This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/datalockdown/0,3800014480,39170493,00.htm


Box-tickers risk serious data breaches
Obsession with compliance misses real threats

By Danny Bradbury

Published: Friday 28 March 2008

Life would be simple if curing security headaches were just a matter of buying some new technology. In reality, good security requires fundamental organisational change, says Danny Bradbury

What constitutes good security today? Simply throwing a firewall at your system won't cut it, says Ross Anderson, professor of security engineering at Cambridge University's computer laboratory.

"It usually comes down to how people behave in institutions," he warns. "Managers optimise their own utility, rather than the shareholders'."

All too often, those in charge resort to buying equipment, plugging it in and declaring the problem solved. In reality, security must be part of the company's DNA at an operational level.

At the heart of the debate lies the disparity between the box-tickers, who do just enough to satisfy the regulators, and those who put in extra effort, says Mark Lobel, principal in advisory services at consultancy PricewaterhouseCoopers.

"There are two ways you can go about it. You can adopt a compliance-based approach and tick every box in the Sarbanes Oxley rule book, or you can take a risk-based approach," he says. "A risk-based approach is the way you should approach this."

That approach entails identifying and analysing the real threats to the organisation. More mature companies may use some kind of risk matrix to quantify this, with the probability of a threat occurring on one axis and its impact on the organisation on the other.

"By identifying and starting with the business objectives, you make sure that you're properly aligned and focused," says Lobel.

But companies need a more detailed framework than this. David Cole, academy team leader and senior consultant at risk management consultancy DNV IT Global Services, thinks he has the answer.

"ISO 27001 is a standard on how to set up a management system," Cole says. "It tells you what is expected of an information security management system."

However, as an abstract document detailing the nature of management systems, it won't give you a step-by-step guide to what security controls you should be managing.

"In terms of the technical controls - the procedures to be followed by staff - the material in its sister standard ISO 27002 has much more detail on nitty-gritty stuff," Cole says.

There are other frameworks in the pipeline as part of the 27000 series. For example, ISO 27004 and 27005 dictate how you measure security and manage risk. There are also frameworks for the risk assessment element that Lobel describes.

British Standard 7799 part 3 outlines a method for risk assessment, and aligns with ISO 27001 - the 27000 series is the international version of BS 7799.

IT security must be viewed in a broader IT governance context, say experts, because security and process have to be folded together. Once security is reflected in operational processes, it touches everything from change management, through information handling, to business continuity.

"Security goes across the architecture," says Lobel. "It has to be an infrastructure component that's part of the whole thing. It isn't something that can be called out separately."

What does that mean in practice? Fundamentally, prevention is cheaper and less damaging to your reputation than cure, and the best path to prevention is operational excellence.

Take unstructured data, for example - web pages, notes of conversations, and the cacophony of information languishing in spreadsheets on individual laptops throughout the organisation. It's like toxic waste - you often don't know what's in it, or how sensitive it is, and ideally, it should be treated and contained. How can you avoid becoming the data equivalent of Three Mile Island?

"Unstructured data is everywhere. Can a wrapper be put around it to ensure that it is protected? Can it also be preserved by backup?" asks Cole.

"If you can centralise it, then do. We use centralised file stores. That makes it easier to protect because then you know where it is." Naturally, encryption is also a desirable preventative measure.

Other measures, such as business continuity, can also sometimes benefit from operational integration. For example, a smaller company might find it useful to implement home working as everyday practice, meaning its workforce is geographically distributed.

Then, a disaster affecting one area may leave others unscathed - and in the case of an epidemic such as bird flu, the company could conceivably carry on operating.

The upside of an approach like this is that business continuity doesn't necessarily have to be tested. The company lives it, every day, as a matter of course.

But such measures must be carefully considered, says Cole. "That's an attractive model, and certainly for smaller companies might be viable in some ways. The problem you face is ensuring the availability of data for home workers," he says.

"You'd need some kind of centralised data storage point and high capacity lines available. So you're suddenly looking at a VPN, and you can't set those up from scratch in a jiffy."

The pervasive nature of security means that it should be a consideration at senior management and steering committee meetings, says Lobel. Unfortunately, governance expert Michael Parent says that those senior managers are asleep at the tiller in many cases, meaning the integration between IT risk management and enterprise risk management isn't happening.

"The board's responsibility to governance is fiduciary," says Parent, who is director of the CIBC Centre for Corporate Governance and Risk Management at Simon Fraser University's Segal Graduate School of Business. "That's just table stakes. That's what they have to do, or they will get themselves into trouble."

He proposes an IT risk governance chain, in which five broad categories of risk - IT competence, infrastructure, project, business continuity and information risk - go through an internal and external audit process which is reported to an audit committee, which in turn addresses the board.

Unfortunately for managers who fetishise technology, the process-based part of security is crucial, and it becomes more depressingly complex the larger and more arcane the company's structure is.

Much will depend on the risk appetite of the organisation involved, and on the willingness of senior management to understand the significance of folding security into operational procedures - and to help ensure that it happens.

No one said this one was going to be easy, but for companies that don't engineer security in from the ground up, it will be a lot harder clearing up the mess afterwards.
