Introduction to Computer Security
Connecticut Hacker Newsgroup - Issue 6
By: Ed Norris
(Ed Norris is a senior security consultant for Digital Equipment Corporation. He consults on a wide range of security issues and solutions.)
You might expect that an article about computer security would discuss controls for passwords and file permissions, but there are many things to consider before you get to that level. This article will focus on the basic requirements to help you define a security professional's roles and responsibilities and how you can influence the effectiveness of a successful security program by gaining the support of your peers. It also will examine typical computer security mission and vision statements and the objectives and goals that a computer security program needs to define.
If you don't treat computer security as a business, success will be difficult to achieve. The first step in creating any business is determining if there is a need (company assets are at risk), if there is a market (management understanding and approval) and if there is a profit to be made (actually limiting the chance of a liability which would decrease the profit, in our case).
If your company has a computer system, the first requirement for a business is satisfied. Your company needs to establish and implement computer security controls. Computer systems process information, which can be budgets, customer lists, business plans, trade secrets, etc. Your job will be to protect this information from unauthorized or accidental disclosure (confidentiality), modification (integrity) or loss (availability).
If you have been appointed to manage the computer security program, senior management supports the need to secure its computers. But, if you are being proactive and looking to take on responsibility, you'll need to make them aware of why a computer security program is important and should be supported and funded. You must create the market by informing senior management of the risks to the computer systems, the probability of occurrence and what the loss will be if the risk occurs. The awareness also must filter down to senior management's direct staff.
To satisfy the profit requirement, you'll also have to show them that you can implement security controls on the computer systems with a cost-effective program. You cannot spend $100,000 to protect the company from a $10,000 loss and expect to receive support.
Be prepared to outline your responsibilities as computer security manager. You must implement controls that will work with the business procedures being conducted in the company. Changing business behavior is not an easy task, so don't expect major changes to happen quickly. If you recommend security controls that have a sufficient negative impact on the employees' behavior or system processing times, you can expect the computer security program to last as long as it takes to read this article. Your key responsibility is to manage.
Don't try to do it all yourself; form a computer security team. The team should include business managers who understand the information processing procedures, someone who understands physical security controls and technical personnel who understand operating system and network controls. You'll want to keep the size of the team at a manageable level. You can bring in additional focused expertise by forming task teams if the need arises. It will be your job to bring a security consciousness to the group.
The planning and spending of the security budget also should be your responsibility. Ask for input from the team members. Each member should identify security awareness programs, training, security tools, etc. needed by the organization in order to have a successful implementation of the computer security program. Different organizations will have different requirements. If one is asking for more than the others, obtain financial support from that organization.
Keeping members on the security team is not an easy task. If they feel the work isn't necessary or is progressing in a direction that won't suit their organization, their involvement may come to an end or become counterproductive. Agree to rules in the first couple of meetings. Develop a mission statement, vision statement, objectives and achievable goals. Publish an agenda for each meeting and stick to it. Assign meaningful action items to the members of the team; don't give them trivial tasks to perform. Give the team public credit for the work being accomplished.
If a team member is unwilling to work toward the goals, go to senior management for a replacement. Remember, you obtained senior management support for the computer security program. They should be willing to replace a team member with someone who ultimately will help their organization become more secure.
Computer security consists of physical and information security. Your goals must reflect both components. You must physically secure the computer system from unauthorized access or loss. You also must implement security controls that will protect the information in the computer system. Information security takes many forms, including operating system and network controls, information classification and physical security of off-line data storage. You must integrate the various security disciplines in order to develop an effective computer security program.
Because information security is a large part of computer security, find and understand the mission statement, vision statement, objectives and goals of the information systems (IS) organization. This will tell you the why, where, how and what the IS business is striving to achieve. Your business should be running parallel to the IS business. You must influence each other. If the IS organization is heading in one direction and the computer security program is heading in another, in the end there will be chaos. The inclusion of the business managers will aid you here; they typically follow IS direction.
One of the first action items that the computer security team should complete is a computer security mission statement, which will reflect why the computer security program exists in the company. The mission statement should be concise and reflect a function that is believed to be necessary for success by both you and the employees. Below is an example of a mission statement:
Ensure Acme Corporation's success in achieving its strategic goals by providing computer security expertise that leads to the effective management of Acme's assets and business security risks.
Mission statements keep the computer security team on track. If the group starts to recommend working on nonrelated projects, it's time to reinforce the mission.
The next task should be the creation of a vision statement. This statement is where your computer security program will lead the company in the future. This statement also should be concise. Below is an example:
Ensure that as new technologies and procedures are incorporated within Acme Corporation, they are implemented in a secure manner.
The vision statement itself is a measurable statement, but it doesn't define how it will be measured.
The next step is to define the computer security team objectives. Objectives are how your team will achieve its vision and goals. Some examples of objectives are:
- Foster the philosophy that computer security is an integral part of planning and decision-making
- Always meet or exceed Acme Corporation's expectations by focusing on asset and risk management needs.
- Stay a key player in the planning, design, implementation and management of computer information processing.
The objectives then are supplemented by goals that are obtainable and measurable.
The goals are what you must accomplish in order to reach your vision for the company. Your security team will want to develop short and long-term goals. Don't make the mistake of presenting only short-term goals. Senior management might be led to believe that once these are achieved, the computer security program is completed. It never will be completed; like any business, it's an ongoing concern.
There are many things you can do to secure computer systems. One of the most important is the development of computer security standards and procedures, which must be living documents. Technology and business environments are constantly changing, and the standards and procedures must reflect that change. Once they are developed, they must be implemented within the corporation and now become a measurement tool. If the standard states how a person is to perform a login, you can check to see if it's actually being followed. You must monitor the computers to ensure they are compliant with the standards. Usually this is best accomplished by using automated computer security software.
Choosing and implementing the software will become another goal.
While in the development phase of the standards and procedures, you must achieve computer security awareness by the general employee population. You must ensure they understand why the changes are taking place. If they don't, they will be reluctant to change their behavior. Some will search for alternative, counterproductive methods. Other goals you may want to achieve are: development of computer security standard violation and exception procedures, computer intrusion escalation procedures, disaster recovery plans, authorization procedures and vulnerability studies. You also might advise senior management of the progress and state of computer security within the company.
To manage an effective computer security program and develop long-term goals, you must stay current with what is happening within your corporation and within the computer security industry. Subscribe to one or more security journals. There is a wealth of information available to you at no cost. This journal and Infosecurity News are two such publications. If you're connected to the Internet, there are many newsgroups that deal with computer security, including alt.security, comp.security.unix, comp.security.misc, misc.security and comp.virus.
You also should join at least one professional organization. Computer Security Institute, Information System Security Association and National Computer Security Association are a few. All conduct national conventions that offer excellent seminars and publish newsletters or journals for members. A computer security program should be run as a business with measurable and achievable short and long-term goals that reflect the current business and technical environments. The program must be managed by you, through a team of business and technical people. For it to be successful, you must gain the support of the entire corporation.