurposeofeachroleandtoclarifyindividualresponsibilities.Informationsecuritydesignshouldtakeintoaccountrolesdistributedthroughout theorganization,andalwayssupport,ratherthanlimit,theexecutionofdutiesrelatedtothese roles.Inparticular,informationsecuritydesignmustcarefullyconsidereachrole’srequiredaccesstoinformation.Inorganizationswhererolesareclearlyandpreciselydefinedandemployees understandtheirposition’scontributiontothecompany’soverallstrategy,securityissuesaremuch easiertomanage. CompetencytoRecognizeImportanceandScopeofSecurityConcerns Asdiscussedpreviously,securityprocessesmustbedesignedinaccordancewithanorganization’s strategicandbusinessgoals.Nosecuritysystemwillbeeffectiveunlessitfollowsbusinessprocesses. For successful and effective information protection to be developed, top management mustacknowledgehowcrucialinformationsecurityistobusinesssuccessandunderstandhow severetheoutcomeofasecuritybreachcouldbe.Oncethisisrealized,itismucheasierforthe companytocommenceitsjourneytowarddesign,development,andimplementationofaneffectiveinformationsecurityplan. Over-standardizationofprotectiontoolscanbeanimpedimenttodevelopingasecureenvironment.Allsecurityproceduresandtoolsshouldfollowspecificbusinessprocessesandmustbe adjustedtofitspecificbusinesssettingsandoperations.Thus,foracompanytoproperlydevelop itssecuritypolicies,controls,andprocedures,topmanagementneedstobeabletoidentifymajor threatseveryorganizationalsystemfaces.Itiscrucialthatthoseinchargeofdevelopingastructure toprotecttheinformation,bequalifiedforthetask.Theymustpossesstheknowledgeofsecurity issues,currenttrends,andsolutions.However,securitymanagers’knowledgecannotbelimited totechnologicalissues;theyneedtokeepinmindthecompany’scorebusinessandunderstand thecompany’sbusinessprocesses. CompetencytoIdentifyInternalThreatstoInformationSecurity Thereisanecessityofdistinguishingbetweenemployeescommittingunintentionalbreachesof informationsecurity,andthemalicious,consciousactsthataimtosteal,tamperwith,ordestroy informationpossessedbyanorganization.Inmanycasesemployeesaregenuinelyunawarethatthey arebreachingsecurity.Yet,bothofthesethreatsarerealandbothcanresultinsevereconsequences. However,eachdemandsaslightlydifferentapproachwhendevelopingsecuritycontrolsandprotectiontools.Whendesigninginformationsecuritysystems,everycompanymustbecognizantof theneedtopreventbothmaliciousactsandunintentionalgivingawayordestroyinginformation, andeachmustbeabletoprotectitsinformationfrombothtypesofsecuritybreaches. Accidentalactsthatresultinsecuritybreachescanbeavoidedonlyiftheorganizationacknowledgesthepossibilityoftheoccurrenceofsuchacts.Therefore,organizationalcompetenciesthat arecritical,inthiscontext,consistofthecompany’sabilitytoanticipateandpreventsituationsin
36 BASKERVILLE AND DHILLON
whichinformationcanbeendangeredbyunintentionalannouncementofsensitiveandconfidentialinformationorunintentionaldeletionofdata.Tobeabletopredictallpossible,undesirable scenarios,theorganizationneedstopossessin-depthknowledgeoftherealityinwhichitsbusinessprocessesareperformed.Onlybypossessingthisknowledgecancompaniescreatesecurity systemsthatwillprotectagainstunintentionalabuseordeletionofinformation. Intentionalactsordeliberatesabotageofinformationisanotherthreateverycompanymustbe awareofwhendesigningitsinformationsecuritysystem.Here,theabilitytoconductaccuraterisk analysisisoneofthemostimportantcompetenciesanorganizationmaypossess.Ignoranceofthe needto,ornegligenceinimplementingnecessaryprecautionstoprotectdatatheftandinformation sabotage,mayseriouslyjeopardizeboththefinancialstabilityofacompanyanditscompetitive positionintheindustry.Theabilitytoforeseeallpossiblesituationsinwhichinformationsecurity couldbebreachediscertainlyabaseforproperdesignofprotectionsystems. CompetencytoImplementInformationSecurityPolicies Undeniably,organizationsneedtopossessthecompetencytodesignfunctionalandeffectiveinformationsecuritypolicies.However,thiscompetencyisnotsufficient;itmustbecomplemented bytheorganization’sabilitytoexecutethesepolicies.Organizationsneedtobeabletoactively enforcetheirprocedures.Anorganizationmayexpendgreateffortandresourcestodesignsecurity regulationsandpolicies,yetafterwardfailtoexecutethesepoliciesproperlyandscrupulously. Policiesandcontrolsareusefulonlyifanorganizationisabletodevotethetimeandresources necessarytoutilizethemproperly.Enforcementofsecurityproceduresisequallyvitalinthecontextoftechnologicalsecurityandmanagerialcontrols.Inaddition,evenifbusinessprocessesand informationsecuritycontrolsarecompatible,theendusermustbekeptinmind.Ifprocessesare cumbersome,employeesarelikelytoskipthemorbypassthemtomaketheirjobseasier,unaware ofthepotentialfordamage.Forexample,banktellersmayavoidloggingoffthecomputerevery timetheystepawayfromtheterminalbecausecustomersarewaiting,theyareverybusy,ittakes toolongtologbackon,and/orasupervisor’skeyisrequired. Similarly,fromamanagerialstandpoint,competentindividualsshoulddiligentlyandactively performmanagerialcontrolsandmonitoring.Inaddition,theentireorganizationmusthaveaclear understandingofthelinesofcommandandknowwhoshouldperformwhichcontrolprocedures andtowhomsuspiciousbehaviorsshouldbereported.Furthermore,everyemployeeshouldbe abletoreportsuspiciousbehaviorstoanindividualoutsideofhisorherdepartmentwhodoesnot reporttothesamesupervisors. CompetencytoMaintainPolicyFlexibility Despitetheobviousnecessitytodesigneffectiveandstrongprotectionsystems,flexibilityofestablishedsecuritysystems,controls,andproceduresalsoseemsessential.Flexibilityinthiscontext isunderstoodastheabilityoftherulemakersintheorganizationtoreviseestablishedrulesand procedures.Informationsecuritymanagersneedtobeabletoacceptsuggestions/criticismsfrom themembersoftheorganization.Organizationsdonotoperateinaperfectworld.Unanticipated problemsarelikelytoarise.Therefore,theorganizationshouldhaveamethodofevaluatingand, ifnecessary,revisingitssecuritysystemtoadapttoandmeetthechangingneedsoftheorganization.Iftoomanytimesemployeesdemandmoreaccesstoinformation,itcanmeanthatthecurrent rulesareinhibitingthemfromexecutingtheirrolesefficientlyandeffectively.Insuchsituations, reevaluationandredesignofthesecurityprocessesmaybenecessary.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW37
CompetencytoRegulatetheFlowofInformation Limitingaccesstosensitiveinformationisoneofthemostfrequentlymentionedissuesininformationsecurity.Thisissueisdirectlyrelatedtotheroledefinitionaspectsdiscussedearlier.Access toinformationshouldbeassignedaccordingtorolesortasks.Employeesshouldhaveaccessonly tothatinformationthatisrequiredforthemtofulfilltheirduties.Therefore,organizationsneedto developthecompetencetoregulateandcontroltheinformationflows,bothwithintheorganization andthroughoutthebusinessnetwork. CompetencytoCommunicatetheNecessityforInformationSecurityProcedures Informationsecurityisnotonlythedomainofthetopmanagement.Itistruethatthoseresponsible forcorebusinesstasksneedtounderstandtheimportanceandthescopeofinformationprotection. However,employeesmustunderstandtheorganizationalprocessesandbusinessgoalsoftheir organizations,andprovideprotectionalongtheentirecourseoftheinformationflow.Therefore, anorganizationmusthavetheabilitytoconveythecriticalityofmaintaininginformationsecurity throughoutthewholeorganization.Topmanagementhastobewillingtoprovidetheresources necessarytodevelopeffectivesecuritysystems,whileemployeesneedtobeconvincedofthe usefulnessandimportanceofthesesystems. Insiderthreatstoinformationsecurityareaseriouscategoryofrisk.Itisalsoimportantto acknowledgethatthisthreatcanbeasmucharesultofaconsciousactasofunintendedactsdue tounawareness,lackofknowledge,orignorance.Oneofthemostimportantbarrierstocreating aneffectiveinformationsecurityplanisthelackofawarenessoftheconsequencesuncontrolled informationexchangecancause.Preventionisfarmoreimportantthancrisismanagement.Therefore,managersneedtobeabletoconductaccurateandrelevantriskanalysis.A“bigpicture” approachiscriticalforeffectiveriskanalysis,aswhatmayseemtobeaninsignificantmistake orinnocentinformationexchangecan,inreality,havemuchmorefar-reachingeffectsthanthe organizationcouldanticipate.Anyinformationhandled,processed,orpassedovershouldalways behandledwiththeunderstandingthatitcouldpotentiallybemisusedorstolen. Generalawarenessofthecompany’sbusinessprocessesandgoalsiscriticaltoensureinformation security.Itisalsoimportantfortheemployeestounderstandboththepurposeandthescopeofinformationsecuritypolicies,controls,andprotections.Organizationsshouldhavetheabilitytoconvince theiremployeesthataccesstoinformationgoeshandinhandwithacorrespondinglevelofliability. Theabilitytocommunicatethislevelofpersonalaccountability,andthewillingnesstocontinually remindemployeesofthisrule,willmakethemlesslikelytodemandunlimitedaccesstodata. CompetencytoFacilitateInformalCommunicationaboutInformationSecurity Competencytofacilitatecommunicationbetweenmanagementandemployeesshouldbepresent atboththeformalandinformallevelsoftheorganizationalenvironment.Writtenpoliciesarethe mostformalformofcommunicationacrosstheorganization.Trainingisanintegralpartofformal communication,althoughorganizationsmustalsoencourageinteractionandopinionexchange ontheinformallevel.Inmanyorganizations,formallevelsofcommunicationareinplace.However,theyarerarelysupportedbymanagement’sabilitytodevelopinformalsettingsthatwould facilitateinteractionbetweenmanagementandemployees,leadingtoeffectiveunderstandingof thesecurityissues(seeTrompeterandEloff,2001).Aninformallevelofcommunication—an equallyimportantlinkincommunicationcompetency—isoftenlacking.
38 BASKERVILLE AND DHILLON
Communication is one of the most important means of increasing employee awareness of informationsecurityissues.Issuesofinformationsecurityinvolvemorethanjustthemannerand channelsanorganizationchoosestousetocommunicatewiththeiremployees.Itisalsoimportant tounderstandwhatkindofinformationshouldbecommunicated.Theabilitytoprovideemployees withpropercontent,througheffectivechannels,asoftenasnecessaryisacombinationofskills andprocessesthatconstituteswhatwedefineasacompetencyininternalcommunication. Intermsofwhattocommunicate,employeesneedtoknowwhyitisimportanttolimitaccess, whyitisimportanttoprotectdata,andwhatcanhappenwhensecurityisbreached.However,one moreissuerequiresclearandstrictannouncement.Inadditiontocommunicatingtoemployees theimportanceofinformationsecurity,itisimportanttoinformthemthattheycanbemonitored. Itisalsonecessarythattheyunderstandwhytheycanbemonitored. TheCompetencytoMonitorAdequately Theabilitytotrackandmonitorbusinessroleexecutioniscriticaltothesecurityofsystems.The processofmonitoringshouldalwaysbeintentionalandthorough.Itshouldbeunconditionally performedbycompetentemployeesabletoverifytheaccuracyandcorrectnessofalltheproceduresconductedbythemonitoredemployee.Attimesitisenoughfortheemployeetoknowthat he/shecanbemonitoredtominimizetheriskofsecuritybreach.Properreportingsystemsand transparencyofthemonitoringprocessandmechanismsforreportingsuspiciousactivitiesare criticalfactorsforachievinggoodsecurity. Monitoring should be a multilevel process. Employees who, due to their roles or external liaisons,couldhaveinterestinbreachingsecurityrulesandnorms(e.g.,thoseindirectcontact withclientsorcompetition)shouldbemonitoredmorecloselythanthosewhoaredetachedfrom externaltemptations.Advantagesofagoodmonitoringsystemgobeyondthepreventionofa securitybreach.Recognizingemployees’behavioralpatterns,understandingofproblemswith businessprocesses,andpotentialtechnologicalflawsaresomeoftheaspectsthatgoodmonitoring canreveal(D’Antoni,2002;O’Rourke,2005). Thesecompetenciesaffecttheorganization’sabilitytooperateanyparticularstrategy.Asa result,astrategymaybeinfeasibleifthecompetenciesareunavailable.Insuchacase,theorganizationmaychoosetoacquirethenecessarycompetenciesbycontracting,hiring,ortraining.It mayalsocompensateformissingcompetenciesbyadjustingitsstrategies. Forexample,wewilldelineatetwofundamentallydifferentapproachestosettingstrategy:topdown,andfederal.Organizationalsecuritycompetencieshaveagreatdealtodowiththeabilityto operateeitherstrategy-settingprocess.Foratop-downapproach,centralizedcompetenciesmaybe sufficientforgeneratingstrategybecausestrategysettingatlowerlevelsoftheorganizationcanbe reviewedcompetentlyatthehigherlevels.Federalstrategysetting,however,requireswidespread competenciesthroughouttheorganization’smanagementstructures.Strategiessetatlowerlevels oftheorganizationmaynotbesubjecttoreviewcentrally. TOP-DOWNSTRATEGY-SETTINGPROCESS Asstatedpreviously,anysecuritystrategyprocessneedstobealignedwithorganizationalchallenges.Itisalsoimperativetoidentifyshort-andlong-termbusinessgoalssincethesecuritystrategyneedstobeinsyncwiththebusinessobjectives.Ultimately,goodsecuritystrategydepends upongoodpoliciesandprocedures.Adequacyofagoodpolicyisdeterminedthroughacomplete internalanalysis.Thestepsinvolvedinthetop-downsecuritysettingprocessinclude:
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW39
• • • •
Internalanalysisandself-assessment Securityproceduredevelopmentandreview Policydevelopmentandformat Administration
InternalAnalysisandSelf-Assessment Differentnameshavebeenattachedtointernalanalysisandself-assessment.Theprocessiscalled securityauditsorsometimesriskassessment(Parker,1981).Theterminologyhasevolvedtomore precision.Riskassessmentusuallymeansthedeterminationoftheneedsorsuitabilityofcontrols, whileauditsarepartofanassuranceprocesstoassesswhethertheselectedcontrols(orthecontrols mandatedbystandards)areinplaceandfunctioning(WhitmanandMattord,2004).Atastrategic level,however,thepurposeisthesame—tounderstandtherangeofactivitiescomingtogetherto formbusinessprocessesandvulnerabilitiesifany.Aformalinternalanalysisandself-assessment exercisehelpsinreviewingthesecuritychallengesanorganizationmightfaceandcoordinating existingsecurityprocedures. Internalanalysisandself-assessmentareusuallyacommittee/teameffort.Particularattention needstobeplacedoncreatingacross-functionalteam.Thisisparticularlyhelpfulinensuring thatalloperatingunitsarebroughtintothefold.Furthermore,itensuresthatsecurityprocedures and the policy is well received by key stakeholders.The stakeholders need to be drawn from beyondtheITdepartment.Thishelpsinmovingtheemphasisfrombeingmoretechnocentricto organizational. SecurityProcedureDevelopmentandReview Sometimessecurityproceduresgetdevelopedinisolationofthenatureofworkanorganization mightbeinvolvedin.Thiscanresultinmisapplicationofrules.Thisisusuallyaconsequenceof aninabilitytomap,forinstance,accesstosystemruleswithorganizationalhierarchies.Clearly, thereisaneedtohaveagoodbalancebetweenstructures,processes,andtechnologicalmeansof controlling.Acompleteassessmenttothiseffectallowsforthedevelopmentandimprovement ofprocedures. Theteamworkingondevelopingproceduresneedstocomeupwitharangeofalternatives.All alternativesshouldbecirculatedtostakeholdergroupsforevaluationandproperbuyin.Basedon theinput,thefinalsetofproceduresshouldbedeveloped.Constantinteractionwithstakeholder groupsisessentialinordertoensureintegrityoftheprocedures. PolicyDevelopment Intop-downstrategysetting,policiesareenactedbyanaggregationofproceduresthathavebeen codifiedinacertainmannertocomplywiththepolicy.Manycriticalorhighlysensitivesecurity proceduresareattimesnotincludedinthepolicy,essentiallybecauseofthepublicnatureofthe document.Oneofthemainpurposesofsecuritypolicyistoactasacommunicationlinkbetween differentmembersoftheorganization.Theremaynotbeanymandatorycompliancewiththe policy,butitcertainlyactsasaguidingdocumentforcompliance. Therearedifferentwaysinwhichasecuritypolicymaybeorganized.Incertaincasesitmay justbeusefultocreateaseparatepolicyforeverytechnologyorsystem.Inothercasesitmaybe usefultohaveasinglecomprehensivesecuritypolicycoveringalltechnologiesemployedand
40 BASKERVILLE AND DHILLON
providingguidanceforarangeofsystems.Insomeothercasesamoremodularpolicymaybe useful.Choiceoforganizingvariouselementsinasecuritypolicyisafunctionofthenatureof theenterpriseandthebusinessneed(Whitman,2003).Ataminimum,thesecuritypolicyshould haveatleastsevensectionscoveringthefollowingtopicareas(WhitmanandMattord,2004): 1. 2. 3. 4. 5. 6. 7.
Statementofpolicy Authorizedaccessandusageofequipment Prohibitedusageofequipment Systemsmanagement Penaltiesforpolicyviolations Reviewandmodifications Limitationsofliability
Administration Thesecuritypolicyonlybecomesworthwhileifpropertraininganduserawarenessareundertaken. Thismeansthatorganizationsneedtoestablishaneducationandawarenessprogramtofulfill thepurposessetoutinthepolicy.Anissuerelatedtotrainingisthatofongoingreviewofthe policy.Clearlyapolicyisgoodinsofarasitisuptodateandremainsacceptabletoorganizational members.Forthisreason,itisessentialthatareviewandevaluationmechanismbesetinplace. Finally,enforcementandcomplianceissuesneedtobesetinplace. Primarily,thismeansthattheinformationsecurityorganizationmustestablishownersforeach elementintheinformationsecuritypolicy.Regardingauthorizedaccessandusageofequipment (item2inthelistabove),itmustbeveryclearinthepolicyexactlywhichorganizationalelement isresponsibleforprovidingauthorizedaccesstoequipment.Itmustbeclearwhatdocumentsand recordsaretobemaintained,andwhowithintheorganizationisresponsibleforthismaintenance. Theattachmentofownershiptoeachelementofthesecuritypolicywillhelptoensurethatthepolicy isproperlyadministeredandnotdepositedinorganizationalrecordswithoutenforcement. FEDERALSTRATEGY-SETTINGPROCESS Afederalstrategy-settingprocessmaynotbethatdissimilarinorganizationfromatop-down strategy-settingprocess.However,theinitiationandpowerconfigurationoftheprocesswillbe quite different. In general, a federal strategy-setting process will begin with lower-level committeesthatproducestrategycomponentsandchannelallofthesecomponentsasfixedstrategy documentstohigher-levelcommitteesinwhichtheorganization-widestrategyisassembledfrom thesecomponentsbyrationalizingthecollectionoffederatedcomponents. Afederalorganizationisoneinwhichpowerisdisseminatedacrossorganizationalunits.An examplewouldbeanorganizationdividedintodivisionsinwhicheachdivisionoperateswitha certaindegreeofautonomy.Insuchanorganizationtheinformationsecurityresponsibilitiesfor eachdivisionwouldfallunderthesupervisionofadivisioninformationsecurityofficer. Eveninorganizationswithcentralizedcontrol,itmaybedesirabletosetupafederalinformation securityorganization.Suchafederalorganizationmaybedesirableinacasewherethesecurity budgetisinadequatetosupportproperorganization-wideinformationsecurity.Thesecurityorganizationcanbelayeredovertherealorganizationusingco-optedmemberstowhomresponsibility hasbeenassignedforinformationsecurity. In addition, it is necessary for federated organizations to maintain clear security standards
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW41
withinwhicheachdivisionandsecuritymanagerwilloperate.Theseoverallorganizationalsecurity standardsconstraintheindividualunitsecuritycomponentsinsuchawaythatthesewillconform witheachotherinordertoensureorganization-wideinformationsecurity.Asaresult,federated securitystrategysettingbeginswithestablishmentoforganization-widesecuritystandards. Oncethestandardsareestablished,theprocessfordevelopingthesecuritystrategywithineach unitisdelegatedtothedivisionsecuritymanagers,ortheco-optedsecurityrepresentativeswithin thefederalorganization.Withineachunit,theprocessesmaybesimilartothetop-downapproach inorganization.Inotherwords,theunitprocesswouldstillinvolveatleastfourmajorelements (viz.,internalanalysisandself-assessment,securityproceduredevelopmentandreview,policy developmentandformat,andadministration). Organization-wideSecurityStrategyStandards Thecentralinformationsecurityauthorityinitiatesthesecuritystrategy-settingprocessbydevelopingtheorganizationalsecuritystrategystandard.Thisdevicemaybeassimpleasdeclaringthat eachunitintheorganizationmustcompleteastrategy-settingprocessthatincludesthefourmajor elementsdescribedinthetop-downstrategyapproach.Insuchacase,thestandardsmustprovidea sufficientlevelofdetailabouttheproductofeachoftheseprocessessuchthatthesecurityacross theorganizationmeetstheminimumgoals. InternalAnalysisandSelf-Assessment In a federated approach, the internal analysis and self-assessment may still be a team effort. However,therewillbemultipleteams,eachlocatedwithinoneofthefederalunits.Theteams willneedtobecross-functionalinthesensethattheymustbedevelopedfrommembersofeach functionwithinthefederalunit.Thefederalstandardshoulddefinetheminimumrequirements forsuchananalysis,includingsuggestedoutlinesandassessmentdocuments. SecurityProcedureDevelopmentandReview Similarly,multipleteamswilldevelopandreviewsecurityprocedureswithineachfederalunit. Alternativeswillbeevaluatedbythestakeholdergroupswithineachunit.Eachunitwillalsodevelopitsfinalsetofproceduresandmaintainconstantinteractionwithitsstakeholdergroups.The federalstandardshouldproviderecommendationsforthekindsofproceduresthatmightemerge fromthisprocessanddefinetheminimumsetofstakeholdersrequiredtoproperlycompletethe developmentandreview. PolicyDevelopment Eachfederalunitwilldevelopitspoliciesfromitsaggregationofprocedures.Thefederalstandard maypermiteachunittodevelopanorganizationforitssecuritypolicies,oritmaydefinearequired outlineofsectionssuchasthatdescribedaboveastheminimumsevensectionsandtopicareas. Administration Theadministrationoftheinformationsecuritypolicywithinafederatedorganizationwilloccurat multiplelevels.Withineachfederatedunit,themanagerstaskedwithresponsibilityforsecuritywill
42 BASKERVILLE AND DHILLON
beresponsibleforadministeringthestrategyinamannersimilartothatdescribedinthetop-down strategy-settingapproach.However,administrationofthesecuritystrategywillalsooccuratthe centrallevel.Inadditiontoitsresponsibilityforsettingtheinformationsecuritystrategystandards, thecentralauthoritywillberesponsibleforcollectingthestrategydocumentsandreviewingthem toensurethattheyconformtothestandard.Thecentralauthoritywillberesponsibleforreportingdeviationsfromthestandardtoboththecentralorganizationandtothemanagerstaskedwith responsibilityforthefederatedunits.Thecentralauthorityisalsoresponsibleformaintainingand extendingthefederalstandardforsecuritystrategysetting. SUMMARYANDOPENQUESTIONS Theinformationsecuritystrategyprocessstartswithanassessmentofthegoalsfororganizational informationsecurity.Thesegoalsarelikelytoincludecompliancewithregulatoryrequirements, nationalandinternationalstandards,andprofessionalpractices.Thegoalsassessmentprocessmust takeintoaccountthetypeoforganizationandincludeactivitiestoalignthesecuritystrategywith thestrategicgoalsoftheorganizationasawhole.Thesecuritygoalsassessmentprocessmustalso takeintoaccountthetypeofsecurityenvironmentinwhichtheorganizationexists.Inparticular, high-riskorganizationalenvironmentslikeelectroniccommerceorindustriesoperatinginareas ofnationalcriticalinfrastructureswillneedmorecareandrigorinsecuritystrategyprocesses. Oncethegoalsoftheinformationsecuritystrategyprocessareset,theproductsofstrategy settingmustbedelineated.Theseproductscanincludestatementsofvision,corevalues,rationale, andstrategicplans.Inaddition,themajorcomponentsoftheorganizationalstrategyshouldalsobe delineated.Thesecomponentsincludetheorganization’ssecurityorganizingstrategy,itssecurity operationsstrategy,anditssecuritybudgetingstrategy.Theoperationalstrategyinvolveswhetherthe organization’sinformationsecurityoperationwillbeeithercentralizedorfederatedandwhetherit isacostcenterormanagementoverhead.Anorganizingstrategymustalsobedefinedforinformationsecurityoperations.Thisorganizingstrategywillberelatedcloselytotheoperationalstrategy. Organizingstrategiesincludehierarchicalorganizationaldesignsthatrespondtostrategicneeds tocentralizecontroloversecurity,andnetworkorganizationaldesignsthatrespondtoneedsfor organizationalagilitywithregardtoinformationsecurity.Matrixorganizationalstrategiesrespond toneedsforinformationsecurityportfoliossuchassettingsinvolvingprojects. Thestrategy-settingprocessmaybeorganizedusingaproductcriterionoraprocesscriterion. Aproductcriterionwouldorganizethestrategy-settingprocessbygroupingactivitiesaccording totheendproductsoftheprocess.Forexample,activitieswouldincludevisionsetting,corevalue determination,andplanning.Aprocesscriterionwouldorganizethestrategy-settingprocessby groupingactivitiesaccordingtomajorcomponents.Forexample,activitieswouldincludealigning security with organizational strategy, planning operational strategy, and planning security organization.Thestrategy-settingprocesscanbetop-downorfederal.Atop-downstrategy-setting processwouldbeginwithahigh-levelcommitteedelegatingelementsofthestrategytolower-level committees.Afederalprocesswouldbeginwithlower-levelcommitteeschannelingdraftstrategy componentsuptohigher-levelcommitteeswherestrategywouldbeassembledbyrationalizing thecollectionoffederatedcomponents. Thesestrategy-settingprocessesarenotuniquetoinformationsecurity.Indeedmostofthe strategy-settingprocessesdescribedaboveforinformationsecurityfollowreasonablycommon modelsthatcanbeusedforanyorganizationalstrategysettingtask.Thisaspectofcurrentinformationsecuritystrategypracticeleavesmanyopeningsfornewstudiestoimprovesecuritystrategysettingpracticesbydevelopingbetterpracticesthatareuniquetosecurity(seeTable2.4).
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW43 Table2.4
OpeningsforNewStudiesintheSecuritySettingProcess Area
Issue
Impact
1.Security strategyand securitypolicy
1.1Howdowedistinguishthetwo conceptswhentheseoperateat differentlevels?
Therearesituationsinwhichsecurity strategydeterminessecuritypolicy andotherswheresecuritypolicy determinessecuritystrategy.
1.2Howdoesthesecurity strategy-settingprocessdifferin settingswherestrategiesmustbe definedaccordingtoasetpolicy?
Adeterministicprocessforcreating securitystrategymaybeapplied whencreativityandinnovationis neededinstead.
2.1Howdoweknowifanewly definedsecuritystrategyisthe rightoneforthesetting?
Bothgoodandbadsecurity strategies,likeother“best”practices, canbemindlesslyreplicatedacross organizationswithoutcriticalregard.
2.2Whatstrategy-setting processesaremosteffectivein knownorganizationalsettingsor conditions?
Standardprocessesforcreating securitystrategiesareadopted withoutregardforthenatureofthe particularorganization.
2.Quality measuresfor securitystrategy
Area1.Aprimaryissueisthedistinctionbetweensecuritystrategyandsecuritypolicy.While weoperatedwithdefinitionsandrecognizedmultiplelevelsofstrategy(forexample,strategies forsettingpoliciesandstrategiesforimplementingpolicies),thisisasourceofmuchconfusion intheliteratureandtheprinciplesandpractice.Becausesecuritypoliciesaresocentraltomost organizationalsecurityoperations,weneednewstudiesthatbetterdeveloptherelationshipbetween strategiesandpolicies.Weseetwomajorissuesinthisarea: Issue1.1—Howdowedistinguishthetwoconceptswhentheseoperateatdifferentlevels? Writersaboutsecuritypolicyintertwinethetwoconcepts,makingitappearacrosstheliterature asiftheyweresynonymous.Theimpactofthisconfusionisthatitisdifficulttorecognizethat therearesituationsinwhichsecuritystrategydeterminessecuritypolicyandothersituationswhere securitypolicydeterminessecuritystrategy. Issue1.2—Howdoesthesecuritystrategy-settingprocessdifferinsettingswherestrategies mustbedefinedaccordingtoasetpolicy?Ifsecuritymustfitapresetframework,adeterministic processforcreatingsecuritystrategymaybeapplied.Thesecuritystrategymayalmostbethe resultofaformulainsuchsituations.However,wherethereisnosetpolicy,thensecuritystrategy mayneedtobedeterminedinawaythatishighlycreativeandinnovative. Area2.Thereisverylittleempiricalresearchthatregardsinformationsecuritystrategyas eitheraprocessoraproduct.Mostinformationinthisareaisfoundinthepracticalliteratureas casedescriptions.Weneednewstudiesthatcomparetheinformationsecuritystrategy-setting processesofsimilarkindsoforganizationsinordertogainsomesenseofwhattheidealstrategysettingprocesseswouldbeforsuchorganizations.Suchstudieswouldsuggestthemostsuccessfulstrategy-settingprocessesforspecificorganizationalsituations.Similarly,weneedstudiesof theidealstrategyproductsfordifferentorganizationalsettings.Linkingsuchstudiesofsecurity strategy-setting processes and products with organizational security compromises would help
44 BASKERVILLE AND DHILLON
illuminatethoseprocessesandproductsthatprovedmostsuccessfulinmeetingorganizational informationsecuritygoals. Issue2.1—Howdoweknowifanewlydefinedsecuritystrategyistherightoneforthesetting? Thereistoolittleresearchthatrevealswhichstrategieshaveworkedandwhichhavefailed.Asa result,bothgoodandbadsecuritystrategiesmaybeviewedandpromotedas“best”practices.In theabsenceofbetterstrategy-settingprocesses,suchpracticescanbemindlesslyreplicatedacross organizationswithoutcriticalregard. Issue2.2—Whatstrategy-settingprocessesaremosteffectiveinknownorganizationalsettings orconditions?Followingcloselyontheissueofourpoorunderstandingofwhichstrategieshave succeededandwhichhavefailed,wesimilarlylackresearchintowhatsecuritystrategy-setting processeshavegoodrecordsfordeterminingeffectivesecuritystrategies.Atthemoment,standard processesforcreatingsecuritystrategieshaveunknowneffectivenesshistories,yetstillmustbe adoptedwithoutregardforthenatureoftheparticularorganization. Whiletherearemanyopenquestionsandissues,thereismuchthatwedoknowaboutthe processesofinformationsecuritystrategy.Itclearlyinvolvesanassessmentofthegoalsfororganizationalinformationsecurity.Theprocessesmaybeorganizedusingaproductcriterionor aprocesscriterion,groupingactivitiesbytheendsorthemeans.Thegoalassessmentprocessis alsoimportant,registeringthestrategicgoalswiththerealityoftheorganizationalconditions, suchastheavailablesecuritycompetencies. REFERENCES Armstrong,H.1999.Asoftapproachtomanagementofinformationsecurity.Ph.D.dissertation,Curtin University,Perth,Australia. Backhouse,J.,andDhillon,G.1996.Structuresofresponsibilityandsecurityofinformationsystems.EuropeanJournalofInformationSystems,5,1,2–9. Baskerville,R.1995.Thesecondordersecuritydilemma.InW.Orlikowski,G.Walsham,M.Jones,and J.DeGross(eds.),InformationTechnologyandChangesinOrganizationalWork.London:Chapman& Hall,pp.239–249. Cherry,S.2000.DoubleClickrecantsonprivacyissue.IEEESpectrum,37,4,63. COBIT.2005.COBITOverview(availableatwww.isaca.org/cobit.htm,accessedonJanuary23,2005). D’Antoni,H.2002.Defensesmountagainstinternalthreats.InformationWeek,896,86. DeLoughry,T.J.2000.DoubleClicktakesitslicksforchangingprivacypolicy.InternetWorld,6,5,20. Dobson,J.1991.Amethodologyforanalyzinghumanandcomputer-relatedissuesinsecuresystems.In K.Dittrich,S.Rautakivi,andJ.Saari(eds.),ComputerSecurityandInformationIntegrity.Amsterdam: ElsevierSciencePublishers,pp.151–170. Eden,C.,andAckermann,F.2002.Amappingframeworkforstrategymaking.InA.S.HuffandM.Jenkins (eds.),MappingStrategicKnowledge.London:Sage,pp.173–195. Finne,T.1996.Theinformationsecuritychaininacompany.Computers&Security,15,4,297–316. Gaston,S.J.1996.InformationSecurity:StrategiesforSuccessfulManagement.Toronto:CanadianInstitute ofCharteredAccountants. Hale,J.C.;Landry,T.D.;andWood,C.M.2004.Susceptibilityaudits:atoolforsafeguardinginformation assets.BusinessHorizons,47,3,59–66. Hong,K.-S.;Chi,Y.-P.;Chao,L.R.;andTang,J.-H.2003.Anintegratedsystemtheoryofinformationsecurity management.InformationManagement&ComputerSecurity,11,5,243–248. ISO/IEC 2000. ISO/IEC 17799: Information Technology—Code of Practice for Information Security Management. International Standard No. ISO/IEC 17799:2000(E). Geneva: International Standards Organization. Kalfan,A.M.2004.InformationsecurityconsiderationsinIS/IToutsourcingprojects:adescriptivecase studyoftwosectors.InternationalJournalofInformationManagement,24,1,29–42. Lewin,R.1993.Complexity:LifeontheEdgeofChaos.London:Phoenix.
INFORMATIONSYSTEMSSECURITYSTRATEGY:APROCESSVIEW45 McGrath,R.G.;MacMillan,I.C.;andVenkataraman,S.1995.Defininganddevelopingcompetence:astrategic processparadigm.StrategicManagementJournal,16,4,251–275. Merriam-Webster2001.CollegiateDictionaryandThesaurus. Mintzberg,H.;Ahlstrand,B.;andLampel,J.1998.StrategySafari:AGuidedTourthroughtheWildsof StrategicManagement.NewYork:Simon&Schuster. O’Rourke,M.2005.Datasecured?Takingoncyber-thievery.RiskManagement,52,10,18–22. Parker,D.1981.ComputerSecurityManagement.Reston,VA:RestonPublishing. Petersen,A.2000.DoubleClickreversescourseafterprivacyoutcry.WallStreetJournal,March3,p.B.1. Rees,J.;Bandyopadhyay,S.;andSpafford,E.H.2003.PFIRES:apolicyframeworkforinformationsecurity. CommunicationsoftheACM,46,7,101–106. RIT[RochesterInstituteofTechnology].2004.RITInformationSecurityVisionStatement,June2(available athttp://security.rit.edu/procedures/00_InfoSec_vision.pdf,accessedonNov.24,2005). Schlenker,B.R.;Britt,T.W.;Pennington,J.;Murphy,R.;andDoherty,K.1994.Thetrianglemodelofresponsibility.PsycholReview,101,4,632–652. Segev,A.;Porra,J.;andRoldan,M.1998.InternetsecurityandthecaseofBankofAmerica.CommunicationsoftheACM,41,10,81–87. Sherwood,J.1997.Managingsecurityforoutsourcingcontracts.Computers&Security,16,7,603–609. Swartz,N.2004.Surveyassessesthestateofinformationsecurityworldwide.InformationManagement Journal,38,1,16. Thibodeau,P.2002.DoubleClicksettlementmayaffectcorporateITpolicies.Computerworld,36,15,7. Trompeter,C.M.,andEloff,J.H.P.2001.Aframeworkforimplementationofsocio-ethicalcontrolsininformationsecurity.Computers&Security,20,5,384–391. White,E.F.R.,andDhillon,G.2005.Synthesizinginformationsystemdesignidealstoovercomedevelopmentaldualityinsecuringinformationsystems.InR.H.Sprague(ed.),Proceedingsofthe38thAnnual HawaiiInternationalConferenceonSystemSciences.LosAlamitos,CA:IEEEComputerSociety,pp. 186–195. Whitman,M.E.2003.Enemyatthegate:threatstoinformationsecurity.CommunicationsoftheACM,46, 8,91–95. Whitman,M.E.,andMattord,H.J.2004.ManagementofInformationSecurity.Boston:Thomsom.
CHAPTER3
ITGOVERNANCEANDORGANIZATIONAL DESIGNFORSECURITYMANAGEMENT MERRILLWARKENTINANDALLENC.JOHNSTON
Abstract:InordertoachievethegoalsofISsecuritymanagement,eachorganizationmustestablish andmaintainorganizationalstructuresandgovernanceproceduresthatwillensuretheexecution ofthefirm’ssecuritypoliciesandprocedures.Thischapterpresentstheproblemandtheframework forensuringthattheorganization’spoliciesareimplementedovertime.Sincemanyofthesepolicies requirehumaninvolvement(employeeandcustomeractions,forexample),thegoalsaremetonlyif suchhumanactivitiescanbeinfluencedandmonitoredandifpositiveoutcomesarerewardedwhile negativeactionsaresanctioned.ThisisthechallengeofcorporategovernanceandITgovernance.A centralissueinthecontextofITsecuritygovernanceisthedegreetowhichITsecuritycontrolsshould becentralizedordecentralized.ThischapterutilizesacomparativecasestudyinwhichITsecurity controlsareconsideredwithinbothacentralizedandadecentralizedITgovernanceenvironment. Keywords:Centralization,Decentralization,Governance,ITGovernance,SecurityPolicy,Procedures,ITArchitecture,CaseStudy Thegoalsofinformationsecuritymanagementareobtainableonlyifthepoliciesandprocedures arecomplete,accurate,available,andeventuallyimplemented.Organizationsmustbecognizant ofthepitfallsthatimpedetechnologydiffusionwithinthefirmandmustdemonstratethisthrough thepurposefulcreationofpolicy.Itisalsocriticalthatfirmsemploymeasurestoensurethatpolicy is translated into effective security management practices.This is obtainable only if effective organizationaldesignsarepresentandifproperinformationassuranceproceduresarefollowed. Additionally,stakeholdercompliancerequiresstringentenforcementofinternalcontrolstoensure organizationalpolicyandprocedureexecution. ITsecuritymanagementgoalsaretomaintaintheconfidentiality,integrity,andavailabilityof datawithinasystem.Thedatashouldbeaccurateandavailabletotheappropriatepeople,when theyneeditandintheappropriatecondition.Whileperfectsecurityisdesirable,itisunfortunately unattainable.Withthisinmind,securityprofessionalsseektoprovidealevelofsecurityequivalent tothevalueoftheinformationtheyareaskedtoprotect. Individuals(includingentrepreneurswhoownsmallfirms)arepresumedtoactintheirown bestinterests,andareexpectedtomanageanddirecttheirpersonalandbusinessaffairsinways thatsupporttheirownobjectives.Largerorganizationsareoftenmanagedbyprofessionalmanagerswhomaynotsharethesameintrinsicmotivationsastheownersofthoseorganizations.All managersshoulddirectandcontroltheactivitiesoftheenterpriseinordertoachievetheobjectivesofthestakeholders.Forgovernmentalorganizations(agencies,etc.),thekeystakeholders arecitizens.For“publiccompanies”(firmsownedbythosewhoholdpubliclytradedsharesof 46
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT47 Figure3.1 SecurityPolicy,Procedure,andPractice
IT Security Policy
Policy
� � � � �
formulated to achieve missions and goals can be both formal and informal should be aligned with IT policy and strategy and IT policy should align with organizational policy must support compliance with regulations & standards
IT Security Procedures & Standards of Performance
Procedure
� � � �
explicit mechanisms, structured specific formalized steps for people and processes standard operating procedures (SOP) (but may exist without formal policy in some cases)
IT Security Practice (or Execution)
Practice
� � � � �
operationalize policy through execution of procedure sometimes termed the “endpoint security problem” starts with IT security policy awareness through training supported with internal controls (behavioral, technical) monitored, enforced with sanctions (rewards, penalties)
stock),theprimarystakeholdersaretheshareholders.Smaller(“closelyheld”)companiesmay alsohaveaseparationbetweentheownersofthefirmanditsmanagers. An organization’s structure and governance procedures enable it to address the issues of responsibility, accountability, and coordination toward the achievement of its purpose and goals.Organizationsarecontinuallyevolvingtoenhancetheirpositionwithintheirbusiness domain.Theseevolutionstypicallyinvolvechangesingovernanceandorganizationaldesign, andarereflectedintheITcomponentoftheorganization.However,oneobjectiveisconstant: toprotecttheinformationassetsoftheorganization.Inthiscontext,therolesofITgovernance andorganizationdesigntowardthefulfillmentofthesecuritymanagementcommitmentare presentedanddiscussed. POLICIES–PROCEDURES–PRACTICE Thepoliciesandproceduresofafirmdictatetheposturethefirmwilltakeinprotectingitsinformationassets.However,successinthisquestisthedirectresultofhowwellthesepoliciesand proceduresaretranslatedintoactions.Ultimately,ifmanagers,developers,andusersarenotaware ofexistingpolicyandprocedures,theywillnotexecutethem.Therefore,anemphasisshouldbe placedontheestablishmentofanenterprisetrainingprogramwithverifiabletrainingprotocols sothatpersonnelaremadefullyawareofsuchpoliciesandproceduresinorderthattheycanbe putintopracticeonadailybasis(seeFigure3.1). ORGANIZATIONALSTRUCTUREANDDESIGN Asoleproprietor“doesitall,”butasorganizationsgrow,itbecomesnecessarytoformulateand implementastructurecapableofcoordinatingtheactivitiesoftheunitssothattheyactincon-
48 WARKENTIN AND JOHNSTON
certtowardachievingtheorganization’smission.Theorganizationdesigncomprisesseveralkey principles,including(1)divisionoflabor(departmentalizationandspecialization),(2)command structure(lineofcommand,unitarycommand),(3)authorityandresponsibilityrelationships(line, staff,power),and(4)spansofcontrol(levelsofcontrol,degreeofcentralization). Itisimperativethattheorganizationalstructureformalizetherolesandreportingrelationships betweenemployeesatdifferentpositionsintheorganization.Thedesignprocessmustbedynamic astheorganizationcontinuallyredefinesitsgoalsandstrategies,astheorganization’senvironment changes,andaschangesintechnologyfacilitatemodificationsintheorganizationalstructure. Indeed,oneofthemostmonumentalimpactsoftechnologyoverthepasttwodecadesisthe“flattening”ofmostlargeorganizationsandtheeliminationofseverallayersofmiddlemanagement. IThasbeenattributedasanenablerofthisleanorganizationalformbyincreasingspanofcontrol andcommunicationsprovidedbymodernnetworkedcomputersystems. Someofthekeyquestionstobeansweredincludethefollowing.Whomakesthedecisionsand howmanydecisionmakersarethere(foreachunitandateachlevel)?Howshouldthecommand structurebepartitioned,andhowshouldtasksbeassigned?Whataretheformalcommunications structuresbetweendecision-makingindividualsandgroups? Theprocessoforganizationaldesignofteninvolvesmakingdeterminationsbetweencompetingdesignformswheretheremaybetrade-offsbetweenefficiency,flexibility,accountability, andotherfactors(Straub,1988).Mostemployeesaremoremotivated(andthereforemoreeffective)iftheyhavemorecontrol(“responsibilitywithauthority”)overtheirwork.Iftheyareable toreacttochangesintheirenvironmentwithoutseekingapprovalorwaitingforoversight,they canquicklysatisfycustomerdemandorrespondtocompetitivepressures.However,thelackof controlmayopentheorganizationtocertainrisks.Forexample,unencumberedemployees,motivatedbylocalizedpriorities,maymakedecisionsthathaveapositiveshort-termbenefitonthe departmentallevel,butanegativelong-termimpactontheorganization.Organizationsmustseek abalancebetweentheseextremesof“spanofcontrol”andfindthat“sweetspot”withmaximum benefitsfortheenterprise. Inaddition,theorganizationshouldbestructuredsothatduplicationofeffortiseliminated. Allspecialorscarceskillsshouldbeeffectivelyutilizedandshared;sometimesthisentailsdistributingtheseresourcesacrosstheorganization.Employeesmustalsobegiventheopportunity todeveloptheirskillsandadvanceintheirpositions.Tothisend,employeesmustbeprovided withthenecessaryinformationtomaintainaglobalperspective.Mostemployeeswanttofeel theyhaveanopportunityto“worktheirwayuptheladder.”Motivationandmoralearecrucial totheorganization’ssuccess,andarehighlyinfluencedbythestructureoftheenterprise.Who evaluatestheirwork?Howistheirworkactivityconnectedtothatofotherindividuals?Howmuch controldotheyhaveovertheirworkproduct?Iscooperationandcoordinationsupportedbythe organization’sstructure? Accountabilityisanimportantconsiderationforallorganizationalmembers(asitisintheIS securityarena).Eachmember’sassignedresponsibilitiesmustnotconflictwithorduplicatethe dutiesofanyotherposition.Eachmembermusthavesufficientdecision-makingauthorityand controltoaffecttheparametersforwhichheorshewillbemeasured.Supervisorystructureisone ofthemostcrucialelementsofanorganizationaldesign.Managersmusthaveasufficientlylarge spanofcontroltoenablethemtocoordinatethe“bigpicture”withintheirdepartments,rather thanisolatedsilosindependentofotherunits.Butthespanofcontrolcanalsoeasilybetoolarge, leadingtoalackofresponsiveness. Organizational structure encompasses the formal structure embodied in the organizational chart(reportinghierarchy,etc.)aswellastheinformalorganization.Furthermore,thestructure
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT49
includestheprocessesthatcombinepeopleintoworkgroupsandteams,teamsintodepartments, anddepartmentsintodivisionsasworkflowswithintheorganizationandbetweentheorganization anditsexternalconstituents(customers,suppliers,regulators,competitors,partners,etc.).The structuredetermineswhodoeswhatandhowindividualscollaboratetogettheworkcompleted. WithinthecontextofITsecurity,theorganizationalstructuretakesonaddedimportanceasadditionallayersofhierarchicalcomplexityareembeddedwithintheorganizationintheformofuser accessprivileges.Oftenthehierarchicalreportingstructurebreaksdownwhentranslatedintothe rightsassignedtousersinsupportoftheirroles.Thisisespeciallytrueforinformationsystems thatmaintainsensitiveinformationatvariouslevelsofconfidentialitythroughoutthesystem.Itis notuncommoninthesesituationsformembersofthesameteamtohavedifferentuserprivileges intermsoftheinformationtheyareabletoaccesswithinthesystem.Simplystated,adigitaluser hierarchydoesnotnecessarilymatchahumanmanagementhierarchy. Thetwoprimarystructuresforlargemodernorganizationsareoftentermed“functional”and“product”structures.Functionalstructureshavedepartmentsorientedbyfunction—finance,accounting, marketing,production,humanresources,IT,andsoon.Theyhavetheadvantageofefficiency(less duplicationofactivities)andprofessionalism(technicalspecializationandexpertise),butthemembers ofeachfunctionalareahaveanarrowperspectivewithlessattentiontotheneedsofeachproductarea anditscustomersandmarkets.Itisalsodifficulttocoordinatetheactivitiesofsuchindividuals. Ontheotherhand,the“product”structure,alsoknownas“divisionalorganization,”isdivided byoutputorproductlines.Aconglomeratemayhaveadivisionforitsaerospaceproducts,another foritsconsumerelectronics,andanotherforitsfinancing(lending)operations.(ThisishowGE andmanyotherorganizationsareessentiallyorganized.)Thisimprovesdecisionmakingandforces greateraccountabilityforspecificperformanceobjectives.Italsoincreasesthecoordinationof functions,becausethemanagersofthefunctionsreporttoadivisionalmanager(e.g.,directorof IndustrialSoapsDivision).Ontheotherhand,thisstructureislessefficient(duplicatedactivities) andmayfosterrivalryamongdivisionsthatisnotalwayshealthy. Athirdorganizationalformisthematrixorganizationalstructure,inwhichthemanagersof functionswithineachdivisionalsohavea“dottedline”reportingrelationshipwiththeirfunctional managers—essentiallytheyhaveatleasttwobosses,thefunctionalmanagerandaprojectmanager,andspendagenerousportionoftimenegotiatingtheirresponsibilities.Assumingagrid-like formation,thematrixorganizationalstructurecanprovidesuperiorperformancecomparedwith traditionalhierarchicalstructuresifitsmemberscanleveragethenaturalconflictofinterestsbetweenthefunctionalmanager’sdesireforqualityandtheprojectmanager’sinterestintimeand service.Thefocusofthisstructuralformistodistributeexpertisetothepartsoftheorganization thatneedthemmost(projectteams)attherighttime.Amatrixstructurecanfacilitateinnovation andefficiency,butcanalsocreateconflictbecauseofitsreducedclarityofauthority. GOVERNANCE Governanceencompassesactivitiesthatensurethattheorganization’splansareexecutedandits policiesareimplemented.Planningleadstostrategiesthatareembodiedinpoliciesthataretranslatedintoprocedures,whichareexecutedandenforcedthroughthegovernanceprocess.Onemight saythatgovernanceisthemethodofensuringthatpoliciesandproceduresareputintopractice. Enterprise governance is the overall framework, which can be decomposed into corporate governance(or“conformance”)andbusinessgovernance(or“performance”).TheInternational FederationofAccountants(IFAC)definesenterprisegovernanceas“thesetofresponsibilitiesand practicesexercisedbytheboardandexecutivemanagementwiththegoalofprovidingstrategic
50 WARKENTIN AND JOHNSTON
direction,ensuringthatobjectivesareachieved,ascertainingthatrisksaremanagedappropriately andverifyingthattheorganization’sresourcesareusedresponsibly”(CIMA/IFAC,2004). Thecorporategovernancestructureistheorganizationaldesignthatassignsrightsandresponsibilitiestovariousplayers,suchastheboardofdirectors,managers,andshareholders.Itprovides guidancefordevelopingreportingrelationships,internalcontrols,checksandbalances,andother meanstoensurethatthecorporation’smissionsareultimatelyfulfilled.Thefundamentalconcerns ofcorporategovernanceareto(1)ensurethatconditionsapplywherebyafirm’sdirectorsand managersactintheinterestsofthefirmanditsshareholders,and(2)ensurethemeansareinplace wherebymanagersareheldaccountabletoinvestorsfortheuseofassets.Theaimofcorporate governanceisto(1)describetherulesandproceduresformakingdecisionsoncorporateaffairs, (2)providethestructurethroughwhichthecorporateobjectivesareset,(3)provideameansof achievingthesetobjectives,(4)monitorthecorporateperformanceagainstthesetobjectives,and (5)establishprocedurestoreduceoreliminatedeviationsfromthepathtowardthesetobjectives, includingsanctionsforemployeeswhodonotsupporttheprocess. Corporategovernanceconsistsofanylawsthatmayapplytotheformulationofcorporatebodies,theofficialbylawsestablishedbythecorporatebody,itsorganizationalstructureordesign, andevenitsstandardoperatingprocedures(SOP)andcorporateculture,totheextentthatthey supportthepurposesofcorporategovernance. Organizationsalsoimplementinternalcontrolsandprocedurestoensurethatrisk(businessrisk, legalrisk,marketrisk,securityrisk,etc.)ismanagedandthatresourcesareutilizedefficiently andeffectivelyinthepursuitoftheorganization’smissionandstrategies.Thisprocessissometimestermedbusinessgovernanceandrefersto“performance”ratherthan“conformance.”By supportingtheprocessofvaluecreation,ITsystemstypicallycontributetoperformance,though recentattentionhasshiftedtowardIT’sroleinconformance.ITcanbecomeacentralguarantor ofaccountability.Recentlegislation(discussedbelow)isaimedatensuringthatelectronicrecordkeepingsupportsthegoalsofconformanceandreducesthechancesthatrecentbusinessscandals (BrandandBoonen,2004)willberepeated. ITGovernance Tosupportthegoalsofcorporategovernance,theremustbeaformalizedprocesstoguidethe acquisition,management,andutilizationofallstrategiccorporateassets,includinginformation resources.ITgovernancedescribesthedistributionofITdecision-makingresponsibilitieswithin thefirmandfocusesontheproceduresandpracticesnecessarytocreateandsupportstrategic ITdecisions(seeTable3.1). TheITGovernanceInstitute(2003)statesthatthepurposeofITgovernanceistodirectIT endeavorsandtoensurethatIT’sperformancemeetsthefollowingobjectives:strategicalignment, valuedelivery,riskmanagement,andperformancemeasurement.Riskmanagementensuresthe appropriatemanagementofIT-relatedrisks,includingtheidentificationandimplementationof appropriate IT security measures.Activity and performance monitoring and measurement are criticaltoensurethatobjectivesarerealized,butrequirefeedbackloopsandpositivemeasuresto proactivelyaddressdeviationfromgoals. TheITGovernanceInstitute(www.itgi.org)hasestablishedtheControlObjectivesforInformation andrelatedTechnology(COBIT)tofacilitateconductingallaudits.Thismethodologyisespecially helpfulinestablishingthescopeandplanforITaudits,andcanguidemanagersinidentifyingappropriatecontrolsandselectingeffectiveinfrastructureprocesses.ThismethodologyofITgovernance andcontrolcanalsoaidinmaintainingcompliancewiththeSarbanes-OxleyActandotherapplicable
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT51 Table3.1
ITGovernanceandCorporateGovernanceResources 1. 2. 3. 4. 5. 6.
ITGovernanceInstitute EncyclopediaaboutCorporateGovernance CorporateGovernanceNetwork InternationalCorporateGovernanceNetwork EuropeanCorporateGovernanceInstitute WorldBankGroup
www.itgi.org www.encycogov.com www.corpgov.net www.icgn.org www.ecgi.org www.worldbank.org/wbi/governance
legislation.Itcanhelpafirm“obtainbenchmarksforassessingautomatedcontrolsembeddedinkey businessprocessesandassessthecontrolactivitiesperformedbythecompany’sapplicationsupport team.”Furthermore,itisdesignedtohelpensurealignmentbetweentechnologyinvestmentsand businessstrategies.(ForanexpandeddiscussionofCOBIT,seeDhillonandMishra[2006].) ITArchitecture ITgovernancecanbeeffectiveonlyiftheenterpriseorganizesitsinformationtechnology(hardware, software,procedures)inamannerconsistentwithitsorganizationalandtechnicalrequirements. Therearenumerousformalizedapproachestoestablishinganappropriateconfigurationforthe organization’sinformationresources.Suchconfigurationsaretermed“ITarchitecture”andare intendedtoefficientlyandeffectivelysupportITgovernancemandatesasarticulatedinpolicy andprocedureandenactedinpractice. ImportantconsiderationsforITmanagersincontemplatingtheappropriateITarchitecturefor theirorganizationarethecharacteristicsoftheusercomponentofthesystem.ItiscriticalthatIT managerspossessafamiliaritywiththeexperiencelevels,technicalproficiencies,oranyothertraits oftheuserswithintheirorganizationthatmaypredicatetheirpotentialforsuccess.Forexample, highlydecentralizedsystemsrequireamoresubstantialcommitmenttoandproficiencyofsystem operationsbytheusercommunity.Byunderstandingtheirusers’limitations,effectivemanagers willbeabletoaligntalentandtechnologyinamannerconducivetosuccess. WithintheU.S.federalgovernment,theClinger-CohenActof1996(40USC1401[3]),also knownastheInformationTechnologyManagementReformAct(ITMRA),wasintended,amongits manyotherpurposes,to“reform...informationtechnologymanagementoftheFederalGovernment.”TheITMRAdefinesinformationtechnologyas“computers,ancillaryequipment,software, firmwareandsimilarprocedures,services(includingsupportservices),andrelatedresources.”The actdefinesinformationtechnologyarchitecture(ITA)as“anintegratedframeworkforevolvingor maintainingexistinginformationtechnologyandacquiringnewinformationtechnologytoachieve theagency’sstrategicgoalsandinformationresourcesmanagementgoals.” Section5125(b)oftheactfurtherassignseachagency’schiefinformationofficer(CIO)the responsibilityof“developing,maintaining,andfacilitatingtheimplementationofasoundand integratedinformationtechnologyarchitecture.”Furthermore,theU.S.WhiteHouseOfficeof ManagementandBudget(OMB)hasissuedamemorandum(OMB-M-97–16)statingthat forthepurposeofconformingtotherequirementsofITMRA,acompleteITAisthedocumentationoftherelationshipsamongbusinessandmanagementprocessesandinformation technologythatensure:
52 WARKENTIN AND JOHNSTON Exhibit3.1
EnterpriseArchitectRole Theroleoftheenterprisearchitectismuchlikethatofacityplanner.Toooften,inacity,buildings areconstructedusingcompletelyindependentdesigns,infrastructureisslappedtogetherovertime, andattemptstobuildcomprehensiveplansforcoherentgrowtharestymiedbycompetinggoalsand unmanageableegos.Inthesameway,businessunitsinorganizationsofanysizeoftenpursuetheir ownindividualbusinessandtechnologygoals,creatingseparateinfrastructuresthatdefyattempts to“federate”theorganization’sbusinessandcomputingresources. Withoutaclearunderstandingofcriticalbusinessrequirements,anyattempttoarticulatestrategic ITplansisdoomed.That’swhy,firstandforemost,anenterprisearchitectureprovidesastructure fordefiningbusinessgoalsandprocesses.Oncethat“businessarchitecture”isexplicitlystatedand widelyagreedon,ITcanthenbeginthetaskofdefiningtheinformationneededtosupportbusiness requirements,andtheITinfrastructureneededtosupportthecreationandmanagementofthat information.
Source:Bolles,2004.
• alignmentoftherequirementsforinformationsystems...withtheprocessesthatsupport theagency’smissions; • adequateinteroperability,redundancy,andsecurityofinformationsystems;and • theapplicationandmaintenanceofacollectionofstandards(includingtechnicalstandards)bywhichtheagencyevaluatesandacquiresnewsystems. Withinthisframework,theOMBguideseachagencytoidentifyandspecifytheorganizational leveltowhicheach“sub-architecture”willbeaddressed(businessprocesses,informationflows, applications,datadescriptions,andtechnologyinfrastructure). Todevelopaneffectiveenterprisearchitecture,theCIOmusthaveaclearpictureofthecurrentstate,avisionforthefuture,andaroadmapforgettingthere.Theenterprisearchitecture createsablueprintthatincludesasetofstandardstowardwhichtheorganizationmigrates,and itintroducesprocessesandcontrolstoensurethatallnewtechnologiesarelinkedtoaspecific businessrequirement(seeExhibit3.1). The Institute of Electrical and Electronic Engineers (IEEE) defines an architecture as “the structureofthecomponents,theirrelationships,andtheprinciplesandguidelinesgoverningtheir designandevolutionovertime.”Inbuildingconstruction,theblueprintestablishesthedesign, andthebuildingistheactualembodimentofthatdesign.InIT,thearchitectureestablishesthe designoftheinfrastructure,whereastheactualhardwareandsoftwareinstallationistheembodimentofthatdesign. INFORMATIONSYSTEMSCENTRALIZATION ANDDECENTRALIZATION Regardlessofspecificorganizationalfunction,therearetrade-offsintermsofthedegreeofcentralizedmanagerialcontrol.Forinstance,functionssuchassupplychainmanagementandpurchasing areheavilytiedtoeconomiesofscale,andassucharegenerallymoreefficientlyoperatedifhighly centralized.Functionssuchascustomersupport,ontheotherhand,mayoperatemoreeffectively andefficientlyifdecentralized.However,mostfunctionsexhibitsomeleveloftrade-offsbetween
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT53 Table3.2
FeaturesofGovernanceStructures Feature
Centralizedgovernance
Decentralizedgovernance
Acquisition/controldecisions
Singlebusinessunit
Allbusinessunits
Primaryconcerns
Control,efficiency,andeconomy
Responsetimes
Chiefadvantage
Leveragingestablishedtechnology Flexibilityandempowerment andvendors
Chiefdisadvantage
Slowertorespond
Conflictsandpolicyclashes
Values
Uniformityandinteroperability
Reliabilityandownership
Initialcosts
Higher
Lower
highlycentralizedandhighlydecentralizedcontrol.InformationsystemsorITfunctionsarealso subjecttothiscontinuum. Afirm’sinformationsystems(IS)willincludehardware(suchasstorageservers),software components(applicationservers,etc.),dataresources(oftenmaintainedindataservers),telecommunications,andpersonnelthatbuildandmaintainthesystem.Theseresourcesmaybehighly centralizedinoneITdepartment,highlydecentralized(inthecontrolofalltheorganization’s departments),orsomewherealongthecontinuumbetweenthetwoextremes.Oneofthemost fundamentalcharacteristicsofafirm’sITarchitectureorstructureisthedegreetowhichitsISis centralizedordecentralized.AkeyroleofITmanagersisdeterminingtheITarchitectureforthe organization’sinformationsystem,andoneofthemostimportantaspectsofthearchitectureis thedegreeofcentralization.Thefocusofthischapterisprimarilyoncontrolanddecision-making centralization,ratherthanonthephysicallocationofITassets.Table3.2providesasummaryof thecomparisonofthefeaturesincentralizedanddecentralizedgovernancediscussedbelow. CentralizedInformationSystems Withincentralizedinformationsystems,informationresourcesanddecisionsconcerningtheiracquisitionandcontrolaretheresponsibilityofoneparticularbusinessunitthatprovidesITservices tothewholefirm.Theprimaryconcernsofacentralizedapproachareofcontrol,efficiency,and economy.WhilesomecentralizedIShavehistoricallybeencentralized,othershaveevolvedfor variousreasons,suchascostsavingsresultingfromtheconsolidationofanorganization’sIS,to oneparticularlocation. Thechiefadvantageofcentralizedsystemsiscentralizedcontrolthroughtheleveragingof establishedtechnologyandvendors(KroenkeandHatch,1994).Hardwareandsoftwarestandards facilitateeconomiesoftimeandmoneyinpurchasing,installation,andsupport,andenablegreater interoperabilityofsystemsandsharingofdatabetweendivisionsanddepartments.ERPandother enterprise-classapplicationsrequireseamlessintraorganizationaldataexchange.Thisuniformityis builtonaformalassessmentoftechnologyrequirementsandaprofessionalevaluationofvarious technologychoices,resultinginlowertechnicalrisks.Approvedsystemcomponentswilltypicallyfunctiontogethermoreeasily,withfewsurprisingsystemcompatibilityissues.Centralized ITdepartmentsaretypicallystaffedbyhighlytrainedandqualifiedITprofessionalswhoemploy
54 WARKENTIN AND JOHNSTON
structuredsystemsdesignandmaintenanceprocedures,leadingtohighlyreliablesystems.ProfessionalITmanagersoftenexcelatselectingsuperiorITstaffmembers. Centralizationalsoenablesefficiencygains,whichincludereducedduplicationofeffort,resources,andexpertise.Savingsarerealizedthroughjointpurchasingproceduresandsharingof systemresources(suchasstoragesolutions,outputdevices,etc.).Furtherefficienciesarerealized fromtheenterprise-wideadministrationofcontractsandserviceagreements,licenses,andasset management.TrainingcostscanbeminimizedwhentheITstaffcanspecializeinasmallsetof hardwareandsoftwarecomponents.PlanningiseasierandITalignmentcanbemoreeasilyaccomplishedwhenallITresourcesareunderonegroup’scontrol.Anorganizationcanmoreeasily affordkeynicheITprofessionalswithspecializedskillswithinalargeITdivisionthanifITstaff isdispersedthroughouttheenterpriseandhassmallerbudgets. Itshouldbenoted,however,thatcentralizedsystemsmayentailaninitialcostdisadvantage (KroenkeandHatch,1994).Consideringthehighsalariesofsystemsprofessionals,theadded bureaucracy,andtheinflexibilityofsuchsystems,itisnotdifficulttoforeseeinitialcostsescalation(Robson,1997).Becauseoftheirpropensitytocommandlargebudgets,centralizedcenters maybeperceivedwithintheorganizationascostcenters(ratherthanprofitcenters).Centralized operations,unlikedecentralizedsystemswhereeachbusinessunithasitsownautonomoussystem forlocaltasks,mayalsoslowvarioustasks(Robson,1997).AutonomytoperformIT-relatedfunctionsissynonymouswithdecision-makingauthorityandcanprovideexpeditedresponsestopressingmatters.Relianceonsinglecentralcomponents(servers,etc.)mayincreasethevulnerability oftheentiresystem,shouldanyofthosecentralcomponentsfail.Furthermore,centralsystems areisolatedfromcustomersandrealbusinessconcerns,leadingtoalackofresponsivenessand personalattentiontoindividualgroups.Relationshipsbetweenthecentralizedsupportunitand otherbusinessunitswithinthesameorganizationbecomemoreformalizedandlessflexible.Any timedecision-makingauthorityistakenawayfromthedepartmentsandgiventotheorganization, disparitiesbetweenthegoalsofdecision-makingactivitiesandtheirresultantoutcomesmayoccur.Thisisbecausetheknowledgeoftheuniquerequirementsofthedepartmentalorindividual elementsiseitherabsentorundervalued. DecentralizedInformationSystems Attheoppositeendofthecontinuum,decentralizedsystemsallowindividualunitstheautonomy tomanagetheirownITresourceswithoutregardtootherunits.Theprimaryadvantagesofthe decentralizedapproacharetheaddedflexibilityandempowermentofindividualbusinessunits. Asaresult,responsetimestobusinessdemandsareoftenfaster.Additionally,theproximitytothe usersandtheiractualinformationrequirementscanleadtocloserfit,andtheaddedinvolvement ofenduserswithsystemdevelopmentcanleadtosuperiorsystemsdesigns. Fordecentralizedinformationsystems,theinitialscostsarerelativelyminimal(Kroenkeand Hatch,1994),asistheeaseatwhichthesystemcomponentscanbecustomizedandscaledtofit theneedsoftheindividualdepartments.Furthermore,thereisincreasedautonomy(Hodgkinson, 1996),leadingtoincreasedflexibilityandresponsiveness.Thisenablesfargreatermotivationand involvementofusersastheyperceiveasenseofownership(Robson,1997).Theredundancyof multiplecomputersystemsmayincreasethereliabilityoftheentiresystem—ifonecomponent fails,othersmayfillthegap.Finally,adecentralizedapproachreducestheconflictsthatmayarise whendepartmentsmustcompeteforcentralizedITresources. For organizations consisting of highly diverse business units that operate in very different marketplaceswithverydifferentbusinessrequirements,decentralizedITmanagementisclearly
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT55
moreappropriate.Ifeachunitissubjecttodifferentregulations,competitivepressures,andtechnologyenvironments,thenacentralizedsystemmayseverelylimiteachunit’seffectiveness.But adecentralizedapproach(whichcanstillachieveinformationsharingthroughnetworking)will alloweachunittoreacttoitsuniqueenvironment. Decentralizedsystemstypicallyhaveincreasedaccountability,motivation,andmanagement responsiveness(Hodgkinson,1996)overcentralizedsystemsbecausethelocusofcontroliscloser tothepointofimpact.However,increasedunderstandingandcustomerfocusisnotwithoutits costs.Alackofcentralizedcontrolcanleadtoconflictsandpolicyclashes.Sourcingfrommultiple vendorscancertainlycreateincompatiblesystems,andinefficienciescanresultfromahighdegree of duplication of resources, effort, and expertise.Additionally, the autonomous actions of the individualunits(andperhapstheuserswithintheunits)canhavedisastrousresultsifthemotivationorefficacyforcompliancewiththepoliciesandproceduresoftheorganizationismissing.In otherwords,thefacilitationofautonomythroughdecentralizedmanagerialcontrolmaypresenta scenarioinwhichincreaseddecision-makingauthorityandITsupportactivitiesarenecessitated, butthedesireorexpertisenecessarytoadequatelyfulfilltherequirementsislacking. ITSecurityManagementCentralization Formostinformationassurancemechanisms,themannerinwhichtheyaredeployedandmanaged isconsistentwiththepreferredlevelofcentralization.Forexample,firewallprotectionmaybe administeredatanenterpriselevelbyasingleadministratororunitwithinthefirm.Itmayalsobe administeredinadecentralizedmannerthroughtheuseofindividuallyoperatedpersonalfirewall solutions.Thelattermaybeappropriateforenvironmentscharacterizedbyahighlyautonomous end-usercommunity.Anti-virusprotectionsoftwareisanotherexampleofasecuritytechnology thatcanbedeployedandmanagedineitheracentralizedordecentralizedmanner.Whilemost organizationswouldprobablychoosetointegrateanti-virusprotectionintotheirenterprise-level protectionstrategies,itispossibletodeployanti-virusprotectionattheend-userlevel.Infact,for manyorganizationsthatallowmobilecomputingorremoteconnectivity,relianceonendusers toappropriatelymanageananti-virussolutioniscommonplace.Manyotherendpointsecurity solutions,suchasanti-spywareprotection,haveyettomaturetothestatusofanenterpriselevel solutionandshareasimilarfate. Atthistime,itisdifficulttoargueagainsttheuseofacentralizedITsecuritymanagement strategyforprovidingthemosteffectiveprotectionforanorganization.Whenconsideredfrom thestandpointofprevention,detection,andremediation,itcouldbearguedthateachofthese linesofdefensecouldbeaddressedmoreimmediatelyandpreciselyattheindividuallevel.Unfortunately,therearenodefinitiveanswerstothisproblembecauseoftheelementofthehuman conditionanditsassociatedcomplexities.Whilemanysolutionsmayappearonthesurfacetobe bestsuitedforenterprise-levelmanagement,issuesofculture,competency,and/orpoliticsmay forceindividual-levelmanagement. Thefollowingcasestudyprovidesinsightintotheoutcomesassociatedwithmalwareattacks ontwodistinctITsecuritymanagementstrategies.Withinthisanalysisisevidenceofthehuman condition’simpactontherationaleforITsecuritymanagementstrategies. THECASEOF“TECHUNIT”VERSUS“MEDUNIT” Inananalysisoftwoorganizationalunitswithverydifferentorganizationalstructures,theauthors haveassessedtheimpactofcentralizationontheunits’abilitytopreventandaddressthethreat
56 WARKENTIN AND JOHNSTON
posedbytwospecificmalwareincidents.1Thiscase(Johnstonetal.,2004)willhelpelucidatethe trade-offsbetweenhighlycentralizedandhighlydecentralizedinformationsystemmanagement functions. Released onAugust 11, 2003,W32.Blaster.Worm (Blaster) quickly infiltrated hundreds of thousandsofunprotectednetworksandinfectedunpatchedsystemsrunningtheWindows2000 andWindowsXPversionsofMicrosoft’soperatingsystem.Onlyeightdayslaterthemass-mailing wormW32.Sobig.F@mm (Sobig.F) was launched.As the worms propagated on the Internet, manynetworksexperiencedextremelatencyandinoperablee-mailsystems(Jaikumar,2003). Thenatureoftheworms,aswellasthecloseproximityofthereleasedates,requiredtimelyand carefulattentionbyindividualsresponsibleforinformationtechnology(IT)security.Onaglobal scale,theseproliferationsofmaliciouscodecausedsignificantdamagetoinformationsystems environments.DamageestimateswereinthebillionsofU.S.dollarsonlydaysaftertheinitial releaseoftheworms(Bekker,2003). Intheaftermathofanysecuritycrisis,stepsaretakentoguardagainstrepeatedaggressionof asimilarform.BytakingabroadperspectiveofthegeneralthreatmaliciouscodesposetoIT, patternsofsecuritymanagementstrategyemergethathaverootsinorganizationaldesign.This studyexplorestheimpactofmaliciouscodeontwodistinctITsecuritymanagementcultures. Specifically,weexaminethesecuritythreatcreatedbyBlasterandSobig.Fwithinafunctional businessunit(FBU)withacentralizedapproachtoITsecuritymanagementandanFBUwitha decentralizedapproach.Theseparticularwormswereselectedduetotheirlargeimpact,national exposure,andtimelinesstothestudy.Followingadetailedpresentationofthecases,comparisons aremadethatarticulatethesuccessesandfailuresoftheseFBUsintheprevention,detection,and remediationofthewormactivity.Additionally,thisstudyprovidesinsightintotheuniquechallengesimposedbyaparticularmanagementphilosophyonITsecuritypractices.Byexamining instancesofextremes,wecanobservetheenvironmentsandidentifyrelevantvariablesinorder tounderstandoftheimpactofBlasterandSobig.FonITsecuritymanagementpractices. Background AdvancesinITtechnologiesallowmanagerstoremainflexibleintailoringtheirorganizational designtofittheneedsofthebusiness(Walker,1993).Whiledealingwithcomplexanddynamic businessenvironmentsisaprimaryactivityfororganizationalmanagement(Milliken,1987),effectivelyorganizingtheITcomponentwithinanorganizationisalsoamajorconcern(Brownand Magill,1994;SambamurthyandZmud,2000;WatsonandBrancheau,1991).Sambamurthyand Zmud(2000)describeenterprise-wideeconomiesandefficiencies,localizedbusinessneeds,and opportunitiesandchallengesasthetypicalforcesthatdrivetheselectionofanITsupportdesign. Theprevailingcorporategovernancearchitecture,thecapabilitiesofthecentralITunitinserving itsclients,andtheabilityandwillingnessoftheclientstoparticipateinself-supportedITactivities arealsofactorsthatinfluencetheselectionofanITsupportdesign(BrownandBostrom,1994; SambamurthyandZmud,1999;SambamurthyandZmud,2000). Priorresearcheffortspointtoatrendinwhichfirmsarecentralizingtechnologymanagement effortswhilesimultaneouslydecentralizingtechnologyusagemanagement(AllenandBoynton, 1991;BrownandBostrom,1994;SambamurthyandZmud,2000;Zmud,1984).Referredtoasa “federalgovernancearchitecture,”thisformofITdesignisacompromisebetweenacompletely centralizeddesignandacompletelydecentralizedstructure.AcentralizedITenvironmentisone inwhichthelocusofresponsibilityrestsonacentralITunit,whileacompletelydecentralizedIT environmentisoneinwhichthelocusofresponsibilityiswithabusinessunit(BrownandBostrom,
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT57
1994).Clearly,thefederalgovernancearchitecturecanbecharacterizedasanITenvironmentthat requiresamoretechnicallyactiveend-usercommunity. Astrendsinorganizationaldesignhaveevolvedfromcentralizedtomoredecentralizedenvironments,suchasthefederalgovernancedesign,thechangeshavebeenreflectedinIT(Mukherji, 2002). Benefits of decentralization include improving response time, increasing effectiveness, andflatteningoftheorganizationinanefforttoaccommodateemployeeempowermentinitiatives (Walker,1993).Furthermore,suchmanagementstructureshavebeenfoundtobemoreconducive tosuccessfullydealingwithrapidlychangingenvironments(Mukherji,2002).However,withan increasingemphasisonITsecuritymanagementinresponsetotheprospectofarapidlychanging threatmilieu,theultimatesuccessofadecentralizedITstructureisunclear. ItcouldbeexpectedthatacentralizedapproachtoITsecuritymanagementismoreeffective. However, given the argument for adequate security practices, a more decentralized approach mayfulfilltherequirementsforsecurityasdeemednecessary.AprimarygoalofanyITsecurity manageristoestablishacomputingenvironmentthathasanadequatelevelofconfidentiality, integrity,andavailabilityofresources(PfleegerandPfleeger,2002).Becausecompletesecurityis unobtainable,theconceptofadequacyissignificant.Conventionalsecuritypracticedictatesthat securityprofessionalsmustallocateonlytheresourcesrequiredforprotectionconsistentwiththe valueofthesystemsanddatatobeprotected(PfleegerandPfleeger,2002).ITmanagersmustassesscurrentandpotentialvulnerabilities,threats,countermeasures,andacceptableriskinorderto promoteanacceptablelevelofsecurityfortheircomputingenvironment.Inadecentralizedsecurity managementenvironment,suchresponsibilityrestsmoreheavilyontheshouldersoftheenduser. Unfortunately,userattitudestowardself-managedcomputersecurityaretypicallynotconsistent acrossanentireusercommunity(Delio,2003;MondsandWang,2003).Thisinconsistencywill ultimatelyimpaireffortstothwartaninstanceofmaliciousactivity,assomeusersareunawareor misinformedofordisinterestedinfulfillingtheirITobligations. Asthreatsevolve,securitymanagementpracticesmustevolveaswell.Thisiscomplicatedin thatITprofessionals,whilefrequentlyawareoftheintrinsicqualityofITsecurity,areoftenobliviousofthethreatsposedtotheircomputerresources(Lochetal.,1992;Whitman,2003).Users areevenlesscognizantthanITprofessionals(Delio,2003).Thedifficultyofthreatassessment isamplifiedbyanever-changingthreatlandscape(LandwehrandGoldschlag,1997).Whitman (2003)identifiesdeliberatesoftwareattacks,ofwhichmaliciouscodeisincluded,asthemost significantthreat,withtechnicalsoftwarefailuresorerrorsrankedsecond.Thesefindingsare significantinthestudyofBlasterandSobig.Fwormsecuritymanagementbecauseofthenature bywhichthewormspropagate. AlsoknownasW32/Lovesan.worm.aorsimplyLovesan,BlasterexploitstheDCOMRPC vulnerabilityinWindows2000andXPmachinesviaTCPport135.Blasteraffectsthosesystems bydownloadingandexecutingmsblast.exe.Thewormcausessevereinstabilitythatisdifficultto tracebecauseofthenatureofthealertmessage(Delio,2003).Primarily,theBlasterwormallows themalicioushackerremoteaccesstotheinfectedsystem.Thewormalsomakesitdifficultfor thesystemadministratortopatchtheoperatingsystembyperformingdenialofservice(DoS) attacksagainsttheMicrosoftWindowsUpdatewebserver.Sobig.Fisamass-mailingwormthat propagatesitselfthroughe-mailmessagedeliverytoalladdressesfoundinfileswithcertainextensions,suchas.htm,.txt,.dbx,and.eml.Sobig.F’sprimarypurposeistooverwhelmnetworks ande-mailsystemswithmassiveamountsofspammessagetraffic. TheidentificationofthreatssuchasBlasterandSobig.FisonlyonepartofaholisticITsecurity managementpractice.AnotheraspectofITsecuritymanagementinvolvesthetimelyevaluation ofvulnerabilitiesinrelationtothethreats(LandwehrandGoldschlag,1997).Thisassessment
58 WARKENTIN AND JOHNSTON
should involve both known and potential vulnerabilities based on information obtained from trustedsecurityresponseorganizations(LandwehrandGoldschlag,1997).Ifavulnerabilityis discovered,theassociatedriskmustbeevaluated.Foreachenvironment,riskassessmenttakes onauniquesignificance.Riskisdirectlyproportionaltothevalueoftheexposedresource.Any responsetothethreatshouldreflectacommensuratelevelofrisk.Unfortunately,reactionstorisks associatedwithmaliciouscodearegenerallyreactiveratherthanproactive(Lochetal.,1992), therebycreatingurgenciesthatITdepartmentsstruggletoovercome. DesignandMethodology Theresearcherschoseaqualitativeapproachtothestudygiventheneedtoexploreanddescribe thecomplexitiesoforganizationalresponsestotheworms.MarshallandRossman(1989)laud theapplicabilityofsuchanapproachsinceit“stressestheimportanceofcontext,setting,and subjects’frameofreference”(p.46).Thisstudydelvesintothedetailsofaparticularsituation facingcontrastingorganizationalenvironments. Specifically,interviewswithkeyinformantswereusedasthedatacollectiontechniquewithin thecasestudystrategy.Bothcasestudysubjectsarefunctionalbusinessunitsatalarge,public universitylocatedinthesoutheasternUnitedStates.Oneofthefunctionalbusinessunitsemploys acentralizedapproachtoITsecuritymanagement.Forthepurposesofthisstudy,wewillreferto thisentityas“TechUnit”orFBU#1.Theotherfunctionalbusinessunit,referredtoas“MedUnit” orFBU#2,utilizesadecentralizedapproachtoITsecuritymanagement. WithineachFBU,threeITsecuritymanagementpersonnelwereinterviewed.Eachinterviewee representsadifferentlevelofmanagement.Inbothcases,hour-longinterviewsessionswereheld withthedirectorofIT,anetworkmanager,andasystemsanalyst. TechUnitcanbecharacterizedasacentralizedorganizationbothintermsofitshumanresource structureaswellasitsITenvironment(seeFigure3.2).Describedashavingasinglepointofcontrol fordecisionmaking,centralizedorganizationssuchastheTechUnitoftenpatterntheirITsupport aftertheirmanagementhierarchy.TheTechUnitisgovernedbyanexecutiveboardthatconsists ofseniorofficialsoftheuniversityaswellasinfluentialmembersoftheresearchcommunity. ThisboardisultimatelyresponsibleforthedirectionandsuccessoftheTechUnitasanentirety. WithintheTechUnit,therearefiveindependentresearchunitsthathaveuniqueresearchagendas andfundingsources.Insupportoftheresearchunitsisanadministrativeofficethatfulfillsany businessandaccountingrequirements.ITsupportisprovidedbyagroupofsevensystemsanalysts underthedirectionofaseniorsystemsanalystwhoalsooverseestheadministrativeoffice. ITsupportfortheorganizationisreflectiveofthecentralizedorganizationalmanagementsupportstructureinthatITpersonnelmaintaindecision-makingresponsibilitieswithminimalinput fromtheend-usercommunity.Thisresponsibilityincludesanythingfromdecisionsrelatedtonew technologyimplementationstothecreationofcomputingresourceusagepolicies. Fromapurelytechnicalstandpoint,thecomputingresourcesatTechUnitaremaintainedinsuch amannerastominimizerelianceonbehavioralcontrols.Eventhoughtheirpoliciesandprocedures arecarefullycraftedandfrequentlyarticulatedtotheusers,themajorityofthecontrolsaretechnical. Forexample,policydictatesthatausermustfollowaprescribedformulaforpasswordcreationand maintenance.Thepolicyrestrictstheuseofdictionarywordsandcharacterornumericalsequential stringsaswellaspasswordsoflessthaneightcharacters.However,insteadofrelyingonusersto complywiththewrittenpolicy,technicalcontrolsintheformofscriptsareinplacetoforcecompliance.Thesetechnicalcontrolsarereflectiveofthewrittenpoliciesandindicativeofthecentralized natureoftheITenvironmentinthatthegoalistominimizeend-userautonomy.
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT59 Figure3.2 TechUnitOrganizationalStructure
Executive Board
Research Unit
Research Unit
Research Unit
Research Unit
Research Unit
Administration
IT Support Group
FindingsofCaseStudy After evaluating the interview data, the following findings were identified. Within FBU #1 (TechUnit),allnewemployeesareaskedtoreadITorientation(policies)andtoparticipatein specificITtrainingprograms.Acommitteecollectivelyformulatesstrictpolicieswithregardto manyaspectsofITmanagementanduse.ThereisacultureofITcontrolinwhichnewemployees areexpectedtoworkwithinastructure,whichisconsistentwiththeirbackgroundandexperience. (Theygenerallyunderstandadvantagesofcentralizedcontrol.)Usersunderstandandexpecta formalizedapproachtoITmanagement.Mostarecareerprofessionals(facultyorfull-timeresearchstaff)withalong-termrelationshipwiththeorganizationalunit,leadingtogreaterloyalty andcommitment.TheITmanager(whoiswellcompensated)reportsto(andisevaluatedby)a committeeoftech-savvyindividualswithengineeringandsciencebackgrounds.Functionally, asidefromInternetconnectivity,TechUnitdoesnotusetheorganization-wideITservicesforany features—theyevenoperatetheirownDNSserverande-mailserver. Aninterestingeventprovidesanexampleoftheoccasionalbreakdownintheunit’sinternal controlsandoftheredundancythatpreventsthreatsfromcausingseriousdamage.Animportant guestwasallowedtobringinalaptopwithouttheinconvenienceofthetraditionalvirusscreening.Butthatlaptopcontainedaworm,whichspreadtootherresourcesinthenetwork.However, theexternalperimetercontrolsarebackedupbyadditionalservercontrolsandprotections,which preventedthewormfromcausingfurtherdamage.Additionally,theinfectedlaptopwasidentifiedthroughnetworkmonitoringandappropriatelypatched.Hadthisincidentoccurredwithin
60 WARKENTIN AND JOHNSTON
MedUnit’senvironment,therewouldhavebeennopossibilityfordeterminingthesourceofthe infection. Ideally,behavioralcontrolswillworkinharmonywithtechnicalcontrols.Traditionallyarticulatedinpolicyanddetailedinprocedure,behavioralcontrolsarethefirstlineofdefenseagainst inappropriateactivity.Theydefinetheboundariesforpracticeandarereinforcedbytechnicalcontrolswhenpossible.However,behavioralcontrolsmaynotbesupportedbytechnicalcontrolsdue toresourceconstraints,governingdynamics,inadequatetechnologies,andthelike.Organizational securityisultimatelyensuredthroughacombinationofbehavioralandtechnicalcontrols. WithinFBU#2(MedUnit),thereisasystemofadhocITadministration.Individualusers primarily address their own technical issues, if possible. Larger issues are addressed as they arise;ITsupportstaff“putoutfires”astheyoccur.Therearefewproactiveprocessestodeflect andblockvarioussecuritythreats.Theunithasnoofficialpoliciesregardingsecurityprocedures; newemployeesarenotrequiredtoundergoIT-relatedtrainingandorientation.Theunitusesthe organization-wide IT services for e-mail and various other IT functions, but is not influenced heavilybyorganizational-levelITplanning,standards,orpolicy.TheITmanageratMedUnit reportstosingleadministratorwithnotechbackground,ratherthantoatech-savvycommittee, asinTechUnit. MedUnitdoesnothaveacultureofITcontrol.Usershavenoexpectationthattheymustconform tostrictusagepolicies.Newmembersoftheunitenterwithexpectationsthattheycancontroltheir ownsystems,andarealsoresponsiblefortheirownITsecurity,includingsoftwareinstallation andmanagement,virusscanning,spamandspywarecontrol,databackup,andsoforth. MedUnit’suserbaseisdiverseandincludeshundredsofindividualswhobringtheirowncomputersintotheorganizationduringtheirfour-yearinvolvement.Thesecomputersaresupported bytheunit’sITstaff.Becauseofthehighturnover,theunitismoredynamicandlessconsistent, sothereislessorganizationalcommitmentandloyalty. Regardless of whether IT security management practices are centralized or decentralized, themechanismsbywhichassuranceisgainedaresimilar.However,themannerinwhicheach protectionmechanismisimplementedisdependentupontheparticularITsecuritymanagement philosophy.Whitman’sstudy(2003)includesadiscussionandrankingofprotectionmechanisms employedbyITexecutiverespondents.Adaptingthisrankingofprotectionmechanisms,wecan presentatabularrepresentation(Table3.3)ofthemannerinwhichvariousprotectionmechanisms aredeployedwithinthetwofunctionalbusinessunits. TechUnitepitomizestheconceptofcentralizedITsecuritymanagement.AsdescribedinTable 3.3,TechUnitmaintainsacentralizedapproachtothedeploymentofthevariousprotectionmechanisms.Fromtheprovisionofservicesinsupportofend-usercomputingtothephysicalinfrastructure andsecuritycontrols,TechUnitpromotesacentralizedITsecuritymanagementdesign. FromtheinterviewswithTechUnit’sITpersonnel,itisclearthattheymaintainaconsistent opinionastotheroleofITwithintheirorganization.Allthreeintervieweesdescribedtheroleof ITasaninstrumentforenablingresearchthroughthesupportoffacilities,computingresources, andpublishing.AsstatedbyTechUnit’sITdirector,“Thestaffprovidesawidevarietyofservices totheusercommunity.[Thesupport]couldbeassimpleasausernotknowinghowtologonto asystemtochangetheirpassword,tosomethingmuchmorecomplexsuchastryingtodebuga parallelFORTRANapplicationortryingtorunanapplicationononeofourcomputationalservers, ortoevaluatenewsoftwarethatmightenable[theuser]toperformtheirresearchmission.” TechUnit’sITpersonnelarephysicallylocatedinthesamefacilityastheusercommunity. Thisdeploymentstrategyisarequirementforthedesiredend-usercomputingsupportefforts. Asdictatedinpolicyandstrictlyadheredtoinprocedure,TechUnit’sendusersarecompletely
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT61 Table3.3
CategoriesofThreatstoInformationSystems Protectionmechanism
“TechUnit”(centralized)
“MedUnit”(decentralized)
Password
Thecentralizedpassword managementpolicyrequiresend userstomaintainasingleuser IDandpasswordforaccesstoall systems.Additionally,endusers arerequiredtoadheretospecific passwordstandards.
Thedecentralizedpassword managementapproachallows userstoestablishtheirownunique passwordschemes.Thereareno specificrequirements.
Mediabackup
ITmanagementpersonnelare solelyresponsibleforinitiatingand monitoringalldataredundancy procedures.
ITpersonnel,aswellasendusers, activelyparticipateinmediabackup efforts.
Virusprotection software
Anti-virusactivitiesareinitiated andsupportedforallenduser andcomputationalsystemsbyIT personnelonly.
ITpersonnel,aswellasendusers, activelyparticipateinanti-virus efforts.
Employeeeducation
Formaltrainingprogramssuch asworkshopsandIntranet supportwebsaredevelopedand implementedbyITpersonnelonly.
Endusersareresponsiblefor handlingtheirspecifictraining requirements.
Auditprocedures
ITpersonnelmonitorallrelevant systemandnetworklogs.
Endusersareaskedtomonitortheir respectivesystemsforinappropriate activity.
Consistentsecurity policy
ITpersonnelestablishsecurity policyfortheentireTechUnit.
Endusersareinstrumentalinthe establishmentofsecuritypolicy. EachunitwithinMedUnitmayhave itsownsecuritypolicy.
Firewall
ITpersonnelmaintainasingle firewallfortheentireTechUnit.
Endusersareaskedtomaintain personalfirewallsfortheirrespective systems.
Monitorcomputer usage
ITpersonnelaresolelyresponsible formonitoringcomputerusageand resourceallocation.
Endusersmaymonitorcomputer usagefortheirrespectivesystems.
Controlof workstations
OnlyITpersonnelhave administrativerightstocomputing resources.Enduseraccessis restricted.
Endusershaveeitherpower-user oradministratoraccountsontheir respectiveworkstationsdepending ontheirrequirements.
Hostintrusion detection
ITpersonnelaresolelyresponsible forhostintrusiondetection.
Endusersareaskedtomaintain theirownhostintrusiondetection mechanisms,suchasZoneAlarm®.
Source:AdaptedfromWhitman,2003.
62 WARKENTIN AND JOHNSTON
reliantonITpersonnelforthelong-termandimmediatesupportoftheircomputingneeds.From softwareacquisitionsanddeploymenttosystemmaintenanceprocedures,ITpersonnelaresolely responsible.Specifically,end-usercomputingresourcesareinitiatedandmaintainedonlybyIT personnel.Whilethissupportstructureinvolvesaconsistentelementofinteractionamongusers andITpersonnelandallowsforinputfromusersregardingoperatingproceduresandpolicies,end usershaveabsolutelynoautonomyindealingwithissuesregardingthesupportoftheirrespectivecomputingenvironments.TheITdirectorforTechUnitexplains,“Sometimestheresearcher mayproposeasolutionthatworksforthem,butitmaynotworkfortherestofthecommunity oritmaynotintegratewellintooursystem.Insuchcases,ourstaffwouldevaluatetherequest andmakeadeterminationastowhetherthesolutioncanbeimplemented,wouldrequiretweakingpriortoimplementation,orshouldnotbeimplemented.Asanexample,wehaveafirewall configurationthatispreventingcertainusersfrombeingabletoaccessournetwork.We’restill determiningtheexactcause...but,inthisparticularcase,oneofouradmin(ITpersonnel)would perhapsopenthefirewalltoallowftpaccessaslongaswearenotcompromisingtheremaining partofoursystem.” ThepracticeofcentralizedITsecuritymanagementprovidedTechUnitwithahighlyeffective frameworkfromwhichtoaddressissuesspecifictotheBlasterandSobig.Fworms.AsthedirectorofITstated,“AllofourPCshaveanti-virussoftwareandmultiplelayersofprotectionand,in termsoftheworms(Sobig.FandBlaster),itwasallhands-offtotheusers.”Thisisaconsistent themeamongtheotherITpersonnel.TheonlyactionstakenbyTechUnitITpersonneltodeal withthewormswereslightmodificationstotheirfirewallande-mailserverfilter.Therewereonly afewobservationsofBlasterorSobig.FwormactivityinTechUnit’scomputingenvironment. TheseinstanceswereidentifiedandresolvedsolelybyITpersonnelwithnoimpactintermsof cost,time,philosophy,orcredibility(userconfidence).TheITdirectornoted,“Ifwehavedone ourjobproperly,theimpactisminimal,ifatallfelt,totheusercommunity.”Perhapstheminimal amountofend-userinteractionrequiredbyTechUnit’sITpersonneltodealwiththewormscould helpexplainthenotableabsenceofspecificknowledgeoftheworms’functionality.Notably,the levelofspecificknowledgeoftheBlasterandSobig.Fwormsincreasedasthelevelofmanagementdecreasedandthedegreeofuserinteractionincreased. AconsistentthreadamongTechUnit’sITpersonnelistheirperceptionofthesignificanceof externalthreatsrelativetointernalthreats.Allinterviewedpersonnelperceivedtheexternalsecuritythreattobemuchgreaterthantheinternalsecuritythreat.TheTechUnitnetworkmanager summarizesthesituation:“Wespendmoretimeandeffortsecuringtheperimeterthanwedothe inside.”BlasterandSobig.Farerepresentativeofanexternalthreat;however,becausetheworms canbeintroducedtoanetworkbyanunsuspectingenduser,theinternalthreatisreal.According toasurveyconductedbythesecurityfirmTruSecure,22.6percentof1,504corporaterespondents acquiredtheBlasterinfectionfromtheinside(Varghese,2003).Inaddressingtheissueofinternal threat,everyoneofTechUnit’sITpersonnelwhowasinterviewedevaluatedhisorherextentof preparednessintermsoftheknowledgeleveloftheendusers.AstheITdirectorexplained,“Our userbaseheretendstobemorecomputersavvythanthetypicaluserbase.”Becauseaccidental orunknowledgeableusererrorisconsideredtobeatop-fivethreattoanorganization(Whitman 2003),thisrationaleforade-emphasisontheinternalthreatpotentialseemsjustified;however, deliberateactsofsabotageorvandalismalsorankhighlyasathreattoanorganization.Amore knowledgeableuserbasehasagreaterpotentialtoinflictdeliberatemaliciousacts;so,itisunclear astowhetheratechnicallysavvyuserbasejustifiesareducedlevelofinternalsecurity. AdecentralizedapproachtoITsecuritymanagementisoneinwhichthereisahighlevelof autonomyforendusersindealingwiththesecurityoftheirrespectivecomputingresources.The
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT63
ITenvironmentofMedUnitishighlyreflectiveofsuchanapproach.Althoughcertainprotection mechanismsaredeployedinamannerconsistentwithcentralizedITsecuritymanagement,such as the use of virus protection software, the majority of IT security management practices are decentralized,asdescribedinTable3.4. LiketheircounterpartsatTechUnit,MedUnit’sITpersonnelsustainahighlevelofinteraction withendusers.Inthisdecentralizedenvironment,however,thetypeofsupportthatisprovided variessignificantlyfromoneclienttothenext.AsstatedbythesystemsanalystforMedUnit, “We’reheretonotonlysupporttheendusersintheuseoftechnology,butwe’realsoresponsible forhelpingthemtoincorporatetechnologyintotheirareaofexpertise.Thisbasicallymeansthatas newtechnologiesbecomeavailable,ourenduserswanttoexperiencethem.We’reheretofacilitate that.”Fromtheprovisionofpricinginformationforthepurchaseofsoftwareandhardwaretothe maintenanceofcomputingresources,MedUnitITpersonnelactasasourceofinformationand resources.Theirendusersareempoweredtoinitiateandmaintainanycomputingandnetwork servicesthattheywarrantnecessaryforthesuccessfulcompetitionoftheirrespectivetasks.The degreetowhichanenduseractsautonomouslyvariesrelativetotheperson’stechnicalinterests andabilities. MedUnitendusersareexpectedtoassessandactonanyinstancesofmaliciousactivitythat theyviewasthreatstotheirpersonalcomputingenvironment.AstheITdirectorstates,“Wepretty muchletthemdowhattheywanttodo.”Fromtheuseofpersonalfirewallstothedeployment ofpersonalwirelessaccesspoints,endusershaveahighdegreeofautonomy.Thesourceofthis freedomisfoundinthecultureoftheFBU.“Overtheyears,certainendusershavedetermined thattheyareabove[policy],andiftheyreallydon’tlikesomethingtheytakeactiontohaveit reversedintheirfavor,”statestheITdirector.ThispoliticalorientationtoITmanagementnotonly createsastrainonITpersonnelandend-userrelationships,italsolaysafoundationforfutureIT securitydisasters. MedUnit’susersdictateITsecuritymanagementpolicyandprocedures.Asexplainedbythe MedUnitsystemsanalyst,“Whilewehavesomeendusersthataretechnicallysavvy,itmakes supportingthosethataren’t,verydifficult.[Endusers]dictatewhatisgoingtohappen.Ifseveral [endusers]wantsomethingtohappen,it’sgoingtohappen.”Whenfacedwithamaliciousepidemic suchasBlasterandSobig.F,thisapproachtosecuritymanagementisnoteffectiveinthediscovery oreradicationoftheworms.“Wewerehitprettyhard.Itjusthitusallofasudden.Forabouttwo weeks,wecouldexpecttocometoworkeverymorningandpatchsystems.” Amongtheend-userpopulationthereexistvariousassessmentsoftherisksposedbythe worms;therefore,aconsistentandcomprehensiveeradicationofBlasterandSobig.Fisdifficult. AsexpressedbytheMedUnitITdirector,“Wecan’talwaysguaranteethatourendusershave anti-virussoftwareontheirmachine.”ThesuccessofadecentralizedformofITsecuritymanagementisdependentontheknowledgeandabilitiesoftheend-usercommunity.Unfortunately fortheunit,theseend-userqualitiesarenotconsistent.TheITdirectorexplained,“Security isnotaconcernforverymanyofourendusers.Unfortunatelyforus,mostofourendusers don’tknowenoughaboutwhatisgoingon,securitywise,toevenhaveaclueastohowtofix theircomputer.” ThelevelofcoordinationamongenduserandITpersonnelwasnecessarilyhigh.MedUnit’s methodofremediationforBlasterandSobig.Finvolvedasystematicevaluationofnearlytwo hundredgeneralpurposecomputersforwhichITpersonnelhaveadirectsupportrole.Additionally,anoticewasdistributedtoendusersstatingthesignificanceofthewormswithinstructions outliningthestepsrequiredtoavoidandremovethewormsandpatchtheoperatingsystems. Thenetworkmanagerstated,“We’vebecomemuchmoreaggressiveontheattentionwegive
64 WARKENTIN AND JOHNSTON Table3.4
CharacteristicsofITEnvironmentasDescribedbyITPersonnel Characteristic
“TechUnit”(centralized)
“MedUnit”(decentralized)
RoleofIT
RoleofITwasclearlyand consistentlyarticulatedbyall interviewedITpersonnel
RoleofITwaslessclearly articulatedbyeachinterviewee asweprogresseddownthe managementchain
End-userinteraction
ITpersonnelfrequentinteractwith endusersandencounterawide varietyofissues
ITpersonnelfrequentlyinteract withendusersandencountera widevarietyofissues
End-userautonomy
Endusershavenoautonomy
Endusershaveahighdegreeof autonomy
End-userinputinto policy
Enduserscanmake recommendationsandrequests, butultimatelydonothavepolicyeditingauthority
Endusersultimatelydictateor ignorepolicywherepolicyexists
Externalvs.internal threatperception
ITpersonneldescribe80percent ofthreatstobeofexternalorigin; 20percentofthreatsareof internalorigin
ITpersonnelbelieve90percentof threatsareofexternalorigin;10 percentofthreatsareofinternal origin
Internalthreat perception
ITpersonnelbelievehighlyskilled andknowledgeableendusers presentlessofathreattosecurity
ITpersonnelbelieveminimally skilledandunknowledgeableend userspresentlessofathreatto security
toWindows’updates.”However,theeffectivenessoftheenhancedpolicyforWindowspatchingwillbedictated,inpart,byhowwelltheITpersonnelarticulatethispolicytoendusers responsiblefortheirowncomputingresources.Thespecificknowledgeofthewormswasgreater forMedUnit’sITpersonnelthanforTechUnit’sITpersonnel.TheamountandtypeofinteractionwithendusersbyMedUnitITpersonnelindealingwithinstancesofBlasterandSobig. Finfectionsmayexplainthisdifference.Foreradicationattemptstobesuccessful,MedUnit’s ITpersonnelwererequiredtobemoreactiveintermsofremediationattemptsandinteraction withendusers.Bycontrast,TechUnit’sITpersonnelwerenotrequiredtointeractwithend usersandwereabletoperformaminimalamountofmodificationstofirewallande-mailfilters toremedythethreat. AswithTechUnit,MedUnit’sITpersonnelperceivethesignificanceofexternalsecuritythreats tobehighrelativetointernalthreats.Asignificantdifferenceexistsintherationalebehindthis perception.WhileTechUnitITpersonnelpointtoanelevatedknowledgeandskilllevelpossessed bytheirendusersasareasonforalowinternalsecuritythreat,MedUnitITpersonnelpointtoa lowend-userknowledgeandskilllevelastherationalforalowinternalsecuritythreat. ThesuccessesandfailuresexperiencedbytheITpersonnelinbothunitsinaddressingthe BlasterandSobig.FwormswereguidedbytheirrespectiveITsecuritymanagementstrategies. WhileTechUnit’scentralizedapproachwasclearlymoresuccessfulintermsofminimizingthe impactofthewormsontheirenvironment,wecanlooktoanumberofcharacteristicsthatpredicatedthisoutcome.Table3.4providesasummarylookatsomeoftheconsistenciesandcontrasts thatbetweenthetwoITenvironments.
