A few years ago, in a large financial services organization that had around 15 different business units selling different products and services, the marketing folks got what seemed like a great idea to feed people's growing appetites for new technologies. They decided that they would give a free Blackberry phone (not nearly as common as they are now) to all brokers that reached a specific sales goal for the upcoming month.
To the marketers' great joy, almost all of the approximately 800 brokers met their goal! Along with the Blackberrys, the marketers sent instructions along with this magical and delightful gadget that described how the brokers could synchronize their email with the device. They advised in the instructions that the brokers should not try to do the synchronization until 9:00am PST on a specified Monday so that they would be sure to have staff on hand from any of the time zones in case the brokers had problems. Sound like good preplanning?
That Monday came, and mysteriously the response time of a section of the corporate network not only ground to a standstill but also the call center was flooded with calls, primarily from brokers saying that the synchronization did not work. The brokers basically inadvertently performed a nicely coordinated Denial of Service (DoS) attack by flooding the network all at the same time with the synchronization attempt. Oops.
New technologies have always provided great potential opportunities for businesses to make improvements upon how business is done. Technologies can provide new ways to improve productivity in everyday work activities. These technologies were often created as consumer goods first but then wholeheartedly embraced by business leaders. These new technologies include everything from DVDs to iPods; from Blackberrys to iPhones; from CDs to super tiny, high‐storage USB memory devices; from Facebook and other Web‐based services to online virtual networks; from instant messaging to texting and tweeting.
Although all these new technologies bring with them the potential for improving business, the bad news is that every new technology also brings with it new and unforeseen information security and privacy risks. It makes sense; the majority of new technology is not developed with security in mind but rather ease of use accompanied by how cool and unique they can be. All these cool and unique features inherently bring with them new and unique threats, and can introduce unanticipated vulnerabilities into a business, creating new risks that businesses had never anticipated or prepared for.
What makes these good, new technologies—along with the really bad new accompanying risks—really ugly is that usually the risks are not addressed until after something bad happens. Or, if some forward‐thinking information security leader anticipates the risks and then creates policies for the use of the new technologies, the ugly truth is that significant portions of personnel choose not to follow policies if they perceive the restriction as infringing upon their personal rights.
Multiple studies done in the past year show that growing numbers of personnel are purposefully choosing not to follow policies, particularly when the policies impact their personal use of email, texting, instant messaging, tweeting, and general talking on the phone.
A late‐2008 RSA survey reported that the majority of workers polled said they regularly do not follow corporate security policies in order to get their jobs done. Many others indicated that they did not even know what their information security policies covered, or what they allowed and disallowed.
These situations reveal significant information security management problems:
Is it any wonder policies are perceived as being ineffective?
The already existing risks are significantly magnified when rampant, and employeeperceived innocent policy breaking occurs on a daily basis by otherwise well‐intentioned employees. If you want your information security and privacy policies to be effective, you must:
In the next few sections, I'll discuss the growing common areas where policies either don't exist, the policies are not communicated, or personnel overwhelmingly choose not to follow them.
Consider these statistics:
As these statistics reveal, most people now feel the need to be able to talk, or communicate in some other way, on their mobile phones. Although this enables personnel to get their work done anywhere, it also allows personnel to do personal tasks anywhere, including at work.
Not long ago, while doing a project for a large financial organization, I was sitting at an empty desk in the aisle where all the contracted workers, doing security access changes, were sitting. Two of the eight people sitting in that aisle were talking or texting on their cell phones most of the day. They justified their non‐work activities during the hours they were getting paid by saying, "Hey, we're just contracted; we could get cut at any time. Of course we're going to try and find permanent positions at other organizations while we're here so that we can be covered when we have to leave." Do you have workers with this kind of attitude?
Personnel are also increasingly using USB storage devices within the workplace, and without, to store and carry large amounts of business information. Much of this is personally identifiable information (PII). Do you have enforced policies in place for such devices?
