The Importance of IT Security

Roderick K. Parkin

FEATURE

Security and the 'will to survive' are basic instincts which are evident in all aspects of life. Businesses in general exhibit and practice these instincts with varying degrees of success.

Historically, for the more security conscious companies, great pains have been taken to protect business assets through a combination of physical measures such as building security, and good working practices including dual control, separation of duties and data authentication. However, the increasingly competitive nature of financial services and the business environment in general has meant that organizations now face ever increasing pressure in their efforts to maintain and increase their profitability. In turn, this usually means that the need to take risks is increased. Achieving a cost effective balance between security and risk is, therefore, fundamental to the successful operation of all companies.

IT security is a business problem, not a technical issue. Security must not be viewed separately from other key business objectives or missions in ensuring the success and continued profitability of the company. For any organization good IT Security is essential because IT is at the heart of your organization.

All computer security is aimed at protecting the fundamentals of confidentiality, integrity and availability of data and the associated computer processes. For obvious reasons this is often referred to as the CIA of IT Security.

What happens if security fails

The above fundamentals of CIA will represent differing priorities and values depending upon the size of the organization, the nature of the business and, for large companies, the area or department concerned. The following summary indicates the potential loss scenarios together with a definition of each category as used by BS7799 (A Code of Practice for Information Security Management).

If confidentiality is breached there will be a loss due to unauthorized disclosure of information. Confidentiality entails protecting sensitive information from unauthorized disclosure or intelligible interception.

The integrity of data or computer systems is compromised when unauthorized modification occurs. Integrity means safeguarding the accuracy and completeness of information and computer software.

The availability of information becomes a major issue when there is a delay in obtaining the required information or accessing the computer system. If the delay is due to damage or destruction then there will also be a replacement cost to be considered. Availability ensures that information and vital services are available to users when required.

What is worth examining at this point, however, is the importance of each category to your organization. By examining these principles in respect of every area, you can determine what the risks are, identify the potential loss, and decide on the type and level of protection required. Clearly, the answers may well be time dependent both in terms of length of delay and also when the delay occurs. Generally it is wise to estimate losses on a 'worst case' principle, bearing in mind that if significant delay occurs at the worst possible time of the week/month/year the resulting damage may well be compounded.

Computer Fraud & Security March 1998 © 1998 Elsevier Science Ltd

It is also essential to recognize that simple solutions which work well at a small location are unlikely to be effective or comprehensive enough for the whole organization. Information Technology is now at the heart of most, if not all, business operations and it is essential for developing and delivering new systems. Not only can manual systems not cope with the volume of work, but as time passes it is unlikely that there will be trained staff available who know how the old system used to work. Therefore, if IT falters, so will your business. The critical factor for most commercial organizations is that of the availability of computer systems and the associated data or information. This does not mean that the other elements of Integrity and Confidentiality are not important. There will be times when they may be similarly critical to the continued success of the company.

Departments or sectors within an organization will have different areas of sensitivity or vulnerability. Marketing will be particularly sensitive to the confidentiality value of information just prior to the launch of a new product or service. After the launch, such information is valueless except as promotion.

The Management Information department will be especially reliant on the integrity of data. Customers do not appreciate receiving incorrect invoices or statements and many business decisions are made on the basis of computer statistics and projections.

Most organizations are striving for higher quality targets. Failure of your IT system can bring embarrassment and a poor public image to the company. By ensuring that your IT systems are secure, you will provide a better, more resilient, service to your customers. IT security makes a critical contribution to quality.

Good security

Having good security means:

• Staying in business - if you are totally reliant on your computer system, then any failure is potentially serious. There are many protection measures which can be taken but the most important is that of having a Business Recovery Plan (BRP).

• Providing a quality service - since IT probably delivers most, if not all, of your services it makes a critical contribution to quality.

• Creating and maintaining a competitive edge - new products, new services, quickly and efficiently developed and delivered to new and existing customers and clients.

• Retaining business confidence - reliable quality services. Never having to say, "I'm sorry, can't do that, the computer is down".

• Deter, delay and detect crime - crime, and security failures (or breaches) are difficult to distinguish in terms of their effect. Get security right, and crime will be less likely to affect your business.

• Comply with legislation and the law - prevent legal actions for breach of contract or sanctions due to lateness of returns. Open terms and conditions of contracts may require business to be conducted in accordance with set standards, including BS7799.

• Minimize insurance costs - insurance companies charge higher premiums for bad risks and constant claims may make insurance unavailable for certain risks.

• Protect your staff and customers - proper security will not only prevent staff and customers from doing harm to your company, it will also protect them from being suspects.

