On occasion, I get reminded that the industry continues to use the terms information security (InfoSec) and Information Technology security (ITSec) as synonymous terms. This is very misleading to all parties and has made the information security practitioner’s job much, much more difficult. Going on record, let me state that information security is all about the protection and appropriate use of ‘information’, regardless of its source (e.g., electronic, paper, intellectual). Information security is a ‘business issue’, and therefore ownership and the appropriate use of information fall under the business owner’s control and direction. Information Technology security, although a sub-component of InfoSec, is about IT tools for the protection of IT infrastructure (e.g., firewalls, antivirus, web filters, software patches, servers). Clearly, these two are related, but just as clearly, InfoSec sits at the highest level of the security paradigm.
I am often amused at how industry continues to make the CIO/CTO ‘own’ InfoSec for an organization. Let us get serious here: how would an IT Director ‘know’ all the legal terms and obligations, from a business sense, needed to ensure that information they are only the custodian of is protected as required by law or internal governance? Information protection is based upon the owner’s requirements (whatever they are extracted from), and thus it is the information owner’s responsibility to label their information (data per se) accordingly and then inform IT of how that information is to be protected in the IT environments.
This is essentially a Business Analysis 101 concept. That is to say, the business owner dictates how an IT system is to behave (they own that too) and that the proper IT security controls are in place to protect the information on those system(s). IT staff are to be considered the ‘experts’ on their particular lines of IT business. For example, an applications programmer is charged with ensuring that the code they create meets a certain level of integrity (they are expected to write secure code) and with testing it accordingly. Network staff are expected to make sure that their networks have the latest patches, that the access control lists are accurate and up to date, and that only authenticated and authorized transactions are allowed to pass on the network.
Systems software staff perform essentially the same functions and services as application software staff, only at the ‘systems software’ level (think operating systems, or OS). Again, they are primarily concerned that the operating systems that run application software are reliable and are performing as required to keep a system available to all of its users.
Operations staff are the IT staff who ‘run’ all of these systems and applications to meet their customers’ needs. These runs are usually tied to some time interval that makes sense to the customer (and in many cases the customer could be the information owner themselves).
Most IT organizations have a helpdesk or customer services center whose primary function is to help ‘users’ gain access to the various customers’ systems and applications so they can perform their duties for their organizations. These IT staff should have a pretty good understanding of both the applications and the IT infrastructure in place to run those applications, so that they can assist their customers in obtaining the required information that they are authorized to access. This includes creating such things as logs of problems, remediation events, and any other action necessary to keep the business afloat.
You will note here that IT staff are separated by distinct duties (often referred to as separation of duties) to ensure that no one individual can compromise the whole computerized environment. Also note that information (data) itself has not been truly referenced in any of the IT staff duties.
Putting the word ‘information’ alongside ‘technology’ is a misnomer. It should simply be technology security.
Technology has transformed, and will continue to transform, the ways that organizations can process their information (data). And yes, as that technology changes, so will the risks associated with the availability and integrity of technology platforms. This has always been the case, especially since the invention of the personal computer, which was the point in time when information (data) was placed at significantly greater risk, as it now sits on a distributed computerized platform (long gone is the mainframe in the middle of the building surrounded by glass). Now, clearly, mobile media is increasing the risks associated with information loss, unauthorized access, and other forms of misuse.
However, as a practice, InfoSec has always been the same. Regardless of the technology involved, InfoSec has always been about the confidentiality, integrity, and availability (CIA) of information. This too is a risk management/assessment concern, as the business of protecting the information continues to fall on the risk tolerance of the business/information owner. The more the information is valued, the more protection or security layers will be necessary to maintain it. This involves policies, legal positions, and corporate and government laws. It also takes into account both physical and logical (computerized/technology) security methods. InfoSec, then, is comprised of governance over the information and includes organizational policies and technology security (e.g., authentication, authorization, logs, firewalls, disaster recovery interfacing with business contingency planning, information retention), all of which are defined by the business owner’s risk tolerance. It also includes an overall information security and awareness component that will ensure that all stakeholders understand their roles and responsibilities in ensuring that the information made available to them is used appropriately.
Organizations need to reconsider how they are using their security resources. There is therefore a clear need to have a Chief Information Security Officer who is a peer to the Chief Information (Technology) Officer. Again, the rationale here is that if and when the CISO publishes a corporate policy that would or may have a direct impact on how an IT department is run, the CIO should not be in a position to say ‘no’. Again, let me emphasize it: InfoSec is a business issue and as such should report to the highest level (the risk taker!) of the organization.
The CIO is clearly not that individual!

Kevin D. Dickey is the Deputy CIO and Chief Information Security Officer for Contra Costa County. He has over 34 years of government experience in the field of Information Technology. He currently oversees the Contra Costa County Information Security Program for the County’s 38 Departments to ensure consistent rollout of this County-wide Program, and was the first Information Security Officer in a California County Government (58 Counties). Kevin pioneered the formation of a State-wide Information Security Forum through the California County Information Services Directors Association (CCISDA) to ensure that all California Counties have the ability to build and maintain a uniform Information Security Program. He is also the Co-Chair for the establishment of California State standards for Electronic Health Information Exchange (E-HIE), led by the California Privacy and Security Advisory Board (CalPSAB). He was a member of the Pacific NorthWest Economic Region (PNWER), which is a Public-Private Partnership consisting of the American states and Canadian provinces of Alaska, Alberta, British Columbia, Idaho, Montana, Oregon, Washington, and the Yukon. PNWER's mission is to foster sustainable economic development throughout the entire region in the event of any disruption due to manmade or natural disaster. He has been a regular speaker or panel member at various seminars for many years, discussing issues such as Continuity Planning, Information Security Program ‘Best Practices’, HIPAA, and Privacy of Government Controlled Information. Kevin was also the first ‘Security Counsel’ in the premier edition of Chief Security Officer (CSO) magazine, was on the Editorial Advisory Board for SC Magazine, and has been published in many industry and government periodicals.