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT65 Table3.5
ScientificQuestionsinNeedofFurtherStudy Area
Issue
Impact
1.Governance
1.1MustITsecuritygovernancebe entirelyconsistentwithgeneralIT governance,orcanthetwo approachesdiffer?
Ifthetrade-offsaredifferent,afirm mightchoosedifferentstrategiesforIT governanceandsecuritygovernance, unlesstheymustbethesame.
1.2AretheredifferencesinIT governanceandsecuritygovernance strategiesfromoneindustrytothe next?
Togenerateandsupporteffective governancestrategies,industryspecificnuancesmustbeidentifiedand addressed.
2.1DoesacentralizedITsecurity managementstrategyprovidethe mostassurance?
UnderstandingthemosteffectiveIT securitymanagementpracticeswould allowfirmstoconsidertheirstrategy alternatives.
2.2Aretheredifferencesfromone actiontoanotherintermsofuser discretion?
Effectiveend-pointsecuritydependson aconsistentapproachtoinformation assuranceactions.
2.Degreeof information systems centralization
CONCLUSIONSANDDIRECTIONSFORFUTURERESEARCH Inthecurrentclimate,thesecurityofinformationsystemsneedstobeproperlymanagedinorderto ensureavailabilityofresources.OrganizationsplanningtheirITsecuritymanagementstrategiescan benefitfromthefindingsofthisresearch.Whilethedecentralizedapproachandfederalgovernance architecturefacilitatemeetingend-userrequirements,securitymayneedtobeincreasinglycentrally managed.Thisisnotnecessarilycontradictorytoimprovingfunctionalityforendusers,sinceunder thedecentralizedapproach,endusersareexpectedtotakeanactiveroleinactivitiessuchasauditing andintrusiondetection.Thistakestimeandeffort,andend-userfailuretopracticethesefunctions canpotentiallycompromisethewholenetworkforallusers.UsersmayconsiderhighITactivityin securitybreachremediationasapositivesignofservice,butthismaynotlastwithrepetitivelossof networkavailability.IfMedUnitisindicativeofsecuritymanagementunderadecentralizedapproach, andconsideringtheincreasingexternalsecuritythreats,weexpectashifttowardmorecentrallymanagedsecurityinthefuture.Furtherresearchisnecessarytoexaminehowtocombineadequatesecurity withrealisticexpectationsregardingend-userinvolvementinsecuritypractices.Thisstudyexamines twopolaroppositesofcentralizationanddecentralizationinITsecuritymanagement.Futureresearch endeavorscanincludevaryinglevelsofcentralizationacrossalargernumberofFBUs. Table3.5providesalistofresearchquestionsinareasinneedoffurtherinvestigation.Ifadvances insecuritygovernancearetobemade,moreknowledgeisneededintheareasofgovernance,organizationalstructureanddesign,andIScentralization.Perhapsthesequestionscouldshapetheprogress towardfillingthisvoid.Eachitemdescribedinthetableisaddressedingreaterdetailbelow. DetailsonIssue1.1 Managerialdecisions,includingstrategicdecisionsabouthowtostructuretheorganizationtranscendIT,transcendissuesofsecurityandinformationassurance.Isitpossibletosuccessfully
66 WARKENTIN AND JOHNSTON
deployanITgovernancesystemthatishighlydecentralized(inordertocapturethebenefitsof flexibility,forexample),whilemaintainingahighlycentralizedITsecurityenvironment(inorder tomaintaintightperimetercontrols,forexample)?Mustthetwodecisionsbelinked,orcanafirm implementgreatercentralizationforITsecuritythanitmayforbroaderITissues?Thisquestion mightbeinvestigatedthroughin-depthinvestigationoffirmsthatemployconsistentdesignsversus thosethatdonot.Firmsthathaveexplicitlychosentodeploydifferentposturesmaybeparticularly interestingtoexplore.Whatpromptedthisdesignandwhataretheoutcomes? DetailsonIssue1.2 Manyindustries,suchasbanking,aresubjecttosignificantregulationaffectinginformationasset management.Privacylawsandotherlegislationimposecompliancerequirementsthatimpactfirms differentially.Aframeworkofcomplianceguidelinesthatisindustry-andnation-specificwould provideanormativemodelforsecureITgovernance.Further,comparativecasestudiesacross numerousindustriesmayilluminateimportantmarket-drivendifferencesthatcouldenableother firmstoaltertheirposturetobenefitfromknowledgegainedinotherindustriesthatexperience similarenvironmentalconditions. DetailsonIssue2.1 ITmanagementstrategiesareoftenareflectionofafirm’sbusinessstrategy.AlongtheITmanagementcontinuumfromdecentralizedtocentralized,ITefficienciesarefoundthatworkwellfor certainorganizationalmodelsandnotforothers.However,forsecuritymanagementpurposes,can weassumethatacentralizedmanagementmodelprovidesthehighestlevelofassurance?How dofirmswithdecentralizedITmanagementstructuresachievehighlevelsofassurancewithout reshapingtheirmanagementstrategy?Futureinsightsbasedonempiricalevidencewouldgreatly enhanceourunderstandingoftheseissues. DetailsonIssue2.2 Toensureagainstendpointsecurityvulnerabilities,ITsecuritypoliciesandproceduresshould promoteaconsistentapproachamonguserstaskedwithfollowingassuranceprocedures.However, aretherecircumstanceswherebycertainindividualsorroleswithinafirmmayberequiredtoperformadifferentsetofactionsforthegoodoftheirunit?Inhighlycentralizedenvironments,are theresituationsthatmayrequireuserstoprotecttheirassetsattheirdiscretion?Furtherresearch is required to better understand the benefits and detriments of a user empowered IT security managementapproach. Asidefromtheseopenissues,wecanseethatinformationsystemssecuritymanagersshould establishandmaintainorganizationalstructuresandgovernanceprocedureswithsecuritygoals inmind.Otherwise,securitypoliciesandproceduresmaynotbeproperlyexecuted.Fundamental governanceframeworksdevelopovertime,andrequiretheinvolvementofemployees,customers, andothers.Tomeettheirsecuritygoals,organizationsmustinfluenceandmonitorthesehuman activitiesinordertorewardpositiveoutcomeswhileimposingsanctionsinresponsetonegative outcomes.Suchmonitoringandinfluencingisacomplexprocess.Forexample,fundamentaldecisionsaboutITgovernance,suchasthedegreetowhichITsecuritycontrolsshouldbecentralized ordecentralized,havedeepimpactsonthedegreeandthemannerinwhichITsecuritycontrols aredevelopedandenacted.
ITGOVERNANCE/ORGANIZATIONALDESIGNFORSECURITYMANAGEMENT67
ACKNOWLEDGMENTS ThisresearchhasbeensupportedbytheCenterforComputerSecurityResearchatMississippi StateUniversityandfundedprovidedbyNSAGrantH98230051010105080782andNSFGrant DUE-0513057.ElementsofthischapterareinspiredbyWarkentinandJohnston(2006). NOTE 1.Thiscasewaspreviouslypresentedataconference(Johnstonetal.,2004).
REFERENCES Allen,B.R.,andBoynton,A.C.1991.Informationarchitecture:insearchofefficientflexibility.MISQuarterly,15,4,435–445. Beath, C.M., and Straub, D.W. 1991. Department level information resource management: a theoretical argumentforadecentralizedapproach.JournaloftheAmericanSocietyforInformationScience,42,2, 124–127. Bekker, S. 2003. Sobig damage estimate increased. ENT (available at www.entmag.com/news/article. asp?EditorialsID=5936,accessedonMay1,2005). Bolles, G.A. 2004. Whiteboard: business by design. CIO Insight (available at www.cioinsight.com/ article2/0,1397,1457058,00.asp,accessedonMay1,2005). Brand,K.,andBoonen,H.2004.ITGovernance:APocketGuideBasedonCOBIT,3rded.TheNetherlands: vanHaren. Brown, C.V., and Bostrom, R.P. 1994. Organization design for the management of end-user computing: reexaminingthecontingencies.JournalofManagementInformationSystems,10,4,183–211. Brown,C.V.,andMagill,S.L.1994.AlignmentoftheISfunctionswiththeenterprise:towardamodelof antecedents.MISQuarterly,18,4,371–404. CIMA/IFAC.2004.EnterpriseGovernance:GettingtheBalanceRight(availableatwww.cimaglobal.com/ downloads/enterprise_governance.pdf,accessedonJan.1,2005). Delio, M. 2003. Worm exploits weak link: PC users. Wired News (available at www.wired.com/news/ infostructure/0,1377,59994,00.html,accessedonMay1,2005). Dhillon,G.,andMishra,S.2006.TheimpactoftheSarbanesOxley(SOX)actoninformationsecuritygovernance.InM.WarkentinandR.Vaughn(eds.),EnterpriseInformationSecurityAssuranceandSystem Security:ManagerialandTechnicalIssues.Hershey,PA:IdeaGroupPublishing,pp.62–79. Hodgkinson,S.1996.TheroleofthecorporateITfunctioninthefederalITorganization.InM.Earl(ed.), Information Management: The Organizational Dimension. NewYork: Oxford University Press, pp. 247–269. IT Governance Institute. 2003. Board Briefing on IT Governance (available at www.ITgovernance.org/ resources.htm,accessedonSept.6,2004). Jaikumar,V.2003.ITmanagerssaytheyarebeingworndownbywaveofattacks.ComputerWorld,37,34,1–2. Johnston,A.C.;Schmidt,M.B.;andBekkering,E.2004.ITsecuritymanagementpractices:successesand failuresincopingwithBlasterandSobig.F.Proceedingsofthe2004ISOneWorldInternationalConference.LasVegas,NV. Kroenke,D.,andHatch,R.1994.ManagementInformationSystems.Watsonville,CA:McGraw-Hill. Landwehr,C.E.,andGoldschlag,D.M.1997.Securityissuesinnetworkswithinternetaccess.Proceedings oftheIEEE,85,12,2034–2051. Loch,K.D.;Carr,H.H.;andWarkentin,M.E.1992.Threatstoinformationsystems:today’sreality,yesterday’s understanding.MISQuarterly,16,2,173–186. Marshall,C.,andRossman,G.B.1989.DesigningQualitativeResearch.BeverlyHills,CA:Sage. Milliken,F.J.1987.Threetypesofperceiveduncertaintyabouttheenvironment,state,effect,andresponse uncertainty.AcademyofManagementReview,12,1,133–143. Monds,K.E.,andWang,C.P.2003.CDC’snewepidemic:aninvestigationintoawareness,attitudes,actions, andknowledgeofcomputervirusesamongstudentsutilizingcampuscomputerlabs.JournalofComputer InformationSystems,43,3,118–126.
68 WARKENTIN AND JOHNSTON Mukherji,A. 2002.The evolution of information systems: their impact on organizations and structures. ManagementDecisions,40,5,497–507. Pfleeger,C.P.,andPfleeger,S.L.2002.SecurityinComputing,3rded.UpperSaddleRiver,NJ:Prentice Hall. Robson, W. 1997. Strategic Management and Information Systems: An Integrated Approach. London: Pitman. Sambamurthy,V.,andZmud,R.W.1999.Arrangementsforinformationtechnologygovernance:atheoryof multiplecontingencies.MISQuarterly,23,2,261–288. Sambamurthy,V.,andZmud,R.W.2000.Researchcommentary:theorganizinglogicforanenterprise’sIT activitiesinthedigitalera—aprognosisofpracticeandacallforresearch.InformationSystemsResearch, 11,2,105–114. Straub,D.W.1988.Organizationalstructuringofthecomputersecurityfunction.ComputersandSecurity, 7,Summer,185–195. Varghese,S.2003.Blasterwormtookheavytoll:survey.SydneyMorningHeraldOnline(availableatwww. smh.com.au/articles/2003/09/23/1064082983214.html,accessedonMay1,2005). Walker,K.B.1993.Centralizedinformationsystemsservices:managingthetransitiontodecentralization. IndustrialManagement&DataSystems,93,8,8–12. Warkentin,M.,andJohnston,A.C.2006.ITsecuritygovernanceandsecuritycentralizationvs.decentralization.InM.WarkentinandR.Vaughn(eds.),EnterpriseInformationSecurityAssuranceandSystem Security:ManagerialandTechnicalIssues.Hershey,PA:IdeaGroupPublishing,pp.16–24. Watson,R.T.,andBrancheau,J.C.1991.Keyissuesininformationsystemsmanagement.Information& Management,20,3,213–223. Whitman,M.E.2003.Enemyatthegate:threatstoinformationsecurity.CommunicationsoftheACM,46, 8,91–95. Zmud,R.W.1984.Designalternativesfororganizinginformationsystemsactivities.MISQuarterly,8,2, 79–93.
CHAPTER4
INFORMATIONSYSTEMRISKASSESSMENT ANDDOCUMENTATION HERBERTJ.MATTORDANDTERRYWIANT
Abstract:Riskassessmentistheprocessofdiscoveringanddocumentingtheriskspresentinan environment.Withinabroadercontext,knownasriskmanagement,riskassessmentisconsidered partoftheduecareanorganizationappliestotheoperationofacomputerizedinformationsystem.Usinganorganizedandsystematicapproachtoriskassessmentisessential.Therearemany modelsproposedandinusetostructuretheriskassessmenteffort.Thischapteridentifiessomeof themorewidelyknownmodelsandexploresawidelyusedapproach. Anapproachthathasbeenwidelyadoptedintheinformationassuranceindustryisknown astheThreat-Vulnerability-Asset(TVA)matrix.Inthemiddlepartofthischapter,thismodelis explored by explaining the processes used to enumerate and characterize assets, discern and evaluatethreatsagainstthoseassets,andidentifytheactiveandlatentvulnerabilitiesthatare presentorlikely.OncethethreeprimarydimensionsoftheTVAmodelareexplained,thechapter continueswithanexplorationofsomeofthemoresalientdetailsregardingassetvaluationand threatandvulnerabilityestimation. InordertoextendtheTVAmodel,thechapteraddsthedimensionofcontrols(orcountermeasures)tothemodel;thisincludestheprocessofidentifyingandexplainingexistingcontrols, exploringtheneedforpossibleadditionalorenhancedcontrols,andplanningformovingthe informationsecurityprogramforwardasthesepossiblecontrolsaredeployed. Afinalsectionaboutdocumentingtheresultsoftheriskassessmentprocesslconcludesthe coverageoftheTVAmodel. Theconclusionofthechapterisareviewofliteratureonthetopicofriskassessmentandsome observationsonthedirectionsfutureresearchmaytake. Keywords:InformationRiskAssessment,InformationThreatVulnerabilityAssetAnalysis,InformationControl,InformationLoss,InformationSecurityBenchmark,InformationAbuse,Information SecurityBaseline,InformationSecurityMetrics INTRODUCTION Manymodelshavebeenproposedtoassesstheriskofoperatinginformationsystems.Theabsolute perfectionofaspecificmethodologychosenbyanygivenorganizationisnotasimportantasthe existenceofafunctionalmethodologythatiscarefullyimplementedtobecomeanintegralpart oftheorganizationalculture.Thefirstsectionofthischapterexploressomeofthemorewidely knownmodels. Thediscussionofriskassessmentthencontinuesbydescribingwhatwillbecalledthecommon 69
70 MATTORD AND WIANT
bodyofknowledgeforriskassessment.Thecoreofthiscollectionofpracticesisrepresentedinthe widelyusedThreat-Vulnerability-Asset(TVA)matrix.Thechapterwillexplaintheprocessesused toenumerateandcharacterizeassets,discernandevaluatethreatsagainstthoseassets,andidentify theactiveandlatentvulnerabilitiesthatarepresentorlikelytobepresent.Oncethethreeprimary dimensionsoftheTVAmodelareexplained,thechapterwillcontinuewithanexplorationofsome ofthemoresalientdetailsregardingassetvaluationandthreatandvulnerabilityestimation. InordertoextendtheTVAmodel,thechapterwilladdthedimensionofcontrols(orcountermeasures);thiswillincludetheprocessofidentifyingandexplainingexistingcontrols,exploring theneedforpossibleadditionalorenhancedcontrolsandtheprocessofplanningformovingthe informationsecurityprogramforwardasthesepossiblecontrolsareimplemented. ThefinalelementinthecoverageoftheTVAmodelwillbeashortdescriptionofmethodsused todocumenttheresultsoftheriskassessmenteffort. Toconcludethediscussionofriskassessment,thechapterwillendwithareviewofliterature onthetopicandpresentsomeobservationsonthedirectionfutureresearchmaytake. CURRENTPRACTICESINRISKASSESSMENT RiskManagementMethodologies ChinesegeneralSunTzuremarked,“Ifyouknowtheenemyandknowyourself,youneednotfear theresultofahundredbattles.Ifyouknowyourselfbutnottheenemy,foreveryvictorygained youwillalsosufferadefeat.Ifyouknowneithertheenemynoryourself,youwillsuccumbin everybattle.”Thisobservation,madeover2,500yearsago,continuestohavedirectrelevanceto thepracticeofriskassessmenttoday.Thepracticeofriskassessmentisstrategicinnatureand isareasonwhyitisakeyfunctionofmanagement.Assessingdefensesisthefoundationofany successfulriskassessmentprogram.Hence,asSunTzurecommends,inordertoassesstherisks itfaces,anorganizationmustknowitselfcompletelyandknowthedangersfacedbyitsassets. Inotherwords,managersofanyorganizationmusttakecaretoidentifytheweaknessesoftheir organization’s operations, how its information is processed, stored and transmitted, and what controlmechanismsareavailable,beforedevelopinganystrategicplanofdefense. SurveyofMethodologies Riskassessmentisaprocessofdiscovering,documenting,andevaluatingtheriskspresentinan environment.Operatinginabroadercontext,knownasriskmanagement,riskassessmentisconsideredpartoftheduecareanorganizationappliestoitsoperationofacomputerizedinformation system.Usinganorganizedandsystematicapproachtoriskassessmentisessentialandmany modelshavebeenproposedandinusetostructuretheriskassessmenteffort. Today,manyorganizationsusetheriskmanagementmethodologiesdocumentedbytheU.S. NationalInstituteofStandardsandTechnology(NIST).Anotherapproachtoriskassessmentis encompassedintheOperationallyCriticalThreat,Asset,andVulnerabilityEvaluation(OCTAVE) approach,whichisbeingadoptedbysomeorganizations.ThemorerecentadoptionoftheISO/ IEC17799,InformationTechnology–CodeofPracticeforInformationSecurityManagement,is challengingorganizationswithinitspurviewtoadoptitsfar-reachinginformationsecuritymodel thatincludesriskassessmentcomponents.Anotherpracticalapproachtoriskassessmentiswell definedintheFacilitatedRiskAnalysisandAssessmentProcess(FRAAP)(Peltier,2005).Another approachthathasbeenpromotedasguidanceforundertakingriskassessmentbytheITGovernance
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION71
Institute(ITGI)andInformationSystemsAuditandControlAssociation(ISACA)istheControl ObjectivesforInformationandrelatedTechnology(COBIT)(COBIT,2005). Manyorganizationsuseasetofcommonindustrypractices,verymuchlikethoselistedabove andpromotedbyprofessionalorganizationssuchastheInternationalInformationSystemsSecurity CertificationConsortium(ISC2)initsCommonBodyofKnowledge(CBK).Thevariousmodels listedabovearedescribedbrieflyinthenextfewparagraphs,whiletheexplanationoftheTVA modelthatisattheheartoftheCBK,occupiesmuchofthebalanceofthischapter. ModelsfromtheNationalInstituteofStandardsandTechnology Riskmanagementandthenecessarystepsforassessingriskareatthecenteroftheinformation security methodologies promulgated by NIST.These broad information security management methodologiesaredescribedinthemanydocumentsavailablefromNIST’sComputerSecurity ResourceCenteroftheNationalInstituteforStandardsandTechnology(csrc.nist.gov). Thesedocumentshavetwonotableadvantagesovermanyothersourcesofsecurityinformation:(1)theyarepubliclyavailableatnocharge,and(2)theyhavebeenavailableforsometime andthushavebeenbroadlyreviewedbygovernmentandindustryprofessionals. Thefirstofthesethatshouldbeconsideredforitsimpacttotheprocessofriskassessmentis RiskManagementforInformationTechnologySystems(NISTSP800–30)(Stoneburneretal., 2002).Thisdocumentprovides: a foundation for the development of an effective risk management program, containing boththedefinitionsandthepracticalguidancenecessaryforassessingandmitigatingrisks identifiedwithinITsystems.Theultimategoalistohelporganizationstobettermanage IT-relatedmissionrisks.(p.1) This55-pageguidecanhelponedeveloporevaluatetheriskmanagementprocess. AnothervaluableresourcefortheriskassessmentprogramisNISTSP800–26,SecuritySelfAssessmentGuideforInformationTechnologySystems.Thischecklistencompassesseventeen areasthatspanmanagerial,operational,andtechnicalcontrols.TheareasarethecoreoftheNIST securitymanagementstructureandcanbeusedtoensurethatallinformationassetsandmethods ofcontrolareconsidered. OtherNISTpublicationsthatrefertothepracticesofriskassessmentare: • • • •
NISTSP800–12,ComputerSecurityHandbook NISTSP800–14,GenerallyAcceptedSecurityPrinciples&Practices NISTSP800–18,GuideforDevelopingSecurityPlans NIST SP 800–37, Guidelines for the Security Certification andAccreditation of Federal InformationTechnologySystems
Anadditionalresourcethatcanbeveryusefulforriskassessmentisthefederalgovernment websiteforgovernmentagencies.Whilenoteveryorganizationisafederalagency,mostorganizationswillbeabletofindusefulexamplesthatcanbeconvertedtotheirenvironment.Sincethis websitewasestablishedforgovernmentagenciestosharebestsecuritypractices(seehttp://fasp. nist.gov),itisknownastheFederalAgencySecurityProject(FASP).Itwastheresultofanefforttoidentify,evaluate,anddisseminatebestpracticesforcomputerinformationprotectionand securityfrommanyU.S.federalagencies.
72 MATTORD AND WIANT
TheOCTAVESMModel AcomprehensiveapproachtoriskmanagementprovidedfromasinglesourceistheOperationally CriticalThreat,Asset,andVulnerabilityEvaluationSM(OCTAVESM)(AlbertsandDorofee,2003). OCTAVEisariskassessmentandevaluationmethodologythatallowsorganizationstobalance theprotectionofcriticalinformationassetsagainstthecostsofprovidingprotectionanddetection controls.Itcanassisttheorganizationbyenablingittomeasureagainstknownoracceptedgood securitypracticestoestablishanorganization-wideprotectionstrategyandinformationsecurity riskmitigationplan. AsnotedbyAlbertsandDorofee(2003): The Operationally Critical Threat,Asset, andVulnerability EvaluationSM (OCTAVESM) Methoddefinestheessentialcomponentsofacomprehensive,systematic,context-driven, self-directedinformationsecurityriskevaluation.ByfollowingtheOCTAVEMethod,an organizationcanmakeinformation-protectiondecisionsbasedonriskstotheconfidentiality,integrity,andavailabilityofcriticalinformationtechnologyassets.Theoperationalor business units and the IT department work together to address the information security needsoftheorganization. Using a three-phase approach, the OCTAVE method examines organizational and technology issuestoassembleacomprehensivepictureoftheinformationsecurityneedsofanorganization. Thephasesare: • Phase1:Buildasset-basedthreatprofiles • Phase2:Identifyinfrastructurevulnerabilities • Phase3:Developsecuritystrategyandplans For more information, the OCTAVE method implementation guide is available at www.cert. org/octave/omig.html. TheISO/IEC17799Model The stated purpose of ISO/IEC 17799 is to “give recommendations for information security managementforusebythosewhoareresponsibleforinitiating,implementingormaintaining securityintheirorganization.Itisintendedtoprovideacommonbasisfordevelopingorganizationalsecuritystandardsandeffectivesecuritymanagementpracticeandtoprovideconfidence in inter-organizational dealings” (National Institute of Standards and Technology, 2001). The InternationalStandardscomponentisactuallythefirstvolumeofthetwo-volumeBritishstandard BS7799.Thefirstofthesevolumesisanoverviewofthevariousareasofsecurity.Volume1 providesinformationon127controlsovertenbroadareasandcontainsasectiondevotedtorisk managementandriskassessment.Volume2providesinformationonhowtoimplementVolume 1(17799)andhowtosetupaninformationsecuritymanagementstructure(ISMS),including structuresspecifictoriskassessmentactivities. In the United Kingdom these standards are used to evaluate organizations as they comply withgovernmentmandatestoobtainISMScertificationandaccreditation,asdeterminedbyaBS 7799certifiedevaluator.Thestandardwasoriginallydevelopedtobeusedbetweenprivateentities,buthasevolvedintoalegislatedrequirement.Manycountries,includingtheUnitedStates,
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION73
Germany,andJapan,havenotformallyadopted17799asnationalpolicy,althoughtheconcepts representedbythestandardaregainingincreasingacceptance.Thisisdemonstratedbythefact thatthestandardsarebeingintegratedintocommonpracticesincludingtheNISTandCBKapproachesdiscussedelsewhereinthischapter. Asthisiswritteninearly2006,anewstandard,ISO27001,hasbeenreleasedinitsfinaldraft version.WhenthefinalversionispublisheditwilldirectlyreplaceBS7799–2:2002intheUK. Thisnewstandarddefinesaninformationsecuritymanagementsystem,creatingaframework forthedesign,implementation,management,andmaintenanceofinformationsystemsprocesses throughout an organization. Just as ISA 17799 was an extension of BS7799–1, ISO 27001 is plannedasaninterpretationofBS7799–2.NotethatISO17799isacodeofpractice,providing detailsofindividualcontrolsforpotentialimplementation,andISO27001definestheinformation managementsystemitself. FRAAP InformationSecurityRiskAnalysis,SecondEdition,abookbyThomasPeltier,proposesaprocess knownastheFacilitatedRiskAnalysisandAssessmentprocess,orFRAAP.Inhisbook,Peltier notes: [FRAAP]hasbeendevelopedasanefficientanddisciplinedprocessforensuringthatinformationsecurity-relatedriskstobusinessoperationsareconsideredanddocumented.The processinvolvesanalyzingonesystem,application,platform,businessprocess,orsegment ofbusinessoperationatatime.(p.69) Theprocessisdescribedinacomprehensivemethodologyandisprovisionedwithsupporting guidanceandusefultechniquesinthebook. COBIT PromotedbytheInformationSystemsAuditandControlAssociation(ISACA)andtheITGovernanceInstitute(ITGI),theControlObjectivesforInformationandrelatedTechnology(COBIT®) providesawidelyapplicableandacceptedstandardforgoodinformationtechnologysecurityand controlpractices.COBITpresentsitselfasareferenceframeworkforITmanagers,ITconsumers, andITpractitionerswhoaudit,create,orsecureinformationsystems. AsnotedbyISACA: COBIT,issuedbytheITGovernanceInstituteandnowinitsthirdedition,isincreasingly internationally accepted as good practice for control over information, IT, and related risks.ItsguidanceenablesanenterprisetoimplementeffectivegovernanceovertheITthat ispervasiveandintrinsicthroughouttheenterprise.Inparticular,COBIT’sManagement Guidelinescomponentcontainsaframeworkrespondingtomanagement’sneedforcontrol andmeasurabilityofITbyprovidingtoolstoassessandmeasuretheenterprise’sITcapabilityforthe34COBITITprocesses.(COBIT,2005) COBITcontinuestogrowinitsnumberofadoptersandinitsinfluenceasnotedinitswideacceptanceasareferenceandasasourceofbestpracticesamongcompaniesengagedinonline commercialactivities.
74 MATTORD AND WIANT Table4.1
SummaryandComparisonofRiskAssessmentModels Model
Perceivedstrengths
NISTSP-800–30
Publiclyavailable;broadly IssuedJune2002,which Canhelpdevelop reviewedbygovernment maymakeitsomewhat orevaluatetherisk andindustry outdatedwiththe managementprocess changesintechnology andthreatstoinformation security
Perceivedweaknesses
Comments
OCTAVE
Focusesonorganizational Requiresateamof riskandstrategic, 3–5personnelwitha practice-relatedissues, broadunderstandingof balancingoperational theorganizationplus risk,securitypractices, problem-solvingability, andtechnology analyticalability,abilityto workinateam;possess leadership,andtimeto investintheprocess
Examinesorganizational andtechnology issuestoassemblea comprehensivepictureof theinformationsecurity needsofanorganization
ISO/IEC17799 andISO27001
Providesacommon basisfordeveloping organizationalsecurity standards,practices,and coordination
Thestandardisa comprehensiveand reasonablycomplex, thereforeguidance, acquiredathighcost, andisoftennecessary tohelporganizations decidewheretostart andwhatpriorities shouldbeappliedtothe implementationprocess
Thesestandardsare beingintegratedinto commonpractices, includingtheNIST
FRAAP
Ensuresinformation securityrelatedrisks tobusinessoperations areconsideredand documented
Nodocumented weaknesseswiththis model
Systems,applications, platforms,business processes,andbusiness operationsareexamined oneatatime
COBIT
Providesawidely applicableandaccepted standardforgood informationtechnology securityandcontrol practices
Areviewof31client assessmentsofCOBIT revealsnoweaknesses
Asourceofbestpractices amongcompanies engagedinE-commerce.
SummaryandComparisonofRiskAssessmentModels Table4.1summarizestheriskassessmentmodelsdiscussedaboveandprovidesasynopsisof someoftheperceivedstrengthsandweaknessesofeachmodel. Sofar,thischapterhaslookedatacross-sectionofthedominantmethodologiesinthefield ofriskassessment,saveone.Thereexistsaconsensusapproach,perhapsbestreferredtoasan industrycommonbodyofknowledge.ThisisknownastheTVAmodelforriskassessment.
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION75 Figure4.1 TheTVAModelMatrix
THETVAMODELFORRISKASSESSMENT TheTVAmodelbeginstheriskassessmentprocesswiththecreationofanorderedinventoryof theorganization’sinformationassets.Next,acomprehensivelistoftheperceivedthreatsagainst thoseassetsisdeveloped.Theinformationassetsandthreatsareorganizedintoamatrixwiththe assetlistarrangedindividuallyincolumnarformontheleftsideofthematrixandthethreatlist organizedindividuallyinarowacrossthetopofthematrix.Attheintersectionofeachoftheassetthreatpairs,thevulnerabilitiesthatareknownorsuspectedtoexistareenumerated.Thisapproach isshowninFigure4.1.Furtheruseofthemodelexamineseachvulnerabilityforitscurrentstate ofcontrolandassessesthecostsandbenefitsofadditionalrequiredcontrols. Theprecedingparagraphusedseveraltermsthatneeddefinitiontogainacompleteunderstandingofhowtheyareusedinthecontextofriskassessment.Thefollowingsectiondefinestheterms “asset,”“threat,”“vulnerability,”and“control.” Assets(orinformationassetsinthiscontext)aretheinformationordatapossessedandusedby theorganizationaswellasthesystemsthatprocess,store,andtransmitthatinformationordata. Inordertoprotecttheseassetsitisimportanttoidentifytheassets,tounderstandthevalueofthe assetstotheorganization,andtounderstandtheimpacttotheorganizationiftheassetsarelostor compromised.Someorganizationsdiscoverthattheirmostvaluableassetsaretheirinformation assets(Whitman,2005). Inthiscontext,athreatisanobject,person,orotherentitythatrepresentsaconstantdangerto anasset.Tounderstandthewiderangeofthreatsthatpervadetheinterconnectedworld,researchers haveinterviewedpracticinginformationsecuritypersonnelandexaminedinformationsecurity literatureonthreats.Whilethecategorizationsmayvary,threatsarerelativelywellresearched and,consequently,fairlywellunderstood. The2004ComputerSecurityInstitute/FederalBureauofInvestigation(CSI/FBI)Computer CrimeandSecuritySurveyisarepresentativestudythatspansmanyindustriesandorganizations. TheCSI/FBIstudyfoundthat79percentoftheorganizationsresponding(primarilylargecorpora-
76 MATTORD AND WIANT Table4.2
ThreatstoInformationSecurity Categoriesofthreat
Examples
Actsofhumanerrororfailure Compromisestointellectualproperty Deliberateactsofespionageortrespass Deliberateactsofinformationextortion Deliberateactsofsabotageorvandalism Deliberateactsoftheft Deliberatesoftwareattacks Forcesofnature Deviationsinqualityofservice Technicalhardwarefailuresorerrors Technicalsoftwarefailuresorerrors Technologicalobsolescence
Accidents,employeemistakes Piracy,copyrightinfringement Unauthorizedaccessand/ordatacollection Blackmailorinformationdisclosure Destructionofsystemsorinformation Illegalconfiscationofequipmentorinformation Viruses,worms,macros,denial-of-service Fire,flood,earthquake,lightning ISP,power,orWANserviceissuesfromserviceproviders Equipmentfailure Bugs,codeproblems,unknownloopholes Antiquatedoroutdatedtechnologies
tionsandgovernmentagencies)identifiedcybersecuritybreacheswithinthelasttwelvemonths,a numberthatisonthedecline.Thestudyalsofoundthat54percentoftheseorganizationsreported financiallosses,totalingover$141,496,560,duetocomputersecuritybreaches.Thenumberof respondentsidentifyingunauthorizedcomputerusewas53percent,downfrom56percentin2003 (Gordonetal.,2004).Itshouldbenotedthatthisstudyisdrawnfromself-selectedrespondents, manyofwhommaybereluctanttodivulgethetypeofinformationthestudycollects. ThecategorizationschemeshowninTable4.2consistsoftwelvegeneralcategoriesthatrepresentaclearandpresentdangertoanorganization’speople,information,andsystems(Whitman, 2003).Eachorganizationmustprioritizethedangersitspersonnel,information,andsystemsface basedonthreecriteria:theparticularsecuritysituationinwhichtheorganizationoperates,the organization’sstrategyregardingrisk,andtheorganization’sexposuretoriskbasedonitsoperationalenvironment.Uponreviewingtheright-handcolumnofTable4.2,onemayobservethat manyoftheexamplesofthreats(i.e.,actsorfailures)couldbelistedinmorethanonecategory. Forexample,anactoftheftperformedbyahackerfallsintothecategoryofdeliberateactsof theft,butisalsooftenaccompaniedbydefacementactionstodelaydiscoveryandthusmayalso beplacedwithinthecategoryofdeliberateactsofsabotageorvandalism. Avulnerabilityisaknown,suspected,oranticipatedweaknessinasystem,wherecontrolsare notpresentorarenolongereffective.Unlikethreats,whicharealwaysinexistence,vulnerabilities existwhenaspecificactoractioncanoccurthatmaycauseapotentialloss. Acontrol(orsafeguardorcountermeasure)isamechanismbywhichanorganizationseeksto reducethelossofvaluetoaninformationassetwhenavulnerabilityisexploited.Controlsmight consistofapolicystatement,atrainingprogram,oranimplementedtechnologythatwillavoid, mitigate,ortransferthenegativeoutcomeofthelossevent. ASSETIDENTIFICATION TheTVAmodel-buildingprocessbeginswiththeidentificationofinformationassets,including people, procedures, data and information, software, hardware, and networking elements.This shouldbedonewithoutprejudgingthevalueofeachasset.Valuesareassessedlaterintheprocess.
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION77 Table4.3
InformationAssetsUsedinSystems ITsystemcomponents People
Riskassessmentcomponents Peopleinsideanorganization Peopleoutsideanorganization
Procedures
Procedures
Data
Data/Information
Software
Software
Hardware
Hardware
Networking
Networkingcomponents
Trustedemployees Otherstaff Peopleatorganizationswetrust Strangers ITandbusinessstandardprocedures ITandbusinesssensitiveprocedures Transmission Processing Storage Applications Operatingsystems Securitycomponents Systemsandperipherals Securitydevices Intranetcomponents InternetorDMZcomponents
Table4.3suggestsanoutlineoftheassetsusuallyfoundinanITsystemandtheassociatedrisk assessmentcomponents.Notethatthisismeantasameanstogenerateanomenclatureandclassificationsystemandnottoimplythatthesecategoriesarefixedwithinindustryusage. Table4.3proposesaclassificationmodelbasedononepossibleapproach;thestandardIT systemcomponents(people,procedures,dataandinformation,software,hardware,andnetwork elements).Thiscouldbeusedtoorganizeanextendedmodelforexaminingsystemscomponents fromariskassessmentperspective.Wheninformationassetsareclassifiedinthismanner,theresult willbeadetailedbreakdownofthecomponentsthatcompriseasystem.Thefollowingsection describesthisbreakdownmorefully. Peoplearedividedintoinsiders(employees)andoutsiders(non-employees).Insiderseither holdtrustedrolesandhavecorrespondinglygreatauthorityandaccountability,ortheyareregular staff,withoutspecialprivileges.Outsidersareotheruserswhohaveaccesstotheorganization’s informationassets. Proceduresaresplitintotwocategories:ITandbusinessstandardproceduresandITandbusiness sensitiveprocedures.Sensitiveprocedureshavethepotentialtoenableanattack,ortootherwise introducerisktotheorganization.Forexample,theproceduresusedbyatelecommunications companytoactivatenewcircuitsposespecialrisksbecausetheyrevealaspectsofaninternalcritical processthatcanbesubvertedbyoutsidersforthepurposeofobtainingunbilled,illicitservices. Datacomponentsaccountforinformationinallofitsstatesoftransmission,processing,and storage.Thesestatesexpandtheconventionaluseofthetermdatafromitsusualassociationwith databasestoincludethefullrangeofinformationusedbymodernorganizations. Softwareelementscanbegroupedintooneofthreecategories:application,operatingsystems, orsecuritycomponents.Softwarecomponentsthatprovidesecuritycontrolsmayfallintooperatingsystemsorapplicationscategories,butaredifferentiatedbythefactthattheyarepartof theinformationsecuritycontrolenvironmentandmustbeprotectedmorethoroughlythanother systemscomponents. Hardwareissplitintotwocategories:theusualsystemsdeviceswiththeirperipheralitems,
78 MATTORD AND WIANT
andthedevicesthatarepartofinformationsecuritycontrolsystems.Thelattermustbeprotected morethoroughlythantheformer. Networkingcomponentsareextractedfromsoftwareandhardwarebecausenetworkingsubsystemsareoftenthefocalpointofattacksagainstasystem.Therefore,networkingcomponents shouldbeconsideredseparately,ratherthancombinedwithgeneralhardwareandsoftwarecomponents. IdentifyingPeople,Procedures,andDataAssets Humanresources,documentation,anddatainformationassetsmustalsobeidentifiedanddocumented.Responsibilityforidentifying,describing,andevaluatingtheseinformationassetsshould beassignedtomanagerswhopossessthenecessaryknowledge,experience,andjudgment.As theseassetsareidentified,theyshouldberecordedintoareliabledatahandlingprocesssuchas theoneusedforhardwareandsoftware. Therecordkeepingsystemshouldbeflexible,allowingthelinkingofassetstoattributesbased onthenatureoftheinformationassetbeingtracked.Thefollowingsectionsidentifysomebasic processesusedtoclassifyassets. IdentifyingHardware,Software,andNetworkAssets Manyorganizationsusepurchasedassetinventorysystemstokeeptrackoftheirhardware,network, andperhapssoftwarecomponents.Thereareamyriadofthesepackagesonthemarkettodayand itisuptotheCISOorCIOtodeterminewhichpackagebestservestheneedsoftheorganization. Organizationsthatdonotuseanautomatedinventorysystemmustcreateanequivalentmanual process. Whetherautomatedormanual,theinformationinventorysystemrequiresacertainamount ofplanning.Itisveryimportanttodeterminewhichoftheattributesofeachinformationasset shouldbetracked.Thiswilldependontheneedsoftheorganizationanditsriskmanagement efforts,aswellasthepreferencesandneedsoftheinformationsecurityandinformationtechnologycommunities. Whendecidingwhichattributestotrackforeachinformationasset,considertheassetattributes showninTable4.4. ClassifyingandCategorizingAssets Oncetheinitialinventoryisassembled,onemustdetermineiftheassetcategoriesitproducesare meaningfultotheorganization’sriskmanagementprogram.Suchareviewmaycausemanagers tofurthersubdividethecategoriesorcreatenewcategoriesthatmoreadequatelymeettheneeds oftheriskmanagementprogram. Thenextstepintheriskassessmentprocesswilladdinformationtoreflectthesensitivityand securityprioritytobegiventoeachinformationassettotheinventory. AssessingValuesforInformationAssets Aseachinformationassetisidentified,categorized,andclassified,arelativevaluemustalsobe assigned.Relativevaluesarecomparativejudgmentsmadetoensurethatthemostvaluableinformationassetsaregivenprioritywhenmanagingrisk.Itmaybeimpossibletoknowinadvance—in
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION79 Table4.4
AssetAttributes Name
Listallnamescommonlyusedforthedeviceorprogram
Function
Identifytheprimaryandallsecondarypurposesoftheasset
IPaddress
Usefulfornetworkandserverdevicesinstaticaddressingsettings—does notusuallyapplytosoftware
MACaddress
Alsocalledanelectronicserialnumberorhardwareaddresssinceall networkinterfacehardwaredeviceshaveauniqueassignednumber
Assettype
Describesthefunctionofeachasset
Serialnumber
Uniquelyidentifiesaspecificdevice.Somesoftwarevendorsalsoassign asoftwareserialnumbertoeachinstanceoftheprogramlicensedbythe organization
Manufacturer’sname
Canbeusefulwhenanalyzingthreatoutbreakswhencertain manufacturersannouncespecificvulnerabilities
Manufacturer’smodel orpartnumber
Identifiesexactlywhattheassetis,whichcanbeveryusefulinlater analysisofvulnerabilities,sincesomeonlyapplytospecificmodelsof certaindevicesand/orsoftwarecomponents
VersionorFCO number
Keepscurrentinformationaboutsoftwareandfirmwareversionsand,for hardwaredevices,thecurrentfieldchangeorder(FCO)number
Physicallocation
Maynotapplytosoftwareelements,butsomeorganizationsmayhave licensetermsthatindicatewheresoftwarecanbeused
Logicallocation
Specifieswhereanassetcanbefoundontheorganization’snetwork
Controllingentity
Identifieswhichorganizationalunitcontrolstheasset
Dependencies
Identifieswhichotherinformationassetsareinterdependentwiththisasset
economicterms—whatlosseswillbeincurredifanassetiscompromised;however,arelative assessmenthelpstoassurethathigher-valueassetsareprotectedfirst. Aseachinformationassetisassignedtoitspropercategory,posingthefollowingquestionscan helpdeveloptheweightingcriterianeededforinformationassetvaluationorimpactevaluation. Onecanuseaworksheet,suchastheoneshowninFigure4.2,tocollecttheanswersforlater analysis.Theimpactevaluationquestionsare: • • • • • •
Whichinformationassetisthemostcriticaltothesuccessoftheorganization? Whichinformationassetgeneratesthemostrevenue? Whichinformationassetgeneratesthemostprofitability? Whichinformationassetisthemostexpensivetoreplace? Whichinformationassetisthemostexpensivetoprotect? Whichinformationasset’slossorcompromisewouldbethemostembarrassingorcausethe greatestliability?
Thereareotherorganization-specificquestionsuniquelyapplicabletoyourorganizationthatyou mayneedtoidentifyandaddtotheevaluationprocess.
80 MATTORD AND WIANT Figure4.2 SampleAssetClassificationWorksheet AnyCompany,Inc.InformationAssetDataCollectionWorksheet SystemName:_______________________________________________________________________ DateEvaluated:___________________ NameofEvaluator:___________________________________________________________________ Information AssetType
Description
Data Classification
Impactto Profitability
Hardware
ApplicationServer#AS489
Confidential
Medium
Network
Router#R67
Confidential
High
Data
ApplicationSupportDownloadsviaFTPserver
Public
Low
Software
NavahoWebServeron#AS489
Conficential
Medium
Data
CustomerServiceRequestsviaEmail
Private
Medium
Data
EDIOrdersfromtradingpartnersforAnyCo. Fulfillment
Confidential
High
ListingAssetsinOrderofImportance ThefinalstepinthepreparationoftheassetdimensionoftheTVAmodelistolisttheassetsin orderofimportance.Thiscanbeachievedbyusingaweightedfactoranalysisworksheetsimilar totheoneshowninTable4.5.Inthisprocess,eachinformationassetisassignedascoreforeach criticalfactor.Table4.5usestheNISTSP800–30recommendedvaluesof0.1to1.0.(Yourorganizationmaychoosetouseanotherweightingsystem.)Eachcriterionhasanassignedweight, showingitsrelativeimportanceintheorganization. Itisnotexpectedthatanyindividualwillbecapableofprovidingtheassessmentofrelative weightforallofanorganization’sassets.Thisprocessisbestaccomplishedbywell-structured groups,workinginacollaborativeenvironmentwithadequatefeedbackbetweenandamongthe groupsandindividualsinvolvedintheprocess. AquickreviewofTable4.5showsthatthecustomerorderviaSSL(inbound)dataflowisthe mostimportantassetonthisworksheet,andthattheEDIDocumentSet2—Supplierfulfillment advice(inbound)istheleastcritical. ThreatIdentification TocontinuethedevelopmentoftheTVAmodel,theseconddimension,thatofthreats,willbe addedtothefirstdimension,theinformationassetsoftheorganization.Theultimategoalofrisk identificationistoassessthecircumstancesandsettingofeachinformationassettorevealany potentialforloss.Withaproperlyclassifiedinventory,onecanassesspotentialweaknessesin eachinformationasset.Thisprocessisknownasthreatidentification. Anyorganizationtypicallyfacesawidevarietyofthreats.Ifoneassumeseverythreatcanand willattackeveryinformationasset,theprojectscopebecomestoocomplex.Tomaketheprocess manageable, each step in the threat identification and vulnerability identification processes is managedseparatelyandthencoordinatedattheend.Ateverystepthemanageriscalleduponto exercisegoodjudgmentanddrawonexperiencetomaketheprocessfunctionsmoothly.
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION81 Table4.5
ExampleWeightedFactorAnalysisWorksheet
Informationasset Criterionweight(1–100)—musttotal100 EDIDocumentset1—logisticsBOLto outsourcer(outbound) EDIDocumentset2—supplierorders (outbound) EDIDocumentset2—supplierfulfillment advice(inbound) CustomerorderviaSSL(inbound) Customerservicerequestviae-mail (inbound)
Criteria1: Impactto revenue
Criteria2: Impactto profitability
Criteria3: Publicimage impact
Weighted score
30 0.8
40 0.9
30 0.5
75
0.8
0.9
0.6
78
0.4
0.5
0.3
41
1.0 0.4
1.0 0.4
1.0 0.9
100 55
Notes: EDI=ElectronicDataInterchange SSL=SecureSocketsLayer
IdentifyandPrioritizeThreats Twelvecategoriesofthreatstoinformationsecurityhavebeenidentified(Whitman,2003),as shownearlierinTable4.2.Eachofthesethreatspresentsauniquechallengetoinformationsecurityandmustbehandledwithspecificcontrolsthatdirectlyaddresseachthreatandthethreat agent’sattackstrategy.Butbeforethreatscanbeassessedintheriskidentificationprocess,each threatmustbefurtherexaminedastoitspotentialtoimpactonthetargetedinformationasset.In general,thisisreferredtoasathreatassessment.Posingthefollowingquestionscanclarifythe threatanditspotentialimpactonaninformationasset: • Whichthreatspresentadangertotheorganization’sinformationassetsinitscurrent environment? • Whichthreatsrepresentthemostdangertotheorganization’sinformationassets? • Howmuchwoulditcosttorecoverfromasuccessfulattack? • Whichthreatswouldrequirethegreatestexpendituretoprevent? Thislistofquestionsmaynotcovereverythingthataffectsriskidentification.Anorganization’s specificguidelinesorpoliciesshouldinfluencetheprocessandrequiretheposingofadditional questions. VulnerabilityIdentification AstheTVAmodel’smatrixbeginstotakeshape,nowhavingthetwodimensionsofAssetsand Threats,thethirddimensionisadded.Thisdimensioniscreatedbyidentifyingthevulnerabilities posedtoeachasset-threatpair.Havingidentifiedtheinformationassetsoftheorganizationand documentedthethreatsposedtotheorganization,onecanbegintorevieweachinformationassetforthevulnerabilitiesthatmayexistforeachpair.Eachpairwillbedeterminedtohavezero,
82 MATTORD AND WIANT Table4.6
ExampleofaVulnerabilityAssessmentforaDMZRouter Threat
Possiblevulnerabilities
Deliberatesoftwareattacks
Internetprotocolisvulnerabletodenial-of-serviceattack OutsiderIPfingerprintingactivitiescanrevealsensitive informationunlesssuitablecontrolsareimplemented
Actofhumanerrororfailure
Employeesorcontractorsmaycauseoutageif configurationerrorsaremade
Technicalsoftwarefailuresorerrors
Vendor-suppliedroutingsoftwarecouldfailandcausean outage
Technicalhardwarefailuresorerrors
Hardwarecanfailandcauseanoutage Powersystemfailuresarealwayspossible
Qualityofservicedeviationsfromservice Unlesssuitableelectricalpowerconditioningisprovided, providers failureisprobableovertime Deliberateactsofespionageortrespass Routerhaslittleintrinsicvalue,butotherassets protectedbythisdevicecouldbeattackedifitis compromised Deliberateactsoftheft
Routerhaslittleintrinsicvalue,butotherassets protectedbythisdevicecouldbeattackedifitis compromised
Deliberateactsofsabotageorvandalism Internetprotocolisvulnerabletodenial-of-serviceattacks Devicemaybesubjecttodefacementorcache poisoning Technologicalobsolescence
Ifnotreviewedandperiodicallyupdated,thedevicemay falltoofarbehinditsvendorsupportmodeltobekeptin service
Forcesofnature
Allinformationassetsintheorganizationaresubjectto forcesofnatureunlesssuitablecontrolsareprovided
Compromisestointellectualproperty
Routerhaslittleintrinsicvalue,butotherassets protectedbyitcouldbeattackedifitiscompromised
Deliberateactsofinformationextortion
Routerhaslittleintrinsicvalue,butotherassets protectedbyitcouldbeattackedifitiscompromised
one,ormorevulnerabilities.Thecellformedbytheintersectionofeachassetforeachthreatwill containthislistofidentifiedvulnerabilitiesforeachpair. Asnotedabove,vulnerabilitiesarespecificfaultsinasystemthatanyspecificthreatcanexploit tocausealossforaninformationasset.Theyarechinksinthearmor—aflaworweaknessrelated toaninformationasset,securityprocedure,design,orcontrolthatcanbeexploitedintentionally orunintentionallytobreachsecurity.Table4.6presentsanexampleanalysisofthethreatsto,and possiblevulnerabilitiesof,aDMZrouter. AlistliketheonepresentedinTable4.6mustbecreatedforeachinformationassettodocument howeachofpossibleorlikelythreatcouldbeperpetrated.Thislistisusuallylongandshowsall ofthemanyvulnerabilitiesoftheinformationassetfromacrossallofthethreatcategories.Some
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION83 Figure4.3 RiskIdentificationEstimateFactors RISK
Likelihood of the occurence of a vulnerabilty
X
Value of the information Asset
–
Percentage of risk mitigated by the current controls
+
Uncertainty of the current knowledge of the vulnerability
threatsmanifestthemselvesinmultipleways,yieldingmultiplevulnerabilitiesforthatasset-threat pair.Theprocessoflistingvulnerabilitiesissomewhatsubjectiveandisbasedontheexperience andknowledgeofthepeoplecreatingthelist.Therefore,theprocessworksbestwhengroupsof peoplewithdiversebackgroundsworktogetherinaseriesofbrainstormingsessions.Forinstance, theteamthatreviewsthevulnerabilitiesfornetworkingequipmentshouldincludethenetworking specialists,thesystemsmanagementteamthatoperatesthenetwork,theinformationsecurityrisk specialist,andeventechnicallyproficientusersofthesystem. Attheendoftheprocess,alistofassetsandtheirvulnerabilitieshasbeendeveloped.Thislist isthestartingpoint(withitssupportingdocumentationfromtheidentificationprocess)forthe nextstep,riskassessment. Assessingtherelativeriskforeachvulnerabilityisaccomplishedinaprocesscalledriskassessment.Riskassessmentassignsariskratingorscoretoeachspecificvulnerability.Whilethis numberdoesnotmeananythinginabsoluteterms,itenablesonetogaugetherelativeriskposed byeachvulnerableinformationassetandfacilitatesthecreationofcomparativeratingslaterin theriskcontrolprocess. AssessingRisk Thefourfactorsthatgointotherisk-ratingestimateforeachofthevulnerabilitiesare(1)the likelihoodoftheoccurrenceofavulnerability,multipliedby(2)thevalueoftheinformationasset,minus(3)thepercentageofriskmitigatedbythecurrentcontrols,plus(4)theuncertaintyof currentknowledgeofthevulnerability(seeFigure4.3.) Thegoalistocreateamethodtoevaluatetherelativeriskofeachofthelistedvulnerabilities.Thenextsectiondescribesthefactorsthatareusedtocalculatetherelativeriskforeach vulnerability. Likelihood Likelihoodistheoverallrating—anumericvalueonadefinedscale—oftheprobabilitythataspecificvulnerabilitywillbeexploited.NISTrecommendsinSpecialPublication800–30(Stoneburner etal.,2002)thatvulnerabilitiesbeassignedalikelihoodratingbetween0.001(low)and1.0(high). Forexample,thelikelihoodofanemployeeorsystembeingstruckbyameteoritewhileindoors wouldberated0.001,whilethelikelihoodofreceivingatleastonee-mailcontainingavirusor worminthenextyearwouldberated1.0.Onecouldalsochoosetouseanumberbetween1and 100,butnotzero,sincevulnerabilitieswithzerolikelihoodhavealreadybeenremovedfromthe asset/vulnerabilitylist. Anumberofratingmechanismshavebeennotedintheindustry.Onemethodforassessing likelihoodcomesfromBruceSchneier,whoproposesamechanismhereferstoasattacktrees,
84 MATTORD AND WIANT
whichinvolvelayereddefensesandthesequenceofdependenciesbetweeninformationassets.As describedbySchneier“attacktreesprovideaformal,methodicalwayofdescribingthesecurity ofsystems,basedonvaryingattacks.Basically,yourepresentattacksagainstasysteminatree structure,withthegoalastherootnodeanddifferentwaysofachievingthatgoalasleafnodes” (Schneier,2005). Whateverratingsystemonechoosesforassigninglikelihood,useprofessionalism,experience, andjudgmentandusethemconsistently.Wheneverpossible,useexternalreferencesforlikelihood values,afterreviewingandadjustingthemforyourspecificcircumstances.Manyasset/vulnerability combinationshavesourcesforlikelihood,forexample: • Thelikelihoodofafirehasbeenestimatedactuariallyforeachtypeofstructure. • Thelikelihoodthatanygivene-mailwillcontainavirusorwormhasbeenresearched. • Thenumberofnetworkattackscanbeforecastdependingonhowmanynetworkaddresses theorganizationhasassigned. AssetValuation Earlier,weightedscoresforthevalueofeachinformationassetwereassessed.Ifthevaluesthat wereassignedtotheassetsarestillmeaningfulandperceivedtobeaccurate,theyareacomponent intheriskestimationprocedure.Ifthevaluesneedtoberevised,revisittheprocessusedintheir initialcreationandupdatethevaluations. PercentageofRiskMitigatedbyCurrentControls Ifavulnerabilityisfullymanagedbyanexistingcontrol,itcanbesetaside.Ifitispartiallycontrolled,estimatewhatpercentageofthevulnerabilityhasbeencontrolled. Uncertainty Itisnotpossibletoknoweverythingabouteveryvulnerability,suchashowlikelyitistooccuror howgreatanimpactasuccessfulattackwouldhaveontheorganization.Thedegreethatacurrent controlcanreduceriskisalsosubjecttoestimationerror.Afactortoallowforuncertaintymust beaddedtotheequation.Thisfactorisanestimatemadebythemanagerusinggoodjudgment andexperience. RiskDetermination TheobjectiveofthispartoftheTVAmodelprocessistodeterminearelativeriskratingscorefor eachidentifiedvulnerability.Whilethenumbersusedmayappeararbitraryandshouldnotbeused inanywaytogenerateabsolutelossestimates,theycanbeusedtocomparethebestestimatesofthe relativeimpactofavulnerabilitywhenitcomesintoplayagainstaspecificinformationasset. Forexample: • InformationassetAhasavaluescoreof50andhasonevulnerability:Vulnerability1hasa likelihoodof1.0withnocurrentcontrols;oneestimatesthatassumptionsanddataare90 percentaccurate. • InformationassetBhasavaluescoreof100andhastwovulnerabilities:Vulnerability2has
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION85
alikelihoodof0.5withacurrentcontrolthataddresses50percentofitsrisk;Vulnerability 3hasalikelihoodof0.1withnocurrentcontrols.Oneestimatesthatassumptionsanddata are80percentaccurate. Theresultingrankedlistofriskratingsforthethreevulnerabilitiesis: • AssetA:Vulnerability1ratedas55=(50×1.0)—0%+10% • AssetB:Vulnerability2ratedas35=(100×0.5)—50%+20% • AssetB:Vulnerability3ratedas12=(100×0.1)—0%+20% IdentifyPossibleAdditionalControls Foreachthreatanditsassociatedvulnerabilitiesthathaveresidualrisk,createapreliminarylistofcontrolideas.Residualriskistheriskthatremainsevenaftertheexistingcontrolhasbeenapplied. Controls,safeguards,andcountermeasuresaretermsforsecuritymechanisms,policies,and procedures. These mechanisms, policies, and procedures counter attacks, reduce risk, resolve vulnerabilities, and otherwise improve the general state of security within an organization. In general,controlsareconsideredpreventiveordetective.Controlsthatseektokeepriskfromloss fromaffectingtheenvironmentarepreventativecontrols.Controlsthatseektodetermineifand whenlossesareoccurringaredetectivecontrols. There are three general categories of controls: policies, programs, and technical controls. Programsareclustersofactivitiesperformedwithintheorganizationtoimprovesecurity.These includesecurityeducation,training,andawarenessprogramsaswellasvariousenforcementand complianceprogramsthatmaybeundertaken.Securitytechnologiesaremanifestedintheimplementationsoftechnologysystemsthatareintegralto,oroverlay,theinformationsystemsofthe organizationandareusedtoimplementthepoliciesdefinedbytheorganization. RiskControlStrategies Whenanorganization’sgeneralmanagementdeterminesthatrisksfrominformationsecuritythreats arecreatingacompetitivedisadvantage,itempowerstheinformationtechnologyandinformation securitycommunitiesofinteresttocontroltherisks.Oncetheprojectteamforinformationsecurity developmenthascreatedtherankedvulnerabilityworksheet,theteammustchooseoneoffourbasic strategiestocontroltheremaining,uncontrolledrisksthatresultfromthesevulnerabilities: • Avoidance/Prevention:applyingsafeguardsthateliminateorreducetheremaininguncontrolledrisksforthevulnerability • Transference:shiftingtherisktootherareasortooutsideentities • Mitigation:reducingtheimpactshouldthevulnerabilitybeexploited • Acceptance: understanding the consequences and accepting the risk without control or mitigation Avoidance/Prevention Avoidanceistheriskcontrolstrategythatattemptstopreventtheexploitationofthevulnerability. Thisisthepreferredapproach,asitseekstoavoidriskratherthandealingwithitafterithasbeen realized.Avoidanceisaccomplishedthrough:
86 MATTORD AND WIANT
• • • •
Applicationofpolicy Applicationoftrainingandeducation Counteringthreats Implementationoftechnicalsecuritycontrolsandsafeguards
ApplicationofPolicy.Asdiscussedelsewhere,theapplicationofpolicyallowsalllevelsof managementtomandatethatcertainproceduresarealwaystobefollowed.Forexample,ifthe organizationneedstocontrolpasswordusemoretightly,itcanimplementapolicyrequiringpasswordsonallITsystems.Notethatpolicyalonemaynotbeenough,andeffectivemanagement alwayscoupleschangesinpolicywiththetrainingandeducationofemployees,oranapplication oftechnology,orboth. ApplicationofTrainingandEducation.Communicatinganeworrevisedpolicytoemployees maynotbeadequatetoassurecompliance.Awareness,training,andeducationareessentialto creating a safer and more controlled organizational environment and achieving the necessary changesinend-userbehavior. CounteringThreats.Riskscanbeavoidedbycounteringthethreatsfacinganassetandby eliminatingitsexposuretothreats.Eliminatingathreatisdifficultbutpossible.Forexample, whenanorganizationbecomessusceptibletocyberactivismorhacktivism(theuseofcomputerrelatedtechnologiestoadvanceapoliticalagenda),itmusttakestepstoavoidpotentialattacks. Recently McDonald’s Corporation sought to reduce risks to its image by imposing stricter conditionsoneggsuppliersregardingthehealthandwelfareofchickens(Greenberg,2002). Thishadbeenasourceofcontentionbetweenanimalrightsactivistsandthecorporationfor manyyears.Thisstrategy,alongwithotherchangesmadebyMcDonald’s,hasledtoimproved relationshipswithanimalrightsactivists,whichhasreducedthecompany’sexposuretothe riskfromcyberactivism. ImplementationofTechnicalSecurityControlsandSafeguards.Intheeverydayworldofinformationsecurity,technicalsolutionsareoftenrequiredtoassurethatriskisreduced.Forexample, systemsadministratorscanconfiguresystemstousepasswordswherepolicyrequiresthemand wheretheadministratorsarebothawareoftherequirementandtrainedtoimplementit. Transference Transferenceisthecontrolapproachthatattemptstoshifttherisktootherassets,otherprocesses, orotherorganizations.Thismaybeaccomplishedbyrethinkinghowservicesareoffered,revising deploymentmodels,outsourcingtootherorganizations,purchasinginsurance,orbyimplementing servicecontractswithproviders.Oneofthemostvisibleoutcomesofatransferencestrategyisto transformthevariablenatureofthecostsfortheseriskstoamorestable,fixedcost. InthepopularbookInSearchofExcellencemanagementconsultantsTomPetersandRobert Watermanpresentaseriesofcasestudiesofhigh-performingcorporations,andassertthatone oftheeightcharacteristicsofexcellentorganizationsisthatthey“sticktotheirknitting.They stay reasonably close to the business they know” (Peters andWaterman, 1982).What does thismean?ItmeansthatKodakfocusesonthemanufactureofphotographicequipmentand chemicals,whileGeneralMotorsfocusesonthedesignandconstructionofcarsandtrucks. Neithercompanyspendsstrategicenergiesonthetechnologyofdevelopingofwebsites.They
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION87
focusenergyandresourcesonwhattheydobestwhilerelyingonconsultantsorcontractors forothertypesofexpertise. Theselessonsshouldbetakentoheartwheneveranorganizationbeginstoexpanditsoperations, includinginformationandsystemsmanagement,andeveninformationsecurity.Ifanorganization doesnothavequalitysecuritymanagementandadministrationexpertise,itshouldhireindividualsorfirmsthatprovidesuchcapabilities.Forexample,manyorganizationswantWebservices, includingWebpresences,domainnameregistration,anddomainandWebhosting.Ratherthan implementingtheirownservers,andhiringtheirownWebmasters,Websystemsadministrators, andevenspecializedsecurityexperts,savvyorganizationshireanISPoraWebconsultingorganization.Thisallowstheorganizationtotransfertheriskassociatedwiththemanagementof thesecomplexsystemstoanotherorganizationthathasexperienceindealingwiththoserisks. Asidebenefitofspecificcontractarrangementsisthattheproviderisresponsiblefordisaster recoveryand,throughservicelevelagreements,forguaranteeingserverandwebsiteavailability. AsnotedbyBoyceandJennings,“Assomeorganizationsrealizethedifficultyofkeepingtrained andqualifiedIAstaff,thedemandforoutsourcingmanagedsecurityserviceshasgrown”(Boyce andJennings,2002). Outsourcing,however,itnotwithoutitsownrisks.Itisuptotheowneroftheinformation asset, IT management, and the information security team to ensure that the disaster recovery requirementsoftheoutsourcingcontractaresufficientandhavebeenmetbeforetheyareneeded forrecoveryefforts.Iftheoutsourcerhasfailedtomeetthecontractterms,theconsequencesmay befarworsethanexpected. Mitigation Mitigationisthecontrolledapproachthatattemptstoreduce,bymeansofplanningandpreparation,thedamagecausedbytheexploitationofavulnerability.Itismostoftenaccomplishedin conjunctionwithotherstrategiestopreparefortheresidualrisksthatremainafterothercontrol mechanismsareimplemented.Itispossibleformitigationtobetheexclusivestrategyundertakenfor somerisks,butthatisnotviewedasagoodpracticeunlessveryspecialcircumstancesapply. Themitigationstrategyinvolvesthreetypesofplans:thedisasterrecoveryplan(DRP),incident responseplan(IRP),andbusinesscontinuityplan(BCP).Mitigationdependsupontheabilityto detectandrespondtoanattackasquicklyaspossible. Table4.7summarizeseachofthethreetypesofmitigationplans,includingcharacteristics andexamples. Acceptance Asdescribedabove,mitigationisacontrolapproachthatattemptstoreducetheimpactofan exploitedvulnerability.Incontrast,acceptanceofriskisthechoicetodonothingtoprotectan informationassetandtoaccepttheoutcomefromanyresultingexploitation.Thismayormaynot beaconsciousbusinessdecision.Theonlyuseoftheacceptancestrategythatindustrypractices recognizeasvalidoccurswhentheorganizationhasdonethefollowing: • Determinedthelevelofriskposedtotheinformationasset • Assessed the probability of attack and the likelihood of a successful exploitation of a vulnerability • Approximatedtheannualrateofoccurrenceoftheexploit
88 MATTORD AND WIANT Table4.7
MitigationPlanSummaries Plan
Description
Example
Incidentresponse planning(IRP)
Actionsan organizationtakes duringincidents (attacks)
Listofstepsto Asincidentor betakenduring disasterunfolds disaster;intelligence gathering; informationanalysis
Disasterrecovery plan(DRP)
Preparationsfor recoveryshould adisasteroccur; strategiestolimit lossesbeforeand duringdisaster; step-by-step instructionsto regainnormalcy
Proceduresforthe Immediatelyafter Short-term theincidentis recovery recoveryoflost data;proceduresfor labeledadisaster thereestablishment oflostservices; shut-down proceduresto protectsystemsand data
Businesscontinuity planning(BCP)
Stepstoensure continuationofthe overallbusiness whenthescaleof adisasterexceeds theDRP’sabilityto restoreoperations
Preparationsteps foractivation ofsecondary datacenters; establishmentofa hot-siteinaremote location
• • • •
Whendeployed
Immediately afterthedisaster isdetermined toaffectthe continued operationsofthe organization
Timeframe Immediate andreal-time reaction
Long-term
Estimatedthepotentiallossthatcouldresultfromattacks Performedathoroughcost-benefitanalysis Evaluatedcontrolsusingeachappropriatetypeoffeasibility Decidedthattheparticularfunction,service,information,orassetdidnotjustifythecostof protection
Thiscontrol,orratherlackofcontrol,assumesthatitmaybeaprudentbusinessdecisionto examinethealternativesandconcludethatthecostofprotectinganassetdoesnotjustifythe securityexpenditure.Forexample,sayitwouldcostanorganization$100,000peryeartoprotect aserver.Thesecurityassessmentdeterminedthatfor$10,000itcouldreplacetheinformation containedintheserver,replacetheserveritself,andcoverassociatedrecoverycosts.Therefore, managementmaybesatisfiedwithtakingitschancesandsavingthemoneythatwouldbespent onprotectingthisparticularasset. Notethatifeveryriskoflossanorganizationidentifiesishandledthroughacceptance,itmay reflectaninabilitytoconductproactivesecurityactivitiesandanapatheticapproachtosecurity ingeneral.Itisnotacceptableforanorganizationtoassumethepolicythatignoranceisblissand hopetoavoidlitigationbypleadingignoranceoftherequirementsofprotectingemployees’and customers’information.Itisalsounacceptableformanagementtohopethatifitdoesnottryto protectinformation,theoppositionwillimaginethatthereislittletobegainedbyanattack.The risksfaroutweighthebenefitsofthisapproach,whichusuallyendsinregret,astheexploitation ofthevulnerabilitiescausesaseeminglyunendingseriesofinformationsecuritylapses.
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION89 Figure4.4 RiskHandlingActionPoints
Nowthatthefourstrategiesthatareusedtocontrolriskareexplained,thenextstepintheprocessis theselectionoftheproperstrategytodefendthespecificvulnerabilityofaspecificinformationasset. RiskControlStrategySelection Riskcontrolinvolvesselectingoneofthefourriskcontrolstrategiesforthevulnerabilitiespresentwithintheorganizationinformedbytheriskassessmentthathasbeenpreparedforinformationassetsinquestion.Figure4.4illustratestheprocessofdecidingamongthefourstrategies. Asshowninthisflowchart,aftertheinformationsystemisdesigned,onemustaskwhetherthe systemhasvulnerabilitiesthatcanbeexploited.Iftheanswerisyes,andaviablethreatexists, examinewhatanattackerwouldgainfromasuccessfulattack.Then,estimatetheexpectedloss theorganizationwillincurifthevulnerabilityissuccessfullyexploited.Ifthislossiswithinthe rangeoflossestheorganizationcanabsorb,oriftheattacker’sgainislessthantheexpectedcosts oftheattack,theorganizationmaychoosetoaccepttherisk.Otherwise,oneoftheothercontrol strategieswillhavetobeselected. Forfurtherguidance,somerulesofthumbonstrategyselectionarepresentedbelow. • Whenweighingthebenefitsofthesedifferentstrategies:Keepinmindthatthelevelofthreat andthevalueoftheassetshouldplayamajorroleinstrategyselection. • Whenavulnerability(flaworweakness)exists:Implementsecuritycontrolstoreducethe likelihoodofavulnerabilitybeingexploited.
90 MATTORD AND WIANT Figure4.5 RiskControlCycle
Identify information assets
Prepare ranked vulnerability risk worksheet
Develop control strategy and plan
Implement control
Plan for maintenance
Assess control
Measure risk to information asset
Adequate controls?
Yes Acceptable risk?
Yes
No No
• Whenavulnerabilitycanbeexploited:Applylayeredprotections,architecturaldesigns,and administrativecontrolstominimizetheriskorpreventoccurrence. • Whentheattacker’sperceivedgainisgreaterthanthecostsofattack:Applyprotectionsto increasetheattacker’sperceptionofcost,orreducetheattacker’sperceptionofgain,using technicalormanagerialcontrols. • Whenpotentiallossissubstantial:Applydesignprinciples,architecturaldesigns,andtechnical andnontechnicalprotectionstolimittheextentoftheattack,therebyreducingthepotential forloss(Stoneburneretal.,2002). Evaluation,Assessment,andMaintenanceofRiskControls Onceacontrolstrategyhasbeenselectedandimplemented,theeffectivenessofcontrolsshould bemonitoredandmeasuredonanongoingbasistodetermineitseffectivenessandtheaccuracy oftheestimateoftheriskthatwillremainafterallplannedcontrolsareinplace.Figure4.5shows howthiscyclicalprocessiscontinuouslyusedtoassurerisksarecontrolled. EXTENDINGTHETVAMATRIX At this point in the description of theTVA model you have developed its matrix in three dimensions (see Figure 4.2). The first dimension is that of the organization’s information assets(A1,A2,A3,...An).Theseconddimensionisthatofthethreatsfacingtheorganization(T1,T2,T3,...Tn).Thethirddimensionisthatofthevulnerabilitiesthatexistforeach threat-assetpair(V1,V2,V3,...Vn). PlanningforFutureControls ThenextstepintheTVAmodelapproachtoriskassessmentistodevelopthecontrolsthatexist orareidentifiedaspossibleimprovementsforeachofthevulnerabilitiesidentifiedinthematrix.
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION91
This process consists of identifying current or anticipated deficiencies, researching possible controlstoaddressthosedeficiencies,andplanningthestepsusedtoselectandthenjustifythe additionalcontrols. IdentifyingCurrentorAnticipatedDeficienciesinControls Itisnecessarytohaveaprocessforidentifyinggapsinthecontrolofvulnerabilities.Anysuch processshouldidentifythecurrentoranticipateddeficienciesincontrols,includingsituations thathavenoexistingcontrols.Attheendofthisprocessalistofalldeficienciesinthecontrol environmentthatposeariskoflosstotheorganizationshouldbeidentified,andinitialoptions forremedyingthedeficienciesshouldbeidentified,. DevelopingthePossibleControlsList Thedeficiencylist,includingvulnerabilitieswherenocontrolscurrentlyexist,nowneedstobe usedtodevelopalistofcandidatecontrols.Thislistofcontrolimprovementswillserveasthe basisforthestepsthatfollowtoestimatecontrolcost,benefitsfromimplementingthecontrol concept,andthecorrelationoftheeffectofvariouscontrolsacrossmultiplevulnerabilities.Itis importanttorecognizethattheprocessdescribedhereisolatesthethreat-assetpairsandyieldslists ofvulnerabilitiesthatmaybecontrollablebycommoncontrolpolicies,strategies,ortechnologies. Thiscross-vulnerabilitysynergyofcontrolswillbecomeanimportantpartofthejustification processasonemovesforward. SelectingandJustifyingPossibleControls Thereareseveralwaystodeterminetheadvantageofaspecificcontrolorgroupofcontrols.The primarymeansistodeterminethevalueoftheinformationassetsthatitisdesignedtoprotect andassignthatassetadollaramountofbenefitforitsbeingprotected.Thiscanthenbecompared withthecostsofprovidingthecontrol.Thisis,however,nottheonlymethodofjustification.Itis truethatthebusinesscommunityoftenfavorstheuseofquantitativeassessmenttechniqueseven whenthereisahighdegreeofuncertaintyintheestimatesthatgointothecalculations.Thereis alsoanextensivefieldofqualitativeassessmenttechniquesforjustifyingvariouscontrolstrategies andtechnologies.Bothmethodsarediscussedinthesectionsthatfollow. Therearealsomanywaystodeterminethedisadvantagesassociatedwithspecificriskcontrols. Thefollowingsectionsdiscusssomeofthemorecommonlyusedtechniquesformakingthesechoices. Someofthesediscussionsinvolvedollarexpensesandsavingsimpliedfromeconomiccostavoidance,andotherdiscussionsdealwithnoneconomicfeasibilitycriteria.Costavoidanceisthemoney savedbyavoiding,viatheimplementationofacontrol,thefinancialimpactofanincident. Cost-BenefitAnalysis(CBA) Thecriterionmostcommonlyusedwhenevaluatingaprojectthatimplementsinformationsecurity controlsandsafeguardsiseconomicfeasibility.Whiletheremaybeanumberofalternativesthat solveaparticularproblem,theymaynotallhavethesameeconomicfeasibility.Mostorganizations canspendonlyareasonableamountoftimeandmoneyoninformationsecurity,andthedefinitionofreasonablevariesfromorganizationtoorganization,andevenfrommanagertomanager. Organizationsareurgedtobeginacost-benefitanalysisbyevaluatingtheworthoftheinforma-
92 MATTORD AND WIANT
tionassetstobeprotectedandthelossinvalueifthoseinformationassetsarecompromisedby theexploitationofaspecificvulnerability.Itisonlycommonsensethatanorganizationshould notspendmoretoprotectanassetthanitisworth.Thisdecision-makingprocessiscalledacostbenefitanalysisoraneconomicfeasibilitystudy. Justasitisdifficulttodeterminethevalueofinformation,itisdifficulttodeterminethecost ofsafeguardingit.Someoftheitemsthataffectthecostofacontrolorsafeguardinclude: • Costofdevelopmentoracquisitionofhardware,software,andservices • Trainingfees(costtotrainpersonnel) • Cost of implementation (installing, configuring, and testing hardware, software, and services) • Servicecosts(vendorfeesformaintenanceandupgrades) • Costofmaintenance(laborexpensetoverifyandcontinuallytest,maintain,andupdate) Benefitisthevaluetotheorganizationofusingcontrolstopreventlossesassociatedwithaspecific vulnerability.Thebenefitisusuallydeterminedbyvaluingtheinformationassetorassetsexposed bythevulnerabilityandthendetermininghowmuchofthatvalueisatriskandhowmuchriskthere isfortheasset.Thisisexpressedastheannualizedlossexpectancy,whichisdefinedbelow. Itisoftennecessarytoassessthevalueofaninformationassettodeterminehowmuchbenefit canbeachievedbyimplementingacontrol.Asdiscussedearlier,assetvaluationistheprocess ofassigningvalueorworthtoeachinformationasset.Inthiscontext,thevalueorworthmustbe expressedinfinancialterms.Somearguethatitisvirtuallyimpossibletoaccuratelydetermine thetruefinancialvalueofinformationandinformation-bearingassets.Perhapsthisisonereason whyinsuranceunderwriterscurrentlyhavenodefinitivevaluationtablesforassigningworthto informationassets. Assessingthevalueofinformationassetsisamongthemostchallengingactivitiesintheinformationsecurityprogram.Thevaluationprocessinvolvesestimationoftherealandperceivedcosts associatedwiththeinformationassetbeingassessed.Thismayincludethedesign,development, installation,maintenance,protection,recovery,anddefenseagainstlossandlitigationincurredin placingtheassetintoservice.Themeasuredcostsorestimatesforthesefactorsarecomputedfor everysetofinformation-bearingsystemsorinformationassets.Somecomponentcostsaresimple todetermine,suchasthecosttoreplaceanetworkswitchorthehardwareneededforaspecific classofserver.Othercostsarealmostimpossibletoaccuratelydetermine,suchasthedollarvalue ofthelossinmarketshareifinformationonnewproductofferingswerereleasedprematurelyand acompanylostitscompetitiveadvantage.Afurthercomplicationisthevaluethatsomeinformationassetsacquireovertimethatisbeyondtheintrinsicvalue—theessentialworth—oftheasset underconsideration.Thishigheracquiredvalueisthemoreappropriatevalueinmostcases. Someofthecomponentsofassetvaluationmayincludethesefactorstodeterminethefinancial valueattributabletoaspecificinformationasset: • • • • • • •
Valueretainedfromthecostofcreatingtheinformationasset Valueretainedfrompastmaintenanceoftheinformationasset Valueimpliedbythecostofreplacingtheinformation Valuefromprovidingtheinformation Valueacquiredfromthecostofprotectingtheinformation Valuetoowners Valueofintellectualproperty
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION93
• Valuetoadversaries • Lossofproductivitywhiletheinformationassetsareunavailable • Lossofrevenuewhileinformationassetsareunavailable Onceanorganizationhasestimatedthefinancialvalueofitsvariousinformationassets,itcan begintoexaminethepotentiallossthatcouldoccurfromtheexploitationofavulnerability.This processresultsintheestimateofpotentialloss.Thequestionsthatmustbeaskedhereinclude: • Whatdamagecouldoccurandwhatfinancialimpactwouldithave? • What would it cost to recover from the attack, in addition to the financial impact of damage? • Whatisthesinglelossexpectancyforeachrisk? Asinglelossexpectancy,orSLE,isthecalculationofthevalueassociatedwiththemostlikely lossfromanattack.Itisacalculationbasedonthevalueoftheassetandtheexpectedpercentage oflossthatwouldoccurfromaparticularattack,asshownbelow. SLE=assetvalue(AV)multipliedbytheexposurefactor(EF) whereEF=thepercentagelossthatwouldoccurfromagivenvulnerabilitybeingexploited. Asdifficultasitistoestimatethevalueofinformation,theestimationoftheprobabilityofathreat occurrenceorattackisevenmoredifficult.Therearenotalwaystables,books,orrecordsthatindicatethefrequencyorprobabilityofanygivenattack.However,therearesourcesavailableforsome asset-threatpairs.Forinstance,thelikelihoodofatornadoorthunderstormdestroyingabuildingof aspecifictypeofconstructionwithinaspecifiedregionofthecountryisavailabletoinsuranceunderwriters.Inmostcases,however,anorganizationcanrelyonlyonitsinternalinformationtocalculate thesecurityofitsinformationassets.Evenifthenetwork,systems,andsecurityadministratorshave beenactivelyandaccuratelytrackingtheseoccurrences,theorganization’sinformationissketchy atbest.Asaresult,thisinformationisusuallyestimated.Inmostcases,theprobabilityofathreat occurringisusuallyalooselyderivedtableindicatingtheprobabilityofanattackfromeachthreat typewithinagiventimeframe(forexample,onceeverytenyears).Thisvalueiscommonlyreferred toastheARO,orannualizedrateofoccurrence.AROissimplyhowoftenoneexpectsaspecific typeofattacktooccur.Forexample,ifasuccessfulactofsabotageorvandalismoccursaboutonce everytwoyears,thentheAROwouldbe50percent(.50),whereassomekindsofnetworkattacks canoccurmultipletimespersecond.Inordertostandardizecalculations,oneconvertstheratetoa yearly(annualized)value.Thisisexpressedastheprobabilityofathreatoccurrence. Oncethevaluesforthelossfromasingleevent(SLE)andthelikelynumberofoccurrences peryear(ARO)valuesaredetermined,theequationcanbecompletedtodeterminetheoverall potentiallossperrisk.Thisisusuallydeterminedviaanannualizedlossexpectancy,orALE,usingthevaluesfortheAROandSLE. ALE=SLE×ARO WithanexampleofanSLEof$100,000andanAROof.50,then: ALE=$100,000×0.50 ALE=$50,000
94 MATTORD AND WIANT
Thisindicatesthatunlessoneincreasesthelevelofsecurityonone’swebsite,theorganization canexpecttolose$50,000peryear,everyyear.Thisfigureisusedalongwiththeanticipated expensesforcontrolimprovementsforplanningandjustificationpurposes.Sometimesnoneconomicfactorsareconsideredinthisprocess,sothatinsomecasesevenwhenALEamountsare nothuge,controlbudgetscanbejustified. TheCost-BenefitAnalysis(CBA)Formula Put simply, CBA (or economic feasibility) determines whether or not a control alternative is worthitsassociatedcost.CBAsmaybecalculatedbeforeacontrolorsafeguardisimplemented, todetermineifthecontrolisworthimplementing.Or,theycanbecalculatedaftercontrolshave beenimplementedandhavebeenfunctioningforatime.Observationovertimeaddsprecision totheevaluationofthebenefitsofthesafeguardandthedeterminationofwhetherthesafeguard isfunctioningasintended.WhilemanyCBAtechniquesexist,theCBAismosteasilycalculated usingtheALEfromearlierassessments. CBA=ALE(priortocontrol)–ALE(postcontrol)–ACS • ALE(priortocontrol)istheannualizedlossexpectancyoftheriskbeforetheimplementation ofthecontrol. • ALE(postcontrol)istheALEexaminedafterthecontrolhasbeeninplaceforatime. • ACSistheannualcostofthesafeguard. • CBAmustbezeroorlarger. Oncethecontrolsareimplemented,itiscrucialtocontinuetoexaminetheirbenefits,todetermine whenthecontrolsmustbeupgraded,supplemented,orreplaced.AsFrederickAvoliostatesinhisarticle “BestPracticesinNetworkSecurity”:“Securityisaninvestment,notanexpense.Investingincomputer andnetworksecuritymeasuresthatmeetchangingbusinessrequirementsandrisksmakesitpossible tosatisfychangingbusinessrequirementswithouthurtingthebusiness’viability”(Avolio,2000). DecisionMakingUsingRiskAssessment Thevariousmethodsofdecisionmakingregardingriskmanagementingeneralcanbediscussed intwobroadcategories:quantitativemethodsandqualitativemethods.Whilesomeofthemethods discussedbelowarecategorizedasqualitative,othersmayhaveconsideredthemquantitativeinother discussions.Thecriticalfactorusedinthiscategorizationisthatinordertobeconsideredquantitative, anapproachmustuseobjective,mutuallyagreedupon,andrepeatableprocessesthatwillarriveat thesameconclusionwithoutregardtowhopreparestheanalysis.Anymethodsubjecttoananalyst’s subjectiveassessmentwillthennecessarilybeconsideredinthischapterasqualitative. QuantitativeApproaches ThepreviousdiscussionoftheTVAmodelconcludedwithaself-styledquantitativeandeconometriccalculationtouseanticipatedannuallossesfortheoperationofunprotectedorunder-protected informationassetsasabasisforjustification.Quantitativeapproachesusedinthismannerare oftenperceivedasinaccurateorsimplywrong.Whenusedimproperly,someofthequantitative processes discussed may not operate as expected. In general, risk assessment techniques that
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION95
uselossexpectancies,annualizedratesofoccurrence,andestimateannuallossesshouldnotbe construedasaforecastofplannedeconomiclossorbenefit;rathertheyshouldberelieduponto producenumbersthatcanbeusedforassessingrelativeprobabilities. Therefore,ifagivenvulnerabilityisforecasttohaveanALEof$20,000andanotherisestimated tohaveanALEof$40,000,ratherthanbudget$60,000forplannedlosses,theprudentbusiness mangerwillusethenumberstomakedecisionswhenallocatingresourcestoreducethetotalrisk oflosstotheorganization’sinformationassets. Whiletheapproachofusingquantitativeassessmenthasalongtrackrecordinthebusinesscommunity,therearealwaysvariationsinapplicationthatoftenmaketheprocedure,asputintopractice,a qualitativeexercise.Ashortfallisthefrequentfailuretoincludeallaspectsofexpensesintheestimates forlossandestimatesofcostsforcontrol.Whenallaspectsoftheacquisitionandoperationofacontrol strategyortechnologyareincludedintheestimate,itisknownasusingthetotalcostofownership (TCO)approach.TheuseofTCO-derivedvaluesisaprerequisiteforanyquantitativeapproach. Anotherconsiderationthatisbroughttobearoncontrolstrategyandtechnologyimplementation estimatesistheconceptofthetimevalueofmoney.Itisoftenthecasethatcontrolimplementation projectsspanmanymonthsoryearsinlargeorganizations.Occasionally,organizationalprocedures requirethatthetimevalueofexpensesandinvestmentcostsbefactoredagainsttheanticipated scheduleofbenefitsfromtheplannedproject. LimitationsofQuantitativeApproaches Atthepresent,therearenotrulyquantitativeriskassessmentapproachesavailable.Asopposedtothe insuranceunderwritingofcommercialorresidentialbuildingsagainstloss,wherethereisasignificant abilitytoempiricallyderivelossestimatesformostsituations,informationsystemriskassessmenthasalmostnoreliableempiricalestimateinfrastructureandisalmostalwaysdoneinaqualitativefashion. QualitativeApproaches Whenjustificationsthatusefactorsotherthanpurelyfinancialorstatisticalmodelsareimplemented, itisqualitativemodelsthatarebeingutilized. StandardsofDueCare/DueDiligence Forlegalreasons,anorganizationoftenadoptsacertainminimumlevelofsecurity.Whenorganizationsadoptminimumlevelsofsecurityforalegaldefense,theymayneedtoshowthattheyhave donewhatanyprudentorganizationwoulddoinsimilarcircumstances;thisisknownasastandard ofduecare.Implementingandmaintainingcontrolsatthisminimumstandarddemonstratesthatan organizationhasperformedduediligence.Duediligencerequiresthatanorganizationensurethat theimplementedstandardscontinuetoprovidetherequiredlevelofprotection.Failuretosupport astandardofduecareorduediligencecanopenanorganizationtolegalliability,provideditcan beshownthattheorganizationwasnegligentinitsapplicationorlackofapplicationofinformationprotection.Thisisespeciallyimportantwhentheorganizationmaintainsinformationabout customers,includingmedical,legal,orotherpersonaldata. Theinformationsecurityprotectionenvironmentanorganizationmustmaintaincanbelargeand complex.Itmay,therefore,beimpossibletoimplementbestpracticesinallcategories.Basedonthe budgetassignedtotheprotectionofinformation,itmayalsobefinanciallyimpossibletoprovide securitylevelsonalevelwithorganizationsthatcanspendmoremoneyoninformationsecurity.
96 MATTORD AND WIANT
Informationsecuritypracticesareoftenviewedrelatively,asnotedbyAvolio:“Goodsecurity now is better than perfect security never” (Avolio, 2000). Some organizations might wish to implementthebest,mosttechnologicallyadvancedcontrolsavailable,butforfinancialorother reasons,cannot.Itiscounterproductivetoestablishcostly,state-of-the-artsecurityinonearea, onlytoleaveotherareasexposed.Organizationsmustmakesuretheyhavemetareasonablelevel ofsecurityinallareas,andhaveadequatelyprotectedallinformationassets,beforeimproving individualareastothehigheststandards. Benchmarking Insteadofdeterminingthefinancialvalueofinformationandthenimplementingsecurityas anacceptablepercentageofthatvalue,anorganizationcouldtakeadifferentapproachtorisk management,andlooktopeerorganizationsforbenchmarks.Benchmarkingistheprocess of seeking out and studying the practices used in other organizations that produce results onewouldliketoduplicateinone’sorganization.Anorganizationtypicallybenchmarksby selectingameasurewithwhichitmaycompareitselftotheotherorganizationsinitsmarket. Theorganizationthenmeasuresthedifferencebetweenthewayitconductsbusinessandthe waytheotherorganizationsconductbusiness.TheindustrywebsiteBestPracticesOnline putsitthisway: Benchmarkingcanyieldgreatbenefitsintheeducationofexecutivesandtherealized performanceimprovementsofoperations.Inaddition,benchmarkingcanbeusedtodeterminestrategicareasofopportunity.Ingeneral,itistheapplicationofwhatislearned inbenchmarkingthatdeliversthemarkedandimpressiveresultssooftennoted.Thedeterminationofbenchmarksallowsonetomakeadirectcomparison.Anyidentifiedgaps are improvement areas. Benchmarking can take several forms. Internal benchmarking studies the practices and performance within the client organization. External benchmarkingdeterminestheperformanceofother,preferablyworld-class,companies.(Best Practices,LLC,2004) Whenbenchmarking,anorganizationtypicallyusesoneoftwotypesofmeasurestocompare practices:metrics-basedmeasuresorprocess-basedmeasures. Metrics-basedmeasuresarecomparisonsbasedonnumericalstandards,suchas: • • • • • •
Numbersofsuccessfulattacks Staff-hoursspentonsystemsprotection Dollarsspentonprotection Numbersofsecuritypersonnel Estimatedvalueindollarsoftheinformationlostinsuccessfulattacks Lossinproductivityhoursassociatedwithsuccessfulattacks
An organization uses numerical standards like these to rank competing organizations that are similartoitinsizeormarkettodeterminehowitcomparestoitscompetitors.Thedifference betweenanorganization’smeasuresandthoseofothersisoftenreferredtoasaperformancegap. Performancegapsprovideinsightintotheareasthatanorganizationshouldworkontoimprove itssecurityposturesanddefenses. Theothermeasurescommonlyusedinbenchmarkingareprocess-basedmeasures.Process-
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION97
basedmeasuresaregenerallylessfocusedonnumbersandmetrics-basedmeasuresandmoreon strategicmeasures.Foreachoftheareastheorganizationisinterestedinbenchmarking,processbasedmeasuresenableittoexaminetheactivitiesitperformsinpursuitofitsgoal,ratherthan thespecificsofhowgoalsareattained.Theprimaryfocusisthemethodtheorganizationusesto accomplishaparticularprocess,ratherthantheoutcome. BestSecurityPractices Securityeffortsthatseektoprovideasuperiorlevelofperformanceintheprotectionofinformationarereferredtoasbestbusinesspracticesorsimplybestpractices.Someorganizationsrefer totheseasrecommendedpractices.Securityeffortsthatareamongthebestintheindustryare referredtoasbestsecuritypractices(BSPs).Thesepracticesbalancetheneedforinformation accesswiththeneedforadequateprotection.Bestpracticesseektoprovideasmuchsecurityas possibleforinformationandinformationsystemswhiledemonstratingfiscalresponsibilityand ensuringinformationaccess.Companieswithbestpracticesmaynotbethebestineveryarea; theymayonlyhaveestablishedanextremelyhighqualityorsuccessfulsecurityeffortinonearea. Aswasnotedpreviously,U.S.federalagencieshaveaccesstoawebsiteprovidingthemwiththe opportunitytosharebestsecuritypracticeswithotheragencies(seefasp.nist.gov).Thisproject isknownastheFederalAgencySecurityProject.Itwastheresultof: theFederalChiefInformationOfficerCouncil’sFederalBestSecurityPractices(BSP)pilot efforttoidentify,evaluate,anddisseminatebestpracticesforcomputerinformationprotectionandsecurity....TheFASPsitecontainsagencypolicies,proceduresandpractices;the CIOpilotBSPs;and,aFrequently-Asked-Questions(FAQ)section. Whilefewcommercialequivalentsexistatthistime,manyoftheBSPsusedintheFASPprogramareapplicabletotheareaofinformationsecurityinboththepublicandprivatesector. TheGoldStandard Best business practices are not sufficient for organizations that prefer to set the standard by implementing the most protective, supportive, and yet fiscally responsible standards possible. Theystrivetowardthegoldstandard.Thegoldstandardisamodellevelofperformancethat demonstratesindustrialleadership,quality,andconcernfortheprotectionofinformation.The implementationofgoldstandardsecurityrequiresagreatdealofsupport,bothinfinancialand personnelresources.Whilethereissomepublicinformationonbestpractices,therearenopublishedcriteriaforthegoldstandard.Thegoldstandardisalevelofsecurityoutofreachformost organizations.Manyvendorsclaimtoofferagoldstandardinoneproductorservice,butthisis predominantlymarketingpropaganda. SelectingBestPractices Choosingwhichrecommendedpracticestoimplementcanposeachallengeforsomeorganizations.Inindustriesthatareregulatedbygovernmentalagencies,governmentguidelinesareoften requirements.Forotherorganizations,governmentguidelinesareexcellentsourcesforidentifying bestpracticestocontrolinformationsecurityrisksthataremostsuitabletotheorganization.When consideringbestpracticesforyourorganization,considerthefollowing:
98 MATTORD AND WIANT
• Doesyourorganizationresembletheidentifiedtargetorganizationofthebestpractice? • Areyouinasimilarindustryasthetarget?Astrategythatworkswellinmanufacturing organizationsmighthavelittlerelevancetoanonprofitorganization. • Doyoufacesimilarchallengesasthetarget?Ifyouhavenofunctioninginformationsecurity program,abestpracticetargetthatassumesyoudowillnotbeofgreatvalue. • Isyourorganizationalstructuresimilartothatofthetarget?Abestpracticeproposedfora smallofficeisnotapplicabletoamultinationalcompany. • Aretheresourcesyoucanexpendsimilartothosecalledforbythebestpractice?Abest practiceproposalthatassumesunlimitedfundingisoflimitedvalueifyourprogramhas budgetconstraints. • Areyouinasimilarthreatenvironmentastheoneassumedbythebestpractice?Bestpractices ofmonthsorevenweeksagomaynotanswerthecurrentthreatenvironment.Considerthe bestpracticeforInternetconnectivityrequiredinthemodernorganizationattheopeningof thetwenty-firstcenturycomparedtobestpracticesoffiveyearsago. AnothersourceforbestpracticesinformationistheCERTwebsite(www.cert.org/securityimprovement/),whichpresentsanumberofsecurityimprovementmodulesandpracticesinHTML andPDFformat.Similarly,Microsofthaspublishedasetofbestpracticesinsecurityatitswebsite (www.microsoft.com/mscorp/twc/).Microsoftfocusesonfourkeyareas: • • • •
Security Privacy Reliability Businessintegrity
Anotherconsiderationistojoinprofessionalsocietiesthatprovideinformationonbestpractices fortheirmembers.TheTechnologyManager’sForum(www.techforum.com)hasanannualbest practiceawardinanumberofareasincludinginformationsecurity.TheInformationSecurity Forum(www.isfsecuritystandard.com)hasafreepublicationtitled“StandardofGoodPractice” thatoutlinesinformationsecuritybestpractices. Manyorganizationshaveseminarsandclassesonbestpracticesforimplementingsecurity.Forexample,theInformationSystemsAuditandControlAssociation(www.isaca.com)hostsseminarsona regularbasis.Similarly,theInternationalAssociationofProfessionalSecurityConsultants(www.iapsc. org)hasalistofbestpractices,asdoestheGlobalGridForum(www.gridforum.org).Onecanalsoperuse Webportalsforpostedsecuritybestpractices.Thereareseveralfreeportalsdedicatedtosecuritythat havecollectionsofpractices,suchasSearchSecurity.comandNIST’sComputerResourcesCenter. Thesearebutafewofthemanypublicandprivateorganizationsthatpromotesolidbestsecuritypractices.InvestingafewhourssearchingtheWebrevealsdozensoflocationsforadditional information.Findinginformationonsecuritydesignistheeasypart.Sortingthroughthecollected massofinformation,documents,andpublicationscanrequireasubstantialinvestmentintime andhumanresources.Theresultofthiseffortshouldbeaframeworktodevelopandimplement asecuritysystemthataddressespolicy,educationandtraining,andtechnology. Baselining Relatedtotheconceptofbenchmarkingistheprocessofbaselining.Abaselineisalevelof performanceagainstwhichchangescanbeusefullycompared.Anexampleisabaselineforthe
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION99
numberofattacksperweekanorganizationexperiences.Inthefuture,thisbaselinecanserve asareferencepointtodetermineiftheaveragenumberofattacksisincreasingordecreasing. Baseliningistheprocessofmeasuringagainstestablishedstandards.Ininformationsecurity, baseliningisthecomparisonofsecurityactivitiesandeventsagainsttheorganization’sfuture performance.Thusbaseliningcanprovidethefoundationforinternalbenchmarking.Theinformationgatheredforanorganization’sfirstriskassessmentbecomesthebaselineforfuture comparisons. Whenbaselining,itisusefultohaveaguidetotheoverallprocess.TheNationalInstituteof StandardsandTechnologyhastwopublicationsspecificallywrittentosupporttheseactivities: • SP 800–27 Engineering Principles for InformationTechnology Security (A Baseline for AchievingSecurity),June2001. • SP800–26SecuritySelf-AssessmentGuideforInformationTechnologySystems,November 2001(discussedelsewhereinthischapter). Bothofthesedocumentsareavailableathttp://csrc.nist.gov/publications/nistpubs/index.html. Baseliningandresearchingbestpracticesprovidelessdetailforthedesignandimplementationofasecurityprogramthandoesacompletemethodology.However,bybaseliningandusing bestpractices,onecanpiecetogetherthedesiredoutcomeofthesecurityprocess,andthuswork backwardstoaneffectivedesign. LimitationsofQualitativeApproaches The biggest problem with benchmarking in information security is that organizations do not talktoeachother;asuccessfulattackisviewedasanorganizationalfailure,andiskeptsecret, insofaraspossible.Asaresult,theentireindustrysuffersasvaluablelessonsarenotrecorded, disseminated,andevaluated.However,moreandmoresecurityadministratorsarejoiningprofessionalassociationsandsocietiesliketheInformationSystemsSecurityOrganization(ISSO)and sharingtheirstoriesandlessonslearned.Analternativetothisdirectdialogueisthepublication oflessonslearned.Individualsecurityadministratorsarebeginningtopublishinsecurityjournals sanitizedversionsoftheattacksontheirorganizationsandinformationinanefforttosharewhat theyhavelearned. Anotherproblemwithbenchmarkingisthatnotwoorganizationsareidentical.Eveniftwo organizations are producing products or services in the same market, their size, composition, managementphilosophies,organizationalculture,technologicalinfrastructure,andbudgetsfor securitymaydifferdramatically.Eveniforganizationsdoexchangeinformation,theymaynotbe abletoapplythestrategiesoftheother.Whatorganizationsseekmostarelessonsthatcanhelp themstrategically,ratherthaninformationaboutspecifictechnologiestheyshouldadopt.Rememberthatsecurityisamanagerialproblem,notatechnicalone.Ifitwereatechnicalproblem,then implementingthesametechnologywouldsolvetheproblemregardlessofindustryororganizational composition.Asamanagerialandpeopleproblem,thenumberandtypesofvariablesthatimpact thesecurityoftheorganizationdifferradicallyinanytwobusinesses. Athirdproblemisthatbestpracticesareamovingtarget.Whatworkedwelltwoyearsago maybecompletelyworthlessagainsttoday’sthreats.Securityprogramsmustkeepabreastofnew threatsaswellasmethods,techniques,policies,guidelines,educationalandtrainingapproaches, and,yes,technologiestocombatthem. Onelastissuetoconsideristhatknowingwhatwashappeningafewyearsago,asinbench-
100 MATTORD AND WIANT
marking,doesnotnecessarilytellonewhattodonext.Whileitistruethat,insecurity,thosewho donotpreparefortheattacksofthepastwillseethemagain,itisalsotruethatpreparingforpast threatsdoesnotprepareoneforwhatliesahead.Itisimportanttobeaspreparedaspossibleto containthethreatsoneknowsabout,andthenfocuseffortsonmonitoringthecommunications andnewlistingsdirectedtowardsystemsandsecurityadministratorstodeterminewhatiscoming andhowtoprepareforit. BlendedApproaches Therealityofthecurrentstateofthepracticeinriskassessmentistheuseofablendedapproach. Thiscombinationofqualitativeandquantitativemethodscanbeseeninmostdominantpractices today, but is especially obvious in the TVA and FRAAP models, as discussed earlier in this chapter. DOCUMENTINGRESULTSOFRISKASSESSMENT Thegoaloftheriskassessmentprocessistoidentifyinformationassetsandtheirvulnerabilities, rankthemaccordingtotheneedforprotection,andthenidentifycontrolstrategiesandtechnologiesthatmayhelpincontrollingtheexposuretolossthatallorganizationsface.Inpreparingthis listawealthoffactualinformationabouttheassetsandthethreatstheyfaceiscollected.Also, informationaboutvulnerabilitiesandcontrolsiscollected.Afinal,summarizeddocumentprovidingarankedvulnerabilityriskworksheetshouldbeprepared,similartotheexampleshownin Table4.8.Areviewofthisworksheetshowssimilaritiestotheweightedfactoranalysisworksheet showninTable4.5. Table4.8isusedasfollows: • Asset:Listeachvulnerableasset. • Assetimpact:ShowtheresultsforthisassetfromtheWeightedFactorAnalysisWorksheet. Intheexample,thisisanumberfrom1to100. • Vulnerability:Listeachuncontrolledvulnerability. • Vulnerabilitylikelihood:Statethelikelihoodoftherealizationofthevulnerabilitybyathreat agentasindicatedinthevulnerabilityanalysisstep.Intheexample,thenumberisfrom0.1 to1.0. • Risk-ratingfactor:Enterthefigurecalculatedfromtheassetimpactmultipliedbythelikelihood.Intheexample,thecalculationyieldsanumberfrom0.1to100. LookingatthesampleresultsshowninTable4.8,itmaybesurprisingthatthemostpressing riskrequiresmakingthemailserverorserversmorerobust.Eventhoughtheimpactratingof theinformationassetrepresentedbythecustomerservicee-mailisonly55,therelativelyhigh likelihoodofahardwarefailuremakesitthemostpressingproblem. Nowthattheriskidentificationprocessiscomplete,whatshouldthedocumentationpackage looklike?Inotherwords,whatarethedeliverablesfromthisstageoftheriskmanagementproject? Theriskidentificationprocessshouldincludedesignatingwhatfunctionthereportsserve,whois responsibleforpreparingthereports,andwhoreviewsthem.Therankedvulnerabilityriskworksheetistheinitialworkingdocumentforthenextstepintheriskmanagementprocess:assessing andcontrollingrisk.Table4.9showsasamplelistoftheworksheetsthathavebeenpreparedby aninformationassetriskmanagementteam.
