- Email: [email protected]
The role of information security in corporate governance
Computers
& Security, 15 (1996) 477-485
The Role of Information Security in Corporate Governance Ken Lindup SRI It~ternatiortal, Stanford House, 2 Manchester Square, London, WIM SRE UK.
Introduction Of all the questions I get asked as an information security consultant. The two that occur time and time again are these: 1. 2.
How do I get my message across to my user community? How do I convince my boss that security is important?
It is the second question and its implications that I want to consider, because I believe that senior management have never been so dependent on information security as they are today All the signs are that this dependency can only increase. In a press release issued in early September, the UK’s Securities and Futures Authority (SFA) announced proposals that would make a nominated officer in each firm directly responsible and accountable for ensuring that proper controls are in place and working effectively. Nicholas Durlacher, the SFA chairman said: “We are not proposing that senior executives take responsibility for all the actions of their employees. However, we do think that the SFA should have the right to require senior executives f-ormally to justify their conduct and competence in the event of a management failure which is so serious that it threatens the future of the firm as a regulated entity”
0167-4048/96/$15.00
0 1996, Elsevier Science Ltd
For information security managers working for organizations operating in City of London investments markets, this announcement is good news. In today’s markets which are so dependent on computer systems and networks, it will be impossible for the nominated senior executive to feel safe without assurances that the information, networks, and systems in the firm are adequately protected. Following widely publicized failings, there have been other moves to make directors and senior executives personally accountable for the consequences of failures of internal control. Since internal control ultimately relies on information security, it seems to me that managers of information security have a key role to play in protecting their bosses. Put simply, when next a senior executive asks why it is worth spending money on information security, you can answer: “It will help keep you out ofjail.“This may be a slight exaggeration, but at least you will be helping protect him or her from legal action, and possible bankruptcy. The trouble is that developments in IT and business practice are making corporate governance more difflcult, not easier. Distributed systems, extensive use of communications, outsourcing, and electronic commerce all combine to make corporate control more diffuse. New technologies do not always have an obvious impact on security and control.They may make new
477
Ken LindupfThe Role of lnforma tion Security in Corporate Governance
possible, and it is these that lead to the
corporate negligence. I do not think it will be long before directors see personal liability as a significant risk.
This means that information security managers must not only be alert to the latest CERT Advisory, they must also be aware of how new technologies may affect management thinking. In my experience too many managers see information security as a technical issue. The corporate governance weapon is a two edged sword, it is great for getting attention, but it broadens the scope of information security.
An organization must maintain a system of internal controls both to ensure its own success, and also to comply with legal and regulatory requirements. Corporate governance depends on information about:
business practices loss of control.
To survive. biological organisms must adapt to environmental changes such as changes in temperature, salinity of sea water, sea levels etc. Some changes may threaten survival directly, others may give competitors the edge, whilst others may provide an opportunity for predators and parasites. Organisms that adapt succeed, others become extinct unless they can find some unique environmental niche like the shrimps that live in the Dead Sea. Ifwe look at the business environment,we pressures for change: drive for lower costs, higher increased market share.
lThe pressure from customers at lower cost, and for greater
can see three
profitability,
and
for more functionality ease of access.
lThe demand from society for greater accountability of business and public service
organizations.
Technology facilitates new ways of doing business (in its widest sense). The legal and regulatory framework (part of the business context) is the way society attempts to constrain the worst excesses of the free market by balancing the sometimes competing needs ofthe nation, individuals, and businesses. One impact of this balancing act has been the imposition of personal liability on directors and senior executives for the consequences of losses and failures resulting from inadequate systems of internal control. Thus far, we have not seen many (if any) instances of directors going to jail for financial loss. We have seen directors face criminal charges for deaths caused by
478
and return on funds employed.
lThe
business processes including legal and regulatory requirements.
compliance
with
lFeedback
The Pressures for Change
lThe
lThe business operations such as cash flow,profitability,
of summary information such as exception reports, credit and trading limits, and other financial controls.
All this information must be timely,accurate,up-to-date, and able to be kept confidential where necessary. If a decentralized organization does not have direct control over this information on which it depends, how can it maintain the necessary system of internal controls? Your directors and senior executives depend on your information security in order to exercise control over their business. The problem that you face is to help your organizations define an information security framework that enables them to succeed, and to protect your directors and senior executives from legal action.
The Impact of Technology on Corporate Governance Changes in technology not only create new markets and opportunities, they also affect the way business is done. However much the business changes, one thing remains constant, the need for directors and executives to manage and control the business. The problem is this. Most senior executives grew up in a world based upon a paradigm that included central control and hierarchical organizations.Developments in information technology such as client server architectures, extensive use of communications, and cheap powerful work stations have helped to create a new paradigm where control is decentralized along with IT systems, and organizations are anything but hierarchical. Indeed the concept of an organization as an entity with a finite boundary is increasingly being eroded. The signs point towards the extended, even virtual corporation.
Computers & Security, Vol. 15, No. 6
HIERIRCHY
IMPLEMENTATION
Boardof Directors
Memorandum 8 Ari~cles of Assoclallon. Board Resolullons 8 Minutes. Corporate Dlrechves
Audit Committee Non-Executwe Directors
Credit Control. Apphcations Developmer Techmcal Support
Office Procedures Development Standards &Procedures
General Ledger. MIS CASE Tools
Reqwements Speahcatlons
Secutlty Treaty
Infrastructure Controls
ACFP.Netware. Procedures
Figure 1.
