1. Security Is a Management Issue, Not a Technology Issue
Section 302 of the Sarbanes-Oxley Act requires the CEO and the CFO to certify both that the financial statements fairly present the results of the company’s activities and that they have evaluated the effectiveness of the organization’s internal controls. Security is a key component of internal control and systems reliability. Top management plays a critical role in information security.
The Trust Services Framework identifies four essential criteria for successfully implementing each of the five principles that contribute to systems reliability:
1) Developing and documenting policies
2) Effectively communicating policies to all authorized users
3) Designing and employing appropriate control procedures to implement policies
4) Monitoring the system and taking corrective action to maintain compliance with policies
Management needs to develop a comprehensive set of security policies before designing and implementing specific control procedures. The development of those security policies begins by taking an inventory of information system resources: hardware, software, and databases. Once the organization’s information systems resources have been identified, they need to be valued so that the most cost-effective control procedures can be selected.
Effective Communication of Policies
Security policies must be communicated to and understood by employees, customers, suppliers, and other authorized users. Regular reminders and training should be ongoing. The sanctions associated with violations should also be communicated.
The Design and Employment of Appropriate Control Procedures
Control frameworks, such as COBIT and Trust Services, identify a variety of specific control procedures and tools that can be used to mitigate various security threats. A thorough risk assessment program and cost/benefit analysis should be used when evaluating alternative control procedures. Focus 7-1 on Page 241 discusses how the consequences of inadequate investments in security are increasing and provides several tips for avoiding lawsuits:
▪ Establish and implement an in-house security policy
▪ Have a security audit done
▪ Remember security in contracts
▪ Don’t make promises you can’t keep
▪ Pay attention to regulations affecting your industry
▪ Consider purchasing e-commerce insurance
▪ Pay attention to what similar companies are doing
Monitoring and Taking Remedial Action
It is important to understand that security is a moving target. Advances in information technology create new threats and alter the risks associated with existing threats. Effective control over information systems involves a continuous cycle of developing policies to address identified threats, communicating those policies to all employees, implementing specific control procedures to mitigate risk, monitoring performance, and taking corrective actions in response to identified problems.
2. The Time-Based Model of Security
The time-based model of security focuses on the relationship between preventive, detective and corrective controls and evaluates the effectiveness of an organization’s security by measuring and comparing the relationship among the following three variables:
P = the time it takes an attacker to break through the organization’s preventive controls
D = the time it takes to detect that an attack is in progress
C...
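The following is an added worked example, not part of the original notes, showing how the time-based model is applied when choosing among alternative control procedures on a cost/benefit basis (the selection criterion described in section 1). The notes above are cut off before C is defined, so the example assumes the standard form of the model: controls are effective when P > D + C, with C taken to be the time needed to respond to an attack once it is detected. Every control option, time figure, and cost figure below is constructed sample data, not from the page.

```python
"""Time-based model of security: added worked example (not from the notes).

Assumption (the page is truncated before C): the model's test is
    P > D + C
where P = time for an attacker to break through preventive controls,
      D = time to detect that an attack is in progress,
      C = time to respond to the attack once it is detected (assumed).
All options and numbers below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ControlOption:
    """One candidate combination of preventive, detective and corrective controls."""
    name: str
    p_hours: float      # preventive: hours an attacker needs to break through
    d_hours: float      # detective: hours until the attack is noticed
    c_hours: float      # corrective: hours from detection to containment (assumed term)
    annual_cost: int    # constructed cost figure for the option


def is_effective(p: float, d: float, c: float) -> bool:
    """The model's test: security holds only if defenders finish before the attacker."""
    return p > d + c


def safety_margin(p: float, d: float, c: float) -> float:
    """Hours of slack (P - (D + C)); a negative margin means the attacker wins the race."""
    return p - (d + c)


def cheapest_effective(options: Iterable[ControlOption]) -> Optional[ControlOption]:
    """Cost/benefit selection: among options that satisfy P > D + C, pick the cheapest.

    Returns None when no option is effective, which signals that more (or
    different) controls are needed rather than a cheaper choice.
    """
    effective = [o for o in options if is_effective(o.p_hours, o.d_hours, o.c_hours)]
    if not effective:
        return None
    return min(effective, key=lambda o: o.annual_cost)


# Constructed sample alternatives. Note that the first two spend money on
# prevention and detection but still fail because response is too slow:
# all three control types must be considered together.
SAMPLE_OPTIONS = [
    ControlOption("firewall only",                     p_hours=4.0,  d_hours=48.0, c_hours=8.0, annual_cost=5_000),
    ControlOption("firewall + IDS",                    p_hours=4.0,  d_hours=1.0,  c_hours=8.0, annual_cost=20_000),
    ControlOption("firewall + IDS + on-call response", p_hours=4.0,  d_hours=1.0,  c_hours=2.0, annual_cost=35_000),
    ControlOption("hardened hosts + IDS + on-call",    p_hours=24.0, d_hours=1.0,  c_hours=2.0, annual_cost=50_000),
]


def report(options: Iterable[ControlOption]) -> str:
    """Human-readable comparison table for the sample options."""
    lines = []
    for o in options:
        margin = safety_margin(o.p_hours, o.d_hours, o.c_hours)
        verdict = "effective" if margin > 0 else "INEFFECTIVE"
        lines.append(f"{o.name:<36} P={o.p_hours:>5.1f}h D={o.d_hours:>5.1f}h "
                     f"C={o.c_hours:>4.1f}h margin={margin:>6.1f}h "
                     f"cost=${o.annual_cost:>6,}  {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_OPTIONS))
    best = cheapest_effective(SAMPLE_OPTIONS)
    print("\nCheapest effective option:", best.name if best else "none")
```

Because security is a moving target, the same comparison should be rerun whenever P changes: if a new attack technique cuts the break-through time of the chosen option from 4 hours to 2, its margin becomes negative and the selection must be revisited.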