Asset Customerservicerequestviae-mail(inbound) Customerservicerequestviae-mail(inbound) Customerorderviasecuresocketslayer(SSL) (inbound) CustomerorderviaSSL(inbound) Customerservicerequestviamail(inbound) Customerservicerequestviae-mail(inbound) Customerservicerequestviae-mail(inbound) CustomerorderviaSSL(inbound) CustomerorderviaSSL(inbound) CustomerorderviaSSL(inbound) 100 55 55 55 100 100 100
Asset impact 55 55 100
ExampleRankedVulnerabilityRiskWorksheet
Table4.8
LostordersduetoWebserverISPservicefailure E-maildisruptionduetoSMTPmailrelayattack E-maildisruptionduetoISPservicefailure E-maildisruptionduetopowerfailure LostordersduetoWebserverdenial-of-serviceattack LostordersduetoWebserversoftwarefailure LostordersduetoWebserverbufferoverrunattack
Vulnerability E-maildisruptionduetohardwarefailure E-maildisruptionduetosoftwarefailure LostordersduetoWebserverhardwarefailure
0.1 0.1 0.1 0.1 0.025 0.01 0.01
10 5.5 5.5 5.5 2.5 1 1
Vulnerability Risk-rating likelihood factor 0.2 11 0.2 11 0.1 10
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION101
102 MATTORD AND WIANT Table4.9
RiskIdentificationandAssessmentDeliverables Deliverable
Purpose
TVAmatrix
Documentassets,threats,vulnerabilities,controlstrategies andtechnologiesandtheassociatedvaluesandcosts Informationsetclassificationworksheet Assemblesinformationaboutinformationassetsandwhat impactorvaluetheyhavetotheorganization Weightedcriteriaanalysisworksheet Assignsrankedvalueorimpactweighttoeachinformation asset Assignsriskratingrankedvalueforeachuncontrolled Rankedvulnerabilityriskworksheet asset-vulnerabilitypair
ComprehensiveInformationSecurityOperationalRiskAssessment Akeycomponentusedtodocumenttheresultsofriskassessment(andlaterusedinongoingactivitiesforriskmanagement)isthecomprehensiveinformationsecurityoperationalriskassessment (RAforshort).TheRAisamethodofidentifyinganddocumentingtheriskthataproject,process, oractionintroducestotheorganizationandmayalsoinvolveofferingsuggestionsforcontrolsto reducethatrisk.Theinformationsecuritygroupisinthebusinessofcoordinatingthepreparation ofmanydifferenttypesofRAdocuments,including: • NetworkconnectivityRA:Usedtorespondtonetworkchangerequestsandnetworkarchitecturaldesignproposals.Maybepartoforsupportabusinesspartner’sRA. • DialedmodemRA:Usedwhenadial-upconnectionisrequestedforasystem. • BusinesspartnerRA:Usedwhenaproposalforconnectivitywithbusinesspartnersisbeing evaluated. • ApplicationRA:Usedatvariousstagesinthelifecycleofabusinessapplication.Content dependsontheproject’spositioninthelifecyclewhentheRAisprepared.Usually,multiple RAdocumentsarepreparedatdifferentstages.Thedefinitiveversionispreparedastheapplicationisreadiedforconversiontoproduction. • VulnerabilityRA:Usedtoassistincommunicatingthebackground,details,andproposed remediationasvulnerabilitiesemergeorchangeovertime. • PrivacyRA:Usedtodocumentapplicationsorsystemsthatcontainprotectedpersonalinformationthatneedstobeevaluatedforcompliancewithprivacypoliciesoftheorganization andrelevantlaws. • AcquisitionordivestureRA:Usedwhenplanningforreorganizationasunitsoftheorganizationareacquired,divested,ormoved. • OtherRA:Usedwhenastatementaboutriskisneededforanyproject,proposal,orfaultthat isnotcontainedintheprecedinglist. The RA process identifies risks and proposes controls. Most RA documents are structured to includethecomponentsshowninTable4.10. Ariskassessment’sidentificationofthesystemicorlatentvulnerabilitiesthatintroduceriskto theorganizationcanprovidetheopportunitytocreateaproposalforaninformationsecurityproject. Whenusedaspartofacompleteriskmanagementmaintenanceprocess,theRAcansupportthe
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION103 Table4.10
RiskAssessmentDocumentationComponents Component
Description
Whenandhowused
Introduction
AstandardopeningdescriptiontoexplaintheRA toreaderswhoareunfamiliarwiththeformat.The exacttextvariesforeachRAtemplate.
FoundinallRA documenttemplates
Scope
AstatementoftheboundariesoftheRA.
FoundinallRA documenttemplates
Disclaimer
Astatementthatincludeslanguagethatidentifies limitsintheriskassessmentbasedonwherein theprojectlifecyclethereportwasdeveloped.The informationavailableatdifferenttimesinthelife oftheprojectwillaffecthowcomprehensiveand accuratethereportis.Often,riskassessments arethemostimpreciseattheearlieststagesofa project,anditisimportantthatdecisionmakers aremadeawareofthelackofprecisioninthe riskassessmentwhenitisbasedonincomplete information.Thisstatementissometimesremoved inthefinalRAwhenallinformationaboutthe projectisavailable,butitmaybeleftinorderto provideawarenessthatsomeimprecisioninthe assessmentofriskisinherentintheprocess.
FoundinalldraftRA documenttemplates; someissuesmay remaininthe disclaimerinsome finalRAtemplates
Information security resources
Alistofthenamesoftheinformationsecurityteam FoundinallRA memberswhocollectedinformation,analyzedrisk, documenttemplates anddocumentedthefindings.
Otherresources
Alistofthenamesoftheotherorganization memberswhoprovidedinformation,assistedin analyzingrisk,anddocumentedthefindings.
FoundinallRA documenttemplates
Background
Adocumentingoftheproposedproject,including networkchanges,applicationchanges,andother issuesorfaults.
FoundinallRA documenttemplates
Plannedcontrols
Adocumentingofallcontrolsthatareplannedin theproposedproject,includingnetworkchanges, applicationchanges,andotherissuesorfaults.
FoundinallRA documenttemplates
IRPandDRP planningelements
Adocumentingoftheincidentresponseand disasterplanningelementsthathavebeenorwill bepreparedforthisproposedproject,including networkchanges,applicationchanges,andother issuesorfaults.
Recommendedinall documenttemplates
Opinionofrisk
Asummarystatementoftherisktothe FoundinallRA organizationintroducedbytheproposedproject, documenttemplates networkchange,application,orotherissueorfault.
Recommendations
Astatementofwhatneedstobedoneto implementcontrolswithintheprojecttolimitrisk fromtheproposedproject.
Information securitycontrols recommendations summary
Asummaryofthecontrolsthatareplannedor Recommendedinall needed,usingthesecurityarchitectureelementsof documenttemplates thesystemasanorganizingmethod.
FoundinallRA documenttemplates
104 MATTORD AND WIANT
informationsecurityprogramasapowerfulandflexibletoolthathelpsidentifyanddocumentrisk andremediatetheunderlyingvulnerabilitiesthatexposetheorganizationtorisksofloss. PREVIOUSRESEARCHINTHEFIELDOFRISKASSESSMENT ExploringPastResearchinRiskAssessment Currentresearchinriskassessmentappearstobedividedintosixdistinctareas.Theseare:analysis techniques,softwaresecurity,securityinvestment,documentation,motivation,andaudits.The topicsarepresentedinthefollowingparagraphs. AnalysisTechniques Reliableriskassessmentinvolvesdatacollectionofallfacetsinfluencingsystemrisk(Fungetal., 2003).Anotabledifficultywhenperformingariskanalysisistodeterminetheinputparameters to the analysis, which may include facts and opinions concerning threats, vulnerabilities, and costs(Josangetal.,2004).Theremayormaynotbestatisticalinformationoneachofthesethree areaswhichinturnmaycausedecisionmakerstorelymoreheavilyonsubjectiveopinionswhen performingtheirriskanalysis(Josangetal.,2004). Itthenmustbenotedthatinthecurrentresearchofriskassessment,atopicofinterestisrisk analysistechniquesinwhichthereappeartobetwodistinctschoolsofthought.Ontheonehand therearethosewhobelievethatthecomputationalcomplexityofriskanalysisissodifficultthat itrequiresappropriatesoftwaretoeliminatetheineffectivenessofcurrentsimplifiedmethodsof riskassessment(HamdiandBoudriga,2003).HamdiandBoudrigaproposeanalgebraicmethodology that states that attacks are irreversible and that security decisions can be regarded as pseudo-inversesforthoseattacks. Josang,Bradley,andKnapskog(2004)proposethatriskanalysisshouldusesubjectivebeliefs aboutthreatsandvulnerabilitiesasinputparametersandthenusethebeliefcalculusofsubjectivelogictocombinethoseparameters.Theyfurthercontendthatbeliefcalculusconsidersthe uncertaintyaboutthreatandvulnerabilityestimatesandreflectsmorerealisticallythenatureof eachestimate.Theintentofthissubjectiveapproachtoriskanalysisistoallowfortheconsiderationofignoranceintheanalysisprocess.Theresultsofsuchananalysisrevealthedegreeof ignorancetheanalysiscontains. Farahmand,Navathe,Sharp,andEnslow(2003)reviewedtheexistingtaxonomyofthreatsto informationsystemsanddiscussedsubjectiveanalysisforaprobabilityassessmentofthreatstoinformationsystems.Theirworkprovidedafive-stageriskmanagementmodeldesignedtohelpmanagers identifybusinessassets,recognizethreats,assessthelevelofbusinessimpactifathreatmaterialized, analyzevulnerabilities,suggestcountermeasures,andrecommendanimplementationplan. SoftwareSecurity WangandWang(2003)notesoftwaresecurityasanotherareaofinterestinriskassessment.They statedthattherearethreecategoriesofsoftwarerisksandthreatsbasedonthetargetofattack: application layer, platform layer, and network layer. They presented an evaluation of current individualsecuritytechnologiesforthesethreelayersandaneffectivenessevaluationforeach technology.Riskmustbesystematicallyassessedtoeffectivelymanageitandmustalsoinclude thesoftwaredevelopmentphase(Cavusogluetal.,2004).
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION105
AnotheraspectofsoftwaresecurityisWebapplicationsecurityasexploredbyHuang,Huang, Lin,andTsai(2003).Theydescribeanumberofsoftwaretestingtechniquestoincludedynamic analysis,black-boxtesting,andbehaviormonitoringandthenpresenttheirtooltheynamedthe WebApplicationVulnerabilityandErrorScanner(WAVES).TheirstudydeterminedthatWAVES isaviabletooltoassessWebapplicationsecurity. SecurityInvestment Littlestudyhasbeenattemptedthataddressestheeconomicaspectsofinformationsecurity(GordonandLoeb,2002).Thismaybebecausethecostsassociatedwithcomputersecurityarehardto assessduetothelackofaccuratemetrics.Exacerbatingtheproblemofcostanalysisisthefactthat traditionallyindustryhasappearedwillingtowriteoffadegreeofcomputerservicedowntimeand lossofaccessto,ormisuseof,informationandequipmentasastandardbusinesspractice.This practicemaysoonchangeduetotheincreasedrelianceoncomputationservicesandthefactthat informationhasbecomeincreasinglycriticaltobusinessdailyoperations(Mercuri,2003). Toolssuchascost-benefitanalysis,comprehensiveanalyticalmodels,andeconomicmodels havebeenconsideredtoassistintheinvestmentanalysisdecision.Threesuchtoolsaredescribed brieflyinthefollowingparagraphs. Recently,cost-benefitanalysis(CBA)techniqueshavebecomethemostpopularmetricsappliedtotheassessmentofcomputerrelatedrisks.Mercuri(2003)pointsoutthatCBAmodels maybemoreeffectiveastheyincorporatetheuseofrisk-adjustedcashflowsinordertoexamine internalrateofreturn(IRR)andthemaximumnetpresentvalue(NPV)computedasapercentage ofinformationsecurityexpenditures. Thecost-benefitanalysisandsecurityauditinformationshouldbeincludedinaformalreportto providemanagementwiththeinformationitneedstoselectappropriatecountermeasures.Asample cost-benefitanalysisisavailableintheNISTRiskManagementGuide(DarkandPoftak,2004). Cavusoglu,Mishra,andRaghunathan(2004)proposedacomprehensiveanalyticalmodelto evaluatesecurityinvestmentdecisions.TheirgoalwastocreateamodeltoanalyzeITsecurity investmentproblemsthatincorporatesspecificfeaturesofITsecuritytechnologiestoassistin decisionmakingatalllevelsofanITsecuritysetting. GordonandLoeb(2002)soughttoderiveaneconomicmodeltodeterminetheoptimalamount toinvestininformationsecurity.Theresearchersconstructedamodeltospecificallyconsiderhow thevulnerabilityofinformationandthepotentiallossfromsuchvulnerabilityaffecttheoptimal amountofresourcesthatshouldbedevotedtosecuringthatinformation.GordonandLoebcontend thatmanagersshouldnormallyfocusoninformationthatfallsintothemidrangeofvulnerability tosecuritybreaches.Thisactionwouldalsorequireorganizationstogrouptheirinformationinto variouslevelsofsecuritybreachvulnerability. Documentation InadditiontoCBAandauditinformation,itisrecommendedthatorganizationsmaintainarunning,annotated,andcurrentdocumentationfilethatsupportstheirdecisionmakingrelativetoall securityimplementationspecifications(JohnsonandSchulte,2004)ascomprehensiveandcurrent,informationsecuritydocumentationisakeystoneofgoodinformationsecuritymanagement. Documentation,alongwithassociatedriskassessmentstrategiesisevidencethatsecurityofficers haveactedwithahighlevelofprofessionalcompetence(Fungetal.,2003). Lund,denBraber,andStølen(2003)notethetimeandcostrequiredforsecurityauditsandpropose
106 MATTORD AND WIANT
amethodologytoaddressthemaintenanceofsecurityassessmentresultsandacomponent-oriented approachtosecurityassessmentingeneral.Themethodologyispresentedwithinthecontextof model-basedsecurityassessmentasdevelopedbytheEU-projectCORAS,withaprimaryfocuson maintenance.CORASaddressessecuritycriticalsystemsingeneralbutplacesanemphasisonIT security.AnITsystemtoCORASincludestechnology,theinteractionofhumansandtechnology,plus allrelevantorganizationalandsocietalfactorsthatsurroundtechnologyandhumaninteraction. Motivation Thequestionofwhatmotivatesanyindividualtoengageininformationsecuritybreachesisa topicofongoingdiscussion.Togainabetterunderstandingofmotivationalfactors,researchhas beenconducedusingattackerintent,objectives,andstrategies(AIOS)andsocialidentitytheory toaidintheexplanationofmotivationalfactors. TheabilitytomodelandinferAIOSmayadvancetheliteratureofriskassessment,harmprediction,andpredictiveorproactivecyberdefense.However,accordingtoLiuandZang(2003), existingAIOSinferencetechniquesareadhocandsystemorapplicationspecific.Theypresenta generalincentive-basedmethodtomodelAIOSandagametheoreticAIOSformalizationthatcan capturetheinherentinter-dependencybetweenAIOSanddefenderobjectivesandstrategiesinsuch awaythatAIOScanbeautomaticallyinferred.Theresultsoftheirworkfoundthattheconcept ofincentivescanunifyalargevarietyofattackerintents;theconceptofutilitiescanintegrate incentivesandcostinsuchawaythatattackerobjectivescanbepracticallymodeled. InastudyofWebdefacementsbyWoo,Kim,andDominick(2004),socialidentitytheorywas usedtotrytodeterminethemotivationalfactorsbehindWebdefacement.Thetheorysuggeststhat individualshaveaninnateandpowerfultendencytoorganizethemselvesintogroups.Theextent towhichpeopleassociatethemselveswithgroupsestablishestheirsocialidentities.Thegroups maybefoundeduponpolitical,religious,ethnic,orsocialconcerns.Theirfindingssuggestthat hackersaremembersofanextensivesocialnetworksthatareeagertodemonstratetheirreasonsfor hackingandoftenleavecallingcards,greetings,andtauntsonWebpages.While,approximately 30percentofWebdefacementshadsomepoliticalmotivewiththeremaining70percentbeing classifiedasaprank,theconcernisthatwhatbeginsasaprankmaybecomepoliticallymotivated andescalateintocyberterrorism. Audits Asecurityauditshouldbetreatedasanessentialmanagementfunction(DarkandPoftak,2004). Supportingthisargument,in2004Hale,Landry,andWoodproposedathree-stepsusceptibility audit designed to assist executive management develop a comprehensive information security strategy.Thestepsoftheauditare:valuinginformationassets,assessingthreats,andevaluating thecostofsecuringassets.Thesusceptibilityauditisthepointofdepartureforevaluatingan organization’svulnerabilitytocyberattack.Theendresultisapicturethatallowsmanagersto visualizetheirfirm’soverallinformationsecuritystatus,thenatureofitsvulnerability,thecosts ofpreventinglosses,andthepotentialfinancialimpactofthreatstothefirm. DIRECTIONSFORFUTURERESEARCHINRISKASSESSMENT Togainanunderstandingofthepresentstateofinformationsecurityriskassessmentandtoglean futureresearchtopics,theresultsoffiveinformationsecuritysurveyswerereviewed(CIOMaga-
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION107
zine,2003;Gordonetal.,2004;Ernst&Young,2003;KPMG,2002;PriceWaterhouseCoopers, 2004).Ingeneral,therearefivepossibleresearchareaspresentedinTable4.11andinthefollowingsections:educationandtraining;informationsecurityculture;reporting;aligninginformation securityandbusinessstrategy;andperceptions. Organizationsareinfluencedbyabroadspectrumoffactorsthatincludeopportunities,threats, and benefits when addressing information security.The very high level of importance survey respondentsassignedtoinformationsecurityisnotsupportedbytherelativelylowself-assessment amongrespondingorganizations.Virusesandwormsaretheleadinginformationsecurityconcerns andcontinuetogeneratethemostmediaandpublicattention.However,CIOsandotherITexecutivesareincreasinglyrecognizingthesignificanceofinternalthreatssuchasemployeemisconduct involvinginformationsystems(Ernst&Young,2003). Thethreattoinformationsecurityisseenasbeingexternalinthatvirusesandwormsarethe leadinginformationsecurityconcerns(Ernst&Young,2003;PriceWaterhouseCoopers,2004), whileinternalthreatsarebeingneglected.Forexample,wirelessnetworksarenotbeingcontrolled (PriceWaterhouseCoopers,2004).Also,organizationalcontrolofe-mailandWebbrowsinghas decreasedduetothenumberofnewusers(PriceWaterhouseCoopers,2004).Thenetresultofthis apparentinattentiontoallinformationsecuritythreatsisthatorganizationssuffereddowntimeof 8+hoursoverinformationsecurityincidents(CIOMagazine,2003). EducationandTraining Thegeneralfindingofonestudyindicatesthatcompaniesrespondedtonewandemergingthreats intheyearpriortothesurveywitheducationandcommunicationcampaigns,tightenedpolicies andproceduresforoverallsecurity,anddisasterrecoveryplans(CIOMagazine,2003).Thevast majorityoftheorganizationsviewsecurityawarenesstrainingasimportant;although(onaverage)respondentsfromallsectorsdonotbelievetheirorganizationinvestsenoughinthisarea (Gordonetal.,2004). Q: Whatisthesignificanceofanorganization’sinformationsecurityeducationandtraining program,toincludetimeallocated,fundsallocated,andpersonnelrequiredtoattend,inreducing thenumberandseriousnessofinformationsecurityabuseincidents? InformationSecurityCulture Thecultureofinformationsecuritywasnotedtobeone-dimensionalandreactiveinnature.Security initiativesarestilldriveninlargepartbyexternalfactorslikeregulationsandindustrypractices andnotfromariskassessmentperspective(CIOMagazine,2003;Ernst&Young,2003).Senior managementandboardsofdirectorsareundergreaterscrutinyforriskmanagementoversight. Yet,theoverallresponsesgatheredinthissurveyseemtosuggestthatmanyorganizationsare continuingtotakeapiecemealapproachtoinformationsecurity(Ernst&Young,2003).Despite thewidelyheldviewsabouthowcriticallyimportantriskassessmentis,only27percentofsurvey respondentsplaced“addressinginformationsecurityassessmentfindings”amongthetopthree influentialfactorswhentheirorganizationsconsideradoptingnewinformationsecuritysolutions (Ernst&Young,2003). Largecompaniessufferthegreatestnumberofsecurityincidents,butmanyorganizationswait untilanincidenthasoccurredbeforeputtingcountermeasuresinplace(PriceWaterhouseCoopers, 2004). Most respondents were pessimistic about the future for information security incidents
108 MATTORD AND WIANT Table4.11
ResearchAreasinRiskAssessment Area
Issue
Impact
Education Whatisthesignificanceof andtraining anorganization’sinformation securityeducationand trainingprogram?
Determinethedegreeofinfluencefroman organization’sinformationsecurityeducationand trainingprogram,toincludetimeallocated,funds allocated,andpersonnelrequiredtoattendinreducing thenumberandseriousnessofinformationsecurity abuseincidents.
Information Doestheapproachto informationsecurityaffect security informationsecurityabuse culture incidents?
Determinethedegreeofinfluenceaholisticand proactiveapproachtoinformationsecurityhasin anorganization’sabilitytoreducethenumberand seriousnessofinformationsecurityabuseincidents.
Doessecurityassessment reducethenumberand seriousnessofinformation securityabuseincidents?
Determinethedegreeofinfluenceofsecurity assessmentfindingswhenadoptingeffective informationsecuritysolutionsinreducingthenumber andseriousnessofinformationsecurityabuse incidents.
Doesself-assessmentreduce Determinethedegreeofinfluenceanorganization’s engaginginaninformationsecurityself-assessment informationsecurityabuse playsinreducingthenumberandseriousnessof incidents? informationsecurityabuseincidents.
Reporting
Doesalignmentofinformation securityspendingwithitskey businessobjectivesreduce thenumberandseriousness ofinformationsecurityabuse incidents?
Determinethedegreeofinfluencethatan organization’salignmentofitsinformationsecurity spendingwithitskeybusinessobjectiveshasin reducingthenumberandseriousnessofinformation securityabuseincidents.
Doeshavingformalized informationsecurityabuse incidentreportingaffect informationsecurityabuse incidents?
Determinethedegreeofinfluencethatanorganization havingformalizedinformationsecurityabuseincident reportingproceduresinplaceisabletoreducethe numberandseriousnessofinformationsecurityabuse incidents?
Doeshavingformalized procedurestomeasure andreportinformation securityperformanceaffect informationsecurityabuse incidents?
Determinethedegreeofinfluencethatanorganization achievesfromhavingformalizedproceduresto measureandreportinformationsecurityperformance onthenumberandseriousnessofinformationsecurity abuseincidents.
Howcanreportingof Identifymechanismsthatorganizationscanimplement intrusionstolawenforcement andincentivesthatmaybeadoptedtoencourage beincreased? reportingintrusionstolawenforcementwithout incurringnegativepublicityovertheincident. Doesmanagerarticulation Aligning information regardinginformationsecurity securityand affectinformationsecurity business abuseincidents? strategy
Towhatdegreedoesaninformationsecuritymanager beingabletoarticulatetherelevanceofinformation securityandinformationsecurityspendingtothe broad,overallbusinessstrategyreducethenumber andseriousnessofinformationsecurityabuse incidents?
Perceptions Doindividualandgroup perceptionsaffectthe implementationofinformation securityprograms?
Towhatdegreedoindividualandgroupperceptions concerningthenumberandseriousnessofinformation securityabuseincidentsaffecttheimplementationof aneffectiveinformationsecurityprogram?
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION109
(PriceWaterhouseCoopers,2004).However,barelyhalfsaytheyaligntheirspendingwellwith theirkeybusinessobjectives(Ernst&Young,2003). Q: Whatsignificancedoesaholisticandproactiveapproachtoinformationsecurityhave inanorganization’sabilitytoreducethenumberandseriousnessofinformationsecurityabuse incidents? Q: Whatisthesignificanceofaddressinginformationsecurityassessmentfindingswhen adoptingeffectiveinformationsecuritysolutionsinreducingthenumberandseriousnessofinformationsecurityabuseincidents? Q: Whatisthesignificanceofanorganization’sengaginginaninformationsecurityselfassessmentinreducingthenumberandseriousnessofinformationsecurityabuseincidents? Q: Whatisthesignificanceofanorganizationaligningitsinformationsecurityspending withitskeybusinessobjectivesinreducingthenumberandseriousnessofinformationsecurity abuseincidents? Reporting Thepercentageoforganizationsreportingcomputerintrusionstolawenforcementisonthedecline duetoconcernsovernegativepublicity(KPMG,2002).Only60percentofrespondentstothe samesurveyhaveanyformofsecurityviolationreporting(KPMG,2002).Whenaskedwhether theirorganizationmeasuresandreportsonsecurityperformance,only35percentofrespondents saidthattheydidsonow,andonlyafurther17percentsaidtheyplannedtointhefuture(KPMG, 2002). Q: Whatisthesignificanceofanorganizationhavingformalizedinformationsecurityabuse incidentreportingproceduresinplaceinreducingthenumberandseriousnessofinformation securityabuseincidents? Q: Whatisthesignificanceofanorganizationhavingformalizedprocedurestomeasureand reportinformationsecurityperformanceonthenumberandseriousnessofinformationsecurity abuseincidents? Q: Howcanorganizationsbeencouragedtoreportintrusionstolawenforcementwithout reapingnegativepublicityovertheincident? AligningInformationSecurityandBusinessStrategy Informationsecuritymanagersareharderpressedthanevertoformulateandpresentagoodbusinesscasebecauseoftheirinabilitytoexplaintherelevanceofinformationsecuritytothebroad, overallbusinessstrategy(Ernst&Young,2003). Q: Whatisthesignificanceofaninformationsecuritymanagerbeingabletoarticulatethe relevanceofinformationsecurityandinformationsecurityspendingtothebroad,overallbusiness strategyinreducingthenumberandseriousnessofinformationsecurityabuseincidents? Perceptions Manyorganizationsareoverconfidentinthemeasurestheyusetoprotectthemselves,withthe mostsuccessfulorganizationsadoptingalayeredsecurityapproachusingaseriesofoverlapping
110 MATTORD AND WIANT
controls(KPMG,2002).Ofthoseorganizationsthatsaidthattheystronglyagreedthattheywere reasonablyprotectedthefollowingfactsarepresented(KPMG,2002): • 10percentdonottesttheirsecuritymeasuresandthereforecannotknowifthesemeasures areeffectiveinpractice. • 52percenthavenoformofintrusiondetectionsystem. • 87percenthavesufferedsomeformofsecuritybreachthisyear,including: •61%fromvirusincidents, •28%formunwantede-mailintrusions, •15%fromdenialofserviceattacks, •13%fromlossofsoftware,and •12%fromwebsiteintrusion/hacking. Inaddition,mostorganizationscontinuetohavemajorgapsinriskcoverage,whiletheimpactof informationsecurityfailuresonmarketvaluehasgrownexponentially(Ernst&Young,2003). Q: Whatisthesignificanceofindividualandgroupperceptionsconcerningthenumberand seriousness of information security abuse incidents on implementing an effective information securityprogram? CONCLUSION Whilethereismuchworkremainingtobedoneintheareaofriskassessment,thecurrentprocessesofdiscoveringanddocumentingtheriskspresentinanenvironmentarewidelyknownand practiced.Partoftheduecareinoperatingmoderninformationsystemsrequiresasystematic approachtoriskassessment.Organizationscanchoosefromawidevarietyofmodelsforstructuringtheirefforts;wehavesummarizedabovethemostwidelyknownofthesemodels.Prominent amongtheseisThreat-Vulnerability-Asset(TVA)matrixthatwehavefeaturedabove.Byadding thedimensionofcontrols(orcountermeasures)tothemodel,amorecompleteriskmanagement processbecomesmoreavailable.Butthisprocessstilldoesnotprovideacompletemanagement solution.Organizationsneedcompleteriskmanagementprogramsthatincludeforexample,carefuldocumentationoftheriskmanagementprocesses. REFERENCES Alberts,C.,andDorofee,A.2003.ManagingInformationSecurityRisks:TheOCTAVEApproach.Boston: Addison-Wesley. Avolio,F.2000.Bestpracticesinnetworksecurity.NetworkComputing,5(April),60–66. BestPractices,LLC.2004.WhatIsBenchmarking?(availableatwww.best-in-class.com/site_tools/faq.htm, accessedonMarch20,2004). Boyce,J.,andJennings,D.2002.InformationAssurance:ManagingOrganizationsITSecurityRisks.Amsterdam:Butterworth&Hineman. Cavusoglu,H.;Mishra,B.;andRaghunathan,S.2004.AmodelforevaluatingITsecurityinvestments.CommunicationsoftheACM,47,7,87–92. CIOMagazine&PricewaterhouseCoopers.2003.WorldwideInformationSecurityStudy.Securitywithout theHype:It’sHardWork(availableatwww.cio.com/article/29841/The_State_of_Information_Security, accessedOctober27,2007). COBIT.2005.ControlObjectivesforInformationandRelatedTechnology(availableatwww.isaca.org/cobit. htm,accessedonJuly17,2005).
INFORMATIONSYSTEMRISKASSESSMENTANDDOCUMENTATION111 Dark,M.,andPoftak,A.2004.Howtoperformasecurityaudit.Technology&Learning,24,7,20–22. Ernst &Young. 2003. Global Information Security Survey (available at www.ey.com/global/download. nsf/UK%20/Survey_-_Global_Information_Security_03/$file/EY_GISS_%202004_EYG.pdf,accessed onJuly15,2005). Farahmand,F.;Navathe,S.B.;Sharp,G.P.;andEnslow,P.H.2003.Managingvulnerabilitiesofinformation systemstosecurityincidents.ACMICEC2003.Pittsburgh. Fung,P.;Kwok,L.;andLongley,D.2003.Electronicinformationsecuritydocumentation.Australasian InformationSecurityWorkshop2004(AISW2004).Dunedin,NewZealand. Gordon,L.,andLoeb,M.2002.Theeconomicsofinformationsecurityinvestment.ACMTransactionson InformationandSystemSecurity,5,4,438–457. Gordon,L.;Loeb,M.;Lucyshyn,W.;andRichardson,R.2004.2004CSI/FBIComputerCrimeandSecurity Survey. Greenberg,J.2002.Corporatepressrelease:McDonald’sCorporation—FirstWorldwideSocialResponsibility Report (available at www.mcdonalds.com/corporate/press/corporate/2002/04152002/index.html, accessedonApril15,2002). Hale,J.;Landry,T.;andWood,C.2004.Susceptibilityaudits:atoolforsafeguardinginformationassets. BusinessHorizons,47,3(May–June),59–66. Hamdi,M.,andBoudriga,N.2003.Algebraicspecificationofnetworksecurityriskmanagement.FMSE ’03.Washington,D.C. Huang,Y.;Huang,S.;Lin,T.;andTsai,C.(2003).Webapplicationsecurityassessmentbyfaultinjection andbehaviormonitoring.WWW2003.Budapest. Johnson,L.,andSchulte,J.2004.Jobsecurity:7stepsforHIPAAcompliance.HealthcareFinancialManagement,58,10(October),46. Josang,A.;Bradley,D.;andKnapskog,S.2004.Belief-basedriskanalysis.AustralasianInformationSecurity Workshop2004(AISW2004).Dunedin,NewZealand. KPMG2002.GlobalInformationSecuritySurvey(availableatwww.kpmg.com/microsite/informationsecurity/ isssurvey.html,accessedJuly15,2005). Liu,P.,andZang,W.2003.Incentive-basedmodelingandinferenceofattackerintent,objectives,andstrategies.Proc.ofthe10thACMComputerandCommunicationsSecurityConference(CCS’03).Washington, D.C.,October,pp.179–189. Lund, M.; den Braber, F.; and Stølen, K. 2003. Maintaining results from security assessments. Seventh EuropeanConferenceonSoftwareMaintenanceandReengineering(CSMR03).Benevento,Italy. Mercuri,R.2003.Analyzingsecuritycosts.CommunicationsoftheACM,46,6(June),15–18. NationalInstituteofStandardsandTechnology.2001.InformationSecurityManagement,CodeofPractice forInformationSecurityManagement.ISO/IEC17799. Peltier,T.2005.InformationSecurityRiskAnalysis,2nded.BocaRaton,FL:CRCPress. Peters,T.,andWaterman,R.1982.InSearchofExcellence:LessonsfromAmerica’sBestRunCompanies. NewYork:Harper&Row. PriceWaterhouseCoopers Ltd. 2004. Information Security Breaches Survey (available at www.pwc. com/extweb/pwcpublications.nsf/docid/C18B9A7D47B764ED802570BA0044D7C5,accessedJuly15, 2005). Schneier,B.2005.AttackTrees(availableatwww.schneier.com/paper-attacktrees-ddj-ft.html,accessedJuly 17,2005). Stoneburner,G.;Goguen,A.;andFeringa,A.2002.RiskManagementGuideforInformationTechnology Systems.SP800–30.NationalInstituteofStandardsandTechnology. Wang,H.,andWang,C.2003.Taxonomyofsecurityconsiderationsandsoftwarequality.Communications oftheACM,46,6(June),75–78. Whitman,M.2003.Enemyatthegates:threatstoinformationsecurity.CommunicationsoftheACM,46, 8,91–96. Whitman,M.,andMattord,H.2005.PrinciplesofInformationSecurity.Boston:CourseTechnology. Woo,H.;Kim,Y.;andDominick,J.2004.Hackers:militantsormerrypranksters?Acontentanalysisof defacedwebpages.MediaPsychology,6,63–82.
CHAPTER5
STRATEGICINFORMATION SECURITYRISKMANAGEMENT RICHARDL.BASKERVILLE
Abstract:Riskmanagemententailsmorethantraditionalriskanalysisorriskassessment.These traditionaltoolsarelimitedinfundamentalways,suchasthelackofreliablefrequencydataabout pastriskeventsandtherelativerarityofmanykindsofrisksthatmuststillbemanaged.Risk managementinvolvesfourtypesofrisktreatments:self-protection,risktransfer,self-insurance,and riskavoidance.Thischapterintroducesanapproachtoriskmanagementinwhichtherisksand risktreatmentsarestrategicallymanagedusingaportfolioapproach.Withaportfolioapproach, differentriskportfoliosaremanagedthroughaportfolioofrisktreatments. Keywords:InformationSecurity,ComputerSecurity,RiskAnalysis,RiskAssessment,RiskTreatment,Insurance,SecurityControl INTRODUCTION Riskanalysisisoneofthecentraltechniquesusedinmanaginginformationsystemsrisks.As partofariskassessmentprocess,riskanalysisprovidesthebasiccost-benefitjustificationforthe acquisitionofsecuritysafeguards.Itisawell-establishedtechniquewithalonghistory. Thelimitationsofriskanalysishavebeenwidelyrecognizedformanyyears.Forexample,its bestcharacteristiciscertainlynotitsaccuracyinpredictingprobabilitiesandlossesfromrecognizedthreats.Indeed,attemptstoimprovethesophisticationofthetechnique,forexamplewith Bayesianstatisticaloperations,canevencapsizeitsvalidity(Baskerville,1991a).Perhapsitsbest characteristicisitsabilitytocommunicatetogeneralmanagementtheexpertopinionsaboutan organization’sinformationriskprofileintermsofthreatsandsafeguards(Baskerville,1991b). Thereareatleasttwointractableproblemsthatlimittheeffectivenessofcommonriskanalysis practices:(1)thelackofreliableempiricaldataaboutthefrequencyandamountoflossesattributabletoinformationsecuritycompromises,and(2)therelativerarityofmanykindsofinformation securitycompromises. Reliableempiricaldatathatwouldbenecessaryforpropercalculationofriskanalysisprofiles areverydifficulttofindinpractice.Therearetwobasicreasonswhythesedataseemsounavailable.Thefirstisbecausemostorganizationsdonotcollectorretainsuchdata.Whenlossesdue tosecuritycompromisearise,thereoftenfollowsaperiodofratherchaoticactivitynecessaryto recoverfromthecompromise.Duringthisperiod,itisdifficulttojustifytheresourcesnecessaryto maintainadatabaseofexactlywhatthecompromiseiscosting.Theresourcesoftheorganization areoftentotallydedicatedtotherapidrestorationoffullbusinessprocessingcapability.Wheresuch dataarecollected,itisoftendoneafterthefactwithquestionablecompletenessandaccuracy. 112
STRATEGICINFORMATIONSECURITYRISKMANAGEMENT113
Thesecondbasicreasonwhythesedataareunavailableisbecauseoftheextremesensitivityand confidentialityattachedtothedata.Managementisoftenconcernedthatdisclosureofalargeloss duetoinadequatecomputersecuritypracticeswillnotonlybeembarrassingtotheorganization, butalsounderminethepublicconfidenceintheorganization.Thelossofsuchpublicconfidence canimpactthevalueoforganizationalsharesonthemarket,creatingpotentiallygreaterlosses fortheorganization’sownersthanweredirectlyattributabletothesecuritycompromise.Thereis verylittlemotiveforanyorganizationtodisclosedataaboutthecostsandfrequencyofinformationsecuritycompromises. Asecondintractableproblemininformationsecurityriskanalysisisrelatedtoboththefundamentalarithmeticassumptionsbeingmadeinprobabilitycalculationsandtherelativerarity ofeventsthatarebeingmeasured.Manysecuritycompromiseeventsare,bytheirverynature, intendedtobeunusualandverynearlyunique.Anexampleisinsiderfraud.Peopleveryoften realizedthattheperpetrationofacommonplacefraudismoreeasilydetectedbyorganizational authoritiesthanonethatisinventedtobeuniqueandunexpected.Thismeansthatanimportant sectionofthedatabeingusedinriskanalysiscomprisesdataaboutnonrandomevents. Probabilitycalculationsrepresentabranchofthearithmetictheoryofevidencethatdepends uponrandomeventsthatexhibitarandomlydistributedstatisticalcurve(Klir,St.Clair,andYuan, 1997).Asaresult,allprobabilityarithmeticisappropriateonlyforsecuritycompromiseeventsthat canbeconstruedtoberandomlydistributed.Currentexamplesofsucheventsincludeattacksby virusesandworms,websitedefacements,andotherrelativelyhighfrequency,randomlytargeted kindsofattacks.Wheretheattacksareuniquelytargeted,andofarelativelylowfrequency,probabilityarithmeticisaltogetherinvalid. Thesetwointractableproblemsmeanthatmostriskanalysistechniquesincommonusetoday havelittlerelevanceasafact-basedpredictionofthebenefitsofsecuritysafeguards.Theunderlyingdatadonotprovideanyrealmeasuresofactualevents.Thecalculationsappliedtothesedata arenotaltogetherlegitimate.Theresultsofthesecalculationsaretrustworthyonlytotheextent thatthedatausuallyrepresenttheinformedestimatesofexpertsininformationsecurity,andthe resultsofthecalculationsareusuallyreviewedbytheseexpertsinaholisticwayforreasonableness.Fromthisperspective,riskanalysisprovidesausefultechniqueforformulatingandcommunicatingtheopinionsofexperts. Anyway,itisnotaltogetherclearjusthowwidespreadistheuseofriskanalysisforinformation securitymanagement.Theserioususageofriskanalysistechniquesrequirescompoundcalculationsonafairlylargedatabaseofthreats,frequencydata,andlossdata.Thereareanumberof software-basedtoolsavailabletohelpmanagethecalculationsandthecomplexdatabase.Itappearsthatonlyabout25percentoforganizationsareusingthesevenmostcommonoftheserisk analysistools(Baskerville,2005).Thisevidencesuggeststhatmostorganizationsarenotusing riskanalysisforinformationsecuritydecisionsinanyrigorousway. Inthischapterwewillreviewacomprehensiveframeworkthatprovidesamoreexpansiveapproachtoriskmanagementthanthroughthestand-aloneuseofriskanalysis.Likeriskanalysis,this frameworkalsorecognizesthatthetwoessentialfeaturesoftherisklandscapearethefrequency andtheimpactofloss.However,thesefeaturesareusedtoconstructarisktreatmentframework ratherthandirectlyusedinthecalculationoflossexpectancies. RISKMANAGEMENT:FOURBASICTYPESOFTREATMENTS Figure5.1illustratesacommonriskmanagementframeworkconstructedfromthetwomajor dimensionsoforganizationalinformationrisk.Theverticaldimensionisrepresentedastheimpact
114 BASKERVILLE Figure5.1 RiskTreatmentsFramework
High Impact
L o w
Transfer (e.g. Insurance or Outsourcing)
Avoid
H i g h
F r e q u e n c y
F r e q u e n c y Self-Protection (e.g. Safeguards)
Self-Insure
Low Impact Source:AdaptedfromJonesandAshenden,2005.
ofinformationsecuritycompromiseintermsofthecostofloss,lossofreputation,lossofshareholdervalue,andsoon.Thisimpactisrepresentedonacasualscalerunningfromlittleimpact (bottom) to high impact (top).The horizontal dimension is represented as the frequency with whichinformationsecuritycompromisesoccur.Attheleftsideofthediagramorlow-frequency compromisesinthescalerunscasuallyfromlefttoright,withhigh-frequencycompromisesrepresentedontherightsideofthediagram. Each quadrant within the diagram represents one of the four combinations of impact and frequency.Inthelowerleft-handcorner,wewouldlocateinformationsecuritycompromisesthat occurwithlowfrequencyandlowimpact.Forsomeorganizations,anexamplemightbethesmall, relativelyrare,occurrencesofoutsidertheftofserviceinwhichanoutsiderbreaksintoaconsulting organization’sorganizationalnewsletterserviceinordertoaccesstheinformationwithoutpaying fortheservice.Thequadrantisrepresentedbyaboxdrawnwithasolidline.Theedgesofthebox areroundedtoindicatethatedgesofsuchcategoriesarenecessarilysoft. Intheupperleft-handquadrant,wewouldlocateinformationsecuritycompromisesthatoccur withlowfrequencyandhighimpact.Thesearerelativelyunusualoccurrencesofcompromises
STRATEGICINFORMATIONSECURITYRISKMANAGEMENT115
thatindividuallyrepresentlargelossestotheorganization.Forsomeorganizations,anexample mightbealarge-scaledenialofserviceattackonanessentialprocessingsystem.Suchanattack mightinterruptbusinessaltogether,therebycausinglargerevenuelosses.Theboxrepresenting thisquadrantisdrawnwithdashedlines. Intheupper-right-handquadrant,wewouldlocateinformationsecuritycompromisesthatoccur withhighfrequencyandhighimpact.Thesearerelativelycommonoccurrencesofcompromises thatindividuallyrepresentlargelossestotheorganization.Forsomeorganizations,anexample couldbeacompromiseinvolvingphishingspamintendedtogleanfromtheorganization’scustomerstheiraccountloginpasswordsinordertotransferfunds.Thisquadrantisrepresentedby aboxofdrawnwithdottedlines. Inthelower-right-handquadrant,wewouldlocateinformationsecuritycompromisesthatoccur withhighfrequencyandlowimpact.Thesearerelativelycommonoccurrencesofcompromisesthat individuallyrepresentonlysmalllossestotheorganization.Forsomeorganizations,anexample mightbecommoncomputervirusesthatinfectanindividualworkstation.Theboxrepresenting thisquadrantisdrawnwithlinesthatalternatebetweendottedanddashedlines. Thegeneralcategoriesoftypicalrisksolutionortreatmentsarerepresentedbylabelsineachof thequadrants.Forexample,itistypicaltotreatlow-impactlow-frequencyrisksbyself-insurance. Low-frequency,high-impactrisksareoftentreatedbytechniquesthattransfertherisktootherorganizations,forexamplethroughinsuranceoroutsourcing.High-frequency,high-impactrisksarethose thatareusuallyavoidedifatallpossible.Self-protection,forexample,throughtheuseofsecurity controlsonsafeguardsaretherisktreatmentusuallyappliedforhigh-frequency,low-impactrisks. Thefourarrowsinthediagramindicatethedegreetowhichthesecategoriesofrisktreatments inhabiteachquadrant.Forexample,themoreextremethehigh-impacthigh-frequencyrisks,the moreavoidancestrategiesareusedtotreattherisk.Itisalsoafeatureofthisdiagramthateach ofthequadrantsoverlapseachoftheotherquadrants.Thisoverlappingismeanttorepresentthat therisktreatmentsusedineachquadrantareavailableandfrequentlyusedincombinationwith treatmentsfromotherquadrants.Thisillustrateshowrisksthatoccupythemiddleofthediagram, thatis,risksthataremoderateinimpactandmoderateinfrequency,willinevitablybetreatedwith acombinationofallfourtypesofrisktreatments.Similarly,high-frequencymoderate-impactrisks willbetreatedwithacombinationofself-protectionandavoidance. Self-Protection Thebasicideabehindself-protectionisthattheorganizationimplementspracticesthatprevent risksinthiscategoryfromhavinganimpactontheorganization.Thiscategoryofrisktreatment representstheapproachtomanagingriskthatmostcommonlycomestomindwhenmanaging informationsecurity.Thesafeguardsemployedinthiscategoryarecommonlypreventativein nature.Itisinthiscategorythatinformationsecuritysafeguardsandcontrolswouldbeusedto providetheself-protection.Technologiessuchasintrusiondetection,firewalls,virusprotection software,andVPNs,representtheimplementationofrisktreatmentsinthisarea. RiskTransfer Asanalternativetoself-protection,risktransferinvolvesdistributingallorpartoftheimpactof certainrisksacrossmultipleorganizations.Thisisprobablythesecondmostcommoncategoryof risktreatmentthatcomesintomindwhenmanaginginformationsecurity.Mechanismsavailable toreduceriskinthiscategoryincludethepurchaseofinsuranceonthemarket,suchasbusiness
116 BASKERVILLE
interruptioninsurance,ortheuseofoutsourcingtotransferpartsoftheriskyinformationsystems tootherorganizations.Well-constructedoutsourcingcontractswillcontainclausesthatspecify responsibilitiesforsecurityperformanceandlosses.Suchspecificsmayincludeeitherrisksharing bybothpartiesorstraightforwardriskassignmenttotheoutsourcingvendor. Self-Insurance Itisamistaketoregardthiscategoryofrisktreatmentasa“do-nothing”option.Althoughthe risktreatmentmaynotinvolveeitherself-protection(safeguards,controls,etc.)orrisktransfer (insuranceoroutsourcing),itdoesinvolvevariousactiveformsofpreparedness.Themostcommonexampleisthemaintenanceofsavingsaccountstoprovidethefundsnecessarytorestore properoperationsaftertheoccurrenceofsomeinformationsecuritycompromise.Suchsavings accountsareaformofeconomicbufferonwhichtheorganizationcandrawintheeventofaloss. Thereareotherformsofbufferthatmightbecategorizedasself-insurance.Examplesinclude maintainingexcesscapacityininformationprocessinginordertopermitthesystemstooperateeffectivelyevenwhencompromisedandloadedwithunauthorizedprocessing.Manyrobust networkconfigurationswouldbecategorizedasself-insurance.Self-insurancemayalsoinclude somekindsofdetectivecontrolsthatenabletheorganizationtodiscovercompromisesquickly enoughtolimitthedamagetoaminimum. Avoidance Thiscategoryofrisktreatmentencompassesthebasicbusinessdecisionnottoengageincertain formsofinformationprocessingbecauseofthethreatofcompromisethatmightresultfrequently inhighlosses.Forexample,anorganizationmayregardaWeb-basedbusiness-to-consumeroperationasentirelytooriskybecauseofthehighfrequencyofintrusionattacksandhighpotential impactofsuchsuccessfulintrusions.Itmaychoosetoentirelyavoidgoingintobusinessinthis area,therebyavoidingtheriskentirely. Otherformsofavoidanceinvolverisktreatmentsthateffectivelymovetheriskfromtheavoidance quadrantintooneoftheotherquadrants.Acommonexampleisfoundinbusiness-to-consumerecommercesystemsthatconfronttheriskofhavingcustomercreditcarddatacompromisedthroughan intrusionintothecustomerdatabase.Intrusionattacksonconsumerwebsitesarefrequentandthelosses thatcanfollowdisclosureofbankinginformationcanbeveryhigh.Themostcommonrisktreatment inthisareaissimplytoavoidprocessingorretainingcustomercreditcarddata.Thisavoidanceis accomplishedbytransferringthetransactioninteractionfromtheconsumersitetoabankingservice forthefinalexecutionofcreditcardcharges.Theconsumersiteneverhasanyprocessingretention ofthecreditcarddata.Thisriskresidesentirelyatthebank.Inthiswaytheriskisavoidedentirely bynotengaginginthisformofcustomerdataprocessingandtransferringtheriskstothebank.This treatmenteffectivelymovestheriskfromtheavoidancequadranttothetransferquadrant. ROLEOFRISKANALYSISANDSECURITYSTANDARDS Theuseofarisktransferframework,suchasthatillustratedinFigure5.1,doesnotnecessarily eliminateeconomicriskanalysisfromthetoolboxofinformationsecuritymanagers.Costand benefitvaluationofrisktreatmentoptionswithintheframeworkmaybesensible.Forexample, riskanalysismightbeusedtodeterminevaluesandparametersforinsurancepolicies.Withinthe self-protectionquadrant,riskanalysismightbeusedtodeterminetheeconomicvalueofcertain
STRATEGICINFORMATIONSECURITYRISKMANAGEMENT117 Figure5.2 TheCOBITFramework
Business Objectives & IT Governance
Information
Control Objectives
Control Objectives
Planning & Organization
Monitoring
IT Resources
Control Objectives
Control Objectives
Delivery & Support
Acquisition & Implementation
Source:Adaptedfrom“COBIT—Overview,”2005.
safeguards.Inmorecomplexdecisions,riskanalysismightbeusedtodeterminetheoptimum levelofinvestmentsinsafeguardsversusinvestmentsininsurance. Similarly,theuseofarisktreatmentframeworkdoesnotnecessarilyeliminatetheneedfor informationsecuritystandardswithintheorganization.Indeed,informationsecuritystandards maybelegislatedbygovernmentordefinedasnecessarybyindustryorprofessionalguidelines. IntheUnitedStatesforexample,suchlegislationincludestheSarbanes-OxleyActof2002andthe HealthInsurancePortabilityandAccountabilityActof1996.Anexampleofanindustryguideline wouldbethePaymentCardIndustryDataSecurityStandard(PCI). InternalandexternalauditorsinvolvedinorganizationsthatneedtocomplywithsuchlegislationorguidelinesmayadoptsecuritystandardssuchasISO/IEC17799orCOBIT(COBIT,2005; ISO/IEC,2005).Asaresult,decisionstoadoptsuchexternalstandardsmaybecomprehensive. Standardssuchastheseprovideanencyclopedicinventoryofsafeguardsandcontrols.Thisinventoryisnecessaryinorderforthesecuritysafeguardstobecomprehensiveanduniversal.This kindofuniversalityrequiresthestandardstohaveasolidarchitecturalframework.Theoverall architectureofCOBIT,forexample,isillustratedinFigure5.2. Riskanalysisorstandardscanbeusedwithintherisktreatmentframeworkasdecisionaidshelping todetermineexactlywhichsafeguardsorcontrolswillbeusedwithintheframeworktotreatvarious risks.However,thesetwovehiclesrepresentdiametricallyopposedapproachestosuchadetermination.Riskanalysis,inaveryessentialway,operateswithadefaultdecisionnottoadoptanyparticular safeguardorcontrol.Inotherwords,theadoptionofasafeguardmustbejustifiedthroughriskanalysis.
118 BASKERVILLE Table5.1
RiskandTreatmentPortfolioLayout Portfoliocategory
Portfolioofrisks
Portfoliooftreatments
Lowfrequency,lowimpact
RiskOne RiskTwo RiskThree ... RiskOne RiskTwo RiskThree ... RiskOne RiskTwo RiskThree ... RiskOne RiskTwo RiskThree ...
Self-insuranceTreatmentOne Self-insuranceTreatmentTwo Self-insuranceTreatmentThree ... RiskTransferTreatmentOne RiskTransferTreatmentTwo RiskTransferTreatmentThree ... Self-ProtectionTreatmentOne Self-ProtectionTreatmentTwo Self-ProtectionTreatmentThree ... AvoidanceTreatmentOne AvoidanceTreatmentTwo AvoidanceTreatmentThree ...
Lowfrequency,highimpact
Highfrequency,lowimpact
Highfrequency,highimpact
Withoutafavorableriskanalysis,orindeedwithoutanyriskanalysisandall,thesafeguardwillnot beadopted.However,whenstandardsareused,thebasisofthedecisionistheexactopposite.Most standardsspecifyanencyclopedicinventoryofsafeguardsandcontrols.Thedecisionnottoadopt oneofthesafeguardsandcontrolsmustbejustifiedinthefaceofthestandard.Thedefaultdecisionis changedbystandards:nowthedefaultisadoptionofstandardsafeguards.Withoutsomeriskanalysis basisfordecidingnottofollowthestandard,everysafeguardwillbeadopted. PORTFOLIOSOFRISKSANDRISKTREATMENTS Therisktreatmentframework,togetherwithappropriateuseofriskanalysisandsecuritystandards,providesthebasisonwhichinformationsecuritymanagerscanformulatesoundriskstrategiesthatinclude themostappropriatetreatmentsforthevariousinformationsecuritythreatstheorganizationconfronts. Thebasicriskandrisktreatmentportfoliocanbeorganizedaccordingtotherisktreatment frameworkinFigure5.1.Variousorganizationalriskscanbecharacterizedaccordingtotheirgeneral impactandfrequency.Theportfolioofrisktreatments,includingsafeguardsforself-protection, risktransfer,andself-insurance,canbeequallyorganized.Inthisway,aportfolioarrangesthe differentkindsofinformationsecurityrisksfacedbytheorganization,andorganizesanappropriatecollectionoftreatmentsthatbalancetheportfolio(seeTable5.1). Fivebestpracticeshavebeenidentifiedasaprocessfordevelopingtherisktreatmentportfolio (Baskerville,2005): 1. Defineanoverallorganizationalriskmanagementstrategy.Suchastrategycanbeconstructedfromtherisktreatmentframeworkandincorporateprocessesforidentifying risksindevelopingrisktreatments.Theseprocessescanincludesecuritystandardsand riskanalysis,asdetailedbelow. 2. AdheretooneoftheprevalentITsecuritystandards.Thispracticeisusuallyagood
STRATEGICINFORMATIONSECURITYRISKMANAGEMENT119 Table5.2
OctaveMethod Phase1:Buildasset-basedthreatprofiles Process1:Identifyseniormanagementknowledge Process2:Identifyoperationalareaknowledge Process3:Identifystaffknowledge Process4:Createthreatprofiles Phase2:Identifyinfrastructurevulnerabilities Process5:Identifykeycomponents Process6:Evaluateselectedcomponents Phase3:Developsecuritystrategyandplans Process7:Conductriskanalysis Process8:Developprotectionstrategy
substituteforthedevelopmentofanoverallITsecurityarchitecturebecausesuchanarchitectureistypicallycodedintothestandard.However,adoptingsuchasecuritystandard shouldbedonewithcriticalconsiderationfortheencyclopedicnatureofthecontrols andsafeguardsinventory.Mechanisms,suchaseconomicriskanalysis,shouldbeconsideredthatpromotethebestpossibledecisionmakingwithregardtowhichsafeguards andcontrolsarenottobeadopted.Inthisway,thestandardandriskanalysisbecome adialecticinwhichsafeguardsandcontrolsareadoptedasaresultoftheinterplayand thetensionbetweentheuniversalinventoryofcontrolsandtheeconomicjustificationof eachcontrolthroughthecost-benefitoperationofriskanalysis. 3. Developanddeploysafeguardsandcontrolsthatprovidetheoptimalcombinationofrisk treatments.Thesewillincludecombinationsofsafeguardsthatcollectivelyprovideboth preventativeandrecoverymeasures.Suchmeasureswilloperateacrosstherisktreatment quadrants,includingself-insurance,self-protection,andtransfer. 4. Providesystemriskreviewmechanisms.Thesereviewsshouldbeformulatedsuchthat decisionscanbetakentocanceldevelopmentofriskysystems,orriskypartsofsystems, ortootherwiseoptoutofriskyinformationsystemcomponentsthatareunnecessaryto theorganization’smission. 5. Testallrisktreatments.Thecommontestingmechanisms,suchaspenetrationtesting, areimportant.However,testingandassurancepracticesshouldincludeallrisktreatment quadrants,includingself-insurance,self-protection,andtransfer. Thesefivepracticesprovideanoverallriskmanagementframeworkwithinwhichriskanalysis playsanappropriatefunction.Inthisframework,riskanalysisisnottheprimarymeansfordeterminingtheappropriatesafeguards,butratheritisatoolforfinetuningdecisionsaboutindividual treatmentsappropriateforthecategoriesofrisksandtreatments. Basicriskmanagementconceptsareinadequateasastand-aloneapproachtoITriskmanagement, althoughmanyexistinginformationsecuritymethodologiesadoptjustthisapproach.Inorderto becomeadequate,astrategicriskframeworkisneededthatadoptsaportfolioviewofrisktreatment strategies.Wherethesemethodologieshaveastrategicorientation,theiradoptionismadeeasier.For example,theOCTAVEapproach(describedinChapter4)hasthreemajorphasesinitsmethod(see Table5.2).IntheOCTAVEapproach,Process7,inphase3is“Conductriskanalysis”(Albertsand Dorofee,2001).Becausethemethoddoesagreatdealofresearchleadinguptothisanalysis,theuse ofastrategicrisktreatmentportfolioasacomponentinOCTAVEfitsquitewell.
120 BASKERVILLE Figure5.3 TheITILSecurityManagementProcess Customer
Minimum Security Baseline Requirements Feasibility Analysis
Initial Security Effort: Risk Analysis
Negotiate & Define SLA
Security Requirements
SLA Modify
IT Service Org. Negotiate & Define OLA Report
Monitor
Implement
OLA
Source:AdaptedfromWeil,2004.
Similarly,thestrategicriskframeworkintegrateswellintothebestpracticesdefinedbythe securitymanagementvolumeoftheITInfrastructureLibrary(ITIL).ThisalignmentisnotsurprisingsinceITIL,likethestrategicriskframework,isdevelopedwithbestpracticesasaguideand takesabusiness-strategyfocus(althoughITILisorientedtowardITservicedelivery).TheITIL securitymanagementapproachdevelopsfourkindsofproducts:policies,processes,procedures, andworkInstructions(Weil,2004).Thesecorrespondtoprocessesatthestrategic,tactical,and operationallevel.ThemethodfordevelopingtheseproductsisillustratedinFigure5.3. InthecaseofITIL,unlikeOCTAVE,theriskanalysisisconductedaspartofabaselinestudy ofsecurityrequirements.Theserequirementsmustthenbeanalyzedwitharequirementsfeasibility study.Suchfeasibilitystudiesareinherentlyeconomicinnature,andthismeansthattheeconomics ofrisktreatmentremainsakeypartofthedecisionmaking.Thefeasibilitystudythendrivesthe negotiationsforservice-levelagreementsandoperations-levelagreements.Afterimplementation ofthesecurityservices,thequalityandcost-effectivenessoftheservicesaremonitoredandused inmodifyingfurthersecurityrequirementsdefinitions.Again,theeconomicsfocusmeansthat therisktreatmentframeworkfitswellintotheITILapproach. FUTURERESEARCH Table5.3detailspossiblefutureresearchareas. DetailsonTable5.3,Issues1.1and1.2 Therearenopublishedinventoriesofsecuritysafeguardsorcontrolsthatarecategorizedbythe risktreatmenttype.EveryITriskmanagermustdecidewhichcontrolsfitwithineachriskcategory, andthendeterminewhetherornoteachcontrolshouldbeincludedinaparticularportfolio.Each
STRATEGICINFORMATIONSECURITYRISKMANAGEMENT121 Table5.3
FutureResearch Area
Issue
Impact
1.Securitysafeguards andcontrols
1.1Nopublishedinventoriesof securitysafeguardsorcontrols classifiedbyrisktreatmenttype
Everydesignermustinnovate controlsthatfiteachcategory
1.2Noclearinghousefornew kindsofsafeguardsandcontrols
Diffusionofsecuritycontrolsand safeguardsisinhibited
2.Successofrisk controlsandsafeguards
2.1Fitbetweensafeguardsand risksettings
Wedonotknowwhatorganizational characteristicsbestdefineideal settingsforcertainrisktreatments
3.Poorlyexplored categoriesoftreatments
3.1Whatarethestrategiesfor self-insurance?
Self-insuranceneedstobeelevated fromits“do-nothing”assumptions
managermust“reinventthewheel”intermsofdecidingthecharacterofthecontrolswiththe creationofeachriskportfolio.Intheprocess,managersmaydiscovernewkindsofsafeguards orcontrolsbythoughtfulsearchofthesolutionspacefordifferentcategoriesofrisktreatments. Extensiveresearchisneededtoprovideinventoriesofexistingandnewsafeguards,bothtechnical andmanagerial,thatfitinthedifferentrisktreatmentcategories.Suchinventorieswillmakethe jobofconstructingriskmanagementportfoliosmuchmorestraightforward. DetailsonTable5.3,Issue2.1 Thefitbetweentherisktreatmentinventoriesandtheorganizationneedsfurtherstudy.Whatare thecharacteristicsofdifferentkindsoforganizationsthatmakethemconducivetotheeffective useofdifferentkindsofrisktreatments?Abetterunderstandingofgeneralrelationshipsbetween organizationcharacteristics(size,industrysegment,leadershipstyle,etc.)willhelpriskmanagementstrategiststobemoreeffectiveinselectingITriskmanagementportfolios. DetailsonTable5.3,Issue3.1 Oneofthemostpoorlyunderstoodcategoriesofrisktreatmentisself-insurance.Therearemany differentwaysinwhichorganizationscanreducethefinancialimpactofariskoccurrenceaside fromdepositingreservemoneyintoasavingsaccount.Furtherstudyisneededtoexpandourunderstandingofthiscategory,andtoexploreandinnovatenewsafeguardsthatenactthiscategory ofrisktreatmentforfuturestrategicITriskmanagementportfolios. ThischapterhasexploredthewaysinwhichITriskmanagementcanmovebeyondthedirect activitiesofriskanalysisorriskassessment.Whilecommonlydiscussed,thesetraditionalrisk managementtoolsarelimitedinfundamentalways,makingthemdifficultinpractice.Beyond riskanalysis,operationalriskmanagementcanbeseentoinvolvefourtypesofrisktreatments: (1)self-protection,(2)risktransfer,(3)self-insurance,and(4)riskavoidance.Anexampleofan approachtoriskmanagementthatgoesbeyondriskanalysisandassessmentinvolvesmorestrategicmanagementwithaportfolioapproach.Suchaportfolioapproachmanagesdifferentrisk portfolioswithamatchingportfolioofrisktreatments.
122 BASKERVILLE
REFERENCES Alberts,C.,andDorofee,A.2001.OCTAVECriteria,version2.0,December.SoftwareEngineeringInstitute (availableatwww.sei.cmu.edu/publications/documents/01.reports/01tr016.html). Baskerville,R.1991a.Riskanalysisasasourceofprofessionalknowledge.Computers&Security,10,8, 749–764. Baskerville,R.1991b.Riskanalysis:aninterpretivefeasibilitytoolinjustifyinginformationsystemssecurity. EuropeanJournalofInformationSystems,1,2,121–130. Baskerville,R.2005.BestpracticesinITriskmanagement:buyingsafeguards,designingsecurityarchitecture,ormanaginginformationrisk?CutterBenchmarkReview,5,12,5–12. COBIT.2005.COBIT—Overview(availableatwww.isaca.org/cobit.htm,accessedonJanuary23,2005). ISO/IEC.2005.ISO/IEC17799:Informationtechnology—Securitytechniques—CodeofPracticeforInformationSecurityManagement.InternationalStandardNo.ISO/IEC17799:2005(E).Geneva:International StandardsOrganization. Jones,A.,andAshenden,D.2005.RiskManagementforComputerSecurity:ProtectingYourNetwork& InformationAssets.Oxford:Butterworth-Heinemann. Klir,G.J.;St.Clair,U.H.;andYuan,B.1997.FuzzySetTheory:FoundationsandApplications.UpperSaddle River,NJ:Prentice-Hall. Weil, Steven. 2004. How ITIL can improve information security. Security Focus (available at www. securityfocus.com/infocus/1815).
CHAPTER6
SECURITYPOLICY FromDesigntoMaintenance MICHAELE.WHITMAN
Abstract:Thedevelopmentofeffectiveinformationsecuritypolicyisessentialtoanyinformation securityprogram.Thelegalpitfallsassociatedwithineffectivepolicycanundermineeventhemost well-intentionedprocess.Thischapteroverviewsthedevelopmentofinformationsecuritypolicy: theinvestigation,analysis,design,implementation,andmaintenanceandchangeofthepolicy documents.Italsoexaminestherequirementsofeffectivepolicyinensuringthatthedeveloped policyisdistributed,read,understood,andagreedtobyemployees,anduniformlyappliedbythe organizationinordertostanduptoexternalscrutinyandpotentiallegalchallenge. Keywords:InformationSecurityPolicy,InformationSecurityPolicyDevelopment,Design,ImplementationofInformationSecurity INTRODUCTION Thischapteranalyzesthecomplexprocessassociatedwithdesigning,implementing,andsupportinginformationsecuritypolicy.Itisawell-documentedpointthatqualitysecurityprograms beginandendwithpolicy(FulfordandDoherty,2003;WhitmanandMattord,2005;Wood,2000). Information security is a function that is the responsibility of an organization’s management, supportedbythetechnicalstaffoftheorganization.Asinformationsecurityisprimarilyamanagementproblem,notatechnicalone,policyguidespersonneltofunctioninamannerthatwill assurethesecurityofanorganization’sinformationassets,ratherthantoactasathreattothose sameassets.Securitypoliciesareoneoftheleastexpensivecontrolstoexecute,butareamong themostdifficulttoproperlyimplement.Theyarethelowestcostinthattheyinvolveonlythe timeandeffortofthemanagementteamtocreate,approve,andcommunicatethem.Evenifthe managementteamdecidestohireanoutsideconsultanttoassistinthedevelopmentofpolicy,the costsareminimalcomparedtoalmostanytechnicalcontrols. Shapingpolicyisdifficultbecauseitmust:(1)neverconflictwithlaws;(2)standupincourt, ifchallenged;and(3)beproperlyadministered,includingthoroughdisseminationanddocumentationbypersonnelshowingtheyhaveread,understood,andagreedtothepolicies(Whitman andMattord,2005).Thischapterintroducestheconceptofthepolicydevelopmentlifecycle, demonstratingthestagesofdevelopmentfrombusinessneed,throughtheimplementationand maintenanceofpolicy. Thischapterbeginswithacleardefinitionofpoliciesandthenoverviewsthechallengesassoci123
124 WHITMAN
atedwithcreatingthem.Thechapterthenenumeratesthevarioustypesofpolicies,documenting thebestpracticesusedintheircreationandimplementation.Itcontinueswithanoverviewof workpublishedonthedevelopmentofpolicyandconcludeswithadiscussionofareasinwhich additionalresearchisneeded. INFORMATIONSECURITYPOLICY Theterm“securitypolicy”willvaryinmeaningdependingonthecontextofitsusage.Apolicyis “aplanorcourseofaction,asofagovernment,politicalparty,orbusiness,intendedtoinfluence anddeterminedecisions,actions,andothermatters”(Merriam-Webster,2002).Theconceptof securitypolicywithingovernmentalagenciesaddressesthesecurityofnationsandtheirdealings withforeignstates.Inthecontextofthischapter,securitypoliciesareestablishedrulesthatprovide guidanceintheprotectionofanorganization’sassets.Withintheorganization,policiesspecify acceptableandunacceptablebehavior,inessenceservingasorganizationallaws—dictatingto theemployeesoftheorganizationwhattheymayandmaynotsay,andhowtheymayormaynot act,withinthescopeoftheprofessionalassociationandwithinthecontextoftheorganizational culture.Similarindesignandimplementationtolaw,policyisformulatedbyanauthorizedentity, ratifiedintoanenforceablecode,madepublicknowledge,andenforcedwithclearpenaltiesand proceduresforviolations.Aninformationsecuritypolicyprovidesrulesfortheprotectionofthe informationassetsoftheorganization.Thepurposeofaninformationsecurityprogramisto“protect theconfidentiality,integrity,andavailabilityofinformationandinformationsystems,whetherin transition,storageorprocessingthroughtheapplicationofpolicy,educationandtrainingprograms, andtechnology”(WhitmanandMattord,2005).Informationhasconfidentialitywhendisclosure orexposuretounauthorizedindividualsorsystemsisprevented.Confidentialityensuresthatonly thosewiththerightsandprivilegestoaccessinformationareabletodoso.Informationhasintegritywhenitiswhole,complete,anduncorrupted.Theintegrityofinformationisthreatenedwhen theinformationisexposedtocorruption,damage,destruction,orotherdisruptionofitsauthentic state.Availabilityenablesauthorizedusers—personsorcomputersystems—toaccessinformation withoutinterferenceorobstruction,andtoreceiveitintherequiredformat. Policy’sroleinthisregardistheiterationoftheintentofmanagementintheprotectionanduse oforganizationalinformationassets.Policiesshouldbeconsideredlivingdocuments,meaningthat theywillrequireconstantmodificationandmaintenanceastheneedsoftheorganizationandthe environmentinwhichtheorganizationoperatesevolve.Policiesarewrittentosupportthemission, vision,andstrategicplanningofanorganization.Policiesshouldnotbeconfusedwithstandards, practices, procedures, or guidelines, although they are commonly combined in organizational documents.Standardsareeffectivelythemeasurementcriteriabywhichpolicycomplianceisassessed,andcarrythesamerequirementforcomplianceaspolicy.Practicesprovideexamplesof howtocomplywithpolicies,withproceduresprovidingdetailedstep-by-stepguidance.Guidelines providepracticaladviceonhowtoeffectivelycomplywithpolicy. Exactlyhowtheorganizationwillbeaffectedbyapolicyisinpartdictatedbythetypeofpolicyin question.Ingeneral,therearethreetypesorlevelsofinformationsecuritypolicy,eachwithaspecific focusandaudienceandeachwithaclearlydefinedpurpose.AsillustratedintheNationalInstitute ofStandardsandTechnology(NIST)SpecialPublication800–14(1996)andWhitmanandMattord (2005),thesetypesincludetheenterpriseinformationsecuritypolicy(EISP)orsecurityprogram policy;theissue-specificsecuritypolicy(ISSP),andthesystem-specificsecuritypolicy(SysSP). Thisthree-leveldelineationofpolicyisreflectedinotherstudies,includingBaskervilleandSiponen (2002)andAbramsandBailey(1995).Eachofthesetypesofpolicyisexaminedingreaterdetail.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE125
EnterpriseInformationSecurityPolicy TheEISPisalsoknownasthesecurityprogrampolicy,generalsecuritypolicy,ITsecuritypolicy, ormostsimply,informationsecuritypolicy.Thispolicysetsthestrategicdirection,scope,andtone forallsecurityeffortswithintheorganization.TheEISPisanexecutive-leveldocument,usually draftedby,orincooperationwith,thechiefinformationofficeroftheorganization.Thispolicyisa briefdocumentusuallyonlytwotofivepageslong.TheEISPisdesignedtoshapethephilosophy ofinformationsecurityintheorganization.TheEISPisbasedonanddirectlysupportsthemission, vision,andethicsoftheorganization.TheEISPservestoguidethedevelopment,implementation,andmanagementofthesecurityprogram,andtheprocessesusedtoassuresafeandsecure operationsoftheorganization’sinformationassets.Itcontainstherequirementstobemetbythe informationsecurityblueprintorframework,aswellasdefinesthepurpose,scope,constraints, andapplicabilityofthesecurityprogramintheorganization.Italsoassignsresponsibilitiesfor thevariousareasofsecurity,includingsystemsadministration,maintenanceoftheinformation securitypolicies,andthepracticesandresponsibilitiesoftheusers.Finally,itaddresseslegal compliance.TheEISPtypicallyaddressescomplianceintwoareas: 1)Generalcompliancetoensuremeetingtherequirementstoestablishaprogramandthe responsibilitiesassignedthereintovariousorganizationalcomponentsand2)theuseof specifiedpenaltiesanddisciplinaryaction.(NIST,1995) WhentheEISPhasbeendeveloped,thechiefinformationsecurityofficer(CISO)beginsformingthesecurityteamandinitiatesdevelopmentorreviewofaninstitutionalsecurityprogram. TheEISPisarelativelystabledocumentandusuallydoesnotrequirecontinuousmodification, unlessthereisachangeinthestrategicdirectionoftheorganization.Aperiodicupdatingofkey personnelandcontactinformationisusuallyallthatisrequired. AtypicalEISPwillcontainthesectionsshowninTable6.1.Thisframeworkissimilarin designtothemodelproposedbyForchtandAyers(2000),whichrecommendsthefollowing sections: A. Scope B. Definitions C. Responsibilities D. Riskprofile E. Corporaterequirements F. Othersecuritymeasures G. Disasterrecovery H. Internetsecurity I. Enforcement J. Policycoordinator Therelevantsectionsofthisframework,basedonanassessmentofexistingfederalandindustry recommendationforpolicystructure,sharecommonalitywiththepreviousframework,savefor sectionsonriskprofile,disasterrecovery,andInternetsecurity,whicharedeemedinappropriatefor thestrategicinformationsecuritypolicy(EISP)asthesetopicsaresodetailedastoprecludetheir inclusionexceptinverygeneralsummation.Thesesubjectsaremoreappropriateinsubordinate policiesspecificallycraftedfortheirownpurposes.
126 WHITMAN Table6.1
ComponentsoftheEISP Component
Description
Statementofpurpose
Answersthequestion,“Whatisthispolicyfor?”Providesa frameworkthathelpsthereaderunderstandtheintentofthe document.Canincludetextsuchasthefollowing: “Thisdocumentwill: Identifytheelementsofagoodsecuritypolicy Explaintheneedforinformationsecurity Specifythevariouscategoriesofinformationsecurity Identifytheinformationsecurityresponsibilitiesandroles Identifyappropriatelevelsofsecuritythroughstandardsand guidelines Thisdocumentestablishesanoverarchingsecuritypolicyand directionforourcompany.Individualdepartmentsareexpected toestablishstandards,guidelines,andoperatingproceduresthat adheretoandreferencethispolicywhileaddressingtheirspecific andindividualneeds.”(WUSTL,n.d.)
Informationtechnology securityelements
Definesinformationsecurity.Forexample: “Protectingtheconfidentiality,integrity,andavailabilityofinformation whileinprocessing,transmission,andstorage,throughtheuseof policy,educationandtraining,andtechnology...” Thissectioncanalsolayoutsecuritydefinitionsorphilosophiesto clarifythepolicy.
Needforinformation technologysecurity
Providesinformationontheimportanceofinformationsecurityinthe organizationandtheobligation(legalandethical)toprotectcritical informationwhetherregardingcustomers,employees,ormarkets.
Informationtechnology securityresponsibilities androles
Definestheorganizationalstructuredesignedtosupportinformation securitywithintheorganization.Identifiescategoriesofindividuals withresponsibilityforinformationsecurity(ITdepartment, management,users)andtheirinformationsecurityresponsibilities, includingmaintenanceofthisdocument.
Referencetoother informationtechnology standardsandguidelines
Listsotherstandardsthatinfluenceandareinfluencedbythispolicy document,perhapsincludingrelevantlaws(federalandstate)and otherpolicies.
Source:FromWhitmanandMattord,2004.ReprintedwithpermissionofCourseTechnology,adivision ofCengageLearning:permissions.cengage.com.Fax(800)730–2215.
Issue-SpecificSecurityPolicy(ISSP) Astheorganizationexecutesvarioustechnologiesandprocessestosupportroutineoperations, certainguidelinesareneededtoinstructemployeestousethesetechnologiesandprocessesproperly. Ingeneral,theISSP(1)addressesspecificareasoftechnologyaslistedbelow,andasaresult,is
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE127 Table6.2
Issue-SpecificPolicyStatement 1.Statementofpolicy Scopeandapplicability Definitionoftechnologyaddressed Responsibilities 2.Authorizedaccessandusageofequipment Useraccess Fairandresponsibleuse Protectionofprivacy 3.Prohibitedusageofequipment Disruptiveuseormisuse Criminaluse Offensiveorharassingmaterials Copyrighted,licensed,orotherintellectualproperty Otherrestrictions 4.Systemsmanagement Managementofstoredmaterials Employermonitoring Virusprotection Physicalsecurity Encryption 5.Violationsofpolicy Proceduresforreportingviolations Penaltiesforviolations 6.Policyreviewandmodification Scheduledreviewofpolicy Proceduresformodification 7.Limitationsofliability Statementsofliability Otherdisclaimers
Source:Whitman,Townsend,andAlberts,1999.Usedwithpermission.
closelylinkedtothattechnologyimplementationwithintheorganization,(2)requiresfrequent updates,and(3)containsastatementontheorganization’spositionregardingappropriateuseof thetechnology.SometimestheISSPmaybereferredtoasan“appropriateuse”ora“fairand responsibleuse”policy.AnISSPaddressesoneormoreofthefollowingtopics: • • • • • • • •
Electronicmail UseoftheInternetandWWW Specificminimumconfigurationsofcomputerstodefendagainstwormsandviruses Prohibitionsagainsthackingortestingorganizationsecuritycontrols Homeuseofcompany-ownedcomputerequipment Useofpersonalequipmentoncompanynetworks Useoftelecommunicationstechnologies(fax,phone) Useofphotocopyequipment
Table6.2presentsanoutlineofasampleISSP,whichcanbeusedasamodel.Whatmustbe addedaboveandbeyondthisstructurearethespecificdetailsdictatingwhatthesecurityprocedures areforindividualissuesnotcoveredbeyondthegeneralguidelines.
128 WHITMAN
Eachmajorcategorypresentedinthesampleissue-specificpolicyaboveisexplainedbelowin ordertoelaboratethecomponentsinvolvedineachsection.Whilethedetailsmayvaryfrompolicy topolicy,andsomesectionsofamodularpolicymaybecombined,itisessentialformanagement toaddresseachsectioninordertoformulateacompletepolicy. StatementofPolicy TheISSPshouldbeginwithaclearstatementofpurpose.Theintroductorysectionshouldoutline thescopeandapplicabilityofthepolicy,specificallynoting:Whatdoesthispolicyaddress?Who isresponsibleandaccountableforpolicyimplementation?Whattechnologiesandissuesdoesthe policydocumentaddress? AuthorizedAccessandUsageofEquipment Thissectionofthepolicystatementaddresseswhocanusethetechnologygovernedbythepolicy, andwhatitcanbeusedfor.Remember,inmostorganizations,especiallyprivatecompanies,the organization’sinformationsystemsaretheexclusivepropertyofanorganization,andusershave noparticularrightsofuse.Eachtechnologyandprocessisprovidedforbusinessoperations.Use foranyotherpurposeconstitutesmisuseofequipment.Thissectiondefines“fairandresponsible use”ofequipmentandotherorganizationalassetsandshouldalsoaddresskeylegalissues,such asprotectionofpersonalinformationandprivacy. ProhibitedUsageofEquipment Whilethepolicysectiondescribedimmediatelyabovedetailedwhattheissueortechnologycan beusedfor,thissectionoutlineswhatitcannotbeusedfor.Unlessaparticularuseisclearly prohibited,theorganizationcannotpenalizeitsemployees.Thefollowingactionscouldbeprohibited:personaluse,disruptiveuseormisuse,criminaluse,offensiveorharassingmaterials,and infringementofcopyrighted,licensed,orotherintellectualproperty. AppropriateUse TheISSPdocumentsnotedabove(“AuthorizeAccessandUsageofEquipment”and“Prohibited UsageofEquipment”)maybemoreefficientlypresentedunderasinglepolicythatcouldbetitled “AppropriateUsePolicy.”ManyorganizationsuseanISSPwiththatnametocoverthepolicy needsandissuesforbothsubjectareas. SystemsManagement TheremaybesomeoverlapbetweenanISSPandasystems-specificpolicy(SysSP),butthissectionofthepolicystatementfocusesontheusers’relationshiptosystemsmanagement.Specific rulesfrommanagementabouthowtousee-mailandotherelectronicdocumentsmayberequired toregulatetheuseofe-mail,thestorageofmaterials,authorizedemployermonitoring,andthe physicalandelectronicsecurityofthecontentsofe-mailandotherelectronicdocuments.Itis importantthatallresponsibilitiesbedelegatedtoeitherbetheuser’sorthesystemsadministrator’s accountability,otherwisebothpartiesmayinferthattheresponsibilityfortakinganactionbelongs totheotherparty.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE129
ViolationsofPolicy Onceguidelinesonequipmentusehavebeenoutlinedandresponsibilitieshavebeenassigned,the individualstowhomthepolicyappliesmustunderstandthepenaltiesandrepercussionsofviolatingthepolicy.Violationsofpolicyshouldcarryappropriatepenalties:donotimposethedeath penaltyforparkingviolations.Notonlyshouldthissectionofthepolicystatementcontainthe specificsofthepenaltiesforeachtypeorcategoryofviolation,itshouldalsoprovideinstructions onhowindividualsintheorganizationcanreportobservedorsuspectedviolations,eitheropenly oranonymously.Manyindividualsfeelthatpowerfulindividualsintheorganizationcoulddiscriminateagainst,singleout,orotherwisegetbackatsomeonewhoreportsviolations.Anonymous submissionsareoftentheonlywaytoconvinceindividualusers,especiallylower-levelemployees andlaystaff,toreporttheunauthorizedactivitiesofother,moreinfluentialemployees. PolicyReviewandModification Whenpoliciesareperceivedasout-of-date,theyarenottakenseriously.Therefore,eachpolicy shouldcontainproceduresandatimetableforperiodicreviewtovalidatethetimelinessofthe document.Astheneedsandtechnologieschangeinanorganization,somustthepoliciesthatgovern theiruse.Thissectionshouldcontainaspecificmethodologyforthereviewandmodificationof thepolicy,toensurethatusersdonotbegincircumventingitasitgrowsobsolete. LimitationsofLiability Thefinalsectionisageneralstatementofliabilityorsetofdisclaimers.Ifanindividualemployee iscaughtconductingillegalactivitieswithorganizationalequipmentorassets,managementdoes notwanttheorganizationheldliable.Sothepolicyshouldstatethatifemployeesviolateacompanypolicyoranylawusingcompanytechnologies,thecompanywillnotprotectthemandthe companyisnotliablefortheiractions.Itisinferredherethatsuchaviolationwouldbewithoutthe knowledgeoforauthorizationbytheorganization(Whitman,Townsend,andAalberts,1999). ThereareanumberofapproachestowardcreatingandmanagingISSPswithinanorganization. Threeofthemostcommonare: 1. CreateanumberofindependentISSPdocuments,eachtailoredtoaspecificissue 2. CreateasinglecomprehensiveISSPdocumentattemptingtocoverallissues 3. CreateamodularISSPdocumentthatunifiespolicycreationandadministration,while maintainingeachspecificissue’srequirements TheindividualpolicyapproachtocreatingandmanagingISSPstypicallyresultsinashotgun effect.Eachdepartmentresponsibleforaparticularapplicationoftechnologycreatesapolicy governingitsuse,management,andcontrol.ThisapproachtocreatingISSPsmayfailtocover allofthenecessaryissues,anditcansufferfrompoorpolicydistribution,management,and enforcement.Thecomprehensivepolicyapproachiscentrallymanagedandcontrolled.With formalproceduresforthemanagementofISSPsinplace,thecomprehensivepolicyapproach establishesguidelinesforoverallcoverageofnecessaryissuesandclearlyidentifiesprocesses for their dissemination, enforcement, and review. Usually, technology providers within the organizationthatcentrallymanagetheinformationtechnologyresourcesdevelopthesepolicies.Thisapproachmaybesufficientforsmallerorganizationsbutcanbecomeunwieldyfor
130 WHITMAN
medium-to-large organizations. The optimal balance between the individual ISSP and the comprehensiveISSPapproachesisthemodularapproach.Itisalsocentrallymanagedandcontrolled,butcustom-tailoredtotheindividualtechnologyissues.Themodularapproachprovides a balance between issue orientation and policy management. The policies created with this approachincludeindividualmodules,eachcreatedandupdatedbycapableindividualseachof whomisregardedasasubject-matterexpertandisresponsiblefortheissueaddressed.These individualsreporttoacentralpolicyadministrationgroupthatincorporatesissuespecificsinto anoverallcomprehensivepolicy. Systems-SpecificPolicy(SysSP) Whileissue-specificpoliciesareformalizedaswrittendocuments,distributedtousers,andagreed toinwriting,SysSParefrequentlypresentedashybriddocumentsthatcombinepolicyfactorswith thearticulationofasystemforstandardsandproceduresusedwhenconfiguringormaintaining systems.Anexampleofasystems-specificpolicyistheaccesscontrollistthatdefineswhichusers mayandmaynotaccessaparticularsystem,completewithlevelsofaccessforeachauthorized user.Systems-specificpoliciescanbeorganizedintotwogeneralgroups:managerialguidance SysSPs,andtechnicalguidanceSysSPs. ManagerialGuidanceSysSPs Forasystemsadministratortoproperlyconfigureapieceoftheorganization’sinformationsecurity technology,aspartofanactivesecurityposture,theadministratormustfirstreceiveclearguidance outliningtheorganization’sintentwithregardtothatimplementation.Forexample,beforeafirewall administratorrestrictsaccesstotheorganization’sintranetbyfilteringallexternalFTPconnectionrequests,heorshemusthavebeenadvisedbymanagementthatsuchanactionisneededand desired.Ifadministratorsarenotprovidedwiththisspecificguidance,thentheymaytakeitupon themselvestoconfigurethetechnologyaccordingtotheirownpersonalbeliefsandexperiences ratherthanasaresultoftruemanagerialguidance.Whiletheformatandstructureofthisdocument willvarywidelybetweenimplementations,thecommoncomponentsareasfollows. OverviewoftheScopeandPurposeoftheSysSP.Similartotheprevioussections,thissection providesthetoneandfocusforthisdocument. ManagerialandOrganizationalIntentoftheImplementationoftheTechnology.Focusingon thespecifictechnologyforwhichthepolicyisissued,thissectionenforcesthephilosophicalintent oftheorganization’sleadershipandaddressesthelogicandreasoningbehindthepolicy.Itisthis additionaljustificationthatprovidessupporttothesystemsadministratorwhenchallengedbyother managersandusers.Specificimplementationrequirementsintheformofpermitsanddenies: 1. Permitthefollowingactions:... 2. Denythefollowingactions:... This section specifically outlines the shoulds and should nots of the technology: what the technologyshouldandshouldnotallow.Thissectioncouldbewritteninthecontextofspecific technologiesorprotocols,asin“shouldallowSMTPorPOP3traffic,”oritcouldbeintermsof generalusage,asin“shouldallowalle-mailbasedcommunications.”
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE131
GuidanceforPermittingExceptions.Witheveryrulethereisinevitablycauseforexceptions. Intheeventthatauserrequestsanexceptiontoarule,theremustbeaprocedureinplacefor processing,reviewing,andapprovingordenyingsuchrequests.Thissectionspecifiesthewhat, what,when,andhowofsuchaprocedure. TechnicalGuidanceSysSPs ThesecondcategoryofSysSPsaddresssystemsconfigurationsbysystemsadministrators.These guidancesarefrequentlysystemsconfiguration,ratherthanprintedpolicies.Asafirewalladministratorconfiguresafirewall,theadministratorcreatesthistechnicalguidanceSysSP,justasa systemsadministratordoeswhensettingupuseraccounts.TechnicalguidanceSysSPscommonly fallintotwosub-categories:ACLsandconfigurationrules.Accesscontrollists(ACLs)consist oftheaccesscontrollists,matrices,andcapabilitytablesgoverningtherightsandprivilegesofa particularusertoaparticularsystem.Asindicatedearlier,anACLisalistofaccessrightsused byfilestoragesystems,objectbrokers,orothernetworkcommunicationsdevicestodetermine whichindividualsorgroupsmayaccessanobjectthatitcontrols.Asimilarlist,referredtoasa capabilitytable,isassociatedwithusersandgroupstospecifywhichsubjectsandobjectsauser orgroupcanaccess.Thesespecificationsarefrequentlycomplexmatrices,ratherthansimple listsortables.IngeneralACLsregulatethewho,what,when,where,andhowofaccess: • Whocanusethesystem • Whatauthorizeduserscanaccess • Whenauthorizeduserscanaccessthesystem • Whereauthorizeduserscanaccessthesystemfrom • Howauthorizeduserscanaccessthesystem Configurationrulescomprisethespecificconfigurationcodesenteredintosecuritysystemsto guidetheexecutionofthesystemwheninformationispassingthroughit.Rulepoliciesaremore specifictotheoperationofasystemthanACLs,andmayormaynotdealwithusersdirectly. Manysecuritysystemsrequirespecificconfigurationscriptstellingthesystemswhatactionsto performoneachsetofinformationtheyprocess. OtherreferencestodesigningsecuritypoliciescanbefoundintheworkofCharlesCresson Wood(2003),andthereferencesavailablethroughNISTsuchasSP800–12(1995)andtheFederal AgencySecurityPractices(FASP,n.d.). InformationSecurityPolicyDevelopment Designinginformationsecuritypolicyisfrequentlytheworkofasinglesecuritymanager,CISO, orsecurityadministrator.Thisisunfortunatebecausetheworkofanyindividualisunlikelytobe ascomprehensiveasitmightbeiftheinformationsecuritypoliciesweredevelopedbyateam representingthedisparateconstituenciesoftheorganization.Italsomaysufferifthesingle individualresponsibleforthedesignandmaintenanceofthepolicyleavestheorganization. Infact,thedevelopmentofaneffectivepolicycloselymirrorsthatofaninformationsystem, withclearinvestigation,analysis,design,implementation,andmaintenanceandchangephases. ThesephasesaresummarizedinTable6.3anddiscussedinadditionaldetailinthefollowing sections. Policydevelopmentbeginswithaninvestigationoftheproblemfacingtheorganization,con-
132 WHITMAN Table6.3
PhasesofthePolicyDevelopmentLifeCycle Phase
Action
Investigation
Anexaminationoftheeventorplanthatinitiatestheprocess.Includes thespecificationoftheobjectives,constraintsandscopeofthepolicy.
Analysis
Anassessmentoftheorganization,thestatusofcurrentpolicies,and theanticipatedperceptionofthosetowhomthepolicywillbeapplied.
Design
Theselectionofpolicycomponentsthatspecificallyaddresstheneeds oftheusersandoftheorganization,andcreation,review,andapproval ofdraftpolicy.
Implementation
Thedistribution,reading,understanding,agreementanduniform enforcementofpolicy.
Maintenanceandchange Thesupport,review,andmodificationofpolicyfortheremainderofits usefullifecycle.
tinueswithananalysisofcurrentorganizationalpracticesandextantpolicies,andthenproceeds intothelogicalandphysicaldesignphases.Inthedesignphases,draftsoftheproposedpolicyare createdandreviewedbytheappropriateauthorities.Next,intheimplementationphasepolicies arepublished,individualusersarebriefedonthepolicyandareprovidedtheappropriatesecurity awarenessandtrainingtoreinforcethepolicy.Finally,thepolicymovesintoitsmaturityphase, whereitismaintainedandmodifiedovertheremainderofitsoperationallife.Liketheinformationsystemsimplementation,thepolicydevelopmentlifecyclemayhavemultipleiterations,as overtimethecycleisrepeated.Onlythroughconstantexaminationandrenewalcananysystem, especiallyasecuritypolicy,beexpectedtoperformtostandardintheconstantlychangingenvironmentinwhichitisplaced. Investigation Thefirststepisthemostimportant.Whatistheproblemthepolicyisbeingdevelopedtoaddress? Theinvestigationphasebeginswithanexaminationoftheeventorplanthatinitiatestheprocess. Duringtheinvestigationphasetheobjectives,constraintsandscopeofthepolicyarespecified.Preliminarydiscussionswithkeymanagementofficialswillhelptoensurethepolicyisinfactbeing draftedtoresolvetheactualissueathand,andnotsimplyasymptomofanunderlyingproblem.If anorganizationisexperiencingaproblemwithemployeesdownloadingunauthorizedsoftware,will apolicyprohibitingthisresolvetheproblem,orcouldtheunderlyingproblembetheemployeesdo nothavethenecessarysoftwaretoaccomplishtheirtasks?Investigationsintothisproblemcould preventunnecessaryeffortinanunproductivedirection.Theinvestigationstagealsoinvolvesthe formulationofthepolicyteamasmentionedearlier.Beginningwiththechampion—theexecutive levelofficialwhowillsanctiontheworkofthepolicyteam,andmandateitsenforcement—ateam ofrepresentativesfromacrosstheorganizationatalllevelsisassembled.Itisimportantthatthis teamincludeusersaswellasmanagers,technicalaswellasadministrativestaff.Thisteamwill alsoincludekeyrepresentativesfromtheinformationsecuritycommunitiesofinterest—managerial representativesfromtheinformationsecurity,informationtechnology,andgeneralmanagement communities—whohavebeentaskedwithassistinginthedevelopmentandimplementationof
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE133 Table6.4
StagesofPolicyImplementation Phase
Action
Dissemination(distribution)
Deliveryofpolicyinhardcopyorelectronicformat,ensuringthe employeereceiveseachpolicydocument
Review(reading)
Ensuringtheindividualtowhomthepolicyappliescananddoes readthedocument,includingthoseliteracychallenged
Comprehension(understanding) Assessmentofemployeegraspofpolicycontentandmeaning Compliance(agreement)
Documentationofpoliciesagreementbyactoraffirmation, indicatingwillfulcompliance
Uniformenforcement
Organizationalenforcementofpolicyequallyandwithoutprejudice
informationsecurityingeneral.Attheendoftheinvestigationphase,theprojectmanager,most typicallytheCISO,orotherinformationsecuritymanagertaskedwiththeauthoringofthepolicy documentitself,shouldhavegainedabetterunderstandingoftheproblemathand,howthepolicy willfitintotheorganizationalculture,andthescopeandpurposeofthepolicy. Analysis Theanalysisphasebeginswithareviewoftheinformationlearnedduringtheinvestigationphase. Analysisconsistsprimarilyofanassessmentoftheorganization,thestatusofcurrentpolicies,andthe anticipatedperceptionofthosetowhomthepolicywillbeapplied.Thepurposeofthepolicyisfocused andrefinedandotherpoliciesarereviewedtoensurenounintentionaloverlapwilloccur.Thepolicy teamshouldalsoexaminecurrentlegislationtoensurenoconflictbetweenpolicyandlawisintroduced. Thisphaseendswiththedocumentationofthefindingsandafeasibilityanalysisupdate. Design Inthisphase,theinformationgainedfromtheanalysisphaseisusedtobegindraftingtheproposed policy.Inanypolicysolutionitisimperativethatthefirstanddrivingfactoristhebusinessneed. Then,basedonthebusinessneed,theteamselectspolicycomponentsthatspecificallyaddressthe needsoftheusersandoftheorganization,andcreatesadraftpolicy.Duringthedesignphase,the draftpolicyispresentedtovariousapprovalauthoritiesforreviewandcomment.Oncemanagementapprovesthepolicy,implementationcancommence. InformationSecurityPolicyImplementationandMaintenance Thedetailsoftheimplementationofpolicycaneithersupportorhindertheuseofthepolicyinthe organization.Theimplementationofapolicywillinvolvemultiplestagesandwillvarydepending onpolicytype.Ingeneral,policyisonlyenforceableifitisproperlyimplementedusingaprocess thatassuresrepeatableresultsandavoidslegalchallenges.Oneapproachknowntobeeffective istousethefollowingfivestages:dissemination(distribution),review(reading),comprehension (understanding),compliance(agreement),anduniformenforcement.Thesephasesareoverviewed inTable6.4,anddiscussedinsubsequentsections.