The more mobile PII becomes—being stored upon smart phones, Blackberrys, laptops, and mobile storage devices and being accessed by people who work from home, work while traveling, or work for other companies—the more risk there is that PII will be involved in a breach. Every day, literally, I read news reports about lost or stolen laptops. On June 18, 2008, I read a news report, "A Misconfigured Laptop, a Wrecked Life," which chronicled how one man had his first work laptop stolen, then was fired when the second work laptop he was issued as a replacement was found to have pornography on it; either it was preloaded when he got it or lack of prevention software allowed someone to remotely load it on his computer while he was online.
It is very important to provide training and ongoing awareness communications to personnel about the risks of mobile computing and how to protect mobile computers as well as implement protections for mobile computing devices.
Growing numbers of personnel are using online networking sites and tools. Not only are social networking sites, such as Facebook, more popular than ever but also new communications tools, such as Twitter, are increasingly being considered as a necessity. Do you have information security and privacy policies, procedures, and tools in place to control the participation in and use of these types of sites and technologies to help ensure valuable business information is not leaked out through them?
Organizations must create policies for the use of online social networks. You and your personnel need to understand the security and privacy implications of these sites to prevent accidentally exposing information intended to be private.
Consider Twitter. Today, I spent just a few minutes doing some searches to see if I could find any information posted related to business. I was curious to see how much PII, or other sensitive information, I cold find.
Here are some of the tweets I found, with sensitive and otherwise inappropriate information redacted, when doing a search for "password":
There are also a huge number of company‐ and boss‐bashing messages. In fact, boss bashing seems to be a rampantly popular type of tweet to make while at work. Here are just a small fraction of boss‐mentioning tweets, with appropriate parts redacted, that I also found within just a few minutes:
Not only are many of these career‐limiting types of messages, they could also have legal implications for the companies where these folks work. Just because they usually did not name names in the tweets, it was trivial to go to the profile of the associated TwitterId and often find the name of the company where the individual works. That very quickly led to knowing much more about who the boss could be. Do your personnel understand or realize how easily their tweets could be linked back to them and to your organization? It is your responsibility as the organization's information security and privacy leader to make them aware of this possibility.
In mid‐April 2009, more than 14 million people used Twitter. A recent MarketingProfs survey of 425 Twitter users revealed that they spend an average of almost 3 hours a day on Twitter. And from what I've seen in 2 months of using, and often just lurking on, Twitter, most of this activity is during normal business hours. Business leaders, do you know what your personnel are actually doing throughout the day? Are they linking to business information that should not be made public? Are they naming names that should not be named? It is important to think about all the possibilities and address the identified concerns, and associated risks, with effective and enforced policies; not only for Twitter, but for any of the new and emerging social networking sites.
Not that long ago, personnel never really expected to do any type of personal activities at work. Well, maybe make a quick phone call or two during the course of an exceptional day when a doctor's appointment needed to be made or a school appointment set, but otherwise, for the most part, they came to work expecting to focus on getting their jobs done and then leaving. Occasionally, workers would justify doing such things as writing personal letters at work or taking work supplies home with them. They still do.
But new technologies have brought along new attitudes about what perceived acceptable activities should be at work. Not only do people now expect to use their own mobile phones and computers within the workplace and visit whatever Websites they want to visit whenever they want, it is even becoming the expectation of children in elementary and secondary schools.
I was recently at a conference and heard Jason Dorsey, "The Gen Y Guy," give a keynote about the wants and perceived needs of the four generations of workers that he had defined. He indicated that the youngest generation, the "Gen Y" workers, frankly just expect to be able to do personal activities and use their own personal computers and data storage devices at work unless they are explicitly told by their work managers, through policies and on an ongoing basis through other communications, that they could not.
Various studies also show that the ability to use personal technology tools and Web sites while at work is a feature that growing numbers of workers look for in an employer. If they do not have these abilities, even in these hard economic times, many actively search for a new employer.
Information security and privacy leaders need to keep this perceived need for personal technology use in mind as they create policies and governance programs. Look over your policies, procedures, processes, and technologies and consider the following:
It is critically important to effectively establish information security and privacy requirements if you want to successfully manage data protection to support business.
Why?
