Wednesday, November 12, 2014

Week 12 - Wrapping it up

In my introductory blog from August 26, 2014 I stated that I wanted to focus my blog entries on security topics related to the electronic payments industry.  This was a stretch to get to several weeks and combine this with the class topic covered for the week, but this also helped me to relate each topic covered to my daily activities.  At the beginning I wanted to make an effort to use different sources as much as possible over the 11 weeks of this blog, but looking back I was not successful at this.  But I also realized this at the time as searching through different sources did not locate information I was looking for.  One source consistently had information that fit into the story I wanted to tell.  Breaking down my sources shows that I used:

5/11 posts - 45% - SecurityWeek
2/11 posts - 18% - c|net
1/11 posts - 9% - FBI Cybercrime
1/11 posts - 9% - ISACA Knowledge Center
1/11 posts - 9% - NIST
1/11 posts - 9% - SANS Internet storm center

In the case of the material I covered and the area of interest I was confining myself to, SecurityWeek met my requirements most of the time, but only once for two weeks in a row.

Regarding the topics selected, the category with the most coverage was weaknesses that could be exploited by nefarious means.  This could be through bugs or failure to protect an area of an application or operating system.  However, there was more diversity in the categories than in the sources used, as information about the people involved in security decisions and the processes used was also discussed.

The main advantage I see to using the blog format for writing about security, or really any subject, is the lower level of formality that this format allows.  While this is not a scholarly method of publication, it does encourage the use of references to back up the discussion and the conclusions drawn.  But it also allows more personal opinion to be expressed in the first person than would be acceptable using other methods generally used for academic papers.  I have never written a blog prior to this, and may not in the future, but I am glad to have had this experience so I know what it is like.  Writing is something I’ve learned to re-enjoy since entering graduate school after a 23-year hiatus from scholarly pursuits.  It is now no longer a chore to put together a 400- to 500-word discussion of a subject and feel like I’ve both learned something and been able to share what I’ve learned with an audience.  If I find that I have information that I want to share with a wide audience, the blog will now be a method I will consider using.




Tuesday, November 4, 2014

Week 11 - Who's in charge of security

When looking at the information security function in an organization it is important to understand the roles that must be fulfilled for security policies to be created, implemented, and enforced.  Larger organizations require multiple positions to be defined in the information security department, and these are arranged in a typical hierarchy.  At the top is the chief information security officer (CISO), which is often the highest-ranking information security role in a company.  Reporting to the CISO is the security manager, who is responsible for the day-to-day activities of the information security department.  In larger companies there may be multiple security managers, depending on the activities that are required for organizational security.  Multiple roles report to a security manager.  The first is the security technician, a hands-on role that works with the security hardware and applications protecting the organization.  This role generally specializes in a specific piece of hardware or security application and, depending on the organization’s requirements, a different specialist will be needed for each technology deployed.  A second role reporting to the security manager is the security administrator.  This role is responsible for the administration of the security devices and applications that protect the organization.  There can be some overlap in the duties of the security technician and the security administrator roles.  The final role reporting to the security manager is the security officer.  This role ensures the physical security of the organization and may be charged with patrolling the facility and ensuring visitors are correctly supervised during a visit.  All of these positions, from the CISO on down, usually require certification in a security area, and most of the certifications require a substantial amount of effort to obtain and maintain.

Until recently, organizations have been somewhat lax in information security and in filling the roles needed for a functional information security department.  If the roles were filled at all, this was done in something of a haphazard manner with no common method of communication between different parts of the organization.  This has effectively created silos of information security functions.  The danger here is that an organization can have all of the proper policies, security devices, and applications in place, yet a lack of communication can effectively neuter these efforts because no one person can see the overall security picture.  Mark Hatton wrote in SecurityWeek on July 1, 2014 an article titled Sooner or Later You'll Get Hacked and Hire a CISO about this exact silo situation, which occurred at Target stores in 2013 and caused the largest breach of customer credit and debit card information to date, over 110 million individual accounts.  Target had all of the security pieces in place, including being compliant with the Payment Card Industry (PCI) standard, yet even when these preparations worked as needed, the lack of an overall security picture resulted in a failure.  Mr. Hatton proposes that the greatest need for an organization to have a CISO is to have a single role in charge of security.  This allows visibility of all aspects of security to flow into one place and direction to be given on how the organization's security position will be addressed.  Target hired a well-known CISO as of July 16, 2014, and he stated that there was a strong team and commitment from leadership to become the leader in retail information security.  Hopefully others in the industry will use this as a lesson learned and follow suit.