Business control can be represented by the four layer model shown in Figure 1. The diagram shows that directors and executives do not operate in isolation. The effectiveness of their governance is dependent on many things that include:
lBusiness processes
lApplication lTechnical
systems security
l Procedures
lHuman factors The London Code c~Conduct (a Bank of England document about controlling dealing operations) stipulates that “It is essential that management have in place, and review regularly, appropriate control procedures which their dealing and other staff must follow.” One of the key control areas is counterparty control, firms must ensure that they know their counterparty, and have in place an approval process before dealing with a new counterparty for the first time. Security at each of the four levels must be effective.
Policy
A clear statement about the bank’s policies and rules for establishing counterparty relationships.
Procedure
Procedures for establishing relationships with counterparties, establishing limits, and updating the counterparties file. The procedural level controls should also specify which members of the bank’s staff are authorized to carry out the various steps involved in establishing a new relationship. The application provides the Application the mechanisms to update counterparties file, and report any changes. It also ensures that only deals with valid counterparties are accepted. at the infrastructure Infrastructure Controls (networks, operating system, and database management system) layer are concerned with authenticating users, and checking their levels of authority particularly with respect who may update the counterparties file. It is important that the infrastructure does not provide a backdoor to allow an unauthorized individual to update the file without using the appropriate application. It is this last requirement that makes the security of the operating system and network; so important.
479
Ken LindupfThe Role of Information Security in Corporate Governance
The impact of new technologies is not limited to the infrastructure layer. They can make existing controls in the higher layers ineffective or make new control mechanisms possible. Technology can impact on security and control in three ways: 1. 2. 3.
By introducing new security vulnerabilities By changing the way business is done By changing the way the workplace is organized.
We should recognize that whilst a technology may have a direct impact on security and control, it is most often the way a technology is used that has the greatest impact. Users often exploit technology in a way never envisaged by the designers. Technology can affect security and control because it creates new vulnerabilities. Many companies have seen the potential benefits of delivering information about their products and services to customers via the World Wide Web. Connecting to the Internet is not without its risks. An Internet connection is a potential gateway into the corporate networks for hackers and computer criminals.The Internet was never designed with security in mind other than the need to be there, even if the physical infrastructure was severely damaged. Technology can be used to create new ways of doing business. We have for several years seen ED1 users exchanging orders and invoices. Increasingly we are seeing the interconnection of networks. Groupware extends this concept, leading to the extended corporation and ultimately to the virtual corporation. A consortium of different companies can be put together for a specific project. Groupware provides the link that enables them to function as one organization the virtual corporation. Cheap, powerful workstations and modems mean that once again we can take the work to the workers, and they can be anywhere in the world. People processing corporate information in a normal office do so in a controlled environment. Physical security can be implemented and enforced. It is much harder to get assurances about the physical security of someone’s home. Technology can be used to automate part of a process thereby removing humans from the loop. Speech processing coupled with artificial intelligence can be used to automate the underwriting of a loan application at a bank. Removing humans from the loop makes the
480
process consistent. If the system is flawed, systematic errors could prove very expensive.
New Technologies If information security managers are to succeed in providing the security and control required by the business they must look at the broader scope of changes in information technology. They must also look at the wider implications for business control of a new technology. Many of the information security issues associated with some technologies are the subject of extensive debate, and are well understood. Examples are the use of cryptography and Internet firewalls. The security implications of other technologies have not received the same amount of coverage.
Object Oriented Technology Unlike traditional software methods where procedures act on data, with object oriented techniques, messages (which equate to procedure calls in COBOL) are sent to objects that contain methods (Which equate to COBOL procedure code). Objects may also contain local data. Some objects respond to messages from other objects (passive objects), others react to circumstances (active objects). A message to a passive object such as a paragraph in a document may instruct it to change its format. An active object may detect that another object (such as a customer account) has gone outside predefined limits. A traditional program consists of a series of procedures that interact with other procedures and manipulate items of data. The data may be contained within files or databases. or it may be contained within a program module. Object oriented technology has some similarities with those traditional software methods that used m-entrant modular programming with dynamic linkages. The key difference is that whereas traditional modules were designed around procedures, objects are designed around entities (such as a paragraph in a document or a balance sheet), and the way those entities behave. Object oriented technology has some potential benefits for security and control: l
It can result in improved reliability and maintainability of program code.
Computers & Security, Vol. 15, No. 6
l1t can be used to implement lData validation
methods
logical access controls. can be made
part of the
object. Many of the errors that occur in traditional application programs are a result of the focus on procedures. A common class of program failure occurs when the format of a data item is changed, and a module downstream of the creating module is not updated. The need to modify and test all the program modules that process a data item makes program maintenance more complex and expensive than it need be. One problem with logical access control is enforcing the access control mechanism.The typical access control system requires a user to go through the identification and authorization process to gain access to a system. Once they have passed the checks they are assumed to be trusted. Ifthey have bypassed the checks, that assumption is founded on a false premise. Logical access control can be made the responsibility of the object being accessed,and an object specially created to carry out the authorization process. The traditional approach to data validation relies on all data items coming into the system through a single entry point. The data entry module contains code that validates incoming data. All modules that subsequently process the item of data assume that it is valid. That is fine as long as there is only the one data entry point. The problem is that subsequent system changes may make it possible for data to enter the system at another point. or data can be changed or corrupted elsewhere in a system. By making the object responsible for validating data, data validation is simplified. Object oriented technology security and control issues.
also introduces
some new
people were likely to write different modules. Consequently a rogue programmer could not rely on having total control of the processing of a data item. If all the processing is concentrated in one object and it is treated as a black box, it becomes easier for the author of the object to control how its methods respond to a message or a request. It may be prove more difficult to follow the flow of control in applications based on objected oriented software. This is because systems will be built out of black boxes, the contents ofwhich will become less well understood. I think this means that auditors will have to shift from reliance on compliance based testing to substantive testing.
