
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
* (CHN) Connecticut Hacker Newsgroup (CHN) *
= CHN News File #6 =
* an I.I.R.G. affiliate *
= -=>Present<=- =
* Introduction to Computer Security *
=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
INTRODUCTION TO COMPUTER SECURITY
By: Ed Norris
(Ed Norris is a senior security consultant for Digital Equipment Corporation.
He consults on a wide range of security issues and solutions.)
You might expect that an article about computer security would discuss
controls for passwords and file permissions, but there are many things to
consider before you get to that level. This article will focus on the basic
requirements to help you define a security professional's roles and
responsibilities and how you can influence the effectiveness of a successful
security program by gaining the support of your peers. It also will examine
typical computer security mission and vision statements and the objectives and
goals that a computer security program needs to define.
If you don't treat computer security as a business, success will be difficult
to achieve. The first step in creating any business is determining if there is
a need (company assets are at risk), if there is a market (management
understanding and approval) and if there is a profit to be made (actually
limiting the chance of a liability which would decrease the profit, in our
case).
If your company has a computer system, the first requirement for a business is
satisfied. Your company needs to establish and implement computer security
controls. Computer systems process information, which can be budgets, customer
lists, business plans, trade secrets, etc. Your job will be to protect this
information from unauthorized or accidental disclosure (confidentiality),
modification (integrity) or loss (availability).
If you have been appointed to manage the computer security program, senior
management supports the need to secure its computers. But, if you are being
proactive and looking to take on responsibility, you'll need to make them aware
of why a computer security program is important and should be supported and
funded. You must create the market by informing senior management of the risks
to the computer systems, the probability of occurrence and what the loss will
be if the risk occurs. The awareness also must filter down to senior
management's direct staff.
To satisfy the profit requirement, you'll also have to show them that you can
implement security controls on the computer systems with a cost-effective
program. You cannot spend $100,000 to protect the company from a $10,000 loss
and expect to receive support.
Be prepared to outline your responsibilities as computer security manager. You
must implement controls that will work with the business procedures being
conducted in the company. Changing business behavior is not an easy task, so
don't expect major changes to happen quickly. If you recommend security
controls that have a sufficient negative impact on the employees' behavior or
system processing times, you can expect the computer security program to last
as long as it takes to read this article.
Your key responsibility is to manage.
Don't try to do it all yourself; form a computer security team. The team
should include business managers who understand the information processing
procedures, someone who understands physical security controls and technical
personnel who understand operating system and network controls. You'll want to
keep the size of the team at a manageable level. You can bring in additional
focused expertise by forming task teams if the need arises. It will be your
job to bring a security consciousness to the group.
The planning and spending of the security budget also should be your
responsibility. Ask for input from the team members. Each member should
identify security awareness programs, training, security tools, etc. needed by
the organization in order to have a successful implementation of the computer
security program. Different organizations will have different requirements.
If one is asking for more than the others, obtain financial support from that
organization.
Keeping members on the security team is not an easy task. If they feel the
work isn't necessary or is progressing in a direction that won't suit their
organization, their involvement may come to an end or become counterproductive.
Agree to rules in the first couple of meetings. Develop a mission statement,
vision statement, objectives and achievable goals. Publish an agenda for each
meeting and stick to it. Assign meaningful action items to the members of the
team; don't give them trivial tasks to perform. Give the team public credit for
the work being accomplished.
If a team member is unwilling to work toward the goals, go to senior
management for a replacement. Remember, you obtained senior management support
for the computer security program. They should be willing to replace a team
member with someone who ultimately will help their organization become more
secure.
Computer security consists of physical and information security. Your goals
must reflect both components. You must physically secure the computer system
from unauthorized access or loss. You also must implement security controls
that will protect the information in the computer system. Information security
takes many forms, including operating system and network controls, information
classification and physical security of off-line data storage.
You must integrate the various security disciplines in order to develop an
effective computer security program.
Because information security is a large part of computer security, find and
understand the mission statement, vision statement, objectives and goals of
the information systems (IS) organization. This will tell you the why, where,
how and what the IS business is striving to achieve. Your business should be
running parallel to the IS business. You must influence each other. If the
IS organization is heading in one direction and the computer security program
is heading in another, in the end there will be chaos. The inclusion of the
business managers will aid you here; they typically follow IS direction.
One of the first action items that the computer security team should complete
is a computer security mission statement, which will reflect why the computer
security program exists in the company. The mission statement should be
concise and reflect a function that is believed to be necessary for success by
both you and the employees. Below is an example of a mission statement:
Ensure Acme Corporation's success in achieving its strategic goals by
providing computer security expertise that leads to the effective management
of Acme's assets and business security risks.
Mission statements keep the computer security team on track. If the group
starts to recommend working on nonrelated projects, it's time to reinforce the
mission.
The next task should be the creation of a vision statement. This statement
is where your computer security program will lead the company in the future.
This statement also should be concise. Below is an example:
Ensure that as new technologies and procedures are incorporated within Acme
Corporation, they are implemented in a secure manner.
The vision statement itself is a measurable statement, but it doesn't define
how it will be measured.
The next step is to define the computer security team objectives. Objectives
are how your team will achieve its vision and goals. Some examples of
objectives are:
* Foster the philosophy that computer security is an integral part of planning
and decision-making.
* Always meet or exceed Acme Corporation's expectations by focusing on asset
and risk management needs.
* Stay a key player in the planning, design, implementation and management of
computer information processing.
The objectives then are supplemented by goals that are obtainable and
measurable.
The goals are what you must accomplish in order to reach your vision for the
company. Your security team will want to develop short and long-term goals.
Don't make the mistake of presenting only short-term goals. Senior management
might be led to believe that once these are achieved, the computer security
program is completed. It never will be completed; like any business, it's an
ongoing concern.
There are many things you can do to secure computer systems. One of the most
important is the development of computer security standards and procedures,
which must be living documents. Technology and business environments are
constantly changing, and the standards and procedures must reflect that
change. Once they are developed, they must be implemented within the
corporation and now become a measurement tool. If the standard states how a
person is to perform a login, you can check to see if it's actually being
followed. You must monitor the computers to ensure they are compliant with the
standards. Usually this is best accomplished by using automated computer
security software.
Choosing and implementing the software will become another goal.
While in the development phase of the standards and procedures, you must
achieve computer security awareness by the general employee population. You
must ensure they understand why the changes are taking place. If they don't,
they will be reluctant to change their behavior. Some will search for
alternative, counterproductive methods. Other goals you may want to achieve
are: development of computer security standard violation and exception
procedures, computer intrusion escalation procedures, disaster recovery plans,
authorization procedures and vulnerability studies. You also might advise
senior management of the progress and state of computer security within the
company.
To manage an effective computer security program and develop long-term goals,
you must stay current with what is happening within your corporation and
within the computer security industry. Subscribe to one or more security
journals. There is a wealth of information available to you at no cost.
This journal and Infosecurity News are two such publications. If you're
connected to the Internet, there are many news groups that deal with
computer security, including alt.security, comp.security.unix,
comp.security.misc, misc.security and comp.virus.
You also should join at least one professional organization. Computer
Security Institute, Information System Security Association and National
Computer Security Association are a few. All conduct national conventions
that offer excellent seminars and publish newsletters or journals for members.
A computer security program should be run as a business with measurable and
achievable short and long-term goals that reflect the current business and
technical environments. The program must be managed by you, through a team
of business and technical people. For it to be successful, you must gain
support of the entire corporation.