Changing environment

The world in which we live does not stand still. Anyone looking back over the last decade or two will have noted major changes in technology, life-styles, attitudes, expectations and even moral values.

Businesses are also affected by these changes in the following ways:

• Increased reliance on IT - every new product or service relies on Information Technology, and quite often the manual skills to perform the task are either not available or simply too expensive.

• Systems are more complex - in the early days, computers performed single tasks and were rarely interlinked. The complexity and inter-connectivity of modern IT systems means that one failure may have disastrous consequences on other linked applications. Multi-system access from one terminal is now a prerequisite for many telephone-based systems, and an examination of the processes required to, for example, obtain money from an ATM (Automated Teller Machine or 'hole in the wall') can often identify over 30 discrete systems, links, processes and computers.

• Increased computer literacy - the modern generation has grown up with computers, and is not afraid to use the technology. As early retirement options become more popular, it will not be long before everyone in the organization can use (and abuse) computer technology.

• Ever increasing power of PCs - modern Pentium processors can perform tasks which would have been impossible even a few years ago, or would have required a major mainframe system. Security was relatively easy for the early systems, being mainframe based, in secure buildings, isolated from the outside world. Today's executive has, on his or her desk, a PC with tremendous processing power and worldwide connectivity. Additionally, the PC may be easily portable, and contain the 'fortunes' of that company, rendering it a lucrative target for thieves and those indulging in industrial espionage.

• Open networks - Local Area Networks (LANs), Wide Area Networks (WANs), and the internet are all open by design. Whilst this openness creates exciting business opportunity it also creates possibilities for others to help themselves without your knowledge. It is not uncommon for companies not to know who is linked to their system, and to be completely unaware of who could be!

• 'Computer' crime - regrettably a current trend in all walks of life is the increasing likelihood of being affected by crime. Computer crime itself is a complex topic and ranges from simple theft of IT equipment and associated data to the more complex incidence of virus infection. Other aspects, such as software piracy and unauthorized access, whilst covered by legislation, will continue to be major concerns unless action is taken.

• Extreme politics - fanatical organizations have always been a part of life. CLODO, in France, aim to destroy computers and many terrorist organizations recognize the publicity value of damaging IT systems.

• Intellectual challenge - often criminals or disgruntled staff do not commit their acts for money. Often it is the intellectual challenge and stimulation of being able to gain access to a computer system. Frequently the damage which occurs may be accidental, but nevertheless real.

Security can be likened to many aspects of life, and as in so many other cases it cannot be 100% effective.

The solution

If we accept that computer security is necessary, we need a framework within which to work. The following is offered as a summary:

• a good foundation of security awareness, clear policy and accountability,
• implementation of sound 'baseline' controls using BS7799 as the 'model',
• use of risk analysis as a strategic tool to identify weaknesses and vulnerabilities,
• application and location specific security measures where cost justified,
• constant review and revision in the light of changing circumstances.

Management support

Security cannot be 100% effective; there will always be some residual risk, and there will have to be a compromise between availability/usability and security. Security has to be cost effective. Thus, security has to be a line management responsibility. It is not something special, nor is it the province of one department. All staff should own an element of security in the same way that current legislation requires personnel to be personally accountable for certain actions. The Data Protection Act, Computer Misuse Act, Copyright Design and Patents Act, plus the many Health & Safety requirements all place emphasis on individuals, and there are penalties for non-compliance both for the company and the individual.

In order to create the environment whereby management can discharge their responsibilities, there needs to be support at the highest level. In most cases this will be 'the Board' and, ideally, a senior IT manager should take their rightful place at this level.

All organizations have 'key players' who may, or may not, be part of the traditional management team. Ask the following questions: "Who sorts out the computer if it goes wrong?" or "Who helps me when I forget my password?" Invariably this will not be the department head; it will be some junior person or systems administrator. For larger organizations where there is a Security Manager (and team) then they have their part to play in understanding the business goals, and for formulating and communicating good security advice, but they cannot do it alone. It is also good practice to build security responsibilities into job descriptions and objectives to indicate the importance attached to the topic.

Conclusion

IT Security is a vital aspect of all business operations. The "Security Officer's Dozen" below may well serve as a summary of the importance of IT security:

1. Codes can, and will, be broken.
2. Passwords can be disclosed or guessed.
3. Messages can be intercepted.
4. Audit trails can be compromised.
5. Computer criminals do exist.
6. Programs can, and do, fail.
7. Disasters can happen.
8. Accidents can, and do, occur.
9. Risks are taken.
10. Controls will be by-passed.
11. Information is not always secure.
12. People do foolish things.

This paper was first presented at COMPSEC '97 at the QEH Centre, London, UK.