IBM’s Data Security Strategy: Some Implementation Aspects

F. Buurmeijer
Program Manager, Information Asset Security, IBM International Operations, Watsonweg 2, 1423 ND Uithoorn, The Netherlands

Security of resources, in particular data security, ought to be the continuous concern of any company: effective security is a matter of vital importance. This paper discusses some implementation aspects of IBM’s security strategy, which aims at providing methods for the selective protection of assets against unauthorized or accidental disclosure, modification or destruction. The practical implementation of this security strategy takes the form of a yearly operating plan. One of the items covered in such a plan is the audit or review of functions and installations. Where audits and reviews are formally defined processes, peer reviews are an informal but very effective method of establishing a satisfactory measure of compliance with security requirements.

Keywords: Data security program, Strategy, Program implementation, Security organization, Peer review, Asset protection, IBM security responsibilities.

Flip Buurmeijer is Program Manager, Information Asset Security, for IBM International Operations in The Netherlands. One of the missions of IBM INTOPS, as it is popularly called, is the development and maintenance of software for IBM’s own needs, mainly in the EMEA countries. These are the countries that form an organizational unit covering Europe, the Middle East and Africa. Another mission is the supply of international computer services for IBM’s own organization. In this environment Mr. Buurmeijer is responsible for the implementation of the Information Asset Security Program, which is in place to protect IBM’s data processing assets.

Computers & Security 3 (1984) 273-277. North-Holland, 0167-4048/84/$3.00 © 1984, Elsevier Science Publishers B.V. (North-Holland)

1. Introduction

Why does IBM attach so much importance to security, and why does it go to such great lengths to realize and maintain an effective protection of its resources, including information assets? Let me quote from a letter that John Opel, Chairman of the Board of IBM Corp., wrote to all managers of the company. Speaking about safeguarding IBM’s stake in the business, he said: “Next to our people, no assets are of greater value than the information we generate in our business. Physical assets are replaceable, proprietary information is not.”

Security should be the concern of any business. With IBM, security is a matter of vital importance. Because of the nature of computer technology, innovation is the key to competitiveness and success. Therefore, advance knowledge of what the market leader is doing, or not doing, can be of great benefit to others. Consequently IBM is the target of a large network of information gatherers. Collecting information about IBM’s computer activities is largely a legitimate activity - but not completely - and therefore not without danger for the company. Recent history has presented a number of examples in the latter category. And as in any form of intelligence gathering, it is the many little pieces that, fitted together, complete the jigsaw puzzle.

The changes that have taken place in the complex world of data processing in recent years are another reason for maintaining good security. The eighties present us with large databases, large networks and all kinds of integrated facilities. Office automation and personal computers are here to stay. Moreover, data processing is no longer the privilege of a select number of professionals. Today there are large numbers of non-DP oriented users who have access to vast concentrations of information via interactively used workstations.

2. Definition

So what does IBM do in terms of data security, or information asset security as it is called in IBMese? The starting point is the thought that security is of vital importance for the company. Should security fail, it could have serious consequences for the continued existence of the business. A situation could arise where management is in insufficient control of the course of things. No company could afford that for very long. Within IBM data security is defined as follows: Data security is the provision of methods for the selective protection of information assets against unauthorized or accidental disclosure, modification or destruction. The emphasis is on the word selective. After careful consideration one has to decide to what extent information assets must be protected. In a poster campaign conducted in one of the European countries a number of years ago, security was compared to the shell of an egg. Too thin, and the shell will crack; too thick, and the chicken is stifled. To be able to raise future chickens, beware of deficient shells.

3. Responsibilities

The question of who is responsible for the security of information assets is an important one. Within IBM, information asset security is the responsibility of line management. This means that each line manager must know very well for what resources he is responsible, and what requirements he must define regarding an efficient control of these resources. He is also responsible for granting access authorization to users of DP equipment under his control. It is the manager who is responsible for keeping the employees reporting to him up-to-date on the requirements regarding security. He is further responsible for a periodic self-assessment of his department to check if he complies with the security requirements. In case of non-compliance he must come up with a committed action plan to get in line again with the norm.

Besides line management as a general group with security responsibilities, IBM distinguishes three categories with a specific set of responsibilities of their own, namely ‘owners’, ‘suppliers of services’ and ‘users’. An owner is in general an IBM manager who has specific responsibilities for the identification, the classification and the corresponding protection of important resources. Apart from hardware, such resources cover a wide range, from specific data assets such as financial records or product schedules, to important applications that manipulate the data, like accounts receivable and order handling.

Suppliers of services are, generally speaking, the computer centers which provide the support for IBM’s DP operations. In the context of this paper, these centers are the internal computer centers, although from a security point of view there is not much practical difference between the internal centers and the service centers that offer DP capacity to customers. The responsibilities of the suppliers of services lie mainly in the field of executing the security measures specified by the owners, and exercising the controls defined for the information stored in their computer systems.

