textfiles/magazines/CHN/chn-0006.txt

                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
                *  (CHN) Connecticut Hacker Newsgroup (CHN) *
                =              CHN News File #6             =
                *           an I.I.R.G. affiliate           *
                =               -=>Present<=-               =
                *      Introduction to Computer Security    *
                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=


INTRODUCTION TO COMPUTER SECURITY
By: Ed Norris

(Ed Norris is a senior security consultant for Digital Equipment Corporation. 
 He consults on a wide range of security issues and solutions)


 You might expect that an article about computer security would discuss 
controls for passwords and file permissions, but there are many things to 
consider before you get to that level.  This article will focus on the basic
requirements to help you define a security professional's roles and 
responsibilities and how you  can influence the effectiveness of a successful
security program by gaining the support of your peers.  It also will examine
typical computer security mission and vision statements and the objectives and
goals that a computer security program needs to define.
 If you don't treat computer security as a business, success will be difficult
to achieve.  The first step in creating any business is determining if there is
a need (company assets are at risk), if there is a market (management 
understanding and approval) and if there is a profit to be made (actually 
limiting the chance Of a liability which would decrease the profit, in our 
case).
 If your company has a computer system, the first requirement for a business is
satisfied.  Your company needs to establish and implement computer security 
controls.  Computer systems process information, which can be budgets, customer
lists, business plans, trade secrets, etc.  Your job will be to protect this 
information from unauthorized or accidental disclosure (confidentiality), 
modification (integrity) or loss (availability).
 If you have been appointed to manage the computer security program, senior 
management supports the need to secure its computers.  But, if you are being 
proactive and looking to take on responsibility, you'll need to make them aware
of why a computer security program is important and should be supported and 
funded, You must create the market by informing senior management of the risks
to the computer systems, the probability of occurrence and what the loss will 
be if the risk occurs.  The awareness also must filter down to senior 
management's direct staff.
 To satisfy the profit requirement, you'll also have to show them that you can
implement security controls on the computer systems with a cost-effective 
program.  You cannot spend $100,000 to protect the company from a $10,000 loss 
and expect to receive support.
 Be prepared to outline your responsibilities as computer security manager. You
must implement controls that will work with the business procedures being 
conducted in the company. Changing business behavior is not an easy task, so 
don't expect major changes to happen quickly.  If you recommend security 
controls that have a sufficient negative impact on the employees' behavior or 
system processing times, you can expect the computer security program to last 
as long as it takes to read this article.  
Your key responsibility is to manage.
 Don't try to do it all yourself; form a computer security team. The team 
should include business managers who understand the information processing 
procedures, someone who understands physical security controls and technical 
personnel who understand operating system and network controls. You'll want to
keep the size of the team at a manageable level.  You can bring in additional
focused expertise by forming task teams if the need arises.  It will be your 
job to bring a security consciousness to the group.
 The planning and spending of the security budget also should be your 
responsibility.  Ask for input from the team members.  Each member should 
identity security awareness programs, training, security tools, etc. needed by 
the organization in order to have a successful implementation of the computer 
security program. Different organizations will have different requirements. 
If one is asking for more than the others, obtain financial support from that 
organization.
 Keeping members on the security team is not an easy task. if they feel the 
work isn't necessary or is progressing in a direction that won't suit their 
organization, their involvement may come to an end or become counterproductive.
Agree to rules in the first couple of meetings. Develop a mission statement, 
vision statement, objectives and achievable goals. Publish an agenda for each 
meeting and stick to it.  Assign meaningful action items to the members of the 
team; don't give them trivial tasks to perform. Give the team public credit for
the work being accomplished.
 If a team member is unwilling to work toward the goals, go to senior 
management for a replacement.  Remember, you obtained senior management support
for the computer security program.  They should be willing to replace a team 
member with someone who ultimately will help their organization become more 
secure.
 Computer security consists of physical and information security. Your goals 
must reflect both components.  You must physically secure the computer system 
from unauthorized access or loss.  You also must implement security controls 
that will protect the information in the computer system.  Information security
takes many forms, including operating system and network controls, information
classification and physical security of off-line data storage.
You must integrate the various security disciplines in order to develop an 
effective computer security program.
 Because information secunty is a large part of computer secunty, find and 
understand the mission statement, vision statement, objectives and goals of 
the information systems (IS) organization.  This will tell you the why, where, 
how and what the IS business is striving to achieve.  Your business should be 
running parallel to the IS business.  You must influence each other.  If  the 
IS organization is heading in one direction and the computer secunty program 
is heading in another, in the end there will be chaos.  The inclusion of the 
business managers will aid you here; they typically follow IS direction.
 One of the first action items that the computer secunty team should complete 
is a computer security mission statement, which will reflect why the computer 
security program exists in the company.  The mission statement should be 
concise and reflect a function that is believed to be necessary for success by
both you and the employees. Below is an example of  a mission statement:
 Ensure Acme Corporation's success in achieving its strategic goals by
providing computer security expertise that leads to the effective management
of Acme's assets and business security risks.
 Mission statements keep the computer security team on track. If the group 
starts to recommend working on nonrelated projects, it's time reinforce the 
mission.
 The next task should be the creation of a vision statement. This statement
is where your computer security program will lead the company in the future. 
This statement also should be concise.  Below is an example:
 Ensure that as new technologies and procedures are incorporated within Acme 
Corporation, they are implemented in a secure manner.
 The vision statement itself is a measurable statement, but it doesn't define
how it will be measured.
 The next step is to define the computer security team objectives. Objectives 
are how your team will achieve its vision and goals.  Some examples of \
objectives are: 

