ITS 305 - Security Policies and Auditing

Chapter 1, Introduction to the Management of Information Security

Objectives:

This lesson introduces the student to concepts that are important to different types of managers in an organization. Objectives important to this lesson:

1. Differentiate between IT management, IT Security management, and Enterprise management
2. Understand the three primary characteristics of IT security
3. Be able to discuss some common operational areas of security
4. Be familiar with the McCumber Cube
5. Understand common security related terms
6. Consider how management styles affect security policies
7. Consider the six Ps of information security
   

Concepts:

This chapter begins with a parable, which continues throughout the text, about a new IT Security manager who is having difficulties. Her story and her problems are not clear until we consider some of the concepts that the chapter introduces.

The first point of the chapter is that information security is everyone's job. This sounds like the attitude of someone trying to avoid blame and responsibility, but it is not. The point is that everyone uses information, to some degree, and everyone is a potential security risk because of it. This is why the text tells us that the best approach is for the organization to make security decisions in committees that are formed by three parts of the organization:

• IT managers and professionals
• IT security managers and professionals
• Business managers and professionals

The first two groups look like the same people, but they are not.

• IT staff are responsible for meeting the IT needs of the business. It might be better to call these people the IT Operations staff, although that phrase may have a different specific definition in some organizations.
• IT Security staff are responsible for protecting information.
• Business staff are responsible for the core interests of the business.

A problem with this concept is that IT security is often the domain of one part of an organization, and other parts may not have any connection to their decision making process. The authors tell us that this is not a viable situation.

The text continues with a series of attempts to define security. Someone should have told the authors that a definition should not contain the word you are defining. Let's see what they have worth remembering:

• there are several specialized areas of security: physical, operations, communications, and network
• information security has three classic characteristics/elements: confidentiality, integrity, and availability (commonly referred to as CIA)

The classic CIA concept defines security from the point of view of the IT Security staff. The text explains that an expansion of this concept is called by several names, one being the McCumber Cube. It provides three different perspectives on security, which should be considered together to make better security decisions:

• IT Security perspective: Confidentiality, Integrity, Availability
  How do we protect the information, make sure it is not tampered with, and provide access to those who need it?
  
• IT Operations perspective: Storage, Processing, Transmission
  How do we perform the basic IT functions of storing, processing, and transmitting data?
• Business perspective: Policy, Education, Technology
  How do we make the rules for employees about protecting information, educate our staff in protecting it, and use the technology we have to do our business?

It feels a bit off that the first two bullets above seem to relate to the primary activities of the respective entities, but the third does not. All three perspectives relate to IT security, from the point of view of that entity. Each is different from the others, and each should be considered a necessary aspect of the security process.

It may be clearer now that in the parable about our IT Security manager, her organization has not adopted this set of ideas.

The text continues with definitions of several terms it has already used and some new ones:

• Confidentiality - information should only be accessible to users who have been granted access to it for valid reasons. Only authorized users can access data if it is protected properly, and if authorized users do not violate security policy.
• Integrity - data may not be changed except by authorized users or processes. This means that data must be protected from alteration, deletion, or other changes to its intended form.
• Availability - authorized users can access data when they need to do so. The text points out that some readers misunderstand this concept. Availability means only that proper access methods are provided to authorized users, not to everyone.
• Privacy - information provided by a customer, for example, is only used in ways that our organization has disclosed to that customer. This does not mean that our organization makes no use of the information, but that it complies with the rules that it has made and disclosed to the information owner.

The next terms have to do with proving who you are and accessing assigned resources.

• Identification - This is the equivalent of entering a user ID. By itself, it is not sufficient on any system that is at all secure.
• Authentication - This is what a user is doing when they enter a password. The password is run through a process to see if it matches the information on file for the user account named. Instead of a password, the authentication information could be biometric or a personal ID number.
• Authorization - This is the step after authentication, in which the rights that have been assigned to the user account become available for use. The text says that this occurs after authentication, but be aware that the actual assignment of rights had to be done before the user authenticated.
• Accountability - This is a state or characteristic of a system that exists if the system tracks what actions on the system were carried out by which logged in user.

The text moves on to discuss high level concepts about management.

The material on management in this chapter may serve as some background reading when you are making your mind up about several course assignments. The text presents three classic management theories:

• autocratic - do it because I say so
• democratic - let's all decide what to do
• laissez-faire - let the people do what they want

Ask several managers which of the theories above they tend to endorse, and you will get different answers depending not only on the person you ask, but on the circumstances in which they find themselves. It is easy to adopt a "manage less" approach when things are going well, but hard to justify it in the middle of crisis that your staff may have created. No one with any experience will endorse one theory over the others in all circumstances.

The text discusses some aspects to planning that will be useful in assignments as well. Organizations often make plans that address actions in a particular span of time.

• strategic planning - long term plans, formed at high levels, for the company as a whole
• tactical planning - shorter term plans, formed at an intermediate level, to apply to applicable parts of a company
• operational planning - day to day plans, formed at low levels, to apply to problems that are meant to be resolved in the short term

Another list of wisdom is called the Six Ps of Information Security.

• Planning - planning specifically for information security
  
• Policy - setting information security rules for the organization
  
• Programs - not software, but operational areas within the information security division; this could represent teams that do different jobs or specific functions of particular staff
• Protection - risk assessment and management
• People - people will make or break your security measures
  
• Project Management - every project should be managed properly to see that it is implemented successfully

The authors spend the rest of the chapter discussing project management, which is outside the scope of this class.