134 WHITMAN
DisseminationofInformationSecurityPolicy Thedisseminationordistributionofaninformationsecuritypolicy,whileseeminglyself-evident, canrequireasubstantialinvestmentbytheorganizationinordertobedoneeffectively.Some organizationspreferhard-copydistribution,inwhichaprintedcopyofthedocumentmustbe deliveredtotheindividualtowhomthepolicywillapply.Whilethemostcommondistribution ofpolicyisbymail(externalorinternal),thereisnoguaranteethattheindividualwillactually receivethedocument,unlessitisphysicallydeliveredwithproofofreceipt.Asmanyinformation securitypoliciesmaycontaininformationthattheorganizationdoesnotwantpubliclydisclosed, itmaybetotheorganization’sadvantagetolabelthedocumentusingadevelopedclassification scheme,andcontrolitsdissemination.Documentclassificationschemesvarydependingonthe organizationandtherelativesensitivityoftheinformationinquestion.“Asimpleschemecanallow anorganizationtoprotectitssensitiveinformationsuchasmarketingorresearchdata,personnel data,customerdata,andgeneralinternalcommunications,suchas: • Public:Forgeneralpublicdissemination,suchasanadvertisementorpressrelease. • Forofficialuseonly(FOUO):Notforpublicreleasebutnotparticularlysensitive,suchas internalcommunications. • Sensitive:Importantinformationthatcouldembarrasstheorganizationorcauselossofmarket shareifcompromised. • Classified:Essentialandconfidentialinformation,disclosureofwhichcouldseverelydamagedthewell-beingoftheorganization.(WhitmanandMattord,2004) Fororganizationspreferringelectronicdocumentdistribution,thereareanumberofoptions. Publicationviasecureintranetisacommonexample.Organizationswithsecureintranetscan electtostorethesedocumentsontheintranetinHTMLorPDFformat.Whilethissimplifiesthe distribution,itcancausedifficultiesinensuring100percentdistribution,withproofofreceipt. Analternatemethodtoensureeffectivedeliverywithreceiptandcomplianceisthroughelectronic policydistributionsoftware,asdescribedinalatersection.Thissoftwarecanbeusedtomanage theentireimplementationprocess,documentingeachstage,alongwithapproval,postinginformation,anduserreceipt,comprehension,andcompliance.Oncetheorganizationhasdocumented thedistributionofthepolicy,thenextstageisreadingorreviewofthepolicy. ReviewofInformationSecurityPolicy Astheuserreceivesthepolicy,whetherinhard-copyorelectronically,thenextstagetheorganization mustimplementtosupportenforcementisrevieworreading.Inthisstagetheorganizationmustensure theindividualtowhomthepolicyappliescananddoesreadthedocument.Thisreadingrequirement maybeafunctionofliteracyortechnology.Fromaliteracystandpoint,organizationsmayemploy individualswithoutfunctionalreadingskills.Manyjobsintheorganizationareopentothosewithpoor literacyskills,fromcustodialtoproductionline.Evenifindividualshavephysicalaccesstothepolicies, itisimportanttoensurethatallmembersoftheorganizationhavetheopportunityandabilitytoread policydocuments,evenifthismeansthatsomepolicieswillhavetobereadtotheindividuals. Thesecondchallengeinreviewalsopertainstoliteracy,butfromalanguagestandpoint.Asorganizationsincreasinglybecomemultinationalinscope,languagebarriersmayimpacttheabilityofindividualstoreviewthepolicy.Simpletranslationsofpolicymaynotresolvetheproblem,asthelanguage barriermayextendbeyondthesimplegrammarofthedocument.Languagebarriersininternational
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE135
communications(whilebeyondthescopeofthischapter)havelongcreatedchallengesinbusiness.For example,atranslationmiscueoccurredin1989whenNikeCorporationrananadvertisementshowing aSamburutribesmanspeakinginhisnativelanguageappearingtoechothecompanyslogan—“Justdo it.”Hereallysays“Idon’twantthese.Givemebigshoes”(Ricks,1993).Thusitbecomesimportant toenlisttheassistanceofappropriatelanguagespecialistswhenimplementingpoliciesthatapplyto individualsspeakinglanguagesotherthantheorganization’snativetongue. ComprehensionofInformationSecurityPolicy AstheChineseproverbstates,“Tellme,andIforget;showme,andIremember;letmedoandI understand”(Confucius,n.d.).Inthepolicycontext,thismeansthatsimplydistributingadocumentthatanindividualcanreadmayormaynotguaranteethattheindividualwillunderstandthe content.Whiletheresearchandstudyofhumancomprehensionisbeyondthescopeofthischapter, comprehensioncanbedefinedas“theabilitytograspthemeaningofmaterial.Thismaybeshown bytranslatingmaterialfromoneformtoanother(wordstonumbers),byinterpretingmaterial (explainingorsummarizing),andbyestimatingfuturetrends(predictingconsequencesoreffects). Theselearningoutcomesgoonestepbeyondthesimplerememberingofmaterial,andrepresent thelowestlevelofunderstanding”(Bloometal.,1964).InthiscontextofBloom’staxonomyof learning,comprehensionissynonymouswithunderstanding(ECSA,2003).Thusitisnecessary butnotsufficientfortheindividualstowhomthepolicyappliestobeabletograspthelanguage ofthepolicydocument.Itisequallyimportanttoensuretheycangraspitsmeaning. Thereareseveralwaystogaugecomprehension.Oneofthesimplestisassessmentthrough testing.Itwouldthereforebeintheorganization’sbestinteresttoevaluatetheabilityofanemployeetofullycomprehendthepolicybyquizzingtheemployeeonthepolicy’skeypoints.Next, thespecificsofcomprehensionaredeterminedbytheidentificationofatargetgoalcommensurate withcommonlyacceptedpractices—forexample,scoresof70percentorbetterindicatesuccessful completion.Justasthepolicydocumentcouldbehard-copyorelectronic,socouldthequiz.The importantpointisthatthepolicyisassessed. CompliancewithInformationSecurityPolicy Policiesmustbeagreedtobyactoraffirmation,indicatingwillfulcompliance.Agreementbyact occurswhentheemployeeperformsanactionthatindicatesacknowledgmentandunderstandingof thepolicypriortouseofatechnologyororganizationalresource.Networkbanners,end-userlicense agreements,andpostedwarningscanassistinmeetingthisburdenofproof.However,theseinand ofthemselvesmaynotbesufficient.Agreementbyaffirmationoccurswhentheemployeesignsa documentindicatingthatheorshehasread,understood,andwillcomplywithaspecificpolicy. Thedirectcollectionofasignatureortheequivalentdigitalalternativecanassisttheorganization inprovingthatithasobtainedanagreementtocomplywithpolicy.Thiscanbeaccomplishedby includingarenewalofpolicycomplianceduringthesigningofemployeecontracts.Thepolicy documentscanbeissuedtotheemployeewhenthecontractisupforrenewal,andemployment canbemadecontingentonagreement.However,inanemployment-at-willenvironment,where therearenoformalcontracts,oratleastnoannuallyrenewedcontracts,compulsoryagreement canbecomeanissue.Theorganizationmaybefacedwiththelastresortoptionofthreatening terminationordenialofuseforfailuretoagreetopolicy. Akeypartoftheinformationsecurityprogramisnewemployeeorientationoninformation securitypolicies.Duringanewhire’sin-briefings,securitytrainingandawarenessprogramsalso
136 WHITMAN
includeindoctrinationintotheorganization’sinformationsecurityculture.Newemployeesshould immediatelyreceivecopiesofexistingpoliciesandcompleteanynecessarycomprehensionand compliancemeasures,includingneedednondisclosureagreements(WhitmanandMattord,2004; Tursi,2003).Oncetheorganizationbeginsformalizingthedocumentationofcomplianceagreement,itmaybeabletousethesevaluestoreportthesefacts. Compliancemayalsobeassessedthroughthecollectionofdataonthenumbersofviolations ofpolicyorofdataonthenumberofincidentsdetectedorreportedtotheappropriateagency withintheorganization.Ifthenumberofproblemsassociatedwiththeuseofatechnologydecline considerablyafterapolicyhasbeenimplemented,thisfactcanassisttheorganizationindeterminingtheeffectivenessofthepolicy. UniformApplicationofInformationSecurityPolicy Enforceabilityofpolicyissimilartotheenforceabilityoflawinthatitmustwithstandtherigor ofexternalscrutiny.Ifanorganizationfailstoenforceapolicyequallyandwithoutprejudice,it maybeopeningitselftolitigation.Forinstance,ifanorganizationhasaclearpolicyrequiring namebadgestobeprominentlydisplayedanduppermanagementdecidesnottocomplywiththis policy,otheremployeesshouldnotbesanctionedfortheirnoncompliance.Iftheyareandthenare abletoproduceevidencethatthepolicywasnotuniformlyapplied,thentheorganizationmaynot onlybeheldliableforcompensatorydamagesbutpunitivedamagesaswell. Enlistingallemployeesintheenforcementofpolicycanhelpassuageconcernoveruniform applicationofpolicy.Inareal-worldexample,amanagerissuedanamebadgepolicy,butwithin twoweekswasseenviolatingthepolicyhimself.Anemployeespiedhimwalkingaroundarestrictedareawithouthisnamebadgebeingclearlydisplayed.Thecolleagueinjest,butwithan undertoneofsincerity,askedifthemanagerwereavisitor,sinceallemployeeswererequired bypolicytodisplaytheirnamebadges.Themanagerreachedintoajacketpocketandproduced thenamebadge,alongwitha$20bill,whichhepromptlygavetheemployeeasarewardforhis diligentenforcementofthepolicy.Withinweekstheentirestaffwasenergeticallychallenging anyandallindividualsinaccordancewiththenewlyimplementedpolicy. ThisconceptisreiteratedbyNosworthy(2000),whorecommendsseniormanagementshould “beseentobedoing”;thatis,supportingtheprogramandpolicybyovertcompliance.Thiscan providedirectmotivationtotherestoftheorganization,increasingnotonlythecompliancelevel butalsotheacceptanceofandattitudestowardthesecuritypolicy. In1990,EloffandBadenhorstexaminedtheroleofseniormanagementcommitmentinimplementinginformationsecurity(thenreferredtoascomputersecurity).Theirfindingsidentified managementcommitmentasakeysuccessfactorintheimplementationofsecurityingeneral. Theyalsofoundtheinversetobetrue,thatthelackofseniormanagerialsupporttobealeading causeoffailureintheimplementationofsecurity.Theirfindingsalsosuggestthatfailuresinthe implementationofinformationsecurityweredirectlylinkedtofailuresintheimplementationof securitypolicy,illustratingtheplightofthe“rudderlessship”analogy.EloffandBadenhorstproposedasecuritymethodology,verysimilartothepolicydevelopmentlifecycleillustratedhere, withsecuritypolicyconstitutingthesecondphaseintheprocess(EloffandBadenhorst,1990). MaintenanceandChange Inthepolicydevelopmentlifecycle,themaintenanceandchangephaseisthelongestandmost expansivephaseoftheprocess.Thisphaseconsistsofthetasksnecessarytosupportandmodifythe
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE137
policyfortheremainderofitsusefullifecycle.Eventhoughformaldevelopmentandimplementationmayconcludepriortothisphase,thelifecycleoftheprojectwillcontinueindefinitely,until suchtimeasitisdeterminedthattheprocessshouldbeginagainfromtheinvestigationphase.At periodicpoints,thepolicyisreexaminedforcompliance,andthefeasibilityofcontinuanceversus discontinuanceisevaluated;updatesandchangesaremanaged.Astheneedsoftheorganization change,thepoliciesthatsupporttheorganizationmustalsoadapttothechange.Itisimperative thatthosewhomanagethepolicies,aswellasthosetowhomtheyapply,continuallymonitorthe effectivenessofthepoliciesinrelationtotheorganization’senvironment.Whenitisdetermined thatacurrentpolicycannolongersupportthechangedmissionoftheorganization,thepolicyis broughtupfordramaticredevelopmentandanewpolicyisimplemented.Maintenanceofpolicy involvesfourkeyfunctions: • • • •
Supportforpolicy-violationsreporting Equitableadjudicationofviolations Periodicreviewandrevision Destructionofpolicydocuments
Eachoftheseisdiscussedinthefollowingsections. SupportforPolicy-ViolationsReporting.Asindicatedearlier,effectivepolicydocumentsshould containprovisionsbywhichemployeescanreportsuspectedviolationsofpolicy.Whetheranonymousornot,itisimportantthateveryuserbeemployedastheeyesandearsoftheorganization toserveasdetectionandearlywarningofpolicyviolations.Oncetheseemployeeshavedetected violations,theyshouldhaveameansofreportingthem.Someoptionstoconsiderinviolations reportinginclude: • • • • •
Anonymouse-mailforms, E-mailto[email protected], Anonymousphonereporting, Paperformdropboxes, Reportingproceduresthroughsupervisorychannels,amongothers.
Theadvantagesofanonymousreportingincludeanincreasedwillingnessforemployeesto reportviolationswithout“beinginvolved.”Mostemployeesdonotwanttobeinvolvedinconflict, andassuchmaynotbewillingtobecomeinvolvedinadispute.However,anonymousvenues,in whateverformatdesired,canincreasetheprobabilityofviolationsbeingreported.Disadvantages includetheincreasedprobabilityof“falsepositives”wheredisgruntledemployeescouldreport falseallegationsoraccusationsinanattemptto“geteven”withapeerorsupervisor.Supervisory channels,whileimportant,mayresultinsomeviolationsnotgettingreportedtotheproperauthorities.Supervisorsmayfeelthatthereportingofoneoftheiremployeeswouldreflectbadlyontheir managerialcompetence,andthusmayattempttoresolvetheissues“in-house.”Thismayormay notbeintheorganization’sbestinterest.Ataminimumitservestocompartmentalizeinformation andpreventsabetterassessmentofproblemsoccurringacrosstheorganization. EquitableAdjudicationofViolations.Asindicatedearlier,policiesmustbeapplieduniformly. Policies,inadditiontobeinguniformlyapplied,mustbeswiftandfair.Theorganizationmust preparefortheinevitabilityofdealingwithpolicyviolators.Someorganizationsmaychooseto
138 WHITMAN
allowtheimmediatesupervisordealwiththeproblems,whileothersmayprefertheexecutivelevelmanagerresponsibleforthedivisiontohandlethematter.Wherevertheorganizationchooses toplacetheresponsibilityfordealingwithpolicyviolators,theremustbeclear-cutpoliciesand methodsforprocessingpolicyviolators.Feworganizationsprefertrialscenarios,withwitnesses, testimony, and reasonable doubt, opting instead for summary judgments by a single manager withapredefinedsetofdiscretionarypenalties,whoonlyhastomeetareasonablepreponderanceofevidencecriteria.Organizationsmayopttoimplementanappealprocess,whethertothe nexthigherlevelofmanagementortosomecentralombudsman.Thereasoningbehindsucha complexprocessistoensurefairnessandequityintheprocessandreducearbitrarybehaviorin theorganization,sothatiftheaccusedemployeedecidestotransferthemattertocivilcourt,the organizationcandemonstratereasonableprocessandpolicy. PeriodicReviewandRevision.Policydocumentsinevitablylosetheirrelevanceandapplicabilitywithtime.Effectivepolicydocumentsshouldcontainprovisionsindicatingthereviewand revisionprocess.Policydocumentsshouldbereviewedatleastannually,andataminimumbyan individualknowledgeableinthepolicyprocessaswellastheinformationsecurityenvironment, suchastheCISOorotherseniorinformationsecuritymanager.Duringthereview,thedocument shouldbescrutinizedforpassagesandprovisionsthatdifferfromthecurrentoperationsofthe organization.Technologiesevolve,processesandmarketschange,andthepoliciesthatregulate employeebehaviormustchangewiththem.Aspolicyisrevised,itmustbereviewedbyacentral policycommitteetodetermineiftherevisionsareacceptabletotheorganization,andfinallyapprovedbyanappropriateauthority. DestructionofPolicyDocuments.Onceapolicyhasoutliveditsusefulness,andhasbeen supersededorretired,itisimportanttorequireproperdestructionofthesepotentiallycompromisingdocuments.Asaclassifieddocument,evenFOUOpoliciescannegativelyimpactthe organizationifobtainedbyacompromisingindividual.Assuchtheorganization’smanagement ofclassifieddocumentspolicyshouldspecifytheproperdestructionofthesedocuments.The organizationmaychoosetocombinethedistributionofthenewpolicywithacollectionprocess inwhichasecurityrepresentativecollectstheoutdatedpolicyasthatpersondistributesthenew policy.Someorganizationmaysimplywishtoadvisetheindividualtoproperlydestroytheold policies,throughshreddingorplacementinacentralcollectionpointforoutsourceddocument destruction. InformationSecurityPolicyReinforcement—SETAProgram Oneofthemostwidelyrecognizedmechanismsforinformingemployeesonpolicy,assessingcomprehension,andgatheringcomplianceagreementisthesecurityeducationtrainingandawareness program(SETA)(Nosworthy,2000;WhitmanandMattord,2004;WhitmanandMattord,2005). TheSETAprogramisdesignedtoinfluenceemployeebehaviorasacontrolbybetterpreparing employeestoperformtheirdutiesincompliancewith(ratherthaninignoranceof)securitypolicy andcontrols.Oneofthetopthreatstoinformationsecuritycomesfromactsofhumanerroror failure(Whitman,2003),andrepresentstheindividualuser’sinabilityto(a)performataskcorrectly,makingmistakesandthusputtinginformationatrisk,or(b)followpolicyandprocedures, thusconsciouslyandpossiblyintentionallyriskingthesecurityofinformation.Ineithercase, SETA programs can reinforce the organization’s policies (and penalties) for the protection of information.SETAprogramscanprovidetwomajorbenefits:
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE139
1. Theycanimproveemployeebehaviorthroughtheprovisionofpropermethodsofusing technologyandcomplyingwithpolicies,and 2. Theyenabletheorganizationtoholdemployeesaccountablefortheiractionsbyillustratinganddocumentingtheinstructionofproperproceduresandorganizationalpolicies, thusnegatingthedefenseofignorancebytheemployee(WhitmanandMattord,2004). Nosworthy(2000)iteratestheneedforinformationsecurityeducationandtrainingprogramsas amethodofcommunicatingtheprogram“tothepeople”aswellastobusinessandITmanagers. SheadvocatestheuseofaSETAlifecycletomanagetheSETAprocess,usingstepsincluding (1)definingobjectives;(2)identifyingrequirements;(3)identifyingtrainingsources;(4)definingtheinformationsecuritymanagementeducationandtrainingprogram;(5)implementingthe program;and(6)monitoringandtestingtheeffectivesoftheprogram.Thisapproachissimilar totheonediscussedinlatersections. Accountabilityisakeyfacetofinformationsecurity.Itisimportant,however,thatemployees recognizethenecessityofaccountability,notasapunitivemeasure,butasapreventativeone. Usingaccountabilitytoprotecttheviabilityoftheorganizationisessentialtoensuringitwillhave sustainableoperations,unimpededbynegligenceormisconduct.Afailuretomaintainaccountabilitycanresultintheorganizationsufferingunrecoverablefinancialoroperationallosses,and thusaterminationoffunction. SETAprogramconsistofthreefunctionsdesignedtoincreasesecurity: • Bybuildingin-depthknowledge,asneeded,todesign,implement,oroperatesecurityprogramsfororganizationsandsystems • Bydevelopingskillsandknowledgesothatcomputeruserscanperformtheirjobswhile usingITsystemsmoresecurely • Byimprovingawarenessoftheneedtoprotectsystemresources(NIST,1995). INFORMATIONSECURITYEDUCATION Security educationconsists of those actions taken to provide formaleducation in information securityforinformationsecurityprofessionals,ITprofessionals,orotherswithformalinformationsecurityresponsibilities.Assecurityeducationisbestlefttotheeducationalinstitutions,the detailsofhowtoimplementasecurityeducationprogramisnotdiscussedinthischapter.For organizationsseekinginstitutionsqualifiedtoprovidesecurityeducation,resourcesthatdescribe informationsecuritytrainingprogramsincludetheNISTtrainingandeducationsiteathttp://csrc. nist.gov/ATE/training_&_education.html, theVirginiaAlliance for Security Computing and Networking (VA SCAN) at www.vascan.org/training.html, and the National SecurityAgency (NSA)–identifiedCentersofAcademicExcellenceinInformationAssuranceEducation(CAEIAE) atwww.nsa.gov/isso/programs/nietp/newspg1.htm. InformationSecurityTraining Securitytraininginvolvesprovidingmembersoftheorganizationwithdetailedinformationand hands-oninstructiontoenablethemtoperformtheirdutiessecurely.Managementofinformation securitycanchoosewhetheritwilldevelopcustomizedin-housetrainingoroutsourceallorpartof thetrainingprogram.Anumberoftrainingoptionsareavailable,rangingfromformaloutsourced trainingthroughnationalorganizationslikeISC2(www.isc2.org)andSANS(www.sans.org)and
140 WHITMAN
throughlocaltrainingagencies.Organizationmayalsoselecttoconducttrainingin-houseusing existingstaffastrainers.Thesetrainersmayborrowfromestablisheddocumentslikethosefound attheComputerSecurityResourceCenteratNIST(csrc.nist.gov),ortheCommitteeonNational SecuritySystems’library(www.cnss.org).Ausefuldocumentforinformationsecuritypractitioners andthosedevelopingtrainingprogramsisNISTSP800–16.Thismanualdescribestrainingwithan emphasis“ontrainingcriteriaorstandards,ratherthanonspecificcurriculaorcontent.Thetraining criteriaareestablishedaccordingtotrainees’role(s)withintheirorganizations,andaremeasuredby theiron-the-jobperformance.Thisemphasisonrolesandresults,ratherthanonfixedcontent,gives theTrainingRequirementsflexibility,adaptability,andlongevity”(Wilsonetal.,1998). Forfederalagencies,suchtrainingismandatory.TheComputerSecurityActof1987requires federalagenciestoprovidemandatoryperiodictrainingincomputersecurityawarenessandacceptedcomputerpracticestoallemployeesinvolvedwiththemanagement,use,oroperationof theircomputersystems.Otherfederalrequirementsforcomputersecuritytrainingarecontained inOMBCircularA-130,AppendixIII,andOPMregulations.Trainingismosteffectivewhenit isdesignedforaspecificcategoryofusers,thatis,general,managerial,andtechnical.Themore closelythetrainingisdesignedtomatchthespecificneedsoftheusers,themoreeffectiveitis,as incustomizingtrainingbasedontechnicalbackgroundorlevelsofproficiency.Trainingincludes teachingusersnotonlywhattheyshouldorshouldnotdo,butalsohowtheyshoulddoit(Whitman andMattord,2004).AccordingtoWood(2004),manyorganizationsuseadecentralizedapproach toinformationsecuritytraining,receivingpiecemealtrainingfromconstituentdepartments. InformationSecurityAwareness Ofextremeimportanceintheprocessofimplementinginformationsecuritypolicyistheneed tokeepthepoliciesfreshintheemployees’minds.Whiletheemployeesmaybemindfulofthe policieswhentheyarefirstimplemented,eventuallytheday-to-dayoperationsoftheorganizationwillcausetheemployeestobecomelessattentivetothepoliciesunlesstheyareconstantly reinforced.Thisreinforcementcomesintheformofinformationsecurityawareness.Employee awarenessisrecognizedasoneofthegreatestchallengesinimplementingsecurityingeneral (Ernst&Young,2001;Siponen,2000). AsnotedintheNISTdocumentSP800–12,securityawarenessprograms:“(1)setthestagefor trainingbychangingorganizationalattitudestorealizetheimportanceofsecurityandtheadverse consequencesofitsfailure;and(2)remindusersoftheprocedurestobefollowed”(NIST,1995). Thesecurityawarenessprogramservestoconstantlyremindtheemployeesoftheirresponsibilities intheareaofinformationsecurity.AccordingtoWhitmanandMattord(2005),“Whendeveloping anawarenessprogram,therearecertainimportantideastokeepinmind: • • • • • • • •
Focusonpeoplebothaspartoftheproblemandaspartofthesolution. Refrainfromusingtechnicaljargon;speakthelanguagetheusersunderstand. Useeveryavailablevenuetoaccessallusers. Defineatleastonekeylearningobjective,stateitclearly,andprovidesufficientdetailand coveragetoreinforcethelearningofit. Keepthingslight;refrainfrom“preaching”tousers. Don’toverloadtheuserswithtoomuchdetailortoogreatavolumeofinformation. Helpusersunderstandtheirrolesininformationsecurityandhowabreachinthatsecurity canaffecttheirjobs. Takeadvantageofin-housecommunicationsmediatodelivermessages.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE141
• Maketheawarenessprogramformal;plananddocumentallactions. • Providegoodinformationearly,ratherthanperfectinformationlate.” AsSusanHansche(2001)indicatedinherarticle“DesigningaSecurityAwarenessProgram,” goodsecurityawarenessprogramsshouldbe“supportedandledbyexamplefrommanagement, simpleandstraightforward,acontinuouseffort.Theyshouldrepeatimportantmessagestoensure theygetdelivered.Theyshouldbeentertaining,holdingtheusers’interestandhumorouswhere appropriateinordertomakesloganseasytoremember.Theyshouldtellemployeeswhatthedangersare(threats)andhowtheycanhelpprotecttheinformationvitaltotheirjobs.”Hanschealso notesthatawarenessprogramsshouldfocusontopicsthattheemployeescanrelateto,including “threatstophysicalassetsandstoredinformation,threatstoopennetworkenvironments,[and] federalandstatelawstheyarerequiredtofollow,includingcopyrightviolationsorprivacyact information.Itcanalsoincludespecificorganizationordepartmentpoliciesandinformationon howtoidentifyandprotectsensitiveorclassifiedinformation,aswellashowtostore,label,and transportinformation.Thisawarenessinformationshouldalsoaddresswhotheyshouldreport securityincidentsto,whetherrealorsuspect”(Hansche,2001). Thepurposeofsecurityawarenessandsecuritytrainingistomodifyemployeebehaviorso thattheindividualperformsaccordingtoorganizationalstandards.Thesestandardsaredesigned toensureaharmoniousandproductiveworkenvironment.Bypreparingemployeestoproperly handleinformation,useapplications,andoperatewithintheorganization,theorganizationcan minimizetheriskofaccidentalcompromise,damage,ordestructionofinformation.Bymaking employees aware of, and constantly reinforcing awareness of, threats to information security, thepotentialdamagethatcanresultfromthesethreats,andwaysthatthesethreatscanoccur, theorganizationcanreducethechancethattheindividualswillnottakesuchthreatsseriously. Bymakingemployeesawareofpolicy,thepenaltiesforfailuretocomplywithpolicy,andthe mechanismbywhichpolicyviolationsarediscovered,theorganizationcanreducetheprobability thatanemployeewilltrytogetawaywithintentionalmisuseandabuseofinformation. Effectivetrainingandawarenessprogramsalsomakeemployeesaccountablefortheiractions. Demonstratingduecareandduediligencebywarningemployeesthatmisconduct,abuse,and misuseofinformationresourceswillnotbetoleratedandthattheorganizationwillnotdefend employeeswhoengageinthisbehavior,canhelpindemnifytheinstitutionagainstlawsuits.Under thelegalconceptof“deeppockets,”lawyerstendtopreferlegalactionagainstorganizationsand employerswhotypicallyhavegreaterassetsthanindividualemployees.Theywillattempttoprove thattheallegedconductwasnotclearlyprohibitedbyorganizationalpolicy,therebymakingthe organizationliableforit. AwarenessTechniques.TheNISTSP800–12alsodescribestheessentialsofdevelopingeffective awarenesstechniques:“Awarenesscantakeondifferentformsforparticularaudiences.Appropriateawarenessformanagementofficialsmightstressmanagement’spivotalroleinestablishing organizationalattitudestowardsecurity.Appropriateawarenessforothergroups,suchassystem programmersorinformationanalysts,shouldaddresstheneedforsecurityasitrelatestotheirjob. Intoday’ssystemsenvironment,almosteveryoneinanorganizationmayhaveaccesstosystem resourcesandthereforemayhavethepotentialtocauseharm”(NIST,1995). Informationsecurityawarenessprogramscanusemultipletechniquestodelivertheinformation securitymessage.Thesetechniquesincludetheuseofnewsletters,posters,bulletinboards,flyers, presentations,computer-basedtrainingvideos,andahostofotheroptions.Awarenessprograms canbeintegratedintotrainingprograms,whereemployeesreceivetrainingonnewapplications ormethodsandarethenremindedofthereasonstheproperuseoftheseareessential.Unless
142 WHITMAN
constantlyreinforced,employeescan“tune-out”theinformationsecuritymessage,andforthis reasonpostersandbulletinboardsshouldbechangedfrequently,newslettersrevised,andnew methodstoreinforcethesecuritymessageconstantlyreviewed(NIST,1995). Thecostsofdevelopinginformationsecurityawarenessprogramsisrelativelynegligible,savefor thecostsofacquiringtrinkets.Ifpurchasedexternallyoroutsourced,informationsecurityawareness programscanbequiteexpensive,withprofessionallydevelopednewsletterscostingthousandsof dollarsannually.However,withaminimalinvestmentintime,aWeb-basedintranetinformation securitynewsletter,highlightingupcomingsecurityevents,describingcurrentthreatstotheorganization,andprovidingremindersofcontactinformationininformationsecurity,canbedevelopedand implementedeffectively.Similarly,posters,bulletinboards(physicalorelectronic),andflyerscan bedevelopedanddistributedatlowcost,toserveasconstantandchangingremindersofthethreats toinformationsecurityandthemethodsemployeescanadopttocombatthesethreats. SuccessofInformationSecurityTrainingandAwareness FulfordandDoherty(2003)examinedtheapplicationofinformationsecuritypoliciesinlargeUKbasedorganizations,finding76percentofrespondentsindicatingthepresenceofadocumented informationsecuritypolicy,with43percentofrespondentsdisseminatingthesepoliciesthrough a staff handbook and 60 percent through an intranet (multiple responses possible). Employee awarenesstrainingwasusedtoreinforcethesepoliciesinmanyotherorganizations. TheannualCSI/FBIstudyexaminedtheuseofsecurityawarenessintheorganization:“First, respondentswereaskedtoratethedegreetowhichtheyagreedwiththestatement,‘Myorganization investstheappropriateamountonsecurityawareness.’...Onaverage,respondentsfromallsectors donotbelievethattheirorganizationinvestsenoughinsecurityawareness.Surveyparticipantswere alsoaskedtoratetheimportanceofsecurityawarenesstrainingtotheirorganizationsineachof severalareas.Forfiveoftheeightsecurityareaslisted,theaverageratingindicatedthattrainingfor [securityawareness]wasveryimportant”(Gordonetal.,2004).Inthisreportawarenessforinformationsecuritypolicyrankedthehighestat70percent(cryptography—28%,investigationandlegal issues—43%,securitysystemsarchitecture—48%,economicaspectsofcomputersecurity—51%, securitymanagement—63%,accesscontrolforms—64%,networksecurity—70%). InformationSecurityPolicyAutomation Electronicpolicydistributionsoftwareprovidesacontrolledmechanismtofacilitatethedistribution ofandcompliancewithapolicy.Thesoftwarefrequentlyallowsanindividualpolicycreatorto draftpolicy,submitittoamanagementrepresentativeforreviewandapproval,andthenpostthe policyinauserarea,whereuseraccess,comprehension,andcompliancecanbemeasured.Atypicalpolicymanagementtoolwouldprovidetheusingorganizationwiththefollowingsupport: • • • • • • • •
Facilitatethecreationofinformationsecuritypolicy. Facilitatethereviewandapprovalofinformationsecuritypolicy. Facilitatethepublicationofpolicy. Facilitatethecreationofquizzesonpolicycontenttogaugecomprehension. Documentuseraccesstopolicy. Documentuseracceptanceofpolicy(compliance). Documentuserperformanceonpolicycomprehensionquizzes. Trackpolicyrevisiondatesandremindpolicyadministratorswhenupdatesarescheduled.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE143
There are a number of products available that can assist in this process, such asVigilEnt Policy Center (VPC) from NetIQ (www.netiq.com/products/vpc/default.asp#).VPC provides twokeyfunctions:adesignfacilitytosupportthecreation,review,andapprovalofpoliciesand comprehensionquizzesandadistributioncenterforthepublication,evaluation,andcompliance ofpoliciesandtheirsupportingquizzes.Thekeybenefitsthatcanemergefromusingautomated policysoftwareincludetheabilityto: • • • • • •
Developbestpracticespoliciesmorequickly Centralizeinformation Improvepolicyenforcement Streamlinepolicycreationprocesses Improvepolicydistribution Provideacompletesolution(NetIQ,2005).
PreviousResearchinInformationSecurityPolicy Informationsecuritypolicyisanunderdevelopedfield,withlittleresearchdedicatedtotheexaminationofpolicy(FulfordandDoherty,2003).Asnotedbymanyauthors,effectiveinformation securitymanagementispredicatedoneffectivepolicy(HoneandElof,2002;FulfordandDoherty, 2003;Whitman,2003;amongothers),whichformsthebasisfortheentiresecurityprogram.Many articlesoninformationsecuritycallforsecuritypolicyasarecognizedmeanstoprovidesafeguards toinformationassets(seeHofferandStraub,1989;StraubandNance,1990;Whitman,2003). Theproblemisthateveninorganizationswithinformationsecuritypolicies,thedegreeof successineffectivedesignandthedegreeofcomplianceoftenmakethemerepresenceofpolicy anineffectivecontrol(MouleandGiavara,1995).Asstatedearlier,however,withoutpolicy,securitywouldbeimplementedatthewilloftheadministratorandwouldlackclearobjectivesand responsibilities(Higgens,1999;FulfordandDoherty,2003). In1990,BergeronandBérubéstudiedthepresenceandperceptionsofend-userpolicies,includingmicrocomputersecuritypolicy.Thisstudyaskedtwoquestions:(1)Whatpoliciesarein forceinorganization?and(2)Areenduserssatisfiedwiththesepolicies?Theirfindingsindicated thatonly68percentoforganizationshadformulatedmicrocomputersecuritypolicies(whichfall underthecategoryofISSPs).Theyalsoidentifiedaninverserelationshipbetweenthenumber ofpoliciesingeneralandtheoverallsatisfactionoftheendusers.Aspartoftheirfindings,they makethefollowingrecommendationsfortheformulationofpolicies: 1. Allpoliciesmustcontributetothegrowthoftheorganization; 2. Ensuretheadequatesharingofresponsibility;and 3. Endusersshouldbeinvolvedwiththeformulationofmicrocomputerpolicies. They also found that there can be an inverse relationship between the number of policies implementedandthesatisfactionoftheusers,withexcessivepoliciesperceivedasanincreased impositionuponthedutiesoftheusers.Theauthorsdoemphasize,however,thatsomepolicies arenecessaryfortheeffectiveprotectionofinformation(BergeronandBérubé,1990).Thisstudy representsoneoftheearliestexaminationsofcomputersecuritypoliciesinorganizations. Thelargestchallengesinthedesignofsecuritypolicylieinthewillingnessofmanagementto formallyendorseinformationsecuritypolicies,andintheorganization’sdiligenceinreviewingand updatingthem.Inordertoeffectivelydesignsecuritypolicy,theorganizationshouldbeginwith
144 WHITMAN Table6.5
FactorsAffectingtheSuccessofInformationSecurityPolicy Visiblecommitmentfrommanagement Agoodunderstandingofsecurityrisks DistributionofguidanceonITsecuritypolicytoallemployees Agoodunderstandingofsecurityrequirements Effectivemarketingofsecuritytoallemployees Providingappropriateemployeetrainingandeducation Ensuringsecuritypolicyreflectsbusinessobjectives Anapproachtoimplementingsecuritythatisconsistentwiththeorganizationalculture Comprehensivemeasurementsystemforevaluatingperformanceinsecuritymanagement Provisionoffeedbacksystemforsuggestingpolicyimprovements
(4.60) (4.48) (4.36) (4.35) (4.26) (4.26) (4.11) (3.93) (3.56) (3.52)
Source:AdaptedfromFulfordandDoherty,2003. Note:FactorsrankedfrommosttoleastimportanttothesuccessfulimplementationofITsecuritypolicy, valuesindicatedinparenthesisona5-pointscale.
“(1)gatheringkeymaterials,(2)definingtheframeworkforthepolicies,(3)preparea‘coverage matrix’layingoutthetopicstobecoveredineachdocument,andthencreatethepoliciesinsuch awayastobalancethetradeoffsbetweencostsandsecurity,betweenflexibilityandsecurityand ease-of-useandsecurity”(Wood,1995). ImprovingtheEffectivenessofInformationSecurityPolicyDevelopment In2003,FulfordandDohertyidentifiedtenfactorsthataffectedthesuccessofinformationsecurity policy.ThesearepresentedinTable6.5. Thetopitem,visiblecommitmentfrommanagement,isechoedinotherrecommendations: Kabay(1996)identifiedfiveproceduresintheestablishmentofsecuritypolicy:(1)toassessand persuadetopmanagement;(2)toanalyzeinformationsecurityrequirements;(3)toformanddraft apolicy;(4)toimplementthepolicy;and(5)tomaintainthepolicy.Kabaylikensthismethod toasecuritypolicylifecycle(Kabay,1996).Thissameapproachisrepresentedinanothermethodologyknownas PFIRES(policyframeworkforinterpretingriskine-businesssecurity)(Rees,Bandyopadhyay, andSpafford,2003).ThePFIRESmodelwasalsodesignedasaframeworkfordesigningand implementinginformationsecuritypolicy.Themodelusesafour-phaselifecycletoassess,plan, deliver,andoperatemoreasariskassessmentandimplementationmodel,withclearinformation securitypolicydevelopmentandassessmentactivities. NetIQ’sAdrianDuigan(2003)offers“10stepstoasuccessfulsecuritypolicy”fromanautomatedpolicymanagementvendor’sperspective: 1. 2. 3. 4. 5. 6.
Identifyyourrisks. Learnfromotherswhendevelopingpolicy. Makesurethepolicyconformstolegalrequirements. Levelofsecurityequalslevelofrisk. Includestaffinpolicydevelopment. Trainyouremployeesonthepolicy.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE145
7. 8. 9. 10.
Getitinwriting(employeesread,signedandunderstoodthepolicy). Setclearpenaltiesandenforcethem. Updateyourstaffonchangesinpolicy. Installthetoolsyouneedtoenforceinformationsecuritypolicies.
FulfordandDoherty(2003)identifiedseveralfactorsdeterminedtoaffectthesuccessofinformationsecuritypolicy,providedinTable6.5.Theyconcludedthat“althoughsecuritypolicies appearwidelyimplemented,thereislittlecommonalityintermsofthescopeofsuchpolicies” (FulfordandDoherty,2003).HoneandEloff(2002)concur,addingthatevenrenownstandards forinformationsecurityfailtospecifythespecificsofwhatshouldbecontainedinaneffective informationsecuritypolicy. LichtensteinandSwatman(1997)intheirstudyofInternetacceptableusagepoliciesfound that“inadequaciesinguidelinesandpoliciesincluded:highlygeneralsubpolicieswhicharenever madespecific;ambiguity;theomissionofreferencetoanyunderlyingcorporateInternetstrategy; andadhoc,limitedidentificationoftheInternetrisksfacedbytheorganization.”Smith’s(1993) examinationofpolicies’effectinmeetingexpectationswithrespecttousersofpersonalinformationfoundthatpolicywascommonlydevelopedinresponsetosomeexternalthreat—thatis, negativepublicityorlegislativescrutiny—andasaresulttendedtoserveasareactionratherthana proactivestrategy.Thisresponsewasmostcommonlyaseniorexecutivelevelaction,andfocused mostonimmediateprotectionagainstnegativesituations,ratherthanthelong-termprotectionof informationandprivacy. PolicyShouldBeTailoredtotheUser In his work on “Building Effective, Tailored, Information Security Policy,” Pescatore (1997) advises:“Thegoalistoinfluencebehavior;youneedtoenable,notjusttodenybehaviorasusers canroutearoundcontrolsalltooeasily.Securitypolicyshouldfocusonthebusinessneedsby understandingthefollowingquestions.Whatdatawillbehandled?Howcanthatdatabeaccessed? Whatisyourorganization’sparanoialevel?Whatcontrolsarerequiredonthatdata?”Pescatore alsostates,“Securitypolicyneedstomatchtheriskacceptanceprofileofanorganization:for instance,identifyingtherealisticthreats,understandingthelevelofvisibilityoftheorganization, understandingtheconsequencesofanincidentandidentifyingthelevelofrisksensitivityofthe organizationtothecostsofanincident(bothtangibleandintangible)”(Pescatore,1997).When writingsecuritypolicy,onemustmatchthepolicytotheorganization’sculture,useseveralsources fortemplates,involvelegal,HR,andpublicaffairs,andattempttoissuethepolicyfromashighin theorganizationaspossible.Lindup(1995)foundseveralsimilaritiesbetweenthedevelopment ofpolicyinorganizationsandthedevelopmentoftreatiesingovernment,furtherparallelingthe preferredmodelfordevelopingpoliciesasadecentralizedmethod,similartothatofafederation ofstates. Steinke(1997)proposesthat“securitypolicybasedonuser’sneedtoknowandneedtodo shouldbespecifiedonthebasisofauser’stasks.”Heappliesataskmodelingapproachindefining agroupsecuritymodel,designedtorestrictauser’saccesstoinformationonthis“needtoknow basis”butrequiresthattheselectionoftheinformationthattheuserdoesneedtoknowmustbe effectivelybasedonananalysisofthetaskstheuserisexpectedtoperformintheobservance ofhisorherduties.Thistypeofpolicyisrepresentativeoftheconfigurationrulesofasystemsspecificsecuritypolicy,andillustratestheneedforpolicytoguideIT’simplementationofsecurity configurationsinsystems,basedonanadministrativeassessmentoftheuser’stasks.
146 WHITMAN
Asmentionedearlier,oneoftheearliestexamplesofrecommendationsfortheuseofpolicy toreinforcepositiveemployeebehaviorandreducetherisksassociatedwithcomputerfraudand abuseisHofferandStraub(1989).Inthispaper,theauthorsconcludethat“certainactionseffectivelydetercomputerabuse...[specifically] • Establishingadataandsystemssecurityorganization • Communicatingclearlythatappropriatepenaltieswillbeimposedonabusers • Definingandcommunicatingtoallpersonnel,usingawidevarietyofmeans,whattheorganizationconsidersimproperbehavior;and • Using security software packages and making users aware that these mechanisms are in place.” Theauthorsalsorecommendformulatingasecurityadministrativefunctionincluding: • Developingaplanforsecurityanddisasterrecovery. • Developinganddistributingsystemguidelines. • Conducting regular orientation programs that communicate policies and penalties for violations. • Classifyinginformation,programsandallvitalrecords. • Designing/selectingandimplementationsoftwarepackagesformonitoringandpreventing abuses. • Constantlymonitoringtheeffectivenessofsecuritypolicies,procedures,softwareandtraining.(HofferandStraub,1989) SecurityPolicyFrameworks Whendesigningsecuritypolicy,itishelpfultohaveestablishedframeworkstoprovideablueprint. Theoutlinesprovidedearlierwerebasedonananalysisofhundredsofsecuritypoliciesofvarious typesaswellastheworksrepresentedintheNISTSP800–12(1995),RFC2196(Fraser,1997) andothers,suchasForchtandAyers(2000)andWhitman(2003). BaskervilleandSiponen(2002)proposeaninformationsecuritymeta-policyseekingtoprovide guidanceforemergentorganizations.Thepurposeoftheirmeta-policyisto“controlpolicymaking: howpoliciesarecreated,implementedandenforced.”BaskervilleandSiponenrecommendtheuse ofthismeta-policyto“specifyprocessesbywhichpolicymakerswilldetermineandspecifyhow policiesaretobeimplemented.”Whileimplementationwillbeorganizationallyspecific,theuse ofthispolicydevelopmentandimplementationguidancecanfacilitytheeffectiveimplementation ofpolicies.Themeta-policyapproachincludesthefollowingsecuritypolicyfeatures: • Policyrequirements—Identificationandclassificationofsecuritysubjectsandobjects. • Designprocesses—Creationofpolicyandsub-policyhierarchy,adjustingthelevelsofabstractionandenforcementneeded. • Implementationspecifications. • Testingrequirements(BaskervilleandSiponen2002). Itistheauthors’intentthatthismeta-policystructureserveasaframeworkforsubsequent research,recommending,forexample,theempiricalevaluationandusabilityoftheframework. Severalstudieshaveindicatedthatmanyorganizationshaveimplementedinformationsecu-
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE147
ritypolicies(FulfordandDoherty,2003;Whitman,2003;DTI,2002;Andersen,2001;Ernst& Young,2001;amongothers).Whatthesestudiesdonotreportisthetypeofpoliciesinvolved,the effectivenessindesignofthesepolicies,andthedegreeofcompliancewiththepolicies(Moule andGiavara,1995;HoneandEloff,2002;Whitman,2003).Thuswhilemanyorganizationsmay indicatepolicyimplementation,thesepoliciesmaybeineffectiveinprovidingguidanceforinformationsecurityprograms.Interestingly,intheAndersen(2001)study,therewasadiscrepancy betweenthereportedlevelofpolicyimplementationbybusinessmanagers(82percent)andIT managers(66percent),indicatingalackofcommunicationaboutpolicy.Thestudiescitedabove doalludetoatrend,withareportedincreaseinthenumbersoforganizationsreportinghaving securitypolicies,from65percentintheAndersen(2001)to76percentinFulfordandDoherty (2003).Howeverotherstudies,likeWhitmanandMattord(2004),findtheuseofsecuritypolicy consistentlyreportedatapproximately63percent.Thedifferencesinthesestudiescouldbeattributedtoquestionnairewording,subjectaudience,orrespondentbias. AreasforFutureResearchinInformationSecurityPolicy Thereareahostoftopicsyettobeexploredininformationsecuritypolicydesignresearch.The firstandforemostisanopenexaminationofthecriticalsuccessfactorsinthedesignofeffective securitypolicy.TheCSFapproachwasfirstdefinedbyRockart(1982),andlaterredefinedby BoyntonandZmud(1984)asinvolving“thosefewthingsthatmustgowelltoensuresuccessfor amanageroranorganization,and,therefore,theyrepresentthosemanagerialorenterpriseareas, thatmustbegivenspecialandcontinualattentiontobringabouthighperformance.”Thisapproach, originallydevelopedforanenterpriseperspective,canbeadaptedtoassesscriticalfactorsforthe implementationofthekeyareasofpolicy,asdescribed. Thechallengesinthistypeofstudybeginwiththedefinitionofeffectivesecuritypolicy.The hostofpossiblefactorsthatcoulddefineandinfluencethedevelopmentofinformationsecurity policyarealsoundefined.Whilesocietalfactorsidentifiedinstudiesdescribedabovecertainly playacriticalrole,untiltheresearchercandefinethedifferencebetweenaneffectiveandanineffectivepolicy,littlecanbedonetodelineatethefactorsthatcontributetosuccess.Manyexperts (e.g.,CharlesCressonWood)arequalifiedtodescribethecomponentsandstructureofeffective policy;however,thesearemerelyarchitecturalfactorsthatneedtobeadaptedandexaminedin thecontextoftheenvironment.Onecanrecommendthedesignofaneffectivebuilding,yetthe samebuildingwillrequiresubstantialmodificationtobeconstructedwithinsevereenvironmental regions,likeCalifornia’searthquakeregions,orAlaska’sseverecoldregions,oranother“nonstandard”region.Infact,allorganizationscanbedefinedasnon-standardtosomeextentorother, andassuchrequiremodificationbeyondanoriginalframeworkormodel.Thusresearchmust beginwithdefiningeffectivepolicyandthencontinuetoexaminewhatorganizationsdotoadapt thesepolicyframeworksandmodelstoachieveeffectivenesswithintheirparticularenvironments. Oncethisiscomplete,theidentificationoffactorscriticaltothesuccessofthispolicycreation andmodificationwillserveasguidanceforotherorganizationstoconsiderastheytacklesimilar problems. Similarly,additionalresearchisneededintheidentificationofcriticalsuccessfactorsinthe implementationofinformationsecurity.Whilethischapterpresentedfivefactorsthatmustbe presentforpolicytowithstandexternal,legalscrutiny,thesefactorsalonewillnotguarantee effectivepolicy.Foreachoftheareasdiscussed(distributed,read,understood,agreed-to,and uniformlyapplied),anexaminationofwhatfactorswilldirectly,andindirectly,contributeto successfulcompletionofthecorrespondingareaisneeded.BuildingontheworkofEloffand
148 WHITMAN
Badenhorst(1990)andothersinbetterunderstandingthesefactors,wecanbegintoimprove our ability to implement policy, increasing the awareness of the organization’s personnel, andreducingtheprobabilityofloss,damageorunauthorizedmodificationtoorganizational information. Thenextareaoffutureresearchbuildsonthewell-researchedtheoriesineaseofuseandusefulnessandthetechnologyacceptancemodel(Davis,1989),extendingthisresearchintotherealmof policydevelopmentanduse.Anumberofrelatedtangentsarise,includingthefundamentalease ofuseandusefulnessofthetemplatesforinformationsecuritypoliciespresentedearlier.While thesetemplatestechnicallyarenottechnology,itwouldbeinterestingandhelpfultofindoutif thesetemplates,basedonfederalstandardsandotherrelatedresearch,resultindocumentsthat arebothvaluabletotheorganizationinprotectingtheinformationandeasytounderstandand complywithonthepartoftheusers.Whenconsideringautomatedpolicymanagementsoftware, onecanapplythetraditionalmetricsforeaseofuse,andsoon,todetermineifthesematerials assistnotonlyinthedevelopmentofinformationinsecuritypolicies,butalsointheimplementationandcompliance. Anotherareaforfutureresearchininformationsecuritypolicydevelopmentistheeffectof aclearchampioninthedevelopmentandimplementationofinformationsecuritypolicy.Itisa welliteratedstatementthatachampion—orsponsoringseniorexecutive—isnecessarytosupport systemsdevelopment,butthedocumentationfortheapplicationofthisconcepttopolicydevelopmentisanecdotalatbest. Oneofthekeyareasofinteresttoinformationsecurityprofessionals,especiallychiefinformationsecurityofficers,isthedegreeofpolicycompliancewithinandbetweenorganizations. Withtheincreasedinterestinmeetinginternationalstandards(seeHoneandEloff,2002), itisinsufficienttodemonstrateimplementationofpolicywithoutthefollow-upassessment ofdegreeofcompliance.While,asdiscussedearlier,organizationsmayclaimownershipof policy,untilthecomplianceisassessedattheuserlevel,a“differencegap”betweenmanagerialexpectationanduserperformancemayexistandmaybemuchlargerthanorganizations wanttoadmit. Anotherareaofinterestforfutureresearchistheactualeffectofpolicyonuserbehavior.Does policy deter user behavior?What aspects of the policy most contributes to this deterrence, if any?Isitthepresenceofpenalties,theawarenessofexpectationsofperformance,orsimplyan understandingofthe“rightandwrongwaysofuserbehavior”?Untilbothmanagersandusers areinterviewed,aswasaccomplishedatthemicrocomputerlevelinthe1990sbyBergeronand Bérubé(1990),thisdifferencegapwillcontinuetobeunknown. Afurtherareaofinterestisalegalassessmentoflawsandcodesofconductassociatedwith legalandregulatoryissuesinpolicyimplementation:compliance,enforcement,andemployment impact.Whiletheareasoflegalrequirementpresentedherewerebasedonanassessmentofcase lawandotherresearch,recentlegislativeandcaselawmayhavechangedtheperceptionsofthe courtstotheimplementationofpolicy.Iscurrentlawmoreorlessrestrictiveontheorganization’s interpretationof“legallyenforceable”policy?Whatlawsatthenationalorstateleveldirectlyimpact anorganization’sabilitytoregulateandcensureitsemployees?Howdoprivacylawsimpactan organization’sability,ormakeitnecessary,tocraftandenforcepolicywithitsemployees?With itscustomers?Anassessmentofthelegalissueswillprovideadditionalanswersinthisarena. Finally,anassessmentoftheimpactoforganizationalchange—structural,technological,market, orenvironmental—onthedevelopmentandimplementationofinformationsecuritypolicywould provideadditionalinsightintothenatureofthepolicydevelopmentlifecycleandthechallenges associatedwithmaintainingpolicyinsuchadynamicenvironment.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE149
CONCLUSIONS Asisevident,thedevelopmentandimplementationofeffectiveinformationsecuritypolicyisa complexbutnecessaryfoundationforanyinformationsecurityprogram.Onlythroughestablished designmethodologies,likeapolicydevelopmentlifecycle,cantheorganizationensurethepolicies developedwillprovidethestructureandguidancetheorganizationneeds.Onlythrougheffective implementationtechniquescantheorganizationensurethatthepolicieswillprovidemore“good thanharm”andwillwithstandbothinternalandexternalscrutiny.Itisimperativethatorganizationsdevelop“goodpolicynow,ratherthanperfectpolicynever”andworkwithrepresentative groups of users to implement information security policy that will protect the confidentiality, integrity,andavailabilityofcriticalinformationandsupportaproductiveandincident-freework environment. REFERENCES Abrams,M.,andBailey,D.1995.Abstractionandrefinementoflayeredsecuritypolicy.InM.Abrahms,S. Jajodia,andH.Podell(eds.),InformationSecurity:AnIntegratedCollectionofEssays.NewYork:IEEE ComputerSocietyPress,pp.126–136. Andersen, I.T. 2001. Sicherheit in Europa. Status Quo, Trends, Perspektiven, Studie 2001. Dusseldorf: Andersen. Backhouse,J.,andDhillon,G.1995.Managingcomputercrime:aresearchoutlook.ComputersandSecurity, 14,7,645–651. Baskerville,R.,andSiponen,M.2002.Aninformationsecuritymeta-policyforemergentorganizations. LogisticsInformationManagement,15,5/6,337–349. Bergeron,F.,andBérubé,C.1990.Enduserstalkcomputerpolicy.JournalofSystemsManagement,41, 12,14–32. Bloom, B.S.; Mesia, B.B; and Krathwohl, D.R. 1964. Taxonomy of Educational Objectives. NewYork: DavidMcKay. Blumstein,A.1978.Introduction.InA.Blumstein,J.Cohen,andD.Nagin(eds.),DeterrenceandIncapacitation:EstimatingtheEffectsofCriminalSanctionsonCrimeRates.Washington,D.C.:National AcademyofSciences. Boynton,A.,andZmud,R.1984.Anassessmentofcriticalsuccessfactors.SloanManagementReview,25, 4,17–27. CERIAS. n.d. E-Commerce Information Security Policy Life Cycle. Purdue Center for Education and Research in InformationAssurance and Security (available at www.cerias.purdue.edu/about/history/ andersen_consulting/slide3.php,accessedonJanuary14,2005). Confucius.n.d.Chineseproverb,KungFu-tse(availableatwww.geocities.com/Athens/Oracle/6517/learning. htm,accessedonFebruary4,2005). Davis,F.1989.Perceivedusefulness,perceivedeaseofuse,anduseracceptanceofinformationtechnology. MISQuarterly,13,3,319–340. DTI.2002.InformationSecurityBreachesSurvey.UKDepartmentofTradeandIndustryTechnicalReport. London. Duigan,A.2003.10stepstoasuccessfulsecuritypolicy.ComputerWorld,October8(availableatwww. computerworld.com/printthis/2003/0,4814,85583,00.html,accessedonJanuary8,2005). ECSA.2003.DefinitionofTermstoSupporttheECSAStandardsandProceduresSystem.EngineeringCouncil ofSouthAfricaStandardsandProceduresSystem,January8(availableatwww.ee.wits.ac.za/~ecsa/ gen/g-04.htm#Comprehension,accessedonJanuary10,2005). Eloff,J.,andBadenhorst,K.1990.Managingcomputersecurity:methodologyandpolicy.InformationAge, 12,4,213–219. Ernst&Young.2001.InformationSecuritySurvey.London. Executive Order 12958. n.d. Classified National Security Information (available at www.dss.mil/seclib/ e012958.htm,accessedonSeptember15,2003). FASP.n.d.FederalAgencySecurityPractices(availableatfasp.nist.gov,accessedonDecember10,2004).
150 WHITMAN Forcht,K.,andAyers,W.2000.Developingcomputersecuritypolicyfororganizationaluseandimplementation.JournalofComputerInformationSystems,41,2,52–57. Fraser,B.1997.SiteSecurityHandbook—RFC2196,September(availableatwww.faqs.org/rfcs/rfc2196. html,accessedonOctober15,2003). Fulford,H.,andDoherty,N.F.2003.TheapplicationofinformationsecuritypoliciesinlargeUK-based organizations:anexploratoryinvestigation.InformationManagementandComputerSecurity,11,2/3, 106–114. Gordon,L.;Loeb,M.;Lucyshyn,W.;andRichardson,R.2004.AnnualCSI/FBIComputerCrimeandSecurity Survey.ComputerSecurityInstitute(availableatwww.gocsi.org,accessedonOctober15,2004). Hansche, S. 2001. Designing a security awareness program: part I. Information Systems Security, 9, 6, 14–23. Higgens,H.1999.Corporatesystemssecurity:towardsanintegratedmanagementapproach.Information ManagementandComputerSecurity,7,5,217–222. Hoffer,J.,andStraub,D.1989.The9to5underground:areyoupolicingcomputercrimes?SloanManagementReview,30,4,35–43. Hone,K.,andEloff,J.2002.Informationsecuritypolicy:whatdointernationalinformationsecuritystandards say?ComputersandSecurity,21,5,402–409. Kabay,M.1996.TheNCSAGuidetoEnterpriseSecurity.NewYork:McGraw-Hill. Lee,J.,andLee,Y.2002.Aholisticmodelofcomputerabusewithinorganizations.InformationManagement andComputerSecurity,10,2,57–63. Lichtenstein, S., and Swatman, P. 1997. Internet acceptable usage policy for organizations. Information ManagementandComputerSecurity,5,5,182–187. Lindup,K.1995.Anewmodelforinformationsecuritypolicy.ComputersandSecurity,14,691–695. Merriam-Webster.2002.Policy.Merriam-WebsterOnline(availableatwww.m-w.com/cgi-bin/dictionary, accessedonJune24,2002). Moule,B.,andGiavara,L.1995.Policies,proceduresandstandards:anapproachforimplementation.InformationManagementandComputerSecurity,3,3,7–16. NetIQ.2005.VigilEntPolicyCenter:KeyBenefits(availableatwww.netiq.com/products/vpc/default.asp, accessedonFebruary10,2005). NIST.1995.AnIntroductiontoComputerSecurity:TheNISTHandbook.SP800–12.NationalInstituteof Standards and Technology, October (available at csrc.nist.gov/publications/nistpubs/800–12/800–12html/index.html,accessedonDecember5,2004). NIST.1996.GenerallyAcceptedPrinciplesandPracticesforSecuringInformationTechnologySystems. SpecialPublication800–14.NationalInstituteofStandardsandTechnology,September(availableatcsrc. nist.gov/publications/nistpubs/800–14/800–14.pdf,accessedonDecember5,2004). Nosworthy,J.2000.Implementinginformationsecurityinthe21stcentury.ComputersandSecurity,19,4, 337–347. Pescatore,J.1997.BuildingEffective,Tailored,InformationSecurityPolicy.NISSCpresentation(available atcsrc.nist.gov/nissc/1997/panels/isptg/pescatore/html,accessedonDecember20,2004). Plous. S. 2000. Tips on creating and maintaining an educational web site.Teaching of Psychology, 27, 63–70. Rees,J.;Bandyopadhyay,S.;andSpafford,E.2003.PFIRES:APolicyFrameworkforInformationSecurity (availableatwww.cba.ufl.edu/dis/papers/021ist_files/0211102.pdf,accessedonJanuary14,2005). Ricks,D.A.1993.BlundersinInternationalBusiness.Cambridge,MA:Blackwell. Rockart,J.1982.Thechangingroleoftheinformationsystemsexecutive:acriticalsuccessfactorsperspective.SloanManagementReview,24,1,3–13. Siponen,T.2000.Aconceptualfoundationfororganizationalinformationsecurityawareness,Information Management&ComputerSecurity,8,1,31–41. Skinner,W.,andFream,A.1997.Asociallearningtheoryanalysisofcomputerabuseamongcollegestudents. JournalofResearchinCrimeandDelinquency,34,4,495–518. Smith,H.1993.Privacypoliciesandpractices:insidetheorganizationalmaze.CommunicationsoftheACM, 36,12,105–122. Steinke,G.1997.Ataskbasedapproachtoimplementingcomputersecurity.JournalofComputerInformationSystems,38,1,47–54. Straub,D.,andNanceW.1990.Discoveringanddiscipliningcomputerabuseinorganizations:afieldstudy. MISQuarterly,14,1,45–60.
SECURITYPOLICY:FROMDESIGNTOMAINTENANCE151 Straub,D.,andWelke,R.1998.Copingwithsystemsrisk:securityplanningmodelsformanagementdecisionmaking.MISQuarterly,22,4,441–469. Tursi,S.2003.InformationSecurity/UserPoliciesSANS-GIACCertification-SecurityEssentials,November10 (availableatwww.giac.org/practical/GSEC/Steven_Tursi_GSEC.pdf,accessedonFebruary4,2005). Whitman.M.2003.Enemyatthegate:threatstoinformationsecurity.CommunicationsoftheACM,46,8, 91–95. Whitman,M.E.,andMattord,H.J.2004.ManagementofInformationSecurity.Boston:CourseTechnology. Whitman,M.,andMattord,H.2005.PrinciplesofInformationSecurity,2nded.Boston:CourseTechnology. Whitman,M.;Townsend,A.;andAalberts,R.1999.Considerationsforaneffectivetelecommunications-use policy.CommunicationsoftheACM,42,6,101–109. Wilson, M., et al. (eds.). 1998. Information Technology Security Training Requirements: A Role- and Performance-BasedModel.NationalInstituteofStandardsandTechnology,April(availableatcsrc.nist. gov/publications/nistpubs/800–16/800–16.pdf,accessedonJune15,2005). Wood,C.1995.WritingInfoSecpolicies.ComputersandSecurity,14,8,667–674. Wood,C.2000.Integratedapproachincludesinformationsecurity.Security,37,2,43–44. Wood,C.2003.InformationSecurityPoliciesMadeEasy,9thed.Houston:Pentasafe. Wood,C.2004.KeytoPolicySuccess:CentralizedInformationSecurityTraining(availableatsearchsecurity. techtarget.com/tip/1,289483,sid14_gci961081,00.html,accessedonNovember15,2004). Wood,C.2005.InformationSecurityPoliciesMadeEasy,v.10.Houston:InformationShield. WUSTL.n.d.InformationSecurityPolicy.WashingtonStateUniversityinSt.Louis(availableatwww.wustl. edu/policies/InfoSecurity.html,accessedonApril12,2003). Zajac,B.1988.Personnel:theotherhalfofdatasecurity.ComputersandSecurity,7,2,131–132.
CHAPTER7
BUSINESSCONTINUITYPLANNINGANDTHE PROTECTIONOFINFORMATIONALASSETS CARLSTUCKE,DETMARW.STRAUB,ANDROBERTSAINSBURY
Abstract:TheterroristattacksofSeptember11,2001,thenortheastU.S.powerblackout,and Katrinaandothernaturaldisastersaredrivingmanagerstoreconsiderorganizationalriskand theneedforbusinesscontinuityplanning.Inthisnewenvironment,organizationsneedtoseebusinesssurvivabilityasacriticalimperativethatmotivatesanupdatedenterpriseriskmanagement strategy.Thischapterintroducesandexaminestheconceptsofbusinesscontinuityplanningand disasterrecoverywithinoverallriskandcrisismanagement.Bestpracticesandselectmodelsare illustrated.Adiscussionoffutureresearchtopicsanddirectionsconcludesthechapter. Keywords:BusinessContinuityPlanning,DisasterRecovery,InformationAssets,RiskAssessment andManagement,AssetDispersal,Survivability,InformationSecurity INTRODUCTION Itistemptingtorestrictthediscussionofinformationsecurityandinformationassetprotectionto thebasicneedtorecoverhardwareandsoftwareafteradisaster,whetherthedisasterisnaturalor man-made.Buttherearegoodreasonswhythisistoolimitingandwhyweneedtoalwaysmove ourthinkinguptotheleveloftheentireorganization.Theliteraturetodateindicatesquiteclearly thattheprotectionofinformationassetscannotbeachievedinavacuum.Andsothislargerscope shouldbeourvenueforthoughtandaction. Apoignantexampleillustratesthiskeypoint.On9/11anumberofbusinessesphysicallylocated intheWorldTradeCenterhadplansinplaceforrecoveringfromdisasters(Castillo,2004).The bestoftheseplansevenanticipatedtheneedforremote“hot”sitesthatwouldbeunaffectedby thelossofinfrastructure,includingelectricity,water,andaccessibility,inlowerManhattan.But theplansdidnotincludethelossoflifeandthelossofexpertiseofemployees.Thustheability totransferoperationstoalternativesiteswashamperedorinsomecasesrenderedimpossibleby thislackofforesight(Castillo,2004;ZuckermanandCowan,2001;Zuckermanetal.,2001). Isthisbeingtooharsh?Weremanagerstrulysolackinginvisionthattheydidnotanticipate thepossibilityofsuchadisaster?Itisimportanttorememberthatpreviously,in1993,theWorld TradeCenterhadcomeunderattackandhadmiraculouslysurvived.Prudentmanagersmight haveanticipatedanotherattackofsomesortsincetheTwinTowersweresuchapotentsymbolof capitalismintheWestandthetargetofhatredforfanaticsandterroristsaroundtheworld. Sincetheintentofthe1993attackwastocollapsetheentiretower,itwouldhavebeenrelatively straightforwardtoforecasttheextentofdamagetothebusinessesinthetowerandtothesurroundingarea.Forstarters,itisclearthattheothertowerwouldhavebeenseverelydamagedevenifit 152
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS153
hadnotalsocollapsed.It,likethebusinesseswithinalargeareaoflowerManhattan,wouldhave beeninaccessibleformonthsoruptoayear.Therepairoftheinfrastructureisonlyapartofitif therewerecriticalrecordshousedinaremainingintacttowerbutnoonecouldgettothem. Whatwasneeded,andwhatfewbusinessesintheTwinTowershad,werecontingencyplans thateasedatransitionofoperationstoothersitesandtherapidrestorationofrelativelynormal business activities.The tragic loss of key employees was compounded by the inability of the business that did survive to recover operations, and, also important, to meet customer needs. Katrina,thenortheastblackout,andtheSoutheastAsiatsunamiallheightentheurgencyofthis kindofplanning. Thisexampleillustratestwopoints.First,protectinginformationassetsaloneisinadequate. Informationassetrecoverymustbeseeninalargercontext:theoverallcontingencyplanthatallowsforbusinesscontinuity.Second,businesscontinuityrequiresback-upstrategiesforlossof morethanjustphysicalandsoftwareassets.Strategiesforreplacementofemployeeexpertiseare likewiseessential.Knowledgeofworkflowsandbusinessprocessesneedstobeavailabletosustain businessfunctionor,ifnecessary,forthebusinesstopickitselfupandresumeservice. KEYDEFINITIONS BCPandDR Several essential definitions need to be delineated before any in-depth discussions of businesscontinuityplanning(BCP)anddisasterrecovery(DR)—thatis,recoveryofinformational assets—cantakeplace.Castillo(2004)definesBCPas“theabilitytomaintainarevenuestream throughacrisis(p.18).1ThisisasreasonableandbriefadefinitionofBCPintheprofit-making sectorasonefindsintheliterature.2Abroaderorganizationalviewcouldspeakofmaintaining orofrestoringmission-criticalfunctionality,andthatdefinitioncouldalsobeuseful.DRhasa narrowerfocus,andisorientedtowardinformationtechnology(IT)andrestoringtheITcapabilitiesofanorganization(Herbaneetal.,2004).Ittendstofocusonrecoveryor“remedies”more thanonpreventionordeterrence,whicharepriorstagesinthesecurityactioncycle,asshownin Figure7.1.ThisactioncycleisderivedfromearlierworkbyStraubandWelke.Hereonemight deterfutureabusebystrongenforcementofsanctionsforperpetratingabuse.Forthosewhowill notbedeterredandwhoattemptabuse,safeguardsareerectedtohalttheseattempts.Ideally,the effectivenessofdeterrenceandpreventionismaximized.Detectionmechanismsarenecessarysince deterrenceandpreventionwillnotbecompletelyeffective.Whenabuseisdetected,remediesare enacted,includingsanctionstoincreasedeterrence,strongersafeguardstothwartabuseattempts, betterdetectionmechanisms,andimprovedprosecutiontechniquestominimizeabuserswhogo unpunished.Thiscompletesthecycle. Catastrophic events are typically immediately detected, but the broader detection process involvesfindingouthowandwhysomethinghappened(incaseactionscouldbetakensosucha catastropheeitherwouldnothappenagainorwouldhavealessenedimpact).Thereforethissecurity actioncyclewithitsprocessimprovementfeedbackloopalsoprovidesaprocessimprovement feedbackloopmodelforplanningandprevention(andrecovery)activitieswithinBCPandDR. Nemzow(1997)providesanenlighteningcomparisonbetweenthetwo.AsseeninTable7.1,he comparestheshorter-termDRmechanismswiththebroader,moreautomatic,longer-term,andless disruptiveBCPconfigurationsandtechniques.Afewparentheticalcommentshavebeenadded. Focusingforamomentonreplacementofemployeeexpertisehighlightsthisdifference.Disasterrecoverywouldtendtoplanforasearchforareplacementthroughthejobmarket.Butthis
154 STUCKE, STRAUB, AND SAINSBURY Figure7.1 TheSecurityActionCycle Process Improvement Feedback Loop
Deterrence Prevention
Detection Deterred Abuse
Remedies Prevented Abuse
Objective: Maximize
Undetected Abuse Unpunished Abuse
Objective: Minimize
Source:AdaptedfromStraubandWelke,1998.
processwouldtakealotoftimeandiftheemployeewereinstrumentalenoughand,ineffect, acorecompetencyoftheorganization(Huber,1993),thislosscouldleadtoseveredamageor failureofthefirm.Nemzow(1997)arguesthatcross-trainedemployeesorpersonswhocould backupthelostemployeecouldmeettheimmediateneedandrunlessofariskfortheorganization.ThisgoesbeyondthenarrowerscopeofDR,andthusifDRplanningweretheentireeffort ofanorganization,itcouldconceivablynotbeenoughinsuchacase. CrisisManagement OthercommentatorsremarkonsimilardifferencesbetweenDRandBCP,buttakethisfurtherby pointingoutthatBCPisevenpartofalargerefforttermed“crisismanagement”(Castillo,2004; Herbaneetal.,2004;Karakasidis,1997).Crisismanagementappliestoaverywiderangeofmajor problemsthatorganizationsmaysuffer,fromapublicrelationsdisastertoevacuationofemployees asaresultofacivilwar.Itcanalsorefertodisastersthatstrikeatthefirm’sfacilitiesandemployees, planningforwhichwehavetermedBCP/DR.Crisismanagement,generallyspeaking,isasetof measuredresponsestochallengesthatcouldthreatentheexistenceofindividuals,organizations, orsocieties.Crisismanagementthinkingispervasiveinactualdisastermanagement.Thisleads Herbaneetal.(2004)todescribetheirhigher-orderviewofBCP/DRasmanagingacrisis,namely asoccurringinthethreestagesofpre-crisis,trans-crisis,andpost-crisis. BC/DRPlanningversusPlanExecution ThisstagedviewofhowDRandBCPfitintoasetofevent-responsephasesleadstoanelaborated modelinCastillo(2004)thatseparatesplanningfromexecutionofplans(seeFigure7.2). Castillo’smodelwillbediscussedingreaterdetaillater.Forthemoment,itisusefultodefine whatsheseemstomeanby“preparedness.”“Preparedness”ofeithertheDRplansorBCPcan
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS155 Table7.1
ComparisonofDisasterRecoveryandBusinessContinuityPlanning DR
BCP
Batterybackup
Shadowedoperations
Sootcleanup(takestime)
Useoffsiterecords;trasheverythingelse(continue functioning)
Advertise,interview,hireareplacement manager(afterevent)
Movethebackup(orcross-trained)personintothenew role(readytogo)
Sueforpossessionofrolodexes
Usealternativesalesrecordsandcontactlists
Backuptapes
Backuptapesandtapereaders;commonformatCDROMs;RAID(redundantarrayofindependentdisks)
Phonecompanyforwardsphonelinesto newnumbers(afteryougetthenumbers)
Call-forwardlines(alreadyconfigured)
Build(orrebuild)anewsite
Salvageandactivatewarehouse
Sendsalespeopletoanewterritory
Expandproductlineinotherterritories
Trytoreaddamagedbackupmedia
Viewrecordsonmicroficheorelectronicimages
Splicedamagedlinesinconduit
Switchovertoalternativedelivery(rerouteorsatellite)
Source:BasedonNemzow,1997.
bethoughtofthereadinessoftheorganizationtoresumeoperations,ateitherthetechnical(IT) levelorthebusinesslevel.Organizationscanrangewidelyonhowpreparedtheyarebyhaving plansinthefirstplaceand,second,howpreparedtheyareinactuality(Castillo,2004).Thissame distinctionintheliteratureisoftenmadebetweenthecreationandthetestingofplans.Itisclear thatpreparednessistheresultofaplanningprocessandthatthisprocessmayormaynotbeeffectivewhenadisasteroccurs.Theexecutionoftheplanisadistinctsetofactivitiessuchas“DR andBCresponse,”“ITrecovery”“stabilizationofbusiness,”“assessment,”and“resumptionof normalbusiness.”Theserepresenttheimplementationoftheplans,andthequalityoftheBCP canonlybemeasured,inthefinalanalysis,byhowwelltheplanswork. “Hot”Sitesversus“Cold”Sites Anothersetofdefinitionsisusefulforthischapter.Off-siterecoveryfacilitiesaregenerallyclassifiedaseither“hot,”“cold,”oraninbetween“warm.”Straub(2004)definesandexplicatesoff-site ITrecoveryfacilitiesasfollows: You have a contract with a cold site disaster recovery outsourcer that will allow you to beginreorganizingyouroperations.Necessarynetworkconnectionsarepresentatthissite, aswellasbackupcopiesofyoursoftwareanddata,butthereisnocomputerhardware. Theplancallsforbringinginrentedequipment,includingfurniture,desks,workstations, andsoforth,fromathreestatearea.Contractswiththeserentalfirmsandotheroutsourcingfirmsspecifythattherequisitematerialswillbeon-siteandinstalledwithin24hours. Althoughtheburdenontheremainingphysicaldistributioncenterwillbesevere,themain problemistheWebconnection.However,withsuccessfuldeploymentoftheplan,thefirm
156 STUCKE, STRAUB, AND SAINSBURY Figure7.2 IntegratingBCPandDR
Event
DR Preparedness
Response Recovery
BCP Preparedness
Response Stabilization of Business Assessment
Resumption of Normal Business
Source:AdaptedfromCastillo,2004.
cancontinueitscomputing....Yourcompanymighthaveconsideredamorecostlyplan calledahotsite.Hotsitesalsohaveduplicatesofthehardwareyouarerunning,aswellas thenetworkconnections.Hotsites(andcoldsites)areshared;inthesensethatifallclients oftheoutsourcerwereinneedofservicesatthesametime,thefacilitiescouldnotusually accommodatethedemand.Inotherwords,thereisnotalargeroomreadyandwaitingfor afirmatthehotsite,withthenameofthefirmstenciledonthedoor. Additional options include mobile, shared, and mutual backup where two corporations are preparedtobetherecoverysiteforeachother(WhitmanandMattord,2004). MTBU MTBUisatermandconceptthataskshowlonganorganizationcansurvivewithoutarecoveryof essentialfunctionality.Theacronymstandsfor“maximumtimeforbellyup,”whichintheparlanceof standardAmericanEnglishmeanstheperiodoftimebeforeacompanygoesbankrupt.MTBUgives usinsightintohowvulnerableafirmis.Justhowlongcanaparticularorganizationsurvivewithout informationassetsandtheconcomitantpersonneltorunthem?Orhowlongcanitsurvivewithout itscallcenters,whichtakeordersaswellasperformotherservicefunctions?Fromthebeginningof theinformationrevolution,commentatorshavebeenpuzzlingoverthesequestions. OneoftheoriginaldiscussionsofthisissueintheITcontextwasaworkingpaperattheUniversity ofMinnesota’sMISResearchCenter(Aasgardetal.,1978).TheconceptofMTBUthatevolved afterthatpaperemphasizedthesurvivabilityoforganizations,especiallyprofit-makingorganizations.
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS157 Figure7.3 MTBUforTwoTypesofFirms
250,000
Revenues
200,000
150,000
100,000
50,000
0 Day 1
Day 2
Day 3
Day 4
Day 5
Day 6
Information- Intensive Firm
Day 7
Day 8
Day 9
Day 10
Day 11
Day 12
Day 13
Day 14
Noninformation Intensive Firm
Source:FromStraub,2004.
Straub(2004)arguesthattherewillbeamarkeddifferenceinfirmsthatarehighlyinformationintensive,suchasfinancialinstitutions,andthosethatarenot(seeFigure7.3).Nevertheless,without mission-criticalresourcesallmodernfirmswillfailwithinarelativelyshorttime. Nemzow(1997)estimatedthatby1997theaveragetimeperiodthatanyfirm,irrespectiveofinformationintensity,couldsurvivewasfourdays.Moreover,theliteratureindicatesthat80percentof firmsthathaveexperiencedamajordisasterdonotsurviveforayearandthatoverafive-yearperiod, only10percentarestillinexistence(Nemzow,1997).SoitisobviousthatknowingtheMTBUof one’sorganizationisanimportantmacro-levelnumberforplanningforworst-casescenarios. RISKANDRISKASSESSMENT Technicallyspeaking,theriskofaneventistheprobabilityoftheeventtimestheexpectedloss. Insuranceactuariesandunderwriterscalculatetheriskofanautomobileaccidentforacertain specificdriverbyexaminingthepasthistoryofdriversincertaincategoriessuchasthosewith DUIsandthosewithincertainageranges,andsoon.Thehistoryofaveragelossesisalsoavailable tothemandso,takingintoaccountnumerousotherfactors,theycandeterminethattherisktoday ofanindividualsustaininganaccidentthatthecompanywouldhavetopayonis,say,$1,000per annum.Sincethecompany’sriskis$1,000toinsureanindividual,thefirmmustchargemore thana$1,000premiumtoensurethattheaccountwillbeprofitable. Whereastherearemanyexamplesofautomobileaccidentsandotherareasforinsuranceare wellunderstood,suchaslifeexpectancies,disastersarebytheirverynaturerareevents.Inthat
158 STUCKE, STRAUB, AND SAINSBURY
thecalculationofriskisafunctionofbothprobabilityofadisasterandtheexpectedlossesfrom adisaster,wewouldneedareliableassessmentofbothvariablesinordertoaccuratelyassessrisk inthiscase.Onemightcomeclosetoassessingmonetarylossesinthecaseofspecificdisasters. Butthedifficultywithrareeventsisthattheydonotoccurwithenoughfrequencytoshowadistinctpatternand,therefore,yieldaviableprobabilityfigure.Withoutbelievablequantities(probabilities)toworkwith,theassessmentofriskinBCP/DRtendstobequalitative.Whiletoolsare emergingforquantitativeriskassessment,theirutilityislimitedtoareaswheresufficientactuarial informationexiststomodelrisk.Suchinformationisscarce,especiallyinareaswheredivulging eventspecificsmightendangerthepublic’strustinthereportinginstitution. RiskandtheNeedforBCP/DR Most organizations have never had and may never experience a catastrophe. Thus one might thinkthatanyandallriskassessmentswouldbenecessarilylow(Nemzow,1997)andthetypicalmanagerialresponsemightbetocovercriticalareasallowingafirmwhoseassetsarenottoo badlydamagedtolimpalongtoarecovery,andthentouseinsuranceasariskmitigationstrategy fortheremainderofanorganization’svulnerabilities.Butitispossibletolosetheentirebusiness withoutgoodrecoveryplanning,andeventhoughthelossesmightbecoveredmonetarily,andthe shareholdersreimbursed,thelossofjobsandlivelihoodscouldbedauntingforthelargergroup ofstakeholders.Stakeholdertheory(Freeman,1984)haspushedorganizationstothinkbeyond thenarrowviewthatprofit-makingorganizationsareentirelydefinedbyhowmuchwealththey bringtotheirowners.Employees,customers,suppliers,governmentalagencies,organizational beneficiaries,andthecommunitiesinwhichorganizationsexistalsohaveastakeinthesurvivalof organizationsandtheirneedsarenotmetbythefinancialcompensationsofferedbyinsurance. Nemzow(1997)alsocautionsagainstapplyingtraditionalriskassessmentapproachestopossible organizationaldisaster:“Becausetheyaresorare,isitrightnottoplanforthem?Evenamonetary analysismightshowthattheexpectedlossesfactoredbytherisklikelihood(thetypicalactuarial methodforinsuranceanddisasterplanning)maycreatethefalseimpressionoftheinsignificance ofadisaster.Nonetheless,beware”(p.130).However,acceptanceofriskmaybeavalidstrategy ifthecostofproperpreparationexceedstheexpectedloss. ValueofPlanningEfforts Assumingforthemomentthatthereisacasetodosomethingaboutdisasters,inspiteofthelow risk.Butwhyshouldorganizationsplanfordisasters?Thequestionisnotasfrivolousasitmight firstappear.Itmightbemorecosteffective,forexample,towaitforaneventtooccurandthento mobilizearesponsedynamically. Thedifficultywitharesponse-onlystrategyisthatonecannotpredictallthethingsthatcango wrong,andwithoutaplantohandlewhatcanbepredicted,theextentofthelossesandthedelays inrecoverywillbeevenlonger,sometimescatastrophicallyso.Ifafirm’sMTBUissevendays,and predictableeventsrecoverytakesfivedayswithplanningandtwelvedayswithoutit,thefirmwill gobankruptwithoutaplan.Butifafirm’sMTBUissixdays,predictableeventsrecoveryonlytakes threedayswithaplanandsixdayswithoutaplan,wemightbetemptedtothinkthatthefirmhad escapedinthiscase.Notnecessarilytrue.Assumethatunpredictableeventsrecoverytakesanother twodays.Thefirmwithnoplanwillgobelly-up,butthefirmwithplanningwillsurvive. Theseareperhapsfancifulscenarios,butthepointoftheanalysisisstraightforward.Planning canshortenthetimetorecoveryandthiscanmeanthedifferencebetweenlifeanddeathfora
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS159
firm.Thedeterminationofhowmuchthisplanningshouldcosttobeareasonableinvestmentis notaneasymanagerialdecision.Butwhenthefirm’ssurvivalisatstake,itcouldbeconsidered amatterofduediligencetoinvesttoatleastameasuredextentinBCP/DR. Areunpredictableeventsthatdangerous?Therearenumerousanecdotesinthecasehistory thatareilluminatinginthisrespect.NASDAQwasdramaticallyaffectedtwotimesbysquirrels chewingthroughtelecommunicationslinesthatwereservingthetradingfloor(Nemzow,1997). Whereasrodentdamagemighthavebeenpredictedandpreparedfor,theNASDAQmanagers alsosufferedalossofelectricityandfoundoutwhentheytriedtorefuelbybringinghosesinto theirbuildingsthattheywereinviolationofabuildingcode.Thecombinationofeventswasnot predictableandthreatenedNASDAQ’sabilitytoofferatradingenvironment. Duringthe1993terroristbombingoftheWorldTradeCenter,manybackupsystemswereinplace, butfirmsdidnotanticipatethattheywouldnotbeallowedtoretrieverolodexes,chartsofaccounts, andsoforth(Nemzow,1997).Theneedtogetatthesephysicalassetswashamperedbydamagethat occurredinthebasementnotimmediatelyaffectingmostfirms’facilities.Theironywasthatthetight securitythatsurroundedtheareaprohibitedsomefirmsfromcarryingoutnormalbusinessactivities. HurricaneAndrewcreatedsimilarproblems.Insomecases,thedestructionwastotal(Nemzow, 1997).Workstations,marketingreports,diskandtapebackups,andcabinetswerescatteredacross theEverglades,milesaway.Officeswerecompletelydevastated.Andmostrecently,Hurricane KatrinabroughtdevastationtotheGulfCoastoftheUnitedStates.Whiledamagefromahurricane isexpected,theextentofthedamageinboththesecaseswasasurprisetomany. TheDistributionofDisasters Whataretheformsofcatastrophethatcanovertakeanorganization?Knowingthebasicsofwhere threatsarecomingfromisacrucialelementforplanning.Nemzow(1997)assertsthatonly1 percentofdisastersarenatural.Hegoesontosaythathotsitescoverhardwareandevensoftware, buthumansideimpacts,includinglossofemployees,customerdissatisfaction,andothermarket effects,arenotgenerallycoveredinplanning. Other commentators also discuss the issue of man-made acts such as sabotage. Rodetis (1998)doesnotbelievethatthatterrorismandotherman-madedisastersarelargeroccurrences percentage-wisethannaturaldisasters,butthattheirimpactcanstillbehuge.AftertheOklahoma Citybombing,fortysquareblockswerecordonedoffand210ofthe4,000businessesinthatarea wentoutofbusiness.Thisisa5percentlossrate. Definingman-madeeventsasbothnormalandabnormalcrises,Castillo(2004)makesthesame point,showingthatabnormalandnormalbusinesscrisesaccountforalargerproportionofloss overthelastdecadethannaturaldisasters.Normalcrisesincludepoweroutages,strikes,turnover ofkeypersonnel,recession,andeveneventsliketheColumbiaShuttleloss.Abnormalcrisesare criminalactslikethoseatEnron,cyberattacks,andproducttampering.Thereasonthismakesa differenceisthatbusinessestendtoplanfornaturaldisasters,butdependonriskmitigationand recoveryeffortsforman-madeevents.Thisbeingthecase,many/mostBCPsdonotanticipate respondingtoproducttamperingoracyberattack,forinstance. PlanningversusAdaptability The9/11terroristattackcouldbecategorizedasanabnormalcrisis,andiftheobservationthat thiskindofeventisgenerallynotplannedforbyorganizations,thenwewouldexpectmoread hocsolutionstobereported.Thisseemstobethecase.
160 STUCKE, STRAUB, AND SAINSBURY
IntheirstudyofBCP,Herbaneetal.(2004)saythatafter9/11,“overhalfofLehmanBrothers’staffworkedfromhomeintheimmediateaftermathasresultofthepreviousrolloutofan extensiveremoteaccessprogramme.Oneofitsseniormanagerscommentedthat‘crisisadaptabilityisthekeytocontinuity’”(Herbaneetal.,2004,p.436).LehmanBros.wasfortunatethat theywerepositionedtoadapttheirtelecommutingoptiontorespondtothiscrisis,butthiswas, apparently,notactuallypartoftheirBCP.Thisexplainswhytheirseniormanagerusestheterm “adaptability”inthequotationabove. Inourview,thismanagerialstanceworksagainstthebasicunderlyingconceptofBCP:that a thorough (i.e., “good”) plan will meet most contingencies. It undermines the belief that an organizationcanbewellpreparedforadisaster,whetherintentionalorunintentional,andthat traininginbestpracticescanleadtoaquickandfelicitousrecovery.Ifthemajorrequirement forrecoveringfromdisasterisadaptability,thenplanningisofmarginalusefulness.Itwouldbe betterinsuchcasestosendmanagersforoutwardboundtrainingthantraininginhowtorapidly movetheorganizationtotemporarybutfunctioningoperationalreadiness.Addressingthispoint above,undertherubricofpredictableandunpredictableevents,itisourpositionthatadaptability iscertainlyindispensableinacrisis,butthat,overallandprimarily,organizationsshoulddepend ontheirwell-testedplansforrecoveryandnotoningenuity. AftertheWorldTradecenterbombingin1993,itshouldhavebeenobvioustoLehmanmanagementthatacatastrophicfailureinthevicinitywouldhavewipedoutbackupfacilitiesaswell astheprimaryoperationscenter.AsolidBCPwouldhaveanticipatedthisandmovedthebackup facilitiestoanotherboroughofNewYorkCity,or,evenbetter,anotherstateorcountry. ManagerialCommitmenttoBCP/DR Few organizations have BC and DR plans in place and even fewer test them (Castillo, 2004; Nemzow,1997;PittandGoyal,2004).Nemzow(1997)assertsthatonly1percentoforganizations havedisasterrecoveryplans.Itisclearthat,aswithmanyotheraspectsofinformationsecurity, managersdonotviewthisformofprotectionasverymission-critical(StraubandWelke,1998).3 Butisthisareasonableresponse,giventheenormouschallengesthatprofit-makingfirmsespecially faceinthecurrentera?Howimportantisitthatorganizationsengageinthistypeofplanning?We havemadetheargumentagainandagaininthischapterthattheriskofnotsurvivingintheevent ofadisasterwherethemanagershavenotplannedistoohigh.Importantstakeholdersofthefirm requireduediligenceinthisarea. Herbaneetal.(2004)alsomakethepointthatarecoveryadvantagecouldbeacompetitive advantage,whichisasubtleandevenprofoundpoint.Sinceitisclearthatorganizationscanbe harmedorfatallydamagedbypoorBCP(ZuckermanandCowan,2001;Zuckermanetal.,2001), itisakeytosurvivaland,hence,astrategicnecessity.Firmsvieweditthiswayinthefourcases discussedinHerbaneetal.(2004),butisthereatheoreticallinkagebetweenviewingBCasa strategicgoalanditssuccessfulimplementation?Wehaveonlycasestudydatatomaketheconnectionatthispoint. CreatingBC/DRPlans There are standard approaches that have been articulated for how an organization goes about creatingaBCP/DRplan(Karakasidis,1997).Table7.2showsatypicalsetofsteps(Karakasidis, 1997).TheNationalInstituteofStandardsandTechnology(NIST)specialpublication800–34 alsocontainsanexcellentprocess.
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS161 Table7.2
TheBCPlanningProcess Step Action 1 2 3 4 5 6 7 8 9 10 11
Obtaintopmanagementapprovalandsupport Establishabusinesscontinuityplanning(BCP)committee Performbusinessimpactanalyses Evaluatecriticalneedsandprioritizebusinessrequirements Determinethebusinesscontinuitystrategyandassociatedrecoveryprocess Preparebusinesscontinuitystrategyanditsimplementationplanforexecutivemanagement approval Preparebusinessrecoveryplantemplatesandutilities,organize/developthebusiness recoveryprocedures Developthetestingcriteriaandprocedures Testthebusinessrecoveryprocessandevaluatetestresults Develop/reviewservicelevelagreement(s)(SLAs) Update/revisethebusinessrecoveryproceduresandtemplates
Source:Karakasidis,1997.
Thestepsareintuitive,butashortdescriptionofeachisnotunwarranted.ProjectsneedmanagementsponsorshipandBCPisnotanexception.Karakasidis(1997)recommendsthatthekeyactivitiesintheprocessbecarriedoutbyarelativelyhighlevelcommitteeforgreaterfirmbuy-in. Oncetheprocessisinmotion,itiscriticaltofirstseewherethebusinesswouldbeimpacted bydifferentdisasters.Thishelpstoprioritizetheresponses.Foreachareathatisidentifiedas critical,arecoveryproceduremustbespecified.Thesecanbetemplatedandstandardizedsothat itissimpletomaintainthem. Testingisanabsolutelyessentialelementintheplanningprocess.Specificationsonhowto testaswellasthetestingitselfarebothcomponents.Thefinalthreestagesoftheprocess(9–11) areiteratedinthesensethattestsshouldberunandrerun,servicelevelagreementsshouldbe sculptedandre-sculptedforoutsourcersastheyassistintheprocess.SLAs,infact,arebasedon thetestresultstoalargeextent.Planningupdatesarealsoacontinuousprocessandwillrequire themanagerstoexaminetheplanonaregularbasis. BESTPRACTICES Zsidisinetal.(2003)studiedfourfirmsthatwerereputedtohavereasonable-to-excellentBCP fortheirsupplychainsanddeterminedthatthefifteenpractices(seeTable7.3)werethemeans bywhichfirmscouldrecoverrevenuesquicklyafteradisaster.Manyormostifthesepractices canbegeneralizedtootherfirmprocesses. Thefirstfivebestpracticesarerelatedtoriskandtheidentificationofwheretheorganizationis vulnerable.OrganizationsthatweresuccessfulaccordingtoZsidisinetal.(2003)performedrisk auditstoprioritizetheriskthefirmwasfacingindifferentareas.Thesetendedtobegeneralized riskassessmentsthatdidnotnecessarilyrequirelossestimates.Atleastaqualitativeassessment offullriskwasundertakeninthethirdbestpractice,lookingcloselyatextremecaseswherethe firmwouldbeseriouslyindanger. Practices6through13dealwithensuringthattheBCPisaccurateandtimelyandwilleventually
162 STUCKE, STRAUB, AND SAINSBURY Table7.3
EffectiveBusinessPracticesaccordingtoZsidisinetal.(2003) #
Bestpractices
1 2 3 4 5 6 7 8 9 10 11
Supplychainriskaudits Assessingprobabilityandimpact—expectedvaluesandextremevalues Supplierriskprofiling Differentiatingbetweencurrent-stateriskandtransitionalrisk Supplierpreparednessasapartofregularsupplierassessment Supplychaincontinuitycreatedaspartofalargerstrategy SupplychaincontinuityincludedinITcontingencyplans Relationshipsandbusinesscontinuity Supplychainmapping1 Importanceofvisibility Managingcostandtimeofdisruptions,includingmulti-sourceriskmonitoringandqualitymanagement/riskmanagement Dualsourcingpolicy Productandprocessstandardization Developing,implementing,andmonitoringBCP-specificmetrics DevelopingandmonitoringpredictiveBCPmetrics2
12 13 14 15 1
“Supplychainmappingisatechniquefrequentlyusedbymanagementtolayoutthestructureofthe supplychain”(Zsidisinetal.,2003). 2“Predictivemetricsaremeasuresthatareusedtoidentifypotentialproblemsbeforetheyoccur.Inthe caseofBCP,predictivemetricscapturesupplierbehaviorthatindicatesfinancialdistress,whichsubsequently affectsthecontinuedviabilityofthesupplier”(Zsidisinetal.,2003).
work.Strategicissuesheadthelist.DoesthetopmanagementconsiderSCMtobecriticaltothe survivalofthefirm?Ifnot,educationoftopmanagementmayberequiredbeforeaviableplancan beturnedout.Themanagersmustseethesharingofinformation(visibility)andtherelationships withinthesupplychainascriticalelementsintheoverallplan.Supplychainmappingshouldbe conductedtogainacompleteunderstandingofthesupplyprocesssothatwhenacatastropheoccurs,thereisnodoubtabouttheeffectivenessoftheplansindealingwithit. Certainpracticesarejustgoodmanagementpracticeswithrespecttosupplychainefficiency, suchasmultisourceriskmonitoringandatotalqualitymanagement(continuousimprovement) approach.Dualsourcingoptionslowerriskbymakingsuppliesmorereliable.Finally,standardizingonproductsandprocessesnotonlymakesthesupplychainsmoother,butitalsomakesit easiertorestoreittoseamlessoperationshoulditbedisrupted. ThefinaltwobestpracticesareimportantifthefirmistolearnfromwhereBCPworksand whereitdoesnot.Thesedealwithmetricsthataffectoperations,thosethatmonitoroperations, andthosethatpredictperformance.Benchmarksaidintherestorationoffullcapacityandprovide valuableinformationforareassessmentandadjustmentprocessafteradisasteroccursandthefirm recovers.ThisfeedbackloopwillbediscussedunderBCP/DRmodelslaterinthechapter. GENERICPRINCIPLESANDSOLUTIONS Boththebestpracticesjustcoveredandotherargumentsputforthsofarsuggestthatorganizationscanuseasetofprinciplestoguidetheirplanning.Theonedominantprinciplewithrespect
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS163
toprotectingafirm’sassetsisdispersionandpartialduplicationofthemostessentialresources (Snowetal.,2005).AsstatedinSnowetal.(2005),“whileindividualfirms’strategieswillvary intheextentandtypeofdecentralization,theoveralltendencyshouldbetowardfurtherdispersal ofpeople,technology,andphysicalassets....Thesefutureriskmitigationstrategiesmayresult intheimplementationofdispersalstrategiesinorganizationaldesignandmoregeographically distributedorganizations”(p.1). Whatisthereasoningforthismostbasicconcept?Ifanorganizationisspreadoverfivelocationsthatarenotgeographicallycontiguous,thelossofanyonenodeisalimitedexposurefor theorganization.Inthecaseofinformationalresources,itisalsopossibletoduplicatemanyof thematarelativelylowphysicalcost,andthecoordinationcostsneedtobefactoredintoreach somehappymedium.Nemzow(1997)makesessentiallythesamepointwhenhesays:“Ideally, thebestplanninglookstodiversificationasastrategyforprotectinganorganizationevenwitha directdisasterhit”(p.133). SPECIALIZEDORGANIZATIONALSTRUCTURES Computersecurityincidentscanbesufficientlydestructivetoinvokeanorganization’sBC/DR plan.Andcomputersecurityincidentscanbeparticularlycomplicatedtohandleandtoproperly collectandpreserveevidencethatenablesprosecution.Thismotivatestheincreasingpopularity ofaspecificteam-basedapproachtorecoveryfromsecurityviolations.Thisspecializedorganizationalstructureshouldbeconsideredtobeageneralprincipleinthesensethatscientificevidence showsthatdedicatedpersonnelarecorrelatedwithsignificantlylowercomputerabuse(Straub, 1990).WithoutafocusedmanagementeffortinBCP/DR,theresultingplansaremuchlesslikely tobesuccessful. Withrespecttoincidentsthatareprimarilymajorbreachesofcomputersecurity,orwhere computer security lies at the heart of the disaster, Carnegie Mellon University has pioneered theconceptofCSIRT,or“computersecurityincidentresponseteams”(Killcreceetal.,2003). Theseareteamsoftrainedexperts,spreadworldwideatthispoint(Killcreceetal.,2003),who canrapidlyassessdamage,plugvulnerabilities,andassisttheorganizationinitsrecoveryefforts. Theseteamscanbeeithertrainedandcertifiedwithinorganizationsorhired.IBMhasapractice inthisvein,forexample.ForadditionalCSIRTinformation,seeCMU’sCERTCSIRTwebsite atwww.cert.org/csirts/. TheCSIRTconcepthasbeenexpandedtoincludeanetworkofCSIRTsthatalloworganizations to share their knowledge and tie into assistance, in some cases. The Forum of Incident ResponseandSecurityTeams(FIRST)functionsasavirtualknowledgemanagementsystemto helpinrecoveryefforts(Killcreceetal.,2003).AsofJanuary2006,ithadover170membersand awebsiteat:www.first.org. OneofthepossibleresponsibilitiesforCSIRTsisBCP/DR(Killcreceetal.,2003).Becauseof thesharedexperienceofotherCSIRTsandtheFIRSTnetwork,itisworthwhileconsideringthe establishmentofaCSIRTtohandlethiscriticalriskdomainforthefirm. MODELSFORBCP/DR Thesetofactivitiesthatprecedeandsurroundadisasterarefairlywelldocumentedanddonotdiffersubstantiallyfromoneanotheracrosscommentators.Specifictechniquesandimplementations willdiffersignificantly,however,andthiscanspawnresearchthatwouldassesstheeffectiveness ofvaryingapproaches.Beforeexaminingoneortwosuchmodels,wecanstepourwaythrough
164 STUCKE, STRAUB, AND SAINSBURY Figure7.4 ParallelModelofBCP/DRActivities
Event
1.0 Business Continuity Plans
2.0 IT Disaster Recovery Plans
1.1 Scoping
2.1 Scoping
1.2 Recovery/Remediation
2.2 Recovery/Remediation
1.3 Re-assessment
2.3 Re-assessment
1.4 Adjustment
2.4 Adjustment
Resumption of Normal Activities
theeventsandseewhythestagesofBCPandDRaresosimilarfromauthortoauthorandfrom yeartoyear. AsshowninFigure7.2,Castillo(2004)hasamodelthatstartswiththeeventthenmovesto operationalrecovery(DRactivity)thentobusinessstabilization(BCandthereafter)thentodamageassessmentandthentoBCPfeedback.Thereshouldbetwoplanningstagesthatleadtothe DRrecoveryandbusinessstabilization.Thesearetermed“preparedness”inCastillo(2004). Clearly,thereareplanningprocessesthatleadtotheplanned-foractivitiesintheIT/DRstages andtheBCstages.Thisgoeswithoutsaying.Butthenaturalresponsetoaneventistoengage inarapidevaluationoftheproblembeforebeginningtherecovery.ThisistrueforboththeIT recoveryaswellasthebusinessrecovery.Commentators(e.g.,Zsidisinetal.,2003)frequently envisionapost-recoveryevaluationofthesuccessoftheprocesses.Thisstageaidsorganizational learningandhelpstoimprovetheprocessofresponseforthenextdisaster. OurownmodelofBCPandDRrecommendscarryingoutITandbusinessassessmentand recoveryphasesinparallel,asshowninFigure7.4.OurmodelisconsistentwithHerbaneetal. (2004),whomakeanicedistinctionbetweenBCPasaone-offprocessorasembedded.Their datashowadistributionacrossseveraldimensionsaboutwhichfunctionalarealeadstheprojectin disasterrecoveryplanning,versusBCP,versusBCmanagement.Theirfindingsarealsoconsistent withWhitmanandMattord(2004). Theparallelmodelaccountsforthefactthatmanyormostdisastersdisablefunctionsacross thefullgamutofthefirm’sprocesses.Thefirststageistheplanningprocess(1.0and2.0),which
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS165
specifiesindetailhowscoping(1.1and2.1),recovery/remediation(1.3and2.3),andadjustment (1.4and2.4)shouldtakeplace.Phases1.1–1.4and2.1–2.4aretheexecutionphases. Thefirstphaseintheresumptionofnormalbusinessactivitiesistofindtheplans,1.0and2.0, andreadtherelevantpassagesthatdescribewhatshouldhappen.Theplansshouldbeconsidered tobeguidelinesthataregenerallyfollowedtotheletter,butinspecialcasescanbesetaside. Thescopingactivityinphases1.1and2.1dealswithdeterminingthenatureoftheproblem andtheextentofdamage.Itisaninformation-gathering,decision-making,andcommunication activitycarriedoutbypersonnelareinchargeoftheexecutionoftheplans.Oncetheextentof thedamageisknown,forinstance,decisionshavetobemadeaboutwhoshouldbeinvolvedin therecoveryandhowtherecoveryshouldproceed.Alistofrelevantkeyexecutivesshouldbe informedandapublicrelationsstanceoutlined. ThedifferencesbetweenthebusinesscontinuityactivitiesandtheITDRactivitiesineachof thephasesisreasonablyclearandneedslittleexplication.Personnelassignmentswillbeaprimary differentiator,buttheunderlyingprincipleisthattherestorationofsystemsandtherestorationof thebusinessneedtobecoordinated,asshowninthemodel. Oncescopingiscompleted,remediationperse(1.2and2.2)canbegin.Ifpersonnelareinvolved, thereshouldbeproceduresforassistancewithmedicalcareandinformingfamilymembers.Employeeswhoareunhurtbutunabletousetheoriginalfacilitiesneedtobeinformedaboutwhat theyshoulddo.Arrangementsforreplacementoffacilitiesandcomputerhardwarewouldbepart ofthisphase.Ifamovetoahotorcoldsiteiscalledfor,thenthiswouldbecarriedoutduringthis phase.Ifthisphaseissuccessful,thefirmhasrestoreditsessentialprocessesbeforeMTBU. Inphases1.3and2.3,amoredetailedassessmentofthescopeoftheproblemandthedamage thathasresultedtakesplace.Organizationsfrequentlyskipthislearningphase,butitiscriticalto engageinthisassessmentinordernottorepeatthemistakesthatwillhaveundoubtedlyoccurred inthepriorexecutionphases.Moreover,theadjustmentstage(1.4and2.4)willonlybepossible iftheorganizationhaslearnedhowtorefinetherecoveryprocedures. ApplicationoftheModeltoaHypotheticalExample Considerasituationwhereafirmadherestothisparallelmodelinadisaster.Imagineaterrorist actthatdestroysafirm’smaindatacenterfacilitywhichalsohousesacentralbranchoftheonlinesalesorderdivision.Keypersonnelhavebeeninjuredorkilled.Thereiswidespreadphysical damagetothefacilitiesthemselves. Inthiscaseasinmanyothers,restorationofcomputerequipmentandsystemsisanactivity thatmusttakeplaceinparallelwiththerestorationofbusinessprocesses.BCPandtheDRplan, up-to-datecopiesofwhicharepresentinnumeroussitelocations,specifyhowthefirmshould restore services. The DR plan says that distributed databases are housed in the firm’s online division.Thesearefullyrecoverablefromsitesthatwerenotsubjecttothedestruction,andthe handlingofbusinesstransactionscanbeswitchedtothenewlocations.Activitiestorestorethe revenuesofthefirmneedtoconsiderpersonnelandfacilities,aswellassystems.Fortunately, personnelinthefirm’sundamagedfacilitiesinremotelocationshavebeencross-trainedtohandle customersforbothtraditionalandonlineorders.Detailedworkflowdiagramsarealsoavailable toassistthetemporarypersonneluntilfull-timereplacementscanbefound.Activitiestoreplace thefacilitiesandthepersonnel,who,note,spantheITandsalesdepartments,arelikewisespecifiedintheBCplan. Oncethebusinesshasstabilized,thefirmengagesinananalysisofhowwellitsstaffdid.They learnthatthedatabaseswerenotfullyrecoverableattheancillarysitesandthatsomecustomer
166 STUCKE, STRAUB, AND SAINSBURY
orderswherelost.Theyalsolearnthattheback-upfacilitiesdidnothavecompleteworkflowsand thatsomeoftheemployeeswhohadbeencross-trainedhadforgottentheprocedures.Methodsfor dealingwitheachofthesedeficienciesareidentifiedandcorrectionsmadesothatshouldanother emergencyoccur,thefirmwillbeevenbetterprepared. Theremaybeoccasionswhenadisasteratfirstseemstoberestrictedtosystems,butturns outtobebroaderthanthat.Inthiscase,onecanconceiveoftheactivitiestakingplaceserially, inthemannersuggestedbyCastillo(2004).Thefirstactivitywhenaneventinvolvingcomputer systemsorpersonneloccursistorespondwitharapidassessmentofdamageandactionsto ensurethatnofurtherdamageoccurs.Thisresponse“phase”isfollowedbyarepairingofthe damagecreatedbytheevent.Theintentionhereistorestorenormalinformationprocessingas soonaspossible. Letusconsiderashortexamplethatillustratesthevariousdimensionsoftherecoveryprocess. Supposethatahackerhassuccessfullyattackedafirm’se-mailsystemanddestroyedcurrentfiles ontheserverandplantedvirusesinothers.Employees,suppliers,andcustomerscannotnowconnectwitheachotherandthebusinessissufferinglossesofnewordersaswellasgoodwillfrom currentcustomersexpectinginformation. ITmanagersandprofessionalsmustfirstassesswhichfileshavebeendestroyedandwhythe systemhasceasedtofunction.Actionstosecurethee-mailsystemagainstfurtherabusearenow relevantasareactionstorecoverthesystemthroughloadingofbackupfilesandsoftwareinto thesystem. Letusfurthersupposethatthemanagerofthenetworkresponsibleforthesystemhasbeen unabletorestorethesystemafteraweekoffranticwork.Thefirm’scustomersareextremelydissatisfiedandthefirm’sexecutiveshaveterminatedtheemployofthenetworkmanager.TheBC planisactivatedatthispointandaninterimmanagerisappointedwhohasbeencross-trainedin networkmatters.Thispersonisabletorestorethesystem,butnotwithouthiringfairlyexpensive consultantswhohadbeenvettedaspartoftheBCP.Archivesthathadbeencreatedtheweekbefore thesystemwentdownwerealsocorrupted,apparently,andtheinterimmanagerandtheconsultants discoverthisproblemandretrieveandrestoreuncorruptedfilesandreactivatethesystem. Thus what at first seems to be a problem restricted to the IT unit soon involves personnel mattersthatgobeyondwhatiscoveredintheDRplan.Thisisthepowerofalwaysthinkingof recoveryasaparallelprocess. NEWSTUDIESTOINCREASEUNDERSTANDINGOFBCP/DR TheoverridingprobleminthedomainofBCP/DRisthelackofscientificeffortinthisvein. Therehavebeenimportanttechnicalsolutionsregardingrestorationofsystems,andthetechnologiestomirrorsystemsordistributethecomputingneedsarewellunderstoodatthistime. Systemsdevelopmentprocessesincorporatingsecurityconcerns,includingBCandDR,arestill fairlyrare,4andthatcontinuestobeaserioustechnicalissue.Butthetechnologytoguaranteea fullrecoveryisalreadypresent.TheprimaryissuesthatremaininBCPandDR,are,therefore, managerial. ItiseasiertopresentwhatwedoknowratherthanwhatwedonotknowaboutthemanagementofBCandDR.Asstatedearlier,thereissomeempiricalevidencethatorganizationsare ill-preparedfordisasters.Evenwhentheyhaveplans,whichmayberare,theseplanstendnotto bethoroughlytested.Organizationshaveadoptedastrategyofdeployingscantresourcesinthis areaandtomakeuplosses,intherareeventthattheydooccur,withinsurance. Table7.4presentsasetofquestions,theanswerstowhichcouldmakeahugedifference
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS167 Table7.4
ScientificQuestionsinNeedofFurtherStudy Area
Issue
Impact
1.OverallBCP/DR
1.1Areorganizationsthatplanfor recoveryofbusinessandsystems andtesttheirplansbetterableto cope?
