Implementing Basic Organizational Computer Security
By Ryan A. Dibble, Fall 2001

Maintaining network and computer security in a small company environment is harder than in a large corporation. The staff members in small companies have more control over the equipment and people involved (since there are fewer of them), so before implementing security, everyone must be convinced that it is a good idea.

Computer Security Goals

Computer security has three objectives: confidentiality, integrity, and availability. Pfleeger [1] summarizes these:

Confidentiality means that the assets of a computing system are accessible only by authorized parties. The type of access is read-type access: reading, viewing, printing, or even just knowing the existence of an object. Confidentiality is sometimes called secrecy or privacy.

Integrity means that assets can be modified only by authorized parties or only in authorized ways. In this context, modification includes writing, changing, changing status, deleting, and creating.

Availability means that assets are accessible to authorized parties. An authorized party should not be prevented from accessing objects to which he, she, or it has legitimate access. Availability is sometimes known by its opposite, denial of service.

These underlying principles then need to be applied to the creation of policies and procedures that govern the organization, the implementation of infrastructure and software, and finally to the planning and execution of security risk assessments.

Policies and Procedures

Establishing small company security starts with clearly written policies. A good definition of policy is:

The formal guidance needed to coordinate and execute activity throughout the institution. When effectively deployed, policy statements help focus attention and resources on high priority issues - aligning and merging efforts to achieve the institutional vision. Policy provides the operational framework within which the institution functions. [3]

Clear policies establish what management and staff believe is important to the organization. If security is not important at the management level, any lower-level security technology added will prove ineffective. From these policies, technical staff can develop procedures with help from the project and middle management. For this paper the definition of procedure is:

The operational processes required to implement institutional policy. Operating practices can be formal or informal, specific to a department or applicable across the entire institution. If policy is "what" the institution does operationally, then its procedures are "how" it intends to carry out those operating policy expressions. [3]

An organization must address three main areas when developing the policies that drive security:

The beginning of a successful overall security process starts with Internal Non-Technical Security. Technology cannot fill in the gaps left by poor physical security. Effective IT security policies and procedures start by outlining the necessary physical security (server room door lock, closed windows and blinds, etc.) and establishing access tracking and record keeping.

Internal Technical Security covers implementation and documentation of the technical nature of the work environment. This includes the network architecture, the server account management, and the application development process. The many technical measures of computer security exceed the scope of this paper, but implementing them correctly will enhance security, while implementing them poorly will give a false sense of security.

Finally, External Security involves two groups. First, it should address the concerns that the customer will have for their data. A customer security and privacy policy provides the customer with this assurance and delineates for the staff and management a clear understanding of the necessary level of security. Second, external security should also address any concerns about outside vendors and consultants, to assure all parties that the security provided at these external sites and processes adequately meets the established standards for security within the local organization.

Infrastructure and Software Design

Once the security policies and procedures are in place, the development of the IT infrastructure and applications can begin with their overall guidance. Creating additional important policies and procedures helps to cover special needs, such as a disaster recovery plan to ensure the availability of a service is not lost due to natural causes.

In creating the infrastructure and applications, the practitioners should design with security in mind. They should write documentation that highlights the security measures involved in that tool at the physical, component, subsystem, system, and process levels, and peers should audit the security aspects.

Security Risk Assessments

As an organization continues to grow, it will need to review both the internal security and the external security of business partners. In order to do so effectively, the organization should develop a Security Risk Assessment Questionnaire (SRAQ). The SRAQ addresses the key areas of network and computer security and crosses over into some process management as well. Internally, independent auditing staff can use the SRAQ to assess the security standards within the IT organization. The SRAQ also provides a method to evaluate external hardware and software vendors and consultant services.

Conclusion

Most companies are a little reluctant to invest time up front developing these materials. However, since increasingly heavy pressure comes from corporate partners for a secure environment, security-related issues will take the forefront in an organization.

The important thing to remember in enhancing computer and network security in companies is to have strong security-related policies and procedures in place, which management fully supports. Without support from management for strong enforcement of policies, all the security services implemented by the IT staff are practically useless because all such procedures end up ignored.

References

  1. Pfleeger, Charles P. Security in Computing, 2nd edition. ISBN 0-13-337486-6.
  2. Ford, Warwick. Computer Communications Security. ISBN 0-13-799453-2.
  3. California Polytechnic State University. "Protocol for Formatting and Submission of CAP Policy Statements"; http://policy.calpoly.edu/capprotocol.htm

Ryan Dibble is a Consultant for Dibble Group Inc. and lives in Dearborn Hts., MI. He is a member of HKN, IEEE, and the ACM. To contact him write rdibble@dibble.net.

Copyright © 2001 Dibble Group Inc. All Rights Reserved.