Owning the information security responsibility

This situation shows how the responsibility for information security primarily rests on the shoulders of the wrong people -- the consumer, who can't make a significant difference in information security. Instead, responsibility for these types of attacks should rest on the organizations, the Internet service providers and the government agencies involved.

Organizations providing online systems, which handle financial and confidential information processes, should take ownership of information security by investing in stronger and sophisticated user authentication technology. For example, dynamic passwords as supported with RSA Security's SecurID smart tokens could be used rather than relying on encrypted fixed passwords for access control. Stronger user authentication technology would make Web site spoofing much more difficult because unauthorized users couldn't exploit a dynamic password, which changes every minute or so.

• The top consumer complaint -- identity theft -- hits organizations where it hurts.
• Learn how phishing affects your bottom line.
• Peruse our collection of articles, white papers and tips on Web security.

Likewise, these organizations could also employ analytic systems, such as offered by Fair Isaac, which could be used to automatically detect suspicious activity in the online banking arena. Such technology can detect and block suspicious activity before losses are incurred. Unusual patterns in online banking could set off an alarm, and additional controls could be applied. This approach would be similar to how unusual patterns in credit card usage can set off an alarm, which then requires the involved merchant clerk to take additional steps to check the identity of the person using the card.

When organizations, ISPs and government agencies write policies and regulations to deal with new problems like phishing, they should focus on their role, rather than the consumer's role, as the key to solving these security problems. Unfortunately, the majority of the information security policies written over the last several decades have focused on educating users. While there's a place for user training and awareness, which is an important part of achieving an acceptable level of information security, we all know that users are unreliable, prone to making errors, and often not motivated to do anything about security. Relying primarily on users only perpetuates the problem.

Rather, security should be transparent to users. And, the right policies and processes can make that happen:

• Develop policies requiring dynamic passwords with smart cards or digital certificates for accessing online financial systems and confidential resources, which will eliminate the need for consumers to worry about Web site spoofing and related problems. Such a solution could work without putting the undue ownership on users, much in the way that personal computers on a LAN are backed-up automatically at night.
• Clarify with management who is responsible for solving the problem -- and to what extent they are responsible, before you write information security policies. When writing policies for a new security problem, acquaint the management team with the relevant legal and public relations issues, and spell out the role that each party to the problem must play.
• Discuss the organization's expected compliance with specific information security laws and regulations, the penalties for non-compliance, and the legal obligations to third parties such as customers and suppliers with the management team.
• Review the legal responsibilities regarding the standard of due care, a court's potential expectations of the organization and what would constitute negligence.
• Generate conversations on regulations aimed at white-collar crime and the resulting penalties that could send members of the management team to jail.
• On the public relations side, cover the impact on the organization for not taking on enough responsibility.

As more organizations, Internet service providers, and government agencies take responsibility for information security, the easier it will become to investigate, block and prosecute the perpetrators of these crimes.

About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, California. He specializes in the development of information security documents including policies, standards, procedures, and job descriptions. He is also the author of the book and CD-ROM entitled, Information Security Policies Made Easy.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Compliance Counselor,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   Application and Platform Security,   Email Protection,   Email and Messaging Threats (spam, phishing, instant messaging),   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Compliance Counselor Benefits of ISO 27001 and ISO 27002 certification for your enterprise Identity lifecycle management for security and compliance Interpreting 'risk' in the Massachusetts data protection law FTC Red Flags Rules: How to create an identity theft prevention plan Creating a HIPAA employee training program Data protection tips for corporate compliance leaders PCI DSS compliance requirements: Ensuring data integrity Understanding PCI DSS compliance requirements for log management Are 'strong authentication' methods strong enough for compliance? Strategies for using technology to enable automated compliance Information Security Policies, Procedures and Guidelines How to detect and respond to money laundering Health Net breach failure of security policy, technology How to protect distributed information flows Whitelists, SaaS modify traditional security, tackle flaws Melissa Hathaway urges more cooperation, government attention to cybersecurity Reuters: Obama ready to select cyber security czar How a corporate Twitter policy can combat social network threats Should enterprises be concerned with Twitter in the workplace? Information security management hype: Debunking best practices Data breach avoidance begins with security basics, panel says Email and Messaging Threats (spam, phishing, instant messaging) The world's top 5 riskiest domains How to secure a .pdf file Top spammer gets four years in jail for stock fraud scheme New Zeus spam poses as Social Security statements Messaging security risks have upper hand on solutions Web-based attacks skyrocket, pirating sites surge, security firms say Pushdo botnet uses Facebook to spread malicious email attachment Scareware report highlights successful business model How to prevent phishing attacks with social engineering tests Phishing protection begins with training, antiphishing evangelist Email and Messaging Threats (spam, phishing, instant messaging) Research RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary defense in depth  (SearchSecurity.com) non-disclosure agreement  (SearchSecurity.com) security policy  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.