Principle 4: Security is a common understanding

Would you sign a bank loan if you did not understand the interest to be charged, the penalties for missing a payment, or the process for making payments? You and the bank come to a mutual agreement in creating the loan.

Information security depends in large part on a common understanding of how information can be secured. This builds on the principle that security is everyone’s responsibility — everyone understands their role in using and protecting the information.

Security professionals practice due diligence by fostering a common understanding of threats, risks, costs and incident management. This understanding develops through communication among such groups as administrative management, technical developers and end users.

Due diligence

The concept of due diligence is significant, because it allows for an evolving metric against which computer security is compared. Essentially, it assumes that if enough IT organizations are employing a particular security practice, the control can be considered a best practice for the industry. Not employing the control and then experiencing an incident that the control was supposed to prevent could indicate a lack of due diligence.

Using HTTPS is considered a best practice to ensure transmission security on the Web, for example, especially when the Web application handles sensitive information such as login credentials or credit card numbers. An IT administrator would be hard-pressed to justify not using this control. If an application accepts login information and does not use HTTPS, someone might view the credentials as they cross the network. That person could then use them for inappropriate access to the system. In that case, it is unlikely that due diligence has occurred.

Manage risk appropriately

An understanding of risk involves identifying the value of the information, threats to the information, and what can be done to protect the information from those threats.

To understand risks, consider the following:

  • What type of information do you handle? Does your department collect Social Security numbers or financial information such as bank account or credit card numbers? Do you manage information about faculty, staff and students? Do you manage research information?
  • What are the threats to this information? Does your staff store the information on laptops? Is the information processed in a secure manner with proper access controls or information encryption? Are your employees properly trained to securely handle the information?
  • What is the cost of losing the information? What will you have to pay to recover from it? Will the loss of information hurt your organization’s reputation? Can someone get hurt?

By answering the above questions, you can assess the risks you are assuming when you manage the information with current controls and processes. You can then start to identify methods to mitigate the risk. Do you adhere to other principles such as Least Privilege and Separation of Duties? Are the controls usable by staff and System Users? Has the technologist ensured that there is no single point of vulnerability? Are reports generated that can show if the information is being mishandled? If not, inform management of the risks and recommend methods to mitigate them. Management can then provide resources to reduce the risk or provide leadership in accepting the risk as is.

The Office of Cybersecurity provides a framework to assist campus departments in identifying risks and provides recommendations on how to mitigate those risks.


Threats to certain types of information may financially harm System Users or the business, may diminish the reputation of the organization, or in some cases physically harm people or property.

Information security professionals make people aware of such threats and provide information on how to mitigate the threats. To inform users about phishing schemes, for example, security professionals can distribute posters that describe the threat and how to avoid it. They can alert code developers of threats and ways to code their systems to guard against such threats. Security professionals can alert management to threats posed by storing personally identifiable information and may recommend more secure business practices.

The threat landscape is always changing, based on the value of the information being sought. Social Security numbers, for example, were not as valuable to criminals in the past, because the information was not digitally spread across business systems.

Traditional threats and mitigation steps include:

Information theft

Many companies have trade secrets. In the campus community, many research projects store valuable information. If this information is not appropriately secured, it can be misused. Controls to protect against this threat include imposing strong access controls, encrypting information, protecting desktops and laptops with anti-virus software, and deleting unneeded information.

Identity theft

Criminals may attempt to steal the identity of another person to, for example, open a credit card account. Criminals can obtain a password if it is weak or by launching a brute force attack or dictionary attack. Mandating the use of strong passwords, limiting the number of failed logon attempts, and protecting the location of passwords can prevent these attacks.
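The three mitigations named above (a strong-password mandate, a cap on failed logon attempts, and storing passwords only in protected form) as one small login module. This is an added example, not code from the page or from UW-Madison; the dictionary, minimum length, attempt limit and lockout window are constructed policy values chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed mini-dictionary; a deployment would load a large list of breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LENGTH = 12          # policy value assumed for the example
MAX_FAILED = 5           # lock the account after this many consecutive failures
LOCKOUT_SECONDS = 900    # 15-minute lockout, assumed for the example


def password_is_strong(password: str) -> bool:
    """Enforce the strong-password mandate: minimum length and not in the dictionary."""
    return len(password) >= MIN_LENGTH and password.lower() not in COMMON_PASSWORDS


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Derive a salted PBKDF2 hash so the password itself is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class Account:
    def __init__(self, username: str, password: str):
        if not password_is_strong(password):
            raise ValueError("password does not meet policy")
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0   # epoch seconds; 0.0 means not locked

    def login(self, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'; failures are counted to throttle guessing."""
        if now < self.locked_until:
            return "locked"                      # refuse even a correct password while locked
        _, candidate = hash_password(password, self.salt)
        if hmac.compare_digest(candidate, self.digest):
            self.failed_attempts = 0             # a success resets the counter
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED:
            self.locked_until = now + LOCKOUT_SECONDS
            self.failed_attempts = 0
            return "locked"
        return "denied"
```

The lockout counter is per account; a real deployment would also log each lockout so the mishandling reports mentioned later on this page have something to draw on.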

Loss of availability

Some attackers who want to harm a business may launch a Denial of Service attack, which floods the target with so much network traffic that the target cannot respond to System Users. Implementing strong network controls such as firewalls that filter network traffic can reduce the possibility of lost system availability.

More information regarding threats relating to information technology is available through SANS.

Manage costs

To varying degrees, risks exist in every process. Once you know your liability and the risk you are incurring in your business processes, you can choose to accept the risk or mitigate it by implementing controls.

A business that must maintain or consume sensitive information such as Social Security numbers, driver’s licenses, or bank account numbers assumes an associated risk of that information being accidentally released to the public.

How likely is that to happen? Are these sensitive information elements encrypted on disk, absent from Web forms, and accessible only to a few key people in your organization? If so, your risk is lower than if Social Security numbers are used as a key within a table and required as an element to identify users of your system(s).

Managing costs is about:

  • Understanding your risk, both the likelihood of exposure and the associated costs. Costs could include actual expenses (fixing the root problem, notifying affected users, a year of credit reports, etc.) and bad publicity.
  • Considering the relative cost savings of implementing controls and perhaps changes in your business processes up front to mitigate risks and thus lessen the likelihood of exposure of sensitive information.

Incident management

If your home were burglarized, you would ask the police to investigate. They would tell you how the thief gained access to your home and give you advice for protecting your home from future burglaries. The police will also keep a record of the event, which could lead to capture of the criminal. That success could result in more funding to protect your neighborhood.

IT Security investigates computer-related incidents in similar ways. Successful incident management involves a coordinated response to reported security incidents, which in turn:

  • Provides an overall view of current threats faced by an organization
  • Allows for metrics to be applied to received reports
  • Provides for the consistent handling of received reports
  • Helps ensure that the necessary staff are engaged to handle the reported incidents

UW-Madison’s Incident Management process begins with reporting an incident. Members of the campus community can report an incident.