Establishing and implementing documented, thoughtful, risk‐based information security and privacy policies provides the safeguard directions and goals necessary to effectively control security. Documented policies also demonstrate and establish management expectations as well as responsibilities and accountability for personnel to implement the safeguards.
Do not assume that personnel will innately know that they must protect information, let alone how to protect it—especially when they are using new and emerging technologies. Were you born with the knowledge for how to cross the road safely or how to ride a bike? People have to be told, and reminded often, how to protect information. Documented policies, supported by appropriate procedures and ongoing training and awareness communications, are necessary to effectively protect information in all forms.
Additionally, persuasive, new, and emerging laws and regulations as well as government and business partner retention and archiving requirements call for formally documented information security and privacy requirements, internal compliance, litigation, and ediscovery support. These must be regularly reviewed and updated appropriately to address risks created by new and emerging technologies that personnel use within the business environment.
Most experienced information security practitioners know that the three generally accepted primary components of information security are confidentiality, integrity, and availability. They are commonly referenced as the CIA triad.
As far back as 1990, Donn Parker expanded upon this typical CIA triad model to provide what, in retrospect, was a more tenable information security model within the context of all these new technologies. Parker called these six elements the "six atomic elements of information," which Dr. Mich Kabay subsequently coined the phrase "Parkerian Hexad," which is now the more popular label. These elements included not only confidentiality, integrity, and availability, but also the additional components of authenticity, utility, and possession (or sometimes referenced as "control"). Certainly with the business‐to‐business and person‐to‐person connections new technologies now allow, these additional three components are more apparent than in 1990 when we were a basically larger, unconnected world.
Let's consider how personnel use of a new technology, such as social networking sites, impacts business through each of the Parkerian Hexad components.
Now let's consider a different type of technology that is just as pervasive as social networking site use—cell phones with texting and photo capabilities—as they apply to the
Parkerian Hexad components. We'll use an iPhone for ease of referencing:
A bad economy requires more information security diligence. That is worth repeating: whenever there is a bad economy, information security practitioners must be more diligent and more aware to ensure security controls and safeguards are effectively working.
The economy has a profound impact on the information. Chapter 1 described the many recent studies that business leaders need to know about that provide compelling evidence that information security and privacy incidents dramatically increase as a result of desperation, with those committing the crimes convincing themselves that they are justified in their criminal actions. The studies reveal that many of the incidents will occur from insiders with authorized access to valuable information.
The economy has a noticeable impact in increasing information risks around data protection activities:
I attend several information security and privacy professional group meetings, seminars, and conferences. A recent seminar was held with information security and privacy officers from numerous agencies and organizations. The facilitator asked the group of around 50 in attendance to name four major technical changes that were on the horizon that would affect their organizations.
Even within this very knowledgeable group of folks, the responses revealed that many to most attendees were unaware of emerging technologies that could have significant impacts on their organizations. In general, they were knowledgeable about current developments in laws and regulations and new compliance products but were unaware of dramatic changes to existing technologies, and brand‐new technologies, that would certainly have a major impact with their organizations in the coming months. Significant numbers of the attendees had never heard of the following:
The challenge to keep up with new and emerging technologies that personnel throughout the organization are widely and quickly using, even while doing business activities, is a weakness among many organizations. Most information security and privacy leaders are overwhelmed by the need to do daily operational and tactical planning.
All these variables result in the need for more proactive data protection activities, including diligent risk assessment activities, which include consideration and forecasting of the new technologies that personnel will be bringing in‐house and using prior to having safeguards established.
Information security risk assessments for facilities, infrastructure, applications, operations, and PII use need to be performed to ensure that threats and vulnerabilities associated with these new technologies have been identified, the recommended controls implemented, and management has accepted the residual risk or transferred applicable risks to another organization. When performing risk assessments for new and emerging technologies, be sure to think out of the box. (Yes, I used an overworked cliché; but it is applicable here.) Information security and privacy practitioners cannot just look at how the new technologies are currently being used; they must also look at how they COULD be used!
