Manage Learn to apply best practices and optimize your operations.

Owning the information security responsibility

In this tip, Charles Cresson Wood explains where the focus should be when organizations, ISPs and government agencies write policies and regulations to deal with new problems.

According to a June 2004 Gartner report, some two million Americans have had online bank accounts raided in the last year. The average loss per incident was $1,200, which puts the total loss at over $2 billion, from causes such as phishing, Web site spoofing, Trojan horse programs and keyloggers that steal passwords. Consumers taking the fraud evidence to their banks often spend exorbitant time fighting to get their money back, and many settle for less cash than was lost.

This situation shows how the responsibility for information security primarily rests on the shoulders of the wrong people -- the consumer, who can't make a significant difference in information security. Instead, responsibility for these types of attacks should rest on the organizations, the Internet service providers and the government agencies involved.

Organizations providing online systems, which handle financial and confidential information processes, should take ownership of information security by investing in stronger and sophisticated user authentication technology. For example, dynamic passwords as supported with RSA Security's SecurID smart tokens could be used rather than relying on encrypted fixed passwords for access control. Stronger user authentication technology would make Web site spoofing much more difficult because unauthorized users couldn't exploit a dynamic password, which changes every minute or so.


Likewise, these organizations could also employ analytic systems, such as offered by Fair Isaac, which could be used to automatically detect suspicious activity in the online banking arena. Such technology can detect and block suspicious activity before losses are incurred. Unusual patterns in online banking could set off an alarm, and additional controls could be applied. This approach would be similar to how unusual patterns in credit card usage can set off an alarm, which then requires the involved merchant clerk to take additional steps to check the identity of the person using the card.

When organizations, ISPs and government agencies write policies and regulations to deal with new problems like phishing, they should focus on their role, rather than the consumer's role, as the key to solving these security problems. Unfortunately, the majority of the information security policies written over the last several decades have focused on educating users. While there's a place for user training and awareness, which is an important part of achieving an acceptable level of information security, we all know that users are unreliable, prone to making errors, and often not motivated to do anything about security. Relying primarily on users only perpetuates the problem.

Rather, security should be transparent to users. And, the right policies and processes can make that happen:

  • Develop policies requiring dynamic passwords with smart cards or digital certificates for accessing online financial systems and confidential resources, which will eliminate the need for consumers to worry about Web site spoofing and related problems. Such a solution could work without putting the undue ownership on users, much in the way that personal computers on a LAN are backed-up automatically at night.
  • Clarify with management who is responsible for solving the problem -- and to what extent they are responsible, before you write information security policies. When writing policies for a new security problem, acquaint the management team with the relevant legal and public relations issues, and spell out the role that each party to the problem must play.
  • Discuss the organization's expected compliance with specific information security laws and regulations, the penalties for non-compliance, and the legal obligations to third parties such as customers and suppliers with the management team.
  • Review the legal responsibilities regarding the standard of due care, a court's potential expectations of the organization and what would constitute negligence.
  • Generate conversations on regulations aimed at white-collar crime and the resulting penalties that could send members of the management team to jail.
  • On the public relations side, cover the impact on the organization for not taking on enough responsibility.
A management team that's well acquainted with the facts and appreciative of their responsibility for implementing strong security policies and technologies will understand how taking the responsibility to implement strong policy and authentication technology is in the organization's best interest over the long term.

As more organizations, Internet service providers, and government agencies take responsibility for information security, the easier it will become to investigate, block and prosecute the perpetrators of these crimes.

About the author
Charles Cresson Wood, CISSP, CISA, CISM, is an independent information security consultant based in Sausalito, California. He specializes in the development of information security documents including policies, standards, procedures, and job descriptions. He is also the author of the book and CD-ROM entitled, Information Security Policies Made Easy.

This was last published in February 2005

Dig Deeper on Information security policies, procedures and guidelines

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.