People Cannot Be Patched
Around 20 years ago, managers in the food and car industries got together to implement comprehensive quality management. Under the slogan "Total Quality", supply chains and production processes began to be subjected to integrated control.
Today this model can be applied to the field of information technology. Every member of staff with access to data in the company is effectively part of the IT supply chain and must therefore implement the predetermined security policies. Instead of "Total Quality" we could talk here about "Total Security".
The concept of data access should be interpreted appropriately widely: every link in an e-mail can be an attempt to defraud. There can also be unpleasant consequences if the son of a sales representative takes out a ringtone subscription on the firm's mobile. Even the team assistant is affected by security policies - anyone involved in sending e-mails should be able to recognise phishing. The only way to deal with external threats in a sustained manner is to shift security know-how from the ivory tower of the IT security department into the heads and consciousness of all staff.
IT systems consist of technology, processes and people. Systems can be updated several times a month by using patches and processes can be safeguarded by means of technical measures, but the user - one of the greatest risks - is often left out of consideration. Integrated security management, however, should start precisely with the person - on an individual basis.
Analysts estimate that around 70 per cent of all IT running costs are labour costs. In order to set up an effective and efficient security environment, there must be smooth cooperation between all members of staff. Running battles about whether, for example, database backups are security relevant and whether, as a result, the IT service or the security department is responsible for them should be consigned to the past. Security policies, roles and responsibilities in the company should adapt all procedures to the tasks carried out by staff and also be measurable.
Such target-group-oriented guidelines will initially give the departments concerned a good deal of extra work: they have to draw up clear security policies directed at the staff's know-how. These policies should also be comprehensible to non-technical users. Subsequently it is essential to build up and consolidate the relevant security knowledge. Tests can then be used to check the staff's knowledge and understanding of IT security. The results of these tests will show immediately whether the arrangements can be understood, and thus implemented, by users. This all happens most easily if the workflow relating to policy formulation and distribution, the package of measures, reporting, training and testing is supported by a shared workflow tool.
Security cannot simply be prescribed from above. Staff may regard the measures involved as just another programme that they do not necessarily want to take on board. Those in charge can respond to these problems with a three-stage approach. The required security principle asks: What guidelines are there? What level of awareness is already in place? What must be achieved and what should be achieved? Which approach is suitable? The roles and responsibilities principle asks: What reporting tools, communication paths and measuring tools are needed? And the business units principle states: Each unit is responsible for its core business - and this also includes security. What level of expenditure is needed to bring about the security required?
A company cannot safeguard itself overnight. The individual steps are important as is, above all, a clearly defined process flow. All too often today, unfortunately, the approach taken is rather project-oriented - only a few companies first analyse their specific overall situation and then introduce all the necessary steps. Managers are people too - and usually belong to the group that has to be won over by new measures. This argument should be based on economic facts rather than driven from a technological point of view. This means that security has to be calculated in euros and cents. The usual consideration given to amortisation (return on investment or ROI) is often irrelevant when justifying potential investments. Other models are required in this case.
One possible approach is an evaluation of the potential for loss: the single loss expectancy (SLE) estimates the damage that could arise from a one-off event. As well as this single loss estimate, the company's board is also normally influenced by the annual losses that would be expected if an IT system failed. For this, each SLE is multiplied by the frequency with which its event occurs per year, and the results are summed as the anticipated loss per year - the so-called annual loss expectancy (ALE).
As a concrete example, a scenario might be as follows. A consultancy firm employs 1000 members of staff at an hourly rate of 100 euros. During their working time a virus brings the mail and file server to a standstill, so that half of the consultants cannot access their data for 30 minutes. The SLE for such an incident is around 25,000 euros. If something of this nature occurs statistically four times a year, this results in an ALE of 100,000 euros. If the cost of the envisaged security equipment is lower than the ALE, it is generally a good buy. If not, it is to be assumed that the investment will be rejected as a rule.
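The SLE and ALE figures above, carried through as a small risk register that applies the article's "control cost below ALE" rule. This is an added example, not code from the original article; the scenario figures are constructed, and the first entry reproduces the article's consultancy case.

```python
"""Single loss expectancy (SLE) and annual loss expectancy (ALE) for
outage scenarios, following the article's definitions.

Added example, not part of the original article. All scenario figures
below are constructed; the first one reproduces the article's case."""
from dataclasses import dataclass


@dataclass(frozen=True)
class OutageScenario:
    name: str
    staff_affected: int         # number of people who cannot work
    hourly_rate: float          # cost per person-hour, in euros
    hours_down: float           # duration of one incident, in hours
    incidents_per_year: float   # annualised rate of occurrence

    def sle(self) -> float:
        """Loss from one occurrence: idle person-hours times the hourly rate."""
        return self.staff_affected * self.hourly_rate * self.hours_down

    def ale(self) -> float:
        """Expected loss per year: SLE multiplied by the yearly frequency."""
        return self.sle() * self.incidents_per_year


def total_ale(scenarios) -> float:
    """Sum the ALE of every scenario a proposed control would prevent."""
    return sum(s.ale() for s in scenarios)


def worth_buying(annual_control_cost: float, scenarios) -> bool:
    """The article's decision rule: the control is a good buy when its
    yearly cost is lower than the ALE of the incidents it addresses."""
    return annual_control_cost < total_ale(scenarios)


# Constructed risk register. The first entry is the article's scenario:
# 500 of 1000 consultants idle for 30 minutes at 100 euros/hour, four times a year.
MAIL_OUTAGE = OutageScenario("mail and file server virus outage", 500, 100.0, 0.5, 4)
LAPTOP_LOSS = OutageScenario("lost laptop, one consultant rebuilds for a day", 1, 100.0, 8.0, 6)

if __name__ == "__main__":
    for s in (MAIL_OUTAGE, LAPTOP_LOSS):
        print(f"{s.name}: SLE {s.sle():,.0f} EUR, ALE {s.ale():,.0f} EUR")
    # A constructed control costing 60,000 EUR/year that only prevents the mail outage
    print("buy mail-server control:", worth_buying(60_000, [MAIL_OUTAGE]))
```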
At the moment there is no shortage of solutions for risk management. Each of these approaches has strengths and weaknesses as far as precision, resources, time, complexity and subjectivity are concerned, which must be selected appropriately for a particular company. A risk management process defines priorities, lists threats and proposes a plan for responding to weak points. Every security strategy should be underpinned by detailed risk analyses.
Company IT consists of people, processes and technology. In order to safeguard working procedures, all these elements must be taken into consideration - and central control is effected at the same time in accordance with the security policy. In order to involve people in the company in this process, an action plan for the implementation of security should be agreed with each business unit. This company-wide security programme is composed of three main parts. Part one defines the security architecture, in which the rules of the game are laid down throughout the company. This includes, amongst other things, security policies, legal requirements, best practices, a method for classifying information and similar guidelines.
The second part deals with internal coordination within the company and draws up a process that brings together the above mentioned security architecture and the business certification that is aspired to. This process is mostly about structures, roles and responsibilities, together with reporting relationships.
The third step is business certification - which takes a rather unusual approach to security: instead of a top-down principle in the sense of "The board has decided that we are now doing security!", this is far more about each business unit within the company being responsible for its own security. Each unit is able to decide, within certain bounds, the timescale in which the measures agreed with the IT security department and looked after by it can be introduced. Of course, this depends considerably on the demands of the business department - so staff have the opportunity to recognise and also experience security as their own process, and not as a process ordered from above to be endured - one which is possibly not at all suited to their own requirements.
Monthly follow-up reports should accompany the introduction of this plan. They provide orientation with regard to how, for example, the staff's level of knowledge is progressing. Above all, however, they can be used to record the current status of security in the business unit. This means that they become a valuable reporting tool and security becomes a behaviour that is practised and analysed on a daily basis by those involved. Alongside the reporting measures, defined milestones can be used to set and achieve goals step by step. In this way it is ensured that the basic processes are actually running. In addition workshops should promote a fundamentally new way of thinking amongst staff and provide information on the tools required. The advice that is needed here with regard to processes and management can possibly also bring in the suppliers that are involved.
When it comes to selecting security technology, the best-of-breed method is the most suitable strategy. This means that the most appropriate solutions are chosen from the antivirus, firewall and spam filter fields, for example. It is then a matter of evaluating the information that has been gathered in a logical and efficient manner. Here, again, people become involved - logfile entries that nobody reads are ultimately not worth the bits used to store them. In order to set up an integrated solution with a consistent database, one thing that should be done is linking the records from the individual security systems with one another.
In addition the system and security management consoles should be interconnected. This must not be regarded as a technological solution but as an organisational process! Information can then be sent from one console to the other. This coordination is absolutely essential. Incidents such as the Sasser virus have clearly brought home the need for convergence between security and system management solutions. The two relevant departments still remain separate sovereign territories with their own functions, but there must be close coordination between them. Only an integrated approach that brings together all security relevant information on a central basis makes it possible to correlate events. This can also be described as knowledge based service assurance: while the service remains guaranteed for the user, this strategy facilitates the search for problems, provides support with regard to possible responses and prevents the same problem from occurring again in the future.
The IT security department does not become superfluous as a result of the emphasis on more personal responsibility on the part of all staff. The opposite is more likely to be the case: with the growing number of threats and legal requirements, companies need - as well as a well-defined security process - an expert team that can implement the demands in this regard. The author's forecast is that in the next five to eight years security will become part of the tasks to be carried out by each individual member of staff. It may even be assumed that - by means of their individual business objectives (IBOs) - they will be assessed on how they deal with their IT systems and the data made available to them.
The promotion of each member of staff to security manager is certainly a striking picture. However, the motivation to collaborate on security in the company is quite pragmatic: it serves to protect and maintain one's own working environment and that of one's colleagues. The company's dependence on IT and the potentially severe damage that can be caused by an intentional or unintentional operating error should ultimately motivate all members of staff to acknowledge their share of the responsibility.
Ulrich Weigel, Attachmate
BIOS, Jan 23, 07 | Posted In Security