The users form the largest group. Users are those employees that have been authorized to use specific computer resources, and only for approved business purposes at that. They, too, have to comply with a number of security instructions, e.g. regarding the use of terminals, the handling of passwords and the handling of output they generate themselves. Apart from being responsible for the classification of such output, they fall into the category of owner, with the associated responsibilities, for the protection of any information asset they generate.

4. Organization

A somewhat simplified picture of the worldwide IBM organization shows three main ‘operating units’, defined by geographic areas. These areas are the United States of America (IBM US), Europe/Middle East/Africa (IBM EMEA) and the Americas/Far East (IBM AFE). In the headquarters of each of these operating units, a staff group has been charged with data security tasks. These groups draft and maintain data security standards, give out guidelines for the implementation of security instructions, and organize reviews of the security posture of the various functions and installations. A function in this respect is an organizational entity consisting of a number of departments all dealing with a particular line of work, e.g. business planning, business controls, finance, customer engineering, information systems, office automation, to name a few. Such functions may vary considerably in size. These staff groups also coordinate all security activities to arrive at an approach that is as uniform as possible for all locations under their direction.

Responsibility for security matters is placed at executive level. For instance, in each country in Europe, an executive manager is charged with the responsibility for security matters. He is assisted by a program manager, who will implement the security program in his country according to the standard and guidelines issued. The program manager has an educational task: he must promote the security awareness of a large number of employees. In addition, he has an advisory role in the implementation of the program. Finally, in a reviewing capacity, he must check if all requirements are complied with. The larger IBM locations and functions have full-time data security program managers, who work with a network of part-time coordinators at department level to deal with security matters. Small locations or functions have at least one coordinator.

5. Implementation

The responsibilities of line management in general, and those of owners, users, and suppliers of services, have been laid down in the standard mentioned before. This standard further describes various procedural matters, such as the execution of the departmental self-assessment program. It also establishes compliance criteria, describes the risk assessment process, and indicates what records are required for audit purposes. No matter what function is formally audited, information asset security is always part of the investigation.

The practical implementation of IBM’s security strategy takes the form of a yearly operating plan. This operating plan is the cornerstone of the whole security process. Once a year the security staff will issue the plan guidance, on the basis of which a plan must be made for each location or function. Within a country such plans are consolidated into a national plan. The country plans in their turn get combined into a security plan per geographic area. An important part of the contents of each level of security plan is determined by the results of what is known as the departmental self-assessment, a kind of X-ray of the security posture of each department.

5.1. How does this work?

Slightly dependent on the functional organization, each department manager receives a questionnaire with the aid of which he can make an assessment of the security status of his department(s). The questionnaires are function-oriented as much as possible. By means of the questionnaire the manager compares his status to the norm. If he complies with the norm, no further action is necessary. If he does not comply on one or more points, the manager has to define an action plan to make sure he does comply in the shortest possible time. Action plans are incorporated in the operating plan and the results to be reached are clearly marked as objectives for the manager who defined the action plan. The security coordinator or program manager belonging to that function has to report on a regular basis what the status of such action plans is.

It may happen that a manager does not comply with a security requirement but is unable to come up with an action plan, because a realistic alternative is not feasible or because an alternative would become too expensive. In such a situation he must make a risk assessment to evaluate the risk and restrict the possible dangers as much as possible. After approval by higher management this risk assessment is also incorporated in the operating plan. During audits or formal reviews certain findings may reveal inadequacies in the protection of information assets. The manager responsible for these assets then has to put a plan in place to remedy the shortcomings, or he has to make a risk assessment because alternatives are difficult or expensive.

The guidance for the operating plan distinguishes between standard plan items and focus items. Focus items are ‘special’ subjects that require an action plan. Examples are: handling information with a high security classification, the security of office automation systems, the use of terminals at home, etc. Standard items are e.g. the self-assessment process, education and awareness programs, access control, control of special system software, control of shared systems, and peer reviews.

6. Peer Reviews

Peer reviews are special evaluations regarding the security situation of a function. An important aspect is that peer reviews are fundamentally different from audits or compliance reviews. All three are independent evaluations, but audits and compliance reviews are instigated by top management, with findings being officially reported back to them. With this way of reporting it is not possible to keep problems ‘in the family’, and serious deficiencies may have managerial consequences. Corrective actions are formally followed up by an independent business controls function and progress is reported to general management. Contrary to audits and compliance reviews, peer reviews are initiated by functional management itself, for its own benefit. Ensuing reports do not go any further than functional management, so there is no action plan follow-up and reporting outside the function.

