Knowledgewharton information security why


…capitalization had plummeted over 75 percent, dropping over half a billion dollars in value. [T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009.] The Heartland case provides a cautionary warning against thinking that security ends with compliance. Heartland had in fact passed multiple audits, including one conducted the month before the infiltration began. Still, at least thirteen pieces of malware were uncovered on the firm’s servers. Compliance does not equal security. Heartland was compliant, but a firm can be compliant and not be secure. Compliance is not the goal; security is. Since the breach, the firm’s executives have championed industry efforts to expand security practices, including encrypting card information at the point it is swiped and keeping it secure through settlement. Such “cradle-to-grave” encryption can help create an environment where even compromised networking equipment or intercepting relay systems wouldn’t be able to grab codes. [T. Claburn, “Payment Card Industry Gets Encryption Religion,” InformationWeek, November 13, 2009; R. King, “Lessons from the Data Breach at Heartland,” BusinessWeek, July 6, 2009.] Recognize that security is a continual process: it is never done, and firms need to pursue it with tenacity and commitment.

Education, Audit, and Enforcement

Security is as much about people, process, and policy as it is about technology. From a people perspective, the security function requires multiple levels of expertise. Operations employees are involved in the day-to-day monitoring of existing systems. A group’s R&D function is involved in understanding emerging threats and reviewing, selecting, and implementing updated security techniques. A team must also work on broader governance issues.

These efforts should include representatives from specialized security and broader technology and infrastructure functions. They should also include representatives from general counsel, audit, public relations, and human resources. What this means is that even if you’re a nontechnical staffer, you may be brought in to help a firm deal with security issues. Processes and policies will include education and awareness—this is also everyone’s business. As the Vice President of Product Development at security firm Symantec puts it, “We do products really well, but the next step is education. We can’t keep the Internet safe with antivirus software alone.” [D. Goldman, “Cybercrime: A Secret Underground Economy,” CNNMoney, September 17, 2009.] Companies should approach information security as a part of their “collective corporate responsibility…regardless of whether regulation requires them to do so.” [Knowledge@Wharton, “Information Security: Why Cybercriminals Are Smiling,” August 19, 2009.] For a lesson in how important education is, look no further than the head of the CIA. Former U.S. Director of Intelligence John Deutch engaged in shockingly loose behavior with digital secrets, including keeping a daily journal of classified information—some 1,000+ pages—on memory cards he’d transport in his shirt pocket. He also downloaded and stored Pentagon information, including details of covert operations, at home on computers that his family used for routine Internet access. [N. Lewis, “Investigation Of Ex-Chief Of the C.I.A. Is Broadened,” New York Times, September 17, 2000.] Employees need to know a firm’s policies, be regularly trained, and understand that they will face strict penalties if they fail to meet their obligations. Policies without eyes (audit) and teeth (enforcement) won’t be taken seriously.

Audits include real-time monitoring of usage (e.g., who’s accessing what, from where, how, and why; sound the alarm if an anomaly is detected), announced audits, and surprise spot checks. This function might also stage white hat demonstration attacks—attempts to hunt for and expose weaknesses, hopefully before hackers find them. Frameworks offer guidelines on auditing, but a recent survey found that most organizations don’t document enforcement procedures in their information security policies, that more than one-third do not audit or monitor user compliance with security policies, and that only 48 percent annually measure and review the effectiveness of security policies. [A. Matwyshyn, Harboring Data: Information Security, Law, and The Corporation (Palo Alto, CA: Stanford University Press, 2009).] A firm’s technology development and deployment processes must also integrate with the security team to ensure that from the start, applications, databases, and other systems are implemented with security in mind. The team will have specialized skills and monito...
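The real-time monitoring the audit passage describes (who is accessing what, from where, how, and when, with an alarm when something departs from the norm) can be sketched as a small check over access-log lines. This is an added illustration, not code from the textbook or from any of the firms it discusses; the log format, the user names, the IP addresses and countries, and the two-hour "working window" rule are all constructed assumptions.

```python
"""Toy access-monitoring check: build a per-user baseline from reviewed
log lines, then flag live events that fall outside it.
Sample data is constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed baseline: recent, already-reviewed access events per user.
# Fields: timestamp user resource source_ip country action
BASELINE_LOG = """\
2009-11-02T09:14:03 alice payments-db 10.1.4.22 US read
2009-11-02T10:40:51 alice payments-db 10.1.4.22 US read
2009-11-03T08:58:12 alice hr-portal 10.1.4.22 US read
2009-11-03T14:12:40 bob payments-db 10.1.7.9 US read
2009-11-04T15:30:05 bob payments-db 10.1.7.9 US read
"""

# Constructed events arriving "live"; two of them should trip the alarm.
LIVE_LOG = """\
2009-11-05T09:05:17 alice payments-db 10.1.4.22 US read
2009-11-05T03:12:44 alice payments-db 203.0.113.50 RO export
2009-11-05T16:02:09 bob payments-db 10.1.7.9 US read
2009-11-05T16:10:33 bob customer-keys 10.1.7.9 US export
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    resource: str
    src_ip: str
    country: str
    action: str


def parse_log(text):
    """Parse the whitespace-separated constructed log format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, resource, src_ip, country, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, resource,
                            src_ip, country, action))
    return events


def build_profiles(events):
    """Per-user baseline: countries, resources, actions and hours seen."""
    profiles = defaultdict(lambda: {"countries": set(), "resources": set(),
                                    "actions": set(), "hours": set()})
    for e in events:
        p = profiles[e.user]
        p["countries"].add(e.country)
        p["resources"].add(e.resource)
        p["actions"].add(e.action)
        p["hours"].add(e.ts.hour)
    return profiles


def check_event(e, profiles):
    """Return the reasons an event departs from its user's profile.
    An empty list means the event looks normal."""
    reasons = []
    p = profiles.get(e.user)
    if p is None:
        return ["no baseline for user"]
    if e.country not in p["countries"]:
        reasons.append(f"new country {e.country}")
    if e.resource not in p["resources"]:
        reasons.append(f"new resource {e.resource}")
    if e.action not in p["actions"]:
        reasons.append(f"new action {e.action}")
    # Off-hours rule (assumed): more than two hours from any baseline hour.
    if all(abs(e.ts.hour - h) > 2 for h in p["hours"]):
        reasons.append(f"off-hours ({e.ts.hour:02d}:00)")
    return reasons


def find_anomalies(baseline_text, live_text):
    """Return (user, resource, reasons) for every live event that deviates."""
    profiles = build_profiles(parse_log(baseline_text))
    alerts = []
    for e in parse_log(live_text):
        reasons = check_event(e, profiles)
        if reasons:
            alerts.append((e.user, e.resource, reasons))
    return alerts


if __name__ == "__main__":
    for user, resource, reasons in find_anomalies(BASELINE_LOG, LIVE_LOG):
        print(f"ALERT {user} -> {resource}: {', '.join(reasons)}")
```

Run as-is it raises two alerts: alice's 03:00 export from a new country, and bob's first-ever export from a resource he has never touched. The point of the per-user baseline is the "why" in the passage: an event is suspicious relative to what that person normally does, not in the abstract, which is also why the baseline must come from reviewed activity rather than from whatever the logs happen to contain.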

This document was uploaded on 01/31/2014.