Knowingabreak-evenpointin ordertogainacomfortlevelof protectionwouldhelporganizations managethisactivity.
1.2Whataretheirrelativelevelsof investment?
2.ModelsofBCP/DR
1.3Docustomersandsuppliersof thefirmviewanintegratedeffortof thefirmforhighpreparednessto bestrategic?
Insightsintowhetherpreparedness isonlyacostorcouldbe positionedasastrategicadvantage wouldstrengthenbusinesscases forBCP/DR.
2.1Whataresuccessfulmodels ofthephasesofrecovery?
Knowingwhetherthereisa standardmodelwouldaidfirmsin thenormativedevelopmentoftheir ownplans.
2.2Whatfactorsleadtogreater awarenessandcommitmentof managers(andotherstakeholders) totheconceptofBCP/DR?
BCP/DRinvolveslarge-scale investments.Gainingexecutive supportiscritical,butatthe moment,itisunclearhowthis shouldbedone.
3.OutsourcingofBCP/DR 3.1Whataretherisksandbenefits Securityplanningandexecution tooutsourcingtheentireeffortor functionsforBCP/DRaredifferent selectedpartsoftheeffort? enoughfromotheroutsourcing domainsthattheycallforseparate researchefforts. 4.DeploymentofBCP/DR 4.1Whatarethedifferentialcosts andbenefitsofcoldsitesversus hotsitesversusdistributed processing?
Organizationscurrentlylack guidelineswithrespecttofacilities solutions.
inthecreationandimplementationofcontingencyplans.Eachofthemwillbediscussedin detailbelow. DetailsonIssues1.1–1.2 BeforeastudyoftheoveralleffectsofBCP/DRcantakeplace,weneedtoknowtherelative levelsofinvestmentofdifferentindustries.Thereissomeevidence(McEachern,2002)thatthe largerplayersinfinancialservicesarespendingsignificantfundsinthiseffort,butthisislikelya functionofthestringentregulatoryenvironment,intheUnitedStatesatleast.Organizationsthat arenotrequiredtoinvestmaynotbedoingso.Anecdotalevidencesuggeststhatthisisthecase, butourrealknowledgeofthestateofaffairsislackingatthistime. Riskmanagementexpertisewouldseemtobeanaturalinapplyingschoolsofthoughtthatcan pitlevelsofinvestmentandriskagainstoutcomeslikeadequacyofresponseandnon-survival. TheunderlyingquestioniswhetherBC/DRplansthathavebeenexercisedmakearealdifference ornot.OnecouldspeculatethatthereisaU-shapedcurveaboutinvestmentsinthisarea.Ifone spendstoomuch,theremaybenojustificationfortheexpensesandthefirmbecomesuncompeti-
168 STUCKE, STRAUB, AND SAINSBURY
tive.ThisistheoppositeoftheargumentofHerbaneetal.(2004),whichisthatBCPcanbeseen unreservedlyasastrategicadvantage. DetailsonIssue1.3 ItisonethingtoarguethatBCP/DRiscostbeneficial.Itisanothermattertoarguethatitactually confersastrategicandcompetitiveadvantage.Theoriesofcompetitioncouldbeveryrelevantin exploringthisangle.Isthepresenceofawell-builtsetofplansaresourceinitsownright?Ifit isperceivedthatwaybysuppliersandcustomers,aswellasotherstakeholders,thenmanagers wouldneedtomarketthiscapabilitybesidesjustdevelopingit.Knowingtheanswerstosuch questionshelpstopositionBCP/DRamongthevariouscompetingprojectsthatareattemptingto gettheattentionofmanagement. DetailsonIssues2.1 Casestudiesandevenfieldstudieswithalimitednumberoforganizationscanonlytakeussofar inourabilitytogeneralizeandtotheorizeaboutmodelsofBCP/DRprocesses,asintheworkof Zsidisinetal.(2003).DotheBC/DRplanningandexecutionmodelsthathavebeenputforth(and discussedabove)proveoutinpractice?Arethesemodelsnormative,mappingouthowagoodset ofplanscanleadtohigher-performingorganizations?Orarethesemodelsdescriptive,underthe assumptionthat,overall,organizationsalreadyknowwhatisintheirownbestinterest?Inany case,larger-scaleempiricalworkwouldhelptoaddresssuchpressingissues. DetailsonIssue2.2 ThereislittletonoknowledgeaboutwhycertainexecutivesembraceBCPandothersignoreit; thus,desperatelyneededareintellectualinnovationstolearnwhyitisthatmanagersaresowoefullyunderpreparedtoholisticallyprotecttheirinformationassets.Isitculturalfactorsorlackof asevereincidenttheproblemasinthecaseofcomputerabuse(Straub,1990)?Wesimplydonot knowforsureinthatscholarshavenotpursuedtheseissues. Thereareawidevarietyofotherarenaswherepsycho-sociologicaltheoriescanandshouldbe appliedtoBCP/DR.Awarenessoftheproblemofcatastrophesisanimportantfirststep,according tothecasestudyworkofZsidisinetal.(2003)andothersurveys(McEachern,2002).Building onpreviousworkbyGoodhueandStraub(1991),StraubandWelke(1998)offeredatheoretical modeloftheeffectofawarenessonmanagerialperceptionsofsecurityrisk(seeFigure7.5),but whiletheirhypothesistestsweresignificant,theexplainedvariancewaslow.Researchersneedto rejointhestreamofworkandexaminethis“managerialperceptions”modelinnewandvarying contexts. DetailsonIssue3.1 MostcommentatorsacknowledgethatthereisalargeoutsourcingcomponentinBCP/DRefforts. Therehasbeenalarge-scalescientificpushtounderstandthisphenomenon,especiallyintheIS arena(Dibbernetal.,2004).Onemightbetemptedtobelievethatoutsourcingisnotafruitful arenaforfurtherinquiryinBCP/DR.Wewouldargue,however,thatBCP/DRposechallenges thatgofarbeyondtheworkininformationsystemstodateinthattheeffortcrossesfunctional linesandengagesthevitalquestionofwhatpartofthefirmshouldorcouldnotbeoutsourced.
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS169 Figure7.5 ModelforManagerialPerceptionsofSecurityRisk
Organizational Environment Beliefs about industry susceptibility to industry risk
IS Environment
Manager Perceptions
Beliefs about actions already taken to secure systems effectively
Managerial concern about systems risk
Individual Characteristics Awareness / knowledge of systems and local systems risk
Source:FromStraubandWelke,1998.
Inshort,thescaleofinquiryismuchlargerthanthetypicalISoutsourcingresearchproject.And theresultsareexceedinglyimportant. Thisisafallowfieldatthemoment.Weareawareofnoworkthathaspursuedthesecritical questions.Thetheorybasesarereadilyapparentintheliterature(Dibbernetal.,2004).Whatis requiredisthecommitmentofanewgenerationofscholarstoaddresstheneed. DetailsonIssue4.1 Traditionallythesolutiontoalossoffacilities,eitherbusinessordatacenterfacilities,hasbeen “cold”or“hot”sites(Straub,2004).Coldsitesarelessexpensivebecausetheyprovideaccess toonlythebasicinfrastructure,suchasheated/air-conditionedspace,electricity,loadingdocks, networkconnections,andsoon.Inahotsite,officefurniture,filecabinets,printers,workstations, large-scalemainframesandservers,andsoforth,areaddedtothebasicinfrastructureataprice. Whatwedonotknowaboutthesetwooptionsiswhetheroneoutperformstheother,especially undercertaincircumstances.Istheextracostofahotsiteworthwhile?Onecleardisadvantageof acoldsiteisthatittakestimetopurchasethefurnitureandworkstations,havetheminstalled,and then,inthecaseofrestoringthecomputingenvironment,reloadingalltherelevantsoftwareand dataonthem.Aretheopportunitycosts,lostcustomers,anddisgruntledsuppliersandemployees worththedifferenceincost?Theanswertothesequestionsisnotclearinthattherehasbeenno significantscientificworkalongtheselines. Anotherviablequestionishowwellthethirdmajorsolution,distributedcomputing,works.
170 STUCKE, STRAUB, AND SAINSBURY
AsSnowetal.(2005)argue,therewouldbefewoccasionswhereadistributedcomputingoption wouldnotwork,andthecostsinthiscaseareembeddedintheredundanciesinh/w,s/w,and personnelrequiredatmultiplesites. CONCLUSION BCP/DRhasbeenasubjectofsomeinterestinthetradepressfordecades.Therehasbeenasmatteringofacademicinterestinthetopic,butbeyondafewcasestudies,thescientificeffortinthe domainhasbeenslight.Thecurrentmodelsforhowtoorganizetheeffort,howtodevelopgood plans,andhowtoexercisethemhavebeenarticulated,butremain,forthelargepart,unexamined fromascientificstandpoint. Researcherswhoareinterestedintheintersectionbetweenorganizations,systems,andmanagementwouldprofitfromconductingresearchinthisincreasinglyindispensablearea.Whereasthis researchisfraughtwithproblems,particularlybecauseorganizationsarebeingaskedtodivulge theirinternalsecurityarrangements,itisimportantforsocietyandtheacademyitselfthatthe initiativebeseizedandthatacommitmentbemadetothescientificendeavor. NOTES 1.HerbaneandElliott(1997)defineBCPasaprocessthat“seekstoassessandpreparefordisruptions inallbusinessactivities.”ThisdefinitionstresseswhathappensinBCP,whereasCastillo’sdefinition(2004) focusesonBCP’sprimarygoal:tomaintainrevenues. 2.Thisdefinitionaccordswellwithotherdefinitionsandconceptualizationsincurrencyinthisdomainfor alongtime.SmithandSherwood(1995)saythat“theobjectiveofthebusinesscontinuityplanningexercise istoensuretherecoveryinanacceptabletimeframeofthebusinessasawhole,followinganincidentwhich causesmajordisruptiontobusinessoperations”(p.15). 3.Thesituationismuchbetterinfinancialservices,asmightbeexpectedgiventheintensiveregulatory environmentforthisindustry(McEachern,2002).Evenhere,smallerfirmsweremuchlesspreparedfor emergenciesthanlargerfirms,withtheirsurplusresources. 4.TheseminalworkonthiswascarriedoutbyBaskerville(1993).Inspiteofthisearlieridentification oftheproblem,littlehasbeendonetorectifytheissuesincethe1990s.
REFERENCES Aasgard,D.O.;Cheung,P.R.;Hulbert,B.J.;andSimpson,M.C.1978.AnEvaluationofDataProcessing“Machine Room”LossandSelectedRecoveryStrategies.MISRC-WP-79–04.Minneapolis:UniversityofMinnesota. Barney, J.B. 1991. Firm resources and sustained competitive advantage. Journal of Management, 17, 1, 99–120. Barney,J.B.1996.Theresource-basedtheoryofthefirm.OrganizationScience,7,5,469. Baskerville,R.1993.Informationsystemssecuritydesignmethods:implicationsforinformationsystems development.ComputingSurveys,25,4,375–414. Castillo,C.2004.DisasterpreparednessandbusinesscontinuityplanningatBoeing:anintegratedmodel. JournalofFacilitiesManagement,3,1(June),8–26. Dibbern,J.;Goles,T.;Hirschheim,R.;andJayatilaka,B.2004.Informationsystemsoutsourcing:asurveyand analysisoftheliterature.DATABASEforAdvancesinInformationSystems,35,4(December),6–102. Eisenhardt, K.M., and Martin, J.A. 2000. Dynamic capabilities: what are they? Strategic Management Journal,21,1105–1121. Freeman,R.E.1984.StrategicManagement:AStakeholderApproach.Boston:Pitman. Goodhue,D.L.,andStraub,D.W.1991.Securityconcernsofsystemusers:astudyofperceptionsofthe adequacyofsecuritymeasures.Information&Management,20,1(January),13–27. Herbane,B.,andElliott,D.1997.Contingencyandcontinua:achievingexcellencethroughbusinesscontinuityplanning.BusinessHorizons,40,6,19.
CONTINUITYPLANNING/PROTECTIONOFINFORMATIONALASSETS171 Herbane,B.;Elliott,D.;andSwartz,E.M.2004.Businesscontinuitymanagement:timeforastrategicrole? LongRangePlanning,37,5(October),435–457. Huber, R.L. 1993. How Continental Bank outsourced its “crown jewels.” Harvard Business Review, (January–February),121–129. Karakasidis,K.1997.Aprojectplanningprocessforbusinesscontinuity.IndustrialManagement&Data Systems,97,8,320–326. Killcrece, G.; Kossakowski, K.-P.; Ruefle, R.; and Zajicek, M. 2003. State of the Practice of Computer SecurityIncidentResponseTeams(CSIRTs).CarnegieMellonUniversityTechnicalReportCMU/SEI2003-TR-2001,ESC-TR-2003–2001. McEachern,C.2002.BCPsurveyyieldsfirstlookatWallStreet’spostSept.11preparedness.WallStreet &TechnologyOnline,October31. Nemzow, M. 1997. Business continuity planning. International Journal of Network Management, 7, 127–136. Pfeffer,J.,andSalancik,G.R.2003.TheExternalControlofOrganizations:AResourceDependencyPerspective.Stanford,CA:StanfordUniversityPress. Pitt,M.,andGoyal,S.2004.Businesscontinuityplanningasafacilitiesmanagementtool.Facilities,22, 3/4,87–99. Rodetis,S.1998.Canyourbusinesssurvivetheunexpected?JournalofAccountancy,(February),27–32. Sambamurthy,V.;Bharadwaj,A.;andGrover,V.2003.Shapingagilitythroughdigitaloptions:reconceptualizingtheroleofinformationtechnologyincontemporaryfirms.MISQuarterly,27,2(June),237. Smith,M.,andSherwood,J.1995.Businesscontinuityplanning.Computers&Security,14,1,14–23. Snow,A.P.;Straub,D.;Baskerville,R.;andStucke,C.2005.Thesurvivabilityprinciple:IT-enableddispersal oforganizationalcapital.GeorgiaStateUniversityworkingpaper. Straub,D.W.1990.EffectiveISsecurity:anempiricalstudy.InformationSystemsResearch,1,3,255–276. Straub,D.W.2004.FoundationsofNet-EnhancedOrganizations.Hoboken,NJ:JohnWiley&Sons. Straub,D.W.,andWelke,R.J.1998.Copingwithsystemsrisk:securityplanningmodelsformanagement decisionmaking.MISQuarterly,22,4(December),441–469. Swanson,S.;Wohl,A.;Pope,L.;Grance,T.;Hash,J.;andThomas,R.2002.ContingencyPlanningGuide for Information Technology Systems. NIST Special Publication 800–34 (available at http://csrc.nist. gov/publications/nistpubs/800–34/sp800–34.pdf,accessedonFebruary4,2006). Teece, D.J.; Pisano, G.; and Shuen,A. 1997. Dynamic capabilities and strategic management. Strategic ManagementJournal,18,7,509–533. Wheeler,B.C.2002.Thenet-enabledbusinessinnovationcycle:adynamiccapabilitiestheoryforassessing net-enablement.InformationSystemsResearch,13,2(June),125–146. Whitman,M.E.,andMattord,H.J.2004.ManagementofInformationSecurity.Boston:Thomson. Zahra, S., and George, G. 2002.Wheeler’s net-enabled business innovation cycle and a strategic entrepreneurshipperspectiveontheevolutionofdynamiccapabilities.InformationSystemsResearch,13,1 (March). Zsidisin,G.A.;Ragatz,G.L.;andMelnyk,S.A.2003.Effectivepracticesinbusinesscontinuityplanningfor purchasingandsupplymanagement.MichiganStateUniversityworkingpaper. Zuckerman,G.,andCowan,L.2001.Atthetop:CantorFitzgeraldtookprideinitspositionattheWorld TradeCenter.WallStreetJournal,September13,C11. Zuckerman,G.;Davis,A.;andMcGee,S.2001.Inthewakeofcarnageofterrorattacks,theCantorthatwas willneverbeagain.WallStreetJournalOnline,October27.
PARTIII PROCESSESFORSECURINGTHE EXTRA-ORGANIZATIONALSETTING
CHAPTER8
INFORMATIONSECURITYPOLICYIN THEU.S.NATIONALCONTEXT WILLIAMJ.MALIK
Abstract:Thischapteraddressesthehistory,currentstate,andlikelyfutureevolutionofinformationsecuritypolicyinthenationalcontext.Thefirstsectionsurveyseventsoverthepastforty yearsthathadsignificantconsequencesforthedevelopmentofinformationsecuritypolicies.The secondsectionevaluatesthecurrentstateofinformationsecuritypolicyintheUnitedStates.The thirdsectionexaminesgapsbetweenwhataneffectiveinformationsecurityprograminanational contextmightrequireandwhatisavailablenow,withsomesuggestionsastofutureareasrequiringattention. Keywords:InformationSecurityPolicy,InformationSecurityNationalPolicy,InformationSecuritySocialImpact,InformationSecuritySocietalImpact,InformationSecurityPoliticalImpact, CyberspacePolicy INTRODUCTION Throughout the history of computing, the people involved have chosen one of four strategies forgovernance(asdefinedbyLessig,1999).Thesechoicesweremadeunconsciously.Nowthat computingisavailabletosocietyatlarge,themechanismsforgovernancerequireenhancement toaddresstheneedsandchallengesthatalarger,untutoredpopulationfaces. Informationsecurityisprimarilyamatterofeconomics,nottechnology:Ifthevalueofthe informationisgreaterthanthecostofobtainingit,theinformationisnotsecure.Information securitypolicyisthesecondelementofaninformationsecurityprogram.Theprimaryelementis effectivegovernance.Theremainingelementsarediscussedbelow. Governanceismorethanlaw.Withinanenterprise,informationsecuritygovernanceconsistsof thosemanagementmechanismsdesignedtoassuretheexecutiveleadershipteamthattheemployees are(1)awareoftheinformationsecuritypolicyand(2)inconformancewithit.Whiletheprimary sanctionforviolationofanycorporatepolicymaybejobloss,enterprisesrarelyfireindividuals. Instead,througheffectivegovernancemechanisms,theemployeesperformtheirbusinessfunction whilemaintainingconformancewithpolicy. Incivicsociety,governanceisagainmorethanlaw.Thischapterexploresthepossiblegovernancemechanismsavailabletonationalleadershiptoensurethatcitizensgenerallyare(1)aware ofinformationsecuritypolicyand(2)inconformancewithit.Theprimarysanctionimposedby governmentmaybelegal,butpolicerarelyarrest—andprosecutorsrarelyprosecute—citizensfor informationsecuritybreaches.Itistheintentofthischaptertoexplorethefullrangeofeffective governancemechanismsapplicabletocivicsociety. 175
176 MALIK
U.S.INFORMATIONSECURITYPOLICYEVOLUTION Aninformationsecuritypolicyshouldguidepeopletocorrectbehaviorwhenusinginformation technologies.Effectiveguidancetakesmanyforms.Lessig(1999)observesthattherearefour waystogovernbehavior: • • • •
Economics Socialpressure Architecture Law
Heillustratesthisbydiscussinghowthismightapplyinaschoolwherestudentsspeedinthe parkinglot.Theuseoflawwouldmeanpostingaspeedlimitsign,withtheimplicationthatspeederswhencaughtmightfacelegalsanctions.Economicpressuremightmeanassigningamonitor thetaskofobservingtraffic:Whensomeonedrivestoofast,themonitorwouldnotethecarand assessasurchargeontheowner’sschoolfees.Socialpressuremightmeanaskingtheteachersto mentionthatspeedingintheparkinglotsisdangerous.Finally,anarchitecturalsolutionmight meaninstallingspeedbumps. Forthepurposesofthisdiscussion,wewillobservehowvariousformsofbehavioralgovernance comeintoplayacrossthehistoryofinformationtechnologyuse,wheretheywork,andhowthey fail.Thedecisiontodeployoneoranotherofthesetechniquesisanexpressionofgovernance, embodiedinpolicy. ITGovernancethroughEconomics Socialinformationsecuritygovernancepresentsdistinctproblemscomparedwithgovernancein corporations.Awell-craftedcorporateinformationsecuritypolicymayhaveastatementsimilar tothis: Theinformationtechnologyresourcesofthisfirmaretobeusedformanagement-approved purposesonly.Anyotherusemayleadtodisciplinaryaction,possiblyincludingtermination ofemploymentorlegalaction. Corporationsexerciseeffectiveeconomicpressureovertheiremployees.Civicsocietylacksthis capability.Forthatreason,socialgroupsrelyontheotherforcesofgovernance. Inaddition,corporationscanexerciseeconomicpressureovertradingpartners,requiring,for example,adherencetominimumsecuritypolicies.Forexample,therushbybothstartupand establishedcompaniesintoInternetcommerceledtoincreasedconcernsabouttheadequacyof securitypolicies.Businesseswereeagertoexploitthelow-costchanneltheInternetprovided, buttherewereconcernsthat,withoutatrustworthyplatform,consumerswouldnotbewillingtopurchasegoodsandservicesovertheInternet.Duringthelate1990stherateoffraud forInternettransactionsparalleledtherateforcard-not-presenttransactions,suchascatalog ordersoverthetelephone.Inresponse,Visacommissionedastructuretogovernmerchants wantingtouseVisacardsontheInternet.MandatedinJune2001,Visa’sCardholderInternet SecurityProgram(CISP)(Visa,2005)settechnicalandproceduralstandardstominimizethe riskoffinancialfraud.FirmswishingtouseVisacardsmustcomplywithCISP.Visaaudits merchantcomplianceoccasionally.In2005,aconsortiumofpaymentcardprocessorsdefined
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT177
the Payment Card Industry (PCI) Data Security Standard (DSS), which mandates security measuresthatmerchantsmustfolloworrisklosingtheirabilitytoprocesscreditanddebit cards(PCI,2007). ITGovernancethroughSocialPressure In1977,personalcomputersliketheAppleII,theTandyTRS-80,andCommodorePetarrivedon theretailmarket,andby1979SoftwareArtswasformedtomarketVisiCalc,soonacknowledged tobethe“killerapplication”forpersonalcomputers.By1981,IBMaddedsubstantialrecognition ofpersonalcomputersasseriousbusinesstoolswiththeIBMPersonalComputer.Eventually, cheapPCmodemsdrovee-mailtoovertakespreadsheetsasthe“killerapp.”Theseearlypersonal computersevolvedrapidlytoofferhobbyistswidespreadpublictelecommunicationsconnectivity tobulletinboardservicesandelectronicmail.Thesepersonalcomputerhobbyistsformedsmall, self-organizingcommunitieswhereinsocialpressureservedtogovernbehavior. Aslocalareanetworking(LAN)forpersonalcomputersflourishedintheearly1980s,relatively smallworkgroupsalreadygovernedbyorganizationalpoliciesandpeerpressuresuppressedaberrantbehavior.Securityissueswerelimitedtotheaccidentalintroductionofavirusviaafloppy disk.Smallgroupsinformallysettheiracceptableusepoliciesbyconsensusandenforcedthem withsocialpressure. Alsointhemid-1980s,PacificBellexperiencedaseriesofhacksthatultimatelyweretraced toanindividualintheNetherlands.CooperationbetweenU.S.andDutchauthoritieseventually locatedthehacker,asixteen-year-oldboy.TheNetherlandshadnolawcriminalizingtheacts. Theinvestigatorsspokewiththeboy’smother,whotoldhimtostophackingPacificBell.Where lawfailed,socialpressureactuallyworked! In 1986 USENET undertook the “Great Renaming” in response to the concerns of some ARPANETuserswhowereuncomfortablewithtransmittingunconventionalcontent.Long-time usersobservedaninformalcodeofconductthatpreservedanonymityandprivacy—despitethe easewithwhichthosecharacteristicscouldbeviolated.However,thesesamelong-timeusers weredisturbedbythebehaviorofnewerusers,andthekindsofcontenttheseneweruserswere distributing.TheearlierstructureofUSENEThadthreehigh-levelqualifiers:net.*forunmoderatedgroups,mod.*formoderatedgroups,andfa.*fortopicsfromARPANET.Thespecific capabilityintroducedwasthe“alt.*”qualifier,forcontentthatfelloutsidethenorms.Derivedas anabbreviationfor“alternative,”thealt.*hierarchybecameinformallyknownastheacronymfor “anarchists,lunatics,andterrorists”(TheGreatRenaming,2005).Socialpressureasamechanism formaintaininginformationintegrityeroded. ITGovernancethroughArchitecture PoliciesofPhysicalAccessControl Inthe1960sandbefore,computerswereexpensive,solitarydevicessecurelylockedinguarded facilities.Someorganizations,wantingtodisplaytheirmulti-million-dollarinvestment,builtlarge interiorwindowsopeningontothecomputerroom,givingrisetothename“glasshouse.”Access controlsincludedpassingaguard,presentingcredentials,andsigningin.Work,intheformofa deckofkey-punched80-columncards,wasdeliveredtoascheduler’swindow.Jobswereprocessed inbatchesovernight,withtheoutputlistingsdeliveredthenextmorning.Manyofthesetermsin usetodayincorporatemeaningsdevelopedinthoseearlydays.
178 MALIK
PoliciesofLogicalAccessControl Inthelate1960s,commercialcomputersbegantooffernon-programmableterminals.Thesenetworks werestatic,withchangescontrolledcentrally.Computersecuritywasentirelyprovidedbyrestrictingphysicalaccesstothecomputeritselfandtotheterminals.Jobsranoneatatime,withaccessto datagovernedbytheoperator,whomountedtapeorDASDvolumesinresponsetorequestsfrom thebatchjob.Storagewasexpensive,solittleinformationwaspermanentlyon-line.Innovationsin systemdesignallowedmultiprocessingsystems,inwhichmultiplejobscouldrunconcurrently.This presentedtheproblemthatjobAmightbeabletoaccessdatabeingusedbyjobB.Manyvendors tookmeasurestopreventthispossibility,andaccesscontrolrequirementsbecamewellunderstood. InOctober1981IBMissuedastatementofsystemintegrity(IBM,1981)committingtofixwithin twenty-fourhoursanysituationallowinganyusertoaccessanotheruser’sinformation. PoliciesofNetworkPerimeters Withthedevelopmentofthenetworking,theproblemofcomputersecuritygrewbeyondtheproblem ofphysicalaccesstothecomputer.Tensionsdevelopedbetweentheproblemofdataconfidentiality versuseaseofaccessforenhancedcollaboration.Therewasnoeffectivemodelandcommercial informationsecurityreliedonphysicalisolationandthepreservationofaperimeter. Internet-connectedcomputersbydefaultwereopenonallportsandrespondedtoallprotocols. Thisopennesswasidealforresearchbutinappropriateforcommerce,whereprotectionofintellectualpropertyisparamount.Eventually,aportfoliooftechnologyemergedtomanageriskfrom Internetconnectivity,forexample,firewalls(CheswickandBellovin,1994). WhiletheopeningtechnologiesfortheWorldWideWebwererelativelyunsecured,by1994 MosaicCommunicationsreleasedNetscape(Mosaic,1994).Asidefromitsgraphicalinterface,the productincludedsecurityfeaturessuchasencryptionandserverauthentication.Commercialservices likeonlineshoppingandbankingbecamefeasible.ItacceleratedInternetuseandbroadenedthe numberanddiversityofusers.Opportunitiestousesocialpressuretoestablishmoresofbehavior declined.Thelackofgovernanceofcontentoruseofinternet-basedmaterialsenabledawide diversityofexpression(sometimescausingconcernamongvarioussub-communitiesofusers). PoliciesEstablishedonExternalStandards In1984aseriesofstandardsdesignatedISO7498describedtheseven-layerOSIreferencemodel andmappedcoresystemsmanagementfunctionsagainstthatmodel.Thesestandardscollectively definedbasicqualityofservicerequirements.ISO7498–2mappedsecurityrequirementsagainst theOSIreferencemodel.Thisstandardidentifiedfivecoreinformationsecurityfunctions: • Identificationandauthentication(useridentification) • Accesscontrol(whatrightsdoesanidentifieduserhave) • Dataconfidentiality(usuallyencryption) • Dataintegrity(howtoverifythatinformationhasnotbeenaltered) • Non-repudiation(alegalconceptmeaningthattheauthorofamessagecouldnotdeny authorship) Notethatthesefunctionsrepresenttheimpactofnetworkingoncomputing.Inastand-alone mainframe,theonlyrelevantsecurityfunctionsareI&A,andaccesscontrol.Thereislittlereason
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT179
toencryptdataonamainframe(baringhardwareorsoftwarefailures,suchasafailureintheaccesscontrolmechanism);dataintegrityissuesonlyarisewhendatamovefromonelocationto another;andwithouttransmissionofinformation,non-repudiationistrivial. Themechanismstodefineandmaintainthesefunctionsgaverisetopolicieswithinvarious organizationalcontexts—enterprisesorgovernmentalagencies,forinstance.However,computing hadnotyetattractedamassaudience,whichwouldhaverequiredgovernmentalinfluenceover citizens.Mostpeoplewhointeractedwithcomputersdidsothroughthoseformalorganizational contexts,andthegovernanceandpolicymechanismsdefinedforthoseorganizationsweresufficient.NothingintheISOstandardssuggestedanysystematicapproachtothegovernanceof informationtechnologyasawhole. Therainbowserieswaspublishedfrom1983(theoriginalOrangeBookonTrustedComputer SystemEvaluationCriteria—TCSEC)throughFebruary1994(thePurpleBook,coveringcontract andprocurementguidelinesforsecuresystems).Therainbowseriesdiscussesaspectsofthesoftwaredevelopmentlifecycleforsecuresystems,althoughtheapproachdidnotactuallyprovide anoverallcritiqueofthesoftwaredevelopmentlifecycle.TCSECdefinedfourlevelsofsecurity withincreasingstrength,andsubordinategraduations: A1Verifieddesign B3Trustedrecovery,securitydomains B2Structuredprotection B1Mandatoryaccesscontrol,labeledprotection C2Controlledprotection C1Discretionaryaccesscontrol D Minimalprotection TheU.S.governmentattemptedtouseitsleverageasalargeconsumerofinformationtechnology todrivevendorstoimproveinformationsecurityintheirproducts.Therallyingcrywas“C2in’92!” Somevendorsfollowedthatlead;IBMreleasedaseriesofproductssupportingB1levelsecurity forthemainframeenvironmentinlate1990(IBM,1990).Ingeneral,however,thecommercial uptakewasverylimitedbecauseoftheextracostandcomplexity.Regardless,therefolloweda proliferationofnationalcomputersecuritypolicyinitiativesstyledaftertheU.S.rainbowseries, suchastheBritishWhiteBookandtheGermanGreenBook.Recognizingthatmultiplenational approachesdidnotresolvetheglobal,borderlessnatureofcomputersecurity,inJanuary1996 theUnitedStates,theUnitedKingdom,Germany,France,Canada,andtheNetherlandsjointly publishedtheCommonCriteriaasagreedjointcriteria(NSA,2005;CommonCriteria,2005). UltimatelythisjointcriteriastatementevolvedintoISO/IECstandard15408. In1993agroupofBritishbusinesspeoplemetinformallyinLondontoderiveasetofbaselineinformationsecurityfunctionsusefulforbusiness,wheredataconfidentialitywasone,but nottheonlyormostimportant,concern.ThisinformalgroupeventuallydevelopedBS7799, originallypublishedin1995,whichofferedindependentsecurityevaluationforthesevarious functions,ratherthanoneratingforanentireenvironment.ThisstandardbecameISO17799 inDecember2000.1 Atthesametime,agroupinEuropesoughtabetterwaytoorganizetheinformationsecurity programbymakingexplicittheorganizationalcontextinwhichpolicywasapplied.Thisgroup, includingtheheadofsecurityfortheSWIFTnetwork(Europe’sequivalenttoFedWire),developed astandardcalledCOBIT(ControlObjectivesforInformationandrelatedTechnology).COBIT requiredaclearstatementofnotonlywhatwastobedonebutwhoperformedthetask,where
180 MALIK
theinputscamefrom,wheretheoutputswent,andwhoverifiedthecompletionofthetask.This standardwassponsoredbytheInformationSystemsAuditandControlAssociation(ISACA).By makingtheauditfunctionanintegralpartoftheworkflow,thestandardmaderegulatorycompliancestraightforward(ISACA,2005).Themostrecentversionsofthesestandardsreachpast theexistingframeworkforconventionalaudittosuggestgovernanceandpolicyapproachesfor managinginformationsecurityrisk. ITGovernancethroughLaw InNovember1983FredCohenshowedaself-replicatingsoftwareprogramtoaweeklyseminar oncomputersecurity.LenAdleman,leadingtheseminar,namedtheprogramavirus(Cohen, 1984).Hisrequestsforresourcestoperformfurtherexperimentsweredeniedbytheuniversity. Theirrationalewasthatanysuccessfulsecuritybreechweakenedthesecurityofthesystem.This conceptualerrorresultedfromtheadministration’srelianceonthenotionofaperimeter—abreech inaphysicalwallonlyexistsafterithasbeencreatedbyanattack.Infact,Cohen’ssubsequent workinhisdoctoraldissertation(Cohen,1986)showedthatsystemsthatperformusefulwork willbevulnerable.Hedemonstratedthatthereisnoperimeter.Theclosingsentencesofhis1984 reportstate: Theproblemswithpoliciesthatpreventcontrolledsecurityexperimentsareclear;denying userstheabilitytocontinuetheirworkpromotesillicitattacks;andifoneusercanlaunch anattackwithoutusingsystembugsorspecialknowledge,otheruserswillalsobeable to.Bysimplytellingusersnottolaunchattacks,littleisaccomplished;userswhocanbe trustedwillnotlaunchattacks;butuserswhowoulddodamagecannotbetrusted,soonly legitimateworkisblocked.Theperspectivethateveryattackallowedtotakeplacereduces securityisintheauthor’sopinionafallacy.Theideaofusingattackstolearnofproblemsis evenrequiredbygovernmentpoliciesfortrustedsystems.Itwouldbemorerationaltouse openandcontrolledexperimentsasaresourcetoimprovesecurity.(Cohen,1984) Fromapolicyperspectivethispositionwasuntenable;policyonlycoveredaclosedsetof individuals—thosewithphysicalornetworkaccesstoacomputer.Otherswerenotcoveredand soconsideredtrespassersorcriminals.Fromacivicgovernanceperspective,theabsenceoflaw forelectroniccrimewasseenasamajorimpediment.Suchprosecutionsasdidtakeplacewere basedonotheracts—illegalwiretaps,theft,extortionorembezzlement—thatfollowedfromthe hack,notforhackingitself. In1984theU.S.SenatepassedthefirstversionoftheComputerFraudandAbuseAct(18USC 1030).Initiallyitintendedtodefinepenaltiesforunauthorizedaccesstoclassifiedinformation onfederalgovernmentcomputers,aswellasfinancialrecordsandcreditinformationonfederal computersoroncomputersbelongingtofinancialinstitutions.Theoriginalmotivationwasto deterhackersfromattackinggovernmentcomputers.Thelawwasamendedin1986toinclude anyprotectedcomputer.TheActsetjailtermsandfinesformisusingcomputerstocommitfraud, toviolateprivacy,ortodisruptlegitimateactivities.Prosecutionrequiredtotaldamagesinexcess of$5,000,anddamagescouldbeaggregatedacrossvictims(ComputerCrimeandIntellectual PropertySection,2003).Thegovernanceissueherewaslimitingtheaccessofprivateinformation. Noactualtransferofdatawasrequirednorwasanyactualconversionofinformationforgain required.Thislawaddressedprivacyissuesforcomputer-basedinformation.Lawbegantoform thebasisforsocialgovernancewiththisact.
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT181
Duringthissameperiod,ascandalknownasthe“IranContraAffair”includedattemptsto destroydamagingevidencecontainedine-mail.ThenCISdirectorAdmiralJohnPoindexterand WhiteHousestafferLt.Col.OliverNorthcollectivelydeletednearly6,000messages.Unknown tothem,aback-upsystemwasavailablethatretainedtheevidence,andinvestigatorswereableto retrievecopiesofthedeletedmessagesforuseincourt(Walsh,1994,ch.3). Thetwomenhadattemptedtodestroyevidencebutwerethwartedinthatattemptbytheexistence ofbackuptapes(Walsh,1994).Thisincidentunderscoredthecriticalityofinformationintegrity, andtheneedforexplicitorganizationalrecordsretentionpolicies,consistentlyapplied.Thelesson wouldbelearnedagainwhenorganizationsattemptedtodestroycomputer-basedevidence(along withthemassiveshreddingofdocuments)intheEnronscandalin2001. InOctober1988,RobertMorrisreleasedhis“worm”ontheInternet.Soon10percentofthe 60,000+hostsontheInternetwereinfected.RobertMorriswasprosecutedundertheComputer FraudandAbuseAct,andwassentencedtothreeyearsprobation,400hoursofcommunityservice,andfined$10,050inFederalcourt.Followingthisincident,DARPAcreateditsComputer Emergency Response Team (CERT) at Carnegie Mellon University (Longstaff et al., 1997). WhileCERTdidreceiveincidentreportsandprovideanalysisonsolutions,itfunctionedasa clearinghouse for technical information shared among systems administrators. CERT did not addresspolicyissues. In1990,thehackerclubMastersofDeceptioncrackedintoCitibankovera9,600baudmodem.EventuallyataskforceundertheU.S.SecretServicecapturedtheresponsibleparties.They servedjailtermsoftenmonthsandup.Onememberofthattaskforce,BobWeaver,startedthe U.S.SecretServiceNewYorkElectronicCrimeTaskForceafewyearslater. AsITsecuritytechnologiesimproved,earlyattemptstoregulateITsecurityitselfemerged. TheNSAclassifiedstrongencryptionasregulatedundertheITAR(InternationalTrafficinArms Regulations),andprohibiteditsexportfromtheUnitedStates.Thispolicywasintendedtokeep strongencryptionoutofthehandsofregimesthatmightposeathreattotheUnitedStates.While perhaps well intentioned, the regulation encompassed both innocent and socially progressive softwaresuchasPrettyGoodPrivacy(PGP),apeer-structuredencryptionproduct(Zimmerman, 1995).PhilZimmermanreleasedPGPdrivenbyhismotivationtogivesecurecommunications capabilitiestoindividualsworkingforchangeinrepressivesocieties.Anotherunintendedconsequenceofthisregulationwasthatothercountriesenactedlegislationtoimpedetheattemptsof foreign(usually,U.S.-based)companiestoprotecttheirownproprietaryinformation.Unilateral traderestrictionsdonotusuallyresolveglobalpolicyconcerns. Inresponsetocommercialpressure,theencryptionexportrestrictionswereshiftedtotheU.S. DepartmentofCommerce,wheretheyweredroppedin2000.U.S.-basedbusinessescouldnot protecttheirsecretsoverseasbecauseforeigngovernmentsenactedretaliatoryregulations.For example,ShellOil’sdiscoveryofoilundertheCaspianSeain1997wasannouncednotbyShell butbythegovernmentofAzerbaijan,whichrequiredthatforeigncompaniesprovideacopyof anypasswordsandencryptiontoolsusedinitsterritory.Thegovernmentknewofthediscovery atthesametimeasShell’sheadquarters. ThegovernmentofFranceprohibitedtheuseofencryption(citingpre-WWIImisuseofpersonal informationasgrounds)withoutthepermissionofthepresidentandNationalAssembly.Howdid firmscope?Oneexecutivefromalargemanufacturerrevealedthathedidnotencryptinformation,sincethatwouldviolatethelaw.Instead,hisfirmuseda“simpledata-maskingalgorithm”to preservetheprivacyofcertaincriticalinformation.2Thisindicatesafailureofgovernance—when aruleisoverlybroad,peoplewillfindwaysofcircumventingit. InDecember1992,MarcAndreesenwroteMosaicatNCSAoverChristmasbreak.Theproduct
182 MALIK
wasreleasedinFebruary1993andquicklybecamethefaceoftheWorldWideWebandthereby oftheInternetitself(Anonymous,2005).Withintwoyears,ahackerontheWestCoastofthe UnitedStateswasfoundnotguiltyoftrespassingonanothercomputerbecausethehomepagesaid “Welcome!”—anditwastakenasaninvitation.Thevaguenessoflawinthisareapermittedthis interpretation,eventhoughnohousebreakerwaseverfound“notguilty”bynotingthepresence ofadoormatofferingasimilarinvitation.Thisledtovigorousdiscussionofpolicystatementson websites.Followingthisincident,corporatewebhomepagesread:“Thissiteisthepropertyof XYZCorp.Ifyoudonothavepermissiontoenter,youaretrespassingandshouldgoaway.”The effectofthispolicyrealignmentwastotransformwhathadbeenasocialconvention,respectfor thepropertyofothers,intoapossibletortoftrespass. Inlate1993andearly1994,DavidLaMacchia,thenastudentatMIT,distributedcopiesof certaincopyrightedprogramswithoutcharge.Sincethecopyrightlawsprohibitedviolationof copyrightforgain,thisactwasnotprosecutableundercopyrightviolation.Hewasindictedunder the1952wirefraudstatute,butthejudgedismissedthecasebecauseofthebadfitbetweenthe activitiesMr.LaMacchiaundertookandtheintentofthestatute(Hylton,1995). In1994theU.S.SecretServiceNewYorkfieldofficestooduptheElectronicCrimeTaskForce (NYECTF)underSpecialAgentRobertWeaver.Theunit’sinitialworkloadwasinvestigating phonefraudandtheftofcableservices.Then-SpecialAgentWeaverrecognizedthattheSecret Serviceitselfcouldnotcopewiththepaceoftechnologicalinnovation;hisinsightwastodevelopa forumwherelargecompanies(typicallythosethatcouldbecomevictimsofelectroniccrime),law enforcement,prosecutorsfromvariousjurisdictions,privateinvestigators,vendorsofinformation securityandtechnologyproductsandservices,andindustryanalysts(butnotthepress)would meetanddiscusstopicsofcommoninteresttounderstand,thwart,andhelpsolvecriminalacts. Thefirstmeetinghadelevenpeople;thelastonebeforeSAWeaver’sretirementin2003hadover 400.3Hisactivitiesidentifiedlimitationsandgapsinthelegalsystemthatrequiredarethinkingof therelationshipbetweenpoliceagenciesandthepublic.Hisinnovativesolutiontoresolvethose incongruitiesbecameamodelforotherinitiativesnationally.TheNYECTFwascitedasamodel forpublic-privatepartnershipintheUSAPatriotAct(Thieme,2001). InOctober1995,theEuropeanUnionissuedEUDirective95/46/EC,commonlyknownas theEuropeanDataProtectionDirective.Thisdirectiveproposedamodellawprotectingpersonal privacy, following a tradition dating back over a century (European Parliament and Council, 2002).Inthe1880sthedevelopmentofportablecamerasallowedforphotographingindividuals withouttheirpriorconsent.Lawsuitsallegingaviolationofprivacyagainstnewspaperspublishing embarrassingphotographsfollowed.InDecember1890JusticesWarrenandBrandeispublished “TheRighttoPrivacy”intheHarvardLawReview(WarrenandBrandeis,1890).Theydefined threefundamentalprinciplesthatcollectivelycreateprivacy:first,anindividualhastherightto knowwhatinformationisbeinggatheredabouthim;second,anindividualhastherighttogovern howthatinformationisused;andthird,anindividualhastherighttobeleftalone.Thesethree principlesreappearintheEUdirective,inCanada’sPIPEDA(GOC,2000),andinthenational legislationinEUmembercountriesenactingnationallawstomeettheEUdirective. ThePresident’sCommissiononCriticalInfrastructureProtection(1997)identifiedvulnerabilitiesoftheU.S.economybasedonthedegreetowhichinformationtechnologywasincorporated inbusinessandgovernment.Thiscommission,organizedinthefaceofthegrowingcommercial importance of the Internet and information technology generally, and the vulnerabilities this dependencybrought,soughttopairfederaldepartmentswithrepresentativeindustrygroupsto addressinformationsecurityrisks.Forinstance,thefinanceindustry(representedbytheFinancial ServicesRoundtable’sBITS)wasalignedwiththeTreasuryDepartment(BITS,2005).Public-
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT183
privatepartnershipslikethisarethecurrentmodelforgovernanceofinformationsecurityissues atthenationallevel.However,suchpartnershipsstillfacelimitationsandconcerns(seebelow). FollowingtherecommendationsofthePCCIP,PresidentialDecisionDirective63,datedMay22, 1998(PDD63,1998),expandedCERTandimbeddedCERTfunctionsineachfederalagency.PDD 63identifiedeightleadagenciesaddressing19criticalinfrastructures.Thedocumentincludes: 6.EducationandAwareness:ThereshallbeVulnerabilityAwarenessandEducationProgramswithinboththegovernmentandtheprivatesectortosensitizepeopleregardingthe importanceofsecurityandtotraintheminsecuritystandards,particularlyregardingcyber systems. Despitethisnationalpolicy,asofthiswritingnosuchprogramshavebegun. InCleveland,Ohio,in1996,theFBIfieldofficefoundedInfraGardtolinktheFBIwithlocal businesses,inamodelsimilartotheNewYorkECTF(InfraGard,2002).FBIagents,otherlaw enforcementagents,prosecutors,andbusinessownersmeetregularlytodevelopmutualunderstandinganddialogbeforeacomputercrimeoccurs.TheDepartmentofHomelandSecuritywasmade aco-partnerwiththeFBIinInfraGardin2004.MostInfraGardactivitynowconsistsofproviding informationtotheFBIandDHS,anddistributingalertsfromthoseagenciestothecurrent8,000 orsoInfraGardmembersacross76orsochaptersnationally.InfraGardmightbecomearegional orlocalresourceforgovernanceorpolicy,buttodatenosuchinitiativeshavebegun. In1999,ElliotTurrini,thenUSADAforNewJersey,successfullyprosecutedDavidSmithfor authoringtheMelissavirus.Hiscaseincludedacomprehensiveeconomicanalysisofthedamagecausedbythevirusglobally(U.S.DepartmentofJustice,1999).Themethodheused(the prosecutionhiredaneconomisttodeveloptheanalysis)hashelpedotherprosecutorsassessthe economicdamageresultingfrombroad-basedcomputerincidents.Thedefendantpledguilty,so theeconomicanalysiswasneverproducedincourt. Inthemid-1990sorganizationsbegantoworrythatcertaincodingpractices(specificallyencodingyearswithonlythelasttwodigits)couldleadtocomputerfailures.ThiswastheY2Kbug.As ithappened,littleactualdamageoccurred.(Ghanasufferedanationalpowerblackout,twosafety systemsatnuclearpowerplantsinJapanfailedbutnocriticalsystemswereinterrupted,andsome firmsreportedthattheirprinteddocumentserroneouslydisplayeddatesintendedtobe“2000”as “1980”untiltheunderlyingdefectwasfixed.)TheSecuritiesandExchangeCommissionenacted aregulationstatingthatfirmshadtoattesttothemagnitudeoftheirexposuretoY2Kfailuresin theirannualreports,10Kfilings,andquarterlyfilings,asofcalendaryear1998.Asaresult,some firmstooktheY2KorMillenniumBugasanopportunitytorestructuretheirITinfrastructure, movefromlegacytocontemporaryplatforms,upgradeorreplacekeyapplications,oroutsource maintenanceofpotentiallyvulnerablesystems. UsefuldiscussionstookplaceoverthepossibilityofproductliabilitylawsuitsforY2K-related failures,butassuchfailuresdidnotmaterialize,thediscussionsdidnotleadtoregulatoryorlegal proceedings.Concernsovercodequalitybrieflyenteredpublicdiscussion,andsomeorganizations reviewedtheirapplicationdevelopmentmethodstoavoidsimilarvulnerabilitiesinthefuture.The basicconcernsthatwereleftunansweredincluded: • Shouldsoftwaredevelopersbeprofessionallycertifiedlikearchitects,doctors,ormassage therapists? • Shouldinformationsecurityprofessionalsbeprofessionallycertified? • Doesthestatehavethecompetencetograntsuchcertifications?
184 MALIK
• Whatprofessionalcertificationsexistnow?(CISA/CISMfromISACA,CISSPfromISC2, vendorspecificcertifications—MSCE,CSNE,etc.) • Howeffectivearesuchcertifications? • Howoftenareindividualsexpelledfornoncompliance(asopposedtobeingdroppedfornot renewingtheirlicenseorpayingtheirdues)? Reacting to the events of September 11, 2001, Congress enacted the USA PatriotAct of 2002.This compendium of measures granted law enforcement additional powers for search andseizure,permittedwiretapswithoutjudicialsupervisionbasedonthejudgmentoflawenforcementpersonnelalone,andpromotedgreatercooperationbetweentheprivatesectorand thepublicsector,butwithfewerprotectionsforindividuals.TheChiefPrivacyOfficerofSun Microsystems,MichelleDennedy,referredtoitasa“badlaw”duringawebcastonPrivacy, IdentityandInformationSecurityinJune,2003.4Amongotherproblems,itgrantedpoliceinvestigatorssubpoenapowerswithoutjudicialoversight,requiredlibrariestodivulgethelending historyofcitizens,andrequiredbooksellerstodisclosethepurchasinghabitsofbuyers,without anyspecificcause(PatriotAct,2001). With the publication of the National Strategy to Secure Cyberspace in February 2003, the federaladministrationsoughttoprovideguidancetoindividuals,smallbusinesses,stateandlocal governments,andbusinessesforinformationsecurityandriskmanagement(WhiteHouse,2005). RichardClarke,thencybersecurityczarunderPresidentGeorgeW.Bush,ledthedevelopment ofthisdocument,withthesupportofacommitteeofindustryrepresentatives(Evers,2002).Its practicalvalueasanationalpolicyisdebatable.Itlacksanorganizingprinciple,providesnogovernanceorpolicydevelopmentguidance,andisdiffuse—thevarioussectionsareunrelatedand uncoordinated.Whileitoffersinformationsecurityhintsandtips,itdoesnotprovideacoherent statementofpolicy.Whiletherearesuggestionsforspecificactions,thedocumentprovidesno mechanismtoverifythattheyaredoneproperly,howonemightlearntodothemcorrectly,and whomonemightturntoforguidanceincaseofasuspectedproblem.Inotherwordsthereisno effectivegovernance. Inresponsetoincreasingidentitytheftincidents,theU.S.Senateheldhearingsonidentitytheft in2000andagain2002.TheCountyofLosAngelesreportedthatidentitytheftwasthemostrapidly growingcrimeinitsjurisdictionin2002,andtheFTCreportsthatitisthemostreportedproblem itreceivedin2003.AdditionalU.S.SenatehearingswereheldonMay10,2005,intheaftermath oftheChoicePointincident(Specter,2005).FurtherhearingsbeforetheU.S.SenateSpecialCommitteeonAgingwereheldonJuly18,2005.AttorneyFredChrisSmith,formerAUSAforNew MexicoandauthorofNewMexico’scybercrimebill,spentayeartoreverseafamilymember’s identitytheftproblems(Smith,2005).Currentlyindividualvictimsofidentitytheftmustdevote theirowntimeandresourcestoresolveandcorrecttheconsequencesoftheirvictimhood. NATIONALINFORMATIONSECURITYPOLICYASOF2005 WhiletheeffortstodevelopwidespreadandeffectiveformsofITsecuritygovernancehavebeen extensive,particularlyintheareaoflaw,theultimateimpactisquestionable.Speakingatthefirst GartnerInformationSecurityConferenceinChicagoinJune,1994,ScottCharney,thenAssistant U.S.AttorneyforComputerCrimesunderAttorneyGeneralJanetReno,announcedtheCharney Theorem:“Atanypointintime,acertainnumberofpeopleareuptonogood.”5Generally2to3 percentofthepopulationwillengageinaberrantbehavior;asthepopulationofnetwork-connected usersincreases,thelikelihoodthatatalentedandamoralindividualwillemergeincreases.Social
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT185
pressurefailsasagovernancemechanismbecausethepopulationissolargethatsuchindividuals canremainanonymous.Architecturaldesignchoicesmadeinthe1960sand1970sprohibitstrong security.Technologicalfixes(forinstance,IPversion6forstronguserandplatformidentification) takeextensiveamountsoftimetodeployeffectively. Thealternativegovernancemechanismsareeitherlegaloreconomicapproaches.Economic motivationsrequirealevelofuseridentificationandauthentication,andcorrespondingauditingand logging,whichtheInternetlacks.Legalsanctionscanonlybebroughtintoplayafteracrimehas beencommitted.Aberrantbehaviorandcriminalactivityflourishuntilsomeonegetscaught. Inthissectionwewillassessthestatusofinformationsecurityprogramsoutsidecorporate organizationalstructuresintheUnitedStates.Therearegrowingissuesthatinvolveconsumersof informationtechnologyinitsvariousforms.Forexample,homecomputerusersarefacingrising risksofidentitytheft.Theeconomicandemotionalconsequencesofidentitytheftaresubstantial anddamaging.Todatetherehasbeennoinformationtechnologyproductliabilitylawsuitsuccessfullyconcludedfortheplaintiff.Shouldsuchalawsuitcometolight,itseemslikelythatthe civicgovernanceofinformationtechnologywillevolvetowardregulation,includingcertification andlicensingofusersandmanufacturers.Theserepresentthelegalaspectofgovernance.Inthe architecturaldomain,IPv6willintroduceimprovedauthentication,dataintegrity,andconfidentiality capabilitiesthatshouldcurtailclassesofinformationsecurityproblems.TheIPv6authentication headerwilleliminatehostspoofing.Theencapsulationsecurityheaderwillprovideencryption forthepacket’scontents.Thiswillstopinadvertentdisclosureofnetworktraffic. Governance Atnolevelofgovernmentisthereanyofficeofferingoversightorrecommendationsregarding informationsecuritynoranyofficethatwelcomestheexpressionofconcernsaboutinformation security.Sporadic,adhocSenatehearings;uncoordinatedDepartmentofJusticeandFTCprosecutions;anemicfunding;anddegradationoftheFederalcybersecurityleadershipmarkthecurrent politicallandscape.FollowingRichardClarke’sresignation,AmitYouranofSymantecaccepted thepost.UnlikeClark,hedidnotreporttotheNationalSecurityAdministrator,CondoleezzaRice. AmitwasthreelevelsdownfromtheSecretaryoftheDHS.Heleftin2004(Hulme,2004). ThefederalbudgetforcybertrainingforlawenforcementinFY1999was$20M.TheClinton administrationproposed$170MforFY2000,butthefundswereneverdisbursed.Thereareabout 16,000 city, state, and federal law enforcement agencies needing cybersecurity training.Total disbursedfundsaverage$600peragencyannually.OftheFY2000budget,80percentwentto theFBI.Whileadditionalmandatesforcybersecurityactivitieshavebeenpassedsincethen,they havegenerallynotbeenaccompaniedwithcomparablefunding,leavingthosegoalsremote.From agovernanceperspective,thenationalleadershipdesiresimprovementsbutisneitherproviding fundingnoramodelstructuretoachievethoseimprovements. Policy ThecurrentU.S.approachtopolicyistoaddressindustryspecificconcernsasopposedtoblanket regulation:comparetheUSAPatriotAct,GLBA,Sarbanes-Oxley,HIPAA,21CFRpart11,and COPPAwiththeEuropeanDataPrivacyDirectiveorCanada’sPersonalInformationProtection andElectronicDocumentsAct(PIPEDA).Industryspecificordataspecificmeasuresleavegaps andloopholesinthepolicy.Disjointedpolicyisgenerallyineffectiveeveninarigidcorporate structure.Inthepublicpolicysphere,disjointedpolicyisutterlyineffective.“Friendsdon’tlet
186 MALIK
friendsdrivedrunk”isaneffectiveexhortationwhenbackedbylawspunishingdriverswhoare intoxicated.Todatethereisnotevensomuchasasloganalongthelinesof“Nicepeopledon’t connectweakcomputerstotheInternet,”muchlessanylegal,economic,orarchitecturalstructure toenforcethesentiment. Architecture TheclosestnationalguidanceoninformationsecurityarchitectureavailableconsistsofgleaningsfromPDD63,ISO17799,theNationalStrategytoSecureCyberspace,andtheCommon Criteria.Agreatdealhastobeinferred.Noneofthesestandardsordocumentsexplicitlydefines aninformationsecuritybusinessarchitecture.Thereisnoconsistentorevennascentmappingof basicsecuritypolicydirectivestocommonlyunderstoodinformationsecurityprimitives. IPv6willeliminatespoofing,butthatarchitecturaltransformationwillalsoeliminateacornerstoneofanonymity.LawrenceLessigdiscussesthisprobleminhisbookCode.(1999).Todate noeffectiveproposalprovidingacompensatingcapabilityforpseudonymity(partialanonymity) hascomeforward,althoughtherearevariousinitiativesunderdiscussion. AwarenessandTraining ComputertraininginK–12—inconsistent,nomodelcurriculumforsecuritypolicy(Alexander andRackley,2005).Someschoolshavecomputerlabs,withvolunteersofvaryingcompetence providingsuchguidanceasmightoccurtothem. UndergraduateCurriculum—informationsecuritypolicyandprograminformationisscattered amongvariouscomputerscienceprograms.Currentlythereisgreatvariabilityamongeducational institutionsastothequalityoftheirownoperationalinformationsecurityprograms. Advanceddegreecurriculum—fewuniversitiesofferPhDlevelclassesininformationsecurity policyintheUnitedStates. TheUnitedKingdomlaunched2/23/2005ITSAFE(SecurityAwarenessforEveryone)(ITSafe, 2005).ComparethistotheU.S.government’sprogram(CERT2005),withitstentoptipsfor safecomputingathome. Thereisnoconsistentunderstandingofwhatbasicprinciplesusersshouldfollowtousethe Internetsafely.Variousinformationsecurityvendorsofferpiecemealguidance,butevenahighly skilledinformationtechnologyprofessionalwillbebaffledbythecomplexityanddisorganization ofthemultitudeofinformationprotectionsolutionsoffered,theircompeting,unverifiable,and unregulatedclaims,theabsenceofanywarrantyorbaselinestandardofprotection,andthelack ofanymechanismtofindhelpshouldaproblemoccur. Technology Currently no software or systems vendor faces the risk of product liability lawsuits for poor quality.Thereisnoeconomicmotivationtoexcelinquality;consumersmayspeakofquality asafundamentalrequirement,yettheycontinuetopurchasesubstandard,althoughtheshiftto opensourcealternativestoMicrosoftinsomecasesmaybedrivenbyqualityconcernsasmuch asbyeconomicones.In1965,RalphNaderpublishedUnsafeatAnySpeed,exposingtheauto
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT187
manufacturer’sculpabilityfordeliveringpoorqualityproducts.Thisbookgaverisetoawaveof productliabilitylawsuits,andthecarindustrysoughtregulationtoshielditselffromliability.Itis farfromclearthattheregulationsintroducedthen,andfollowingtheoilcrisisoftheearly1970s (CorporateAverageFuelEconomy,CAFÉ),stifledinnovationintheautomotiveindustry.Infact, theoppositemaybethecase. In2004,theU.S.DepartmentofHomelandSecurityproposedincludingchipsinpassports containingdigitizedidentifyinginformationtospeedatravelerthroughcustoms.Howeverthe chip’sinformationisnotencrypted.Anyindividualwiththerightreadercouldgetenoughinformationfromapassporttostealthepassportholder’sidentity.OnAugust14,2006theU.S.DepartmentofStateissuedthefirsttouristelectronicpassport.Toreduce“skimming”(illegalreading oftheinformationonthepassport’sRFIDchip)thepassporthasmetallicfiberswovenintothe passport’scovers,creatingaFaradaycagearoundthechip,soitcanonlybereadwhenopened (U.S.DepartmentofState,2007).Heretechnologiststakearchitecturalconstraintsforgranted, relyingontechnologytofixapolicyproblem.Thegoaloftheprogramwasforgottenwhenthe firsttechnicalimpedimentappeared(Zetter,2005). Logging,Reporting,andAuditing Attemptstogatherdataaboutsecuritybreecheshavenotgatheredmuchmomentum.Thepublic-privatepartnershipstillhasopenissuesthatimpedecooperationandprogress.Threeconcernsare: 1. SomespeculatethattheDepartmentofJusticemayviewcooperationamongcompeting industriesasapossibleantitrustviolation.However,theDepartmentofJusticeapproves offirmsworkingtogethertocombatcrime.Evenso,corporateconsulhasdoneagood jobtrainingemployeestoavoidanyforumthatmighthavetheappearanceofantitrust, somostorganizationsarereluctanttoparticipateininformationsharing. 2. Ifafirmuncoversevidenceofabreechandsubmitsittoacentralclearinghouse,will thatinformationbediscoverableunderaFreedomofInformationActlawsuit,leadingto damagetothereputationofthevictimizedfirm?Thissituationiscomplex.FOIAlawsuits cannotrevealinformationpertinenttoanongoingcriminalinvestigation.Duringatrial, theprosecutioncanrequestthecourtroombeclosedduringpresentationofevidencethat includescorporatesecrets.Atonemootcourtcompetitionthejudgedeclinedtoclosethe court.Thejudgeruledthatsincetheindividual’sfreedomwasatstake,thedefendant’s righttoafairandopentrialwasmoreimportantthanacorporation’ssecretsorreputation.6 Also,organizationsfearthepossibilitythataninadvertentbreechcouldstillcauseharm.A simplewaytominimizethisandthepreviouspotentialexposuresistoprovidesufficient informationtoanalyzethetechnicalorproceduraldefectthatopenedthebreechwithout providingsufficientinformationtodeterminetheidentityofthefirmsufferingtheattack. 3. Ifafirmdiscoversabreechanddevelopsinternalmechanismstoreacttoit,butdoesnot revealittooutsiders,coulditbesubjecttoa10-Blawsuitfromstockholdersseeking redressforthefirmwithholdinginformationthatmighthaveamaterialimpactonearnings?Properhandlingismandatory:areportcommissionedbyanauditfirmneednot bekeptbythecommissioningorganization.Withouttheexistenceofsuchareport,the firmcanlegitimatelyrefutesuchaclaim. Itappearsthattheconcernsaregenerallynotvalid.Byfollowingappropriateprocedures,firms caneffectivelyshareinformationaboutweaknessesandattackswithoutriskingtheirreputation.
188 MALIK
However,asofthiswriting,thereisinsufficientcaselawtoestablishaprecedentcodifyingthese assertions. Citizensexperiencinginformationsecurityproblemshaveno“helpdesk”orclearinghouse towhichtoreportsuchproblemsnoristhereaclearinghousetoinvestigateaproblem.Instead, individualusersareresponsiblefortheirownenvironment.Theymustmaintainagrowing,diverse portfolioofsecurityproducts,selectandassesscompetingalternativeswithnoguidanceormethod forperformingthatassessment,trainthemselvesontheuserinterface,anddetermineontheirown whichproductstheyneed,whatpricetopay,whentoupgrade,andhowtodiagnose,report,and fixasecurityproblem.Insomecasesfollowingabreechpeoplesimplyabandontheircomputer andpurchaseareplacementratherthanattempttofixtheoldersystematall.Whobacksuptheir personalcomputeratregularintervals? Revitalization Byreflectionontheautomobileexperience,wecanseewherewearetodayandwherewemight beinfifteenortwentyyears.Today,welackanylicensingmechanismforusersoftheInternet. Individualfirmscrafttheirprivacypoliciesandconsumersoptinorout,dependingonthestructure, tomakeuseofthewebsite’sfeatures.Atsomepointschoolswilldevelopaconsistentapproachto educateandprepareyoungusersforcyberspace.Thiselementofcivicgovernancewillbethrough lawwithsocialpressuretobolsterit. TodaywehavenoinspectionorsafetycriteriaforcomputersthatconnecttotheInternet.There isnobaselinerequirementforsecuritysoftwareorrobusthardware—anymachinecapableofrespondingtotheprotocolsisallowed.Inthefuturewemayseeabaselinedefinedtoincludevirus protection,aproperlyconfiguredfirewall,regularupdatecapability,andindicationofrecentservice forproblems.Somenetworksmaydenyaccesstononconformingcomputers,directingusersinstead tositeswheretheycanupgradetheirmachinetothatbaseline.Thisformofgovernancemaybe economicbutwithlegalelementsaswell.Theeconomicmotivationwillcreatemarkets. TodaythereisnolinkagebetweenacomputerontheInternetandthatcomputer’sowneror user.ItremainsdifficulttoevenascertaintheidentityofacomputerontheInternet.Inadecade orlesswemayhaveIPv6orsomeequallyeffectivecapabilitydeployedbroadlyenoughthatuserswillbeidentifiable—andspoofing,phishing,andspammingwillberenderedobsoletejustas Windows95endedthethreatofbootsectorvirusesadecadeago.Thisformofgovernancewill bethrougharchitecturedirectedbylaw. Vendors,universities,andresearchorganizationsmayinvestigatehowtoprovideemergency responsecapabilitiestocitizensatlarge.Safecomputingenvironmentswillneednotonlydefensivemeasuresbutalsoeducationandawarenessprograms.Thisformofgovernancewillmarry architecturewithsocialpressure,andwiththediscoveryofaneconomicincentive,amarketor setofmarketswillarise. CURRENTTHREATSANDVULNERABILITIES Today’smajorinformationsecurityconcernsincludephishing,spam(butisthisreallyasecurity concernoraqualityofserviceconcern?),andviruses,worms,andblendedthreats(collectively calledmalware).Embezzlementandextortion—usuallyinvolvinginsiders—remainresponsible forthemajorityoffinanciallysignificantcomputercrimes. Toregulateornottoregulateremainsthehottopic.Thecurrentadministrationisdisinclined tointroduceregulation,favoringindustryself-regulation.Theimpetusforself-regulationhasto
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT189
bedislikeofthealternative,whichwouldbegovernmentalregulation.Thethreatofgovernmental regulationmustbecredibletoinducevoluntarycompliance.Ifthelikelihoodofgovernmental regulationislow,self-regulationwillnottakehold.Forexample,intheearlyyearsofPresident GeorgeW.Bush’sfirstterm,theFCCunderMichaelPowellsoughtself-regulationamongInternet serviceproviders(ISPs).TheISPsdevelopedguidelinesforself-regulation,theFCCaccepted them,andthentheISPsignoredthem.TheFCCtooknoaction.TheISPsdoubtedthattheFCC wouldissueregulations,andthereforedidnotfeelanyneedtocomply. AttheRSASecurityconferenceinFebruary2005,theneedforregulationwasdebatedbetween BruceSchneier,authorofnumerousbooksandCryptogram;RichardClarke,cybersecurityczar underpresidentsClintonandBush;HarrisMiller,presidentofITAA;andRickWhite,presidentand CEOofTechNet(RSA,2005).Bruce’spointwasthatwithoutaneconomicincentivebusinesses wouldnotdeployadequateprotections—liketheinstallationofsprinklersystemsinbuildings. RichardClarke—afterdisavowingthenationalstrategy—explainedthathehadshiftedhisposition frombeingagainstregulationtobeinginfavorofitbecauseitwouldbebettertodeploysensible regulationnowasopposedtowaitingforamajorproblemandhavingsenselessregulationthrust ontheindustryfollowingamajorincident.HarrisMillerraisedthespecterofregulationstifling innovation.RickWhiteoutlinedthehistoryofbadfederalregulation,andcitedautomobilesasan exampleofoverregulation.Onbalance,thepro-regulationargumentseemedmoreconvincing. FUTUREDIRECTIONSFORNATIONALINFORMATION SECURITYPOLICY AttheSetonHallconferenceonSoftwareQualityandProductLiabilityinNovember2002(Seton Hall,2002)thepanelistsweighedinontheprosandconsofusingproductliabilitylawsuitsasa remedyfordefectivesoftwareproducts.Historically,theriskofaproductliabilitylawsuitprovided manufacturerswiththeeconomicincentivetoimproveproductquality.Fromhandgunsinthe nineteenthcenturytoautomobilesinthemid-twentiethcentury,productliabilityawardsmotivated improvements.Industrysectorssubjecttoproductliabilitylawsuitssoughtgovernmentalstandards forperformancetoshieldthemselvesfromliability.Todatetheinformationtechnologyindustry hasbeenfreeoftheseincentivesandthequalityoftheITinfrastructurereflectsthatreality. The software development methodology known as the capability maturity model (CMM), devised by Carnegie Mellon University’s Software Engineering Institute, can lead to process improvementenhancingcodequalitybyordersofmagnitude(SoftwareEngineeringInstitute, 1995).Thistechnologyhasbeenknownsincetheearly1980s.In1984IBMPoughkeepsieuseda CMManalysisfortheprocessesdevelopingtheMVSoperatingsystem,yieldingafourorderof magnitudeimprovementinthequalityofthatproduct.7However,thelargestsoftwarevendorsin theworldremaindisinclinedtoinvestintheproceduralchangesnecessarytoeffectivelyimplementthisdecades-oldprovenremedy.ArecentarticleintheWallStreetJournalsuggestedthat Microsoft’sorganizationisfacinguptotheneedformorematuresoftwaredevelopmentprocesses thanthecreativeanarchyofextremeprogramming(WallStreetJournal,2005). Ifwemapnationalinformationsecurityprogramsagainsttheseven-stepinformationsecurity programoutline,weseesignificantmissingelements. Governance Currentlygovernanceispiecemeal.Thereisnoinformationsecurityauthority—central,regional, orlocal—andnoeffectivegovernancemechanism.Problemreportingisuncoordinated,software
190 MALIK
qualityisvariable,alertnotificationishaphazard,andparticipationinsecuritymeasuresisentirelyvoluntary.IndividualsusingcomputersortheInternetaretreatedtodayashobbyistsinan experimentalandunregulatedrealm. Overtimecertainleadingcitiesmaydeploy“securecyberzones”offeringbaselineprotections andamechanismforseekinghelpbothforeducationandforresolvingproblems.Shouldthese succeedandattractwiderattention,theymightserveasamodelforpublicgovernance. Policy Todaythereareindependentanduncoordinatedinformationsecuritypoliciescoveringspecific products,applications,andenvironments.InformationsecuritypoliciesapplytousersofISPs, forinstance,butthereisnocommonalityacrosspolicies.Softwareenduserlicenseagreements makelittlementionofinformationsecurityotherthantolimitorexcludeliabilityonthepartof themanufacturerorpublisheriftheproductfails.Policyisadhoc,withnointegrationorbroadeningawayfrompointissuesandfocusonthefundamentalproblemofgoverningthebehavior ofindividualsinademocracy. Nationalleadershipconcerningsafecomputing,withrecommendationsforbaselinesecurity andmoresofbehavior,andlegislativeorregulatorysanctionsforviolations,wouldbepreferable toarchitecturalconstraints(Lessig,1999). Architecture Thereisnoawarenessoftheproblemscausedbynothavingaconsistent,agreedto,effective setofinformationsecurityprimitives.Suchasetwouldhelpconversationsamongimplementers usingdifferentplatformsbutfacingsimilarbusinessissues.Lackinganarchitecturalframework, incompatibleplatformscannotbemanagedcollectively.Eachcomputingplatformhasitsown intrinsicinformationsecurityarchitecture.Makingthosearchitecturesexplicitallowsforcomparativeanalysis,commonreportingandaudit,andaggregatedmanagement.Attimesvarious softwarecompanieshavedevelopedinformationsecurityarchitectures,butthesehaveneverrisen abovethelevelofproductmarketingorbrandingexercises.Theredoesnotseemtobeamarket foreffectiveinformationsecurityarchitectures.Thereisnobenefittoanyonefirmtodevelopa general,comprehensiveinformationsecurityarchitecture,sincethatinvestmentwillonlybenefit thefirm’scompetitionandincreasethefirm’scost.Today’smarketoffersafewalternativesources forsuchawork:governmentalagencies,universities,orresearchorganizationsmightdevelopa baseline.Todatenosuchactivityhassuccessfullyoccurred. TheIPv6protocolrepresentsanarchitecturalimprovementthatcouldreducethelikelihoodof certainclassesofproblems,asdiscussedabove. AwarenessandTraining Sometrainingishappeningbutitissporadic,task-focused,anddry.Informationsecuritycanbe taughteffectivelytoelementaryschoolstudents.TheAssociationforComputingMachinery(ACM) isdevelopingamodelcurriculum,butitisfarfromastandard.WGBHinBostonwasdeveloping videoinlate2004tosupportsuchacurriculum.Aswasthecasewitharchitecture,governmental agencies,universities,andresearchorganizationsmightprovideacurriculum.Atthispointeven thestatement“Nicepeopledon’tconnectweakcomputerstotheInternet”—spokenwithauthority byacommittedcivilservant—wouldbeasolidstepforward.Andyet,bycomparison,howef-
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT191
fectivewouldtheslogan“Friendsdon’tletfriendsdrivedrunk”bewithouttherealconsequences ofDWI/DWAIlaws? Comprehensiveeducationandtrainingforcitizenseagertousethenetwouldreducetheincidenceofidentitytheftandslowthespreadofcertainclassesofmalware,justasdriver’straining programsreducetheincidenceofaccidentsamongnewdrivers—andremedialclassesimprove theperformanceofexperienceddrivers,asshownbyreducedcollisioninsurancepremiums,and removalof“points”onthelicense,fordriverswhotakesuchclasses. Logging,Reporting,andAuditing Mostloggingisplatform-specificorapplication-specific.Therearenotoolsprovidingacomprehensiveviewofthefirm’sinformationsecurityriskportfolio.Theproblemmaybeaddressed witheffectivestandardsfordescribinginformationsecurityproblems,organizationalmaturity, andpotentiallyeffectivecountermeasures.Thereisamarketopportunityoncesuchstandardsare inplace. Reportingisimprovingunderregulatorydirectives;however,theregulatoryregimeintheUnited Statesremainssiloedandpiecemeal,providingampleopportunitiesforexceptionsandevasions. Pendingsuccessfulprosecutions,andthecorrespondingbodyoflegalprecedent,compliancewill remaindesultory. AuditinghasstrengthenedconsiderablysincetheEnroncollapsein2001.Section404ofthe Sarbanes-OxleyActof2002requirestheCEOandCFOofpublicfirmstoattesttothreeseparate facts:first,thatthealgorithmsusedtoderivethefinancialdatainreportsfrompubliclytradedfirms arecorrect;second,thatonlycertaindesignatedindividualshaveaccesstothesourcedataandthe processescreatingthosereports;andthird,thatthesefirsttwoassertionscanbeverifiedbyindependentaudittests.Astheseexecutivesfaceindividuallegalsanctionsshouldtheirattestationsprove false,complianceisproceedingbriskly.Resolvingtheseissuesrequiresanidentitymanagement infrastructure.However,deployingtechnology,withoutacontextofpolicyandgovernance,merely acceleratesdysfunctionalprocesses.Proceduralclarityisaprerequisiteforeffectiveautomation. Revitalization:maintainingtheinformationsecurityprogram’srelevanceandcurrencyshould bethechiefinformationsecurityofficer’s(CISO’s)mostimportantfunction.NoCISOatany levelofgovernmentaddressestheneedsofcivicsociety,andnoregulatoryframeworkexiststo makesuchanindividualeffective. OnFebruary2,2006,Connecticut’sattorneygeneral,RichardBlumenthal,announcedthat hisofficewasinitiatinganinvestigationofMyspace.com(ConnecticutAttorneyGeneral’sOffice,2006).Hiscommentspointedtothedangertominorsfromthesite.HeadvisedConnecticut residentsthathisofficewasexploringpossiblecriminalpersecution.Healsostatedthat“Internet siteshavealegalandmoralresponsibilitytoprotectchildren”andthatparentsshouldmonitor theirchildren’sInternetactivity.Hewasinvokingboththelegalandthesocialdimensionsof governancetomitigatethethreatposedbyMyspace.com. DuringJanuary2006aseriesofunsettlingannouncementsaroseconcerningChina’suseof legalmechanismstoforcemajorISPstodiscloseindividualswhoseactivitieswereconsidered dangeroustotheChinesestate.CongressionaltestimonyfromanumberofindividualsincludingLucieMorillonofReportersWithoutBordersandTomMalinowskiofHumanRightsWatch beforetheCongressionalHumanRightsCaucusonFebruary1,2006,detailedahistoryofdisturbingactionsthatlimitorpunishfreespeechandthefreeflowofideas(CongressionalHuman RightsCaucus,2006).OnFebruary15,2006,MichaelCallahan,Yahoo’sgeneralconsul,testified beforetheHouseSubcommitteeonAfrica,GlobalHumanRightsandInternationalOperations,
192 MALIK
andAsiaandthePacific(Yahoo!,2006).HisremarksunderscoredYahoo’svaluesandbeliefsbut notedthatthefirmhadtocomplywiththelawsofthecountryinwhichitoperated.Asreported intheRegister,RepresentativeTomLantos,Dem-CA,comparedtheactionsofMicrosoft,Yahoo, Google,andothersassimilartoIBM’scompliancewithlawsinNaziGermanyduringthe1930s (Haines,2006).Fromagovernanceperspective,theUnitedStateshasalimitedsetofcapabilities toinfluenceChinesesocialpolicy.Civicinformationsecuritygovernanceisapropersubsetof politics,nottechnology,notlaw. AREASFORFURTHERRESEARCH Atthiswritingthereisnooperationaldefinitionofacivicinformationsecurityprogram.One areaforresearchwouldbewhataneffectivecivicinformationsecurityprogrammightconsistof. Anotherwouldbewhatelementsoflawcanbearonawarenessandtraining. Civic information security programs lag corporate information security programs in every dimension.Militaryandsecretagencyinformationsecurityprogramsaremuchsimpler:Oftenall thedataandprocessingassociatedwithanoperation(whichincorporatetermsmaybeanalogous toalineofbusiness,or,incivictermsmaybeanalogoustoajurisdiction)isclassified.Thisdramaticallysimplifiestheinformationsecurityprogram:personnelareunderveryclearregulations andinformationsecurityeffortsaresubsumedwithinphysicalsecurityandsecrecyefforts.These constraintsmakebridgingmilitaryapproachestocorporateorcivicenvironmentsproblematic. Incorporations,individualsfacesocialandeconomicconstraints,butlegalandarchitectural limitationsaredifficulttobringtobear.Oneareaforresearchmightbehowtoextendcorporate informationsecurityprogramelementstothecivicsphere.Shouldtherebeagovernment-sponsored emergency phone number for computer problems, a 911 for Internet issues? Should there be “driver’slicenses”forInternetusers?Canschoolseffectivelytrainsafecomputingtechniques tothepopulation?WillinsurancecompaniesgrantreducedratesforInternetliabilityinsurance policiestoindividualswhohavesuccessfullycompletedacertainleveloftraining?Willdiverse jurisdictionsdevelopandenactamodelcodeforprosecutionofInternetcrimes?Whichcrimes canbesodefinedandprosecuted?Willlocallawenforcementagenciesadoptauniformstandard ofevidenceforinvestigatingInternet-relatedcrimes? Civic information security governance could avail itself of architectural constraints—but a populationwouldrequireagreatdegreeofknowledgetomakeinformedchoicesorpursueaneffectivedebate.Oneareaforresearchwouldbeinthedomainofeducation—forcitizensregardless ofageoreducationalattainment—oninformationsecurity. Atsomefuturetime,stateandlocalCIOswillexpandtheirscopeofcontrolfromtheinternal workingsoftheirclientdepartmentsingovernmenttoincludethepublicconstituencyoftheirlocales.Astheyunderstandtheexpectationsandlimitationsfacingthecitizenrywithintheirdomain, theywillcallforthehelpoftheirCISO.Atsomefuturetime,therewillbeacallforreviewand enhancementofthecivicinformationsecurityprogram.Atthiswriting,wehavenotyetbegun thisvaluable,necessary,andurgentwork. NOTES 1.Theauthorhassubsequentlyspokenwithoneoftheparticipantsinthisseminalmeeting.Itwasrecounted thatdisasterrecoverywasproblematic:someoftheparticipantsfeltthatifthesituationhaddeterioratedto thedegreethatrequiredinvokingthedisasterrecoveryplan,thesituationhadgonebeyondsalvaging. 2.Theauthorparticipatedinthisconversation.
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT193 3.TheauthorparticipatedintheNewYorkElectronicCrimeTaskForcefrom1998throughSpecial AgentWeaver’sretirement. 4.Theauthorwasaspeakerinthiswebcast. 5.TheauthorcreatedandchairedtheGartnerGroupInformationSecurityConferencesfromtheirbeginninginChicagoinJune1995annuallythroughJune2001. 6.Theauthorparticipatedinthismootcourtcompetitionasanexpertwitness. 7.TheauthorwasamemberoftheteamatIBMinPoughkeepsiethatimplementedtheseprocedural changes.
REFERENCES Alexander,T.,andRackley,C.2005.IntegratinginformationassuranceintoK–5curriculum.Paperpresented atInformationSecurityCurriculumDevelopmentConference’05,Kennesaw,GA,September. Anonymous.2005.InternetPioneers:MarcAndreesen(availableatwww.ibiblio.org/pioneers/andreesen. html,accessedonOctober11,2005). BITS.2005.BITSFinancialServicesRoundtable(availableatwww.bitsinfo.org/index.html,accessedon October11,2005). Carson,Rachel.1962.SilentSpring.NewYork:HoughtonMifflin. CERT.2005.UnitedStatesComputerSecurityReadinessTeamMailingListsandFeeds(availableatwww. us-cert.gov/cas,accessedonOctober11,2005). Cheswick,W.,andBellovin,S.1994.FirewallsandInternetSecurity:RepellingtheWilyHacker.Reading, MA:AddisonWesley. Cohen,F.1984.ExperimentswithComputerViruses.ReportpublishedbyFredCohen&Associates(availableatwww.all.net/books/virus/part5.html,accessedonOctober11,2005). Cohen,F.1986.ComputerViruses.Ph.D.Dissertation,UniversityofSouthernCalifornia. CommonCriteria.2005.Seewww.commoncriteriaportal.org/forinformationonthecommoncriteria(accessedonOctober11,2005). ComputerCrimeandIntellectualPropertySection.2003.TheNationalInformationInfrastructureProtection Actof1996:LegislativeAnalysis.UnitedStatesDepartmentofJustice,July31(availableatwww.usdoj. gov/criminal/cybercrime/1030_anal.html,accessedonOctober11,2005). Congressional Human Rights Caucus. 2006. Testimony of Lucie Morillon, Washington Director, Reporters Without Borders, CHRC Members’ Briefing: Human Rights and the Internet The People’s RepublicofChina(February1)(availableathttp://lantos.house.gov/HoR/CA12/Human+Rights+Caucus/ Briefing+Testimonies/02–06–06+Testimony+of+Lucie+Morillon+China+Google+Briefing.htm,accessed onFebruary19,2006). ConnecticutAttorneyGeneral’sOffice.2006.AttorneyGeneralInvestigatingMyspace.ComforAllowing MinorsEasyAccesstoPornography,InappropriateMaterial.Pressrelease,February2(availableat/www. ct.gov/ag/cwp/view.asp?Q=309712&A=2426,accessedonFebruary19,2006). EuropeanParliamentandCouncil.2002.Directive2002/58/ECoftheEuropeanParliamentandoftheCouncil ConcerningtheProcessingofPersonalDataandtheProtectionofPrivacyintheElectronicCommunications Sector(DirectiveonPrivacyandElectronicCommunications),July12(availableathttp://europa.eu.int/eurlex/pri/en/oj/dat/2002/1_201/1_20120020731en00370047.pdf,accessedonOctober11,2005). Evers, J. 2002. Feds draft national strategy to secure cyberspace. PCWorld (available at www.pcworld. com/news/article/0,aid,105002,00.asp,accessedonOctober11,2005). GOC.2000.PersonalInformationProtectionandElectronicDocumentsActof2000(availableatwww. privcom.gc.ca/legislation/02_06_01_01_e.asp,accessedonOctober11,2005). TheGreatRenaming.2005.Seehttp://cse.stanford.edu/class/cs201/projects-98–99/controlling-the-virtual-world/ history/rename.htmlforadetaileddiscussionofthehistoryoftheGreatRenaming(accessedonOctober11, 2005). Haines,L.2006.GoogleandYahoo!takeabeating.Register,February16(availableatwww.theregister. co.uk/2006/02/16/china_committee/,accessedonFebruary19,2006). Hulme,G.2005.HomelandSecuritycybersecuritychiefabruptlyresigns.InformationWeek,Oct.1(available atwww.informationweek.com/showArticle.jhtml?articleID=49400205,accessedonOctober11,2005). Hylton,J.1994.DavidLaMacchiacleared;caseraisescivillibertiesissues.TheTech,115,4(February7), (availableathttp://wild-turkey.mit.edu/V115/YIR/lamacchia.00n.html,accessedonOctober11,2005).
194 MALIK IBM Corp. 1981. Software Announcement P81–174, October 21 (available at www.os390-mvs.freesurf. fr/mvsinteg.htm,accessedonOctober11,2005). IBMCorp.1990.GC28–1440:MVS/ESASPV5Planning:B1Security.Armonk,NY. InfraGard.2002.CombatingCybercrime:FBI’sInfraGardProgramPromotesSecurityAwareness,November 4(availableatwww.infragard.net/library/combating_cybercrime.htm,accessedonFebruary8,2008). ISACA. 2005. ISACA: Serving IT Governance Professionals (available at www.isaca.org, accessed on February8,2008). ITSafe.2005.ITSecurityWarningService:SignUpforFreeWarnings(availableatwww.itsafe.gov.uk, accessedonFebruary8,2008). Lessig,L.1999.CodeandOtherLawsofCyberspace.NewYork:BasicBooks. Longstaff,T.;Ellis,J.;Hernan,S.;Lipson,H.;Mcmillan,R.;Pesante,L.;andSimmel,D.1997.Securityof theInternet.InFroehlichKentEncyclopediaofTelecommunicationsvol.15.NewYork:MarcelDekker, pp.231–255(availableatwww.cert.org/encyc_article/tocencyc.html,accessedonFebruary8,2008). Mosaic.1994.MosaicCommunicationsOffersNewNetworkNavigatorFreeontheInternet.Seewww.jwz. org/gruntle/newsrelease1.htmlfortheinitialNetscapeproductannouncement(accessedonFebruary8, 2008). Nader,R.1991.UnsafeatAnySpeed.NewYork:GrossmanPublishers,1965;KnightsbridgePub.Co.Mass; Rp/25thanniversaryeditionMarch1991. NationalResearchCouncil.1991.ComputersatRisk:SafeComputingintheInformationAge.National AcademiesPress.Seewww.nap.edu/openbook/0309043883/html/fordetailsonthebook(accessedon February8,2008). NSA.2005.NationalInformationAssurancePartnership.Seehttp://www.nsa.gov/industry/niap.cfm,for informationonthecommoncriteria(accessedonFebruary8,2008). PatriotAct.2001.UnitingandStrengtheningAmericabyProvidingAppropriateToolsRequiredtoIntercept andObstructTerrorism(USAPATRIOTACT)Actof2001(availableatwww.epic.org/privacy/terrorism/ hr3162.html,accessedonFebruary8,2008). PCI,2008.ThePCISecurityStandardsCouncil(availableathttps://www.pcisecuritystandards.org/index. htm,(accessedonFebruary8,2008). PDD63.1998.TheClintonAdministration’sPolicyonCriticalInfrastructureProtection:PresidentialDecisionDirective63.WhitePaper.May22(availableatwww.fas.org/irp/offdocs/paper598.htm,accessed onFebruary8,2008). RSA.2005.SecurityConference,PanelDiscussion:ToRegulateorNottoRegulate—ThatIstheQuestion. SanFrancisco,February16. SetonHall.2002.SetonHallLawSchool,ConferenceonSoftwareQualityandProductLiability,Newark,NJ, November15.Theauthorwasapanelistatthisevent.ParticipantsincludedBarbaraMoo,SteveLipnerof Microsoft,SteveBellovinofLucent,andMelanieSchneckthenofthelawfirmofSteptoeandJohnson. Theevent’sannouncementisathttp://law.shu.edu/administration/public_relations/press_releases/2002/ software_security_liability_symposium.htm(accessedonFebruary8,2008).TheNewarkStar-Ledger reportedtheeventatwww.nj.com/business/ledger/index.ssf?/base/business-3/1039504241203751.xml, butaccessrequiredapaidsubscriptionwhenaccessedFebruary8,2008. Shimomura,T.,andMarkoff,J.1995.Takedown:ThePursuitandCaptureofKevinMitnick,America’sMost WantedComputerOutlaw—BytheManWhoDidIt.NewYork:Hyperion. Sinclair,U.1992.TheJungle(availableathttp://sunsite.berkeley.edu/Literature/Sinclair/TheJungle/,accessed onFebruary8,2008). Smith,FredChris.2005.Personalcommunicationwiththeauthor. SoftwareEngineeringInstitute.1995.CapabilityMaturityModel:GuidelinesforImprovingtheSoftware Process. Carnegie Mellon University. The Carnegie-Mellon work on the capability-maturity model continues.Seewww.sei.cmu.eduforacomprehensivediscussionofitshistoryanddirection(accessed onFebruary8,2008). Spar,D.L.2001.RulingtheWaves:FromtheCompasstotheInternet.NewYork:Harcourt. Specter,A.2005.SenatorArlenSpecter,chairmanoftheSenateJudiciaryCommittee,RemarksofFebruary24. asreportedinTechLawJournal,(availableathttp://www.techlawjournal.com/topstories/2005/20050224. asp,accessedonFebruary8,2008). Stoll,C.1989.TheCuckoo’sEgg.NewYork:PocketBooks. Thieme,R.2001.BobWeaverandtheElectronicCrimesTaskForce.November.Report.TruSecureCorp.: InformationSecurity(availableatwww.thiemeworks.com/write/archives/electronictaskforce.htm,accessed onFebruary8,2008).
INFORMATIONSECURITYPOLICYINTHEU.S.NATIONALCONTEXT195 U.S.DepartmentofState.2007.TheUSElectronicPassportFrequentlyAskedQuestions(availableathttp:// travel.state.gov/passport/eppt/eppt_2788.html#Six,accessedonFebruary8,2008). U.S.DepartmentofJustice.1999.Creatorof“Melissa”ComputerVirusPleadsGuiltytoStateandFederal Charges.Pressrelease,December9(availableatwww.usdoj.gov/criminal/cybercrime/melissa.htm,accessedonFebruary8,2008). Visa.2005.CardholderInformationSecurityProgram2005.FordetailsoftheVISAinformationsecurity programformerchants,seehttp://usa.visa.com/business/accepting_visa/ops_risk_management/cisp.html (accessedonFebruary8,2008). WallStreetJournal.2005.Microsoftchangeshowitbuildssoftware.Sept.23. Walsh,L.1994.FinalReportoftheIndependentCounselforIran-ContraMatters.June.Darby,PA.,DIANE PublishingCo. Warren,S.,andBrandeis,L.1890.Therighttoprivacy.HarvardLawReview,December(availableatwww. lawrence.edu/fast/boardmaw/Privacy_brand_warr2.html,accessedonFebruary8,2008). WhiteHouse.2005.TheNationalStrategytoSecureCyberspace(availableatwww.whitehouse.gov/pcipb/, accessedonOctober11,2005). Yahoo!2006.TestimonyofMichaelCallahan,SeniorVicePresidentandGeneralCounsel,Yahoo!Inc.,BeforetheSubcommitteesonAfrica,GlobalHumanRightsandInternationalOperations,andAsiaandthe Pacific.Pressrelease,February15(availableathttp://yahoo.client.shareholder.com/press/ReleaseDetail. cfm?ReleaseID=187725,accessedonFebruary19,2006,sinceremoved). Zetter,K.2005.FedsrethinkingRFIDpassport.WiredMagazine,April26;summarizesthetortuousprogress of the RFID-enabled passport (available at www.wired.com/news/privacy/0,1848,67333,00.html, accessedonOctober11,2005). Zimmerman,P.1995.TheOfficialPGPUser’sGuide.April.Cambridge,MA:MITPress.Seewww.mit. edu/prz/forbackgroundonPhilZimmermanandPGP(accessedonFebruary8,2008).