There is an inbuilt assumption that the complete system is the sum of its parts. A benefit of building a system from objects is that its functionality can be assumed to be the sum of the functionality of the objects from which it is built. This assumption may not be valid unless care is taken with the testing of the delivered system.
Object inheritance Objects can automatically share data and methods by means of inheritance. This mechanism allows programmers to create a new sub-class of objects based on a preexisting class by defining the differences between the two. This has two implications for security and control:
lRedundancy
can be introduced in the definition of objects. This means that the problems of accuracy and integrity of objects is an issue, as it is with the automatic database replication used in groupware.
lIt is possible words/PINS)
that inappropriate logic can be passed to a subclass.
(pass-
Objects are black boxes with known inputs and outputs.
Speech Processing
As a programmer knows nothing about an object’s internals, there is the possibility ofproblems arising with the accuracy and integrity of information. Considerable trust is placed in the procedures used to design, create and test objects. One benefit of traditional processing techniques was that committing a fraud by program manipulation was complicated by the fact that different
Speech processing is a new technology that on first consideration has no implications for information security.That view is wrongwhilst it may be true that speech processing technology has no intrinsic security implications, the way it is used certainly does. There are two aspects of speech processing technology that have implications for information security:
481
Ken Lindup/The Role of Information Security in Corporate Governance
l
Speech processing process.
removes humans from the business
lThe
user authentication processes associated with speech processing are often based solely on a password.
Some systems rely on a question and answer script, or asking for selected positions of a password or PIN. This is intended to prevent eavesdroppers from learning the full password or PIN. It seems to me that with the use of analogue mobile phones still widespread, eavesdropping is a major issue. Removing humans from the business process means that organizations are totally reliant on applications systems to provide security and control. This is a two edged sword. The major advantage is that automated systems perform consistently and that any security built into them will perform consistently. One disadvantage is that systematic security weaknesses will occur equally consistently. There is a second problem with removing humans from the business process that relates to fraud detection. Humans have the ability to be suspicious, so will be alerted if the same voice makes several calls giving different identities. An automated system cannot be relied upon to be suspicious in this way. I think that we may see a growth in attempts to make speech processing a front end to automated applications such as consumer loan processing. Automated loan processing has been a reality for the last ten years albeit based on the customer sitting at a PC. Speech processing can make that even more user friendly. Information security managers should remain aware to the dangers of such systems being implemented without adequate safeguards. Serious losses are likely because the system designers did not understand the sophistication of the manual decision making process. Particular attention should be paid to the types of transactions that are processed using this technology .
Client Server Client server architectures have proved popular with users because the development cycle can be shortened, and the use of the PC/Workstation makes them more user friendly. They can improve error handling because errors can be identified earlier and dealt with close to
the point introduce
of data entry However, client server systems potential security and control weaknesses.
Co-operative processing means that applications are spread across different hardware and software environments. This brings with it the possibility of problems with incompatible versions of data files and software, and greater complexity of the change management processes. Where data validation is based on tables and files (such as valid supplier codes) resident on the workstation, then version control becomes a critical issue. Backup and recovery can be more complex in a client server architecture. Each element in the distributed system must be recoverable and able to establish the status of dependent elements. A central tenet of information security has long been the establishment andprotection ofa security perimeter. The theory behind a security perimeter is that it enables a distinction to be drawn between the trusted environment within the perimeter and the untrusted environment outside. The lessons of history show that blind reliance on a security perimeter can be misplaced. In the second world war, the German army went round the Maginot Line to invade France. The Japanese army came from a different direction from that expected by those who built the security perimeter for Singapore. The Maginot Line failed because it was not complete, and the Singapore defences failed because they failed to identify the direction of the threat. In the days of a central mainframe computer we built a computer room and protected it with guards, locked doors and intruder alarms. Only trusted individuals were allowed inside the computer room. All that is changing, new business practices and the growth of distributed computing have combined to fragment the security perimeter. No longer is it a tangible, physical entity that can be evaluated and periodically audited. In many people’s eyes there is still a correlation between the cost of the hardware and the security that is applicable. PCs and workstations are very cheap, therefore many people argue that the cost of security should be similarly cheap. Also, in a client server architecture, there may be thousands ofworkstations. Workstations and PCs are generally subject to less security than servers and mainframe computers.
