This essay explores the motivators for excellence in Security Management. Specifically it looks at the factors that work against positive motivation, and the limitations of negative motivation when it is applied to Security Managers and Managers with security responsibilities. The second section takes a look at the practical issues in security management in just one (anonymous) organisation, and while some of the issues may be very specific to that environment, they illustrate how the 'ideal' and the 'actual' can differ.
A Possible Model for IS Security Management
It is important that Managers with responsibility for IS security are motivated by a desire to create an effective IS Security Environment, rather than simply by a concern to adhere to standards so as to avoid opprobrium for security failures. While the former approach is essentially open-ended and able to accommodate changes in organisational arrangements and in technology, the latter approach is frozen in time at the moment of publication of the standards, and is limited to the horizon set within those standards. A standards-only approach discourages any initiative or questioning of those standards, even in the face of evident shortcomings. The further removed we are from the place or the point in time where those standards were developed, the less likely they are to meet, or continue to meet, our requirements to secure our IS environment.
My suggested model involves the creation of a Security Team whose primary role is to be implementers and auditors, rather than processors. Their performance should not be measured by the degree to which staff comply with the standards that the Team develops (and constantly evolves), but rather by the degree to which those standards comply with the requirements of the organisation. We create a point in the organisation where IS Security is the sole focus of activity, and where security staff can be motivated by positive achievement, rather than by compliance (only) with a negative template. The continuing positive focus of the Team would, however, depend very much upon the attitude of the organisation Executive.
If the Executive’s only interest in IT Security takes the form of admonishments to avoid Security breaches, it is likely that every level below them in the organisation will revert to a standards compliance-only model. To take the initiative and drive IT Security forward we need to have an Executive that understands that IT Security is something that has to be ‘Managed’ (implying the full range of reactive, proactive and reflective approaches) rather than something we simply comply with. This suggests that the Team will need to put considerable work into upwardly managing the Executive’s perception of, and expectations for, IT Security.
I might add that I do not suggest that the processing of applications to grant or vary IT security access be done by this Team. These are simply administrative functions that could be done at almost any level or location within the organisation, and would unduly ‘clutter’ the Team with lower level staff undertaking processing work, or worse still result in senior level staff becoming bogged down in processing. There is an advantage for the Team in being somewhat removed from the actual processing, in that it allows them to more effectively exercise their (in my view correct) part-role of internal audit. It also allows them to distance themselves somewhat from the feelings of irritation that staff may feel towards the need to apply for and wait to be granted access to systems.
A successfully led team might in fact use this distance from actual processing to ensure that they are always associated in the minds of staff with what they see as positive initiatives in IT Security – such as making it more consistent and less intrusive. And there is always the happy possibility that in working to create the impression, they might achieve the result.
Deficiencies in IT Security Management Models
Are your IT Security Managers (in IT and line areas) motivated by a desire to set up and maintain an IT security system that is minimally intrusive while effectively and appropriately securing the information assets of the organisation? The answer to this question needs to be viewed through an appreciation of the answers to the following questions:
• Is he or she recognised for their security work and encouraged to continue it by senior staff
• Is he or she bogged down in processing work
• Does he or she have the tools or the opportunity to effectively do the job
• Does he or she have to ‘fit’ the security role in between other tasks
• Does he or she have the training to do the job
• Does she or he have any control or influence over how the system is built or implemented
I would suggest that the role of an IT Security Manager is neither a natural nor an easy one. I would further suggest that while the fairly high level that it usually occupies within the organisation reflects the implications of Security failure for the organisation, it also reflects the complexity of the task and the skills and experience it requires of any candidate for the position.
Do we recognize a reluctance to discuss or examine our IT Security environment at management level? This may be because we operate under the ‘set and forget’ delusion that rules once set do not require further review, that rules can be implemented by lower level staff without the need for any audit, and that if any improvements are required they will be suggested by external auditors when they get around to us. It may also be that managers know that if they identify any shortcomings in IT Security Management they will be called upon by the external auditor (in due course) to explain what they did about it. The nature of IT Security external auditing is that a failure to act on a recognised shortcoming in Security is regarded far more seriously than failing to recognise the shortcoming in the first place.
It may also be that IT Security Managers know that addressing shortcomings in Security Systems requires co-operation from their colleagues and staff generally, and they may doubt that anyone is prepared to put further work into a System that is already the subject of a fairly high degree of dissatisfaction. And it may be that IT Security Managers are reluctant to tackle shortcomings in the administration of IT Security if they perceive that these reach across wide areas and many levels of management, including levels above their own.
To what degree have you already achieved excellence in IT Security Management? Remember that the state of the IT Security environment is the sum of many inputs (which is to say the Security Manager does not bear total responsibility for anything that the following lists might indicate as being 'amiss'). Consider just one aspect of Security, password management, and gauge your own performance:
• Do we use a form or some other mechanism that can be recalled and audited
• Do we check the signatures on the form against known signatures of managers
• Do we know who the managers of those applicants are
• Do we check why the applicant is making the application
• Do we use the request for a password change as an opportunity to detect fraud
• Do we check applications for evidence of the manager's signature being photocopied
• Do we retain copies of the applications for later audit, and are they retrievable by multiple criteria
• Do we understand the difference between ‘authorisation‘ and ‘verification of identity’
• Do we feed back to Managers information about the requests they have authorised
• Do we feed back to Systems ‘owners’ the rate at which their systems generate password resets
• Do we make suggestions about how those systems might be improved to lessen the rate of password resets
• Are we confident that our network replicates a changed password between all systems that use that password within the timeframe that a system user might change their password and then switch between applications
• Do we ensure that onscreen password change prompts act consistently and reliably, and that all systems use consistent and clearly understood rules for new passwords
• Do we make suggestions about how induction or training could be improved to lessen the rate of password errors
• Do we ensure that reset passwords are not always the same initially
• Do we ensure that reset passwords are treated as one-use only by their systems
• Do we ensure that in the case the system does not insist on resetting a freshly allocated password, the caller does
• Do we take steps to ensure that freshly allocated passwords are communicated to applicants through secure channels
• Are we taking any steps to reduce the burden on systems users of having to remember multiple passwords that reset at different intervals
• And giving regard to all of the above, do we still believe it is the system user's fault when they forget their password, or make a mistake when using systems to change their password
Consider also how we perform against the broader field:
• Does the Security Manager have a matrix which shows all levels of access to all resources and systems and which positions within the organisation should have access to those resources?
• Can the Security Manager point to written authorities detailing appropriate access templates from the owners of those resources and systems?
• Has the Security Manager taken steps to ensure that mechanisms exist so that movements between positions, commencements and cessations trigger appropriate parallel changes in the Security Systems?
• Can the Security Manager point to a log of incidents where staff have been detected (or have reported themselves) as having incorrect levels of access as a result of a failure to co-ordinate between the HR and the IT systems, and is the Security Manager able to indicate what has been done to overcome this problem if it exists?
• Does the Security Manager take any steps to ensure that there is appropriate separation of responsibility built into systems, and that Unit Managers are allocating levels of security access to different positions in such a way that the intended separation occurs – or does the IT Security Manager believe that this is solely a line manager responsibility?
• Does the Security Manager take any role in keeping a watching brief on alternate security technologies and security issues raised by the expansion of new technologies such as USB memory devices, and, where appropriate, issue new guidelines and regulations for the use of that technology (as it affects security of data and systems)?
• Does the Security Manager take any role in setting policy for, or monitoring of, removal of data to offsite locations, and its level of security when held offsite (eg homes)?
• Does the Security Manager have any log of files copied to removable devices which would show him or her what was copied, when it was copied, and by whom?
• Does the Security Manager take any steps to survey system user attitudes to Security Systems, or attempt via anonymous surveys to measure the frequency of instances of subversion of password security (eg by sharing passwords)?
• Does the Security Manager have a clear understanding of a protocol to handle situations where criminal fraud may be involved, including issues relating to the protection of evidence?
The extent to which we achieve excellence against these criteria may give a very rough indication of how we stand. I say rough, because they are just ‘top of the head stuff’ and by no means cover the full range of IT Security Management issues. For instance the issue of wireless security is a whole chapter that I have skipped past. I have expanded a little on some points in my notes, but even here I have taken a fairly economical approach. My view is that organisations to a large degree will have to take the pressing need for work in the IT Security Management area ‘on faith’, and organise a proper review to point out exactly where they are at the moment, where they need to go, and how to get there.
Notes (I have to reference these back to the preceding text .. another task for 'later')
1. Where there is some periodicity built into reporting on, or hosting an external audit of, compliance with standards (as is usually the case) the ‘enthusiasm’ for - and the effectiveness of - managing compliance tends to follow that cycle also.
2. Staff compliance with IT security standards should be a job for Unit Managers, as it is essentially a staff management issue. Removing responsibility from (or not encouraging it in) Unit Managers diminishes the significance of security in the minds of staff and managers, and makes correction of bad habits more difficult. Unit Managers are often best placed to observe ‘holes’ in security and are less likely to regard these with concern or alert senior IT security planners if they do not perceive that they have any responsibility (evidenced by day to day involvement) in IT Security. Anecdotal evidence suggests that staff and Managers have colluded on occasions to circumvent IT security, where they have observed (correctly or otherwise) that it has impeded their ability to 'get on with doing their jobs'.
3. I am not suggesting a no-standards approach. In fact I am suggesting the opposite: a set of very strong, very clear, and very current standards, and tying the organisation to compliance with those standards much more closely.
4. I am not suggesting that the IT Security Manager simply ‘hope’ that the quality of their work flows through to, and is recognised by, systems users. This is far too haphazard an approach to hang one’s prospects for reward and advancement upon. I am suggesting a very active approach by the IT Security Manager, through survey, touring and meeting with systems users. I am suggesting that they become an advocate for systems users (and the organisation) against application designers who incorporate difficult security models, and an advocate for any security technology that will make life for systems users easier. This latter advocacy does not require that we adopt those developing technologies, and in fact to push too hard to do so would alienate one’s peers in IS responsible for systems and infrastructure, and cause alarm in the Executive at the potential cost. The IT Security Manager simply needs to make it known to staff that we are aware of possible improved technologies and are monitoring them with a view to hopefully implementing them in due course. Perception of a better future, however insubstantial, is a powerful tool in managing acceptance of existing shortcomings, and the advocate of the better future is often given disproportionate confidence and regard.
5. If there is an understanding of what security levels are appropriate to every position within the organisation and a process for identifying who the occupants of those positions are, then the process of authorisation of access becomes extremely simple, and highly verifiable through audit and exception reporting systems. It would be one of the early functions of the IT Security Management Team to construct a people/resource security matrix, and to look at the linkages out to HR systems and procedures. Given this ground work, authorisation could then easily be handled by first level support within the ServiceDesk. I am not suggesting any expert system type approach, simply doing some well overdue work on the rule-base. I might add that experience with computerised expert systems suggests that it is the discipline of creating a rule base (which is a prerequisite to computerising those rules), rather than the technology used to do it, that is the major factor in delivering efficiencies and cost savings. Whether the rules are accessed automatically or manually results in few additional savings. The organisation might wish to consider, giving regard to issues of fallibility (and cost), the possibility of a fully automatic IT Security System. A caution is warranted here, however, in that many of the staff with the most complex and customised security are found in the senior levels of both the medical and administrative arms of the organisation. This creates a risk scenario of high probability and high consequence. Ultimately it may be safer for IT Security Managers to leave people in the loop (remembering that they may not be directly responsible for the processing staff), rather than have an automated system (which will almost certainly be considered their direct responsibility) making the mistakes.
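As an added illustration, not code from this essay or from any organisation it describes, the following Python sketches the people/resource matrix and the HR-linked exception reporting this note describes, and the HR/IT co-ordination failures the earlier questions ask about (cessations and position moves not replicated, orphaned accounts, separation never provisioned). All positions, entitlement names, users and dates are constructed sample values.

```python
from datetime import date

# Access template: the entitlements each position should hold (the
# people/resource matrix). Constructed sample values, not a real organisation's.
POSITION_TEMPLATE = {
    "ward_clerk": {"pas:read", "email"},
    "pharmacist": {"pas:read", "dispensing:write", "email"},
    "payroll_officer": {"hr:read", "payroll:write", "email"},
}

def expected_access(hr_roster, today):
    """Map each user to the access they should hold, from HR's position and
    end date. hr_roster is a list of (user, position, end_date-or-None)."""
    expected = {}
    for user, position, end_date in hr_roster:
        if end_date is not None and end_date < today:
            expected[user] = set()   # cessation: everything should be revoked
        else:
            expected[user] = set(POSITION_TEMPLATE.get(position, set()))
    return expected

def exception_report(hr_roster, actual_grants, today):
    """Compare actual grants with the matrix-derived expectation; returns
    sorted (user, kind, entitlement) with kind excess/missing/no_hr_record."""
    expected = expected_access(hr_roster, today)
    report = []
    for user in sorted(set(expected) | set(actual_grants)):
        have = actual_grants.get(user, set())
        if user not in expected:
            # account with no HR record at all: orphaned, or never entered in HR
            report.extend((user, "no_hr_record", e) for e in sorted(have))
            continue
        want = expected[user]
        report.extend((user, "excess", e) for e in sorted(have - want))
        report.extend((user, "missing", e) for e in sorted(want - have))
    return report

# Constructed sample roster and grants illustrating the failure modes.
SAMPLE_HR = [
    ("asmith", "ward_clerk", None),
    ("bjones", "pharmacist", None),                    # dispensing never provisioned
    ("cwong", "payroll_officer", date(2024, 1, 31)),   # left; cessation not replicated
    ("dlee", "ward_clerk", None),                      # moved from payroll; old access kept
]
SAMPLE_GRANTS = {
    "asmith": {"pas:read", "email"},
    "bjones": {"pas:read", "email"},
    "cwong": {"hr:read", "payroll:write", "email"},
    "dlee": {"pas:read", "email", "payroll:write"},
    "zorphan": {"email"},                              # account with no HR record
}

def sample_report():
    return exception_report(SAMPLE_HR, SAMPLE_GRANTS, date(2024, 3, 1))
```

Run against a real export, the same comparison gives the ServiceDesk a verifiable rule-base and the Security Manager the incident log the earlier questions ask for.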
6. There is sometimes an assumption that Security Management is not a skill that can be taught or learnt. A compliance only model suggests that all that is required is a familiarity with the ‘rules’, or where the rule book is located. Consider, however, that even a modest IT Security Management training curriculum might include (but not be limited to) modules covering (1) underlying principles of network and application security (2) privacy act considerations (3) Virus and trojan risks and responses (4) Live and archived data storage, transmission and encryption issues both onsite and offsite (5) Email security (6) overview of firewall management and (7) Legal aspects of Security Management and the Evidence Act (or equivalent in your jurisdiction). I’d guess that there might be some debate about whether all of these were required, or the degree to which IT Security Managers already had skills in these areas. I would, however, suspect that none had given consideration to a scenario where they were giving evidence in court, or were confident that if they collected evidence and presented it they had not inadvertently done so in a way that made it inadmissible in court.
7. If we believe 'forgotten passwords' are the system users' fault, then by inference we believe that it is not our fault, and we have (then) very little motive to do anything to make those passwords easier to remember, or to make the systems that change them easier to use (or more reliable). For instance, is there not a case for preventing password change prompts happening on a Friday afternoon, or just before public holidays (which is not to say manually triggered ones wouldn't be possible)? If you consider this 'pandering' to the fallibilities of the system users' memories then you are absolutely correct. But you should realize the significance of the existence of this option whether you choose to implement it or not - it means that you have elected to maintain a system that results in a small, but visible increase in the number of password reset requests on Mondays and days following public holidays.