CHAPTER9
THEINTERNATIONALLANDSCAPEOF CYBERSECURITY DELPHINENAIN,NEALDONAGHY,ANDSEYMOURGOODMAN
Abstract:Thischapteraddressesthehistory,development,effectiveness,andprospectsforinternationalcooperationagainstcybercrime.Thefirstsectionintroducesthequestionandgrowing significanceofcybercrime.Thesecondprovidesanoverviewofinternationalintergovernmental cybercrimeorganizationsatthegloballevel.Theeffectivenessandpotentialfordifferentbilateral andmultilateralinformationsharingandcooperativeprosecutionregimesalongwithmeasures forstandardizinginternationalconventionsoncybercrimearediscussed.Thethirdpresentsthe actionsofregionalintergovernmentalorganizationssuchasOPEC,APEC,theEU,OAS,andthe SADC.Insectionfour,public-privateandpurelyprivate-sectoractorsarealsopresented.The authorsconcludewithanassessmentofthecurrentandprospectiveeffectivenessandscalability oftheseefforts. Keywords: Cyberspace, Cybercrime, CERT, CSIRT, Critical Infrastructure, Internet Security, Private-PublicPartnerships,CouncilofEuropeConventiononCybercrime ANEMERGINGLANDSCAPE WorldwideopenIP-enabledpublicnetworkinfrastructureforcommunications,commerce,and government—cyberspace—israpidlyexpanding.TheInternet,thelargestofthesenetworks,has takenrootinovertwohundredcountriesandisusedbyalmostabillionpeople.Eachcountryinthe worldnowsharesaporousborderwitheveryothercountry,notjustthosephysicallyadjacent. Byanymeasure,cyberspaceis“criticalinfrastructure”(DHS,2003).Individuals,commercial enterprises,andgovernmentsarebecomingincreasinglydependentonthisnetworkinfrastructure foranextensiveandexpandingrangeofneeds.Othercriticalinfrastructures,notablyelectricpower, bankingandfinance,emergencyservicesandothergovernmentfunctions,industrialprocesses, andtransportation,havealsobecomeincreasinglydependentonsuchnetworkinfrastructurefor control,communications,andmanagement.Unfortunately,cyberspaceisplaguedbyasetofpoorly understoodvulnerabilitiesthatarebeingexploitedextensivelybyawiderangeofmaliciousactors.TheeasyaccessandrelativeanonymityandopennessoftheInternethasallowedfast-paced cybercrimeandotherserioushostileactivitiestoflourishonaglobalscalewithrelativelyweak capabilitiesavailabletolawenforcementandorganizationsconcernedwithnationalandinternationalsecurity.Policymakersandseniorindustrymanagementinthemoredevelopedcountries haveonlyrecentlyappreciatedthescaleandtransnationaldimensionsoftheseproblems. Amajorityofthecountriesconnectedtothesecriticalinfrastructureshavelittleexperienceor capacityfordealingwiththeseproblems.Thenumberofuserstheremaysoonrisedramatically 196
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY197
withthespreadofVoiceoverIP(VoIP—essentiallydigitaltelephonyviatheInternet),bringing atidalwaveofexacerbatedsecurityproblems.Thesecountrieshaveoftenbeengivenlittleattention,orhelp,fromthemoreadvancedcountries,buttheyarepartoftheproblemandneedhelp tobecomepartofthesolution. Inthelastfewyearsanarrayofrelativelyautonomousactivitiesinlawandstandards-making bodies,theprivatesector,andgovernmentagenciesbegantounfoldinresponsetothechallenges ofcybercrimeandcriticalinfrastructureprotection.Atthenationalandinternationallevels,ingovernmentalandintergovernmentalbodies,atrioofcommunitieshavebegunforming:(1)reinvented legacytelecommunicationregulatoryagencies,(2)homelandsecurityandcriticalinfrastructure protectionagencies,and(3)IT-orientedjusticeandlawenforcementbodies.Theinstrumentsbeing craftedrangefromtreatiesandothervehiclesfornewkindsofglobalcollaboration,tocapabilityrequirementsinstitutedbystatutoryandregulatoryprovisions,toreal-timeoperationaland monitoringarrangementsandcapabilities. Afourthcategoryofsecurity-service-providingorganizationsisemergingattheinternational level.Afewarenarrowlyfocused,forexample,onspamcontrol,whileothersaremorebroadly chartered,forexample,coveringsuchthingsastraining,andprovidingearlywarning,information sharing,andotherformsofcooperation.Someareprivateandothersarenongovernmentalorganizations(NGOs).Manyarenational,othersregional,andstillothersarebroadlyinternational. Thischapterisaninitialattempttosurveytheorganizationsthatareexplicitlyinternationaland thattrytopromoteinternationalcooperationtodealwiththeseproblems.Itdoesnotprofessto provideexhaustivecoverage,buttriestocoverthemostprominentorganizationswecouldidentify asof2005.Wetreattheminthreecategories:internationalintergovernmentalorganizations,regional intergovernmentalorganizations,andprivate-publicpartnerships.Togethertheyformasometimes complementary,sometimesdisjointed,setofnational,regional,andmultilateralinitiatives. Wewilltrytoanswerthefollowingquestions.Whatkindsoforganizationsareemerging?What aretheytryingtodo?Aretheydoingitwell?Aretheycomingupwithenforceable,scalable,and readilyusablesolutionsthatreducevulnerabilities?Whatmeaningfulmetricscanbeusedtoassess theirsuccess?Dotheycollectivelyamounttoawholethatissomehowsignificantlygreaterthan thesimplesumoftheseparateparts?Canagoodcasebemadethattheyaremakingcyberspace moresecure,oratleastslowingtherateatwhichthingsaregettingworse? INTERNATIONALINTERGOVERNMENTALORGANIZATIONS Policy-MakingBodies Large international organizations such as the United Nations (UN) and the Organization for EconomicCooperationandDevelopment(OECD)beganpubliclydebatingcomputercrimein themid-1980s.Theirmostimportantimpacthasbeentoraiseawarenessofthedangersofcybercrimeamongthemoredevelopednationsandhelpshapenationalandregionalpoliciestoward cybercrime. OECDandtheUN:TowardaPolicyforCybercrime In1986,theOECDpublishedComputer-relatedCrime:AnalysisofLegalPolicy,areportthat surveyedexistinglawsandproposalsforreforminanumberofmemberstatesandthatalsorecommendedaminimumlistofabusesthatcountriesshouldconsiderprohibitingundercriminallaws (OECD,1986).In1990,theEighthUNCongressonthePreventionofCrimeandtheTreatment
198 NAIN, DONAGHY, AND GOODMAN
ofOffendersadoptedaresolutioncallinguponmemberstatestointensifytheireffortstocombat computercrime(UNCJIN,1990).Itarticulatedspecificneedssuchasthemodernizationofnational criminallawsandproceduresastheOECDhadrecommendedin1986.TheUNalsorecommended othermechanismsbesideslegalpolicy:improvedcomputersecurity,theadoptionoftrainingmeasures,andtheelaborationoftherulesofethicsintheuseofcomputers(UNCJIN,1990).TheUN GeneralAssemblyendorsedtherecommendationsinitsresolution45/121(December14,1990), andsincethenthetopicofcybersecurityhasbeenontheUNagendaateverysession,resulting inmanyotherresolutions.1Inparticular,aUnitedNationsResolutionwasadoptedbytheGeneral Assemblyin2000(res.55/63)oncombatingthecriminalmisuseofinformationtechnologies. Initssuccessiveresolutions,theUNrecommendedinternationaleffortsinthedevelopment anddisseminationofacomprehensiveframeworkofguidelinesandstandardsforcomputer-relatedcrime.Thefirstimportantinternationalefforttowarddevelopingsuchaframeworkstarted in1992whentheOECDissuedGuidelinesfortheSecurityofInformationSystems,intendedfor bothgovernmentuseandtheprivatesector(OECD,1992).Theframeworkdocumentfocuses on nine principles: awareness, risk assessment, responsibility, response, security design and implementation,securitymanagement,reassessment,ethics,anddemocracy.Theguidelineswere reviewedin1997and2001bytheWorkingPartyonInformationSecurityandPrivacy(WPISP) andacceleratedintheaftermathoftheSeptember11tragedy.Themostrecentguidelineswere adoptedinJuly2002.2 ImpactofUNandOECDPolicies TheUNandOECDissuedguidelinesandrecommendationsforaglobalcultureofcybersecurity butdonotenforceanymechanismsfortheirimplementation.Ultimatelyitisthetaskofevery countrytocreateandmaintainitsownmechanismstofightcybercrime.Thereforethemainimpact oftheseorganizationshasbeentosetthestageforacultureofcybersecurity,butwhetherthis culturedevelopsandsuccessfullyfightscybercrimesdependsonthelevelofcommitmentandthe levelofcooperationamongnationstoimplementtheirownmechanisms. SomeregionalorganizationssuchastheCouncilofEurope(COE),theAsia-PacificEconomic Cooperation(APEC),andtheEuropeanUnion(EU)havetakenstepstopromoteacultureof cooperationamongtheirmembersattheregionallevelinthefightagainstcybercrimeandrefer totheUNresolutionasamotivation(APEC,2005). AquestionnairecirculatedinJuly2003toOECDmembercountries(COE,2004b)surveyed theinitiativesundertakensincethereleaseofthe2002guidelines.Thesurveyaddresseshowthe guidelinesaredisseminated,whethercountrieshavedevelopedanationalpolicyoninformationsecurity,thetypesofprogramsandinitiativessetuptoraiseawareness,fosterbestpractices,educate, andsupportsecurityresearch,andtheamountofdialoguebetweenthegovernmentandbusinesses andcivilsociety.Overall,twenty-twooutofthirtymembercountriesresponded.Anotablepoint ofthesurveyisthatfifteenofthesetwenty-twohaddevelopednationalpoliciesforthesecurityof informationsystemsandnetworksandtheremainingsevenwereintheprocessofdoingso.All respondentsreportedusingtheguidelinesasareferenceframework.Asecondnotablepointisthat mostrespondingcountriesreportedhavingenactedasetofmeasurestocombatcybercrime.The mostwidelyadoptedmeasuresweretheidentificationofnationalcybercrimeunits(17countries); initiativestosetupinstitutions,whetherpublicorprivate,thatexchangethreatandvulnerability assessmentssuchascomputersecurityincidentresponseteams(CSIRTs)(17countries);designationofinternationalhigh-technologyassistancecontactpoints(14countries);cooperationbetween governmentsandbusinessinfightingcybercrime,includingbetweenlawenforcementorganizations
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY199
andbusinessaboutthesecurityofinformationsystemsandnetworks(13countries);andspecific measuresonthecollectionofevidenceofcybercrime(12countries,1inpreparation).Lesswidely adoptedwerelegislativemeasuressuchaspreservationoftrafficdatainordertosupportlawenforcementactivitiestodealwithcybercrime(5countries,3inpreparation). Initiatives to foster international cooperation received less attention. Only three countries mentionedsuchinitiatives:Japan,theUnitedStates,andAustralia.Japansupportscooperation amongCSIRTsintheAsiaPacificregion.TheUnitedStatesmentionedsupportofinitiativesat theinternationallevel(APEC,OECD,G8),andAustraliamentionedsupportinginitiativeswithin APECtoassistwiththeimplementationofthesecurityguidelines,forexamplebyhelpingthedevelopmentoftheAPECcybercrimelegislationandenforcementcapacitybuildingproject.Another weakpointrevealedbythesurveyisthesharingofbestpracticesamongcountries. Overall,theOECDsurveyishelpfulforassessingthestateofimplementationoftheguidelines, butnotformeasuringsuccess.TheOECDrecognizesthatthesurveyfailedtoaddresstheimpact oftheinitiatives(COE,2004b).Byaskingcountriestomeasurethesuccessofinitiativesina consistentway,theOECDwouldineffectrequirethememberstoagreeonappropriatemetrics. Toreallyassesspositivechange,meaningfulmeasuresareneededandapublicdebateshould existtocomeupwithsuchmeasures.Forexample,countriescouldreportthenumberofcyber criminalsarrestedandprosecutedasadirectresultofguidelineimplementation,andthenumber ofincidentssuccessfullyhandledbyCSIRTs.Suchmeasuresmightalsohelpcountriesidentify andprioritizesuccessfulmechanisms,andhelpplanandjustifybudgetdecisionsbasedonother countries’experience.Forexample,thesurveyrevealstwointerestinginitiativesthatothercountries couldfollowiftheirmeasuredimpactispositive.Finlandhaslegislationinpreparationtomake itmandatoryfortheircomputeremergencyresponseteam(CERT)toinformthegovernmentof seriousinfringementsofthesecurityofinformationsystemsandnetworks,andtheUnitedStates istheonlycountrytohaveaformalauditsystemforgovernmentagenciestochecktheimplementationoftheOECDguidelines. InternationalMechanismstoSecureCyberspace TheOECDsurveyrevealedthatinresponsetotheUNandOECDguidelines,mostcountries initiallyfocusedondevelopingtheirowncybersecuritymechanisms.Thesurveyalsoindicates atwo-tieredprocesswhenimplementingmechanismstodealwithcybercrime.Inafirstwave, mostofthetwenty-twocountriessetupnationalcybercrimeunits,early-warningcenterssuchas CERTsorCSIRTsandcontactpointsforhightechcrimeprosecution.Inasecondwave,some countrieshavestartedmodernizingtheirlegislationandcrimeprosecutionprocedurestobetter addresscybercrimeissues. Beyondnationalinitiatives,someregionalmechanismshavebeensetupaswell,particularly inEuropeandtheAsiaPacificregion,whichwillbesurveyedbelow.However,nosinglepointof governancecreatesandmonitorsmechanismsattheinternationallevel.Itisstilluptoindividual countriesandcoalitionsofcountriestocreatetheirown.Thishasledtoaseriesofuncoordinated bilateralandmultilateralinitiativesforinformationsharing,lawenforcementtraining,andlegal mechanismsthatwesurveyinthissection. InternationalInformationSharingandEarlyWarningSystems Whenwidespreadcybereventsoccur,itiscriticalthatmechanismsbeinplacetoeffectivelydetect andidentifytheactivity,provideearlywarningtoaffectedpopulationsandconstituencies,notify
200 NAIN, DONAGHY, AND GOODMAN
otherswithintheInternetandsecuritycommunitiesofpotentialproblems,effectacoordinated responsetotheactivity,sharedataandinformationabouttheactivityandcorrespondingresponses, andtrackandmonitorthisinformationtodeterminetrendsandlong-termremediationstrategies (Killcrece,2004). G8:TowardanInternational24/7PointofContactNetwork.TheG8isaninformalgroupof eightcountries:Canada,France,Germany,Italy,Japan,Russia,theUnitedKingdom,andtheUnited StatesofAmerica(G8,2005).TheLyonGroup,establishedbytheG8in1995,hasworkedon fortyrecommendationstocombattransnationalorganizedcrime.Onerecommendationcallson membersto“reviewtheirlawstoensurethatabusesofmoderntechnologyarecriminalized.”Five subgroupswerecreatedtoimplementtheLyonGrouprecommendations,includingtheSubgroup onHigh-TechCrimein1997.AtitsJuly2000summitinJapan,theG8affirmeditscommitment toacommonconcertedapproachtocombatingcybercrimebypublishingtheOkinawaCharteron GlobalInformationSociety(GISCharter)callingfor“coordinatedactiontofosteracrime-free andsecurecyberspace”(G8,2000b). TheG8hasbeenactiveindevelopinginformationsharingmechanismstodealwithcybercrimeintendedforuseattheinternationallevel.TheSubgrouponHigh-TechCrime’smissionis to“enhancetheabilitiesofG8countriestoprevent,investigate,andprosecutecrimesinvolving computers,networkedcommunications,andothernewtechnologies”(G8,2004).Countriesare representedinthesubgroupbymultidisciplinarydelegationsthatincludecybercrimeinvestigators andprosecutors,andexpertsonlegalsystems,forensicanalysis,andinternationalcooperation agreements.Forallstakeholdersinprotectionofcriticalinformationinfrastructures,thesubgroup haspublishedvariousbestpracticesdocuments,includingguidesforsecurityofcomputernetworks, internationalrequestsforassistance,legislativedrafting,andtracingnetworkedcommunications across borders; conducted training conferences for cybercrime agencies from every continent (saveAntarctica);andorganizedconferencesforlawenforcementandindustryonimprovedcooperationandtracingcriminalandterroristcommunications.Recentexamplesincludeindustry workshopsheldin2000inParis(G8,2000a),in2001inBerlinandTokyo(G8,2001),andin 2003inParis(G8,2003). Themostsignificantmechanismcreatedbythesubgroupisthe24-HourContactsforInternationalHigh-TechCrime(alsoknownasHigh-TechCrime24/7Point-of-ContactNetwork)in1997. The24/7Networkrequiresparticipatingcountriestomaintainacybercrimeunitanddesignate a 24-hour, 7-day-per-week point-of-contact for the purposes of providing information and/or respondingtorequestsforassistanceonurgentcasesinvolvingelectronicevidence.Thenetwork isopentonon-G8membersaswell,andallcountriesareencouragedtojointheG8network.In particulartheEuropeanUnioncallsonitsmemberstojointhenetworkinaCouncilRecommendationofJune25,2001(Europa,2001b),andtheAPECinits2002recommendationscallsonall itsmembercountriestojointhenetwork(APEC,2002c).Asof2002,thereweretwentymembers (USDOJ,2005)andfortyasof2004(G8,2004). Onelimitationofthenetworkisthatitdoesnotentailtheestablishmentofahigh-tech operationscenteropenaroundtheclock,butjustthemeanstoreachahigh-techexpertatall hourswhoisknowledgeableininvestigationsinvolvingcomputerandelectronicevidence. Sincethenetworkisjustawaytoconnectalreadyexistinginfrastructures,itislefttoeach countrytocreatethatinfrastructure.Thisisaconcernforcountriesoflowcapabilitiesthat do not have the means to set up such infrastructures and train experts in high tech crime investigations. TheG8hasnotissuedanyofficialdocumentsurveyingthesuccessofthenetwork.Asimple
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY201
metricwouldbetocountthenumberofinvestigationshelpedbythenetwork.However,inaletter ofinvitationtocountries,aparagraphindicatessomeofthesuccesses: Thisnetworkhasbeenusedsuccessfullyinmanyinstancestoinvestigatethreatsandother crimesinanumberofcountries.Forexample,thenetworkhasbeenusedtohelpsecurethe convictionofamurdererintheUnitedKingdombyfacilitatingthepreservationanddisclosureofInternetrecordsintheUnitedStates.Thenetworkhasalsobeenusedonseveral occasionstoaverthackingattacks,includingattacksonbanksintheUnitedStates,Germany andMexico.Conversely,inthecontextoftheongoinginvestigationintotheSeptember 11th2001terroristattacks,thelackofapointofcontactinaparticularcountryimpeded theinvestigationofaseriousthreat.(USDOJ,2005) Itwouldbeveryinformativeifaformalsurveyofmembercountrieswasconductedannuallyto collectdataaboutthesuccessesofthenetworks,suchasthenumberofinvestigationsthatusedthe networkandthepartneringcountries.Thepublicreleaseofthesedatacouldshowtheimpactofthe networkbylookingatthepercentageofinternationalinvestigationsthatuseit.Itwouldalsohelp indicatewhichcountriesaremostactiveinusingthenetworkandcouldsharetheirbestpractices. Computer Security Incident Response Teams (CSIRTs). The concept of a public service CSIRTemergedintheUnitedStatesin1988withthecreationoftheCERTCoordinationCenter (CERT/CC),locatedattheSoftwareEngineeringInstitute,aU.S.federallyfundedresearchand developmentcenteroperatedbyCarnegieMellonUniversity(CERT/CC,2005b).Itscharterwasto assessandrespondtocomputersecurityincidentsandrelatedactivity,becomingthecyberanalog totheemergencynumber911intheUnitedStates.3TheCERT/CCwasalsocharteredtoserve asamodelfortheoperationofotherresponseteamsaroundtheworldandtofosterthecreation ofadditionalteams,eachfocusedonmeetingtheneedsofaparticularconstituency(Killcrece, 2004).GuidelinesforestablishingaCSIRThavebeenformulatedandpublishedbytheCarnegie MellonUniversitySEI(Killcreceetal.,2003). FollowingtheCERT/CCmodel,since1988hundredsofCSIRTshavebeencreatedinNorth AmericaandEurope(Escobar,2004),dozensintheAsiaPacificregion(APCERT,2005b)andLatin America(Solha,2002),andafewintheMiddleEast/Africaregion(Anderson,2004;Balancing ActNews,2004b).4TheseorganizationsuseeitherCERTorCSIRTasacronyms.5 TheservicesofeachCSIRTarenormallyperformedforadefinedconstituency,suchasaprivate,governmental,oreducationorganization,oraregionorcountry.Inordertobeconsidered aCSIRT,ateammust: • provideasecurechannelforreceivingreportsaboutsuspectedincidents, • provideassistancetomembersofitsconstituencyinhandlingtheseincidents, • disseminateincident-relatedinformationtoitsconstituencyandtootherinvolvedparties. CSIRTsoftenhavetheadditionalresponsibilitiesofprovidingtechnicaladvice,identifying intrusiontrends,workingwithothersecurityexperts,disseminatinginformationtothepublic,publishingtechnicaldocuments,andofferingtraining(Killcrece,2004;West-Brownetal.,2003). InternationalCooperationamongCSIRTs.ThestructureandlevelofcooperationamongCSIRTs remainsvoluntaryandinformal(CERT/CC,2005a).CSIRTsaroundtheworldvaryintheirspecific approachestoincidentresponsebasedonavarietyoffactorssuchasconsistency,geographical
202 NAIN, DONAGHY, AND GOODMAN
and technical issues, authority, services provided, and resources. Reporting a cybercrime to a CSIRTisvoluntaryinmostcountries.Finlandisoneofthefirsttopasslegislationthatmakesit mandatorytoreportseriouscyberinfringementstoCSIRTs(OECD,2004). Mostinternationalcooperationinitiativesarepoint-to-pointandinformalcollaborationsbasedon trustedlinksbetweennationalCSIRTs.Forexample,inDecember2004,India’sCyberEmergency ResponseTeamannouncedplans,includingthesigningofane-securityprotocol,toworkwith Russianlawenforcementtoaddresscybercrime(PTI,2004).TheUS-CERTencouragesinformationsharingattheinternationallevelbyestablishingregularinternationalinformationsharing conferencecallswithgovernmentcybersecuritypolicymakersfromfivekeyalliedcountries:the UnitedStates,theUK,Australia,Canada,andNewZealand(US-CERT,2005). Currently,thereisnoinfrastructuretogloballysupportacoordinatedinternationalincident responseeffort.However,thereareeffortsunderwaytodevelopcooperativerelationshipsthat supportsuchacapabilityattheregionallevel.TheAPCERT(AsiaPacificComputerEmergency ResponseTeam),acoalitionoffifteenCSIRTsacrosstheAsiaPacificregion(APCERT,2005a)and theEuropeanTF-CSIRTTaskForce(TERENA,2006)areexamplesthatwillreviewedbelow.6 ProspectsforanInternational/GlobalIncidentResponseTeam.AccordingtotheCERT/CC philosophy,aworldwideCSIRTisnotafeasibleoption: The diverse technologies, constituencies, global demographics, and breadth of services neededbytheseconstituenciescouldnotbeprovidedbyanysingleorganization.Noone teamwouldeverbeabletoeffectivelyrespondtoallattacksagainstcomputernetworksor networkconnectedsystems—theproblemwouldbecometoolarge,thetechnicalknowledge requiredtoobroad,theuserconstituenciesneedinghelptoodiverse,andthelikelihoodof developinguniversaltrusttoosmall.(Killcrece,2004) ThereisindeednoworldwideCSIRT.Rather,themodelofcooperationhasbeentolinknationalCSIRTsattheregionallevel,thereforebuildinga“networkofregionalCSIRTs”bothin EuropeandAsia. OnepossibilityforthefuturemightbetotrytolinkthosenetworksofregionalCSIRTstoforma worldwidenetwork.However,issuesoftrustandnationalsecuritymightrestrictCSIRTcooperation totrustedregionalspheres.IssuesofnationalsecurityariseforexamplewhenCSIRTemployees holdinghighlevelsofsecurityclearanceareforbiddentotraveltoordisclosedatatoother,nontrustedcountries. Sofar,theonlyattemptatformingaworldwidenetworkofCSIRTshasbeentheForumof IncidentResponseandSecurityTeams(FIRST),foundedin1990.FIRSTisdefinedas“anetwork ofindividualcomputersecurityincidentresponseteamsthatworktogethervoluntarilytodealwith computersecurityproblemsandtheirprevention,”andconsistsofmorethan170teams(FIRST, 2006a).ManyoftheseareCSIRTs,representinggovernment,lawenforcement,academia,theprivatesector,andotherorganizationsfromAsia,Oceania,EuropeandtheAmericas.FIRSTpromotes internationalcooperationthroughthesharingoftechnicalinformation,tools,methodologies,and bestpractices,aswellasholdingconferencesopentononmembersandencouragingthedevelopmentofCSIRTs.AlthoughFIRSTisatrulyinternationaleffortataddressingcybersecurity,its membershipisexclusive.Dependingonthelevelofmembership,applicantsmustbesponsored byeitheroneortwoexistingFullMembersandcompleteanextensiveapplication,includingan on-sitevisit.FIRSTisselectiveaboutmembershipastheorganizationispredicatedupontrust (FIRST,2006b).Thismodellimitscountrieswithlowcapabilitiesfromjoining.
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY203
Gapsinincidentresponse,management,andcoordinationprocessesmeanthatsomenations aremoreatriskthanothers.OnecurrentnoteworthygapisthatveryfewCSIRTsexistinAfrica. Consequently,thesecountrieslackadequatestaffandresourcestoeffectivelymonitorsuchactivity,protectcriticalservicesandsupportingnetworks,andrespondtoincidentsthataffectcritical infrastructureservices. InternationalLawEnforcementCooperation Giventheborderlessnatureofcybercrime,cooperationamonglawenforcementagenciesisoften essentialtocollectdataaboutcrimeandhelpprosecutions.Tocombatinternationalcybercrime,law enforcementneedstheauthoritytoobtainevidencefromnetworksregardlessofjurisdictionand morequicklythanoffenderscanmoveoreraseincriminatingmaterial.Inaddition,itisessential forcountriestotrainskilledinvestigatorsandattorneystodealwithcybercrimeissues. Interpolisoneofthelargestinternationalpoliceorganizationsinexistence,andhasbeen combatingcybercrimesince1990(Westby,2004).Today,itconsistsof182membersspread overfivecontinentsandprovideslocalpoliceforceswithamechanismforinternationalcoordinationandinformationsharing(Interpol,2005).Torelyonexistingexpertise,Interpolutilizes themechanismofexpert“workingparties.”Theworkingpartyconsistsoftheheadsorexperiencedmembersofnationalcomputercrimeunits.Theseworkingpartieshavebeendesigned toreflectregionalexpertiseandexistinEurope,Asia,theAmericas,andAfrica.Accordingto Interpol,“theworkingpartiesarenotInterpol’sonlyeffort,buttheycertainlyrepresentthemost noteworthycontribution.OtherinitiativesincludecollaborationswiththeU.S.FBIandSecret Service”(Interpol,2003). Whiletheworkingpartiesareatdifferentstagesofdevelopment,theEuropeanWorking Partyiscurrentlythemostadvanced.Itmeetsthreetimesayearandhashadtangibleimpact, includingthecompilationoftheInformationTechnologyCrimeInvestigationManual(ITCIM), abestpracticeguideforlawenforcementinvestigators,whichiscontinuallyupdated;theholdingofnumeroustrainingcourses;thesupportofaninternational24-hourresponsesystem, theNationalCentralReferencePoints(NCRP),whichlistsresponsibleexpertswithinmore thaneighty-fivecountriesandisnowbeingexpandedandhasbeenendorsedbytheHighTech CrimeSub-groupoftheG8.TheAsia-SouthWorkingPartymeetsonceayearandfollows theEuropeanworkingpartymodel.Sofar,ithasbeenmostactiveinprovidingtrainingsessions.TheAfricanWorkingPartyalsomeetsonceayear,buthasyettosetupprograms.Its goalfor2005istorunanawarenessprogramfortopmanagementinAfricancountriesand regionalpoliceorganizations,andtostarttargetingallAfricancountrieswithinformationon cybercrimeonaregularbasis.TheAmericasWorkingPartydoesnotprovidepubliclyavailableinformation. Tofurtherpromoteinternationalcooperation,Interpolhasproposedthecreationandimplementationofafixedinternationaltrainingunit.Thisunitshouldconsistofapooloftrainersfromthe Interpolmemberstates.Ithasbeenfurtherproposedthatthetrainingteam,madefromthepool oftrainers,wouldvisitthedifferentcountriesandconductthecourselocally.Interpolenvisions thatwiththeaidoftheAmerican,Asian,African,andEuropeanworkinggroupsasufficiently largepoolofpotentiallecturerscouldbecreated. Theexistenceofmanualsandtrainedlawenforcementofficersisalreadyameasureofthe successoftheInterpolinitiatives.Tofurthermeasureimpact,Interpolshouldpubliclyprovide statisticsaboutthenumberofcybercrimeinvestigationsthathavebenefitedfromitsmanualsand trainingprograms.
204 NAIN, DONAGHY, AND GOODMAN
CurrentInternationalLegalLandscape:LittleHarmonization From1999to2002,manycountriesinEuropeupdatedtheirlegislationforcomputercrimesaccordingtotherecommendationsformulatedinthe1980sand1990sbytheUN,OECD,andtheEU.In NorthAmerica,similarlawswerepassedintheUnitedStatesandCanada,andintheAsiaPacific region,inAustralia,Japan,Singapore,India,andMalaysia.7Duetoheightenedattentiontoterrorist threatsaftertheeventsofSeptember11,2001,thegrowingeconomicimpactofcybercrimes,and pressurefromcountrieswithexistingcybercrimelaws,anincreasingnumberofcountrieshave beenintroducingnationallegislationonalloratleastsomeoftheaspectsconcerningcybercrime orcybersecurity.Since2002,Europeancountrieshavehadtoharmonizetheircybercrimelaws undertheCouncilFrameworkDecisiononAttacksAgainstInformationSystems. However,therearestillcountrieswithoutcybercrimelawsandinmanycountriescybercrime lawsarenotharmonized(ComptrollerandAuditorGeneralofIndia,2003;McConnellInternational,2000;DunnandWigert,2004;GelbsteinandKamal,2002;Techlawed,2005).Thelackof harmonizationisaproblemassoonasnationshavetodealwithcybercrimeonabilateralbasis. Mutuallegalagreementtreaties(MLATs)havedualcriminalityrequirements,meaningthecrime hastobedefinedinthelawsimilarlyinbothcountries.Thesituationismuchmorecomplex whenthreeormorecountriesinvestigatecybercrimeonamultilateralbasis.Afamousincident exacerbatedbylackofharmonizationinvolvesthe“Iloveyou”virus,releasedonMay4,2000, andcausinganestimated$10billionindamages(WashingtonPost,2000).8Thisviruscollected Internetpasswordsfrominfectedcomputersaroundtheworldandsentthemtoe-mailaccountsin thePhilippines.TheFBIandthePhilippinesNationalBureauofInvestigationworkedwithInternet serviceproviderstotracetheprogramtoatelephonelineintheapartmentofOneldeGuzman,a formercollegecomputingstudent.SincethePhilippineshadnolawagainstdestructivecomputer activity,investigatorschargedMr.deGuzmanwithtraditionalcrimesliketheftandviolationofan “accessdevices”lawthatnormallyappliestofraudusingcreditcards.However,inAugust2000 prosecutorswereforcedtodismissallchargesagainstMr.deGuzmanbecausethelawsciteddid notapplytocomputeractivityandtherewasinsufficientevidenceshowingintenttogainfromthe e-mailprogram.PresidentJosephEstradaimmediatelysignedalawoutlawingmostcomputerrelatedcrimes,butthelawcouldnotbeappliedretroactivelytothe“LoveBug”author. The“LoveBug”caseshowsthatifonlysomecountriesadoptcybercrimelawsanddedicatelaw enforcementtohelpothernations,theperpetratorsmaynotbearrestedandprosecutedunlessall countriesinvolvedintheprosecutionhaveharmonizedcybercrimelaws.Todealeffectivelywith theproblem,countriescannolongerbeallowedtobe“safehavens,”inwhichcybercriminals legallylaunchattacksagainstcomputerslocatedelsewhere. CouncilofEuropeConventiononCybercrime:ProspectsforHarmonization.Theonlymultilateraltreatythataddressesharmonizationoflawsfortheglobalproblemsofcomputer-related crime and electronic evidence gathering is the Council of Europe Convention on Cybercrime (COE,2006a).9TheCOE,distinctfromthetwenty-five-nationEuropeanUnion,hasforty-six membercountries(COE,2006b).10Themainobjectiveoftheconventionistoestablishatreaty thatrequiresmemberstatestopursueacommoncriminalpolicyaimedattheprotectionofsociety againstcybercrime,especiallybyadoptingappropriatelegislationandinvestigativeprocedures andfosteringinternationalcooperation.Theforty-sixCOEmembersandfournonmemberstates (UnitedStates,Canada,Japan,andSouthAfrica)participatedinthedraftingtheconventionfrom 1997to2001.AsofSeptember2006,thetreatywassignedbyforty-twocountries,andratifiedby sixteen.Thefull,updatedlistcanbefoundontheconventionwebsite(COE,2006a).Thesixteen
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY205
ratifiedcountriesare:Albania,BosniaandHerzegovina,Bulgaria,Croatia,Cyprus,Denmark, Estonia,France,Hungary,Lithuania,Norway,Romania,Slovenia,theformerYugoslavRepublic ofMacedonia,UkraineandtheUnitedStates. OverviewoftheConventiononCybercrime.Theconventioncontainsforty-eightarticles.The main themes are the common definition of offences for harmonization of the national laws, thedefinitionofinvestigationandprosecutionprocedurestocopewithglobalnetworks,andthe establishmentofaneffectivesystemofinternationalcooperation.Anexplanatoryreport(ER)accompaniestheconventionandprovidesananalysisoftheconventionaswellastheunderstanding ofthepartiesindraftingconventionprovisions.TheERisthusacceptedasafundamentalbasis forinterpretation. Articles2–13addresssubstantivecriminallaw.Partiesarerequiredtodomesticallycriminalizecybercrime.Theoffencesaredividedintocategories:(1)offencesagainsttheconfidentiality, integrityandavailabilityofcomputers,dataandsystems(alsoknownasCIAcrimes);(2)computer-relatedtraditionaloffences(forgeryandfraud);(3)content-relatedoffences(includingchild pornography);(4)offencesrelatedtoinfringementofcopyrightandrelatedrights(intellectual property);and(5)infringementofprivacy(personaldata). Articles14–22addressprocedurallaw.Electronicevidencerelevanttocybercrimecasescan bedifficulttosecureandcanbequicklyaltered,moved,ordeleted.Toaddresstheseissues,the convention requires each party to ensure that competent authorities have certain powers and proceduresforuseininvestigations.Theseinclude,butarenotlimitedto:preservationofcomputer-storeddata;preservationandrapiddisclosureofdatarelatingtotraffic,systemsearch,and seizure;real-timecollectionoftrafficdata;andinterceptionofcontentdata. Articles23–35addressinternationalcooperation.Theconvention’sprovisionsforinternational cooperationaresubjecttoexistinginternationalagreements,suchasMLATs,andthedomesticlaws oftheparties.Themainthemeistoprovidemechanismsformutualassistanceifexistinginternationalagreementsarenotapplicableortoexpediteexistingagreements.Onestrategytoexpedite internationalcooperationistheestablishmentofa24/7network,intendedtohandlerequestsfor mutualassistancequicklyandefficiently(Art.35).Eachpartyisrequiredtodesignateapointof contactavailabletwenty-fourhoursaday,sevendaysperweek,tofacilitaterapidinvestigationof cybercrimes,similartotheG8High-TechCrime24/7Point-of-ContactNetwork.The24/7networks arerequiredtobeabletocommunicaterapidlywiththeircounterpartsinotherlocations,andthe partiesmustensurethattrainedandequippedpersonnelareavailabletostaffthenetwork. Articles40–42dealwithdeclarationsandreservations.Toencouragewidespreadacceptance ofthetreaty,thedraftershaveallowedforconsiderableflexibilityininterpretationofprovisions. Thisoccursformallythroughanumberofpossibledeclarations(Art.40)andreservations(Art. 42),andmoreinformallythroughothersuggestedinterpretationsinthetreaty’sexplanatoryreport(ER).Through“declarations,”partiesmaypositadditionalelementsintheirinterpretations ofoffensesandproceduralobligations,andthrough“reservations”partiesmaylimitorqualify thosesameobligations. DebatesaroundtheConventiononCybercrime.Muchhasbeenwrittenabouttheconvention (Hopkins,2003;Jones,2005;COE,2004b;andWestby,2004).Certainprovisionswerecontroversialduringitsdraftingandnegotiationphases.Wesummarizeherethemajorissues: • Lackofgovernanceandnosupportforcountriesoflowcapability:Criticsarguethatthe COEshouldprovideforanagencyorotherconcretemechanismtofacilitateinternational
206 NAIN, DONAGHY, AND GOODMAN
cooperation.Althoughtheconventionrequirespartiestoadoptasetofdetailedinvestigativeprocedurestohelpcatchcybercriminals,itprovidesnoguidanceastohowcountries oflowcapabilitycouldimplementthis.Theconventionobligespartiesto“ensurethattheir competentauthoritieshavethecapacitytocollectorrecordtrafficdatabytechnicalmeans” (ER,Par.219,andArt.20).Securingthecooperationofvulnerablecountries—andensuring thattheyhavethemeanstocooperate—iscriticalbecausesuchcountriesarearguablymost likelytobe“safehavens”forcybercriminals.Itisnotlikelythatsomeofthecurrentratifyingcountriesareabletofullyimplementtheseguidelinesand/orprovidepropertrainingto thevariousactorsthathelpenforcetheconvention. • Undesirablybroadcoverage:Theconvention’sbroadcoverageofoffenseshasdrawnextensive criticism.Itisarguedthatitshouldlimititselftoprotectingtheinformationinfrastructures bycriminalizing“pure”(confidentiality,integrity,access)cybercrimes.Theremayalsobe insufficientinternationalconsensusonwhetherandhowtocriminalize“content-relatedoffenses”likechildpornographyandcopyrightinfringement.Thedrafters’generalresponse totheseobjectionsisthatpartiesarefreetoissuereservationsanddeclarations,allowing themtointerpretoffensesflexiblywithduerespectfornationalandculturaldifferences. • Insufficientprotectionofprivacy,civilliberties,andhumanrights:Privacyadvocates,civil libertygroups,andindustryassociationswereespeciallyconcernedwithprovisionsthatappeartointrudeonpreexistingconstitutionalandlegalrightsandplacerestrictionsonprivacy, anonymity,andencryption(COE,2004a;GILC,2003).Inresponse,thedraftersarguethat partiesdiffertooradicallyintheirconceptionsofcivillibertiesandprivacytomandateany specificlevelsofprotection,anditislefttoindividualcountriestocounterbalancethenew powersconsistentwiththeirestablishedprivacylawsandculturalnorms.Inaddition,under theconvention,nopartyisrequiredtocarryoutaninvestigativemeasurethatviolatesrights protectedindomesticlaw. • Thereistoohighaburdenonindustrytoassistlawenforcementininvestigation:Through theWorldInformationTechnologyandServicesAlliance—WITSA(WITSA,2005),industry hasarguedthattherequirementsonserviceproviderstomonitorcommunicationsandto provideassistancetoinvestigatorswouldbeundulyburdensomeandexpensive.Although itdoesnotrequireanyassistanceoutsideofaprovider’s“existingtechnicalcapability,”the conventiondoesnotprovideforanyreimbursementofcostsassociatedwithcomplyingwith thenewprocedures,fordatainterception,storage,andsurveillance,shouldserviceproviders havethetechnicalcapabilitytocooperate. ImpactoftheConventiononCybercrime.Onesuccessoftheconventionisthelevelofinvolvementofallcountriesinthedraftingprocess,includingthefournonmemberstates.Forexample, duringthedraftingandnegotiationprocess,theUnitedStatessoughtcommentsandotherinputfrom avarietyofgroupsrepresentingU.S.interests(USDOJ,2003).Asaresultoftheseconsultations, theUnitedStatesobtainedseveralimportantrevisionstotheconvention’stextandExplanatory Report.Inaddition,theCOEmadedraftsavailabletothepublicforcomment.Thefirstpublicly releaseddraftoftheconventionwasDraft19,madeavailableforcommentinApril2000.Several moredraftswerethenreleased,culminatinginthefinaldraft,releasedonJune29,2001.This processledtoanimportantpublicdebateaboutcybersecurity,asindicatedbythelevelofinvolvementofcivilandindustrialgroupsduringthedraftingprocess(USDOJ,2003). InasurveycirculatedataSeptember2004conferenceinStrasbourg,France(OctopusInterface,2004),signatorystateswereaskedtodiscussthelevelofimplementationoftheconvention. Thesignatorystatesthathadnotratifiedtheconventioncouldbedividedintothreecategories.
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY207
Aboutone-thirdthoughtthemselvesableandwillingtoratifywithinashorttime(6–9months). Legislationagainstcybercrimehasbeenadoptedorisabouttobeadoptedinanotherthird.Finally, statesinthelastthirdareabouttointroduceproposalsforrelevantlegislationorwoulddosoin thenearfuture. Thissurveyindicatesthatthemajorhurdleagainstratificationisthetimeneededtoreview andamendexistinglawsorproposenewlawstothenationalgovernments.Outofthetwo-thirds ofcountriesthathavealreadyreviewedtheirlaws,mostappeartobeadoptingacompromiseapproachbyreportingthattheyintendtoupdatepartsoftheirdomesticcybercrimelawstocomply withtheconvention,andusereservationsanddeclarationstocomplywithexistingdomesticlaws thatcannotbechanged,orwouldbetoocumbersometochange. Amorethoroughsurveyisneededtofullyaddresstheprogressofratificationineachmember country.Thecitedsurveylackeddetails.Afuturesurveymightincludeafullreviewoflawsthat needtobemodifiedoraddedbythemembercountriestocomplywiththeconventionandadetailed overviewofthemechanismsthateachcountryisputtinginplacetoaddressexpeditedcollection ofdataandprosecutionandmechanismsforinternationalcooperation.However,theconference alreadyrevealedthatdespitethecriticismsoftheconvention,mostcountrieswithintheCOEare intheprocessofratifyingit. IntheUnitedStates,theBushadministrationurgedrapidratificationoftheconvention,andtransmittedittotheSenate’sCommitteeonForeignRelationsforreviewonJuly17,2004.According totheStateandJusticeDepartments,existingU.S.federallaw,coupledwithsixreservationsand fourdeclarations,wouldbeadequatetosatisfytheconvention’srequirements(Cybercrime,2003). OnJune29,2005,acoalitionofindustrygroupsandindividualcompaniesrepresentingdifferent sectorsoftheeconomyissuedalettertotheU.S.SenateForeignRelationsCommittee,urgingratification(PRNewswire,2005).11Intheletter,thecoalitionarguesthatratificationwouldminimize obstaclestointernationalcooperationthatcurrentlyimpedeU.S.investigationsandprosecutionsof computer-relatedcrimes.OnJuly26,2005,allninemembersoftheForeignRelationsCommittee whowerepresentsaidbyvoicevotethattheybroadlyagreedwiththeCouncilofEuropeConvention onCybercrimeandtheU.S.SenateratifiedtheconventiononAugust3,2006. Anassessmentofwhethertheupdatedlawsandnewcooperationmechanismssetinplacebythe ratifyingcountrieshavehelpedprosecutecrimeshasnotyetbeenexploredbytheCOE.Inasmuch asfiveyearshavepassedsincethefirstratification,itwouldbetimelytofindmeaningfulmetrics toassesstheimpactofthemechanismsputinplacebyratifyingcountriesorbythosethathave signedbutnotyetratified,perhapsincollaborationwiththeOECD.Anobviousissueisthatthe criticalmassofratifyingcountriesmightbetoolowtomeasureimpact,particularlywhenitcomes totheexpedited24/7network;however,itwouldbeimportanttomeasurewhethertheratifying countrieshaveevenbeenabletoimplementmechanismsputforthbytheconvention. COCAdditionalProtocol.InNovember2002,theCouncilofEuropeintroducedan“Additional ProtocoltotheConventiononCybercrime,concerningthecriminalizationofactsofaracistand xenophobicnaturecommittedthroughcomputersystems.”Thisprotocolentailsanextensionofthe ConventiononCybercrime’sscope,includingitssubstantive,procedural,andinternationalcooperationprovisions.Theadditionalprotocolcontains,forexample,adefinitionofracistorxenophobic materialandprovidesforthecriminalizationoftheseactscommittedthroughcomputernetworks, includingtheofferingandthedistributionofsuchmaterialthroughcomputernetworks.Itwas openedforsignatureinJanuary2003;ithasbeensignedbytwenty-threecountriesandratifiedby two,asofFebruary19,2005.TheUnitedStatesandothercountrieshaveindicatedthattheywill notsignitoutofconcernthatitwouldviolatedomesticfreedomofspeechprotections.
208 NAIN, DONAGHY, AND GOODMAN
REGIONALINTERGOVERNMENTALORGANIZATIONS Inthelate1990s,regionalorganizationssuchastheEuropeanUnion,theAPECforum,andthe OrganizationofAmericanStates(OAS)begandevelopingtheirownpoliciestocombatcybercrimeinacoordinatedfashion,followingOECDguidelines.Theseorganizationshavebeentrying tosupplementpolicieswithmechanismstoencouragecooperationamongtheirmemberstates. Thesemechanismsfallunderthecategoriesofinformationsharing,collectiveearlywarning,law enforcementcooperation,andlegalharmonization. Cybersecuritypoliciesandmechanismsareindifferentstagesandformsofimplementation indifferentpartsoftheworld.Someorganizations,suchastheEU,takearegulatoryapproach toenforcelegalharmonizationandinformationsharingmechanisms.Others,suchastheAPEC, areencouraging,butnotrequiring,information-sharingmechanismsamongmembers,without yetfocusingonharmonizinglegalmechanisms.TheOAShasnotyetenactedmechanismsto implementitspolicies. CountriesinAfricahaveyettoformacomprehensivecybersecuritypolicy,althoughthefourteenmembercountriesoftheSouthernAfricaDevelopmentCommunity(SADC)haverecently agreedtoharmonizetheircyberlaws(Betts,2005).Whilerecentdevelopmentsincountrieslike Nigeriaindicatethatmechanismsaretobeputintoplaceatthenationalleveltoaddresscybercrime (EFCC,2004;Oyesanya,2004),nosingleorganizationhasbeenformingaregionalAfricanpolicy towardscybersecurity(BalancingActNews,2004a). Europe Europehasbeenveryactiveintryingtocreateaunifiedcybersecuritypolicyandmechanisms. Wereviewthemostsignificantinitiatives,bothfromtheEUandotherEuropeanorganizations. TheEuropeanUnion(EU)Policies:TowardRegionalCooperation TheEU’smaindecision-makingbodyistheCounciloftheEuropeanUnion.Memberstatesare representedintheCouncilbytheirministers.TheCommissionoftheEuropeanUnionproposes legislation,policies,andprogramsofactionforimplementingthedecisions.Since1997,theEUhas beensurveyingitsmembersoncybersecurity(Europa,2005).InJanuary2001,theCommission issuedacommunicationtotheCouncilentitledCreatingaSaferInformationSocietybyImproving theSecurityofInformationInfrastructuresandCombatingComputer-relatedCrime(Europa,2001a). Thissurveyedproblemsthatcomputer-relatedcrimesposefornationallawenforcementauthorities andreviewedthecybercrimelawsofmembercountries.CouncilresolutionsinJanuary2002(Europa, 2002a)andJanuary2003(Europa,2003)stressedtheneedforacomprehensiveEuropeanstrategyto “strivetowardsacultureofsecuritytakingintoaccounttheimportanceofinternationalcooperation.” Theresolutionsreiteratetheneedforbettereducationandawarenesscampaigns,promotingbest securitypracticesinsmallandmedium-sizedenterprises,andtheuseofinternationalstandards. EUMechanismsforSecuringCyberspace InitialEUinitiativesforcybersecurityremainedvoluntaryforitsmemberstates.Asafirststep,the EUencourageditsmemberstoparticipateinexistinginitiatives.OnMarch19,1998,theCouncil invitedthememberstatestojointheG824-hourinformationnetworkforcombatinghigh-tech crime,arecommendationreiteratedin2001(Europa,2001b).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY209
Subsequentinitiativesweremoreformalandbinding.UndertheProposalforaCouncilFrameworkDecisiononAttacksagainstInformationSystemsissuedbytheCommissionin2002,member statesarerequiredtoexchangeinformationaboutcertaincybercrimeoffencesandmustestablish operationalpointsofcontactavailabletwentyfourhoursadayandsevendaysaweek.Inaddition, memberstateswillinformtheGeneralSecretariatoftheCounciloftheirpointsofcontactandof anyothermeasuresadoptedtocomplywiththeFrameworkDecision(Europa,2002b). Despite these initiatives, the European authorities indicated in 2004 that the “reactions of theMemberStateshaveproveddisparateandnotsufficientlycoordinatedtoensureaneffective responsetosecurityproblems.Apartfromcertainadministrativenetworks,thereisnosystematic cross-bordercooperationonthisissuebetweenMemberStates,eventhoughsecuritymatterscannotberegardedasanisolatedissueforanyonecountryalone”(Europa,2004). Toaddressthisissue,theEUestablishedinMarch2004aEuropeanNetworkandInformation SecurityAgency(ENISA)(ENISA,2005a).TheaimincreatingtheENISAisto“enhancethe capabilityoftheCommunity,theMemberStatesandthebusinesscommunitytoaddressandto respondtonetworkandinformationsecurityproblems.”Theagencyisfocusedonthetasksof collectingandanalyzingdataonsecurityincidentsinEuropeandemergingrisks;promotingrisk assessment and risk management methods; and promoting awareness-raising and cooperation betweendifferentactors,notablybydevelopingpublic/privatepartnerships. Theinitialgoaloftheagencyistostartworkinawarenessraisingandpromotionofbestpractices. ThefirststudyfundedbytheagencywillprovidetheEuropeanCommissionandENISAwithan overviewofachievementsoftheEU-25MemberStatesandtheEEAStates(EuropeanEconomic Area)withrespectofCouncilResolutions(2002/C43/02and2003/C48/01)tocreateaculture ofnetworkandinformationsecurityandensureacommonapproachamongstthemembers. Animportantmilestonewillbea2007review,whentheagency’sactivitiesaretobeevaluated inordertodecidewhetherithasachieveditsobjectivesandtasksandwhetheritwillcontinueto functionafteritsinitialfiveyears’duration.Thishasledtheagencytosetupaclearworkplan for2005,includingperformanceevaluatorstomonitoritssuccess(ENISA,2005b). TheoverallgoalofENISAistoserveasacenterofexpertisewherememberstates,EUinstitutions,andindustrycanseekadviceonnetworkandinformationsecurityandinparticularcollect appropriateinformationtoanalyzecurrentandemergingrisks,andtopayattentiontosmalland medium-sizedenterprises.IfENISAfulfillsthisgoal,thenitcouldserveasamodelforother regionalagenciesandperhapsamodelforaninternationalinformation-sharingagency. EuropeanInitiativesforCSIRTs’Cooperation InEurope,theTF-CSIRTTaskForcewasestablishedin1999(TERENA,2006).Theaimof thetaskforceistopromotethecollaborationbetweenCSIRTsinEurope.TF-CSIRThasbeen activeinpromotingcommonstandardsandproceduresforrespondingtosecurityincidentsand assistingintheestablishmentofnewCSIRTsandthetrainingofCSIRTstaff.TF-CSIRTis focusedonEuropeandneighboringcountries.ItsmostimportantactivityistheTIaccreditationservicethatismeanttofacilitatetrustamongCSIRTsbyformallyaccreditingthem.The rigorousaccreditationschemerequiresaminimumsetofservicesandinitiativesfromCSIRTs (TERENA,2005a)andisupdatedeveryfourmonths.Onceaccredited,CSIRTsgainaccess totherestrictedinformationthatfacilitatesinformationsharingwithotheraccreditedCSIRTs (TERENA,2005b). AnotherimportantEuropeanmechanismisTRANSITS(TrainingofNetworkSecurityIncident TeamsStaff)(TRANSITS,2005b).Itisathree-yearEuropeanprojecttopromotetheestablishment
210 NAIN, DONAGHY, AND GOODMAN
ofCSIRTsandtheenhancementofexistingCSIRTsbyaddressingtheproblemoftheshortageof skilledCSIRTstaff.Since2002,sixtrainingprogramshavebeenheld,trainingoveronehundred participants(TRANSITS,2005a). EuropeanInitiativesforLawEnforcementCooperation SinceJuly1999EuropolhasbeentheEuropeanUnionlawenforcementorganizationthathandles criminalintelligence.TheEuropolComputerSystem(TECS)scheduledtobedeployedin2005 willfacilitatecybercrimeinvestigations(Europol,2005).Thenewsystemisspecificallydesigned tofacilitatesharingandanalysisofcriminaldatabetweenEUmembersandlawenforcementorganizationsinothercountries.EachEUmembernationhasassignedtwodataprotectionexperts toEuropoltocloselymonitorhowpersonaldataarestoredandused. TheCentrexNationalCentre(CPTDA),basedintheUK,hasdevelopedamodelforregional lawenforcementtrainingforpolicingexcellence(Centrex,2003).Centrexhasbeenprovidingan accredited,modularEuropeantrainingprogramforalltwenty-eightEUandcandidatecountries aswellasNorway,Switzerland,Interpol,andEuropoltoharmonizecybercrimetrainingacross EUborders.TheEUAGISfundstheprogram(POLCYB,2004). Theprogramallowsfortransferofacademiccreditfromcountrytocountrysothatinvestigatorsareabletocommunicateeffectivelyduringinvestigationswithpeoplewhocanbeidentified ashavingsimilarknowledgeandskills.Aregisterofthosewhohavesuccessfullycompletedthe trainingandwhoreceivethestatusofEuropeanCyberCrimeInvestigator(ECCI)isbeingcreated inordertoenhancethecapacityforinternationaloperationalcollaboration.Oversixtyofficers fromacrossEuropehavereceivedtraininginintroductoryITforensicsandnetworkinvestigations. Thetrainingmaterialisbeingmadeavailabletoallcountries.OfficersfromtheUK,Germany, Denmark,Ireland,HongKong,Greece,andFrancehavedeliveredthetraining.Thenextstageof theprojectistocreateanetworkofEuropeancybercrimetraining.Thecreationoftheproposed networkofcybercrimetraininginstituteswouldbeanimportantmechanismandcouldbescaled toincludecountriesfromoutsidetheEU. Asia-PacificEconomicCooperation(APEC) TheAPECforumwasestablishedin1989topromoteeconomicgrowthandintegrationinthe PacificRimamongtwenty-onemembers.12OnSeptember21,2001,theAPECTelecommunicationsandInformationWorkingGroupnotedtheimportanceofcooperationintheefforttosecure informationsystemsandshareinformationinaccordancewiththeUNGeneralAssemblyResolution55/63:CombatingtheCriminalMisuseofInformation.InChinain2002,attheFifthAPEC MinisterialMeetingonTelecommunicationsandInformationIndustry,declarationsemphasized bothmultilateralcooperationandaneedforalegalbasistocombatcybercrime(APEC,2002b). APECmembersagreedtosupporttheimplementationofthemeasuresincludedinUNResolution 55/63,takingintoaccountinternationalinitiativesinthisareasuchastheworkoftheCouncilof EuropeandOECD(APEC,2002a). APEC’seSecurityTaskGrouphasalsobeendevelopingapolicyoncybersecurity.Establishment ofinformationsharinginstitutionsandearlywarningsystemssuchasCSIRTsand24/7networks havebeenaimsofthisgroupalongwithpromotingguidelines,publiceducation,andlaws.APEC alsohasaninitiativeforaregionalCSIRT,launchedinMarch2003,aimedatprovidingin-country trainingtoenhancecapabilitiesindevelopingcountriesintheregionandtodevelopguidelines forcomputerresponseteams(APEC,2003a).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY211
CSIRTs’CooperationInitiativesintheAsiaPacificRegion APCERT(AsiaPacificComputerEmergencyResponseTeam)isacoalitionoffifteenCSIRTsfrom twelveeconomiesacrosstheAsiaPacificregioncreatedin2002(APCERT,2005a).Thegoalof thecoalitionistoaccelerateactivesharingofinformationaboutcomputerthreats,vulnerabilities, andincidentsamongregionalCERTsandtoprovidecrosstraining.Inaddition,APCERTorganizesAPSIRC,anannualmeetingforinformationsharing(APCERT,2005a).APCERTdecidedto haveitsownaccreditationschemetocertifymemberteamsinordertobeabletohandlesensitive informationwithinthememberswithtrust. A2003reportshowsthatAPCERThasenabledregionalcooperation.Forexample,theAustralian governmentthroughitsAusAIDprogramhasprovidedfundingforin-countryCSIRTtraining.As partofthisprogramAusCERTprovidedtrainingforThailand,Vietnam,thePhilippines,Indonesia,andPapuaNewGuineain2003–4(APCERT,2003).AusCERTalsosponsoredMyCERT’s (MalaysiaCERT)successfulapplicationtoFIRST,aninternationalprivate-publicinformation sharingnetwork.Forincidentresponse,theThaiCERTindicatedamuchfasterresponsetothe Blastervirusin2003thankstocommunicationchannelswiththeAPCERTthanitsresponseto theSlammerwormearlierintheyearwhencooperationwithAPCERTwasnotasactive. APECexplicitlysupportsAPCERTandrecognizestheroleofCSIRTsandtheneedtoestablish teamsinmembercountriestopromoteinformationexchangeandcooperation.Toachievethis, APEClaunchedaninitiativeforaregionalCSIRTinMarch2003,aimedatprovidingin-country trainingtoenhancecapabilitiesindevelopingcountriesintheregionandtodevelopguidelines (APEC,2003a).TheexperiencedAustralianandU.S.organizationshaveactivelyledthisprogrambyprovidingtrainingandfunding.InadditiontotheAustraliantrainingjustdescribed,the UnitedStateshasfundedpartoftheprojecttoprovideCERTtrainingtoRussia,Mexico,Peru, andChilein2005. LawEnforcementCooperationintheAsiaPacificRegion In theAsia Pacific region,APEC has been promoting cooperation among law enforcement agencies.InJuly2003,APEC-TELheldaCybercrimeLegislationandEnforcementCapacity BuildingConferenceofExpertsandTrainingSeminarinBangkok(APEC,2003b).Theseminar hadthreemaingoals:topromotethedevelopmentofcomprehensivelegalframeworksrelating tocybercrime,toprovideassistanceinthedevelopmentoflawenforcementcybercrimeunits, andtoimprovecooperationbetweenindustryandlawenforcementincombatingcybercrimes. Asof2005,assistanceeventswereprovidedforthePhilippines,Indonesia,Vietnam,Chinese Taipei, Peru, andThailand (Downing, 2003). However, most of these cooperative measures remainvoluntaryandhighlydependentonfundingfromcountriessuchastheUnitedStates (Downing,2003). OrganizationofAmericanStates(OAS)Initiatives Formedin1948,OASmembershipincludesthirty-fournationsoftheAmericas(OAS,2005). TheissueofcybercrimewasfirstaddressedintheOASattheSecondMeetingofMinistersof JusticeinMarch1999,whenitwasrecommendedthataworkinggroupbecreatedinthisarea (OAS,1999b).Theworkinggroupissuedareportin1999describingsignificantvarianceamong itsmemberswithregardtotheirperceptionoftheimpactofcybercrime.Itrecommendedapolicy to“develop,adapt,andharmonizethelegislation,procedures,andinstitutionsrequiredtocombat
212 NAIN, DONAGHY, AND GOODMAN
cybercrime”(OAS,1999a).Inaddition,itrecommendedthatstatesbecomemembersoftheG8 24-Hour/7-Day-a-Weekpointofcontactgroup,orparticipateinothermechanismsforexchange ofinformation. AtaJune2003meetinginWashington,theOASGeneralAssemblyapprovedaresolution “thatcallsforbuildinganinter-Americanstrategyagainstthreatstocomputerinformationsystemsandnetworks.”TheresolutionnotesthatotherOASmeetingsonthesubjecthavecalled cyber-security-related crimes an “emerging terrorist threat.” Foreign ministers and high-level officialsmetinMexicoCityinOctober2003toreviewandupdatethehemisphere’soverallsecuritystructureandlistedcybersecurityasanewconcern.Theministersreassertedtheneedfor cooperationmechanisms,highlightingtheGovernmentalExpertsGrouponCybercrime(REMJA) andtheInter-AmericanTelecommunicationCommission(CITEL)asforumstodiscussissues (REMJA-V,2004).TheOAShasnotyetsetupconcretemechanismstoenhancecybersecurity intheAmericancontinents. PRIVATE-PUBLICORGANIZATIONS SincetheIP-basednetworkinfrastructuresaresharedandmanagedbypublicandprivateentities,thereisanintrinsicinterdependencybetweenthesesectors.Althoughagovernmentmaynot ownorcontrolcriticalnetworks,itisnonethelessdependentuponthesecurity,reliability,and availabilityoftheseinfrastructuresfornationalandeconomicsecurity.Giventhattheownership, operation,andsupplyofnetworksandcriticalsystemsaremostlyinthehandsofprivateindustry inmanycountries,private-publiccybersecurityinitiativeshavebecomeapillarofcybersecurity policies.Varioustypesofinternationalpartnershipsareemerging,ledbybusinesses,NGOs,or governments.Theirmissionsareusuallyveryspecifictoaprivatesector,suchasbanking,ora typeofattack,suchasspam.Asaresult,theiractionsarelargelyuncoordinated. MultinationalPublic-PrivateInternationalPolicyInitiatives Manyinternationalorganizationsrecognizetheneedforprivateandpublicsectorcooperation tosecureinformationinfrastructures.TheEU,G8,COE,APEC,OAS,OECD,andUNhaveall recognizedtheneedtopromotepublic/privatesectorcooperationinpolicymaking.Theseorganizationsaredevelopingwaystofacilitatepartnershipsthatshareinformationandexperiences, bestpractices,managementprocedures,andtechnicalsolutions(Westby,2004). Oneforumforcompaniesandgovernmentstodiscussstandardsandideasaboutcybersecurityis theInternationalTelecommunicationUnion(ITU),thespecializedagencyoftheUNresponsiblefor telecommunicationsstandardswherepublic/privatedialoguetakesplace(ITU,2005b).TheITU’s membershipincludes189memberstatesandover650privatecompaniesandotherorganizations and the ITU is the only intergovernmental organization within the UN system that has had a partnershipbetweengovernmentsandindustry.Ithaspublishedoverseventyrecommendations inthefieldofsecurityandhasorganizedworkshopsandsymposiumsonsecurityduringrecent years.In2002,theITU,followingaproposalbythegovernmentofTunisia,resolvedtoholda WorldSummitontheInformationSociety(WSIS)andplaceitontheagendaoftheUnitedNations.Subsequently,theUNGeneralAssemblyendorsedholdingWSISintwophases(ITU,2002). Thefirst,heldinDecember2003,theGenevaSummit,laidthefoundationwithadeclarationof principlesandaplanofaction.Twomajorthemeswereidentified:“buildingconfidence,trustand security”and“establishingstableregulatoryframeworks(goodgovernance).”Thesecondphase, heldinNovember2005,theTunisSummit,reviewedandevaluatedprogressontheactionplan
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY213
anddevisedanagendathatwilltargetgoalsforachievementby2015.InfoSecemergedasoneof theprimaryareasofconcernandattention. Business-ledInternationalPolicyInitiativesbythePrivateSector Duringthe1990s,internationalorganizationsrepresentingtheprivatesectorbecameactivein promotingcybersecurity,issuingguidelinestotheirmembers,andtryingtoinfluenceinternational cybersecuritypolicy. Internationalorganizationsinthebankingsectorhavebeenparticularlyactive.TheWorldBank hasissuedaseriesofpapers,reports,presentations,andeventstoaddressthesecurityoffinancialtransactions(Glaessneretal.,2002).Thebankissuedrecommendationsfortwelvelayersof securityinElectronicSecurity:RiskMitigationinFinancialTransactions—PublicPolicyIssues. TheserecommendationshavebeenputintooperationbytheWorldBankTreasury,incorporatedin theMonetaryAuthorityofSingapore’sRiskManagementGuidelines,andaddedtothelatestISO InformationSecurityBankingStandard13569.13Inaddition,theinfoDevProgramoftheWorld BankGroupfundedthecreationoftheInformationTechnologySecurityHandbook,whichprovides technology-independentbestpracticesandaddressesissuesrelevantspecificallytoindividuals, smallandmediumsizedorganizations,government,andtechnicaladministrators(Sadowskyetal., 2003).Thehandbook’sfocusisinternational:theauthorsreportthattheyhaveattemptedtoprovide practicalguidanceapplicableanywhereandtoincludeexamplesfromdevelopingcountries. AnotherinternationalbankingorganizationaddressingcybersecurityissuesistheBankfor InternationalSettlements(BIS),whichfostersinternationalmonetaryandfinancialcooperation andservesasabankforfifty-fivecentralbanks(BIS,2005).In2003,theBaselCommitteeon BankingSupervisionofBISissuedtheRiskManagementPrinciplesforElectronicBanking(BIS, 2003).Thecommitteecalledonbankstoreviewtheirriskmanagementprograms,policies,and proceduresforelectronicbankingactivitiesandlistedfourteenriskmanagementprinciples.These includeprinciplespertainingtoboardandmanagementoversight,securitycontrols,andlegaland reputationriskmanagement. TheInternationalChamberofCommerce(ICC)hasbeenrepresentingtheinterestsofinternationalbusinessesandassociationsworldwideandprovidesrecommendationstotheUN,theEU, andtheG8(Westby,2004).TheICCaddressescybersecurityissuesinitsGlobalActionPlanfor ElectronicBusinessincoalitionwiththeBusinessandIndustryAdvisoryCommittee(BIAC)to theOECD,theGlobalInformationInfrastructureCommission(GIIC),theInternationalTelecommunicationUsersGroup(INTUG),andtheWorldInformationTechnologyandServicesAlliance (WITSA)(ICCWBO,2002).Theactionplanrecognizestheneedtoprotectcriticalinformation infrastructure to ensure economic security. In particular it recommends cooperation between businessandlawenforcement. The ICC addresses cybersecurity issues in its Commission on E-Business, IT andTelecoms (EBITT).ItsTaskForceonCybercrime/Cybersecurity“articulatedbusinessinterestsininternational andregionalpolicyinitiativesrelatedtocybercrimes,aimingtoensurethereliabilityandtrustworthinessinelectroniccommunicationssystemswhilesafeguardingtheinterestsofprovidersandusers ininitiativestocountercybercrime”(EBITT,2003).ThetaskforceprovidedinputontheCouncilof Europe(COE)ConventiononCybercrimeandobtainedmajoramendments,includingtheprevention of“routinedataretention,”inthefinaltextoftheconvention.TheICCalsoprovidedcommentsto nationalgovernmentsofsignatorycountriesregardingkeyconsiderationsforlegislationtoimplement theCOEConventiononCybercrimeanditsFirstAdditionalProtocol(EBITT,2003). In2003,theICCalsoteamedwiththeBIACtotheOECDtopublishabooklet,Information
214 NAIN, DONAGHY, AND GOODMAN
SecurityAssuranceforExecutives,thatdescribeshowtheOECDSecurityGuidelinescanbeused topromoteacultureofsecuritybothinsideandoutsideofacorporation(ICCWBO,2004). InternationalPublic-PrivatePartnershipsthatTargetSpecificAttacks Interesting partnerships are emerging to treat specific types of cybercrimes, such as phishing, pharming,spoofingandspamming.14TheAnti-PhishingWorkingGroup(APWG)isa“global pan-industrialandlawenforcementassociationfocusedoneliminatingthefraudandidentitytheft thatresultfromphishing,pharmingandemailspoofingofalltypes”(APWG,2005).Although the1,200membersareconfidential,theyincludeeightofthetoptenU.S.banksandfourofthe fivetopU.S.ISPs.TheAPWGoffersresourcestoindustryandlawenforcementthatallowthem tostaycurrentwithphishingtechniquesandattackscenarios,andofferstechnicaladvice.The APWGalsoservesasareportingandtrendanalysiscenterforscams. Otherorganizations,suchasSpamhaus,arecomposedofvolunteers.Accordingtoitswebsite, Spamhaus“trackstheInternet’sSpammers,SpamGangsandSpamServices,providesdependable real-timeanti-spamprotectionforInternetnetworks,andworkswithlawenforcementtoidentify andpursuespammersworldwide”(Spamhaus,2005a).BasedintheUK,itisrunbyeighteenvolunteerslocatedaroundtheworld.Theymaintainareal-timedatabaseofIPaddressesofverified spam(SBLadvisory)andprovideitasafreeservicetohelpemailadministratorsbettermanage incomingemailstreams(Spamhaus,2005b).AsofAugust2005,Spamhausclaimsontheirwebsite tobeprotectingthemailboxesof485,456,881Internetusers.Italsomaintainsareal-timedatabase ofIPaddressesofillegalthirdpartyexploits(XBL)andaRegisterofKnownSpamOperations (ROKSO)databaseonknownprofessionalspamoperations(Spamhaus,2005a;2005b).Spamhaus hasalsotakenanactiveroleinlobbyinggovernmentalandintergovernmentalagenciestoeffect stronganti-spamlawattheUNWorldSummitontheInformationSociety(WSIS). Someindividualcompaniesarehelpingthelegalsystemdirectly.Microsofthasbeenactivein thatareaduetoitsexpertiseinthesoftwareindustry.OnNovember2003,Microsoftannounced thecreationoftheAnti-VirusRewardProgram,initiallyfundedwith$5million,to“helplaw enforcementagenciesidentifyandbringtojusticethosewhoillegallyreleasedamagingworms, viruses and other types of malicious code on the Internet” (Microsoft, 2003). Since then, the softwarecompanyhasplacedquarter-million-dollarbountiesonthoseresponsiblefortheSasser worm,MSBlastworm,theSobigvirus,andtheMyDoomvirus.Itisstatedthatresidentsofany countryareeligibleforthereward,accordingtothelawsofthecountryinwhichtheyreside, becauseInternetvirusesaffecttheInternetcommunityworldwide.Thisprogramledtothearrest oftheSasserwormauthorinGermany(Blau,2004;Lemos,2004;Sophos,2004). Privatecompaniesprovidetrainingtolawenforcementagenciesaswellasinformationand technicalassistancetosuchagenciesinspecificcases.Forexample,Microsoftprovidedtechnical informationandinvestigativeassistancetoFBIagentsinAugust2003inthecaseagainstJeffrey LeeParson,authoroftheBlasterworm(Sophos,2003).Despitethoseefforts,amainissuelimitingpublic-privatecooperationforlawenforcementisunderreporting.CERT/CCrecentlystated thatmanycompaniesstillseemunwillingtoreporte-crimeforfearofdamagingtheirreputation (CERT/CC,2004).Ithasbeenestimatedthat98percentofincidentscommittedagainstfinancialinstitutionsarenotreportedtolawenforcement(Workshop,2005),thereasonsbeingthat theinstitutionsareabletohandletheincidentsthemselvesorthatthedamagedoesnotwarrant involvinglawenforcement.Regardless,thistrendistroubling,asthesmallerincidentscouldbe partofalargereffortandwitheventsunreported,itisharderforlawenforcementtocorrelate attacksandidentifypatterns.
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY215
MAKINGGLOBALCYBERSPACEMORESECURE...? Theinformationgatheredontheorganizationsandinitiativesthathavebeendescribedinthischapter comesfromwebsitesandotherdocumentsandfrominternationalmeetingswhererepresentatives spokepubliclyandthenprivatelywiththeauthors.Thereisagreatdealofpublicinformationon missionstatementsandcharters,organizationalstructure,andwhattheyaretryingtodo. Aretheydoingitwell?Aretheycomingupwithenforceable,scalable,andreadilyusable solutionsthatreducevulnerabilities,determaliciousactivity,andmakecyberspaceasaferand moresecureinfrastructureglobally,oratleastslowtherateatwhichthingsaregettingworse?So far,thereislittlepublicinformationthatwouldhelpustoprovideconvincingpositiveanswers tothesequestions. Oneissueisthatmanyoftheorganizationsarestillintherealmofnascentformationand discovery.Manyarerecentlycreated(mostsignificantsurveyedinitiativesaretenyearsoldor less),becomingawareofeachother,adapting,andseekingmeansofcollaboration.Almostall proclaimadesiretoharmonizelawsandimproveinternationalcooperation,anecessitygiventhe scaleofattacksandamultitudeofjurisdictionalproblemswhereattackersinonesetofcountries canlaunchthroughasecondsetagainsttargetsinathird. A second issue is that surveyed organizations do not provide much in the way of metrics, statistics,orexamplesonhowmanycompaniestheysavedfromcybercatastrophe,howmany seriouscybercriminalstheyhelpedeliminateinonewayoranother,howmuchspamorphishing orotherformsofunwantedandfraudulentonslaughtstheydeterredorinterceptedbeforeitcould reachitsintendedtargets,andsoon.15Inthefollowingsection,wediscusshowInfoSecresearcherscanidentify(orhelpdefine)effectiveoperationalmodelsandsuccessmetricsforseveraltypes oftheseorganizationsthatwouldhelptheresearchcommunityassesstheirimpactandhelpthe organizationsbecomemoreeffective. Athirdissueisscalability.Unfortunately,transnationalcybercrimeseemstoscaleverywell ineverywaycyberspaceisexpanding.Thisispartlytheresultofeasyandinexpensivetechnical feasibility,internationalreachviaconnectivity,andthelackofotherconstraints(e.g.,controlled physicalborders,well-establishedlaws)thathelpkeepsomekindofcaponotherformsofcrime. Accordingly, it would seem desirable that the effectiveness of the international and regional organizationsandinitiativessurveyedinthischaptershouldalsobeexpectedtoscalewiththe problems.Wediscussthisissueintheremainderofthissection. Cyberlawsmayormaynotscalewell.Agoodcasecanbemadethathavinglawsthatexplicitly identify,forbid,andpunishcertainbehaviorisanecessity.Peopleandorganizationsaresubjectto nationallaws.Giventhetransnationaltechnicalstructureofthesenetworkedinfrastructures,itis desirablethatallnationshaveacommoncoreofcyberlawsinordertoprecludesafehavensand thelike.Intheory,anearlyuniversalmultilateralconvention,withparticipatingstateshavinga commonsetoflawsasnationallaws,wouldscalewell,asithasinthecivilaviationandmaritime domains.Incontrast,theuseofbilaterals,forexample,MLATs,tocovercrimesinvolvingmultiple jurisdictionsdoesnotscalewellduetothenon-transitivenatureofMLATs. TheCOEConventionisthemostadvancedinitiativeinthisregard.Notonlyisittryingtobring theforty-sixCOEmembersunderitsumbrella,butalsomanyothers.Forexample,officialsfrom theCOEinvitedallofthecountriespresentattheJune28–July1,2005ITUGenevameetingon cybersecuritytoconsiderjoining,althoughmanyofthesecountriesareamongthelessdeveloped andcouldnotcurrentlymeettheobligationsundertheconvention.Anargumentcanbemade thatitisdesirabletogetasmanycountriesaspossibletoofficiallyacknowledgetheimportance andlegitimacyofconcernsovercybercrimeandthenhelpthemdevelopcapacitytoenforcethe
216 NAIN, DONAGHY, AND GOODMAN
convention.Inthissensetheconventionmightscalewell,buttheCOEatthistimehasnoclear programtohelpdevelopandstrengthenthecapacitiesofthecountriesthatratify. Cyberlawenforcementdoesnotscalewell.Identification,apprehension,prosecution,andpunishmentarealloftentechnicallydifficult,timeconsuming,andcostly,especiallyinternationally; somuchsothatitisrelativelysafetobeacybercriminal.Manyoftheorganizationsandprograms surveyedinthischapterareconcernedwithoneormoreoftheseaspectsofinternationalcyberlaw enforcement,andanyimprovementoverwhatlittlethereisnowshouldbewelcomed.Realistically, onecannotexpectlawenforcementtosucceedinthisrealmasmuchasithas(ratherunevenly)in someothercriminalareas.Perhapsallthatcanbeexpectedissuccessinthemostseriouscases. Dealingwithcybercrimeisveryintelligenceintensive.Itisnoteasy,especiallyinearlystages,to clearlyidentifyaseriousattackascriminalvs.onethatshouldbeofnationalsecurityconcern.The commonassumptioninmanyplacesisthatitistobeconsideredtheformeruntilthereareindicationsotherwise.Asaresult,internationalcooperationgetsmuchtrickierwhennationalsecurity agenciesneedtoshareintelligenceinformation.Atthistime,cooperativetrainingprogramsand theestablishmentofinternationalcontactsarethemostprominentmechanismsthatcouldhelp promotecooperation.However,statisticsonwhetherthesemechanismsarehelpinginternational apprehensionsandprosecutionsonalargescalearenotreadilyavailable. Howwelldoesdeterrencescale?Onewouldhopethatacombinationoflawsandeducationand astrongerethicalcultureincyberspacewouldserveasadefactodeterrenttoalargervolumeof maliciousactivity.Wecanalwayshopethatmostpeoplearebasicallylawabidingand,oncethey appreciatewhatisagainstthelaw,theywouldbeinclinednottoviolatethoselaws.However,given whatwehaveseensofar,andhowunlikelyitisthatcyberoffenderswillbeidentifiedorpunished, weshouldhavetheexpectationthatalotofmaliciousactivitywillnotbedeterred.Educationata minimallevel,forinstance,topromoteawareness,caution,andbetterbehavior,mayscalefairly well,andmostoftheorganizationssurveyedheremaycontributetothat.Educationtoproduce highlyskilleddefenderswillnotscalewellagainstthelessdemandinglearningcurvethatneeds tobetraversedbymanykindsofattackers. Howwelldoespreventionscale?Inthisrealm,itmaybearguedthatthemostimportantform ofscalablepreventionistechnologyandproceduresthateliminatevulnerabilities.Forexample, manyattackswouldhavebeenprecludedifbufferoverflowvulnerabilitieshadnotexistedorhad beenremovedfromwidelyusedsoftwaresystems.Butoncelessvulnerablesoftwareexists,itis necessarythatitbewidelyadopted,somethingthatoftendoesnothappenasquicklyorextensively asnecessary.Asimilarstatementcanbemadewithregardtobestmanagementpracticesandprocedures.Therewouldseemtobeapotentialroleforanumberoftheorganizationssurveyedhere inthisregard,butasyetwedonotdetectthatithasbeenstronglyandeffectivelypursued. Anotherpreventionpossibilityisearlywarningandinformationsharing,whichseemsvery consistent with the missions of a fair number of these organizations. This is a very complex subject(e.g.,the“who”and“how”ofwarning,consequencesoffalsealarms,etc.)thatisfurther complicatedbytheextraordinaryspeedatwhichattackscanpropagate.Manymechanismsfor informationsharinghavebeencreated,includingpointofcontactnetworksandCSIRTs.These effortsareoftenuncoordinated,informal,andrelyonapoint-to-pointmodelofcommunication, whichdoesnotscalewell.ForCSIRTs,onemorescalablemodelwouldbea“networkofregional networks”ofCSIRTstoemerge,whereindividualCSIRTsfirstconnectwithothersintheirgeographicvicinityformingaregionalnetwork,suchastheAPCERT,andultimatelyeachwould startcooperatingwithotherregionalnetworks.Anothermightbetohaveanetworkofregional informationsharingagencies.Inthisrealm,theEUhastakentheleadbycreatingtheEuropean NetworkandInformationSecurityAgency(ENISA).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY217
Privatesectorinitiativesarecurrentlynumerous,oftenuncoordinated,andnarrowlyfocused oneitheraparticularprivatesectororparticularattacks.Thismodelofpartnershipsisnotreadilyscalable.Giventheexperienceoftheprivatesectorindealingwithcybercrime,acentralized collectionandanalysisofprivatesectordatathroughatrustedthirdpartymightbecreated.The FIRSTinitiativeisastepinthisdirection;howeveritsexclusivemembershiprestrictscountries withlowcapabilitiesfromaccessingvaluableinformation. Ingeneral,thelackofnationalpoliciesandmechanismsinsomeregionsoftheworld,most notablyAfrica,presentsamajorchallengetoglobalcybersecurity.Industrializednationsmust offertechnicalassistancetothesenationstohelpthembuildmechanismssuchasCSIRTsandto createandupdatecybercrimelaws.However,sofarmostofthesurveyedorganizationshavemade littleornosignificantpoliticaland/ortechnical-economicefforttohelpcountrieswithlittleinthe formofcybersecuritypoliciesandmechanisms. SUGGESTEDINTERNATIONALCYBERSECURITY RESEARCHTOPICS Aswehaveseeninthischapter,numerousinternationalorganizations/partnerships/initiativeshave beencreatedinthepasttwodecadestoencourageandaddressinternationalcooperationagainst cybercrime.Thechapterhasprovidedabroadoverviewofthecurrentlandscape,fromanalysis ofwebsitesandotherdocuments,andfrominternationalmeetingswhererepresentativesspoke publiclyandthenprivatelywiththeauthors. However,furtherin-depthstudiesoftheseorganizationsareneededtoanalyzetheirimpact, bothindividuallyandcollectively,oninformationsecurity.Inparticular,InfoSecresearcherscan identify(orhelpdefine)effectiveoperationalmodelsforseveraltypesoftheseorganizationsthat wouldhelptheresearchcommunityassesstheirimpactandhelptheorganizationsbecomemore effective.Inparticular,Table9.1presentsasetofimportantquestionsthatneedtobeinvestigated. Eachofthemwillbediscussedindetailbelow. DetailsonIssue1 Manyorganizations/initiativeshavebeencreatedinthepasttwodecadestoaddresscybercrime.These amounttosubstantialfinancial,organizational,andhumaninvestments.Havemoneyandtimebeen usedeffectivelytohelpfightcybercrime?Thisquestioniscriticalforshareholdersandgovernments (andultimatelytax-payersandpotentialvictimsofcybercrime)tokeepinvestinginsuchinitiativesand toensurethatthehumanandfinancialinvestmentshaveanimpact.Inparticular,iftheeffortshavenot beenfocusedontherightissuesorhavenotbeensuccessful,howcantheseorganizationsdobetter? Inordertoanswerthesequestions,metricsareneededtoassesstheimpactoforganizations targetingcybercrimeattheinternationallevel.Researchersneedtoidentifystandardinternational metricstomeasurethesuccessofexistingandnewinitiatives.Forexample,countriescouldcollect statisticsonthenumberofcybercriminalsarrestedandprosecutedasadirectresultofOECD guidelineimplementation,andthenumberofincidentssuccessfullyhandledbyCSIRTs.Public andprivateinitiativesneedtoreporthowmanycompaniestheysavedfromcybercatastrophe,how manyseriouscybercriminalstheyhelpedeliminateinonewayoranother,howmuchspamor phishingorotherformsofunwantedandfraudulentonslaughtstheydeterredorinterceptedbefore itcouldreachitsintendedtarget.Suchmeasureswillhelpcountriesandtheprivatesectoridentify andprioritizesuccessfulmechanismsandhelpplanandjustifybudgetdecisions.Additionally,it willrevealwhichissuesarenotbeingaddressedproperlybycurrentorganizations.
218 NAIN, DONAGHY, AND GOODMAN Table9.1
ProblemsinNeedofFurtherStudy Area
Issue
1.Overall 1.1Noorganizationprovidesmuch assessment/metrics intermsofmetrics,statisticsor ofsuccess numerousexamplesonitsuccessin fightingcybercrimeattheinternational level 2.Identificationof operationalmodels
3.Analysisof underdeveloped areasoffocus
Impact Researchersneedtoidentify meaningfulmetricsthatcanbe usedtoassessthesuccessof organizations/initiatives
2.1Ouranalysisindicatesregional coordinationiscurrentlythemost popularmodel(e.g.,“networkof regionalnetworks”ofCSIRTssuch asAPCERTs,regionalinformation sharingmechanisms,suchas EuropeanENISAagency,numerous regionalcybersecurityinitiatives, suchasEU,APEC,OASinitiatives)
Istheregionalmodelaviable, scalableoperationalmodeltofight cybercrimeattheinternational level?Ifso,howcancommunication betweentheseregionalentitiesbe effective?Candevelopingregions suchasAfricafollowthismodel withoutthehelpofotherentities?
2.2Mostcollaborationsofthe surveyedorganizations/initiatives areuncoordinated,informal,point topoint
Isthisinformal,point-to-point communicationmodelaviableand scalableoperationalmodeltofight cybercrime?Inparticular,doesthis modelincreaseordecreasethe speedandeffectivenessatwhich organizationscanadapttotheeverchanginglandscapeofcybercrime?
3.1Fewsurveyedorganizations/ initiativesfocusonresearchand development(R&D)forcybercrime preventionusingtechnologyand proceduresthateliminatevulnerabilities
Whatarethebarrierslimiting organizationsfromfocusingon/funding internationalR&Dinitiatives?Howcan thosebarriersbeovercome?
3.2Fewsurveyedorganizations/ initiativesfocusonpoliticaland/or technical-economicefforttohelp countriesthatlackcybersecurity policiesandmechanisms,especially developingeconomiesintheMiddle East/Africa
Whatarethebarrierslimiting organizationsfromhelpingdeveloping economies?Howcanthosebarriers beovercome?
3.3Privatesectorinitiativesare Howcanpublic-privatecooperation currentlynumerous,oftenuncoordinated bemoreeffective,withoutaffecting andnarrowlyfocusedoneithera theprivatesectorprotectionofIPand particularprivatesectororparticular shareholdervalue? attacks.Akeyissuelimitingpublicprivatecooperationforlawenforcement isunder-reportingofcybercrimes.
DetailsonIssues2.1–2.2 Regional and informal initiatives have been the most popular forms of cooperation to tackle cybercrimeattheinternationallevel,particularlyinEuropeandtheAsiaPacificregion.Whyis thismodelcurrentlythemostpopular?Isitpossibleforcountries/regionstoforegogeopolitical
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY219
barriersandcooperatewhenitcomestocybercrimeissues?Giventhecurrentgeopoliticalreality, isthisregionalandinformalmodelaviableone? Nosingleformalpointofgovernancecreatesandmonitorsmechanismsattheinternational level.Wouldaninternationalagencyinchargeofcybersecuritybeaviablemodel?Howwould suchanagencybefunded?Whatwouldbeitsscope?WoulditbeabranchoftheUnitedNations orastandaloneentity?Shouldsuchanagencypunishcriminalcybercrimeactivities? DetailsonIssue3.1 InfoSecspecialistsneedtounderstandwhatthebarriersarelimitingorganizationsfromfocusing moreoninternationalR&Dinitiativesandhowthosebarrierscanbeovercome.Additionally,how canthefindingsoftheInfoSeccommunity,epistemicinnature,successfullytransformintoaset ofnorms?16Ifanewtechnologicaladvanceisdiscovered,howcanweensurethatitisrapidly adoptedbygovernmentsandtheprivatesector,especiallyindevelopingeconomiesthatoftenlack fundstoaccessallrelevanttechnologies?Cantheprivatesectorhelpinthisrapidadoption,given itsinterestincurbingcybercrime?(SeeMicrosoftanti-virusandanti-piracyactions,[Microsoft, 2003].) DetailsonIssue3.2 Fewsurveyedorganizations/initiativesfocusonpoliticaland/ortechnical-economicefforttohelp countriesthatlackcybersecuritypoliciesandmechanisms,especiallydevelopingeconomiesin theMiddleEast/Africa.Someeffortsstandout,suchas: TheTelecommunicationDevelopmentBureau(BDT),abranchoftheInternationalTelecommunicationUnion(ITU),whosemissionstatementisto“assistdevelopingcountriesinthefieldof informationandcommunicationtechnologies(ICTs),infacilitatingthemobilizationoftechnical, humanandfinancialresourcesneededfortheirimplementation,aswellasinpromotingaccess toICTs”(ITU,2005a).Fromits2005report(ITU,2005c),itseemsthatitseffortsforcybersecurityareconcentratedonseminarsandworkshops(oneforCEE/CIS/BalticStates,twoforthe Americas,oneforSyria)andoneongoingprojectentitled“developmentoftoolsforaddressing securityandtrustissuesfore-applicationsande-transactionsandguidelinesforimplementation ofe-applicationprojects.” APECprovidesin-countrytrainingtoenhancecapabilitiesindevelopingcountriesintheregion andtodevelopguidelines(APEC,2003a). TheinfoDevProgramoftheWorldBankGroupfundedthecreationoftheInformationTechnologySecurityHandbook,whichprovidestechnology-independentbestpracticesandaddresses issuesrelevantspecificallytoindividuals,smallandmediumsizedorganizations,government, andtechnicaladministrators(Sadowskyetal.,2003).Thehandbook’sfocusisinternational;the authorsreportthattheyhaveattemptedtoprovidepracticalguidanceapplicableanywhereandto includeexamplesfromdevelopingcountries. Basedontheseobservations,threeimportantlinesofresearchemerge: 1. FurtheranalysisbyInformationSecurityresearcherstoevaluatewhethertheBDTworkshops,theAPECtraining,infoDevguidelines,andthecoupleofCSIRTSintheMiddle East/Africaregionaresuccessfulinimpactingcybercrimeindevelopingnations(also tiedtoissue1.1,identifyingmetrics).
220 NAIN, DONAGHY, AND GOODMAN
2. Understandingwhatthebarriersarethatlimitorganizationsfromhelpingdeveloping economies.Howcanthosebarriersbeovercome?Whatareeffectiveincentivesforboth thepublicandprivatesector? 3. Basedonthepreviouspoint,informationsecurityresearchersneedtodevelopaneffectiveoperationalmodelforcurrentorganizations(oraneworganization)tosuccessfully helpdevelopingeconomies. DetailsonIssue3.3 Asdiscussedearlierinthechapter,amajorissuelimitingpublic-privatecooperationforlawenforcementisunderreporting.Additionally,existingprivateorpublic-privateinitiativesareoften uncoordinatedandnarrowlyfocusedoneitheraparticularprivatesectororparticularattacks. Informationsecurityresearchersneedtodevelopeffectivealternativestoincreasetheamount of trust among public-private sector actors and encourage cybercrime reporting. The reasons forunderreportingneedtobefurtheranalyzedandtheimpactneedstobeclearlystatedtothe privatesectorandlawenforcementtostartadialoguebetweentheentitiesandfindasolutionto theunderreportingissue. Additionally,isthereaneedtocreateavenueormechanismforexchangeofR&Dinformation between multinational industries, governments, and academia at the international level, withrecommendationsraisedduringtheseexchanges,suchastheU.S.NSTACmodel(NSTAC, 2005)?Oristhereamoreeffectivemodeltorapidlyexchangeand,especially,toimplementR&D breakthroughs? CONCLUSIONS Cybercrimeisbecominganincreasinglysignificantfeatureinthelandscapeofworldwideinformationprocessing.Insurveyingthemanyregionalandglobalorganizationsandinitiatives,itis clearthatorganizationsliketheUN,OECD,theCouncilofEurope,theAsia-PacificEconomic CooperationForumandtheOrganizationofAmericanStatesareperformingtheirroleaspolicymakingbodiesinthecreationofinternationalmechanismstohelpprotectcyberspaceagainst crime.Thesemechanismsincludemostprominentlyaconsistencyinlawmaking,information sharing,andlawenforcementcooperation.Overthepasttwodecades,theseinitiativescreateda commoncharterelementtoimproveinternationalcooperation.Atthistime,itisnotpossibleto quantitativelyconcludewhethertheseorganizationshavebeensuccessfulinmakingcyberspace moresecureduetothelackofpertinentmetricsandpubliclyavailablestatisticstoassesspositive impact.Qualitativelyhowever,fivetypesofcooperationsurveyedinthischapterstandoutfortheir potentialtoshapecybersecurityduetotheirlargegeographicfootprintandambitiouscharters. Theseare(1)theCouncilofEuropeConventiononCybercrime,(2)regionalComputerSecurity IncidentResponseTeamsinitiativesinAsiaPacificandEurope,(3)cooperativetrainingprograms suchastheInterpolinternationaltrainingunits,(4)regionalinformationsharingagenciessuch astheEuropeanNetworkandInformationSecurityAgency,(5)public-privatepartnershipsthat targetspecificattacks.Manyoftheseinitiativesarestillintheirearlystagesandfutureanalysis willneedtoassesswhethertheycollectivelyamounttoawholethatissignificantlygreaterthan thesimplesumoftheseparateparts.Mostoftheseinitiatives,however,areattheregionallevel. Internationalenforcementandprosecutionofcybercrimewillprovedifficultwithoutasincere globalpolitical,economic,andtechnicalcommitmentfromwealthynationstoassistnotonlyeach otherbutespeciallyless-wealthynationsincombatingcybercrimeofalltypes.
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY221
ACKNOWLEDGMENTS TheauthorsareverygratefultoMichaelMurphree,researchassistantattheGeorgiaInstituteof TechnologySamNunnSchoolofInternationalAffairs,forhishelpwiththischapter.Thiswork hasbeenfundedinpartbytheJohnD.andCatherineT.MacArthurFoundationfortheGeorgia InstituteofTechnologySamNunnSecurityProgram. NOTES 1.Since1994,theUNpassedvariousresolutionsoncybersecurity.Itsresolutionsfallunderthree maintopics: (1) Creationofaglobalcultureofcybersecurity(resolution57/239of20Dec.2002andresolution 58/199on23Dec.2003). (2) Establishingthelegalbasisforcombatingthecriminalmisuseofinformationtechnologies(resolution55/63of4Dec.2000and56/121of19Dec.2001). (3) Developmentsinthefieldofinformationandtelecommunicationsinthecontextofinternational security(53/70of4Dec.1998,54/49of1Dec.1999,55/28of20Nov.2000,56/19of29Nov. 2001,57/53of22Nov.2002,59/61on3Dec.2004).Theitem“developmentsinthefieldof informationandtelecommunicationsinthecontextofinternationalsecurity”willagainbeonthe provisionalagendaofitssixtiethsession. 2.TheWPISPbringstogetherrepresentativesfromthethirtyOECDmembercountrygovernments,the privatesector,andcivilsocietytofostertheemergenceofsolutionstobuildtrustonline. 3.Anincidentisanadverseevent,orthethreatofsuchanevent,inaninformationsystem. 4.Tothisdate,theauthorshavefoundtwoCSIRTsintheMiddleEast/Africaregion:theAlgeriaCERIST, createdwiththehelpofUSAID,andtheEtisalatCorporationintheUnitedArabEmirates,whichjoined FIRSTin2004(BalancingActNews,2004b). 5.“CERT”isaCMUtrademarkanditsusebyanorganizationrequiresCMUapproval. 6.TERENA—Trans-EuropeanResearchandEducationNetworkingAssociation—wasformedinOctober 1994bythemergerofRARE(RéseauxAssociéspourlaRechercheEuropéenne)andEARN(EuropeanAcademicandResearchNetwork).Withinthisorganization,theTF-CSIRTtaskforceencouragescollaboration andcooperationamongEuropeanCSIRTS. 7.Formoreinformationonnationalorregionallawsconcerningcybercrimevisit: Australia Britain Canada EU Germany India Japan Malaysia Singapore
CybercrimeAct 2001, available at http://parlinfoweb.aph.gov.au/piweb//view_ document.aspx?TABLE=OLDBILLS&ID=910,accessedonSeptember1,2005 ComputerMisuseAct1990,availableatwww.bailii.org/uk/legis/num_act/cma1990204/, accessedonSeptember1,2005 Canadian Criminal Code: Unauthorized Use of Computer & Mischief (342.1 and 430[1.1]), available at www.hackcanada.com/canadian/freedom/canadacode.html, accessedonSeptember1,2005 TheTechlawedProject,availableatwww.techlawed.org/page.php?v=24&c=2&page= crime,accessedonSeptember1,2005 TelecommunicationsAct(intranslation),availableatwww.netlaw.de/gesetz/tkg.htm, accessedonSeptember1,2005 TheInformationTechnologyAct—2000,availableathttp://cag.nic.in/cyber_laws/india. htm,accessedonSeptember1,2005 UnauthorizedComputerAccessLaw(LawNo.128of1999),availableatwww.meti. go.jp/english/report/data/gMI1102e.htm,accessedonSeptember1,2005 LawsofMalaysia,Act563,ComputerCrimesAct1997,availableathttp://cag.nic. in/cyber_laws/malaysia.htm,accessedonSeptember1,2005 SalientfeaturesofElectronicTransactionsAct1998,availableat/www.ida.gov.sg/ idaweb/pnr/infopage.jsp?infopagecategory=regulation:pnr&infopageid=I1965&vers ionid=1,accessedonSeptember1,2005
222 NAIN, DONAGHY, AND GOODMAN UnitedStates FraudandRelatedActivityinConnectionwithComputers(18U.S.C1030),availableat www.usdoj.gov/criminal/cybercrime/1030_new.html,accessedonSeptember1,2005 8.Sincetrueeconomicdamageisimpossibletoaccuratelymeasureandisoftenbasedonself-reporting bytheprivatesector,suchfiguresshouldonlyserveasanindicator. 9.TheCOEwebpagecontainsthetextoftheConventiononCybercrime,theexplanatoryreport,and chartsofsignaturesandratifications. 10.ThemembersoftheCouncilofEuropeare:Albania,Andorra,Armenia,Austria,Azerbaijan,Belgium, BosniaandHerzegovina,Bulgaria,Croatia,Cyprus,CzechRepublic,Denmark,Estonia,Finland,France,Georgia,Germany,Greece,Hungary,Iceland,Ireland,Italy,Latvia,Liechtenstein,Lithuania,Luxembourg,Malta, Moldova,Monaco,Netherlands,Norway,Poland,Portugal,Romania,RussianFederation,SanMarino,Serbia, Slovakia,Slovenia,Spain,Sweden,Switzerland,Macedonia,Turkey,Ukraine,andtheUnitedKingdom. 11.ThecoalitionincludestheCyberSecurityIndustryAlliance(CSIA),theBusinessSoftwareAlliance (BSA),theAmericanBankersAssociation(ABA),theAmericanChemistryCouncil(ACC),ASISInternational,theAssociationforCompetitiveTechnology(ACT),theBankers’AssociationforFinanceandTrade (BAFT),theBusinessRoundtable,theDowChemicalCompany,theFinancialServices/InformationSharing andAnalysisCenter(FSISAC),theFinancialServicesRoundtable,theInformationTechnologyAssociation ofAmerica(ITAA),InfraGard,theInternetCommerceCoalition,andVerisign,Inc. 12.APECmembersare:Australia;BruneiDarussalam;Canada;Chile;People’sRepublicofChina;Hong Kong,China;Indonesia;Japan;Korea;Malaysia;Mexico;NewZealand;PapuaNewGuinea;Peru;Philippines;Russia;Singapore;ChineseTaipei;Thailand;UnitedStatesofAmerica;Vietnam. 13.AnupdatedversionofISO/TR13569thatincorporatesthetwelvelayersofsecuritywasreleasedin summer2004andisavailableforpurchaseat:www.iso.org/iso/en/CombinedQueryResult.CombinedQuer yResult?queryString=13569. 14.ThefollowingdefinitionsareavailablefromtheDepartmentofInformationTechnology,attheState of Michigan website, www.michigan.gov/cybersecurity/0,1607,7–217–34415—-,00.html, accessed on September1,2005. • PharminginvolvesTrojansprograms,worms,orothervirustechnologiesthatattacktheInternet browseraddressbarandismuchmoresophisticatedthanphishing.Whenuserstypeinavalid URLtheyareredirectedtothecriminals’websitesinsteadoftheintendedvalidwebsite. • Phishingistheactoftrickingsomeoneintogiving...confidentialinformationortrickingthem intodoingsomethingthattheynormallywouldn’tdoorshouldn’tdo.Forexample:sendingan e-mailtoauserfalselyclaimingtobeanestablishedlegitimateenterpriseinanattempttoscam theuserintosurrenderingprivateinformationthatwillbeusedforidentitytheft. • Spoofingisanattempttogainaccesstoasystembyposingasanauthorizeduser.Synonymous withimpersonating,masqueradingormimicking. ThefollowingdefinitionisavailablefromtheSpamhausProjectwebsite,www.spamhaus.org/definition. html,accessedonSeptember1,2005:“SpamasappliedtoemailmeansUnsolicitedBulkEmail(“UBE”). UnsolicitedmeansthattheRecipienthasnotgrantedverifiablepermissionforthemessagetobesent.Bulk meansthatthemessageissentaspartofalargercollectionofmessages,allhavingsubstantivelyidentical content.” 15.Spamhausisoneoftheexceptionsinthisregard,butitshouldberecalledthatitisessentiallyasmall NGOwithnoauthorityandreliesonthegoodwillofISPsandotherorganizationstoactuallydosomething withtheinformationSpamhausprovides. 16.Epistemic:anetworkofexpertswithanauthoritativeclaimaboutanissue(knowledge-society).Norms: anexpectedstandardofbehaviorandbeliefestablishedandenforcedbyagroup.