Computers & Security, Vol. 15, No. 6
Groupware The decentralization Ft&tre 2 summarizes
New
Business
Decentralization and people
Other
and changes in work practice some of these.
that go with groupware
Practice
Impact
of servers, systems, information
enterprises
may interact
with information
introduce
some major security
issues.
on Security
-
Security is decentralized, standards arc harder to maintain Backup and recovery are more complicated
-
No control overfinal
-
destination
and use of
in$rmation
Growth
in home
Information
Multi-user working
and mobile
may be collated
working
from different
access to information
Information may be replicated enterprise automatically
Communication
sources
allows collaborative
throughout
the
using E-mail
-
Injjrmation may movefrom an area ofh&h security to one of no security
-
Tlze derived in@rmation may have a value not obvious from its components
-
Chinese
-
InJ;,rmation may become damaged or currupted
-
I&ion control is more dijicult Errors can pro&rate Precedence of information may not be clear
-
Ownership
walls may be undermined
ofE-mail
and personal privacy problems
Source: SRI International
Figure 2: Major Groupware security issues
Database
Replication
Lotus Notes has carried the concept of automatic database replication further, but it is a technology that is becoming ubiquitous.Database replication (automatic database replication) introduces significant weaknesses that I call Inj)rmation Cocktails and Information Mutations. Information
Cocktails
Lotus has described Notes as a key enabler of the ‘extended enterprise’. The extended enterprise encompasses employees, suppliers, customers and increasingly
competitors. Adoption of the extended enterprise model involves some significant risks. For example, it is not possible to enforce global rules across an extended enterprise. This means that the originator cannot control how information is used once it has been replicated to another server. A partner in one project may be a competitor in another. It is feasible for a partner collaborating in another project to have access to yet more information. This second partner could replicate the additional information to a third unbeknown to the originator. They could combine the two sources to produce an information cocktail that the originator
483
Ken Lindup/The Role of Information Security in Corporate Governance
would never have allowed. Whilst information mixing has always been possible, Notes facilitates the process in a systematic way Automatic replication allows the spread to be faster and wider.
Information
Mutations
In standard database models, changes are made to one or a few central databases. In the Notes model, multiple servers may each host the same information. Each of these servers can replicate to each other and end-users can replicate the information to their PCs. Any error (whether accidental or intentional) can be replicated back and proliferated through the network. I call this process information mutation because of its parallels with biological mutation. Like the body’s repair system, ideal Notes security would prevent damage where possible. detect damage where it occurs and repair damage if required.
Internethntranet The Unix operating system (at the heart of Internet) was designed with communications in mind, not security The TCP/IP communications protocols, the basis of Internet communications, were not designed with security in mind. TCP/IP enables different platforms to talk to each other easily The new versions of the PC and Macintosh operating systems contain built-in links to the Internet. Establishing an Internet session is as easy as clicking on an icon. With protocols like SLIP and PPPl, and cheap and easy to use Internet points of presence offering dialup access, restricting networking is difficult. Even if a ban is enforced in the workplace, staff are increasingly likely to have a private account accessible from their home. The Internet started life as a government and academic network. Its use as a commercial resource is growing. The commercial use of Internet was made possible when the National Science Foundation lifted its restrictions on commercial Internet applications. Internet shopping malls and department stores are developing faster than their real world counterparts. Encyclopedia Britannica is currently available online to libraries and educational institutes,it will soon be available to domestic subscribers - for a fee. Internet
provides
access to many millions
of informa-
tion sources scattered over the globe. FTP sites contain program and information files that can be downloaded to a PC. For example, anyone can obtain copies of Phil Zimmerman’s PGP (Pretty Good Privacy). PGP is a public key system that can be used to encrypt information stored on disks or transmitted across a network. Utilities, communications software are other examples of what is available. World Wide Web servers provide access to of information. Access is simplified by the face applications like Netscape. Users can newspapers, business information, books The list is very long.
vast amounts use of interaccess online statistics etc.
Internet access is becoming so widespread and so easy to use that it will become as commonplace as the VCR. We are faced with a workforce that will not only be computer literate, it will be networking literate. Networking is an integral component of groupware products. It will become very difficult for the security manager to be certain of where corporate information comes from, and where it goes.
The Way Forward It is clear that corporate governance is going to make greater demands on information security, and that there is going to be greater reliance on third party security. What should managers responsible for information security be doing?
lYOU should be taking a close look at emerging nologies and considering their potential the way corporate governance operates ganization.
lYOU should be identifying
techimpacts on in your or-
the way technologies be used in your organization.
will
lYOU should pay particular attention organization intends to modify in response to new technologies.
lYOU should
to the way your its business practices
be briefing your directors executives of the impact of proposed corporate governance.
and senior changes on
You should not consider technologies in isolation from each other. Their greatest impact comes when they are combined, as the shown by the following two examples:
Computers & Security, Vol. 15, No. 6
lThe combination
of extensive use of communications networks, groupware, and powerful cheap workstations leads to a distribution ofthe business process.This in turn generates the diffused,virtual security perimeter. It generates problems of precedence of security policies and standards between electronic partners.
You now have the ear of your senior executives - they need you to protect them. They need information security to ensure that they are exercising good stewardship over the business and all its assets. You in turn must look at the wider issues to make sure that all aspects are covered. You must make sure that security is sufficiently robust to withstand the scrutiny of the courts.
lThe combination
of networks, powerful cheap workstations, groupware and speech processing leads to a drive for automated business processes with minimal human intervention. This means that there is a greater reliance on the effectiveness of procedures for development and maintenance of programs. It also means that controls to prevent non-application access to data fdes become critical.
Ken Lindup is senior consultant with SRI International’s Information Systems Management Practice. This paper was first presented at the Compsec International ‘96 conference in London in October.
