HDS Aware

Perspective
The Holy Trinity of Info Security

Information security programs depend on three crucial factors: confidentiality, integrity, and availability.

By Richard Forno (BIOGRAPHY)
10/15/98


A few years ago, I helped establish the information security office for the U.S. House of Representatives. We had just started when the cell phone traffic of a senior House member was recorded and forwarded to the national media by a technoliterate eavesdropper.

The conversation was politically embarrassing. In panic mode, our office was asked to draft a cell-phone-usage guide and obtain secure phones for House members. Within a week the other 434 cell-phone-toting congressmen had approved our guidance document.

Unfortunately, our comprehensive, 4-inch-thick info security plan languished for another 18 months waiting for congressional action. Well-reasoned and carefully planned issues like password aging and system security don't compete with political peccadilloes for the national leadership's mind share once the lights of network television begin to glare.

Lack of coordination introduces the hidden flaw of many info security efforts. A workable plan requires smooth planning and ample coordination. Otherwise, we, like the fabled Dutch boy, just stick our fingers in the dike while the water flows through the holes just beyond our reach.

Information security programs sit atop a three-fold base--confidentiality, integrity, and availability. Yet, too often, security is bypassed or ignored because it is imposing, complicated, and not perceived as an asset by both management and employees. A common misperception equates increased security with decreased convenience. This proves false as info security can be strong, robust, and secure without burdening users.

To secure your information, conduct a proactive "perception management analysis" (PMA) as part of an ongoing corporate security self-evaluation. The PMA should answer these questions:

The first two questions are self-explanatory. The third and critical question is the focus of this article. Security programs do NOT have to be complicated, but they MUST be all-encompassing and ongoing. Large, bloated security models adversely affect management, communications, resource allocation, security operations, and employee productivity. Unfortunately, information moves faster than corporate action, and so do threats, vulnerabilities, and risks.

Remember, "information security" is not limited to "computer security." It includes computers, networks, data, the telecom infrastructure, and day-to-day human factors involved in information exchange.

Question 1:
Does your program adhere to information security fundamentals?

Confidentiality, integrity, and availability must be spelled out in documents approved by your senior management. This is the baseline for measuring the effectiveness of your security program and enforcing security procedures.

Confidentiality: You don't need to be paranoid to want security from competitors, criminals, and malcontents. However, some paranoia can strengthen your info-security plan. The last thing you want is your strategic marketing initiative to be used against you or worse, to find your competition has "built the better mouse trap" with your plans and left you to pick up the R&D tab!

Any organization operated by people has inherent vulnerabilities. Therefore, to ensure confidentiality of corporate information, start with your people. Develop and require signed non-disclosure and acceptable-use statements -- from CEO to new hires. Deploy encryption and authentication technologies, and use automated confidentiality tools. Just remember that people will need to use these tools, and people are vulnerable.

Integrity: Doctored data can create more damage than stolen data. Moving a decimal during an audit could prove disastrous. A $4.5 million theft may be marginal, but a $45 million data manipulation could close the doors. Even product designs can be surreptitiously tampered with to produce structural failure, liability exposure, and damaged corporate reputation.

Any organization operated by people has inherent vulnerabilities. To ensure information integrity, start with your people. Do background checks on key people such as systems and database administrators, security staff, and anyone with "detailed, unmonitored, insider access" to your corporate information resources who would be in a position to co-opt sensitive data. Back up regularly, and test restores, at a frequency based on the cost of manually rebuilding the data. Software- and management-based preventive measures also help. Never blindly accept what you see on the screen. Double-check your work and your numbers--an age-old form of error prevention!

Availability: Your employees need to work in a supportive technological environment. Paying people to come to work and play solitaire on their computers when they cannot access the network or their files is a waste of time, labor, and resources. You must ensure that information resources (networks, systems, and the information contained within) are running in order to ensure productivity.

Any organization that is operated by people has inherent vulnerabilities. To ensure availability, start with your people. Ensure that authorized users cannot inadvertently bring down a network or jam up the e-mail system. Have network administrators provide redundant information resources, stand-by power, backup capabilities, and related services.

People are ignorant of security responsibilities, threats, and risks to information. They are often uninformed about how a system should perform. Companies spend millions on firewall and encryption technologies believing they have the Good CyberKeeping Seal of Impenetrable Security, but secrets still get out. If you seal all technical escape routes and still hear the hiss of escaping information, where can it be coming from other than your people?

About Richard Forno
Putting a mean dog in your yard is one way of keeping unwanted visitors out. If you want to protect data, Richard Forno might just be the mean dog that you are looking for.

Mr. Forno lives and breathes information security. In addition to being the youngest graduate in the U.S. Naval War College's 109-year history (where he focused on information warfare), he has steeped himself in just about every facet of information and corporate security, computer crime, and cyber-warfare.

Starting with an associate degree in management from Valley Forge Military College, Mr. Forno received a B.S. in International Relations at the American University in Washington, D.C. with a concentration in National Security Studies and Middle Eastern Affairs. Next stop was the aforementioned Naval War College.

Mr. Forno's federal work experience includes helping set up the Information Security Program Office for the U.S. House of Representatives and developing a global security education program for the U.S. Agency for International Development. Prior to that, he supported military command, control and intelligence systems as an Army contractor. Richard has also been a consultant to the Office of the Secretary of Defense on information warfare issues.

Richard is a frequent speaker at intelligence community seminars and industry conferences. In his spare time, he has written two books and numerous articles on information warfare and security management.

Richard's professional affiliations include: the National Military Intelligence Association; the Operations Security Professionals Society; High-Technology Crime Investigators Association; United States Naval War College Foundation; and the Valley Forge Military Academy and College Board of Directors.

Currently, Mr. Forno is the Security Officer for Network Solutions, Inc. (NSI) in Herndon, VA. NSI operates the InterNIC and WorldNIC domain-name services and Internet Domain Name registration system.