* Foster the philosophy that computer security is an integral part of plannig
and decision-making 

* Always meet or exceed Acme Corporations expectations by focusing on asset 
and risk management needs. 


* Stay a key player in the planning, design, implementation and management of 
  computer information processing.

 The objectives then are supplemented by goals that are obtainable and 
measurable.
 The goals are what you must accomplish in order to reach your vision for the 
company.  Your security team will want to develop short and long-term goals. 
Don't make the mistake of presenting only short-term goals.  Senior management
might be led to believe that once these are achieved, the computer security 
program is completed.  It never will be completed; like any business, its an 
ongoing concern.
 There are many things you can do to secure computer systems. One of the most 
important is the development of computer security standards and procedures, 
which must be living documents.  Technology and business environments are 
constantly  changing, and the standards and procedures must reflect that 
change.  Once they are developed, they must be implemented within the 
corporation and now become a measurement tool. If the standard states how a 
person is to perform a login, you can check to see if it's actually being 
followed.  You must monitor the computers to ensure they are compliant with the
standards.  Usually this is best accomplished by using automated computer 
security software. 
Choosing and implementing the software will become another goal.
 While in the development phase of the standards and procedures, you must 
achieve computer security awareness by the general employee population. You 
must ensure they understand why the changes are taking place. If they don't, 
they will be reluctant to change their behavior. Some will search for 
alternative, counterproductive methods. Other goals you may want to achieve 
are: development of computer security standard violation and exception 
procedures, computer intrusion escalation procedures, disaster recovery plans, 
authorization procedures and vulnerability studies. You also might advise 
senior. management of the progress and state of computer security within the 
company.
 To manage an effective computer security program and develop long,term goals, 
you must stay current with what is happening within your corporation and 
within the computer security industry. Subscribe to one or more security 
journals There is a wealth of information available to you at no cost. 
This journal and Infosecurity news are two such publications. If you're 
connected to the Internet, there are many news groups that deal with 
computer security, including alt.security, comp.security.unix, 
comp.security.misc, misc.security and comp.virus.
 You also should join at least one professional organization.  Computer 
Security Institute, Information System Security Association and National 
Computer Secunty Association are a few.  All conduct national conventions 
that offer excellent seminars and publish newsletters or journals for members.
A computer security program should be run as a business with measurable and 
achievable short and long-term goals that reflect the current business and 
technical environments.  The program must be managed by you, through a team 
of business and technical people.  For it to be successful, you must gain 
support of the entire corporation.