485
& Security, 15 (1996) 477-485
The Role of Information Security in Corporate Governance Ken Lindup SRI It~ternatiortal, Stanford House, 2 Manchester Square, London, WIM SRE UK.
Introduction Of all the questions I get asked as an information security consultant. The two that occur time and time again are these: 1. 2.
How do I get my message across to my user community? How do I convince my boss that security is important?
It is the second question and its implications that I want to consider, because I believe that senior management have never been so dependent on information security as they are today All the signs are that this dependency can only increase. In a press release issued in early September, the UK’s Securities and Futures Authority (SFA) announced proposals that would make a nominated officer in each firm directly responsible and accountable for ensuring that proper controls are in place and working effectively. Nicholas Durlacher, the SFA chairman said: “We are not proposing that senior executives take responsibility for all the actions of their employees. However, we do think that the SFA should have the right to require senior executives f-ormally to justify their conduct and competence in the event of a management failure which is so serious that it threatens the future of the firm as a regulated entity”
0167-4048/96/$15.00
0 1996, Elsevier Science Ltd
For information security managers working for organizations operating in City of London investments markets, this announcement is good news. In today’s markets which are so dependent on computer systems and networks, it will be impossible for the nominated senior executive to feel safe without assurances that the information, networks, and systems in the firm are adequately protected. Following widely publicized failings, there have been other moves to make directors and senior executives personally accountable for the consequences of failures of internal control. Since internal control ultimately relies on information security, it seems to me that managers of information security have a key role to play in protecting their bosses. Put simply, when next a senior executive asks why it is worth spending money on information security, you can answer: “It will help keep you out ofjail.“This may be a slight exaggeration, but at least you will be helping protect him or her from legal action, and possible bankruptcy. The trouble is that developments in IT and business practice are making corporate governance more difflcult, not easier. Distributed systems, extensive use of communications, outsourcing, and electronic commerce all combine to make corporate control more diffuse. New technologies do not always have an obvious impact on security and control.They may make new
477
Ken LindupfThe Role of lnforma tion Security in Corporate Governance
possible, and it is these that lead to the
corporate negligence. I do not think it will be long before directors see personal liability as a significant risk.
This means that information security managers must not only be alert to the latest CERT Advisory, they must also be aware of how new technologies may affect management thinking. In my experience too many managers see information security as a technical issue. The corporate governance weapon is a two edged sword, it is great for getting attention, but it broadens the scope of information security.
An organization must maintain a system of internal controls both to ensure its own success, and also to comply with legal and regulatory requirements. Corporate governance depends on information about:
business practices loss of control.
To survive. biological organisms must adapt to environmental changes such as changes in temperature, salinity of sea water, sea levels etc. Some changes may threaten survival directly, others may give competitors the edge, whilst others may provide an opportunity for predators and parasites. Organisms that adapt succeed, others become extinct unless they can find some unique environmental niche like the shrimps that live in the Dead Sea. Ifwe look at the business environment,we pressures for change: drive for lower costs, higher increased market share.
lThe pressure from customers at lower cost, and for greater
can see three
profitability,
and
for more functionality ease of access.
lThe demand from society for greater accountability of business and public service
organizations.
Technology facilitates new ways of doing business (in its widest sense). The legal and regulatory framework (part of the business context) is the way society attempts to constrain the worst excesses of the free market by balancing the sometimes competing needs ofthe nation, individuals, and businesses. One impact of this balancing act has been the imposition of personal liability on directors and senior executives for the consequences of losses and failures resulting from inadequate systems of internal control. Thus far, we have not seen many (if any) instances of directors going to jail for financial loss. We have seen directors face criminal charges for deaths caused by
478
and return on funds employed.
lThe
business processes including legal and regulatory requirements.
compliance
with
lFeedback
The Pressures for Change
lThe
lThe business operations such as cash flow,profitability,
of summary information such as exception reports, credit and trading limits, and other financial controls.
All this information must be timely,accurate,up-to-date, and able to be kept confidential where necessary. If a decentralized organization does not have direct control over this information on which it depends, how can it maintain the necessary system of internal controls? Your directors and senior executives depend on your information security in order to exercise control over their business. The problem that you face is to help your organizations define an information security framework that enables them to succeed, and to protect your directors and senior executives from legal action.
The Impact of Technology on Corporate Governance Changes in technology not only create new markets and opportunities, they also affect the way business is done. However much the business changes, one thing remains constant, the need for directors and executives to manage and control the business. The problem is this. Most senior executives grew up in a world based upon a paradigm that included central control and hierarchical organizations.Developments in information technology such as client server architectures, extensive use of communications, and cheap powerful work stations have helped to create a new paradigm where control is decentralized along with IT systems, and organizations are anything but hierarchical. Indeed the concept of an organization as an entity with a finite boundary is increasingly being eroded. The signs point towards the extended, even virtual corporation.
Computers & Security, Vol. 15, No. 6
HIERIRCHY
IMPLEMENTATION
Boardof Directors
Memorandum 8 Ari~cles of Assoclallon. Board Resolullons 8 Minutes. Corporate Dlrechves
Audit Committee Non-Executwe Directors
Credit Control. Apphcations Developmer Techmcal Support
Office Procedures Development Standards &Procedures
General Ledger. MIS CASE Tools
Reqwements Speahcatlons
Secutlty Treaty
Infrastructure Controls
ACFP.Netware. Procedures
Figure 1.