REFERENCES Anderson,C.2004.EtisalatJoinsthe“First”GlobalAllianceforComputerandInternetSecurity.AME Info,Dubai(availableatwww.ameinfo.com/39573.html,accessedonNovember26,2006). APCERT.2003.APCERTAnnualReport.AsiaPacificComputerEmergencyResponseTeam(availableat www.apcert.org/documents/pdf/annualreport2003.pdf,accessedonSeptember1,2005).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY223 APCERT. 2005a. Asia-Pacific Emergency Response Team (available at www.apcert.org/, accessed on September1,2005). APCERT.2005b.FullMemberList.APCERTSecretariat(availableatwww.apcert.org/member.html,accessed onSeptember1,2005). APEC.2002a.APECTelecommunicationsandInformationWorkingGroup(TEL)ProgramofAction.Fifth APEC Ministerial Meeting on Telecommunications and Information Industry. Shanghai, May 29–30 (availableatwww.apec.org/apec/ministerial_statements/sectoral_ministerial/telecommunications/2002/ annex_a.html,accessedonSeptember1,2005). APEC. 2002b. Shanghai Declaration. FifthAPEC Ministerial Meeting on Telecommunications and Information Industry. Shanghai, May 29–30 (available at www.apec.org/apec/ministerial_statements/ sectoral_ministerial/telecommunications/2002.html,accessedonSeptember1,2005). APEC.2002c.RecommendationbytheAPECTELWGtoSOMforanAPECCybersecurityStrategy.APEC 14thAnnualMinisterialMeeting,LosCabos,Mexico,October23–24,p.4(availableatwww.apec.org/ apec/documents_reports/annual_ministerial_meetings/2002.html,accessedonSeptember1,2005). APEC.2003a.ProtectingDevelopingEconomiesfromCyberAttack—AssistancetoBuildRegionalCyber Security Preparedness.APEC media release, March 18 (available at www.apec.org/apec/news___ media/2003_media_releases/180303_sin_protecting_developing_economies.html,accessedonSeptember 1,2005). APEC.2003b.JointStatement.FifteenthAPECMinisterialMeeting,Bangkok,October17–18(availableat www.mofa.go.jp/policy/economy/apec/2003/joint.html,accessedonNovember26,2006). APEC.2005.TelecommunicationsandInformationWorkingGroup—APECCybersecurityStrategy(available atwww.apec.org/apec/apec_groups/working_groups/telecommunications_and_information.html,accessed onSeptember1,2005). APWG.2005.WhatisPhishingandPharming?Anti-PhishingWorkingGroup(availableatwww.antiphishing. org/index.html,accessedonSeptember1,2005). BalancingActNews.2004a.CSIRT:aroutetocombatingAfrica’spositionasoneoftheworld’scyberbadlands. Balancing Act News, 216 (available at www.balancingact-africa.com/news/back/balancingact_216.html,accessedonSeptember1,2005). BalancingActNews.2004b.USAIDhelpstosetupfirstCSIRTinAlgeria.BalancingActNewsUpdate,223 (availableatwww.balancingact-africa.com/news/back/balancing-act_223.html,accessedonNovember 26,2006). Betts,M.2005.Globaldispatches:14Africancountriesagreetostandardizecyberlaws.ComputerWorld,May 16(availableatwww.computerworld.com/databasetopics/businessintelligence/story/0,10801,101755,00. html,accessedonSeptember1,2005). BIS.2003.RiskManagementPrinciplesforElectronicBanking.BaselCommitteeonBankingSupervision— BankofInternationalSettlements.Basel,July(availableatwww.bis.org/publ/bcbs98.pdf,accessedon September1,2005). BIS.2005.BIShomepage.BankforInternationalSettlements.Basel(availableatwww.bis.org,accessed onSeptember1,2005). Blau,J.2004.GermanteenagerindictedoverSasserworm.IDGNewsServiceonComputerWorld,September 9(availableatwww.computerworld.com/securitytopics/security/story/0,10801,95787,00.html,accessed onSeptember1,2005). Centrex. 2003. Central Police Training and Development Authority (available at www.centrex.police. uk/cps/rde/xchg/SID-3E8082DF-A3DD3A16/centrex/root.xsl/home.html,accessedonNovember28, 2006). CERT/CC.2004.E-CrimeWatchSurveyShowsSignificantIncreaseinElectronicCrimes.CarnegieMellon University Software Engineering Institute CERT Coordination Center (available at www.csoonline. com/releases/ecrimewatch04.pdf,accessedonOctober25,2005). CERT/CC.2005a.TheCERTFAQ.CarnegieMellonSoftwareEngineeringInstituteCERTCoordination Center,Pittsburgh(availableatwww.cert.org/faq/cert_faq.html,accessedonNovember28,2006). CERT/CC.2005b.CERTCoordinationCenter.CarnegieMellonSoftwareEngineeringInstitute,Pittsburgh (availableatwww.cert.org/,accessedonSeptember1,2005). COE.2004a.BigBrotherorFree-for-All—HowCantheLawStrikeaBalance?CouncilofEurope(available atwww.coe.int/T/E/Com/Files/Themes/Cybercrime/e_bigbrother.asp,accessedonSeptember1,2005). COE.2004b.SummaryoftheOrganizedCrimeSituationReport2004—FocusontheThreatofCybercrime. CouncilofEuropeOctopusProgramme.Strasbourg,December23(availableatwww.coe.int/T/E/Legal_
224 NAIN, DONAGHY, AND GOODMAN Affairs/Legal_co-operation/Combating_economic_crime/8_Organised_crime/Documents/Organised%20 Crime%20Situation%20Report%202004.pdf,accessedonNovember28,2006). COE.2006a.ConventiononCybercrime.CETSNo.185.CouncilofEurope(availableatwww.conventions. coe.int/Treaty/Commun/QueVoulezVous.asp?NT=185&CM=12&DF=17/04/05&CL=ENG,accessedon November,262006). COE. 2006b. The Council of Europe’s Member States (available at www.coe.int/T/E/Com/About_Coe/ Member_states/default.asp,accessedonNovember26,2006). Comptroller andAuditor General of India. 2003. Compilation of Cyber Laws: Summary Analysis of ResponsestoCyberLawQuestionnaire.SupremeAuditInstitutionofIndia(availableathttp://cag.nic. in/html/inter_projects_cyber.htm,accessedonNovember28,2006). Cybercrime. 2003. Message from the President of the United States—Transmitting. U.S. Senate, 108th Congress.1stSession,Washington,D.C.,November17(availableatwww.cybercrime.gov/senateCoe. pdf,accessedonSeptember1,2005). DHS.2003.NationalStrategytoSecureCyberspace.DepartmentofHomelandSecurity,U.S.,February(available at/www.dhs.gov/xprevprot/programs/editorial_0329.shtm,accessedonNovember28,2006). Downing, R.W. 2003. Cybercrime legislation and enforcement capacity building project. APEC TelecommunicationsandInformationWorkingGroup.Bangkok,April3–8(availableatwww.apectelwg. org/document/download.jsp?fname=Cybercrime%20Project%20Update%2020050401.pdf&all_ cd=010306&d_seq=2766,accessedonSeptember1,2005). Dunn,M.,andWigert,I.2004.CIIPHandbook2004:AnInventoryandAnalysisofProtectionPoliciesin FourteenCountries.ColumbiaInternationalAffairsOnline(availableatwww.ciaonet.org/book/dum01/ index.html,accessedonSeptember1,2005). EBITT.2003.FormerTaskForceonCybercrime/Cybersecurity.ICCCommissiononE-Business,ITand Telecoms(EBITT)(availableatwww.iccwbo.org/home/e_business/Cybercrime%20Cybersecurity.asp, accessedonSeptember1,2005). EFCC.2004.NigerianCyber-crimeWorkingGroup(NCWG).EconomicandFinancialCrimeCommissions (EFCC).Abuja,Nigeria(availableatwww.efccnigeria.org/,accessedonSeptember1,2004). ENISA.2005a.EuropeanNetworkandInformationSecurityAgency.EUROPA(availableateuropa.eu.int/ agencies/enisa/index_en.htm,accessedonSeptember1,2005). ENISA.2005b.WorkProgramme2005—”InformationSharingIsProtecting.”Brussels:EuropeanNetwork andInformationSecurityAgency,February25(availableatwww.enisa.eu.int/doc/pdf/management_board/ decisions/work_programme_2005.pdf,accessedonSeptember1,2005). Escobar,M.2004.Frameworkforestablishinganinter-AmericanCSIRTwatchandwarningnetwork.Third Plenary Session of the OAS Committee on Hemispheric Security of the OAS. Montevideo, Uruguay, January29. Europa.2001a.CommunicationfromtheCommissiontotheCouncil,theEuropeanParliament,theEconomic andSocialCommitteeandtheCommitteeoftheRegions:CreatingaSaferInformationSocietybyImproving theSecurityofInformationInfrastructuresandCombatingComputer-relatedCrime.Brussels,January 26(availableathttp://europa.eu.int/ISPO/eif/InternetPoliciesSite/Crime/CrimeComEN.pdf,accessedon September1,2005). Europa.2001b.OrganizedCrime:ContactPointstoCombatHigh-techCrime.EuropeanUnionDocuments, June 25 (available at http://europa.eu.int/scadplus/leg/en/lvb/133157.htm, accessed on September 1, 2005). Europa.2002a.Councilresolutionof28January2002onacommonapproachandspecificactionsinthe areaofnetworkandinformationsecurity.OfficialJournaloftheEuropeanCommunities,C043(2002), 0002(availableathttp://europa.eu.int/eur-lex/pri/en/oj/dat/2002/c_043/c_04320020216en00020004.pdf, accessedonOctober25,2005). Europa. 2002b. Proposal for a Council Framework Decision onAttacks against Information Systems. Commission of the European Communities. Brussels,April 19 (available at europa.eu.int/eur-lex/en/ com/pdf/2002/com2002_0173en01.pdf,accessedonSeptember1,2005). Europa.2003.Councilresolutionof18February2003onaEuropeanapproachtowardsacultureofnetwork and information security. Official Journal of the European Communities, C 048 (2003), 0001–0002 (availableathttp://europa.eu.int/eur-lex/lex/LexUriServ/LexUriServ.do?uri=CELEX:32003G0228(01): EN:HTML,accessedonOctober25,2005). Europa.2004.EstablishmentofaEuropeanNetworkandInformationSecurityAgency(ENISA)(available athttp://europa.eu.int/scadplus/leg/en/lvb/124153.htm,accessedonSeptember1,2005).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY225 Europa.2005.ActivitiesoftheEU:FightagainstCybercrime(availableathttp://europa.eu.int/scadplus/leg/ en/lvb/133193b.htm,accessedonSeptember1,2005). Europol.2005.FactSheetonEuropol2005.TheHague(availableatwww.europol.eu.int/index.asp?page=facts, accessedonSeptember1,2005). FIRST.2006a.FIRSTOperationalFramework.ForumofIncidentResponseandSecurityTeams.Mountain View,CA(availableatwww.first.org/about/policies/op-framework/index.html,accessedonNovember 26,2006). FIRST.2006b.MemberProcessataGlance.ForumofIncidentResponseandSecurityTeams.Mountain View,CA(availableatwww.first.org/membership/,accessedonNovember26,2006). G8.2000a.G8ConferenceonDialoguebetweenthePublicAuthoritiesandPrivateSectoronSecurityandTrust inCyberspace.Finalpressrelease,Paris,May15–17(availableatwww.g8.utoronto.ca/crime/paris2000. htm,accessedonSeptember1,2005). G8.2000b.OkinawaCharteronGlobalInformationSociety.Kyushu-OkinawaSummit2000.Okinawa: Government of Japan, July 22 (available at www.g7.utoronto.ca/g7/summit/20000kinawa/gis.htm, accessedonSeptember1,2005). G8.2001.ReportofWorkshopIV:ProtectionofE-commerceandUserAuthentication.G-8GovernmentIndustryWorkshop.Tokyo,MinistryofForeignAffairsofJapan,May(availableatwww.mofa.go.jp/ policy/i_crime/high_tec/conf0105–7.html,accessedonSeptember1,2005). G8.2003.MeetingofG8MinistersofJusticeandHomeAffairs.Paris,June9(availableatwww.g8.utoronto. ca/justice/justice030505.htm,accessedonSeptember1,2005). G8.2004.BackgroundontheG8.MeetingofG8JusticeandHomeAffairsMinisters.Washington,D.C., May 11 (available at www.usdoj.gov/criminal/cybercrime/g82004/g8_background.html, accessed on September1,2005). G8.2005.HowtheG8Works(availableatwww.g8.gc.ca/work-en.asp,accessedonSeptember1,2005). Gelbstein,E.,andKamal,A.2002.InformationInsecurity:ASurvivalGuidetotheUnchartedTerritories ofCyber-threatsandCyber-security.UnitedNationsICTTaskForce,November. GILC. 2003. Global Internet liberty campaign: latest news. Global Internet Liberty Campaign, May 5 (availableatwww.gilc.org,accessedonSeptember1,2005). Glaessner,T.; Kellermann,T.; and McNevin,V. 2002. Electronic Security: Risk Mitigation in Financial Transactions—Public Policy Issues.World Bank, July (available at www-wds.worldbank.org/servlet/ WDSContentServer/WDSP/IB/2002/08/23/000094946_02081004010495/Rendered/PDF/multi0page. pdf,accessedonSeptember1,2005). Hopkins,S.L.2003.Cybercrimeconvention:apositivebeginningtoalongroadahead.JournalofHigh Technology and Law, 2, 1 (available at www.jhtl.org/docs/pdf/SHOPKINSV2N1N.pdf, accessed on September1,2005). ICCWBO.2002.AGlobalActionPlanforElectronicCommerce,PreparedbyBusinesswithRecommendations forGovernments,3rded.AllianceforGlobalBusiness,July(availableatwww.iccwbo.org/home/e_business/ word_documents/3rd%20Edition%20Global%20Action%20Plan.pdf,accessedonSeptember1,2005). ICCWBO.2004.SecuringYourBusiness:ACompanionforSmallorEntrepreneurialCompaniestothe2002 OECDGuidelinesfortheSecurityofNetworkandInformationSystems:TowardsaCultureofSecurity. InternationalChamberofCommerce(availableatwww.iccwbo.org/home/e_business/RESOURCES-rev4. pdf,accessedonSeptember1,2005). Interpol.2003.InterpolJoinsMicrosoftinFightagainstCybercrime:AgreestoAssistinGlobalAnti-virus Reward Program. Interpol media release, November 5 (available at www.interpol.int/Public/ICPO/ PressReleases/PR2003/PR200331.asp,accessedonSeptember1,2005). Interpol.2005.IntroductiontoInterpol.Lyon(availableatwww.interpol.int/Public/Icpo/introduction.asp, accessedonSeptember1,2005). ITU.2002.ResolutionAdoptedbytheGeneralAssembly—WorldSummitontheInformationSociety.UN Resolution56/183,January31(availableatwww.itu.int/wsis/docs/background/resolutions/56_183_unga_ 2002.pdf,accessedonOct25,2005). ITU.2005a.AboutTelecommunicationDevelopmentBureau(BDT).InternationalTelecommunicationsUnion (availableatwww.itu.int/ITU-D/aboutbdt.html,accessedonMarch15,2006). ITU. 2005b. International Telecommunications Union website (available at www.itu.org, accessed on September1,2005). ITU.2005c.StatusReportontheImplementationofITU-DActivities2005.ITU-D,November1(available atwww.itu.int/ITU-D/pdf/imple-stat-rep05.pdf,accessedonMarch15,2006).
226 NAIN, DONAGHY, AND GOODMAN Jones,C.W.2005.CouncilofEuropeConventiononCybercrime:ThemesandCritiques.Berkeley:University ofCaliforniaatBerkeley,April5(availableatwww.sims.berkeley.edu/~cjones/Full%20Text%20Papers/ Council%200f%20Europe%20Convention%200n%20Cybercrime%20-%20Themes%20and%20Critiques. pdf,accessedonSeptember1,2005). Killcrece, G. et al. 2003. Handbook and Organizational Models for CSIRTs. CMU/SEI-2003-HB-001. Pittsburgh:CarnegieMellonSoftwareEngineeringInstitute(availableatwww.cert.org/archive/pdf/03tr001. pdf,accessedonSeptember1,2005). Killcrece,G.2004.StepsforCreatingNationalCSIRTs.Pittsburgh:CarnegieMellonSoftwareEngineering Institute(availableatwww.cert.org/archive/pdf/NationalCSIRTs.pdf,accessedonSeptember1,2005). Lemos,R.2004.Sasserbountyhangsonconviction,saysMicrosoft.CNETNews.com,September13(available at http://news.zdnet.co.uk/internet/security/0,39020375,39166398,00.htm, accessed on September 1, 2005). McConnellInternational.2000.Cybercrime...andPunishment?ArchaicLawsThreatenGlobalInformation. December (available at www.mcconnellinternational.com/services/CyberCrime.pdf, accessed on November28,2006). Microsoft. 2003. Microsoft Announces Anti-virus Reward Program. Washington, D.C., November 5 (availableatwww.microsoft.com/presspass/press/2003/nov03/11–05AntiVirusRewardsPR.asp,accessed onSeptember1,2005). NSTAC. 2005. R&D Exchange. President’s National SecurityTelecommunicationsAdvisory Committee (availableatwww.ncs.gov/nstac/rd/nstac_rd_about.html,accessedonMarch15,2006). OAS.1999a.FinalReportoftheSecondMeetingofGovernmentExpertsonCybercrime.Organizationof AmericanStates,Washington,D.C.,October14–15(availableatwww.oas.org/juridico/english/cybGE_rec. doc,accessedSeptember1,2005). OAS.1999b.FinalReportoftheSecondMeetingofMinistersofJusticeorofMinistersorAttorneysGeneral of theAmericas. Lima, March 1–3 (available at www.oas.org/juridico/english/Minjusti.htm, accessed September1,2005). OAS.2005.TheOrganizationofAmericanStates.Washington,D.C.(availableatwww.oas.org/,accessed onSeptember1,2005). OctopusInterface.2004.TheChallengeofCybercrime.OctopusInterfaceConference,Strasbourg,France (availableatwww.coe.int/T/E/Legal_affairs/Legal_co-operation/Combating_economic_crime/Cybercrime/ International_conference/Octopus-Interface-2004.asp,accessedonSeptember1,2005). OECD.1986.Computer-relatedCrime:AnalysisofLegalPolicy.Paris. OECD.1992.RecommendationoftheCouncilConcerningGuidelinesfortheSecurityofInformationSystems. OECD/GD(92)10.Paris. OECD.2004.SummaryofResponsestotheSurveyontheImplementationoftheOECDGuidelinesforthe SecurityofInformationSystemsandNetworks:TowardsaCultureofSecurity.Paris:WorkingPartyon InformationSecurityandPrivacy-OECD,September24(availableatwww.olis.oecd.org/olis/2003doc. nsf/43bb6130e5e86e5fc12569fa005d004c/81dd07040a1c0e43c1256eb6005423d4/$FILE/JT00169904. DOC,accessedonSeptember1,2005). Oyesanya,F.2004.AperformancereviewofEFCCandtheNigeriancyber-crimeworkinggroup.Nigerian VillageSquare,December22(availableatwww.nigeriavillagesquare1.com/Articles/oyesanya/2004/12/ performance-review-of-efcc-and.html,accessedonNovember26,2006). POLCYB.2004.CybercrimeInvestigation—DevelopinganInternationalTrainingProgrammefortheFuture. NationalCentreforPolicingExcellence(availableatwww.polcyb.org/Events/ILECA/04_ILECA_Other. htm,accessedonSeptember1,2005). PRNewswire.2005.MultipleindustrygroupsjointogethertourgeSenateratificationofthecybercrime treaty. PR NewswireAssociation LLC, June 29 (available at www.prnewswire.com/cgi-bin/stories. pl?ACCT=104&STORY=/www/story/06–29–2005/0003988022&EDATE=,accessedonSeptember1, 2005). PTI. 2004. India to work jointly with Russia to tackle cybercrime. Press Trust of India, Nationwide International News, December 4 (available through LexusNexus at: web.lexis-nexis.com.gtel.gatech. edu:2048/universe/document?_m=174547b04acd7eb6ebe3a9b84d8f25e8&_docnum=1&wchp=dGLbVlbzSkVA&_md5=37342b61a2088a83ec289d09d2587c65,accessedonNovember26,2006). REMJA-V.2004.ConclusionsandRecommendationsofREMJA-V.FifthMeetingofMinistersofJusticeor ofMinistersorAttorneysGeneraloftheAmericas,Washington,D.C.,April28–30(availableatwww. oas.org/juridico/english/cybV_CR.pdf,accessedonSeptember1,2005).
THEINTERNATIONALLANDSCAPEOFCYBERSECURITY227 Sadowsky,G.etal.2003.InformationTechnologySecurityHandbook.Washington,D.C.:InternationalBank forReconstructionandDevelopment—TheWorldBank(availableathttp://infodev-security.net/handbook/, accessedonSeptember1,2005). Solha,L.E.V.2002.CSIRTsinLatinAmerica.14thFIRSTConference.Hawaii(availableathttp://72.14.203.104/ search?q=cache:GY6RAFtjUlMJ:www.first.org/events/progconf/2002/d5–08-teamupd-csirts-latin-america. pdf+CSIRTS+in+Latin+America,+FIRST+Conference+2002&hl=en,accessedonSeptember1,2005). Sophos.2003.FBISettoArrestBlasterWormSuspect,SophosAnti-VirusComments.August29(available atwww.sophos.com/virusinfo/articles/blasterarrest.html,accessedonSeptember1,2005). Sophos.2005.SasserComputerWormTrialDelayed,SophosReports.October25(availableatwww.sophos. com/virusinfo/articles/sasserdelay.html,accessedonSeptember1,2005). Spamhaus.2005a.Rokso:TheRegisterofKnownSpamOperations(availableatwww.spamhaus.org/rokso/ index.lasso,accessedonSeptember1,2005). Spamhaus. 2005b. SBLAdvisory: Spamhaus Block List (available at www.spamhaus.org/sbl/index.lasso, accessedonSeptember1,2005). Spamhaus. 2005c. XBLAdvisory: Exploits Block List (available at www.spamhaus.org/xbl/, accessed on November28,2006). SpamhausProject.2005.TheSpamhausProject(availableatwww.spamhaus.org/,accessedonSeptember 1,2005). Techlawed. 2005. The Techlawed Project. University of Ottawa (available at www.techlawed.org/page. php?v=1&c=1&page=home,accessedonNovember28,2006). TERENA.2005a.InvitationPackageforTI“Accredited”Status.TrustedIntroducerforCSIRTsinEurope (availableatwww.ti.terena.nl/ti_process/invitation.pdf,accessedonSeptember1,2005). TERENA. 2005b. Trusted Introducer for CSIRTs in Europe.Amsterdam, January 4 (available at www. ti.terena.nl/,accessedonSeptember1,2005). TERENA.2006.TF-CSIRT.TERENA,Amsterdam(availableatwww.terena.nl/activities/tf-csirt/,accessed onNovember26,2006). TRANSITS.2005a.ReportontheSixthTrainingWorkshop:TrainingofNetworkSecurityIncidentTeamsStaff. Amsterdam,March18(availableatwww.ist-transits.org/d10_transits.pdf,accessedonSeptember1,2005). TRANSITS.2005b.TrainingofNetworkSecurityIncidentTeamsStaff(availableatwww.ist-transits.org/, accessedonSeptember1,2005). UNCJIN.1990.InternationalReviewofCriminalPolicy—UnitedNationsManualonthePreventionand ControlofComputer-relatedCrime.EighthUNCongressonthePreventionofCrimeandtheTreatment ofOffenders.Havana,August26–September7(availableatwww.uncjin.org/Documents/EighthCongress. html,accessedonSeptember1,2005). US-CERT.2005.FactSheet:ProtectingAmerica’sCriticalInfrastructure—CyberSecurity.UnitedStates Computer Emergency Readiness Team.Arlington,VA (available at www.us-cert.gov/press_room/ 050215cybersec.html,accessedonOctober25,2005). USDOJ.2003.FrequentlyAskedQuestionsandAnswers—CouncilofEuropeConventiononCybercrime. Department of Justice, November 10 (available at www.usdoj.gov/criminal/cybercrime/COEFAQs. htm#QA2,accessedonSeptember1,2005). USDOJ. 2005. G8 24/7 High Tech Contact Points Invitation. U.S. Department of Justice.Washington, D.C. (available at www.cybersecuritycooperation.org/moredocuments/24%20Hour%20Network/ 24%207%20invitation.pdf,accessedonSeptember1,2005). WashingtonPost.2000.ILoveYou,don’tprosecuteme,August24,p.A24. West-Brown,M.J.etal.2003.HandbookforComputerSecurityIncidentResponseTeams(CSIRTs),2nded. Pittsburgh:CarnegieMellonSoftwareEngineeringInstitute,April(availableatwww.cert.org/archive/ pdf/csirt-handbook.pdf,accessedonOctober25,2005). Westby,J.R.(ed.)2004.Internationalguidetocybersecurity.ABASectionofScienceandTechnologyLaw,95. WITSA.2005.WITSAPressCenter.Pressreleases.WorldInformationTechnologyandServicesAlliance. Arlington,VA(availableatwww.witsa.org/press/,accessedonSeptember1,2005). WorkshopontheInternationalDimensionsofCyberSecurity.2005.GeorgiaInstituteofTechnologyand CarnegieMellonUniversity,Atlanta,GA,April6–7.
PARTIV FORCESANDRESEARCH LEADINGTOFUTURE INFORMATIONSECURITYPROCESSES
CHAPTER10
EMERGINGUBIQUITOUS COMPUTINGTECHNOLOGIESAND SECURITYMANAGEMENTSTRATEGY GIOVANNIIACHELLOANDGREGORYD.ABOWD
Abstract:EmergingITapplicationsareincreasinglyembeddedinenvironmentsofeverydaylife andrunautonomouslyandwithoutsupervisionfromtheuser.Thesetechnologiesintroduceseveral newsecurityconcerns,bothtechnicalandorganizational,includingproblemsrelatedtopublic knowledgeandeducation,legality,privacyandacceptance.Inthischapter,wedefinethesalient featuresofthesetechnologiesandprovideaframeworkforanalyzingdataexchangeswithinthese systems.Wethendiscusssecurityissuesrelatedtomanagement,administration,oversight,legality, liability,acceptance,andsecuritystrategydesign.Weemploytworesearchubicompapplications toshowhowtheseissuesmanifestthemselves. Keywords: Ubiquitous Computing, Security Management, Capture and Access, Advanced IT Applications INTRODUCTION Overthepasttwentyyears,anewgenerationofcomputingapplicationshasbeensilentlyentering ourdailylives.RFIDtechnology(RadioFrequencyIdentification)isusedtotrackitemswithin supplychains,computer-controlledactuatorsystemssuchasABS(Anti-BlockingSystems)controlthebrakesofourcars,meetingsandlecturesareautomaticallyrecorded,mostpeoplecarry integrated location and communication systems in the form of cell phones, and the list could continue. Computing technology is increasingly embedded in environments of human action, suchashomes,transportationinfrastructure,andconsumerartifacts.Infact,withoutrealizingit, weinteractwithhundredsifnotthousandsofcomputingdevicesthroughoutourdailyactivities. Moreover,theseapplicationsareincreasinglynetworkedthroughwiredandwirelessconnections. Collectivelyreferredtoasubiquitouscomputing(orubicomp),theseapplicationsruncontinuously, unattended,andunsupervised(Weiser,1993). Ubicomp applications have been enabled by the converging developments of several strands ofinformationtechnology(IT),includingnetworking,theminiaturizationofcomputingdevices, reductioninpowerconsumption,andnovelsensing,dataprocessing,andstoragetechniques.These applicationsarecharacterizedbyadvancedcomputingcapabilitiesandcomplexoperatingbehaviors, andbythecollectionanduseoflargeamountsofinformationsensedfromphysicalenvironments (e.g.,videoinconjunctionwithimagerecognition,biometrics,orenvironmentaldata). Researchershavelongrecognizedthattheautomaticcollectionanduseofextensiveanddetailed 231
232IACHELLOANDABOWD
informationfromphysicalenvironmentscancausesecurityandsafetyrisksandupsetcurrentsocial practicesandnorms(Langheinrich,2001;Lessig,1999;PalenandDourish,2003;Patton,2000).For thisreason,privacyandsecurityhavecometotheforefrontoftheubicompresearchagenda.Past effortsinthisareafocusedondesign,suggestingprinciples,methods,andtechniquestoincrease applicationsecurityortoprotectuserprivacy.Theseincludebothgeneralefforts(e.g.,reinterpreting privacy-enhancingprinciplessuchasinformationminimization)(Langheinrich,2001),aswellas morefocusedanalysesinvolvingspecificapplicationssuchasofficevideoawarenesssystemsand employeelocatorapplications(BellottiandSellen,1993;HarterandHopper,1994). Inpractice,mostresearchonubicompsecurityhashithertoconcentratedontechnicalissues, be it the specifics of a particular technology or architectural solutions. However, the kind of informationhandledbyubicompapplications,andtheirsocialsettingofuse,suggestthatthe managementofthesetechnologieswillpresentsignificantchallenges.Thisisbecausesecurity managementtypicallyrestsonassumptionsthatarenotnecessarilytrueforubicompsystems. Theseassumptionsinclude: • sufficientresourcesandcompetentpersonneltoimplementandoverviewsecuritycontrols; • userinterfacestoinspectandauditsystemperformanceandoperation; • effectiveregulationandpolicyenforcement. Therefore,managingubicompapplicationswithcurrentdataprotectionandsecuritystrategies (used,forexample,formanagingfinancialorhealthdata)mayprovedifficult.Researchhasnot yettackledthemanagementissuesrelatedtoubicompapplications,dueinparttothelackofexperienceinusingtheseapplicationsinreal-worldsettings.Acknowledgingtheurgencyandscale ofissues,inthischapterweconcentrateonthesecuritymanagementissuesforubicompsystems. Thepurposeofthisdiscussionistopointoutthefundamentalmanagementchallengesforubicomp systemsandtosuggestsomeinstrumentsforachievingmoresecureubicompenvironments. Inthefollowingsection,weprovideanoverviewofsomerepresentativeubicompapplications andadescriptionofthetechnologicalevolutionthathasmadetheseapplicationspossible.Wealso introduceacharacterizationofinformationbasedonsemanticdensity,richness,andsensitivity, whichcanbeusedinthesecurityanalysisoftheseapplications.Wethendescribethetwocase studiesthatwillleadthediscussionthroughouttheremainderofthechapter.Thesetwoapplications(thePersonalAudioLoopandCareLog)areresearchplatformsdevelopedatourinstitution andarerepresentativeofsomeofthesecuritymanagementissuesdiscussedhere.Usingthetwo casestudiesasbackdropstothediscussion,wecatalogthemainsecuritymanagementchallenges brought on by ubiquitous computing applications. Finally, we briefly discuss future research directions. APPLICATIONSANDTECHNOLOGY Inthissection,weprovideasampleofsomeapplicationsingeneralterms.Wedescribeubicomp systemsasabstractflowsofinformation(seebelow,Figure10.1).Wedescribethetypesofinformationcollectedbyandusedinubicompsystems,andproposethreeattributes(semanticdensity, richness,sensitivity)usefulforsecurityandriskanalysis.Informationflowsandthecharacterizationofinformationareusedasguidesforthediscussionofsecuritymanagementstrategiesinthe remainderofthischapter. Earlyubicompapplicationsincludedautomatedmeetingrecordinginworkplaces.Theseapplicationscollectedaudioandvideoofmeetingsthatcanbeusedforfuturereference;examplesofthis
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY233
aretheTivolisystemdevelopedatPARC(Pedersenetal.,1993)andtheTeamspacesystem(Geyer etal.,2001).Theefficiencyofsearchwithinthemultimediadatacanbeincreasedbyrecording additionalinformation,suchastheidentityofthespeaker,salientevents(e.g.,slidechangeslike intheADEPTsystemdevelopedatStanford,peopleenteringandexitingtheroom,etc.)orstudent notes(e.g.,intheeClassdevelopedatGeorgiaTech)(Brusilovsky,2000). Other early ubicomp applications were “awareness” tools for office environments, through which remote coworkers could “see and hear” each other on audiovisual links, to foster collaborationandeasecommunication(Gaveretal.,1992).Othersystemsmadeuseoflocalization technologytofindpeoplewithinanofficecomplexforcallroutingpurposes(HarterandHopper, 1994).Intheseenvironments,designerswereawareofsocialdynamicsthatmightresistthese applications,forexample,outoffearofpotentialmisuseformonitoringworkers’performance (BellottiandSellen,1993). Thecaptureandretrievalofvideorecordingsistypicallyusedinpublicspaceforsecurityand accesscontrol,andincreasinglyforleisureandcommercialactivities.Theuseofsurveillance camerasincitiesstartedintheUnitedStatesduringthelate1960s(ColumbiaHumanRightsLaw Review,1973).Videocapturehasbeenproposedindistributedofficeenvironmentstoprovide abackground,continuouscommunicationchannelamongremoteworkers(BellottiandSellen, 1993).Recently,simplewebcamshavebeenusedforleisureandmarketingactivities,forinstance, tobroadcasttheinteriorofnightclubsandbarsorbeaches(BritishInstituteofInternationaland ComparativeLaw,2003). Inthehome,ubicomptechnologyhasbeenproposedtohelppeoplefindinglostobjects(Orr etal.,1999):inthatapplicationconcept,videocamerastrackthelocationoftheinhabitantsand statisticalalgorithmsareusedtosuggestpossiblelocationsofmisplacedobjects.Alternatively, RFIDtagsappliedontheobjectscanbeusedfortrackingtheirmovement.Automaticmonitoring systemsdeployedinthehomesofelderlypeoplecanbeusedbycaregiversandrelativestomaintain aneyeontheperson’swell-beingandhavebeenproposedasawayofprolongingthepermanence ofpeopleintheirownhomebyincreasingtheirsenseofsecurity(Mynattetal.,2001). Inhealthcare,ubicomptechnologycanalsobeusedformonitoring,suchaspatientobservation,anomalydetection,andtelemedicine.Implantablesensorsareusedtomonitorthehealthof patientsforseveralweeksaftersurgery(Maheuetal.,2001)andinformationsensedfromthe bodyisautomaticallytransmittedtoaprocessingcenter,analyzedforanomalies,andforwarded tothemedicalpersonnelincharge. Transportationsystemshaveusedthesetypesoftechnologiesforseveralyears.Thedistributed natureofthesesystemsandhighusagevolumeareraisingthecostsofdirect,continuous,human surveillance,thuspromptingthedevelopmentofautomatedtechnologies.Automaticpaymentsystems basedonRFIDtechnology,associatedwithautomaticvideocaptureandlicenseplaterecognition, forfraudpreventionhavebeenusedonmotorwaysinseveralcountriesfromtheearly1990s(Foresti etal.,2000).Moresophisticatedsystemsarecurrentlybeingdevelopedtouselocationtechnologies forautomatingtollcollectiononentirehighwaynetworks(TheEconomist,2004). FlowsofEnvironmentalInformation Theubicompapplicationsmentionedabovecollectinformationfromenvironmentsofhumanaction andtranslateitintooperationalresourcesforlateruse.Theseapplicationssharethesamegeneral informationflowsstructure.Figure10.1depictsthisstructure.Weemploythetermcaptureand access,proposedbyTruongetal.(2001),tocharacterizeaspecificsetofubicompapplications, asagenerallabelforthesetechnologies.
234IACHELLOANDABOWD Figure10.1 FlowofEnvironmentalInformation
Camera Environment
Aggregator …
Other environmental sensors
Retrieval system
Storage
Application
Sensorscollectenvironmentalinformationindigitalform,whichisdeliveredviatelecommunicationchannelstoanaggregator.Accordingtomilitaryterminology,theterm“sensor”canreferto anydevice,person,orsystemthatisabletocollectandforwardinformationfromtheenvironment, fromdisposablevibrationdetectorstosatellite-basedreconnaissancesystems(Libicki,2000).In thiscontext,wewillusethetermsensortoindicatedevicesatthesimplerendofthespectrum. Animportantsecuritycharacteristicofsensorsisthatlowreliabilitymustbetakenintoaccount asanormaloperatingmode.Thisisincontrastwiththebasicassumptionunderpinningdigital informationsystems,whicharegenerallyconsideredhighlyreliable. Theaggregatorcorrelatesandtranslatesthedatainformatsappropriateforstorageorimmediatedeliverytoapplications.Informationoriginatingfromdifferentsensorscanbeintegratedina coherentwhole(sensorfusion).Storedinformationmaybecollectedandanalyzedbyaretrieval system,andpossiblystoredagain,ordeliveredtothefinalconsumerofinformation.Theconnectionsbetweencomponentsarenotnecessarilypermanent.Forexample,applicationscanbe placedonmobiledevicesandcommunicateoverwirelessnetworkswithwhateversensorsare presentintheenvironmenttocollectdata.Othercomponentscanbemobileaswell;forexample, thestoragesystemcouldbelocatedina“personalserver”(i.e.,apersonal,wearable,networked, UI-lessstoragedevice)(Wantetal.,2002). Thecollectedinformationcanberetrieved,playedback,andsearched,bothfordirectconsumptionbyauserandforsupportinghuman-machineinteraction(e.g.,byprovidingthesystemwitha descriptionoftheenvironmentandtheactivitiesinwhichtheuserisengaged—suchadescriptionis referredbytheubicompliteratureascontext).Retrievalsystemstypicallyprovidefacilitiesforrelating,cataloging,andaccessinginformationatalevelofabstractionthatishigherthanthatnormally affordedbytypicaldatabases,usingcriteriabased,amongothers,ontemporalrange,geographic position,andontheidentitiesoftheindividualstowhichthecapturedinformationpertains. Table10.1synthesizesthecurrentstateandpaceatwhichvariouscomponentsofthisinfrastructurearedeveloping.1Thetablesuggeststhatoverthenextfewyears,sensortechnologywill
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY235 Table10.1
TechnologiesUsedinUbiquitousComputing Typeoftechnology
Cost
Video
Decreasing Costisrelatedtoimagequality.Inthemediumterm,the 10–20percent/ captureandperceptualqualitiesofthesedeviceswillnot year(Global improvedrastically. Information Inc.,2003)
Forecast
Audio
Stationary
High-qualitymicrophonesarestillrelativelylargeandexpensive devices,andhavenotimprovedmuchovertherecentpast.
Presence,motion, contact
Stationary
Thesesensingdevicesarerelativelyreliableandinexpensive, andlittleinnovationhasoccurredintherecentpast.
Location technologies
Stationary
TheintroductionoftheGlobalPositioningSystem(GPS) hasenabledahostofapplications,notwithstandingits poorperformanceindenselybuiltareasandindoors. Otheremerginglocationtechnologiesarebasedonan infrastructureofRFbeacons(e.g.,cellphonestowers,radio stations,802.11basestations).
Identification technologies
Slowly decreasing
IDtechnologiesforpeopleandobjectshaveundergone dramaticchangesoverthepastfewyears,withtheintroduction ofRFIDtagging.Otherkindsofidentificationtechnologies, basedonvideooraudioandpatternmatchingalgorithms,are stillresource-intensiveandtoounreliabletobeusedeffectively. Thesetechnologiesmightbecomerelativelyviableinthenear future.
Telecommunications Decreasing40 Theevolutionofthesetechnologiesistypicallyincremental, andnetworking percent/year althoughfromacustomerendpointdifferenttechnologies (e.g.,POTS,DSL)areintroducedinsteps,enablingdifferent categoriesofapplications.Thecost/bandwidthratiohas steadilydecreasedoverthepastdecade,roughlyaveraging 40percent/yearoverthe1990s(AustralianInformation EconomyAdvisoryCouncil,2004). Storage
Decreasing45 Magneticstoragecostperbytehasdecreasedanaverage percent/year of45percent/yearbetween1992and2004,andthistrendis likelytocontinue.Whilethisallowstostoreincreasingamounts ofmultimediainformationonarandom-accessdevice,access speedsandthroughputhaveevolvedmoreslowly,duetolimits tothemechanicalpropertiesofdisks(dimensionsandrotation speed).Thusthetransferspeed/capacityratiohasworsened (BerghellAssociatesLLC,2004;GrochowskiandHalem,2003).
Multimediadata mining
Stationary
1
Hasbeengainingspeedoverthepastyears(Elmagarmidet al.,1997;Forestietal.,2000).Currently,retrievalmethods relyonmeta-dataassociatedwithmultimediainformationand gatheredatthepointofcaptureorcreatedduringarchival, oronstatisticalalgorithms.1Oncedataisstored,exhaustive searchbearshighcostsduetotheamountofthestored information.Whileperformancewillincreasewithfaster algorithmsandmoreprocessingpower,dataminingcostwill notdecreaseradicallyinthenearterm.
SuchascommerciallyavailablesystemslikeAutonomy.Seewww.autonomy.com/.
236IACHELLOANDABOWD
notprovidegroundbreakingimprovementsinperformance,butitscost/capabilityratiowillslowly decrease.Storeddataaccessspeedwillgrowslowly.Unlessnovelstoragetechnologiesareintroduced,therelativeperformanceofexhaustiveanalysisandretrievalwillnotincreaseatthesame rateasstoragecapacity,astheamountofstoredinformationovergrowsaccessspeed. SemanticDensity,Richness,Sensitivity We point out three ways of characterizing information that we found useful for our analysis: semanticdensity,richness,andsensitivity.Althoughthethreepropertiesaredefinedloosely,and correlatedwithoneanother,distinguishingamongthesequalitiescanhelphigh-levelsecurityand riskanalysis.Table10.2showsanoverviewofthethreepropertiesofsenseddata,andoftherisks associatedwithhighandlowlevelsofsemanticdensity,richness,andsensitivity.Therightmost columnincludessomesecuritygoalstocounterthelistedrisks. Semanticdensity,measuredinrelationtoaspecificcoding,indicatestherelationshipbetween theinformationstoragesizeandtheinterestofitsinformationalcontentwithregardtoaspecific metric.Forexample,inanapplicationthattrackspeopleenteringandexitingabuilding,avideo recordingoftheentrancemightprovidelowsemanticdensity(i.e.,muchdatamustbeanalyzed toobtainspecificdesiredinformation),whilethelogofallaccessesbasedonanelectronicbadge lockwillprovidethesameinformationinaverycompactfashion(highdensity).Sensorfusion mayincreasesemanticdensity,asdatafromdifferentsourcescanbeusedtocross-referenceand facilitateaccesstosensedinformation. Thesemanticdensityofinformationanditsrelationshipwithsearchcostisanimportantparameterduringdesignandaffectsbothsystemandusersecurityandprivacy,becauseitinfluences thecost-risktradeoffintrinsictocounteringsecurityandprivacythreats. Datawithhighsemanticdensitycanbeprocessedefficiently,andsearchedforitemsmatching specificsearchcriteria.Itisthuseasiertouseormisuseafterthefact(i.e.,afteradatabasehasbeen created).Thisincreasedmalleabilityhighlightstherisksassociatedwithdatabaserepurposing, andexposestherelevanceofunforeseenattacksormisuse.Sincehigh-densitydataareparticularlypronetomisusethroughafter-the-factanalysis(e.g.,throughdatamining),technicaland organizationalsafeguardsshouldfocusonaccesscontrol,bothtotheinformationitselfandtothe processingtools(e.g.,management,dataminingtools).Low-densitydata,instead,aredifficultto searchtopinpointinformationitemsofinterest,ifthesearchcriterionisnotamongthe“natural” criteriaofhowthedataareorganized.2 Low-densitydatacanbeprotectedfromundesiredaccessbyreducingtheaccessrate.Thatis,it maynotbenecessarytoimplementaccesscontrolonthetoolsusedtoaccessthedata,butitmay besufficienttomakeaccessexpensiveenoughtodiscourageexhaustivesearches.Inthecaseofa databaseofindividualvideorecordings,forexample,accesscontroltothedatamayallowchecking outfromstorageonlyonevideorecordingatatime.Thedataarenottechnicallyconfidential,but thecostofobtainingenoughinformationforsystematicabusemaybemadeexcessive.Similar misuse-preventiontechniquesprotectinformationinmanyorganizationstoday. Richnessreferstothequalityofdataprovidingalargeamountofinterrelateddetails.Therichnessofavideofeedismuchhigherthanthatofanaccesscontrollog.Whilemorecostlytoanalyze, richerinformationconstitutesgoodevidencebecauseitismoredifficulttofabricate.Thisfactis acknowledgedbycourts:forexample,intheUnitedStatesadatabaserecordprintoutdoesnothave anyvalueasevidenceperseunlessapersoncanbebroughttotestifyaboutitsaccuracyandreliability(UnitedStatesDepartmentofJustice,2002),whereasavideorecordingoraudiointerception,if obtainedlegally,doesnotneedanyfurthervalidation.Lowsensorreliabilitymayaffecttherichness ofcollectedinformationanditsrelativestrengthasevidence.
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY237 Table10.2
PropertiesofSensedDataataGlance
RisksandSecurityGoalsfortheManagementofStoredData Characteristics
Risks
Securitymanagementgoals
Unforeseenanalysisanduse ofdata
Preventunauthorized disclosureofdata
Semanticdensity High
Efficientsearch Highvalue
Low
Costlytosearch
Preventunauthorizedaccess toprocessing/miningtools Mismanagementofdata
Limittherateofaccessto theinformation
InabilitytocomplywithchalImplementaccessand lengesonpersonaldata(e.g., challengeprocedures externalaudit/accessrequests) Incorrectfusion Richness High
Trustworthy
Misuseofpersonalinformation
Preventunauthorized disclosureofdata
Accurate
Inabilitytocomplywithrequests Controlreplication foramendmentordeletion
Difficulttomakeup Low
Easytofabricate
Unauthorizedmodification
Integritysafeguards
Forgingofdata
Detecttampering Abilitytoassessdata trustworthiness
Sensitivity High
Speciallegalstatus Claimscausedby mismanagement(breachesof regulatoryrequirements)
Integritysafeguards
Highsocialvalue
Loss/corruption
Preventunauthorized disclosureofdata
Two-tierleaks
Preventunauthorizeduses ofdata Implementsecurehandling procedures
Low
Lowersocialvalue
Managementcostshigherthan Cost-effectivesecurity valueofpreservinginformation controls
Protectingrichinformationhighlightsaspectsrelatedtointegrityandtrustworthiness.Rich informationsuchasanaudiorecordingismuchmoretrustworthythanatranscript,anditsdisclosurecanpresenthigherrisksofmisuse.Thisislikelytoaffecttheuseofdatainlegalproceedings.Storagemodalitiesshouldbetakenintoconsiderationwhendesigningsystemsthatrequire
238IACHELLOANDABOWD
stronglevelsofaccountabilityorunaccountability.Forexample,theSarbanes-OxleyActof2002 imposes specific security requirements on information related to the financial performance of publiclytradedcompanies.3Suchrequirementsmaybehardertosatisfywithrichdatasuchas videorecordingsofmeetingsasopposedtomoretraditionaldatabases. Finally,sensitivityisaconceptintroducedbydataprotectionlegislation.Itisusedtodescribethesocial characteristicsofinformation.Sensitiveinformationtypicallyincludeshealth-related,financial,political, religious,andothertypesofinformationthatcouldbeusedtoaffectadverselyanindividual. Ingeneral,personalinformationmustbeprotectedbyappropriatesecuritysafeguards.However, regulation often mandates specific additional security controls for sensitive information. Forexample,intheUnitedStates,healthserviceprovidersmustprotecthealth-relatedpersonal informationaccordingtospecificsecurityrequirements,detailedintheHealthInsurancePortability andAccountabilityAct(HIPAA)SecurityRule(U.S.DepartmentofHealthandHumanServices, 2003).IntheEU,privacylegislationprovidesforspecificrequirementsonsensitiveinformation, includingstrongerinformedconsentrequirements,andadditionalsecurityprovisionswhendisclosingthedatatothirdparties(EuropeanUnion,1995). Inordertocontainsecurity-relatedcosts,atwo-tieredsystemwithdifferentsecuritypolicies fordifferenttypesofdata(sensitiveandnotsensitive)canbeemployed.However,suchasetup presentstheriskofsensitiveinformationleakingtothenonsensitivepartitionofthesystem.Thisis aclassicsecurityprobleminthemilitarydomain,typicallysolvedusingmandatoryaccesscontrol. However,solutionsfromthatdomainmaybedifficulttotransfertocommercialorganizationsand rapidlyevolvingtechnology. CASESTUDIES Havingintroducedsomebackgroundconceptsusedthroughoutouranalysis,wenowdiscusstwo casestudies.Theseapplicationswillbeusedasaconceptualtestbedofthesecuritymanagement optionsdiscussedinthenextsection.Thesecasestudiesarerelevantbecausetheybothdisplay technical security issues and are used in a complex social environment: in the first case our analysisofthesecuritystrategyfocusesontheapplication’sdevelopersandonitsusers;inthe secondcase,ouranalysisfocusesonthebroadorganizationsurroundingtheapplication.Itshould benotedthatwearenotprovidingacomprehensivesecuritymanagementsolutionforeitherof theseapplications,whichare,inreality,muchmorecomplexthanwhatemergesfromthisdiscussion.Thecasestudiesareonlyusedtoprovideconcreteexamplesforsomeofthechallengesand solutionsthatwesuggest. ThePersonalAudioLoop ThePersonalAudioLoop(orPAL)isaportable,near-termaudioreminderservice,implemented onaconsumermarketmobilephone(Hayesetal.,2004a).PALwasmotivatedbytheeveryday experienceofconversationalbreakdowns,aspeopletrytoremembersomethingthatwassaid recently,suchasthetopicofaconversationbeforebeinginterrupted,oranameornumberbriefly heardinsituationsofhighcognitiveload.Thedeviceallowstheusertoreplay,atanymoment intime,anysoundthatwasheardbytheuserintherecentpast,uptoadefinedmaximumtime span,orbufferlength(forexample,uptoonehourinthepast).Audioolderthanthebufferlength isautomaticallyoverwrittenandcannotbereplayed.4 PALisintegratedinacellphone,butthedeviceonlyrecordssoundfromtheenvironment,and notphoneconversations.SincePALusesthespeakerphonemicrophoneofthedevice,therange
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY239
oftherecordingmightbeofuptoafewmetersfromthepersoncarryingthephone.Theusercan replaytherecording,rewindandfastforwardthroughitorjumptobookmarkedpositions(“earmarks”).Thestoredaudiocanbeheardeitherthroughtheloudspeakeronthephoneorthrough theexternalspeaker/mike. Thisapplicationpresentsobviousconcernsrelatedtothecommunicationpartner’sprivacy, unrelatedthirdparties’privacy(e.g.,passersby),andrisksrelatedtothelossortheftofthedevice.Severalsecuritymeasurescanbeemployedtocontroltheserisks,includingusingtrusted implementations,monitoringtheco-evolutionofsocialnormsofitsuse,andinfluencingthesocial acceptanceofthedevice. Thisapplicationhighlightstheroleoftheuserinconformingtosocialexpectationsthatprotect others’privacy.Ouranalysis,discussedfurtherbelow,suggeststhatmanufacturersshould“package”partofthesecuritymanagementfunctionsofthedeviceititsdesign,inordertodrivethe usertowardappropriatebehaviorsandreducerisksassociatedwiththeapplication. CareLog Thesecondapplicationweconsiderisasystemthatsupportsdiagnosisandevidence-basedcare ofchildrenwithlearningorbehavioraldisabilities.Thecareofthesechildreninvolvesseveral groupsofpeople,includingparents,teachers,caregivers,andprofessionaltherapists.Caregivers administerspecificprograms,suchasengagingthechildinone-to-onetasks.Teachersandparents sometimesactascaregivers.Professionaltherapistsplandiagnosticandinterventionstrategiesand superviseothercaregivers,butmaynotalwaysadministerone-to-oneintervention. Measurementofperformanceandofothertherapy-relateddataisanintegralpartofsuchdiagnosticandinterventionstrategies.Detailednotesareoftentakenbothforquantitativemeasurement ofthechild’sperformancewithregardstothetherapy,andforqualitativelyassessingthecauses andconsequencesofparticularepisodes(e.g.,atempertantrum,orwhenthechildrunsawayfrom theclassroom).Itshouldbenotedthatthebroadterm“care”includesnotonlyspecifictherapies butmayalsoincludepreventiveandfollow-upmonitoring. Thesedatacangreatlybenefittheeffectivenessofthechild’scare,byallowingspecialiststo subsequentlyreviewandunderstandthecausesandtriggersofaparticularbehaviorandaction. Overthepasttentofifteenyears,researchershaveproposedtoinstallcamerasintheclassrooms andhomeswheretheseinterventionstakeplace.Thesecamerasautomaticallycollectqualitative informationaboutspecificevents,toaugmentthenotesthatteachersandcaregiverstakeonpaper.Earlyexperimentationemployedanalogcameratechnology(GuidryandvandenPol,1996). RecentlyHayesetal.haveproposedtheuseofanintegrateddigitalcaptureandaccesssystem calledCareLog(Hayesetal.,2004b).CareLog’spurposeistorelievecaregiversoftheburdenof takingextensivenotes,bothqualitativeandquantitative,onthechild’sbehaviorandperformance, bycapturing,amongotherthings,videofootageofhisorheractivity. Thecameraskeeprecordofsalientchildrenactivity,andthetherapistcanmarkuptherecordingtoindicaterelevantevents(e.g.,criticaleventsthatcannotbeforeseen,orareveryinfrequent) forsubsequentreviewandarchivalpurposes.Videorecordingshavealsobeenemployed,with goodresults,totraincaregivers(Becketal.,2002).Furthermore,videoscanbeveryusefulasa communicationtoolbetweenteachersandparents,whomightnotbeabletobepresentduring dailyschoolactivitiesortherapy. Ingeneral,theautomaticorevensemiautomaticcaptureofsuchrichandsensitivedatainclassrooms(orinhomes)raisesconcernsregardinginformationcontrol,safety,andprivacy(European CommissionArticle29WorkingParty,2004).Theserisksmayincludeobvioussecurityriskssuch
240IACHELLOANDABOWD
asthedisclosureofpersonalinformationtounauthorizedparties(whichmaycauselegalliability), butalsomoresubtleriskssuchasthemisinterpretationofvideosequencesout-of-contextbypartieswhowerenotpresentatthetimeofcapture. Thisapplicationhighlightstheroleofthesystemoperatorsinsecuringthecollectedinformation,aswellasthesocialandorganizationalaspectsofthetechnology,whichrequiresabroad consensusonitsmeritsandrisksinordertobeeffectivelydeployed. ELEMENTSOFASECURITYMANAGEMENTSTRATEGYFOR UBICOMPAPPLICATIONS Thesocialconsequencesofenvironmentaldatacapturehavebeenrecognizedsincethebeginnings intheubicompcommunity:forexample,surveillancetechnologieshavelongbeenthetopicof critics,lawresearchers,andcivillibertiesunions(BennetandGrant,1999;ColumbiaHuman RightsLawReview,1973;Patton,2000;Zarski,2002).Researchershavelongacknowledgedthat usersmayrejectubicompapplicationsduetoconcernswiththecollectionofmassiveamountsof information(WalmsleyandNielsen,1991). Mosteffortsonubicompsecurityandprivacyhaveconcentratedonthetechnicalaspectsofthese systems.Bothgeneralguidelinesandsolutionsforspecificapplicationshavebeenpublished.Among theformerareproposalstousetheappropriatelytailoredversionsoftheFIPS(FairInformation Practices)(OECD,1980)forubicompapplications(Garfinkel,2002;Langheinrich,2001).Other researchershaveusedeconomictheoriesofinformationflowstoformulatedesignguidelinesfor theseapplications(Jiangetal.,2002).Riskevaluationmodelshavebeenalsoproposedforaddressingprivacyconcerns(Hongetal.,2004).Someresearchgroupshaveproposedsolutionsforspecific applicationsaswell;forexample,for“awareness”applications(BellottiandSellen,1993). ThedataprotectioncommunityinEuropehaspublishedmanagementguidelinesforvideo,telephone,andemailsurveillanceinworkplaces(e.g.,SwissFederalDataProtectionCommissioner,2000; UKInformationCommissioner,2003)andforCCTVsystems(e.g.,UKInformationCommissioner, 2000).EuropeanDataProtectionAuthorities(orDPAs)havealsopublishedopinionsthatprovide guidelinesonthemanagementofautomatedsensingtechnology,forexample,videosurveillanceon commercialpremisesandprivatedwellings(EuropeanCommissionArticle29WorkingParty,2004). TheBritishInstituteofInternationalandComparativeLawcompiledasummaryofDPArulingson videosurveillanceacrosstheEU(BritishInstituteofInternationalandComparativeLaw,2003).A veryinterestingaccountofhowCCTVsystemsareoperatedandmanagedonaday-to-daybasisis providedbyNorrisandArmstrong(1999).GrahamframesthedevelopmentofCCTVsystemsasa fifthutility,andthisconceptualapproachisverysimilartoours(Graham,2004). Exceptforthesepublications,thereareveryfewpracticalmanagementrecommendationsinthe lightofreal-worldexperienceandexistinglegislation.Thereareevenfewerpublishedresources onhowintegratedenvironmentalinformationsystemsemployingadvancedtechnologysuchas patternmatchingaremanaged.TraditionalITsecuritymanagementresourcessuchasthepublicationsoftheNationalInstituteofStandardsandTechnology(NIST,1995)andtheInternational OrganizationforStandardization(ISO,2000)standardsmayprovidesomeguidance,especially inrelationtophysicalsecuritymanagementandtherelatedcontrols.However,thesestandard guidelinesweredesignedfortraditionalinformationsystemsandthuslackfundamentalelements neededinthemanagementofubicomptechnologies. Basedonexperiencegainedininvestigatinganddevelopingsomeofthesetechnologies(both directlyandthroughexchangeswithourcolleagues),wehaveidentifiedanumberofchallenges totheeffectivesecuritymanagementinubicompsystems:
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY241
• athrusttowarddecentralizationofmanagementfunctions,whichempowersindividualusers withnewabilitiesandresponsibilities; • adramaticchangeintheroleofadministrationandoversightfunctions; • anwideninggapbetweenlegislation’sregulatorypowerandnewtechnology’scapabilities, whichimpactsbothpolicymakersandindustryandengendersliabilityrisks; • disruptivedevelopmentpatternswithconsequencesforthecapabilityofpeopletounderstand thetoolstheyareusingandtheensuingacceptanceproblems. Inthissection,wediscussthesechallengesandsuggestguidelinesforthemanagementofsecurityofubicompsystems.Thediscussionwilldrawuponthecasestudiesintroducedaboveandwill highlightthedifferentrolesofmanufacturers,users,andorganizationsinsecuritymanagement. Themanagementsuggestionsprovidedbelowarenotintendedtobecomplete:traditionalsecuritymanagementpracticesarestillnecessaryinadditiontotheseproposals(e.g.,allowingaccess onaneed-to-knowbasis,personnelmanagement,etc.).Wewillalsopointoutwhentraditional managementapproachesmightnotworkwellforubicompapplications. ManagementDecentralization Ubicompsystemscollectlargeamountsofdata,whichmustbesecuredeitherbecauseofregulatoryrequirementsorbecauseofitscommercialorsocialvalue.Asubicompsystemsincreasinglypervadesociety,theratiobetweenthenumberofcomputersandthenumberofindividuals responsiblefortheirmanagementdecreases. ITsystems’governanceisacomplexproblem,ashighlightedinChapter3.However,these developmentschallengeeventestedsecuritymanagementtechniques,whichrestontheassumptionthatresponsibilitiescanbeidentifiedandallocatedwithinanorganizedstructureinorderto deliversecuritypolicyimplementationandenforcement. Asspecializedpersonnel,abletotendtothesystem,becomelessavailable,informationsecurity managementresponsibilitiesmustinparttransitiontotheindividualswhooperatedailywiththedata. However,theseindividualsmaynotbemotivatedtoenactstrongsecuritypractices,duetoseveral reasons,includingthatenactingsecuritypoliciesisnotpartoftheirmissionwithintheorganization oroftheirpersonalgoals.Furthermore,usersmaylacknecessarytrainingandknowledge. ExploitingSocialNormsinDesign InpersonalapplicationssuchasPAL,securitymanagementresponsibilitiesareassignedtotheend user.However,securitypoliciescanbeinfluencedupfrontbythemanufacturer,byappropriately designingthesystem. InordertoavoidaPALuserknowinglyandsurreptitiouslyrecordingconversationpartners, appropriatedesigncouldinducetheusertorefrainfromusingtheapplicationincertainsituations, forinstance,whenitcouldcausesecurityriskstohimself/herselfortobystanders.Researchinthe socialscienceshashighlightedthattheuseofprivacy-invasivetechnologiesfitswithinaboundary negotiationprocessbetweenindividuals(Altman,1975;PalenandDourish,2003).Thisprocess couldbeexploitedtoachievespecificsecuritygoals.Forexample,ifallindividualsareawareof andknowledgeableaboutthedevice,awarenesscuesaboutitspresencecouldbemadeavailable tothepeoplestandingwithinitsmicrophonerange. Thiscaseissimilartothatofcameraphones,whichhaverecentlyenjoyedstrongpresscoverage, includingnumerousnewsstoriesofabuse.Eventually,specificlegislation,suchastheU.S.Video
242IACHELLOANDABOWD
VoyeurismPreventionActof2004,hasbeenenactedprohibitinginappropriateuses.Furthermore, somecountries(e.g.,SouthKorea)havemandatedthatpicture-takingdevicesproducea“click” soundtoinformtheindividualspresentwhenapictureisbeingtaken(Sung-jin,2003). Withtime,usersmaybecomeaccustomedtoPAL’soperationmodeanddevelopanetiquette regardingtheuseofthedevice.PALusersmaydisablethedevicevoluntarilywhileinsituations thatdemandtrustandconfidentiality.Forexample,someparticipantsofthePALuserstudies toldusthattheywouldturnoffPALwhentheyenteredwhattheythoughtwouldbesensitiveor confidentialconversations.5 Notallmanagementfunctionscanbetakenonbytechnologythatimposesdesiredsecurity managementpractices.IntheCareLogsystemdescribedabove,forexample,avideorecording takeninaclassroommaybeprovidedtoanexternalentity(e.g.,aconsultant)forexamination. Designersmightnotbeabletoenforcesecuritypoliciespreventingmisuseofthosedata.Clearly, organizationalcontrolsandoversightarestillnecessaryforsomeapplications. UseofLicensingSchemes AsecondoptionforreducingthepotentialnegativeimplicationsofapplicationssuchasPALis thatoflimitingtheirusetocertaincategoriesofusers(thus,centralizingcontrolbacktoregulatoryauthorities).GrantedthatPALmaybemostlyusefulforpeoplewithmemorydisabilities,a certificationofsuchdisabilitymightberequiredforacquiringandusingthisapplication. Whilethisiscommonpracticewithnumerousothertechnologies(e.g.,motorvehicles),itshould beconsideredthatoftentheadministrativecostsimposedbyalicensingschemewouldbeexcessive inrelationtothepotentialharmthattheapplicationmaycauseandtoitsexpectedprofit. Administration Theexplosivegrowthofthenumberofubicompapplicationsanddevicesmakessystemadministrationincreasinglyproblematic,becausecompetentITpersonnelarebeingoutnumberedbya plethoraofsmallandwidelydispersedcomputingsystems. Training AtypicalapproachforincreasingthequalityofITadministrationhasincludedtraining,whichis oftenbasedonstandardizedmanagementguidelines.Theseguidelinesprovidenotonlyreference tosampleapplications,butalsobaselineguidanceonmattersrelatingtosecurity,affordancesand perceptualproperties,retentiontimes,andusagepolicies.Someoftheseguidelines,suchasISO 17799(ISO,2000),couldbeextendedtoubicompsystems.Increasing,trainingeffortsmaybe feasibleonlyinstructuredsettings,suchastheschoolsinwhichCareLogisdeployed.However, thatapplicationmaybeusedinunconstrainedsettings,suchashomes,andhereformaltraining mightnotbeeasilyimplemented. Self-ManagingSoftware Humanadministrationcanbeexpectedonlyforcomputingsystemsofacertainminimumsize.As ubicompischaracterizedbyautomaticandunattendedoperationoflargenumbersofcomputingdevices,itmaybenecessarythatmanyeverydaysystemadministrationtasksrelatedtosecuritybecome automatic,assuggestedbytheproponentsofautonomiccomputing(KephartandChess,2003).
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY243
Toaddressthechallengesbroughtonbythedecentralizationofsystemsmanagement,researchershavebeenworkingonself-maintainingsystems.Forexample,automaticpatchinstallationis nowcommonplaceondesktopoperatingsystems.Moresophisticatedsolutions,suchasautonomic computing,foreseesystemsabletomanageandrepairthemselveswithoutuserintervention,based onhigh-levelhumandefinedoperationalguidelines.Designersofubicompapplicationsshould includeprovisionsforautomaticadministrationearlyonintheirdesigns. UbicompApplicationsasServices Analternativewaytoprovideadministrationfunctionsthroughtechnologyisthatofimplementing ubicompapplicationsnotasstand-alone,locallyoperateddevices,butasservices,providedfor afeebycentralizedorganizations.Forexample,theCareLogapplicationcouldbeprovidedasa servicetoschools,externallymanagedbyspecializedentities,andnotasaproductunderlocal control.Insuchasituation,managementfunctionssuchasbackups,softwareupdates,andaccess controlwouldbecentralized.Further,byemployingthiskindofserviceprovision,consultantsand otherstakeholderscouldbeallowedtoaccessrecordeddatawhilebeingpreventedfromfurther distributingtheinformation,thusbetterensuringconfidentiality. However,athird-partyserviceprovidermayintroduceadditionalconfidentialityriskstopupils’ personalinformation.Theseconcernscouldbeaddressedbycontractualmeans,furtherincreasing organizationalcomplexity.Giventheseconsiderations,inpractice,aserviceprovisionmodelmay notbeappropriatetoschoolsintheUnitedStatesbecauseofthetightconfidentialityrequirements imposedbyfederalregulationsuchasFERPA,state,andlocalpolicies,andexistingeducation professionals’practice. IntegratedManagementStructure InsystemslikeCareLog,securitymanagementcontrols(suchasmaintainingproperbackups,removingunnecessarydata,etc.)canonlybeimplementedtoalimiteddegreebytheprimaryusers ofthesystem(i.e.,thecaregiversandconsultants).Thereasonisthatthisapplicationneedstobe usedwithinpreexistingeducationalandcarepractices,andthereforeanymanagementcontrolthat getsintothewayofthesepracticesislikelytobeworkedaroundorignored,aspriorexperience insecuritymanagementsuggests.Inaddition,thedeploymentenvironmentisnotahigh-security environment,andthepersonnelresponsiblefortheday-to-dayoperationofthesystemarenot ICTprofessionals. Nevertheless,legislationaswellassocialandorganizationalexpectationsneedtobecomplied with.IntheCareLogcase,inordertosimplifysecuritymanagement,astraightforwardoptionis toenactsecuritymanagementcontrolssimilartothosecurrentlyinplaceforotherschoolrecords. Theadvantageofleveragingexistingpracticeswithintheschoolorganizationreducestheneed fortraining.However,theintroductionofCareLoginschoolsmayextendtheknowledgeabout theinformationsystemtoindividualswhomighthavebeenpreviouslyunawareoftheinternals ofschoolorganization,suchasparents.Andparents’involvement(especiallytheparentsofthe childrenwhoarenotbenefitingdirectlyfromthesystem)isessentialforacceptance. DataRetentionManagement Multimediainformationcollectedwithinubicompsystemsmayneedtobestoredforlongperiodsoftime.Long-termmanagementofdatapresentsverydifferenttechnicalandorganizational
244IACHELLOANDABOWD
requirementsthanshort-termretention.Whileshort-termstoragecanbeaccomplishedwithina frameworkofday-to-dayactivity(i.e.,tapesordigitalrecordingsofvideocanbeoverwritten systematically,mediaareinconstantuseintherecordingcycle,etc.),permanentstoragerequires implementingphysicalandlogicstorageproceduresandresponsibilities.Thisimpliesresource accountingandtracking,responsibilityallocationandtransfer(ifthepersoninchargechanges), backupanddatatransferprocedures,anddatadestructioncriteriaandprocedures.Thesearetypical dataprotectionconcerns,whichrequirecomprehensiveplanningandoversight. Oversight Afundamentaldifferencebetweenthetwocasestudiesdiscussedinthischapteristheroleand structureofoversightfunctions.Asmentionedabove,theresponsibilityforavoidingabuseof personalapplicationssuchasPALlargelyrestsontheindividualsusingthem,andoversightis enactedthroughtheday-to-daysocialinteractionamongusers(Hayesetal.,2004a).Forexample, thefearofcausingcontentiousreactionsmightdiscouragetheuserofPALfromactivatingthe applicationincertainsocialsettingsorwhiletalkingwithcertainpeople. Systemsthatareoperatedwithinorganizationsmightbemoreamenabletoformaloversight (e.g.,CareLogdeployedinaschool).Thiskindofstructuredoversightisalreadyrequiredby somedataprotectionlegislation:organizationsthatmanagepersonaldataidentifyanindividual responsibleforthecomplianceoftheorganization’sdataprocessingpracticeswithregulationand thedatasubject’srights(EUDirective95/46,1995§18). OversightofProliferatingApplications While,attheorganizationallevel,localoversightasdescribedabovemaybepossible,theproliferationofubicompapplicationsmightrequirepolicymakerstorethinktheroleandfunctionsof oversightauthorities(e.g.,DPAs),thusimpactingsecuritymanagementpractices. Oversightauthoritiestodayarelimitedintheirabilitytoregulatenewapplications.Apartfrom publishingsector-specificguidelines,theirinterventionsaretypicallylimitedtoprovidingopinions, grantingpermitsforselectapplications,andrespondingtoafewspecificcomplaints.Extensive oversightofaboomingecosystemofapplicationsthatgatherpersonalinformation,suchascapture andaccessapplicationsdescribedhere,wouldbeimpracticalandcostly. Fromthesecuritymanagementstandpoint,thisrequiresplannersanddesignerstobecome more aware of the opinions and guidelines published by oversight authorities and develop communicationmechanismswiththeseentities.Thisisnotalwayseasy,sincecommunication overheadwithauthoritieslikeDPAs(intheUnitedStates,variousgovernmentagenciessuchas theFCCandFTCareattributedsimilarfunctions)maybequitehigh.Manufacturersofmassmarkettechnologiesmightbeinabetterpositiontointeractwiththeseentitiesthanindividual systemintegrators. OversightofCustomizableTechnology Thesheernumberofinstallationsisnottheonlyreasonwhyoversightsystemsmightnotbeable toprovidedetailedguidance.Currenttrendsinubiquitouscomputingresearchareheadingtoward providingtoolsthatenduserscantailortotheirneedsratherthanself-containedapplications(Truongetal.,2004).Theincreasingrelevanceofinteroperabletoolswillshiftmuchresponsibility fromdesignerstosystemoperatorsandendusers.Theabilitytomixandmatchcapturedevices,
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY245
analysistools,andstoragesystemswillenablemanymoreindividualstocreatetailoredapplications,whichwilldefysystematicoversight. Oversightfunctionswillrequirenewtoolsforeffectivelymonitoringandpreventingabuse, bothattheorganizationalandpolicylevels.Thisrequiresdesignersandsecuritymanagerstoperform,whenmakingcertaintoolsavailable,ananalysisofthecapabilitiesthatusersmayacquire bycombiningdifferentpiecesofavailableinformationtechnology(andhowlikelyitisthatthis mighthappen,basedonskillsrequiredandassociatedcost). Legality Inthissection,wediscusstheimpactoflegislationonvariousaspectsofubicompsystemdesign andmanagement,includingdataretention,informedconsent,andtheareaaffectedbyenvironmentalsensing. Inbothcasestudies,weperformedalegislativeanalysisthatprovidedvaluableguidance.6 Theinterpretationoflegislationcanbeproblematicforapplicationsthatdonotfitthecategorizationsthatthelawmakershadinmindwhendraftingexistinglegislation.Thisisespeciallytrue forlegislationthatistechnology-dependent(e.g.,theElectronicCommunicationsPrivacyActor ECPA),andforimplementationguidelinesthataccompanylegislation,forinstance,HIPAArules (U.S.DepartmentofHealthandHumanServices,2002and2003),whichoftenarearesponseto existinginformationmanagementneedsandconsequentlylackforesight. OurexperiencehasalsoshownthatcurrentregulationofITsecurityandprivacyincertain domains(e.g.,healthcareorfinancialapplications)isnotwellfitforregulatingubicompapplications.Therearefewmanagementordesignguidelinesthatcanbeproposedfortheseproblems, andweofferthefollowingobservationsaswarningsofwherelegalanalysismaybecumbersome andproduceuncertainresults. Whileitisnotinthescopeofthischaptertoindicatehowitmightbeenacted,policyorlegislationchangeshouldnotbediscountedasasecuritymanagementstrategy,especiallyforverylarge systems—likehashappenedforCCTVsurveillanceormandatoryretentionoftelecommunicationrecords(EuropeanCommission,2004)orapplicationsthatmightbecomeverywidespread (e.g.,PAL). CharacterizationofDataandApplications Incertainsituations,legislationmaycurtailusefulapplicationsbasedonbluntrulesinsteadofa realisticrisk-benefitanalysis.Fromthemanagementstandpoint,thiscausesuncertaintyinboth therequirements-definitionprocessandintheidentificationofanoptimalliabilitystructure.For example,whilethePersonalAudioLoopdoesnotkeepapersistentrecordofthecapturedconversations,lawsoftenfailtoaccountforthisnuance.ECPAdoesnotcontemplatetransitoryrecordings, andregulatesPALjustasitregulatestheuseofanyordinaryaudiorecorder.7However,therisks engenderedbyPALarearguablyinferiortothosethatarisefromanaudiorecorderbecausethe recordingisautomaticallydeletedafterashorttime. Europeanlegislation,toutedastechnology-neutral,attemptstoaddressthisissuebystating flexiblerequirementsandbycreatingspecificbodiesinchargeofinterpretingthelawforspecific applications(nationalDPAsandtheso-calledArticle29WorkingParty).Theseentitiesareresponsibleforissuingopinionsonspecifictechnologiesorapplications.Infact,DPAshavealarge leewayintheirdecisions,aslongasaplausibleproportionalityassessmentshowsthatthebenefits andtherisksoftheapplicationarecommensurable.
246IACHELLOANDABOWD
IntheUnitedStates,regulationismorespecificandtheinterpretationroleofDPAsisassigned totheFTC,FCC,andinmostcasestocourts,whichhave,however,considerablylessfreedomin decidingwhatmaybeacceptableornot. DifferencesacrossJurisdictions Often, subtle differences in legislation across jurisdictions can have complex technological consequences. For example, in the United States, the ECPA provides for the so-called oneparty-consentrule,inwhichinformedconsent(torecordingaconversation)byallconversation partnersisnotnecessaryaslongasonepartytotheconversationisawareoftherecording(i.e., theuserofPAL).ECPAactsonlyasabaseline,however,andsomestateshaveintroducedadditionalregulationsthatrequiretwo-partyconsent.Thismeansthatallconversationspartners mustagree.Further,somelocallegislationalsointroducesstrongersafeguardssuchasnotificationcuessuchas“recorderbeeps”oranindicatorlight,andprivacyexpectationsvaryacross cultures(Altman,1977). Itmaynotbesufficientformanufacturerstoenforcetheserequirementsbylimitingthesale ofdevicesandapplicationsindifferentmarkets(whichalsohasaneconomicimpact),because usersmaycarry(mobile)devicesacrossnationalorstateboundaries,thusmakingsalecontrol ineffective.Differentsecuritypoliciesoroperatingmodescouldbeappliedautomaticallyin different jurisdictions, based on the location of the device. For example, PAL could easily calculateitslocationbasedontheidentificationnumberofthecellphonetowertowhichthe phoneisconnected,andusethisinformationtodisableitselfwhereusingtheapplicationmight posealegalrisk. LeewayandImpreciseLegislation Often,legislationdoesnotprovideclearguidance,andthiscanimpactthesecuritymanagement ofthetechnology.Asexample,considerinformedconsentrequirementsinthecaseofthePAL application. Ingeneral,theuserofPALissupposedtorequestinformedconsentforrecordingfromtheother conversationpartners.However,thisisimpracticalduetotheoperatingmodeoftheapplication. EUDirective95/46/EC(EuropeanUnion,1995)exemptsdatacollectedforpersonaluse(e.g., apersonaldiaryornotebook)frominformedconsentrequirements.8PALisarguablyapersonal application,andusersinourpilotstudyagreedwiththischaracterization.Yet,aDPAmightdisagree,andinthatcase,usersofverysimilarenvironmentalrecordingshavebeenrequiredtoseek informedconsentbyallpresentindividuals. ECPA explicitly prohibits capturing a third party’s conversation when the owner of the deviceisnotpartofthatconversationandtheconversationtakesplacewithexpectationthatit isnotbeingintercepted.InthecaseofPAL,thisraisestheconcernofinadvertentlyrecording passersbyiftheyhaveanexpectationofprivacy.Theproblemisthatthis“expectation”isvery difficulttotranslateintooperationalterms:theperceptualpropertiesofsoundmightnotgrant constitutionalbasisintheUnitedStatesforareasonableexpectationofprivacyinpublicspace. However,thishasnotyetbeentestedincourt,soitwouldberiskytobaseasecuritystrategy onthisassumption. Securitymanagementplannersshouldidentifytheseweakspotsanddevisetheirsecuritystrategy accordingly,allowingforalternativecompliancemethods,dependingonwhatconclusionacourt orDPAmightreachontheacceptabilityoftheapplication.
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY247
BalancingApplicationPurposewithItsBurden Asoundsecuritystrategyshouldnotonlyconsiderthetypeofinformationcaptured,butalsothe purposeforcapture.Forexample,intheCareLogsystem,videosofclassroomsarestoredand madeavailabletoasmallgroupofindividualsforenhancingthecareoftheobservedchildren. Conceptually,thisisaverysimilarsetuptosurveillancecamerasinstalledforsecuritypurposes. Thedesignershouldhowevernotbemisledbythesimilarity,becausethedifferentpurposesmay tipthebalanceofacceptanceagainstacertainapplicationthatmaynotbeperceivedasproviding sufficientbenefitsinthefaceoftheburdenimposedonitsstakeholders. Legislationandcourtsoftenresorttoproportionalityassessmentswhenjudgingthelegality ofnoveltechnologies.Suchproportionalityassessmentsbalancethepotentialburdenimposed onindividuals’privacy,security,orsafetyandthebenefitsprovidedbytheapplication.Theseassessments,madebycourtsandDPAs,couldbeappliedalsotoapplicationdesign(Iachelloand Abowd,2005).However,forsecuritymanagersordevelopers,itisoftendifficulttopredictwhat conclusionacourtorDPAwouldreach. ImpactofSensorDesignonLegality Designandmanagementchoicescanhaveafundamentalimpactonthelegalityofubicompapplications.Incasesinvolvingvideosurveillanceunitsathomeentrances,forexample,DPAshaveindicated thattheareacoveredbythecameraisoneofthemainfactorsofaproportionalitydeterminationthat balancesburdenonprivacywithusefulness(BritishInstituteofInternationalandComparativeLaw, 2003).Moregenerally,sensorreachandprecisionmightneedtobefinelymodulatedtoachievea proportionalitybalanceasindicatedbypublishedDPAopinions.Thisisnotalwayspossible.Forexample,soundpropagatesaroundobstructions.Therefore,whileitisrelativelysimpletolimittheview coneofasurveillancecamera,limitingtheradiusofamicrophonemightbemuchmorecomplex. WhatConstitutesaTechnologyinCommonUse? Overthepastseveraldecades,manycaseshavecentereduponthecontrastingrequirementsofprivacy andutilityrelatedtorecordingapplications,andespeciallyuponthedefinitionofreasonableexpectationofprivacy.InKatzv.UnitedStates(1967),theU.S.SupremeCourtextendedtherightofprivacy towhattheindividualseekstoprotectfromthepublic—inthiscase,hisphonecommunication.Inthe Kyllov.UnitedStates(2001)case,theSupremeCourtindicatedthatthesubjectsofsurveillancehave areasonableexpectationofprivacyifthesurveillancetechnologyemployedisnotincommonuse.9 Clearly,thismeasurevarieswithtimeandtechnologicaldevelopment:thePersonalAudioLoop isnotincommonuse,andpeopledonotassociateacellphonewithenvironmentalrecording.Onthe otherhand,onemightarguethatportableaudiorecordersareareadilyavailabletechnology,andthat PALdoesnotpresentanyfurtherrisksthanthoseposedbyportablerecorders.Thisrequiresdesigners ofubicompapplicationsandofsecuritymanagementplanstoconsidertechnologicalevolutionand knowledgeabouttechnologyatthesociallevelascomponentsofacomprehensivesecuritystrategy. ContrastingLegislativeRequirements Sometimes,differentapplicablelawscanproducecontrastingrequirementsforasystemdesign oritsadministration.Forexample,Table10.3summarizesasubsetofU.S.legislationrelevantto theCareLogapplication.
248IACHELLOANDABOWD Table10.3
PrivacyRegulationImpactingCareLog Regulation
Effect
FederalEducationalRightsand PrivacyAct(FERPA)
Regulatesaccesstoandconfidentialityofrecordsof studentsattendinganyfederallyfundededucational institution
HealthInsurancePortabilityand AccountabilityAct(HIPAA)(United StatesHealthInsurancePortability andAccountabilityActof1996)
Regulatespersonalinformationheldbyhealthcareservice providers(insurances,hospitals,individuals,etc.)
IndividualswithDisabilities EducationAct(IDEA)
Guaranteeschildrenwithdisabilitiesa“freeappropriate publiceducation”intheleastrestrictiveenvironment
Localregulation
Useofcamerasinschoolsandrelatedpolicies
Worker’sstatutes
Workersrightsinworkplaces,forexample(ILO,1993)
Consider informed consent requirements for environmental data collection. If personal informationaboutchildreniscollectedinclassrooms(suchasavideorecordingoftheminthe classroom),theFederalEducationalRightsandPrivacyActrequiresexplicitinformedconsentby alldatasubjectsinvolvedintherecordinginordertodisclosesuchdataoutsidetheeducational institution(e.g.,toprovideittoacaregiverexternaltotheschool).Normally,suchconsentwould beprovidedbytheparentsofthechildren. However,FERPAalsorequiresschoolstograntaccesstoinformationcollectedaboutstudents totheirguardians.Inthecaseofvideorecordings,thismayrepresentasignificantburdenon schoolauthorities,becausewhendisclosinginformationtoonechild’sfamily,theprivacyofthe otherchildreninthevideoshouldbepreserved.Itwouldthusbenecessarytosingleouttheparts ofrecordspertainingtoonespecificchild.Giventhelowsemanticdensityofthisinformation, searchingthroughextensivevideorecordsisatime-consumingtaskthatcannotbeundertaken automatically,andisthusextremelyexpensive.Thismayinpartexplainwhymanyschoolshave adoptedthepracticeofdeletingrichdataafterithasbeenanalyzed. Whileschoolsmustcomplywiththisrequirementonlyifitentailsareasonableexpense,10the letterofthelawsuggeststheriskthatsuchrequestscouldbeupheldincourt.Fromasecurity strategystandpointtheremaybevariousworkaroundsforavoidingliability,bothtechnicaland organizational.Forexample,inthecaseofvideorecordingsinclassroomswhenmanychildren arepresent,theseworkaroundsmayinclude: • Askingallparentstopartiallyforgotheirrightsinaccessingtheserecords.Thismightnot bepossibleundersomejurisdictions. • Deletingnonessentialrecordedmaterial. • Limitingrecordingtimeandaffectedphysicalareas. • Reducingthefieldofviewofthecameratozoomintothesubjectandavoidrecordingother children. Not all of the above solutions may be appropriate to the work practices of the caregivers, however.Forexample,reducingthefieldofviewofthecameramayexcludefromtherecording
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY249
informationessentialforunderstandingaspecificevent(e.g.,ifsomethingoutsideofthefieldof viewofthecamerahasattractedachild’sattention). Another concern where incompatible legislative requirements may arise relates to the area andtemporalspanoftherecording.Asmentionedabove,theareaaffectedbyenvironmentaldata capturecanbeafundamentaldiscriminatorforapplicationacceptance.Apossiblesolutiontothe concernsoftheotherchildrenintheclassroomcouldbethatoflimitingautomaticcaptureactivity tospecialtimesorplaces(e.g.,inseparaterooms).However,currenttrendsineducationaland therapeuticcommunitiesendorsetheinclusionofchildrenwithspecialneedsinregulareducationclassroomsettings,atrendthatisalsoencodedinlegislationsuchastheIndividualswith DisabilitiesEducationAct(IDEA)intheUnitedStates.11 Adjudication CareLogprovidesacompellingcasestudyonhowsecuritymanagementisinfluencedbyadjudicationissuesbetweenthebeneficiariesandthesecondarystakeholdersoftheapplication.In mostcases,asecuritymanagerwouldhavetoheedtheoppositionofjustoneparentintheentire classtotheuseofCareLog. ThisisamajorissueinCareLog’ssecuritymanagementstrategy:gaininginformedconsentby allparentsofthechildrenwhomightbecapturedbytherecordingsmaybepossible,becauseof theclosedenvironmentrepresentedbytheschool.However,itmightbeveryimpractical(thatis, costly)todoso,andsomeparentsmightnotassent,whichleadstotheissueofhowtodetermine adjudicationifsomeparentsrefusetoconsent. Parentsofotherchildrenmightperceivenobenefitfromthiskindofcapture,becausetheir childrendonotneedtherecordsfortheireducationandcare,sotheymightbelesslikelytoconsent torecording.Alltheseconcernscastdoubtonwhethersuchtechnologycouldbeagreedonbyall involvedparties,notwithstandingitsbenefits. Achievingunanimityinthemodesandpoliciesinvolvedintheintroductionofadvancedtechnologyisoftenimpossible.Manysuccessfulsystems,suchassurveillance,havebeendeployedalong differentpaths,engaginginacomprehensiveadjudicationprocessamongcompetingconcerns, precededbylengthyandoftenacrimoniousdebate. Indevelopingasecuritystrategyfortheseapplicationsitmightbemorecosteffectivetobring amajorityofstakeholderstobuyintoatechnologyoroverallinformationpolicyratherthanrequestinginformedconsentfromallofthem.InapplicationssuchasCareLog,forexample,instead ofseekingassentfromallinvolvedparentsonacase-by-casebasis,itmightbemoreeffective toengageinapublicinformationcampaignandtomakecertainapplicationsanintegralpartof organizationalpolicy,withsufficientsafeguardstogainamajorityassent. Liability Manufacturersofubicompapplicationsareconcernedwithreducingtheliabilitytheymaybeexposed to.Followingindustrybestpracticesmayhelptoreduceliability.Ubicomptechnologies,fromthis perspective,arenotdifferentfromotherICT,exceptthattheirinterfacewiththephysicalworldismuch morecomplex,andbestpracticeisnotreadilyavailable.Inmanyubicompapplications,therearenoset guidelinesonwhattheapplicationshoulddoorwhatitsfunctionalornonfunctionalrequirementsshould be.Inthiscontext,riskanalysisandthreatanalysishavebeenproposedastoolstoprovideguidanceon howtheapplicationshouldbedeveloped,butthereisstilllittleexperiencetoevaluatewhetherthese toolsareappropriatetotheapplicationdomainandthedevelopmentmodels(Hongetal.,2004).
250IACHELLOANDABOWD
Manufacturerscantakeanumberofstepstoreducelegalliabilityrisks,asmentionedabove, suchasimposingsecurityandusagepoliciesthroughdesignandarchitecturalchoicesandby limitingthemarketforcertainapplications.Finally,manufacturersmayoptnottodeploycertain applicationsatallinanefforttoreduceliabilityrisks.InthecaseofPALthismightseemexceedinglycautious,giventhataudiorecordingdevicesarereadilyavailablethataremuchmoreinvasive thanPAL.However,fordifferentapplications,thisoptionshouldnotbeexcluded. Acceptance Theimpactofrapidlyevolvingtechnologyonsocietyhasbeenaddressedcompellinglyelsewhere (Arnold,2003;Latour,1991;Lessig,1999).AcceptancemodelshavebeendevelopedintheMIS community(Venkateshetal.,2003).Here,wedonotintendtoprovideacomprehensiveaccount butwanttopointouttwocharacteristicsofubiquitouscomputingthatmakeacceptanceproblematic:theinvisibilityofthetechnologyanditsautomaticoperation. Ubicompsystemsareintendedtomeldintoeverydaylifetosuchadegreeastobecomeinvisible totheuser.Thatis,theyareintendedtoprovidebenefittotheiruserswithoutbeinginthewayof theirgoalsandtasksandwithouttheneedfortheusers’attention,supervision,ormanagement. Forexample,PALcouldnotbeeffectiveiftheuserhadtoconsciouslyandpreventivelyactivatetherecordingbeforespeakingorhearingsomethingthatheorshemightfindusefullater. Anordinaryaudiorecorderwouldfitthispurposemuchbetter.Moreover,itisdifficulttoprovide noticeablecuesofitsoperation,becausethecuescoulddistractthepeoplepresent.Invisibilityis thefundamentalreasonwhyitisnotcompatiblewithlegislationandpeople’sexpectations. InCareLog,thetechnologyisnotnecessarilyinvisibletoitsusers,althoughinpermanentinstallationscamerasandmicrophonesmightbeplacedinlocationsthataresomewhatrecessed.In schools,itmightbepossibletoplacewarningsignsatthefacilityentrance,informingvisitorsof thepresenceandpurposeofthecameras.However,ingeneral,thepurposeofthecapturetechnologyanditsgoverningpoliciesmaynotbeapparentandunderstandableatfirstsight. Theautomaticoperationofubicompsystempresentssimilarchallenges.Theusefulnessof bothcasestudieshingesupontheabilitytocollectinformationautomaticallywithoutpriorexplicit intervention. InPAL,thebystanders’privacycanbeachievedbycertaintechnicalmeans(i.e.,byreducing thelengthofbufferstorageandretentiontime,byimpedingstorage).However,thistechnical solutioniscontemplatedneitherbyregulationnorbysecuritybestpractices.Assessingrisksand actinguponsecurityandprivacycontrolsrequiresknowledgeofthestatusofthesystem(thisis impliedinmostprivacyandsecurityprinciples,suchasinformedconsentandaudit).Infact,most securitymanagementbestpracticesarebasedontheassumptionofintentionalinteraction.This assumptionbreaksdowninubicompsystemssuchasthosediscussedinthischapter. Theacceptanceofubicomptechnologiesisrelatedtoperceptionsofusefulness,safety,and security.ReflectionontheCareLogcasestudysuggeststhatevaluatingacceptanceisafundamental componentofasoundsecuritymanagementstrategy. Understanding and influencing acceptance patterns is a general problem in IT design and formsaresearchfieldinitsownright.Facilitatingacceptancerequiresacomprehensivestrategy thatideallyshouldinvolveallaspectsofdesign,fromconception,torequirementsgathering,to developmentanddeployment.Severaltoolsareavailabletofacilitateacceptance,includingthe useofspecificdesigntechniques,usertrainingandeducation,andsoundmanagementplanning. Acceptancefacilitationisnotaone-wayprocess,butshouldinvolveadialoguebetweendesigners andstakeholders,withtheobjectiveofreachingmutuallyacceptablecompromises.
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY251
ParticipatoryDesign Itisimportanttoconsiderthatimpressionsandopinionsabouttechnologyinfluencetheacceptanceoftechnologyperhapsevenmorethanlegalandtechnicalconstrains.Participatorydesign canprovideinsightintothepeculiaritiesoftheorganizationalenvironmentwherethetechnology willbedeployed. WhiletheCareLogprojectisstillattheearlystagesofdevelopment,thelong-terminvolvement ofinterestedstakeholders,especiallyschoolofficials,teachers,andparentshasalreadyprovided compelling benefits. By building relationships with the involved stakeholders, the researchers involvedintheCareLogdevelopmenthavegainedunderstandingofthedeploymentenvironment. Interviewswithprofessionalsandparentshavehighlightedasetofconcernsthatarenotnecessarilycodifiedinlegislationbutwhichaffectdeployment(forexample,concerninginformedconsent forrecordingvideosbychildren’sparents). Stakeholders’involvementmayalsoincreasesacceptanceofIT:proponentsofparticipatory designworkundertheassumptionthataspeoplefindthemselvesinvolvedinthedesignofanapplication,theyappropriateitastheirown,andbecomedirectlyinterestedinitssuccess(Kensing andBlomberg,1998).ExperienceintraditionalITdevelopmentsuggeststhatparticipatorydesign mayuncoverpotentialusageproblemsearlyonduringthedesignofasystem,withapositive impactonsecuritymanagementaswell.Clearly,thebenefitsofparticipatorydesignareonlyfelt ifsystemsaredevelopedonacase-by-casebasisforeachorganizationandnotinmass-market applications. EducationandTraining Insomecases,participatorydesignisnotfeasiblewithalltheusersofanapplication(e.g.,an applicationlikePALthatcouldbedeployedonalargescaleasadd-onsoftwareforamobile phone).Inthesecases,otherwaysofinformingtheusersandthepublicatlargeshouldbeemployed.“Camera-phones”presentagoodexampleofthis:initially,peoplewereunaccustomedto theirfunction.Marketpenetrationofthesedeviceshasbeenextremelyrapid,andthepublichas beeninformed,mainlythroughthenewsandadvertisementoutlets,aboutfunctionsandpotential misusepatterns. However,themassiveeffortinthemediatomakecustomersknowledgeableofthistechnology and develop appropriate strategies for coping with privacy concerns has not been consideredsufficienttopreventmisuse.Theconcernbroughtonbythattechnologywasso overwhelmingthatitpromptedspecificlegislation(forinstance,theVoyeurismPrevention Actof2004intheUnitedStates).Publicknowledgeofhowtechnologyworksmightalso lowerliabilityrisks,asitallocatesresponsibilityformisuseandpreventiontotheusersand otherstakeholders. LobbyingStakeholders Publiccampaigningconstitutesavaluabletoolforfacilitatingacceptance,especiallywhenthe targetaudienceisrelativelysmallandsharescommonconcernsandbenefitsfromthetechnology beingintroduced.BelowwediscusstheanalogiesanddifferencesbetweentheuseofCareLog andvideosurveillanceinschools,andarguethatvideosurveillancetechnologyhasbeenmade acceptabletoorimposedonamajorityofinterestedparties,inmanycasesthroughpersistentand concertedeffortsofschoolandlawenforcementofficials.
252IACHELLOANDABOWD Table10.4
AttributesofInformationCollectedbyPAL Attribute
Notes
Semantic density
Low
Mostofthetimeandformostusers,theaudiorecordedbyPALmay belittleinteresttoattackers(e.g.,thieves,orthepersoncarryingofthe device).Infact,mostofthetime,thedevicemayberecordingsilent surroundings,especiallyinnon-workenvironments.
Richness
High
Spokenvoiceisarichmediumbecauseitallowsfornuanced communicationandfortheidentificationofthespeaker.
Sensitivity
Low— Inmostsituationsandformostusers,everydayconversationsdonot occasionally includesensitiveinformation.However,insomeinstancestherecorded high conversationscanbesensitive.
Inmanycases,thequestionisnotwhetherstakeholderscanbeconvincedto“buyinto”this specifictechnology,buthowmucheffortisrequiredtoachievethisgoal.Thisproblemisnotlimitedtotheapplicationsdiscussedhere,butisatypicaltraitofemergingtechnologies’acceptance dynamics(Venkateshetal.,2003).Theseconsiderationshaveafundamentalimpactondesigners andonthesocio-technologicalbalanceintrinsictothedevelopmentofnovelapplications,asthe costoftechnicalmeasuresintendedtocomplywithstakeholders’claimsshouldnotexceedthe costofconvincingstakeholderstoforgosuchclaims. SECURITYSTRATEGYDESIGNANDMANAGEMENTDESIGN Anumberoftoolsareavailabletodesignersfordesigningapplicationsandtheirmanagement structureswhilereducingsecurityandprivacyconcerns.Inthisbook,severalchaptersprovide detailsonsecuritymanagementmethods,suchasChapter4.Inthissection,wefocusondevelopingsecuritymanagementstrategiesspecificallyforubicompapplications.Moreover,webriefly discusshowsecuritymanagementcanbedesignedintoapplications. InformationCharacterizationandApplicationDesign Above,weprovidedacharacterizationofenvironmentalinformationthatcanbeusefulforthe analysisofthesecurityandinthedesignofubicompapplications.Table10.4showstheattributes oftheenvironmentaldatacapturedbythePALapplication.BycomparingTable10.4withTable 10.2,somedatamanagementsecurityrequirementsthatareparticularlyimportantemergefor PAL,including: 1. preventingthedisclosureofinformation; 2. implementingsafeguardstoreducetherateofaccesstorecordedinformation(andthus, potentially,increasethecostofmisuse);and 3. controlunauthorizedreplicationofdata. InordertoreducethelikelihoodofPALbeingmisused,oneofseveraluserinterfacefeatures orinformationpoliciescouldbemanipulated,includingthevisualappearanceofthedevice(e.g., addingablinkingredlighttosignalthatthedeviceisrecording),therangeofthemicrophone, andthetoolsavailableforsearchingandnavigatingtherecordedaudio.
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY253 Table10.5
AttributesofInformationCollectedbyCareLog Attribute
Notes
Semanticdensity Low
Mostofthetimeandformostusers,videorecordingsareoflittleinterest; onlyspecificevents,ofshorttemporalduration,areofinteresttoany stakeholder.
Richness
High
Videoisarichmedium.
Sensitivity
High
Relatestominorsandforthesubjectsoftherapy;alsoincludeshealthrelateddataandeducationaldatasubjecttospecificregulatory requirements.
Inordertomeetsecuritygoal1above(preventingdisclosureofinformation),variousdesign variablescanbemanipulated.Retentiontimeshouldbekeptaslowaspossibleandpermanent storageshouldbedisallowedbythedevice.Inordertomeetsecurityrequirement2(safeguards toreducerateofaccess),thedeviceshouldhaveabalancedcostofaccessingstoredinformation. Inordertomeetrequirement3(avoidingreplication),PALshouldnotallowstoringconversations norshoulditbeeasytotransfertherecordedaudiotoapermanentrecordingdevice. Astheflexibilityandpowerofmobilephonesincreases,itisbecomingincreasinglyeasyto developapplicationssuchasPALwithoutcontrolorconsentbytheoperatorormanufacturers. Whilemostmanufacturersincludeanaudible“click”whenapictureistakenwithacameraphone, itisjustamatteroftimeuntilindependentsoftwaredeveloperscomeupwithapplicationsthatdo notincorporateprecautionssuchastheclickorlimitsonthedesignvariablesdiscussedabove. Forexample,inPALitwouldberelativelysimpletoreverse-engineerthesoftwareonthephone andincreasetheretentiontime—afterall,memoryisvirtuallylimitlessonmodernphones.This leavesanumberofalternativestomanufacturersforlimitingundesiredchangestosoftwareapplicationslikePAL. Onepossibilityisthatofimplementingcertificationprogramsforadd-onsoftwareonwhat aresupposedtobetrustedplatforms.NokiahasadoptedthisapproachwithJavasoftware,which mustcarryacertificateinordertoaccesssomeofthemoresophisticatedphonefeatures.Many manufacturers,however,intheefforttocreatelargemarketsfortheirdevices,haveadoptedopen developmentmodels.Thus,controllingsoftwaredevelopmentmayonlybeastopgapmeasure. Blockingcertainhardwarefunctionsmightbemoreeffectivethancontrollingsoftwaredevelopment:afterall,thesehighlyintegratedsystemsaredifficulttomodifywithoutlargeinvestmentsinmanufacturingfacilities.Finally,therehavebeenproposalstouseradiotransmittersto automaticallyinformthephoneoftheallowedactivitiesinacertainenvironment(Perry,2005). Thiswould,however,requireindustrystandardization,consensusbymanufacturers,and,again, theavailabilityoftrustedplatforms. Table10.5showsthecharacteristicsofthevideodatacollectedbyCareLog.Theusersofthe datahaveinterestintwokindsofevents: • exceptionalcircumstancesthatneedtobeinvestigated(asmentionedabove),andthatmay happenoccasionally;and • activitiessuchasplannedtherapeuticinterventionsandspecifictasksthechildisengagedin.