Remember, information security exists to SUPPORT the business. To effectively support the business, information security professionals must apply safeguards that are appropriate to mitigate risks to a level that is acceptable to BUSINESS; this will vary from one organization to another based upon each organization's unique environment and circumstances. This is why you cannot just put out a cookie‐cutter information security policy or use an exact copy of a policy that a friend of yours who is also a CISO is using.
There are a number of data protection issues and responsibilities that information security leaders must understand. If poor decisions are made, it could have significant negative impacts upon the organization. Table 3.1 provides a listing of the ways in which information security leadership decisions can impact the business.
Exemplary Leadership Results: Positive Impacts | Poor Leadership Results: Negative Impacts |
Regulatory, contractual, and industry standards compliance | Fines and other sanctions for legal, regulatory, and standards non-compliance, along with bad publicity and lost customers |
Efficient use of staff, resources, and budget | Wasted resources because of duplicated activities, conflicting tasks, numerous versions of code used to do the same type of security task, and so on |
Efficiently prioritizing information security activities based upon risk and need, resulting in projects being delivered on time with little to no security mishaps | Lack of project information security prioritization, resulting in missed due dates and leaving more critical tasks unaddressed |
Standardization of information security products, technologies, processes, and activities makes security actions more efficient and saves time and money | Lack of standardized information security products, resulting in increased time to correct problems and fight fires |
Standardization of information security technologies results in having to support significantly fewer types of products as opposed to trying to keep up with many different products | Lack of standardized of information security processes and procedures, resulting in confusion and loss of momentum |
Centralized information security leadership that applies to all parts of the enterprise ensure security is addressed consistently, resulting in more efficient security | Lack of clear direction and objectives results in lackluster information security leadership, perceived lack of information security importance, and too many areas of the enterprise doing too many types of information security activities; this situation creates conflicts in some areas and leaves gaps in others |
Including specific information security checks and activities throughout the entire systems development management process will help to ensure the most secure applications and systems possible, and ensures that they will handle security controls consistently throughout the enterprise network | Lack of a defined systems development management program that includes information security requirements results in haphazard applications development and applications with poor or completely lacking security controls and poor documentation |
Working on applications and systems based upon criticality and risk will help to ensure the most business-critical vulnerabilities are addressed and implemented before those that are less critical | Lack of organization-determined application criticality results in the unavailability of the most critical applications |
Effective information security controls and requirements will more effectively secure PII and other sensitive information, preventing costly incidents and privacy breaches from occurring | Ineffective information security controls will lead to unauthorized disclosure of sensitive information, including PII, resulting in costly incidents, privacy breaches, bad publicity, lost customers, and fines and other potential penalties |
Effective information security controls help to ensure proper use of information resources in compliance with applicable laws, regulations, industry standards, contractual requirements, and policies | Ineffective information security controls usually results in improper use of information resources |
Effective information security controls help to manage efficiently and in a cost-conservative manner the large numbers of information security threats for which all organizations constantly must be on the lookout | Ineffective information security controls allow a barrage of information security threats, including intrusions, DoS attacks, malicious code (such as viruses, Trojans, worms, spyware, and keyloggers), bots, phishing messages, content spoofing, spam, and related forms of electronic pestilence and mayhem to enter the enterprise infrastructure |
Table 3.1: Information security leadership impacts.
Privacy and trust are essential to maintaining good relationships with customers, employees, and business partners. It is also necessary to address privacy issues to comply with a growing number of privacy regulations worldwide. An effective information security program is necessary to ensure privacy expectations, and trust, are maintained with your customers, employees, and business partners.
For smooth, or at least the smoothest possible, sailing with your information security initiatives, create a governance plan and stick with it. Your organization must stay aware of compliance not only with your information security and privacy policies and practices but also to ensure the policies and practices cover applicable laws and contractual requirements. Implement procedures and documentation to monitor the information security and privacy program on an ongoing basis.
The following are leading practices organizations increasingly follow to help ensure an effective privacy program as well as to help demonstrate due diligence:
The entire enterprise organization, from senior executives down to entry‐level staff, must consider security and privacy as in integral part of the business, not as an after‐thought. Implementing an effective information security and privacy program is more than important; it is a key component of business success.