Business control can be represented by the four layer model shown in Figure 1. The diagram shows that directors and executives do not operate in isolation. The effectiveness of their governance is dependent on many things that include:
lBusiness processes
lApplication lTechnical
systems security
l Procedures
lHuman factors The London Code c~Conduct (a Bank of England document about controlling dealing operations) stipulates that “It is essential that management have in place, and review regularly, appropriate control procedures which their dealing and other staff must follow.” One of the key control areas is counterparty control, firms must ensure that they know their counterparty, and have in place an approval process before dealing with a new counterparty for the first time. Security at each of the four levels must be effective.
Policy
A clear statement about the bank’s policies and rules for establishing counterparty relationships.
Procedure
Procedures for establishing relationships with counterparties, establishing limits, and updating the counterparties file. The procedural level controls should also specify which members of the bank’s staff are authorized to carry out the various steps involved in establishing a new relationship. The application provides the Application the mechanisms to update counterparties file, and report any changes. It also ensures that only deals with valid counterparties are accepted. at the infrastructure Infrastructure Controls (networks, operating system, and database management system) layer are concerned with authenticating users, and checking their levels of authority particularly with respect who may update the counterparties file. It is important that the infrastructure does not provide a backdoor to allow an unauthorized individual to update the file without using the appropriate application. It is this last requirement that makes the security of the operating system and network; so important.
479
Ken LindupfThe Role of Information Security in Corporate Governance
The impact of new technologies is not limited to the infrastructure layer. They can make existing controls in the higher layers ineffective or make new control mechanisms possible. Technology can impact on security and control in three ways: 1. 2. 3.
By introducing new security vulnerabilities By changing the way business is done By changing the way the workplace is organized.
We should recognize that whilst a technology may have a direct impact on security and control, it is most often the way a technology is used that has the greatest impact. Users often exploit technology in a way never envisaged by the designers. Technology can affect security and control because it creates new vulnerabilities. Many companies have seen the potential benefits of delivering information about their products and services to customers via the World Wide Web. Connecting to the Internet is not without its risks. An Internet connection is a potential gateway into the corporate networks for hackers and computer criminals.The Internet was never designed with security in mind other than the need to be there, even if the physical infrastructure was severely damaged. Technology can be used to create new ways of doing business. We have for several years seen ED1 users exchanging orders and invoices. Increasingly we are seeing the interconnection of networks. Groupware extends this concept, leading to the extended corporation and ultimately to the virtual corporation. A consortium of different companies can be put together for a specific project. Groupware provides the link that enables them to function as one organization the virtual corporation. Cheap, powerful workstations and modems mean that once again we can take the work to the workers, and they can be anywhere in the world. People processing corporate information in a normal office do so in a controlled environment. Physical security can be implemented and enforced. It is much harder to get assurances about the physical security of someone’s home. Technology can be used to automate part of a process thereby removing humans from the loop. Speech processing coupled with artificial intelligence can be used to automate the underwriting of a loan application at a bank. Removing humans from the loop makes the
480
process consistent. If the system is flawed, systematic errors could prove very expensive.
New Technologies If information security managers are to succeed in providing the security and control required by the business they must look at the broader scope of changes in information technology. They must also look at the wider implications for business control of a new technology. Many of the information security issues associated with some technologies are the subject of extensive debate, and are well understood. Examples are the use of cryptography and Internet firewalls. The security implications of other technologies have not received the same amount of coverage.
Object Oriented Technology Unlike traditional software methods where procedures act on data, with object oriented techniques, messages (which equate to procedure calls in COBOL) are sent to objects that contain methods (Which equate to COBOL procedure code). Objects may also contain local data. Some objects respond to messages from other objects (passive objects), others react to circumstances (active objects). A message to a passive object such as a paragraph in a document may instruct it to change its format. An active object may detect that another object (such as a customer account) has gone outside predefined limits. A traditional program consists of a series of procedures that interact with other procedures and manipulate items of data. The data may be contained within files or databases. or it may be contained within a program module. Object oriented technology has some similarities with those traditional software methods that used m-entrant modular programming with dynamic linkages. The key difference is that whereas traditional modules were designed around procedures, objects are designed around entities (such as a paragraph in a document or a balance sheet), and the way those entities behave. Object oriented technology has some potential benefits for security and control: l
It can result in improved reliability and maintainability of program code.
Computers & Security, Vol. 15, No. 6
l1t can be used to implement lData validation
methods
logical access controls. can be made
part of the
object. Many of the errors that occur in traditional application programs are a result of the focus on procedures. A common class of program failure occurs when the format of a data item is changed, and a module downstream of the creating module is not updated. The need to modify and test all the program modules that process a data item makes program maintenance more complex and expensive than it need be. One problem with logical access control is enforcing the access control mechanism.The typical access control system requires a user to go through the identification and authorization process to gain access to a system. Once they have passed the checks they are assumed to be trusted. Ifthey have bypassed the checks, that assumption is founded on a false premise. Logical access control can be made the responsibility of the object being accessed,and an object specially created to carry out the authorization process. The traditional approach to data validation relies on all data items coming into the system through a single entry point. The data entry module contains code that validates incoming data. All modules that subsequently process the item of data assume that it is valid. That is fine as long as there is only the one data entry point. The problem is that subsequent system changes may make it possible for data to enter the system at another point. or data can be changed or corrupted elsewhere in a system. By making the object responsible for validating data, data validation is simplified. Object oriented technology security and control issues.
also introduces
some new
people were likely to write different modules. Consequently a rogue programmer could not rely on having total control of the processing of a data item. If all the processing is concentrated in one object and it is treated as a black box, it becomes easier for the author of the object to control how its methods respond to a message or a request. It may be prove more difficult to follow the flow of control in applications based on objected oriented software. This is because systems will be built out of black boxes, the contents ofwhich will become less well understood. I think this means that auditors will have to shift from reliance on compliance based testing to substantive testing.
