
FEATURE

The Importance of IT Security

Roderick K. Parkin

Security and the 'will to survive' are basic instincts which are evident in all aspects of life. Businesses in general exhibit and practice these instincts with varying degrees of success.

Historically, for the more security conscious companies, great pains have been taken to protect business assets through a combination of physical measures such as building security, and good working practices including dual control, separation of duties and data authentication. However, the increasingly competitive nature of financial services and the business environment in general, has meant that organizations now face ever increasing pressure in their efforts to maintain and increase their profitability.

In turn, this usually means that the need to take risks is increased. Achieving a cost effective balance between security and risk is, therefore, fundamental to the successful operation of all companies. IT security is a business problem, not a technical issue.

Security must not be viewed separately from other key business objectives or missions in ensuring the success and continued profitability of the company. For any organization good IT Security is essential because IT is at the heart of your organization.

All computer security is aimed at protecting the fundamentals of confidentiality, integrity and availability of data and the associated computer processes. For obvious reasons this is often referred to as the CIA of IT Security.

What happens if security fails

The above fundamentals of CIA will represent differing priorities and values depending upon the size of the organization, the nature of the business and, for large companies, the area or department concerned. The following summary indicates the potential loss scenarios together with a definition of each category as used by BS7799 (A Code of Practice for Information Security Management).

If confidentiality is breached there will be a loss due to unauthorized disclosure of information. Confidentiality entails protecting sensitive information from unauthorized disclosure or intelligible interception.

The integrity of data or computer systems is compromised when unauthorized modification occurs. Integrity means safeguarding the accuracy and completeness of information and computer software.

The availability of information becomes a major issue when there is a delay in obtaining the required information or accessing the computer system. If the delay is due to damage or destruction then there will also be a replacement cost to be considered. Availability ensures that information and vital services are available to users when required.

"Security must not be viewed separately from other key business objectives or missions"

What is worth examining at this point, however, is the importance of each category to your organization. By examining these principles in respect of every area, you can determine what the risks are, identify the potential loss, and decide on the type and level of protection required.

"Achieving a cost effective balance between security and risk is, therefore, fundamental to the successful operation of all companies"

Clearly, the answers may well be time dependent both in terms of length of delay and also when the delay occurs. Generally it is wise to estimate losses on a 'worst case' principle, bearing in mind that if significant delay occurs at the worst possible time of the week/month/year the resulting damage may well be compounded.

"Failure of your IT system can bring embarrassment and a poor public image to the company"

Computer Fraud & Security, March 1998 © 1998 Elsevier Science Ltd
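The loss-estimation approach just described (rate each CIA category for every area, on a worst-case basis, with the availability loss depending on the length of the delay, when it occurs, and any replacement cost) can be carried through in code. The following is an added example and not part of Parkin's article; the business areas, the monetary figures, the time-window multipliers and the scoring scheme are all constructed assumptions chosen to illustrate the method.

```python
"""Added worked example (not from the original article): rating the CIA
loss scenarios for each business area on a worst-case basis.

The areas, monetary figures, time windows and scoring scheme below are
constructed assumptions for illustration only."""

from dataclasses import dataclass

# How much an outage's hourly cost is multiplied when the delay falls in a
# given time window: the article's point that a delay at the worst possible
# time of the week/month/year compounds the damage (multipliers assumed).
TIME_WINDOW_MULTIPLIER = {
    "normal": 1.0,
    "month_end": 3.0,        # e.g. invoice and statement runs
    "product_launch": 5.0,
}


@dataclass
class AreaRisk:
    area: str
    disclosure_loss: float      # confidentiality: loss if information leaks
    modification_loss: float    # integrity: loss from unauthorized modification
    hourly_outage_cost: float   # availability: cost per hour of delay
    replacement_cost: float     # added when the delay is due to damage/destruction
    time_windows: tuple = ("normal",)   # windows in which this area operates


def availability_loss(r, delay_hours, window, destroyed):
    """Availability loss = delay cost scaled by when the delay happens,
    plus the replacement cost if equipment or data were destroyed."""
    loss = r.hourly_outage_cost * delay_hours * TIME_WINDOW_MULTIPLIER[window]
    if destroyed:
        loss += r.replacement_cost
    return loss


def worst_case(r, delay_hours):
    """Worst-case loss per CIA category. For availability this assumes the
    outage lands in the area's most damaging window and that replacement
    is also needed, following the 'worst case' principle."""
    window = max(r.time_windows, key=lambda w: TIME_WINDOW_MULTIPLIER[w])
    return {
        "confidentiality": r.disclosure_loss,
        "integrity": r.modification_loss,
        "availability": availability_loss(r, delay_hours, window, destroyed=True),
    }


def rank_areas(register, delay_hours):
    """(area, dominant category, worst-case loss) sorted by loss, so that
    protection effort can be directed where the potential loss is highest."""
    rows = []
    for r in register:
        wc = worst_case(r, delay_hours)
        dominant = max(wc, key=wc.get)
        rows.append((r.area, dominant, wc[dominant]))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed register: three areas with deliberately different profiles.
REGISTER = [
    AreaRisk("Marketing", 500_000, 20_000, 1_000, 5_000, ("normal", "product_launch")),
    AreaRisk("Management Information", 10_000, 300_000, 2_000, 20_000, ("normal", "month_end")),
    AreaRisk("Customer Services", 50_000, 40_000, 8_000, 15_000, ("normal", "month_end")),
]

if __name__ == "__main__":
    for area, category, loss in rank_areas(REGISTER, delay_hours=24):
        print(f"{area:24s} dominant: {category:16s} worst-case loss {loss:,.0f}")
```

With a 24-hour delay the constructed register ranks Customer Services first on availability, Marketing on confidentiality and Management Information on integrity, which is the point of the exercise: the dominant category differs by area, and the time-window multiplier is what makes availability overtake the one-off losses for a customer-facing area.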

It is also essential to recognize that simple solutions which work well at a small location are unlikely to be effective or comprehensive enough for the whole organization.

Information Technology is now at the heart of most, if not all, business operations and it is essential for developing and delivering new systems. Not only can manual systems not cope with the volume of work, but as time passes it is unlikely that there will be trained staff available who know how the old system used to work. Therefore, if IT falters, so will your business.

The critical factor for most commercial organizations is that of the availability of computer systems and the associated data or information. This does not mean that the other elements of Integrity and Confidentiality are not important. There will be times when they may be similarly critical to the continued success of the company.

Departments or sectors within an organization will have different areas of sensitivity or vulnerability. Marketing will be particularly sensitive to the confidentiality value of information just prior to the launch of a new product or service. After the launch, such information is valueless except as promotion.

The Management Information department will be especially reliant on the integrity of data. Customers do not appreciate receiving incorrect invoices or statements and many business decisions are made on the basis of computer statistics and projections.

Most organizations are striving for higher quality targets. Failure of your IT system can bring embarrassment and a poor public image to the company. By ensuring that your IT systems are secure, you will provide a better, more resilient, service to your customers. IT security makes a critical contribution to quality.

Good security

Having good security means:

• Staying in business - if you are totally reliant on your computer system, then any failure is potentially serious. There are many protection measures which can be taken but the most important is that of having a Business Recovery Plan (BRP).

• Providing a quality service - since IT probably delivers most, if not all, of your services it makes a critical contribution to quality.

• Creating and maintaining a competitive edge - new products, new services, quickly and efficiently developed and delivered to new and existing customers and clients.

• Retaining business confidence - reliable quality services. Never having to say, "I'm sorry, can't do that, the computer is down".

• Deter, delay and detect crime - crime, and security failures (or breaches) are difficult to distinguish in terms of their effect. Get security right, and crime will be less likely to affect your business.

• Comply with legislation and the law - prevent legal actions for breach of contract or sanctions due to lateness of returns. Open terms and conditions of contracts may require business to be conducted in accordance with set standards, including BS7799.

• Minimize insurance costs - insurance companies charge higher premiums for bad risks and constant claims may make insurance unavailable for certain risks.

• Protect your staff and customers - proper security will not only prevent staff and customers from doing harm to your company, it will also protect them from being suspects.

Changing environment

The world in which we live does not stand still. Anyone looking back over the last decade or two will have noted major changes in technology, life-styles, attitudes, expectations and even moral values.

Businesses are also affected by these changes in the following ways:

• Increased reliance on IT - every new product or service relies on Information Technology, and quite often the manual skills to perform the task are either not available or simply too expensive.

• Systems are more complex - in the early days, computers performed single tasks and were rarely interlinked. The complexity and inter-connectivity of modern IT systems means that one failure may have disastrous consequences on other linked applications. Multi-system access from one terminal is now a prerequisite for many telephone-based systems and an examination of the processes required to, for example, obtain money from an ATM (Automated Teller Machine or 'hole in the wall') can often identify over 30 discrete systems, links, processes and computers.

• Increased computer literacy - the modern generation has grown up with computers, and is not afraid to use the technology. As early retirement options become more popular, it will not be long before everyone in the organization can use (and abuse) computer technology.

• Open networks - Local Area Networks (LANs), Wide Area Networks (WANs), and the internet are all open by design. Whilst this openness creates exciting business opportunity it also creates possibilities for others to help themselves without your knowledge. It is not uncommon for companies not to know who is linked to their system, and to be completely unaware of who could be!

"one failure may have disastrous consequences on other linked applications"

• Ever increasing power of PCs - modern Pentium processors can perform tasks which would have been impossible even a few years ago, or would have required a major mainframe system. Security was relatively easy for the early systems being mainframe based, in secure buildings, isolated from the outside world. Today's executive has, on his or her desk, a PC with tremendous processing power and worldwide connectivity. Additionally, the PC may be easily portable, and contain the 'fortunes' of that company rendering it a lucrative target for thieves and those indulging in industrial espionage.

"Security can be likened to many aspects of life"

• 'Computer' crime - regrettably a current trend in all walks of life is the increasing likelihood of being affected by crime. Computer crime itself is a complex topic and includes simple theft of IT equipment and associated data to the more complex incidence of virus infection. Other aspects, such as software piracy and unauthorized access, whilst covered by legislation, will continue to be major concerns unless action is taken.

• Extreme politics - fanatical organizations have always been a part of life. CLODO, in France, aim to destroy computers and many terrorist organizations recognize the publicity value of damaging IT systems.

• Intellectual challenge - often criminals or disgruntled staff do not commit their acts for money. Often it is the intellectual challenge and stimulation of being able to gain access to a computer system. Frequently the damage which occurs may be accidental, but nevertheless real.
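Two of the points above, complexity (one failure cascading through linked applications, a single ATM withdrawal touching dozens of discrete systems) and open networks (not knowing who is linked to your system), both come down to keeping an explicit model of the links rather than carrying them in people's heads. The following added example, which is not from the article, builds such a model as a small directed graph and reads both answers off it; the system names, dependency links and access links are a constructed toy sketch of a cash withdrawal, not an inventory of any real estate.

```python
"""Added worked example (not from the original article): an explicit model
of linked systems, so the knock-on effect of one failure and the question
"who is linked to our system?" can be answered from the model rather than
guessed.

The systems, dependency links and access links are a constructed toy
sketch of a cash withdrawal, not an inventory of any real estate."""

from collections import deque

# Each system -> the systems it relies on to do its job (constructed).
DEPENDS_ON = {
    "atm": ["atm_switch"],
    "atm_switch": ["card_auth", "core_banking"],
    "card_auth": ["hsm", "card_db"],
    "core_banking": ["ledger_db", "mainframe"],
    "telephone_banking": ["core_banking", "ivr"],
    "ivr": [],
    "hsm": [],
    "card_db": [],
    "ledger_db": [],
    "mainframe": [],
}

# External parties -> the systems they are connected to directly (constructed).
ACCESS_LINKS = {
    "branch_lan": ["core_banking", "telephone_banking"],
    "third_party_service_desk": ["mainframe"],
    "internet_gateway": ["telephone_banking"],
}


def reachable_from(start, dep_map):
    """Every system reached by following dependency links from `start`,
    including the starting systems themselves."""
    seen, queue = set(), deque(start)
    while queue:
        s = queue.popleft()
        if s in seen:
            continue
        seen.add(s)
        queue.extend(dep_map.get(s, []))
    return seen


def dependants(dep_map):
    """Invert the map: system -> systems that rely on it directly."""
    inv = {s: [] for s in dep_map}
    for s, needs in dep_map.items():
        for n in needs:
            inv.setdefault(n, []).append(s)
    return inv


def impact_of_failure(failed, dep_map):
    """All systems that stop working, directly or transitively, if `failed`
    goes down: the 'one failure, many linked applications' effect."""
    inv = dependants(dep_map)
    hit, queue = set(), deque([failed])
    while queue:
        s = queue.popleft()
        for d in inv.get(s, []):
            if d not in hit:
                hit.add(d)
                queue.append(d)
    return sorted(hit)


def linked_parties(target, access_map, dep_map):
    """Parties linked to `target`, directly or through a system they can reach
    that in turn depends on it: the list a company often does not know."""
    return sorted(party for party, entry in access_map.items()
                  if target in reachable_from(entry, dep_map))


if __name__ == "__main__":
    print("systems behind one ATM withdrawal:", len(reachable_from(["atm"], DEPENDS_ON)))
    print("if the mainframe fails, also down:", impact_of_failure("mainframe", DEPENDS_ON))
    print("parties linked to the mainframe:", linked_parties("mainframe", ACCESS_LINKS, DEPENDS_ON))
```

Even in this toy, the internet gateway turns out to be linked to the mainframe through two hops (telephone banking, then core banking), which is exactly the kind of link the article says companies are "completely unaware" of; a real model comes out of an inventory exercise, and the value is in keeping it current.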

Security can be likened to many aspects of life, and as in so many other cases it cannot be 100% effective.

The solution

If we accept that computer security is necessary, we need a framework within which to work. The following is offered as a summary:

• good foundation of security awareness, clear policy and accountability

• implementation of sound 'baseline' controls using BS7799 as the 'model'

• use of risk analysis as a strategic tool to identify weaknesses and vulnerabilities

• application and location specific security measures where cost justified

• constant review and revision in the light of changing circumstances

Management support

Security cannot be 100% effective, there will always be some residual risk and there will have to be a compromise between availability/usability and security. Security has to be cost effective.

Thus, security has to be a line management responsibility. It is not something special, nor is it the province of one department. All staff should own an element of security in the same way that current legislation requires personnel to be personally accountable for certain actions. The Data Protection Act, Computer Misuse Act, Copyright Design and Patents Act, plus the many Health & Safety requirements all place emphasis on individuals, and there are penalties for non-compliance both for the company and the individual.

"Security cannot be 100% effective, there will always be some residual risk"

In order to create the environment whereby management can discharge their responsibilities, there needs to be support at the highest level. In most cases this will be 'the Board' and, ideally, a senior IT manager should take their rightful place at this level.

All organizations have 'key players' who may, or may not, be part of the traditional management team. Ask the following questions: "Who sorts out the computer if it goes wrong" or "who helps me when I forget my password". Invariably this will not be the department head, it will be some junior person or systems administrator.

For larger organizations where there is a Security Manager (and team) then they have their part to play in understanding the business goals, and for formulating and communicating good security advice, but they cannot do it alone. It is also good practice to build in security responsibilities to job descriptions and objectives to indicate the importance attached to the topic.

Conclusion

"there needs to be support at the highest level"

IT Security is a vital aspect of all business operations. The "Security Officer's Dozen" below may well serve as a summary for the importance of IT security:

1. Codes can, and will, be broken.

2. Passwords can be disclosed or guessed.

3. Messages can be intercepted.

4. Audit trails can be compromised.

5. Computer criminals do exist.

6. Programs can, and do, fail.

7. Disasters can happen.

8. Accidents can, and do, occur.

9. Risks are taken.

10. Controls will be by-passed.

11. Information is not always secure.

12. People do foolish things.

This paper was first presented at COMPSEC '97 at the QEH Centre, London, UK.