254IACHELLOANDABOWD
Botheventsmayspanasmallfractionofarecordingcoveringtheentiredayatschool.Thiscauses thesemanticdensityoftheinformationtobelow.Therichnessoftheinformationis,again,high,for reasonssimilartothePALcase:videoisanexpressive,richmediumthatisdifficulttomanipulate. Finally,theinformationcontainedintheserecordingsissensitive,unliketheaudiorecordedbyPAL inmostinstances.Muchofthisinformationrelatestominorswithspecialneeds;evenifthisdoes notcausetheinformationtoincreaseinsensitivityperse,socialifnotlegalconventionrequires specificcontrolstoavoiddisclosuresthatcouldaffectindividualswhoarenotabletoconsenttothe collectionofdataaboutthem.Moreover,inthecaseofthesubjectsoftheinterventions,thecollected datamaybeconsideredhealth-relatedandthussubjecttorelevantrequirements. Cross-comparisonwithTable10.2suggeststhatrelevantsecuritygoalsforthekindsofinformationcollectedandstoredinthissysteminclude: • • • • • •
Preventunauthorizeddisclosure Controlaccessrate Preventreplication Guaranteeintegrity Controlusageofdata Controldatahandling
Thesesecuritygoalscanbeachievedbyleveragingappropriatedesignoptions.Theprevention ofunauthorizeddisclosureandunauthorizedreplicationofthedatacanbeachievedinvarious ways,includingimplementingaccesscontrolandgatheringaccesslogstotheinformation.The deploymentenvironmentofthisapplicationalreadyhassecuritymanagementpoliciesforpersonalinformationinplace,andCareLog’simplementationcouldleverage,whereappropriate,the organizationalknowledgeandpracticeembeddedinthesepolicies.Thereductionoftheaccess ratetotheinformationcanbeachievedbymanipulatingtheeffectivenessofaccessandbrowsing facilitiesprovidedwiththeapplication.Sincethismanipulationmayhaveacrucialimpacton systemusability,thisrequirementmustbebalancedamongthesecompetingneeds. Thecontrolofdatahandling,use,andintegritymaybeachievedbyamixoftechnical(e.g., backupprocedures)andorganizational(e.g.,trainingofpeopleresponsibleforhandlingthedata) measures.Typical data protection management techniques may be employed for this purpose (Iachello,2003),althoughthetypeofcollecteddatamightmakeredresscomplianceonerousfor schoolofficials.AsolutionthathasbeenproposedbythedesignersofCareLogistokeepvideo recordingsonlyaslongasisnecessaryforcompilingwrittensynthesesoftheinformationofinterest anddiscardingthemimmediatelythereafter.Thisreflectsexistingpracticeinmanyschools. DesignbyAnalogy Traditional IT applications such as those used in marketing, financial services, healthcare, or e-commerce,are,bynow,quitewellunderstood,andawiderangeofsolutionsisprovidedby regulationandindustrybestpractice(BritishInstituteforInternationalandComparativeLaw, 2003;UKInformationCommissioner,2003).Conversely,giventhelimitedpriorknowledgeand experienceindesigningubicompapplications,guidelinesandbestpracticesarestilllacking.Academicresearchhasstartedonlyrecentlytouncovertheseissuesandproposingdesignguidelines, butmuchmoreworkisnecessarytoachievereliabledesigntechniques. Oneapproachtotheproblemisthatofdesigningbyanalogy,thatis,analyzingexistingapplicationsthataretechnicallyandorganizationallysimilartotheonebeingdesigned,withcon-
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY255 Table10.6
ComparisonofVideoSurveillanceandCareLog Securityvideosurveillance
CareLog
Purpose
Security,althoughdeviantstudent behaviorisalsobeingtracked(Paige, 2005)
Behavioraltherapy
Beneficiary
Schooladministration,students,teachers
Individualstudent,parents,teachers
Burdenedparties
Students,teachers,schoolstaff
Students,teachers
Oversight
Schoolofficials,police
Schooladministration,caregivers
Access
Schoolofficials,police
Caregivers,teachers,parents, professionaltherapists
Deploymentareas Publicareas,hallways,entrances, externalpremises
Classrooms,homes,otherplacesof dailyactivity
siderationofhowdifferencesbetweenthetwoapplicationsmightaffectthesecuritymanagement requirementsofthenewapplication.Applicationsthatarealreadydeployedincorporateawealth ofknowledgeonsocialpracticesandeconomiccompromisesthatmightbedifficulttoassessfrom scratchwithanewsystem.Giventheusefulnessofthistechniquefordevelopingsecuritystrategiesforubicompapplications,wewillprovidebelowanexampleofhowthistechniquecouldbe appliedbycomparingCareLogwithsecuritysurveillance. Thisprocessprovidestwoadvantages:First,itgroundsdesignandpolicychoicesonexperience withexistingsystems,thuslendingreliabilityandcredibilitytothesecurityanalysis.Second,it allowsdefiningexpectationsonthesecuritymanagement,anddefiningwhatsecuritypolicieswill bereasonabletoenforceinthenewsystems. Theknowledgepresentintheexistingbenchmarkapplicationsmightnotbeavailableexplicitly,but canberecoveredbyanalyzingtheapplicationandtherelatedsocialpractices.Howtheanalysisisto beperformeddependsonthetypeofapplication.Weproposetofocusonfivetypesofdifferences: • • • • •
Purposeoftheapplication Stakeholders(bothbeneficiariesandburdenedparties) Oversightfunctions Accesspolicies Deploymentscope
Here,wecompareCareLogwithvideosurveillance.Whiletheintroductionofsurveillance camerasinschools(Paige,2005)isgreetedinsomecasesbyprotests,itisneverthelessmaking itswayinsidetheseinstitutions.Oftencamerasareinstalledinthecommunalareas(entrances hallways,lunchrooms,andsoon),butinsomecases,alsoinclassrooms.Often,surveillanceis deployedafterarecordofviolentordeviantbehaviorsoractsofvandalism.12Theuseofvideo recording within classrooms for the purpose of conducting diagnostic, therapeutic, and other activitiesis,however,differentfromsurveillancefunctionsinvariousrespects,assummarizedin Table10.6.ThetableshowsanoverviewcomparingsecuritysurveillancewithCareLoginterms ofpurpose,beneficiaries,burdenedparties,andaccessandoversightfunctions.
256IACHELLOANDABOWD
The stated purposes for using video cameras are different for the two applications. Using videorecordingforsecuritypurposesisbecominganincreasinglyacceptedpractice,thankstoa greateffortexpendedbyschoolandlocalauthoritiestoconvincethepublicofitsmerits.Infact, surveillancecamerasarebecominganacceptedpartofthetechnologicalinfrastructureofschools andprotestsaboutthepotentialnegativeimpactofthesesystemshavebeensubduedintheface oftheperceivedincreaseofsafetyandsecuritybroughtonbythetechnology.Repurposingexistinginfrastructureordeployingnewcamerasforinterventionsonchildrenwithspecialneedsmay requirespendinganadditionalefforttoconvinceallstakeholdersoftheirappropriatenessand utility.Althoughcompellingclaimscouldbemadeaboutsociety’sgainsfrombettertreatment andintegrationofindividualswithdisabilities,theindividualslikelytobenefitdirectlyfromsuch technologyconstituteamuchsmallergroupthanthosegainingfromsecuritycameras. Strictorganizationalmeasuresareusuallyinplacetoensuretheuse,confidentiality,andretentionofthevideodatacapturedbysurveillancecameras.Onlyafewindividuals,inkeymanagementpositions,ordinarilyhaveaccesstothecamerafeedsandstoredrecordings.Thesepolicies areregulatedattheEUandnationallevelsinEurope,andDPAshavebeenparticularlyactivein thisdomainduringthepastcommission(1999–2004),publishingseveralreportsandguidelines documents (European CommissionArticle 29 Working Party, 2004). Several countries have publishedsimilarguidelines—forexample,Canada(InformationandPrivacyCommissionerof Ontario,2001)andSwitzerland.IntheUnitedStates,regulationofsurveillancecamerasinpublic places,includingpublicschools,isperformedatthelocallevel,forexample,Washington,D.C. (WashingtonD.C.,n.d.)andNewYorkCity(NewYorkCity,2004).Oftenthesepoliciesinclude thefollowingelements: • Limitationsonretentiontime(e.g.,10–30days) • Measurestopreventunauthorizedaccess(needcourtordertoretainrecordings,access control) • Identificationandallocationofmanagementandoversightresponsibilities • Limitationsonwherecamerascanbeinstalled • Limitationsontheuseofthetechnologyandofthecollecteddata • Limitationsonacceptableobjectsofobservations Such a strong regulatory framework makes schools’ case for installing surveillance cameras relativelyacceptable. ThedeploymentoftheCareLogsystemdiffersfromsurveillance.First,thecollectedvideo isavailabletomanymoreindividualsthansurveillancecamerasrecordings,which,according tomanylocalandnationalguidelines,aresupposedtobeneveraccessedundernormalcircumstances (European CommissionArticle 29Working Party, 2004). Regulatory contexts change considerablyacrossjurisdictions,however;localpoliciesmaygiveschoolofficialsconsiderable leewayinthesecuritymanagementofvideocollectedthroughsecuritycameras(NewYorkCity, 2004).TheopennessrequiredbytheeffectiveuseofthedatawithinanapplicationlikeCareLog presentsaheightenedriskofconfidentialitybreaches.Inbothtypesofapplications,thereisarisk thatresponsibilitiesindatamanagementmaynotbespelledoutclearlyandallocatedamongthe variousindividualshavingaccesstotherecordeddata. Inadditiontodifferencesinthestakeholders,oversightresponsibilities,andaccess,intrinsic totheapplicationisthatthecollecteddata(videofootage)isbothpersonallyidentifiableand generallyconsideredsensitivebecauseitreferstominorswithspecialneedsandmaybehealth related.Thecollectionofvideoinclassroomsisalsoqualitativelydifferentfromvideorecorded
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY257
inpublicspacessuchashallways,becauseclassroomsareoccupiedformuchlongerperiodsand morecomplexactivitiestakeplaceinthem. Summarizing,thisexampleofdesignbyanalogyhassuggestedthreeprimaryelementsofa securitystrategyfortheCareLogapplications: • Astronginformationmanagementpolicy,thatcaneffectivelyenforcemaximumretention timesfordata,andlimiteddatacapture • Atargetedcampaigningeffortaimedatconvincingsecondarystakeholdersoftheapplication’s usefulnessandbenefitsforthegreatercommunity • Aflexibleaccesscontrolpolicythatencouragesallusersofthecollecteddatatopreventor minimizeinappropriateuses Animportantcaveatthatappliestodesignbyanalogyisthat,inmanyorganizations,actual practicedivergesfromwrittenpolicies.Thisrelatestotheclassic“dustyshelf”problemofpolicy andproceduresdocuments:organizationalstandardsarelefttogatherdustonashelfandarenot reallyfollowed—aconcernoftenraisedinconnectionwithcertificationprogramslikeIS09001. Thiscanhappenforavarietyofreasons,anditisnotinthescopeofthischaptertoaddressthe problemsrelatedtoarchitecturerecovery.However,designersshouldbeespeciallyawareofthe gapbetweenofficialpolicyandactualpractice,especiallywithregardtosecurityrequirements, whenanalyzingexistingsecuritymanagementmodels.Securitymodels,whichwereinitiallydevelopedformilitaryapplications,areespeciallyvulnerabletothisproblembecausetheyareoften inadequatefortheneedsofcommercialorganizationsandindividuals(Povey,2003).Therefore, designersshouldbecarefultogainanunderstandingofhowareferenceITapplicationreallyis used,andnothowitwasintendedtobeused. FUTURERESEARCHDIRECTIONS Securitymanagementforubicompisafieldthathasnotbeenyetconsideredindepthduetothe lackofreal-worldexperiencewiththetechnology.However,ubicompapplicationsarereaching themarket,andsecuritymanagementwillbecomeincreasinglyrelevantbecauserecentexperience withtraditionalcomputingsystemshasshownthatitisoneoftheweakestlinksininformation security. Thischapterhasindicatedsometechniquesandoptionsforplanningandenforcingparticular securitypoliciesavailabletomanagersanddesigners.Thesetoolsincludedesignbyanalogy,the analysisofexistinglegislation,waystoaccelerateacceptance,andtechniquestoreduceindustrial liability;weofferedtwocasestudiesthatdemonstratehowthesetoolswereusedinpracticeto achieveasecuritystrategythatisbothcredibleanddefensible.Thesetoolsprovidesomeelements ofacomprehensivesecuritymanagementstrategy. However,manyissuesmuststillbeaddressed.Relevantfutureresearchthemesinclude: • howtoreconciletraditionalinformationsecuritymanagement,whichrestsonclearroles definitionandonthevisibilityoftheinformationsystem,withapplicationsthatrununattendedandunnoticed; • howtofacilitateacceptancebyallinvolvedstakeholders(specificallyrelatingtosecurity, safetyandprivacyconcerns); • waysofincreasingtheexchangesbetweenlegislativeandregulatorybodiesandmanufacturersandserviceprovidersinordertoreducedevelopmentrisksandliability;
258IACHELLOANDABOWD
• noveldesigntechniquesthatcanincorporateexperiencefrompastapplicationstothisnovel classoftechnologies. Wehopethatbypointingoutsomeoftherelevantissuesinthischapter,wewillbeableto motivateresearchersandpractitionerstodevotemoreattentiontotheseissues. ACKNOWLEDGMENTS This work was funded in part by the National Science Foundation through the GRFP, by the MacArthurFoundation,andGeorgiaInstituteofTechnology.Wethankfortheircollaborationon projectsrelatedtothisworkandthoughtfulcomments:JosephBenin,KrisNagel,ShwetakPatel, andKhaiTruong.ShwetakPatelandKhaiTruongwrotethePALapplication.Inparticular,we wouldliketothankGillianHayesforprovidingaccesstoherresearchexperienceandknowledge oftheCareLogprojectandforgreatlyimprovingdraftsofthischapterwithhersharpandto-thepointcomments.Thisworkwouldnothavebeenpossiblewithouthercollaboration.Wealsothank SyGoodmanandMerrillWarkentinforrevisingdraftsofthechapter. NOTES 1.Weareexcludingfromthistablebiometricstechnologies.Despitecurrentwithimminentimpacton society(e.g.,personalauthentication[InternationalCivilAviationOrganization,2004]),ourassessmentsuggeststhatbiometricsmaynotbeyetreliableandefficientenoughforubicompapplications(e.g.,recognition ofpeopleinunconstrained,unattendedenvironments)(Balint,2003). 2.Forexample,anaturalcriterionofvideorecordingorganizationistime,andgivenacertainmoment intime,itisalmostimmediatetoretrievedatarelatingtoit.However,itwouldbeveryexpensivetofindall greenobjectsthatappearinavideodatabase;thiswouldentailperforminganexhaustivevideoanalysisof theentirerecording. 3.“[Itis]acrimeforanypersontocorruptlyalter,destroy,mutilate,orconcealanydocumentwith theintenttoimpairtheobject’sintegrityoravailabilityforuseinanofficialproceeding”(UnitedStates Sarbanes-OxleyActof2002). 4.ThissystemisconceptuallysimilartoNorthropGrumman’sTRIMARCtrafficmonitoringsystem (NorthropGrummanCorp.,2002). 5.Cautionisdueingeneralizingthisassessment,becausewedonotknowhowsuchbehaviorswould manifestthemselvesinlargesocialgroups. 6.Itshouldbestressedthatwearenotlegalscholars—theanalysisoflegislationaffectingPALand CareLogisnotintendedtoprovidelegalopinionontheseapplications.Thepurposeofouranalysisisonly thatofextractinginitialguidelinesandrequirements. 7.ECPA(theU.S.ElectronicCommunicationsPrivacyActof1986)appliestoanyelectronicrecording deviceandtoanyconversation(“oralcommunication”)betweentwopersons“exhibitinganexpectationthat suchcommunicationisnotsubjecttointerception,”eveniftheconversationsarenottransmittedthrougha telecommunicationsnetwork—thisincludesthePALapplication. 8. Directive 95/46/EC (European Union, 1995) applies to any personally identifiable information. Historically,thedirectiveregulatedthecollectionofpersonaldatabyorganizationsinlargetext-oriented databases.Recently,however,DataProtectionAuthorities(DPA)(EuropeanCommissionArticle29Working Party,2004)havepointedoutthataudiorecordingsofvoiceconversationsarecoveredbythedirective.EU Directive2002/58/EC(EuropeanUnion,2002)regulatestheprovisionoftelecommunicationservices(both voiceanddata),andmandatestheirconfidentiality. 9.FurtherinformationonthedetailsoftheseandotherU.S.SupremeCourtdecisionscanbefoundat www.findlaw.com/casecode/supreme.html.A comprehensive historical account (limited to 1972) can be foundinabookpublishedbytheColumbiaHumanRightsLawReview(1973). 10.Historically,thisregulationwasintendedforaninformationenvironmentbasedonpaperdocuments andstructureddatabaserecords,whicharerelativelyeasytosearchand“clean”fromotherstudents’data. 11.IDEAguaranteeschildrenwithdisabilitiesa“freeappropriatepubliceducation”intheleastrestrictive
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY259 environment(U.S.IndividualswithDisabilitiesEducationActof1977),oftenregulareducationclassroom settings. 12.Whilethesekindsoftechnologiesmaybeinstalledforaspecificpurpose,onceinplacetheymight berepurposed.So,surveillancecamerasinstalledinschoolsforpreventingordocumentingseriouscrimes couldthenbeusedforprosecutingminoroffences,suchasstudentssmoking. REFERENCES Altman, I. 1975. The Environment and Social Behavior—Privacy, Personal Space,Territory, Crowding. Monterey,CA:Brooks/Cole. Altman,I.1977.Privacyregulation:culturallyuniversalorculturallyspecific?JournalofSocialIssues,33, 3,66–84. Arnold,M.2003.Onthephenomenologyoftechnology:the“Janus-faces”ofmobilephones.Information &Organization,13,231–256. AustralianInformationEconomyAdvisoryCouncil.2004.NationalBandwidthInquiry:Bandwidth2000–2004 (availableatwww.dcita.gov.au,accessedonApril4,2004). Balint,K.2003.No“SnooperBowl”forSanDiego;policewon’tbeusingface-scanningtechnologythat sparkedireinTampa.SanDiegoUnion-Tribune,January20. Beck,R.J.;King,A.;Marshall,S.K.2002.Effectsofvideocaseconstructiononpreserviceteachers’observationsofteaching.JournalofExperimentalEducation,70,4,345–361. Bellotti,V.,andSellen,A.1993.Designforprivacyinubiquitouscomputingenvironments.Proceedingsof ECSCW’93.Dordrecht:KluwerAcademicPublishers,pp.77–92. Bennet, C., and Grant, R. (eds.). 1999. Visions of Privacy:PolicyChoicesfortheDigitalAge.Toronto: UniversityofToronto. BerghellAssociatesLLC.2004.ProjectingtheCostofMagneticStorageovertheNext10Years(available atwww.berghell.com/whitepapers.htm,accessedonApril4,2004). BritishInstituteofInternationalandComparativeLaw.2003.TheImplementationofDirective95/46/ECto theProcessingofSoundandImageData(availableatwww.europa.eu.int). Brusilovsky, P. 2000. Web lectures: electronic presentations in web-based instruction. Syllabus, 13, 5, 18–23. ColumbiaHumanRightsLawReview.1973.Surveillance,DataveillanceandPersonalFreedoms:Useand AbuseofInformationTechnology.FairLawn,NJ:Burdick. TheEconomist.2004.Truckinghell.February19. Elmagarmid,A.etal.1997.VideoDatabaseSystems:Issues,Products,andApplications.Boston:Kluwer AcademicPublishers. EuropeanCommission.2004.DGINFSO—DGJAIConsultationDocumentonTrafficDataRetention,July 30(availableathttp://europa.eu.int/information_society/topics/ecomm/doc/useful_information/library/ public_consult/data_retention/consultation_data_retention_30_7_04.pdf). EuropeanCommissionArticle29WorkingParty.2003.WorkingDocumentonBiometrics.12168/02/EN WP80(availableathttp://europa.eu.int). EuropeanCommissionArticle29WorkingParty.2004.Opinion4/2004ontheProcessingofPersonalData byMeansofVideoSurveillance.11750/02/ENWP89(availableatwww.europa.eu.int). EuropeanUnion.1995.Directive95/46/ECoftheEuropeanParliamentandoftheCouncilof24October1995 ontheprotectionofindividualswithregardtotheprocessingofpersonaldataandonthefreemovement ofsuchdata.EuropeanUnionOfficialJournal,L281,31–50. EuropeanUnion.2002.Directive2002/58/ECoftheEuropeanParliamentandoftheCouncilof12July2002 concerningtheprocessingofpersonaldataandtheprotectionofprivacyintheelectroniccommunicationssector(Directiveonprivacyandelectroniccommunications).EuropeanUnionOfficialJournal, L201,37–47. Foresti,G.;Mähönen,P.;andRegazzoni,C.2000.MultimediaVideo-basedSurveillanceSystems:Requirements,IssuesandSolutions.Norwell,MA:KluwerAcademicPublishers. GarfinkelS.2002.AdoptingfairinformationpracticestolowcostRFIDsystems.UbiquitousComputing2002 PrivacyWorkshop(availableatwww.teco.edu/~philip/ubicomp2002ws/,accessedon:January10,2005). Gaver,W.;Moran,T.;MacLean,A.;Lovstrand,L.;Dourish,P.;Carter,K.;andBuxton,W.1992.Realizing avideoenvironment:EuroPARC’sRAVEsystem.ProceedingsoftheConferenceonHumanFactorsin ComputingSystemsCHI’92.Monterey,CA:ACMPress,pp.27–35.
260IACHELLOANDABOWD Geyer,W.;Richter,H.;Fuchs,L.;Frauenhofer,T.;Daijavad,S.;Poltrock,S.2001.TeamSpace:ACollaborativeWorkspaceSystemSupportingVirtualMeetings.IBMResearchReport,RC21961. GlobalInformationInc.2003.Pressrelease,October8(availableatwww.the-infoshop.com/press/cg15968_ en.shtml,lastaccessedonJanuary17,2005). Graham, S. 2004. CCTV: the stealthy emergence of a fifth utility? PlanningTheory and Practice, 3, 2, 237–241. Grochowski,E.,andHalem,R.D.2003.Technologicalimpactofmagneticharddiskdrivesonstoragesystems.IBMSystemsJournal,42,2,338–346. Guidry,J.,andvandenPol,R.1996.Augmentingtraditionalassessmentandinformation:thevideoshare model.TopicsinEarlyChildhoodSpecialEducation,16,1(March1). Harter,A.,andHopper,A.1994.Adistributedlocationsystemfortheactiveoffice.IEEENetwork,8,1, 62–70. HayesG.R.;Patel,S.N.;Truong,K.N.;Iachello,G.;Kientz,J.A.;FarmerR.;andAbowd,G.D.2004a.The personalaudioloop:designingaubiquitousaudio-basedmemoryaid.ProceedingsofMobileHCI2004, LNCS3160.Berlin:SpringerVerlag,pp.168–179. Hayes,G.R.;Kientz,J.;Truong,K.N.;White,D.;Abowd,G.D.;andPering,T.2004b.Designingcapture applicationstosupporttheeducationofchildrenwithautism.Proceedingsof6thInternationalConference onUbiquitousComputingUbicomp2004,LNCS3205.Berlin:SpringerVerlag,pp.161–178. Hong,J.I.;Ng,J.D.;Lederer,S.;andLanday,J.A.2004.Privacyriskmodelsfordesigningprivacy-sensitive ubiquitouscomputingsystems.Proceedingsofthe2004ConferenceonDesigninginteractiveSystems DIS’04.NewYork:ACMPress,pp.91–100. Iachello,G.2003.Protectingpersonaldata:canITsecuritymanagementstandardshelp?Proceedingsof 19thAnnualComputerSecurityApplicationsConferenceACSAC2003.LasVegas,NV:IEEEPress, pp.266–275. Iachello,G.,andAbowd,G.D.2005.Privacyandproportionality:adaptinglegalevaluationtechniquesto informdesigninubiquitouscomputing.ProceedingsoftheConferenceonHumanFactorsinComputing SystemsCHI2005.NewYork:ACMPress,pp.91–100. InternationalCivilAviationOrganization.2004.BiometricsDeploymentofMachineReadableTravelDocumentsTechnicalReport.ICAOTAGMRTD/NTWG,Version1.9(availableatwww.icao.int/mrtd). InformationandPrivacyCommissionerofOntario.2001.GuidelinesforUsingVideoSurveillanceCameras inPublicPlaces,October(availableatwww.ipc.on.ca/docs/video-e.pdf,accessedonMarch7,2005). ILO.1993.SpecialseriesonworkersprivacyPartII:monitoringandsurveillanceintheworkplace.ConditionsofWorkDigest,12,1.InternationalLaborOrganization. ISO. 2000. ISO/IEC 17799:2000 Information Technology—Code of Practice for Information Security Management.ISO,2000.InternationalOrganizationforStandardization/InternationalElectrotechnical Commission. Jiang,X.;Hong,J.I.;andLanday,J.A.2002.Approximateinformationflows:socially-basedmodelingof privacyinubiquitouscomputing.Proceedingsof4thInternationalConferenceonUbiquitousComputing Ubicomp2002,LNCS2498.Berlin:SpringerVerlag,pp.176–193. Katzv.UnitedStates,389U.S.347;88S.Ct.507(1967). Kensing,F.,andBlomberg,J.,1998.Participatorydesign:issuesandconcerns.ComputerSupportedCooperativeWork,7,167–185. KephartJ.,andChess,D.2003.Thevisionofautonomiccomputing.IEEEComputer,36,1,41–50. Kyllov.UnitedStates,121S.Ct.2038;150L.Ed.2d94;2001U.S.LEXIS4487(2001). Langheinrich,M.2001.Privacybydesign—principlesofprivacy-awareubiquitoussystems.Proceedingsof the3rdInternationalConferenceonUbiquitousComputingUbicomp2001,LNCS2201.Berlin:Springer Verlag,pp.273–291. Latour, B. 1991. We’ve Never Been Modern. Translated by Catherine Porter. Cambridge, MA: Harvard UniversityPress. Lessig,L.1999.Thearchitectureofprivacy.VanderbiltJournalofEntertainmentLaw&Practice,1,1,56. Libicki,M.2000.WhoRunsWhatintheGlobalInformationGrid.SantaMonica,CA:RAND. Maheu,M.M.;Whitten,P.;andAllen,A.2001.E-Health,Telehealth,andTelemedicine:AGuidetoStart-up andSuccess.Jossey-BassHealthSeries.SanFrancisco:JosseyBass. Mynatt,E.D.;Rowan,J.;Craighill,S.;andJacobs,A.2001.Digitalfamilyportraits:providingpeaceofmind forextendedfamilymembers.ProceedingsoftheConferenceonHumanFactorsinComputingSystems (CHI2001).NewYork:ACMPress,pp.333–340.
COMPUTINGTECHNOLOGIESANDSECURITYMANAGEMENTSTRATEGY261 NIST.1995.AnIntroductiontoComputerSecurity:TheNISTHandbook.SpecialPublication800–12.NationalInstituteofStandardsandTechnology(availableathttp://csrc.nist.gov/publications/nistpubs/index. html,accessedonApril10,2005). NewYorkCity.2004.IntroductionNo.150-A2004,ALocallawtoamendtheNewYorkCitycharter,in relationtorequiringtheDepartmentofEducation,inconsultationwiththeNewYorkCityPoliceDepartment,toinstallsecuritycamerasatNewYorkCitypublicschools(availableatwww.nyccouncil.info,last accessedonNovember28,2005). Norris,C.,andArmstrong,G.1999.TheMaximumSurveillanceSociety:TheRiseofCCTV.Oxford,England:Berg. Northrop Grumman Corp. 2002. TRIMARC—Automatic Incident Recording System (available at www. trimarc.org/perl/about_trimarc.pl and www.nascio.org/scoring/files/2002Kentucky7.doc, accessed on April2,2004). OECD.1980.GuidelinesontheProtectionofPrivacyandTransborderFlowsofPersonalData.OrganizationforEconomicCooperationandDevelopment(availableatwww.oecd.org). Orr,R.;Raymond,R.;Berman,J.;andSeay,A.F.1999.ASystemforFindingFrequentlyLostObjectsinthe Home.GVUTechnicalReportGIT-GVU-99–24,GeorgiaInstituteofTechnology. Paige,C.2005.Securitycamerasinschoolsdebated.BostonGlobe,February24. Palen,L.,andDourish,P.2003.Unpacking“privacy”foranetworkedworld.ProceedingsoftheConference onHumanFactorsinComputingSystemsCHI2003.NewYork:ACMPress,pp.129–136. Patton,J.W.2000.Protectingprivacyinpublic?Surveillancetechnologiesandthevalueofpublicplaces. EthicsandInformationTechnology,2,181–187. Pedersen,E.R.;McCall,K.;Moran,T.P.;andHalasz,F.G.1993.Tivoli:anelectronicwhiteboardforinformal workgroupmeetings.ProceedingsoftheSIGCHIConferenceonHumanFactorsinComputingSystems CHI1993.NewYork:ACMPress,pp.391–398. Perry,S.2005.HPBlurPhotoswithCameraPrivacyPatent.January(availableatwww.digital-lifestyles. info/display_page.asp?section=business&id=1888,accessedonMarch7,2005). Povey,D.2003.Optimisticsecurity:anewaccesscontrolparadigm.ProceedingsoftheNewSecurityParadigmsWorkshopNSPW1999.Ontario,Canada:ACMPress,pp.40–45. Sung-jin,K.2003.Cameraphonetorequireshuttersoundfromnextyr.KoreaTimes,November11. SwissFederalDataProtectionCommissioner2000.7.Tätigkeitsbericht1999/2000(7thAnnualReport 1999/2000)(availableatwww.edsb.ch/). Truong,K.N.;AbowdG.D.;andBrotherton,J.A.2001.Who,what,when,where,how:designissuesofcapture &accessapplications.Proceedings3rdInternationalConferenceonUbiquitousComputingUbicomp 2001,LNCS2201.Berlin:SpringerVerlag,pp.209–224. Truong,K.N.;Huang,E.M.;andAbowdG.D.2004.CAMP:amagneticpoetryinterfaceforend-userprogrammingofcaptureapplicationsforthehome.Proceedingsof6thInternationalConferenceonUbiquitous ComputingUbicomp,LNCS3205.Berlin:SpringerVerlag,pp.143–160. UKInformationCommissioner.2000.CCTVCodeofPractice(availableat:http://www.informationcommissioner. gov.uk/). UKInformationCommissioner.2003.TheEmploymentPracticesDataProtectionCode:Part3:Monitoring atWork(availableatwww.informationcommissioner.gov.uk/). UnitedStatesDepartmentofJustice—ComputerCrimeandIntellectualPropertySection—CriminalDivision. 2002.SearchingandSeizingComputersandObtainingElectronicEvidenceinCriminalInvestigations (availableatwww.cybercrime.gov). UnitedStatesElectronicCommunicationsPrivacyActof1986.18USC§2510etseq. UnitedStatesFamilyEducationalRightsandPrivacyActof1974.20USC§1232getseq. UnitedStatesHealthInsuranceAccountabilityandPortabilityActof1996.42USC§1320etseq. UnitedStatesIndividualswithDisabilitiesEducationActof1997.20USC§1400etseq. UnitedStatesSarbanes-OxleyActof2002.15USC§7201etseq. UnitedStatesVideoVoyeurismPreventionActof2004.18USC§1801etseq. U.S.DepartmentofHealthandHumanServices.2002.StandardsforPrivacyofIndividuallyIdentifiable HealthInformation;FinalRule.45CFRParts160and164,August. U.S.DepartmentofHealthandHumanServices.2003.HealthInsuranceReform:SecurityStandards;Final Rule.45CFRParts160,162,and164,February. Venkatesh,V.;Morris,M.G.;Davis,G.B.;andDavis,F.D.2003.Useracceptanceofinformationtechnology: towardaunifiedview.MISQuarterly,27,3,425–478.
262IACHELLOANDABOWD Walmsley,T.,andNielsen,S.1991.TheVideoshareProject.InstructionandClassroomVideotapingGuide,EducationResourcesInformationCenter(ERIC),PublicationED376653(availableatwww.eric.ed.gov). Want,R.;Pering,T.;Danneel,G.;Kumar,M.;Sundar,M.;andLight,J.2002.Thepersonalserver:changing thewaywethinkaboutubiquitouscomputing.Proceedings4thInternationalConferenceonUbiquitous ComputingUbicomp2002,LNCS2498.Berlin:SpringerVerlag,pp.194–209. Washington,D.C.n.d.MetropolitanRegulationsTitle24,Chapter25.MetropolitanPoliceDepartmentUse ofClosedCircuitTelevision. Weiser,M.1993.Somecomputerscienceproblemsinubiquitouscomputing.CommunicationsoftheACM, 36,7,75–84. Zarski,T.Z.2002.“Mineyourownbusiness!”:makingthecasefortheimplicationsofthedataminingof personalinformationintheforumofpublicopinion.YaleJournalofLaw&Technology,5(2002/2003), 1–54.
CHAPTER11
PROMISINGFUTURERESEARCHININFOSEC DETMARW.STRAUB,SEYMOURGOODMAN, ANDRICHARDL.BASKERVILLE
Abstract:Thischapterprovidesananalysisandsummaryofthekeyresearchquestionsraisedin theprecedingchaptersofthebook.Italsoorganizestheneedsforfuturemanagerialresearchin theareaofInfoSec.Mostresearchbeingcarriedouttoday(andbeingheavilyfunded)istechnical innature.Itfocusesondevelopingnewsoftwareandnewphysicalartifactsforsecuringsystems. Wearenotarguingthatthisworkisnotimportant.However,weareconcernedthatmuchofthe technologyisnotbeingutilizedduetoproblemsthatareendemictothehumandimension.Buying newtechnologyalonewillnotsolveserioussecurityissues.Questionsaboutwhyitisnotbeing effectivelyimplementedarecriticaltomakesurethatthebesttechnologyismeetingitsintended purpose.Futuremanagementresearchwillprovidetheanswerstothesequestions. Keywords: Information Security Processes, Policies, Practices, Guidelines, TechnicalVersus ManagerialInfoSecResearch,KeyResearchQuestions,FutureResearchDirections,National andInternationalLandscapeofInformationSecurity INTRODUCTION Weconcludethisbookbyprovidingananalysisoftheimportantquestionsraisedinthepreceding chapters.Thisanalysiswascreatedbyareviewoftheissuesraisedbytheauthorsandclassifying theseissuesintocategories.Thecriteriaforthecategoriesemergedinthisprocessanddelineated thegeneralareasofscholarlycontributionforinformationsecurity.Thisdevelopeda“wedding cake”modeloffutureworkinthemanagementofinformationsecurity.Thisweddingcakemodel isshowninFigure11.1. Thefutureresearchimpliedbytheissuesraisedbyeachoftheprecedingchaptersprojects thesefivecategories,eachbuildinguponthefoundationlaidbyothers.Atthemostfundamental level are issues dealing with the obligations of management to provide information security. Theseobligationsvaryinnature,andincludetheethical,legal,andeconomicmotivesimposedon managersbytheirstakeholders.Theseobligationsbringaneedforthedevelopmentofconcepts andconceptualframeworksinordertounderstandtheresponsibilities,constraints,processes,and metricswithwhichinformationsecuritymanagersmustoperate.Theframingoftheseconcepts raisesawarenessofthemyriadcontingenciesthatdefineandconstraintheactionsthatmanagers maybeabletotakeinthefaceofinformationsecuritydemands.Withintheconstraintsdefined bythesecontingencies,managersmustcreatetheorganizationalprocessesandmethodsthatwill effectivelyandefficientlyimplementandoperatethesecuritytechnologiesandorganizational behavior.Oncetheprocessesaredeveloped,waysmustbefoundtomeasurethesuccessofthe 263
264 STRAUB, GOODMAN, AND BASKERVILLE Figure11.1 WeddingCakeModelofFutureResearchNeedsinInformation SecurityManagement
Metrics Processes Contingencies Conceptual Framing Obligations
processes.Thesemetricsprovidethefundamentalandobjectivemeansbywhichmanagerscan planandcontrolorganizationalinformationsecurity. Wewilldiscusseachchapterinorder,stressinghowtheissuestheauthorshavediscussedfit intheweddingcakemodel.Thisanalyticalreviewofthesesuggestionsforfutureresearchserves twopurposes.Itwillremindthereadersinoneplacewhattheseissueswere.Second,itwillallowustoargueonceagainthatthekeyproblemswithinformationsecurityarenottechnical.The majorfailingsareinwhatisknownaboutthepropermanagementofinformationassets.Even withunlimitedsourcesoffunds,anorganization(andnations)couldeasilywastethemwithout knowingwheretoapplythemformaximumeffect. FUTURERESEARCH InformationSystemsSecurityStrategy:AProcessView(Chapter2) Chapter2beginsourthinkingaboutorganizationalneedsbydiscussingsecuritystrategyasbotha processandaproduct.Itframestheconceptsbyraisingtheissueofprecedenceamongthesetwo concepts.Ineithercase,strategymakingiscomplexandmanagerscannotalwaysbecertainthat theirstrategyisworkingandhowitcanbeadjustedtomakeitmoresuccessful.Policiesareone elementofanoverallstrategy,andtheauthorsraisetheinterestingquestionofwhetherstrategy drivespolicyorpolicydrivesstrategy.Therearelikelycircumstanceswheneachiscalledfor,and futureresearchneedstosortthisout(ideallythroughtheorydevelopment)formanagers. Thischaptergoesontoexploretheissuesproceedingfromthisconceptualprecedenceinterms ofmethods,processes,andmetrics.Whentheorganizationalstrategy-makingsettingistoorigid, theresultcanbecatastrophic,andtheauthorscautionthatscientificfindingswouldhelpresolve thisissue.Anotherunresolvedissueloomslargeandthatthatiswhichstrategiesworkandwhich donot?Itisunfortunatelythecasethatresearchtodateiswoefullyinadequateinbeingableto answerthisquestion.Inonesensethisisthemostvitalquestionofallsinceweknowthatmanagerswillpersistintheirfailingcoursesofactionunlessthecountervailingevidenceisverystrong (Brockner,1992;KeilandRobey,1999).Methodsandmeasurestoevaluatehowsuccessfula strategyorpolicy(policies)isarealsolacking,anddesperatelyneeded. Inthefinalanalysis,thebeststrategyisprobablyonethatisformulatedthroughthebestprocess, and,onceagain,weknowlittleaboutthecomparativestrengthsofvariousprocesses.Thecurrent bookprovidessomewaysofthinkingaboutprocesses,butscienceisneededtoassuremanagers thatthisprocesshasadvantagesoveravarietyofsituations.Atthemoment,suchinnovationsas
PROMISINGFUTURERESEARCHININFOSEC265
thosebroughtforwardinthischapterareobvious.Buttheproofthattheywillworkbetterthan othershasnotyetcomeforth. ITGovernanceandOrganizationalDesignforSecurityManagement(Chapter3) Chapter3bringsafocusonthosecontingenciessurroundinginformationsecuritywithwhich managersmustcontend.Inthefaceofthesecontingencies,itdealswithhoworganizationsshould organizethemselvestomaximizetheirsecurityefforts.Onesideoftheequationisthedistribution ofdecision-makingrights,whichistheusualdefinitionofgovernance.Questionssurrounding governanceinevitablyrevolvearoundwherethedecisionsshouldreside,forexampleinacentralized,federalized,ordecentralizedstructure. ThefirstissuetheauthorsraiseiswhetherthestructuringoftheIT/InfoSecgovernanceshould paralleltheoverallstructureoftheorganization.Ifafirm,forexample,isorganizedarounddomestic andinternationaldivisions,woulditbebesttohaveseparatesecurityorganizationsforeachof thesedivisionsorwoulditbebesttohaveglobalsecurityproceduresandpractices? Related to this point, the authors next ask whether a centralized IT security management strategyprovidesthemostassurance.Bringingsecurityclosertothosewhowillbesecuringtheir ownworkstationsandlocalareanetworkswouldimplyamoredecentralizedmode.Muchmore researchisneededtotrytounderstandthecontingenciesthatarepresentwheneversuchdecisions aremade. Firmsclearlyhavestrategyalternativesintermsofallocatingdecisionrights.Theauthorsraise thequestionofwhethertherearedifferencesinindustrywhenconsideringsuchcentralizationdecentralizationgovernancematters.Finally,theyquerywhichvariationscanoccurinindividual decisions from one action to another.These are good questions that can only be answered if researchersstudysecurityeffectivenessandthenrelateittotheseconditions.Governanceissues shouldbehighontheagendasofsecurityresearchersforthisreason. InformationSystemRiskAssessmentandDocumentation(Chapter4) Chapter4raisesmanyissuesabouttheobligationsofmanagementtoprovideinformationsecurity. Theseissuesproceedasthesubjectofriskassessmentatatacticallevelisexplored.Theprocedures forassessingriskarecoveredasareasetofrelevantquestionsformakinganaccurateassessment. Withregardtofutureresearch,theauthorsofChapter4askwhetherriskassessmentandreports onsecurityandsecurityviolationshaveanimpactontrainingandeducationalprograms,and whethertheseinturnreducecomputerabuseandcrime.Theybelievethisisacrucialareaforfuture research,onethatextendsandupdatespriorworkandsurveys.Furtherquestionsincludewhether formalizedreportsandproceduresworkbetter.Laterinthechapter,theauthorsquerywhether individuals’andemployees’knowledgeofabuseaffectstheirreceptivitytoeducationalprograms. InitialworkexploringaspectsofthisvitalissuehasbeensetforthbyGoodhueandStraub(1991) andStraubandWelke(1998),butmuchmoreresearchneedstobecarriedout,assuredly. Thereislittledoubtthatthesearecrucialquestionsforbothmanagersandscholars.Insider threatsarereal,andenlightenedtrainingandeducationcouldinformperpetratorsthatthereare optionstocomputerabuseandcrime,butdothesework?Weneedtohaverealempiricalevidence onewayortheother. Anothersetofquestionsraisedbytheauthorsaskshoworganizationsshouldreportincidents tolawenforcementinordertoavoidadversepublicity.Weknowthatorganizationstypicallyavoid officialreporting,evenwhentheyareviolatingthelawinsodoing(StraubandNance,1988),
266 STRAUB, GOODMAN, AND BASKERVILLE
sofindingwaysthatwouldencouragegreatercomplianceisanextremelyimportantmanagerial problem. Finally,theauthorsraisetheessentialquestionofjustification.Doesknowledgeofrisklead toastrongerjustificationforincreasedsecuritymeasures?Onewouldthinkthatknowingone’s riskwouldinevitablyleadtorationaldecisionsaboutareasonableinvestmentinsecurity.Unfortunately,rationalitydoesnotalwayshold,especiallyinInfoSeccases.Thatiswhyitissuch importantresearch. StrategicInformationSecurityRiskManagement(Chapter5) WhileChapter4developsissuesarisingfromtacticalriskassessment,Chapter5advancesquestionsabouttheprocessesandmetricsthatinformationsecuritymanagersmusthaveinorderto setpoliciesaboutriskmanagement.Certainly,organizationsneedtodevisepoliciestodealwith specificsecurityrisks.Yet,thereisalargerconceptualframeworkinwhichthesepoliciestakeplace, theoverallsecuritystrategy.Theauthoraskshoworganizationsallowthesetwodifferentlevelsto interactandcreateaviablestrategy-policyset.Hegoesontoquestionwhatshouldhappenwhen therearenopresetpoliciesthatcanhelptoscopeoutthatoverallsecuritystrategy.Additional researchcanshedlightonthisbyprobingfirms,governments,andnonprofitstoseewhatworks well.Bothbestpracticesandtheoreticalapproachesmightbeutilizedtoaddressthedomain. Creatingstrategyisnotatrivialexercise,whetheritisforgoalsatleveloftheentireorganization oratthelevelofinformationsecurity.Beyondtheissueofhowtocreatestrategyishowshouldit beevaluated.Theauthorarguesthatweknowsolittleabouthowtomeasureaneffectivesecurity strategythatwearetrappedinthelandofconsult-speakanddonothaveanyin-depthunderstanding oftruly“best”practices.Itislikelythateffectivestrategyisintimatelyconnectedwithasetting, suchastypeoforganizationortypeofindustry,sizeoftheorganization,manufacturingversus service,andsoon.Butlackingscientificstudiesofwhethersecurityisseenasaprocessorasa product,andwhethercertainstrategydevelopmentproceduresareeffectiveornot,weareunable toanswerawholerealmofseriousmanagerialquestions. SecurityPolicy:FromDesigntoMaintenance(Chapter6) Thischapterrepresentsareturntoourfocusoncontingenciesthatwillinhabitfutureinformation securitypolicysetting.Itintroducesasetofresearchquestionsrelatedtotheprinciplesthatare offeredtocreateeffectivedesign-to-maintenancepolicies.Thefirstareaofconcernisidentificationofcriticalsuccessfactors(CSFs)intheimplementationofinformationsecurity.Theauthor presentsfivefactorsthatmustbepresentforpolicytowithstandexternal,legalscrutiny:(1)dissemination(distribution),(2)review(reading),(3)comprehension(understanding),(4)compliance (agreement),and(5)uniformenforcement.Aretheseallmajorcriticalsuccessfactors?Arethere othersthatneedtobeincluded? Researchshouldbegininthegeneralareabystudyingthefeaturesorcharacteristicsofeffectivesecuritypolicies.Thesefeatureswillnodoubthavetobequalifiedforvaryingsettings,but thereareresearchissuesrelatedtothisendeavoraswell.Howdoorganizationsadapttheirgeneric principlesfortheformulationofpolicytofittheirneedsbetter? Theauthorbelievesthereisinterestingworktobedoneinapplyingthetechnologyacceptance model(TAM)withitsconstructsofperceivedusefulnessandperceivedease-of-usetotheacceptanceofsecuritypolicies.Thisrequiresabroadeningoftheconceptoftechnology,butthisis notalargestretchgiventhatthismodelhasalreadybeenappliedtosuchabreadthofartifacts.
PROMISINGFUTURERESEARCHININFOSEC267
TheapplicationofTAMtoautomatedpolicymanagementsoftwareandothersoftwareproducts likeintrusiondetectionsoftwarewouldbeperfectlyinlinewiththislineofwork,andshouldbe carriedout,nodoubt. Therearespecificresearchquestionsthattheauthorelicitsregardingchampionsorsponsoring seniorexecutives,theextenttowhichpoliciesarecompliedwith,andwhetherpoliciesactually affectuserbehavior.Atamoremicrolevel,heaskswhetherpolicieshaveanorganizationalimpact andcanactuallyimprovetheoverallsecurityenvironment.Howthisorganizationallevelmight interactwiththelegalenvironmentisthelastframingtypeofquestionheraises. BusinessContinuityPlanningandtheProtectionofInformationalAssets (Chapter7) Chapter7raisesnewissuesintheobligationsoforganizationstoprovidesecureinformation.It explainsthetypesofdisastersthatcanbefallanorganizationandhoworganizationscanorganizetominimizethedamage.Thisistypicallycalledbusinesscontinuityplanning(BCP)inthe literature.BCPhasanumberofclearmacro-levelissueswithregardtofutureresearch.InfoSec researchersshouldraiseasimplebutbasicquestionfirst:DoesBCPwork?Ofcourse,knowing thecontingenciesunderwhichitismoreorlesseffectivewouldbethebestdesignedresearch.Part oftheproblemisthattopmanagersarenotconvincedthatsuppliersandcustomersappreciatea firmthathashighpreparedness,soInfoSecandBCPappeartothesemanagerstobecostsrather thanacompetitivepositioning. Weknowverylittlescientificallyaboutphasesofrecovery.Knowingwhetherthereisastandard modelwouldaidfirmsinthenormativedevelopmentoftheirownplans.Arethephasesarticulated inthischapterthebestpossible?Sometimesreceivedwisdomisnotwisdomatall.Weneedto knowifthestandardapproachesareaseffectiveastheycouldbe. CanafirmoutsourceBCP?Theauthorsaskwhetherastrategicselectionofareastooutsource canbeperformed.Thisisadeploymentissue,andmergesintothegeneralissueofcoldsites versushotsitesversusdistributedprocessing.Again,notmuchisknownaboutwhichofthese workswellandwhen. InformationSecurityPolicyintheU.S.NationalContext(Chapter8) Chapter8takesahistoricalapproachtodescribinghowU.S.nationalsecuritypolicyhasevolved (ornotevolvedasitshould).Aswemightexpectfromsuchabroadchapter,itraisesissuesof conceptualframingthatmustalwaysfollowhistoricalviewpoints.Butthischapteralsoraises issuesofaprocessintermsofwhatourlearningfromthepastmaybesuggestingforustodoin thefuture.Thislearningalsosuggestsfutureworkintheobligationsofmanagersandthemetrics thatareneededtomeasurethesuccessofmanagersinmeetingthoseobligations. Inconceptualframing,muchofthechapterisorganizedaroundLessig’sprinciplesforsocial governanceasdescribedinhisbookCodeandOtherLawsofCyberspace.Lessig(1999)argues thattherearefourwaystogovernbehavior:(1)law,(2)economics,(3)socialpressure,and(4) architecture.Lawrelatesclearlytopolicymakingbyvariousgovernmentallevels,andtheauthor concludesthatthesegovernanceprocessesarepiecemealatbest.Thissuggestsresearchquestions thatwouldaddresswhythispiecemealsituationhasdevelopedandwhat,ifanything,canbedone tocoordinatethesenationalandstatepoliciesinthefuture.StudiesinwhatessentialInfoSecdomainsofproducts,applications,andenvironmentshavebeenexcludedaswellasthosethathave beenunnecessarilyincludedinpolicymakingshouldproceed.
268 STRAUB, GOODMAN, AND BASKERVILLE
Thisproblemisdwarfedinmanywaysbyarchitecturalproblems,namelythelackofaneffectivesetofinformationsecurityprimitives.Commondefinitionsofessentialsecurityelements meansthatincompatibleplatformswillcontinuetobecreated,andtheseproblemstransferred tofuturegenerations.Howcantheseprimitivesbedevelopedandacommonbodyofknowledge putforth?Sensiblegovernmentpoliciescouldatleastencouragemovementinthisdirection,but nonehascomeforth.Theresearchquestionsinthisareaabound.Whataretheprimitives?What processcanbeusedtocertifyawidelyacceptedbodyofknowledgealongtheselines? Nationaleffortsineducationalprogramsandcertificationwouldalsobehelpful,accordingto theauthor.IfthereisagreementthatstandardsinInfoSeccurriculumandcertificationaredesirable, whatshouldtheselooklike?Oncepromulgated,additionalquestionsariseabouttheireffectiveness,ofcourse.Onemeasureofeffectivenesswouldbewhetherthecertificationhasteeth.Ifno oneiseverexpelledfornoncompliance,thenthecacheofthecertificateisweakened. Thechapteralsoprovidesdirectionsforfutureprocesses,arguingthattrainingandeducation ofthegeneralpopulationcouldbehelpful.Again,theresearchquestionsaroundwhatliteracy curriculumwouldbebestaregoodones,asisthequestionofdownstreameffects.Ifthereisa heightenedlevelofinformationsecurityliteracy,doestheincidenceofcomputerabuseandcrime godown?Ifnot,whynot? Thelackoftoolstoprovideacomprehensiveviewofafirm’sinformationsecurityriskportfolio meansthatitisnotpossibletohavemuchmeaningfulgovernmentregulationoforganizational security. Here we find issues of corporate obligation in the metrics necessary to measure the successinmeetingtheseobligations.Whatstandardscouldbehelduptofirms?Irrespectiveof EnronandSarbanes-Oxley,aclearerandcleanersetofinformationsecurityguidelinesisneeded. Thiscouldbecarriedoutbytheprivatesector,ascouldcertification,butgovernmentregulatory requirementscouldspeeditsdevelopment.Therearefascinatingresearchquestionssurrounding howgovernmentagenciesandtheprivatesectorcouldworktogethertomakethishappen.Movingthiskindofreportingtoapublicaudiencecouldstabilizemanyareasofsecuritythatarenow exceedinglyvolatile.Studyingthelong-termeffectsofsensiblenationalorstatelevelregulation wouldofferinterestingresearchpossibilities. ThechapterconcludesbyraisingthepossibilitythatfederalandstateCIOstakeonthechallengeofbeingresponsiblefortheirconstituency’ssecurity.Whatformthiswouldtakeandwhether thiswouldreallyhelpisaviableresearchquestion.Atthemoment,theresearchcommunityis virtuallysilentonthisimportantissue. TheInternationalLandscapeofCyberSecurity(Chapter9) Thischapteralsoraisesissuesoffutureprocessesandthemetricsneededinthefuturetoplan andcontrolthoseprocesses.Discussinginternationalaspectsofcybersecurity,Chapter9first raisesthequestionofhowsuccessatfightingcomputerabuseandcrimeattheinternationallevel shouldbemeasured.Theissueisseriouswithhighlyindustrializedcountries,sotheglobalmetrics areevenmoreelusive.Whatcanbedoneisforresearcherstospecify(andvalidate)theproper metrics.Ifthesearereasonable,andespeciallyifthereareprovisionsforprotectingtheidentity oftherespondingorganizations,itmaybepossibletocreateaninternationallyrelevantdatabase ofstatistics.Thesewouldbeenormouslyusefulnotonlyforpurposesofresearch,butforbenchmarkingbyorganizationsofeverytypeandsize. Thesecondmajorresearchquestionarticulatedbytheauthorsishowscaleableareregional operationalmodelsforInfoSecinitiativessuchasAPEC?Regionalmodelsseemtobetheonly gamegoingintheinternationalarena,andifregionalmodelscanincludesharingamongstthem-
PROMISINGFUTURERESEARCHININFOSEC269
selves,thentheymaybescaleable.Thisconfigurationmaybreakdownincertainareascurrently under-served,suchasAfrica.Butthisremainstobeseen.Researcherscansurelyinvestigateand reportonthevariouspossibilities. Drillingdownwardonthisquestion,thesameissuecanbebroughtforwardaboutthecoordination,orlackthereof,betweenorganizationsacrossnationalboundaries.Isthisfeasible?Would ithelpifthereweregreatercoordination?Tothistime,theanswerstosuchquestionsarenot known. Manypartsoftheworldhavelittleinthewayofpreventivemechanisms.Therearebarriersto fundingsucheffortsinternationallyaswell.Cananythingbedonetoimprovethissituation?This isanotherviable,andunderstudied,issue,especiallyforthedevelopingworld. Therearealsoissuesheredealingwiththeobligationsofinformationsecurity.Globally,the problemswithunderreportingofcybercrimearelegion.Caninternationalpublic-privatecooperationassistindealingwiththisperennialproblem?CanthisbedonewithoutthreateningIPand shareholdervalueissues?Thereisalotofresearchthatcanbedoneinthisfinalarea. EmergingUbiquitousComputingTechnologiesandSecurityManagement Strategy(Chapter10) Becauseitissorelativelynew,ubicompbringsupahostofgoodresearchquestionsforInfoSec researchers.Itbringsusafocusonfutureprocessesthatmustbeinplacetomanagenewsecurity threatsandtechnologies.Whichofthesenewproductsisjustagadgetandwhichistrulyuseful isonlyoneaspectofhowwelltheycanbesecured.Ubicompbothheightenssecurityproblems andaddressesthematthesametime.Well-designedsystemscansolvemanyoftheirownsecurity problems,butcandesignersbreakoutsideoftheirtraditionalmoldsandtrulywrestlewithsecurity whiletheyarebuildingsuchnoveltechnologies?Carefulimplementationcanmakeabigdifference inhowwellitcanbecontrolled,butwedonotknowifthisisapossiblenewstepfordesigners. Securitymanagersaregoingtohavetothinkoutsidetheboxtoexercisetherequisitecontrol. Cantheycarrythisoff?Cantheyenlisttheattentionoflegislatorstohelpinalegalframeworkto makethetechnologysafeandsecureforusers?Theseareexcellentquestionsthatarecompletely unansweredatthepresenttime. CONCLUSION Overall,theissuesraisedbytheauthorsofthechaptersaboverangebroadlyacrossourwedding cakemodeloffutureresearchneedsforinformationsecuritymanagement.Thereareopportunitiesforimportantnewworkintheobligations,conceptualframing,contingencies,processes,and metricsthatmustinhabitthedailyworklivesofeffective,futureinformationsecuritymanagers. ThegeneralfocusoftheissuesraisedineachchapterisdetailedinFigure11.2. Thecurrentvolumeclearlydoesnotaddressallpossibleissuesaboutpolicyandpracticein InfoSec.Wehopethatithasservedtomovetotheforefronttheessentialpointthatmanagementof informationsecurityhasnotreceivedtheattentionitneedstosecuretheworld’scomputersystems. Thereisavailableintheworldtodayagreatdealoftechnologythataddressesorganizationaland national-levelsecurityconcerns.Butwelackclearandconcisepoliciesatalltheselevelstomake certainthatthistechnologyisappliedwhereandwhenitshouldbeapplied.Thereismuchwheel spinningthatisnotproductiveandnotmeetingglobalneeds,especiallypost-9/11. Finally,theagendaforfutureresearchthathasbeensetforthinthisvolumeisbynomeans complete.Itrepresentsthethinkingofthisdistinguishedpoolofauthors,butadifferentpoolwould
270 STRAUB, GOODMAN, AND BASKERVILLE Figure11.2 MajorAreasofFutureResearchIssuesDevelopedintheChaptersin thisBook
Metrics Chapters 2, 5, 8, 9 Processes Chapters 2, 5, 8, 9, 10 Contingencies Chapters 3, 6 Conceptual Framing Chapters 2, 5, 8 Obligations Chapters 4, 7, 8, 9
likelyhavecomeupwithasetthatlookedsomewhatdifferent.Wehopeandtrustthattherewould besignificantoverlapinothersuchlists,butwemakenoclaimstobedefinitive. Readersareinvitedtochallengetheassumptionswehavemadeandthelinesofthinkingthat wehavepursued,bothindividuallyandcollectively.MoreneedstobelearnedaboutInfoSecas bothabehavioralandorganizationalissue.Weleavethereaderwithhopethattwenty-fiveyears fromnowmanyormostoftheproblemsthatwehavebroughttothesurfaceinthisbookwillbe addressedandperhapsevensolvedandthatInfoSectakesitsrightfulplaceamongtheimportant functionsthatorganizationsandnationshavegrowntounderstandandeffectivelyutilize. REFERENCES Brockner,J.1992.Theescalationofcommitmenttoafailingcourseofaction:towardtheoreticalprogress. AcademyofManagementJournal,17,1,39–61. Goodhue,D.L.,andStraub,D.W.1991.Securityconcernsofsystemusers:astudyofperceptionsofthe adequacyofsecuritymeasures.Information&Management,20,1(January),13–27. Keil,M.,andRobey,D.1999.Turningaroundtroubledsoftwareprojects:anexploratorystudyofthedeescalationofcommitmenttofailingcoursesofaction.JournalofManagementInformationSystems,15, 4(March),63–87. Lessig,L.,1999.CodeandOtherLawsofCyberspace.NewYork:BasicBooks. Straub,D.W.,andNance,W.D.1988.Uncoveringanddiscipliningcomputerabuse:managerialresponses andoptions.InformationAge,10,3(July),151–156. Straub,D.W.,andWelke,R.J.1998.Copingwithsystemsrisk:securityplanningmodelsformanagement decisionmaking.MISQuarterly,22,4(December12),441–469.
EDITORSANDCONTRIBUTORS
GregoryD.AbowdisaProfessorintheSchoolofInteractiveComputingandGVUCenteratthe GeorgiaInstituteofTechnology.HecurrentlyservesasCo-directorfortheAwareHomeResearch InitiativeandAssociateDirectorfortheHealthSystemsInstitute.Hisresearchisintheareaof human–computerinteraction,withparticularfocusontheengineeringandevaluationofmobileand ubiquitouscomputingapplications.Dr.AbowdreceivedaBSinMathematicsfromtheUniversity ofNotreDamein1986andthedegreesofM.Sc.(1987)andD.Phil.(1991)inComputationfrom theUniversityofOxford,whereheattendedasaRhodesScholar.HeisamemberoftheACM andoftheIEEEComputerSociety. RichardL.BaskervilleisaProfessorofInformationSystemsintheDepartmentofComputer Information Systems, Robinson College of Business, Georgia State University. His research specializesinsecurityofinformationsystems,methodsofinformationsystemsdesignanddevelopment,andtheinteractionofinformationsystemsandorganizations.Hisinterestinmethods extendstoqualitativeresearchmethods.Dr.BaskervilleistheauthorofDesigningInformation SystemsSecurity(J.Wiley)andmorethanonehundredarticlesinscholarlyjournals,professional magazines,andeditedbooks.HeisaneditorfortheEuropeanJournalofInformationSystems andservesontheeditorialboardsoftheInformationSystemsJournal,JournalofInformation SystemsSecurity,andtheInternationalJournalofE-Collaboration.Baskervilleholdsdegrees fromtheUniversityofMaryland(B.S.summacumlaude,Management),andtheLondonSchool ofEconomics,UniversityofLondon(M.Sc.,Analysis,DesignandManagementofInformation Systems,Ph.D.,SystemsAnalysis). GurpreetDhillonisProfessorofInformationSystemsintheSchoolofBusiness,VirginiaCommonwealthUniversity,Richmond,USA.HeholdsaPh.D.fromtheLondonSchoolofEconomics andPoliticalScience,UK.Hisresearchinterestsincludemanagementofinformationsecurity,and ethicalandlegalimplicationsofinformationtechnology.Hisresearchhasbeenpublishedinseveral journalsincludingInformationSystemsResearch,Information&Management,Communicationsof theACM,Computers&Security,EuropeanJournalofInformationSystems,InformationSystems Journal,andInternationalJournalofInformationManagement. Dr.DhillonhasauthoredsixbooksincludingPrinciplesofInformationSystemsSecurity:Text andCases(JohnWiley,2007).HeisalsotheEditor-in-ChiefoftheJournalofInformationSystem Security,istheNorthAmericanRegionalEditoroftheInternationalJournalofInformationManagement,andsitsontheeditorialboardofMISQExecutive.Heconsultsregularlywithindustry andgovernmentandhascompletedassignmentsforvariousorganizationsinIndia,Portugal,the UK,andtheUnitedStates. 271
272 EDITORS AND CONTRIBUTORS
Neal M. Donaghy holds a Bachelor of Science (1997) from the University ofToronto and a MastersofScienceinInternationalAffairs(2005)fromtheGeorgiaInstituteofTechnology.He specializesinglobalriskoversightforaFortune15company.WhileattendingGeorgiaTech, NealservedasaGraduateResearchAssistantfortheMacArthurFoundation–fundedSamNunn SecurityProgramandwasnamedtheSamNunnSchoolofInternationalAffairs2005Outstanding GraduateStudentoftheYear.Nealhassevenyears’experienceworkingininformationtechnology intheUnitedStates,Europe,andAsia. Seymour(Sy)GoodmanisProfessorofInternationalAffairsandComputingjointlyattheSam NunnSchoolofInternationalAffairsandtheCollegeofComputingatGeorgiaTech,co-Director oftheGeorgiaTechInformationSecurityCenter,andPrincipalInvestigatorfortheMacArthur FoundationgrantsupportingtheSamNunnSecurityProgram.Hestudiesscienceandtechnologyandinternationalaffairs,particularlyinternationaldevelopmentsininformationtechnology andrelatedpublicpolicyissues.Herecentlyservedasco-chairofthepolicygroupforthestudy ofthevulnerabilitiesoftheU.S.telecommunicationinfrastructurefortheAssistantSecretaryof Defense(NII)andNSA,asco-chairoftherisksandexposuressubcommitteefortheAssociation forComputingMachinery(ACM)studyoftheimpactofoffshoring,andontheNationalResearch CouncilcommitteeconcernedwithanationalR&Dstrategyforinformationsecurity.Professor GoodmanhasbeentheInternationalPerspectiveseditorfortheCommunicationsoftheACMsince 1990,andhasconductedresearchonITinmorethaneightycountries.Hewasanundergraduate atColumbiaUniversityandobtainedhisPh.D.fromtheCaliforniaInstituteofTechnology,where heworkedonproblemsofappliedmathematicsandmathematicalphysics. GiovanniIachelloisaconsultantatMcKinsey&Co.’sAtlantaoffice,whereheservesHighTech andMediaclientsoncorporatestrategyissues.HereceivedaPh.D.fromtheGeorgiaInstitute ofTechnology(2006).Hisresearchfocusesonsecurityandprivacyinmobileandubiquitous computingapplications.Dr.IachelloreceivedaLaureainInformaticsEngineeringfromPadua University,Italy(1999),withathesisonITsecurityevaluationcriteria.HeworkedforAltoprofilo SPA,providingcorporateconsultingservicesrelatedtosecuritymanagementandpersonaldata protection,andatIntelResearch,developingmobilelocation-basedservices.Hewasafellowof theNSFGraduateResearchFellowshipProgramandtheSamNunnSecurityProgramatGeorgia Tech.HeismemberoftheACM,theIEEEComputerSociety,andofIFIPWG9.6/11.7“ITMisUseandTheLaw.” AllenC.JohnstonisanAssistantProfessorofInformationSystemsattheUniversityofAlabama atBirmingham.HeholdsaB.S.fromLouisianaStateUniversityinElectricalEngineeringaswell asanMSISandPh.D.fromMississippiStateUniversity.Hisworkscanbefoundinsuchoutlets asCommunicationsoftheACM,JournalofGlobalInformationManagement,JournalofInformationPrivacyandSecurity,InternationalJournalofInformationSecurityandPrivacy,andthe JournalofInternetCommerce,amongothers.Theprimaryfocusofhisresearchhasbeeninthe areaofinformationassuranceandsecurity,withaspecificconcentrationonthebehavioralaspects ofinformationsecurityandprivacy. WilliamJ.Malikisanindependentconsultantwiththirty-fouryearsofexperienceininformation technology.HewasaprogrammeratJohnHancockinBostonfrom1974through1978,aprogrammer,tester,planner,andstrategistatIBMthrough1990,andaresearcheratGartnerthrough2001, wherehemanagedtheinformationsecurityresearchteam.HeworkedatKPMGasanITauditor,
EDITORSANDCONTRIBUTORS273
thenbecameCTOofWaveset,astart-upinidentitymanagement.OnWaveset’sacquisitionby Sun,hebecameSun’sDirectorofMarketingforSecurity.HeestablishedhisownfirminFebruary 2005.HedevelopedthematerialonInformationSecurityPolicyintheUSNationalContextfor GeorgiaTech’sgraduatelevelinformationsecuritypolicyclasstaughtinspring2005. Herbert Mattord completed twenty-four years of IT industry experience before becoming a full-timeacademic.Hisexperiencesasanapplicationdeveloper,databaseadministrator,project manager,andinformationsecuritypractitionerareavaluablebackgroundtohisroleatenuretrackInstructoratKennesawStateUniversityinKennesaw,Georgia.DuringhiscareerasanIT practitioner,hehasbeenanAdjunctProfessoratKennesawStateUniversity;SouthernPolytechnic StateUniversityinMarietta,Georgia;AustinCommunityCollegeinAustin,Texas;andTexas StateUniversity–SanMarcos.Hecurrentlyteachesundergraduatecoursesininformationsystems, andinformationsecurityandassurance.HewasformerlytheManagerofCorporateInformation TechnologySecurityatGeorgia-PacificCorporation,wherehispracticalknowledgeofinformationsecurityimplementationandmanagementwasacquired.HeisthecoauthorofPrinciples ofInformationSecurity,ManagementofInformationSecurity,IncidentResponseandDisaster RecoverPlanning,theHands-onInformationSecurityLabManual,andReadingsandCasesin theManagementofInformationSecuritywithDr.MichaelWhitman.Theirlatesttitle,Guideto FirewallsandNetworkSecurity,willbeavailableinJuneof2008. DelphineNainisaconsultantforaglobalmanagementconsultingfirm,providingstrategyconsultingservicesforHighTechandHealthcareFortune500companies.SheholdsaBachelorof ScienceandMastersofEngineering(2002)fromtheMassachusettsInstituteofTechnologyand aPh.DinComputerScience(2006)fromtheGeorgiaInstituteofTechnology.Herresearchhas beenappliedtotopicsinmulti-agentsystems,computernetworksandcomputervision.Shewas afellowforGeorgiaTechSamNunnSecurityProgram(2004-2005)whensheresearchedthe internationallandscapeofcybersecurityandco-authoredthechapterincludedinthisbook. RobertH.SainsburyisaPh.D.candidateintheComputerInformationSystemsDepartment oftheJ.MackRobinsonCollegeofbusinessatGeorgiaStateUniversity.Sainsburyconducts researchinareasincludinginformationsecurity,digitalsupplynetworks,ITriskmanagement andinformationwarfare. DetmarStraubistheJ.MackRobinsonDistinguishedProfessorofISatGeorgiaStateUniversity andconductsresearchintheareasofinformationsecurity,e-commerce,technologicalinnovation, andinternationalIT.HeholdsaDBA(M.I.S.;Indiana)andaPh.D.(English;PennState).Hehas morethan145publicationsinjournalssuchasMISQuarterly,JournalofManagementInformationSystems,ManagementScience,InformationSystemsResearch,JournaloftheAIS,Journalof GlobalInformationManagement,andavarietyofotherjournals.HehasservedasaSeniorEditor forjournalssuchasInformationSystemsResearch,JournalofAIS,andDATABASE,andAssociate EditorforthesejournalsaswellasMISQuarterlyandothers.FormerVPofPublicationsforAIS, hehasbeentheco-programchairforbothAMCISandICIS.HeisanAISFellow. Carl Stucke isAssociate Chair of the Computer Information Systems department within the RobinsonCollegeofBusinessatGeorgiaStateUniversityandservesascoordinatorofthesecurity SIG.Dr.Stucketeachessecurityandprivacycoursesandisanactiveresearcherininformation securityandriskmanagement.Inadditiontotwelveyearsofacademicexperience,hehastwenty
274 EDITORS AND CONTRIBUTORS
years’commercialworldexperiencein,amongothers,seniortechnicalandmanagementpositions atEquifax,includingChiefScientist(VPR&D).HeisanactivememberoftheGeorgiaElectronic CommerceAssociation’sInformationPrivacyWorkingGroup. MerrillWarkentinisProfessorofMISatMississippiStateUniversity.Hehaspublishedmore than125researchmanuscripts,primarilyincomputersecuritymanagement,e-commerce,and virtualcollaborativeteams,whichhaveappearedinbooks,proceedings,andjournalssuchasMIS Quarterly,DecisionSciences,DecisionSupportSystems,CommunicationsoftheACM,CommunicationsoftheAIS,InformationSystemsJournal,JournalofEndUserComputing,Journalof GlobalInformationManagement,JournalofComputerInformationSystems,andothers.Professor Warkentinisthecoauthororeditoroffourbooks,andiscurrentlyanAssociateEditorofInformationResourcesManagementJournalandJournalofInformationSystemsSecurity.Dr.Warkentin hasservedasaconsultanttonumerousorganizationsandhasservedasNationalDistinguished LecturerfortheAssociationforComputingMachinery(ACM).ProfessorWarkentinholdsB.A., M.A.,andPh.D.degreesfromtheUniversityofNebraska-Lincoln. MichaelE.Whitman,Ph.D.,CISM,CISSP,isaProfessorofInformationSystemsintheComputer ScienceandInformationSystemsDepartmentatKennesawStateUniversity,Kennesaw,Georgia. Dr.WhitmanisalsotheDirectoroftheKSUCenterforInformationSecurityEducationandthe architectofKSU’srecognitionasaNationalCenterofAcademicExcellenceinInformationAssuranceEducationbytheNationalSecurityAgencyandtheDepartmentofHomelandSecurity.Dr. Whitmanisanactiveresearcherininformationsecurity,fairandresponsibleusepolicies,ethical computingandinformationsystemsresearchmethods.HehaspublishedarticlesinInformation SystemsResearch,theCommunicationsoftheACM,InformationandManagement,theJournalof InternationalBusinessStudies,andtheJournalofComputerInformationSystems.Dr.Whitmanhas sixtextbooksintheareaofinformationsecurityincludingPrinciplesofInformationSecurity,3rd ed.,ManagementofInformationSecurity,2nded.,PrinciplesofIncidentResponseandDisaster Recovery,andTheGuidetoFirewallsandNetworkSecurity,2nded.,allfromCourseTechnology. HeisanactivememberoftheComputerSecurityInstitute,theInformationSystemsSecurityAssociation,GeorgiaElectronicCommerceAssociation’sInformationSecurityWorkingGroup,the AssociationforComputingMachinery,andtheAssociationforInformationSystems. TerryL.WiantwasanAssistantProfessorofManagementInformationSystemsatMarshall Universityforseveralyearsfollowingatwenty-two-yearcareerinthemilitary.InMay2005,Dr. WiantjoinedthefacultyatKennesawStateUniversityasanAssistantProfessorofInformation Systems.Dr.Wiant’sresearchandteachinginterestswereininformationsecurity,information securitypolicy,andthedevelopmentofinformationsecuritycapabilitymodels.Dr.Wiantpassed awayprematurelyinJuly2005.
SERIESEDITOR
VladimirZwassistheUniversityDistinguishedProfessorofComputerScienceandManagement InformationSystemsatFairleighDickinsonUniversity.HeholdsaPh.D.inComputerScience fromColumbiaUniversity.ProfessorZwassistheFoundingEditor-in-ChiefoftheJournalof ManagementInformationSystems,oneofthethreetop-rankedjournalsinthefieldofinformationsystems.HeisalsotheFoundingEditor-in-ChiefoftheInternationalJournalofElectronic Commerce,rankedasthetopjournalinitsfield.Morerecently,Dr.ZwasshasbeentheFounding Editor-in-ChiefofthemonographseriesAdvancesinManagementInformationSystems,whose objectiveistocodifytheknowledgeandresearchmethodsinthefield.Dr.Zwassistheauthorof sixbooksandseveralbookchapters,includingentriesintheEncyclopaediaBritannica,aswell asofanumberofpapersinvariousjournalsandconferenceproceedings.VladimirZwasshas receivedseveralgrants,consultedforanumberofmajorcorporations,andisafrequentspeaker tonationalandinternationalaudiences.HeisaformermemberoftheProfessionalStaffofthe InternationalAtomicEnergyAgencyinVienna,Austria.
275
INDEX277
INDEX
Pagenumbersinitalicrefertofiguresandtables. A ABS(Anti-BlockingSystems),231 acceptanceofrisk,87–88,116,121,250–252 access,regulating,18,37,131 accountability,48,139 accountingsystems,24 acquisitionordivestitureriskassessment, 102 adaptability,incrisis,159–160 ADEPT,233 adequacy,57 adjudication,249 Adleman,Len,180 Africa,203,208,219 AfricanWorkingParty(Interpol),203 Albania,205 alignmentactivities,26 “alt”groups,177 Americas,203,211–212,219 AmericasWorkingParty(Interpol),203 analysistechniques,39,41,104 Andreesen,Marc,181 annualizedlossexpectancy(ALE),93 annualizedrateofoccurrence(ARO),93 anonymity/confidentiality,124,136 Anti-PhishingWorkingGroup(APWG), 214 anti-spywareprotection,55 anti-virusprotectionsoftware,55,61 APCERT,202 applicationriskassessment,86,102 applications,244 appropriateusepolicy,126–130 architecture,177–180,186 ARPANET,177 Asia-PacificEconomicCooperation(APEC),198, 200,210–211 Asia-SouthWorkingParty(Interpol),203
assets identification,75–80 protectionof,267 valuation,80,84,93 AssociationforComputingMachinery(ACM),190 attacktrees,83–84 audiorecordings,235,237.SeealsoPersonal AudioLoop(PAL) auditprocedures,61,106 auditing,187–188 Australia,199,202,204 automation,142–143,242 automobileinfrastructure,11 avoidance/preventionstrategy,85–86,114,116, 118,216 Avolio,Frederick,94 awarenessprograms,140–142,186 “awareness”tools,233 Azerbaijan,181 B backuptapes,181 BalticStates,219 Bayesianstatisticaloperations,112 bestpractices,97–98,161–162 BestPracticesOnline,96 Blaster,56–57,62,214 Blumenthal,Richard,191 BosniaandHerzegovina,205 Brandeis,L.,182 breaches,35–37,106 BS7799,179 Bulgaria,205 Bush(GeorgeW.)administration,184,189 businesscontinuityplanning(BCP),87,88 bestpractices,161–162,162 creatingplansfor,160–161,163–166 defined,153 277
278INDEX businesscontinuityplanning(BCP),(continued) disasterrecoveryand,154–155,156,164 dispersalstrategies,163 futureresearchin,166–170,267 lackof,consequencesfrom,159–160 outsourcingof,167,168 response-onlystrategy,158 riskassessmentfor,157–161 businesspartnerriskassessment,102 businessprocesses,34–35 businessstrategies,66,108,109 C CableCommunicationPolicyAct,24 Callahan,Michael,191–192 Canada,182,200,202,204 CanadianSecurityEstablishment(CSE),17 capabilities,131,189 captureandaccess,233–236 CardholderInternetSecurityProgram(CISP),176 caregivers,239–240 CareLog,239–240,242–244,247–250,253–254,255 CarnegieMellonUniversity,189 CCTVsurveillance,245 centralizationofinformationsystems,52–55 incasestudy,55–60,62–64 futureresearchin,65–66 ITenvironmentof,64 threatsto,categoriesof,61 CentrexNationalCentre,210 CERT(ComputerEmergencyResponseTeam),98, 181,183,199,201 Charney,Scott,184 chiefinformationsecurityofficer(CISO),125,131 childcare,239–240 childpornography,206 children’seducation,248 Children’sOnlinePrivacyProtectionActof1998,24 China,191–192 ChoicePoint,184 Citibank,181 civilliberties,206 Clarke,Richard,184–185,189 Clinger-CohenAct,51–52 COBIT(ControlObjectivesforInformationand relatedTechnology),25,50–51,71,73–74, 117,179–180 Code(Lessig),186 Cohen,Fred,180 “cold”sites,155–156,169 commandstructure,48
CommitteeonNationalSecuritySystem,140 CommonBodyofKnowledge(CBK),71 CommonCriteria,179 commonuse,technologyin,247 communication,informal,37–38 communicationincorporations,25–26 competenciesforstrategy-settingprocess,33–38 compliancerequirements,66 comprehensiveinformationsecurityoperational riskassessment,102,103 computerabuse,106,146,177,182 ComputerFraudandAbuseAct,180–181 ComputerSecurityAct,140 ComputerSecurityInstitute(CSI),76–77 ComputerSecurityResourceCenter,140 computerusagemonitoring,61 conceptualframing,270 confidentiality/anonymity,124,136 configurationrules,131 Confucius,135 consistentsecuritypolicy,61 contactdetectors,235 content-relatedoffenses,206 context,ubicompdefinitionof,234 contingencies,18–19,270 control,76 controlandauditingtheory,18–19 COPPA,185 copyrightlaw,182,206 corevalues,statementof,29,32 corporategovernancestructure,25–26,50 COSO(CommitteeofSponsoringOrganizationsof theTreadwayCommission),25 costanalysis,18,54,91–94,105,235 CouncilFrameworkDecisiononAttacksAgainst InformationSystems,204 CouncilofEurope(COE),198,204–206 CouncilofEuropeConventiononCybercrime, 204–207,215–216 countermeasure,76 criminallaw,205 crisismanagement,154,159.Seealsobusiness continuityplanning(BCP) criticalinfrastructureprotectionagencies,197 criticalsuccessfactors(CSF),147–148 Croatia,205 CSIRT(computersecurityincidentresponseteam), 163,199,201–203,209 cultureofinformationsecurity,107–109 customization,244–245 cyberactivism,86
INDEX279 cybercrime,206–207,215–216.Seealsocomputer abuse cyberspace,vulnerabilitiesof,196–197 Cyprus,205 D DARPA,181 data asasset,77–78 destructionof,181 miningof,235 privacyof,185 retention,243–244 storagelimitations,236 uncollected,112–113 DataPrivacyDirective,185 decentralizationofinformationsystems,52–55 incasestudy,55–60,62–64 ITenvironmentof,64 threatsto,61 decision-making baselining,98–99 benchmarking,96–97 controlgiventoemployees,48 duecare/duediligenceconsiderations,95–96 qualitativeapproaches,95–100 quantitativeapproaches,94–95,100 riskassessment,using,94–100 declarationsandreservations,205 Denmark,205,210 Dennedy,Michelle,184 DepartmentofJustice,187 design,participatory,251 destructionofrecords,181 deterrence,216 dialedmodemriskassessment,102 digitaluserhierarchy,49 disabilities,248 disasterrecovery(DR).Seealsobusiness continuityplanning(BCP) businesscontinuityplanningand,154–156, 163–166 defined,153 futurestudiesin,166–170 organizationalstructurefor,163 organizationsaffected,159 outsourcingof,167,168 planningfor,160–161,164–166 disasterrecoveryplan(DRP),87,88 dispersalstrategies,163 divisionalorganization,49
documentclassificationschemes,134 documentation,100–106,138,265 “do-nothing”option,116,121 downtime,occurrencesof,15 duecare/duediligence,95–96 Duigan,Adrian,144–145 E eClass,233 economics,176–177 educationandtraining,47,86,107–108,138–142, 186,242,248,251 effectiveness.Seemetrics efficiency,54 ElectronicCommunicationsPrivacyAct(ECPA), 24,245–246 elementaryschoolstudents,190 employees awarenessofsecurityprocedures,37,40, 135–136,138–142 andcontinuityplanning,152–154 controlgivento,48,136 educationof,61 illegalactivitiesby,129 testingof,135 encryption,lawsforbidding,181 endusers,145–146 end-users,55,64 Enron,181,191 enterprisearchitect,52 enterpriseinformationsecuritypolicy(EISP) securitypolicies,125–126 environmentalinformation,flowsof,233–236 equipment,appropriateuseof,128 Estonia,205 EuropeanCyberCrimeInvestigator(ECCI),210 EuropeanDataProtectionDirective,182 EuropeanNetworkandInformationSecurity Agency(ENISA),209 EuropeanUnion,182 EuropeanUnion(EU),179–180,198,200,204, 208–210 EuropeanWorkingParty(Interpol),203 EuropolComputerSystem,The(TECS),210 exceptions,guidelinesforpermitting,131 execution/practice,38,47 exposurefactor(EF),93 F fairandresponsibleusepolicy,126–130 FamilyEducationalRightsandPrivacyAct,24
280INDEX FCC,189 FederalAgencySecurityProject(FASP),97,131 FederalBureauofInvestigation(FBI),76–77 FederalEducationalRightsandPrivacyAct (FERPA),248 federalgovernmentrequirements,51–52,139–140 Finland,199,202 firewallprotection,55,61 flatteningoforganizations,48 ForumofIncidentResponseandSecurityTeams (FIRST),163,202 FRAAP,70,73,74,100 France,181,200,205,210 fraud,176 freespeech,191–192 FreedomofInformationAct,187 frequencyofrisk,114–115,118 functionalstructure,49 G G8,200–201,203 gasolineinfrastructure,11 Gaston,S.J.,18 Germany,200,210 Ghana,183 glasshouse,177 GLBA,185 GlobalGridForum,98 GlobalInformationSociety,200 GlobalPositioningSystem(GPS),235 goalsassessment,24–28,236,237–238 governance,49–50,53,175,185,265 GreatRenaming,177 Greece,210 GreenBook,179 Guzman,Onelde,204 H hackers,106,177,182 Hansche,Susan,141 hardware,asasset,77–78 harmonization,ofinternationallegislation,204– 207 HealthInsurancePortabilityandAccountability Act,117,238,248 HealthInsurancePortabilityandAccountability Act(HIPAA),185 High-TechCrime24/7Point-of-ContactNetwork, 200 homelandsecurityagencies,197 Hong,K.-S.,18–19
HongKong,210 hostintrusiondetection,61 “hot”sites,155–156,169 24-HourContactsforInternationalHigh-Tech Crime,200 humanerror,138–139 humanrights,206 HumanRightsWatch,191 Hungary,205 HurricaneAndrew,159 HurricaneKatrina,153,159 I “Iloveyou”virus,204 IBM,178,189 identificationtechnologies,235 identitytheft,184–185,187 improvementfeedbackloop,154 InSearchofExcellence(Peters&Waterman),86 incidentresponseplan(IRP),87,88 India,202,204 IndividualswithDisabilitiesEducationAct (IDEA),248 informationsecuritypolicies.Seesecuritypolicies informationsharing,intergovernmental,199–200 InformationSystemsAuditandControl Association(ISACA),71,73,98,180 InformationTechnologyCrimeInvestigation Manual(ITCIM),203 InfraGard,183 in-housetraining,140 InstituteofElectricalandElectronicEngineers (IEEE),52 insurance,114.Seealsotransference InternationalInformationSystemsSecurity CertificationConsortium(ISC2),71 internationalsecurityefforts agencies,197 earlywarningsystems,199–200 encryption,banon,181 futureresearchin,217–220,268–269 informationsharing,199–200,205 intergovernmentalorganizations,197–207 legalharmonization,204–207 policy-makingbodies,197–199 private-publicorganizations,212–214 regionalintergovernmentalorganizations, 208–212,218–219 supportfor,199 underservedcountries,205–206,219 Interpol,203
INDEX281 IPversion6,185–186 IranContraAffair,181 Ireland,210 ISO7498,178 ISO17799,179,186,242 ISO27001,73,74 ISO/IEC17799,24–25,70,72–73,74,117 issue-specificsecuritypolicy(ISSP),126–130 ITarchitecture,51–52 ITgovernance,50–51,51,65–66 ITGovernanceInstitute,50–51 ITGovernanceInstitute(ITGI),71,73 ITInfrastructureLibrary(ITIL),120,120 ITSAFE(SecurityAwarenessforEveryone),186 Italy,200 ITAR(InternationalTrafficinArmsRegulations), 181 ITMRA(InformationTechnologyManagement ReformAct),51–52 IT-orientedjusticeandlawenforcementbodies, 197 J Japan,183,199–200,204 K Kalfan,A.M.,27 Katzv.UnitedStates,247 Kyllov.UnitedStates,247 L LaMacchia,David,182 Lantos,Tom,192 law,180–184 legality/legislation,204–207,245–250 LehmanBrothers,160 Lessig,Lawrence,186 liability,129,141,249–250 licensingschemes,242 Lithuania,205 localareanetworking(LAN),earlyuseof,177 locationtechnologies,235 logging,187–188 logicalaccesscontrol,178 lostobjects,finding,233 LoveBugvirus,204 LyonGroup,200 M mailservers,100,101 Malaysia,204
Malinowski,Tom,191 malware,55–60,62–64,180–181,183,204,214 management BCP/DR,commitmentto,160 design,252–257 obligationsof,263–264,270 policy,roleinimplementing,136,141,143–144 structure,243 systemtheory,18–19 managerialguidanceSysSPs,130–131 MastersofDeception,181 McDonald’sCorporation,86 mediabackup,61 medicalapplications,24,233 meetings,recordingtechnologyfor,232–233 Melissavirus,183 metrics,142,215,217,218,270 Microsoft,98,189,214 MiddleEast,219 militaryinformationsecurityprograms,192 Miller,Harris,189 monitoring,38 Morillon,Lucie,191 Morris,Robert,181 Mosaic,181–182 motiondetectors,235 MTBU(maximumtimeforbellyup),156–157 mutuallegalagreementtreaties(MLATs),204 Myspace.com,191 N Nader,Ralph,186 namebadges,136 NASDAQ,159 NationalCentralReferencePoints(NCRP),203 NationalInstituteofStandardsandTechnology (NIST),70–71,83.SeealsoindividualNIST titles NationalStrategytoSecureCyberspace,184,186 naturaldisasters,153 Netherlands,177 networkconnectivity,77–78,102,178–179,235 NewYorkElectronicCrimeTaskForce (NYECTF),181–182 NewZealand,202 Nigeria,208 9/11terroristattacks.SeeSeptember11,2001, terroristattacks NISTComputerResourceCenter,98,140 NISTSP800–12,ComputerSecurityHandbook, 71,131,140–141
282INDEX NISTSP800–14,GenerallyAcceptedSecurity Principals&Practices,71 NISTSP800–18,GuideforDevelopingSecurity Plans,71 NISTSP800–26,SecuritySelf-AssessmentGuide forInformationTechnologySystems,71,99 NISTSP800–27,EngineeringPrinciplesfor InformationTechnologySecurity,99 NISTSP800–30,RiskManagementforInformation TechnologySystems,71,74,80,83 NISTSP800–34,160 NISTSpecialPublication800–14,124 nonaction.Seeacceptanceofrisk non-governmentalorganizations.Seeprivate-public organizations North,Oliver,181 northeastpowerblackout(US),153 Norway,205 notificationcues,242,246 O obligations,263–264,270 OCTAVE,70,72,74,119,119 officeenvironments,“awareness”toolsfor,233 OfficeofManagementandBudget(OMB),51–52 off-siterecoveryfacilities,155–156,169 OklahomaCitybombing,159 openingsfornewstudies,42–44 OPMCircularA-130,140 OrangeBook,179 OrganizationforEconomicCooperationand Development(OECD),197–199 OrganizationofAmericanStates,211–212 organizationaldesign,6–8,47–49,265 outsourcing.Seetransference(outsourcing) oversightfunctions,244–245 P PacificBell,177 Parson,JeffreyLee,214 passports,electronictourist,187 passwords,30,61 PatriotAct,184–185 PaymentCardIndustryDataSecurityStandard (PCI/DSS),117,177 PDD63,186 people,asassets,77–78 perceptions,108,109–110 performance,measuresof,31 PersonalAudioLoop(PAL),238–239,241–242, 244,250,252,253
personalcomputers,early,177 PersonalInformationProtectionandElectronic DocumentsAct(PIPEDA),185 Pescatore,J.,145 Peters,Tom,86 PFIRES(PolicyFrameworkforInformation Security),23–24,144 Philippines,204 PhilippinesNationalBureauofInvestigation,204 physicalaccesscontrol,177 picture-takingdevices,242 PIPEDA,182 Poindexter,John,181 Powell,Michael,189 powermapping,30 powerrelationships,30 practice/execution,38,47 pranks,106 presencedetectors,235 President’sCommissiononCriticalInfrastructure Protection,182 PrettyGoodPrivacy(PGP),181 prevention/avoidancestrategy,85–86,114,116, 118,216 privacy,24,102,182,206,247,248 PrivacyActof1978,24 private-publicorganizations,6,212–214 probabilitycalculations,113 procedurallaw,205 procedures,39,41,47,77–78 processes,33–34,37,270 productcriterion,28–33 productliabilitylawsuits,183,189 productstructure,49 professionalpractices,codificationof,25 programs,perceptionsregarding,108,109–110 publicconfidence,lossof,113 PurpleBook,179 R rainbowseries,179 recoveryfacilities,169 regionalintergovernmentalorganizations,208–212, 218–219 regulation/self-regulation,188–189 Reno,Janet,184 ReportersWithoutBorders,191 reporting,108,109,187–188,214 response-onlystrategy,158 responsibilitystructureincorporations,25–26 retrieval(datamining),costof,235
INDEX283 RFIDtechnology(RadioFrequencyIdentification), 231,235 Rice,Condoleezza,185 richness,236,237–238,252–253 risk acceptanceof,87–88 analysisof,30,104,112–113,116–118 assetvaluationin,84 audits,106 breaches,motivationfor,106 forbusinesscontinuityplanning(BCP),157– 161 componentsof,83–85,103 comprehensiveinformationsecurityoperational assessment,102,103 controlstrategyselection,89–90 currentpractices,70–74 documentationof,100–106 identification,83,102 likelihood,83–84 managementof,18–19,89,114–116,118, 120–121,266 researchin,future,106–110,265–266 researchin,previous,104–106 securityinvestment,105 selfassessment,39,41 softwaresecurity,104–105 threatidentification,35–36,61,64,75–76, 80–81,82 transference(outsourcing)of,26–28,86–87, 114,115–116,118,167,168 treatments,118,118–120 TVA(Threat-Vulnerability-Asset)matrix, 87–88 RiskManagementforInformationTechnology Systems,71,74,80,83 rodentdamage,159 roles,defining,35 Romania,205 Russia,200 S safehavens(forcybercriminals),206 safeguard,18–19,76 Sarbanes-OxleyAct,24–25,50,117,185,191 Sarbanes-OxleyActof2002,238 Sasserworm,214 scalability,215–216 Schneier,Bruce,83–84,189 SearchSecurity.com,98 secretagencyinformationsecurityprograms,192
SecuritiesandExchangeCommission,183 security,defined,6 securitychain,21–23 securityinvestment,105 securitypolicies accountability,139 analysisphase,132,133 automationof,142–143 awarenessprogramsfor,140–142 changesto,132,136–138 compliancewith,133,135–136 costof,123 defined,5–6,16,47,124 designphase,132,133 developmentof,39–41,123,131–139 disseminationof,133,134 easeofuse,148 effectivenessof,144–145,147 endusers,tailoredto,145–146 enforcementof,133,136 enterpriseinformationsecuritypolicy(EISP), 125–126 equitableadjudicationofviolations,137–138 evolutionof,185–186 exceptions,guidelinesforpermitting,131 externalstandards,basedon,178–180 flexibilityof,36 frameworksfor,146 futureresearchin,147–148,266–268 impactof,198–199 implementationof,36,132,133,146–148 importanceof,123 internationalsecurityagencies,197–199 investigation,132,132–133 issue-specificsecuritypolicy(ISSP),126–130 liability,limitationsof,129 maintenanceof,132,133,136–138 managementsupportfor,143–144 managerialguidanceSysSPs,130–131 ofnetworkperimeters,178 numberofinorganization,143 ofphysicalaccesscontrol,177 researchin,143–144 reviewof,133,134–135,138 SETAprogram,138–139 andstrategies,43–44 systems-specificpolicy(SysSP),130–139 technicalguidanceSysSPs,131 theoryof,18–19 timelinessof,129 trainingfor,47,139–140
284INDEX securitypolicies(continued) TVA(Threat-Vulnerability-Asset)matrix,86 violationsof,129,136–137 securitystandards,116–117 securitystrategies.seestrategy-settingprocesses selfassessment,39,41 self-insurance,114,116,118,121,121 semanticdensity,236,237–238,252–253 senseddata,propertiesof,233–238 sensitivity,236,238,252–253 sensortechnology,234,236,247 September11,2001,terroristattacks,152–153, 159–160,184,201 servicelevelagreements(SLAs),27 SETA,138–139 ShellOil,181 Sherwood,J.,27 Singapore,204 singlelossexpectancy(SLE),93 Slovenia,205 Smith,David,183 Smith,FredChris,184 Sobig.F,56–57,62 socialpressure,177 software,asasset,77–78 software,self-managing,242–243 softwaresecurity,104–105 SouthAfrica,204 SouthKorea,242 SoutheastAsiatsunami,153 Spamhaus,214 spamming,214 stakeholders,158,251–252 standards,24–25,41,47,178–180 statements,28–30 Steinke,G.,145 storage,costof,235 storeddata,236,237–238 strategy,defined,15–17 strategydesign,252–257 strategymaps,29 strategy-settingprocesses administrationof,40–42 balancingin,18,18 competenciesfor,33–38 componentsof,30–32 descriptiveview,17 documentsfor,33 federal,40–42 formulatedprocessesforsecuritystrategy, 23–24
strategy-settingprocesses(continued) fragmentsofsecuritystrategies,19–23 futureresearchin,264–265 goalsassessmentfor,24–28 integrationofsecurityfragments,19–23 organizationof,32–34 PFIRES(PolicyFrameworkforInformation Security),23–24 plansfor,29 andpolicies,43–44 prescriptiveview,17–18 processcriterion,33–34 productcriterion,32–33 productsof,28–32 qualitymeasuresfor,43,44 strategicrationale,29 strategy,defined,15–17 theoriesof,18–19 top-down,38–40 universalcookie-cutterstrategies, 18–19 students,186,188,190 SunTzu,70 susceptibilitymapping,19–21 SWIFT,179 Syria,219 systems-specificpolicy(SysSP),130–139 T Teamspace,233 TechnologyManager’sForum,98 telecommunications,235,245 telecommunicationsregulatoryagencies,197 terrorism,106,152–153,159–160,201 TF-CERT,202 threatidentification,35–36,61,64,75–76, 80–81,82 threats,countering,86,188–189 timevalueofmoney,95 Tivoli,233 totalcostofownership(TCO),95 training.Seeeducationandtraining transactions,online,176–177 transference(outsourcing),26–28,86–87,114, 115–116,118,167,168 TRANSITS(TrainingofNetworkSecurity IncidentTeamsStaff),209–210 transportationapplications,233 TreasuryDepartment,182 trespassing,onwebsites,182 TruSecure,62
INDEX285 TrustedComputerSystemEvaluationCriteria (TCSEC),179 Turrini,Elliot,183 TVA(Threat-Vulnerability-Asset)matrix acceptanceofrisk,87–88 additionalcontrolsfor,85–88 assetidentification,76–80 Avoidance/Preventionstrategy,85–86 inblendedapproach,100 cost-benefitanalysis(CBA),91–94 decisionmaking,94–100 defined,75–76 futurecontrols,planningfor,90–94 mitigation,87,88 policyapplication,86 riskassessment,83–85 threatidentification,76,80–81 threats,countering,86 trainingandeducation,86 transference,86–87 vulnerabilityidentification,81–83 21CFRpart11,185 U ubiquitouscomputing(ubicomp) acceptance,250–252 dataretention,243–244 design,241–242 developmentof,231–233 environmentalinformation,flowsof,233–236 futureresearchin,257–258,269 legality/legislation,245–250 licensingschemes,242 managementof,232 managementstructure,243 medicalapplications,233 oversightfunctions,244–245 socialconsequencesof,241 software,self-managing,242–243 training,242 transportationapplications,233 Ukraine,205 uncertainty,84 underservedcountries,205–206,219 UnitedKingdom,186,200,202,210 UnitedNations(UN),197–199 UnitedStates,Katzv.,247 UnitedStates,Kyllov.,247 UnitedStatesofAmerica,199–200,202,204–205 UnsafeatAnySpeed(Nader),186 U.S.DepartmentofCommerce,181
U.S.DepartmentofHomelandSecurity,187 U.S.informationsecuritypolicy asof2005,184–188 awarenessandtraining,186 futuredevelopmentsin,188–192 governance,185 governanceof,180–184 logging,reporting,andauditing,187–188 policy,approachto,185–186 technologyfor,186–187 threatsandvulnerabilities,188–189 througharchitecture,177–180,186 througheconomics,176–177 throughsocialpressure,177 U.S.nationalsecurity,267–268 U.S.SecretServiceNewYork,181–182 U.S.SenateSpecialCommitteeonAging,184 USAPatriotAct,184–185 US-CERT,202 USENET,177 V values,78–79 videorecordings,233,235,237 videosurveillance,255–257 VideoVoyeurismPreventionAct,242,251 VigilEntPolicyCenter(VPC),143 violationsofpolicy,129,136–137 virusprotectionsoftware,55,61 viruses,180,183,204,214 Visa,176 visionstatements,29,32–33 Vitalistschool,33–34 VoIP,197 vulnerabilities assessedfrompossiblethreats,82 defined,76 endpoint,66 identificationof,81–83 rankingof,100,101 ratingrecommendation,83 riskassessmentof,102 timelyevaluationof,57–58 vulnerablecountries,205–206 W Warren,S.,182 Waterman,Robert,86 WAVES(WebApplicationVulnerabilityandError Scanner),105 W32.Blaster.Worm(Blaster).SeeBlaster
286INDEX Weaver,Robert,181–182 Webdefacements,106 weightedfactoranalysis,81 WGBHinBoston,190 White,Rick,189 WhiteBook,179 W32/Lovesan.worm.a(Lovesan).SeeBlaster Wood,CharlesCresson,131 workstations,controlof,61 WorldInformationTechnologyandServices Alliance(WITSA),206 WorldTradeCenter,1993terroristattack,152, 159–160
WorldTradeCenter,2001terroristattack, 152–153 worms,56–57,62,181,214 W32.Sobig.F@mm.SeeSobig.F Y Yahoo,191–192 Y2Kbug,183 Youran,Amit,185 YugoslavRepublicofMacedonia,205 Z Zimmerman,Phil,181