There is an inbuilt assumption that the complete system is the sum of its parts. A benefit of building a system from objects is that its functionality can be assumed to be the sum of the functionality of the objects from which it is built. This assumption may not be valid unless care is taken with the testing of the delivered system.
Object inheritance Objects can automatically share data and methods by means of inheritance. This mechanism allows programmers to create a new sub-class of objects based on a preexisting class by defining the differences between the two. This has two implications for security and control:
lRedundancy
can be introduced in the definition of objects. This means that the problems of accuracy and integrity of objects is an issue, as it is with the automatic database replication used in groupware.
lIt is possible words/PINS)
that inappropriate logic can be passed to a subclass.
(pass-
Objects are black boxes with known inputs and outputs.
Speech Processing
As a programmer knows nothing about an object’s internals, there is the possibility ofproblems arising with the accuracy and integrity of information. Considerable trust is placed in the procedures used to design, create and test objects. One benefit of traditional processing techniques was that committing a fraud by program manipulation was complicated by the fact that different
Speech processing is a new technology that on first consideration has no implications for information security.That view is wrongwhilst it may be true that speech processing technology has no intrinsic security implications, the way it is used certainly does. There are two aspects of speech processing technology that have implications for information security:
481
Ken Lindup/The Role of Information Security in Corporate Governance
l
Speech processing process.
removes humans from the business
lThe
user authentication processes associated with speech processing are often based solely on a password.
Some systems rely on a question and answer script, or asking for selected positions of a password or PIN. This is intended to prevent eavesdroppers from learning the full password or PIN. It seems to me that with the use of analogue mobile phones still widespread, eavesdropping is a major issue. Removing humans from the business process means that organizations are totally reliant on applications systems to provide security and control. This is a two edged sword. The major advantage is that automated systems perform consistently and that any security built into them will perform consistently. One disadvantage is that systematic security weaknesses will occur equally consistently. There is a second problem with removing humans from the business process that relates to fraud detection. Humans have the ability to be suspicious, so will be alerted if the same voice makes several calls giving different identities. An automated system cannot be relied upon to be suspicious in this way. I think that we may see a growth in attempts to make speech processing a front end to automated applications such as consumer loan processing. Automated loan processing has been a reality for the last ten years albeit based on the customer sitting at a PC. Speech processing can make that even more user friendly. Information security managers should remain aware to the dangers of such systems being implemented without adequate safeguards. Serious losses are likely because the system designers did not understand the sophistication of the manual decision making process. Particular attention should be paid to the types of transactions that are processed using this technology .
Client Server Client server architectures have proved popular with users because the development cycle can be shortened, and the use of the PC/Workstation makes them more user friendly. They can improve error handling because errors can be identified earlier and dealt with close to
the point introduce
of data entry However, client server systems potential security and control weaknesses.
Co-operative processing means that applications are spread across different hardware and software environments. This brings with it the possibility of problems with incompatible versions of data files and software, and greater complexity of the change management processes. Where data validation is based on tables and files (such as valid supplier codes) resident on the workstation, then version control becomes a critical issue. Backup and recovery can be more complex in a client server architecture. Each element in the distributed system must be recoverable and able to establish the status of dependent elements. A central tenet of information security has long been the establishment andprotection ofa security perimeter. The theory behind a security perimeter is that it enables a distinction to be drawn between the trusted environment within the perimeter and the untrusted environment outside. The lessons of history show that blind reliance on a security perimeter can be misplaced. In the second world war, the German army went round the Maginot Line to invade France. The Japanese army came from a different direction from that expected by those who built the security perimeter for Singapore. The Maginot Line failed because it was not complete, and the Singapore defences failed because they failed to identify the direction of the threat. In the days of a central mainframe computer we built a computer room and protected it with guards, locked doors and intruder alarms. Only trusted individuals were allowed inside the computer room. All that is changing, new business practices and the growth of distributed computing have combined to fragment the security perimeter. No longer is it a tangible, physical entity that can be evaluated and periodically audited. In many people’s eyes there is still a correlation between the cost of the hardware and the security that is applicable. PCs and workstations are very cheap, therefore many people argue that the cost of security should be similarly cheap. Also, in a client server architecture, there may be thousands ofworkstations. Workstations and PCs are generally subject to less security than servers and mainframe computers.