6.1. Who are involved in a Peer Review?

Usually the function to be reviewed invites specialists from a similar function in another location. Depending on the size of the function and the scope of the review, a team could be from two to eight people. Often the composition of the team and the recruiting of its members is ‘subcontracted’ to a data security manager who is appointed team leader and general coordinator. A typical team may consist of two systems programmers, preferably with expert knowledge of system security, someone experienced in media control, and one or two data security coordinators or managers who know the rules and requirements with which the function has to comply. In consultation with the requesting function, the team leader determines the scope of the review, defines a set of objectives and informs line management, in writing, of the forthcoming review. Usually this is done approximately four weeks before the start of the review.

6.2. How is a Peer Review carried out?

The review usually starts with a kick-off meeting with functional management. During this meeting the objectives of the review are agreed upon, and functional management informs the team of the organization to be reviewed and provides them with any details that might be useful to have right from the start. Such details could be problem areas or exposures already identified, or action plans currently being implemented. At the outset of the review it is also useful to have available any documentation that supports the security status of the function. Among this material one would expect to find not only the operating plan and filled-in questionnaires of the latest self-assessments, but also risk assessments, local procedures, definitions of responsibilities, access authorization records, volume inventories, etc.

There are no fixed rules as to the duration of a peer review, but as a rule of thumb one could reckon a week, with the team starting on Monday morning with the kick-off meeting, and ending with a presentation of the findings to functional management on Friday. This schedule does not include the time needed for defining the objectives of the review and preparing a questionnaire. Nor does it include the writing of the final report, listing in detail the items reviewed, the findings, possible exposures, and the team’s recommendations.

Although the peer review is an informal process, that does not mean it is taken lightly, or dealt with in a perfunctory manner. On the contrary, such a review is a real challenge for the participants. Especially between similar functions there is always a certain amount of rivalry, and reviewers will do their utmost to dig up situations that can be improved. On the other hand, they may discover elegant solutions to problems they are hardly aware of themselves yet.

Depending on the function to be reviewed, a peer review might include topics such as the following:
- Physical access to computer centers and restricted areas
- Classification of software and data
- System access and integrity
- Change control of sensitive programs
- Password management
- Media control
- Emergency planning, e.g. for vital applications and data
- Backup procedures

The review itself is mostly conducted by having interviews with various representatives from the function under review, whereby the reviewer must seek confirmation of all answers given. He must cross-check, for example, whether what a manager maintains is an action plan for his department is actually perceived as such by the members of that department. He must also obtain documented evidence, particularly in those cases where a procedure stipulates regular management sign-off. Procedures are often misinterpreted, and the fact that a department has a procedure, or procedures, is in itself no guarantee that the requirements are met. By asking different people the same questions, a reviewer can judge whether everyone has the same perspective on matters. This is made easier by using a pre-defined questionnaire, although some items may come up spontaneously and turn out to be well worth pursuing.

Apart from interviews, actual tests may be carried out. A systems programmer may try to penetrate an operating system merely by using an ordinary userid, without any special attributes. If he does not succeed in gaining access to any privileged software, for example data sets or libraries that contain user verification passwords or information access passwords, it says something for the protection of that operating system. A reviewer may also test the physical access protection of e.g. the computer room by trying to gain access without proper authorization.

During the interviews, the reviewers must take notes, and at the end of each day they must summarize their findings. Alternatively, the entire review team may meet at the end of each day to compare notes, list findings, and outline their recommendations. In this way it becomes easier to prepare a presentation to functional management by the end of the review week. The reviewers should remember to ensure at least a general agreement on findings with individual managers. This may contribute considerably to the efficiency of the final wrap-up meeting.

The last thing left to be done is writing the final report for functional management. This, too, may be a team effort, or it may be done by the team leader after the review. The method is not important. What is important is that the report lists in detail all items checked, all findings with an assessment of possible exposures, plus recommendations to improve or remedy non-compliance situations. Functional management then has a working document that they can act upon in a responsible manner.

7. Epilogue

Adequate data security is never a matter of a single system, or tool, or procedure. It is always a combination, consisting of physical security, software, hardware and procedures. Procedures are necessary, standards must be set, guidelines must be issued, and there must be a segmentation of certain tasks and functions. In short, the rules of the game must be stated. Hardware comes in handy for a lot of security tasks, ranging from simple badge readers, through encryption devices, to small computers monitoring various controls. Speaking of software, a well-tuned package to protect the operating system is a must. The emphasis is on well-tuned, because it is of the utmost importance that such a package is not just installed but tuned to the system it is meant to protect. Last, but not least, a physical security system to ensure, among other things, proper access control, is absolutely indispensable. It is the combination of functions such as these that makes it very difficult, if not impossible, for anyone to gain access to a company’s valuable assets.