💾 Archived View for gemini.spam.works › mirrors › textfiles › magazines › CHN › chn-0006.txt captured on 2022-06-12 at 10:39:09.


                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
                *  (CHN) Connecticut Hacker Newsgroup (CHN) *
                =              CHN News File #6             =
                *           an I.I.R.G. affiliate           *
                =               -=>Present<=-               =
                *      Introduction to Computer Security    *
                =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=


INTRODUCTION TO COMPUTER SECURITY
By: Ed Norris

(Ed Norris is a senior security consultant for Digital Equipment Corporation. 
 He consults on a wide range of security issues and solutions)


 You might expect that an article about computer security would discuss 
controls for passwords and file permissions, but there are many things to 
consider before you get to that level.  This article will focus on the basic
requirements to help you define a security professional's roles and 
responsibilities and how you  can influence the effectiveness of a successful
security program by gaining the support of your peers.  It also will examine
typical computer security mission and vision statements and the objectives and
goals that a computer security program needs to define.
 If you don't treat computer security as a business, success will be difficult
to achieve.  The first step in creating any business is determining if there is
a need (company assets are at risk), if there is a market (management 
understanding and approval) and if there is a profit to be made (actually 
limiting the chance of a liability which would decrease the profit, in our 
case).
 If your company has a computer system, the first requirement for a business is
satisfied.  Your company needs to establish and implement computer security 
controls.  Computer systems process information, which can be budgets, customer
lists, business plans, trade secrets, etc.  Your job will be to protect this 
information from unauthorized or accidental disclosure (confidentiality), 
modification (integrity) or loss (availability).
 If you have been appointed to manage the computer security program, senior 
management supports the need to secure its computers.  But, if you are being 
proactive and looking to take on responsibility, you'll need to make them aware
of why a computer security program is important and should be supported and 
funded. You must create the market by informing senior management of the risks
to the computer systems, the probability of occurrence and what the loss will 
be if the risk occurs.  The awareness also must filter down to senior 
management's direct staff.
 To satisfy the profit requirement, you'll also have to show them that you can
implement security controls on the computer systems with a cost-effective 
program.  You cannot spend $100,000 to protect the company from a $10,000 loss 
and expect to receive support.
 Be prepared to outline your responsibilities as computer security manager. You
must implement controls that will work with the business procedures being 
conducted in the company. Changing business behavior is not an easy task, so 
don't expect major changes to happen quickly.  If you recommend security 
controls that have a sufficient negative impact on the employees' behavior or 
system processing times, you can expect the computer security program to last 
as long as it takes to read this article.  
Your key responsibility is to manage.
 Don't try to do it all yourself; form a computer security team. The team 
should include business managers who understand the information processing 
procedures, someone who understands physical security controls and technical 
personnel who understand operating system and network controls. You'll want to
keep the size of the team at a manageable level.  You can bring in additional
focused expertise by forming task teams if the need arises.  It will be your 
job to bring a security consciousness to the group.
 The planning and spending of the security budget also should be your 
responsibility.  Ask for input from the team members.  Each member should 
identify security awareness programs, training, security tools, etc. needed by 
the organization in order to have a successful implementation of the computer 
security program. Different organizations will have different requirements. 
If one is asking for more than the others, obtain financial support from that 
organization.
 Keeping members on the security team is not an easy task. If they feel the 
work isn't necessary or is progressing in a direction that won't suit their 
organization, their involvement may come to an end or become counterproductive.
Agree to rules in the first couple of meetings. Develop a mission statement, 
vision statement, objectives and achievable goals. Publish an agenda for each 
meeting and stick to it.  Assign meaningful action items to the members of the 
team; don't give them trivial tasks to perform. Give the team public credit for
the work being accomplished.
 If a team member is unwilling to work toward the goals, go to senior 
management for a replacement.  Remember, you obtained senior management support
for the computer security program.  They should be willing to replace a team 
member with someone who ultimately will help their organization become more 
secure.
 Computer security consists of physical and information security. Your goals 
must reflect both components.  You must physically secure the computer system 
from unauthorized access or loss.  You also must implement security controls 
that will protect the information in the computer system.  Information security
takes many forms, including operating system and network controls, information
classification and physical security of off-line data storage.
You must integrate the various security disciplines in order to develop an 
effective computer security program.
 Because information security is a large part of computer security, find and 
understand the mission statement, vision statement, objectives and goals of 
the information systems (IS) organization.  This will tell you the why, where, 
how and what the IS business is striving to achieve.  Your business should be 
running parallel to the IS business.  You must influence each other.  If  the 
IS organization is heading in one direction and the computer security program 
is heading in another, in the end there will be chaos.  The inclusion of the 
business managers will aid you here; they typically follow IS direction.
 One of the first action items that the computer security team should complete 
is a computer security mission statement, which will reflect why the computer 
security program exists in the company.  The mission statement should be 
concise and reflect a function that is believed to be necessary for success by
both you and the employees. Below is an example of  a mission statement:
 Ensure Acme Corporation's success in achieving its strategic goals by
providing computer security expertise that leads to the effective management
of Acme's assets and business security risks.
 Mission statements keep the computer security team on track. If the group 
starts to recommend working on nonrelated projects, it's time to reinforce the 
mission.
 The next task should be the creation of a vision statement. This statement
is where your computer security program will lead the company in the future. 
This statement also should be concise.  Below is an example:
 Ensure that as new technologies and procedures are incorporated within Acme 
Corporation, they are implemented in a secure manner.
 The vision statement itself is a measurable statement, but it doesn't define
how it will be measured.
 The next step is to define the computer security team objectives. Objectives 
are how your team will achieve its vision and goals.  Some examples of 
objectives are: 

and decision-making 

and risk management needs. 

  computer information processing.

 The objectives then are supplemented by goals that are obtainable and 
measurable.
 The goals are what you must accomplish in order to reach your vision for the 
company.  Your security team will want to develop short and long-term goals. 
Don't make the mistake of presenting only short-term goals.  Senior management
might be led to believe that once these are achieved, the computer security 
program is completed.  It never will be completed; like any business, it's an 
ongoing concern.
 There are many things you can do to secure computer systems. One of the most 
important is the development of computer security standards and procedures, 
which must be living documents.  Technology and business environments are 
constantly  changing, and the standards and procedures must reflect that 
change.  Once they are developed, they must be implemented within the 
corporation and now become a measurement tool. If the standard states how a 
person is to perform a login, you can check to see if it's actually being 
followed.  You must monitor the computers to ensure they are compliant with the
standards.  Usually this is best accomplished by using automated computer 
security software. 
Choosing and implementing the software will become another goal.
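The kind of automated check the paragraph above calls for, as an added example that is not part of the original article: a written login standard is turned into a list of rules, each host's login settings (constructed key=value dumps, standing in for whatever the real systems export) are parsed, and every host is reported as compliant or as violating specific rules. The setting names, thresholds and hostnames are assumptions made up for this illustration, not values from any real standard or product.

```python
"""Check host login settings against a written security standard.

Everything here is constructed for illustration: the rule names, the
thresholds and the three host configuration dumps are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One requirement from the standard: a setting, the requirement as the
    standard states it, and a predicate that decides whether a value meets it."""
    setting: str
    requirement: str
    check: Callable[[str], bool]


# The written login standard expressed as testable rules (assumed values).
LOGIN_STANDARD: List[Rule] = [
    Rule("PASS_MIN_LEN", ">= 12", lambda v: int(v) >= 12),
    Rule("PASS_MAX_DAYS", "<= 90", lambda v: int(v) <= 90),
    Rule("LOGIN_RETRIES", "<= 5", lambda v: int(v) <= 5),
    Rule("IDLE_TIMEOUT_MIN", "<= 15", lambda v: int(v) <= 15),
    Rule("LOGIN_BANNER", "yes", lambda v: v.lower() == "yes"),
]


def parse_settings(text: str) -> Dict[str, str]:
    """Parse a key=value dump; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


Violation = Tuple[str, str, str, str]  # host, setting, value found, requirement


def check_host(hostname: str, config_text: str,
               standard: List[Rule] = LOGIN_STANDARD) -> List[Violation]:
    """Return one violation tuple per rule the host fails.

    A setting that is missing or unparsable counts as a violation: the
    standard cannot be shown to be followed, so it is reported, not assumed."""
    settings = parse_settings(config_text)
    violations: List[Violation] = []
    for rule in standard:
        value = settings.get(rule.setting)
        try:
            ok = value is not None and rule.check(value)
        except ValueError:          # e.g. PASS_MIN_LEN=abc
            ok = False
        if not ok:
            found = value if value is not None else "<missing>"
            violations.append((hostname, rule.setting, found, rule.requirement))
    return violations


def compliance_report(hosts: Dict[str, str]) -> Tuple[List[str], List[Violation]]:
    """Run the standard over every host; return (compliant hosts, violations)."""
    compliant: List[str] = []
    violations: List[Violation] = []
    for hostname, config_text in sorted(hosts.items()):
        found = check_host(hostname, config_text)
        if found:
            violations.extend(found)
        else:
            compliant.append(hostname)
    return compliant, violations


# Constructed configuration dumps for three hypothetical hosts.
SAMPLE_HOSTS: Dict[str, str] = {
    "acme-fin01": """
        PASS_MIN_LEN=12
        PASS_MAX_DAYS=60
        LOGIN_RETRIES=3
        IDLE_TIMEOUT_MIN=10
        LOGIN_BANNER=yes
    """,
    "acme-eng02": """
        PASS_MIN_LEN=6        # still on the vendor default
        PASS_MAX_DAYS=99999
        LOGIN_RETRIES=3
        IDLE_TIMEOUT_MIN=10
        LOGIN_BANNER=no
    """,
    "acme-ops03": """
        PASS_MIN_LEN=12
        PASS_MAX_DAYS=90
        LOGIN_RETRIES=10
        IDLE_TIMEOUT_MIN=15
    """,
}


if __name__ == "__main__":
    ok_hosts, problems = compliance_report(SAMPLE_HOSTS)
    print("compliant:", ", ".join(ok_hosts) or "none")
    for host, setting, found, required in problems:
        print(f"{host}: {setting}={found} (standard requires {required})")
```

The output of such a check is the measurement the article describes: each line names a host, the setting, what was found and what the standard requires, which is exactly what a violation and exception procedure needs as input. Missing settings are deliberately reported rather than skipped, because a host that cannot demonstrate compliance is not compliant.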
 While in the development phase of the standards and procedures, you must 
achieve computer security awareness by the general employee population. You 
must ensure they understand why the changes are taking place. If they don't, 
they will be reluctant to change their behavior. Some will search for 
alternative, counterproductive methods. Other goals you may want to achieve 
are: development of computer security standard violation and exception 
procedures, computer intrusion escalation procedures, disaster recovery plans, 
authorization procedures and vulnerability studies. You also might advise 
senior management of the progress and state of computer security within the 
company.
 To manage an effective computer security program and develop long-term goals, 
you must stay current with what is happening within your corporation and 
within the computer security industry. Subscribe to one or more security 
journals. There is a wealth of information available to you at no cost. 
This journal and Infosecurity News are two such publications. If you're 
connected to the Internet, there are many news groups that deal with 
computer security, including alt.security, comp.security.unix, 
comp.security.misc, misc.security and comp.virus.
 You also should join at least one professional organization.  Computer 
Security Institute, Information System Security Association and National 
Computer Security Association are a few.  All conduct national conventions 
that offer excellent seminars and publish newsletters or journals for members.
A computer security program should be run as a business with measurable and 
achievable short and long-term goals that reflect the current business and 
technical environments.  The program must be managed by you, through a team 
of business and technical people.  For it to be successful, you must gain 
support of the entire corporation.