Computers & Security, Vol. 15, No. 6
Groupware The decentralization Ft&tre 2 summarizes
New
Business
Decentralization and people
Other
and changes in work practice some of these.
that go with groupware
Practice
Impact
of servers, systems, information
enterprises
may interact
with information
introduce
some major security
issues.
on Security
-
Security is decentralized, standards arc harder to maintain Backup and recovery are more complicated
-
No control overfinal
-
destination
and use of
in$rmation
Growth
in home
Information
Multi-user working
and mobile
may be collated
working
from different
access to information
Information may be replicated enterprise automatically
Communication
sources
allows collaborative
throughout
the
using E-mail
-
Injjrmation may movefrom an area ofh&h security to one of no security
-
Tlze derived in@rmation may have a value not obvious from its components
-
Chinese
-
InJ;,rmation may become damaged or currupted
-
I&ion control is more dijicult Errors can pro&rate Precedence of information may not be clear
-
Ownership
walls may be undermined
ofE-mail
and personal privacy problems
Source: SRI International
Figure 2: Major Groupware security issues
Database
Replication
Lotus Notes has carried the concept of automatic database replication further, but it is a technology that is becoming ubiquitous.Database replication (automatic database replication) introduces significant weaknesses that I call Inj)rmation Cocktails and Information Mutations. Information
Cocktails
Lotus has described Notes as a key enabler of the ‘extended enterprise’. The extended enterprise encompasses employees, suppliers, customers and increasingly
competitors. Adoption of the extended enterprise model involves some significant risks. For example, it is not possible to enforce global rules across an extended enterprise. This means that the originator cannot control how information is used once it has been replicated to another server. A partner in one project may be a competitor in another. It is feasible for a partner collaborating in another project to have access to yet more information. This second partner could replicate the additional information to a third unbeknown to the originator. They could combine the two sources to produce an information cocktail that the originator
483
Ken Lindup/The Role of Information Security in Corporate Governance
would never have allowed. Whilst information mixing has always been possible, Notes facilitates the process in a systematic way Automatic replication allows the spread to be faster and wider.
Information
Mutations
In standard database models, changes are made to one or a few central databases. In the Notes model, multiple servers may each host the same information. Each of these servers can replicate to each other and end-users can replicate the information to their PCs. Any error (whether accidental or intentional) can be replicated back and proliferated through the network. I call this process information mutation because of its parallels with biological mutation. Like the body’s repair system, ideal Notes security would prevent damage where possible. detect damage where it occurs and repair damage if required.
Internethntranet The Unix operating system (at the heart of Internet) was designed with communications in mind, not security The TCP/IP communications protocols, the basis of Internet communications, were not designed with security in mind. TCP/IP enables different platforms to talk to each other easily The new versions of the PC and Macintosh operating systems contain built-in links to the Internet. Establishing an Internet session is as easy as clicking on an icon. With protocols like SLIP and PPPl, and cheap and easy to use Internet points of presence offering dialup access, restricting networking is difficult. Even if a ban is enforced in the workplace, staff are increasingly likely to have a private account accessible from their home. The Internet started life as a government and academic network. Its use as a commercial resource is growing. The commercial use of Internet was made possible when the National Science Foundation lifted its restrictions on commercial Internet applications. Internet shopping malls and department stores are developing faster than their real world counterparts. Encyclopedia Britannica is currently available online to libraries and educational institutes,it will soon be available to domestic subscribers - for a fee. Internet
provides
access to many millions
of informa-
tion sources scattered over the globe. FTP sites contain program and information files that can be downloaded to a PC. For example, anyone can obtain copies of Phil Zimmerman’s PGP (Pretty Good Privacy). PGP is a public key system that can be used to encrypt information stored on disks or transmitted across a network. Utilities, communications software are other examples of what is available. World Wide Web servers provide access to of information. Access is simplified by the face applications like Netscape. Users can newspapers, business information, books The list is very long.
vast amounts use of interaccess online statistics etc.
Internet access is becoming so widespread and so easy to use that it will become as commonplace as the VCR. We are faced with a workforce that will not only be computer literate, it will be networking literate. Networking is an integral component of groupware products. It will become very difficult for the security manager to be certain of where corporate information comes from, and where it goes.
The Way Forward It is clear that corporate governance is going to make greater demands on information security, and that there is going to be greater reliance on third party security. What should managers responsible for information security be doing?
lYOU should be taking a close look at emerging nologies and considering their potential the way corporate governance operates ganization.
lYOU should be identifying
techimpacts on in your or-
the way technologies be used in your organization.
will
lYOU should pay particular attention organization intends to modify in response to new technologies.
lYOU should
to the way your its business practices
be briefing your directors executives of the impact of proposed corporate governance.
and senior changes on
You should not consider technologies in isolation from each other. Their greatest impact comes when they are combined, as the shown by the following two examples:
Computers & Security, Vol. 15, No. 6
lThe combination
of extensive use of communications networks, groupware, and powerful cheap workstations leads to a distribution ofthe business process.This in turn generates the diffused,virtual security perimeter. It generates problems of precedence of security policies and standards between electronic partners.
You now have the ear of your senior executives - they need you to protect them. They need information security to ensure that they are exercising good stewardship over the business and all its assets. You in turn must look at the wider issues to make sure that all aspects are covered. You must make sure that security is sufficiently robust to withstand the scrutiny of the courts.
lThe combination
of networks, powerful cheap workstations, groupware and speech processing leads to a drive for automated business processes with minimal human intervention. This means that there is a greater reliance on the effectiveness of procedures for development and maintenance of programs. It also means that controls to prevent non-application access to data fdes become critical.
Ken Lindup is senior consultant with SRI International’s Information Systems Management Practice. This paper was first presented at the Compsec International ‘96 conference in London in October.
485