Tag: information security

Information security professionals can learn a lot from WikiLeaks.  It seems that there are always new lessons available to us every day.  One topic that came to light early in the release of the cables was that most of the information seemed rather trivial, which made it difficult to see why politicians were so upset over the incident. 

The Center for Public Integrity has an excellent piece on examples of over classifying data that is in fact trivial.  According to the Information Security Oversight Office report , the government spent $8.8 billion on safeguarding classified information.

“Over-classification is not in the interest of the government,” said Bosanko. “Finite resources are best deployed when they are focused on the information that truly requires protection.”

Over-classification a problem that creates inefficiencies, weakens accountability, and financially weakens an organization.  Some security professionals believe that security for the sake of security defines what security is.  This may be done to create perceived job security or because the individual believes it is the right thing to do.  If sometimes there is a temptation to label all data as the most important and critical for simplicity.  In the end this creates unnecessary expense in both equipment and personnel resources.  The proper thing for all security professionals to do is to deliver a customized solution that suits the customer or employer needs.

Security professionals should be aware of the organization’s operating objectives.  In an economic downturn this may mean under protecting some assets in favor of deploying finite resources to protect the organization’s critical areas.  Even in good times the security professional should accept that all businesses exist to provide benefits to the shareholders.  This includes government because the taxpayers are the equivalent of shareholders.

The security professional should be prepared to interact with various business unit heads to get their view of what is important.  Each department head or staff member will have their own opinions and these should be collected for senior management review.  Senior management with the assistance of the security professional will determine the appropriate level of protection needed for the organization’s data.  This may be driven by the sensitivity of the data or it may be a financially driven decision where a total budget number is given in the organization must find a way to secure the most critical information only.

Under the ISO 27,001 standard, "top management" should be involved in the security and risk decisions made by the organization.  The security professional should work with top management to find the best solution that suits the organization in terms of both costs and efficiency. Security professionals can increase their visibility and bring value to their organizations through partnering with upper management.

The military has implemented a new policy stating removable media can not be used on SIPRNET computers.  While this may seem like a good thing the implementation may be lacking.  The private sector has warned of the exposure caused by removable media for years.  From a practical stand point banning all removable media is nothing more than a good sounding idea. 

“Users will experience difficulty with transferring data for operational needs which could impede timeliness on mission execution,” the document admits. But “military personnel who do not comply … may be punished under Article 92 of the Uniformed Code of Military Justice.” Article 92 is the armed forces’ regulation covering failure to obey orders and dereliction of duty, and it stipulates that violators “shall be punished as a court-martial may direct.”

The military understands that efficiency will be impacted by their decision and they appear to be sticking by their guns on disciplining anyone who disobeys orders.  The key point here is a loss of efficiency via this policy . Private sector businesses rely on efficiency to maintain profitability.  Before implementing such a policy at your business, it is important to determine if it is the right thing to do.  The CFO is going to be interested in the impact any proposed policy has on the bottom line.  The loss of efficiency is something that will have to be weighed against security.  Based on the content of the Wired.com article it appears that no preventative technological controls are going to be used, otherwise punishing soldiers with a courts martial would not be mentioned.  The best solution would be to use technology to disable removable media as a supplement to the policy.  Policies that depend on the honesty of the workforce are seldom successful.  The anonymous sources in the article that intend to keep using removable media show that policies alone do not equal security.

The Tao Te Ching brings us Yin and Yang, two opposites that are a part of the ever changing universe.  The misfortunes of the State Department (Yin) can be transformed into a victory for the security profession (Yang).  Or to simply put it, when life gives someone else lemons, you take their lemons and make lemonade.  One important aspect of Cable Gate is that it has brought attention to information security and the need for information security.  Security professionals across the world can expect organizations to begin asking if they are vulnerable to the same thing. And more importantly, what to do about it. This is a grand opportunity to bring your skills to the table and represent the profession when your employer or customers turn to you for help .  It does not matter if you are an engineer, a consultant, or management.  When a breach happens the spotlight is on security and it is our time to sing.

Technology Is A Tool Not The Solution

In the world of information security it is all too easy to propose technology solutions that are not the whole solution. The technology can be a part of the solution, but we must realize that there is no silver bullet and that the truly motivated will find a way around any barrier.  A solution is a combination of leadership, with a strategy, direction, and a team that can bring it all together.  The most important component is leadership.  Leadership does not have to come from the top of the organization.  Security professionals by nature have to interface with other professionals in finance, public relations, marketing, and other areas.  Be the expert in what you know, but do not discount the knowledge that other team members bring because they are a part of the solution. 

Know That Everything Can Not Be Fixed

Leadership is also about knowing what can and can not be done.  Not every exposure can be fixed.  Not every risk can be effectively mitigated.  Not every budget is unlimited.  Not everyone wants to hear that no matter what you do, there is not a silver bullet.  Setting expectations with other professionals and the public is extremely important.  Security is about providing reasonable protection against threats.  Sure, it may be possible to secure something by sending all the workers home and burning everything that is left.  Even then you can not be sure that everything is gone.  The stakeholders in the business would certainly object to shutting everything down.  They would also object to a more pleasant picture than an army of security professionals could paint.  Reasonable protection is about compromise between all stakeholders.  This means that security professionals may also have to compromise.  That does not mean that security is unimportant.  Understanding that fact brings us back to the solution with many professionals working together and to teamwork.