Upload File

governance and security: side by side

2
April 2007 Computer Fraud & Security 15 its strategic holding of oil to counter OPEC control of the market sector. Governments may also be able to provide limited resources in the event of an attack, but are unlikely to pro- vide the level of funding that would be required to improve the security and survivability of most of the ele- ments to a level that would make a significant difference. The area where it would appear that governments can have the most significant impact will continue to be the provision of timely advice and the early investigation of incidents to determine the likely cause in order to prevent unnecessary panic or overreaction. About the author During a full military career Andy Jones directed both Intelligence and Security operations and briefed the results at the highest level and was awarded the MBE for his service in Northern Ireland. After 25 years of service with the British Army’s Intelligence Corps he became a business manager and a researcher and analyst in the area of Information Warfare and computer crime at a defence research establishment. In September 2002, on completion of a paper on a method for the metrication of the threats to information systems, he left the posi- tion to take up a post as a principal lecturer at the University of Glamorgan in the subjects of Network Security and Computer Crime and as a researcher on the Threats to Information Systems and Computer Forensics. At the university he developed and managed a well equipped Computer Forensics Laboratory. He holds a Ph.D. in the area of threats to information systems. In January 2005 he joined the Security Research Centre at BT to take up a post as a research group leader. 1 ENISA web site on Risk Management has been recently released. This web site contains material from the area of Risk Management and has now been expanded with information from the thematic area of Emerging Risks. This material is available from the ENISA Risk Management URL: http://enisa. europa.eu/rmra GOVERNANCE It seems like everybody is talking about governance these days, certainly large multi-national organizations, with high profiles, powerful shareholders and complex financial affairs. Financial and other sector regulators are also estab- lishing “good governance” as a business holy grail that essentially all compa- nies must aspire to. Product vendors have taken this on board as it is seen as the latest easy way to sell products; IT managers have tired of promises of reducing Total Cost of Ownership (TCO) that didn’t really deliver, solu- tions that would “e”-enable their busi- ness, automate their supply chain, etc. Pitching your product as some sort of solution to achieving governance not only sounds great, but it might just get the attention of board members who, slightly scared by the degree of regula- tion, might just make a snap purchase decision if they think it will somehow help. The thing about corporate governance… On a basic level, Corporate Governance is about managing anything which could undermine the trust in, or give rise to risks to, the organization. As such it encompasses the processes, policies and laws affecting the way an organization/ corporation is managed, administered or controlled. A key concept of this is cor- porate accountability and trust, which means having processes and mechanisms in place to ensure responsible behav- iour and the protection of shareholders. These might include: Effectiveness and efficiency of operations. Reliability of financial reporting. Compliance with all laws and appli- cable regulations. Safeguarding of corporate assets, including physical and information. The Organization for Economic Cooperation and Development (OECD) principles of Corporate Governance requires timely and accu- rate disclosure of material information on “foreseeable risk factors” and cor- porate policy and the process by which it is implemented. It is hard to see how these days, one could claim that the myriad of IT security risks such as viruses, hacking, misuse by staff, phishing, denial-of- service, active code etc. are not “fore- seeable risks.” Corporate Governance is though (of course) much bigger than just IT/ information security. The thing about security… Security of course, is also about man- aging “foreseeable risks” and having policies and controls in place. In many respects some aspects of the work I do particularly around penetration test- ing, is to try and find what risks exist and how systems might be attacked (then advise on how to defend systems against those risks). What security and governance do have in common though is the con- cept of trust - in an organization, its practices, data safeguards, and operations rely not only on sound Governance and security: side by side Piers Wilson, Head of Technical Assurance Piers Wilson

Upload: piers-wilson

Post on 19-Sep-2016

214 views

Category:

Documents


1 download

Report

TRANSCRIPT

Page 1: Governance and security: side by side

April 2007 Computer Fraud & Security15

its strategic holding of oil to counter OPEC control of the market sector. Governments may also be able to provide limited resources in the event of an attack, but are unlikely to pro-vide the level of funding that would be required to improve the security and survivability of most of the ele-ments to a level that would make a significant difference. The area where it would appear that governments can have the most significant impact will continue to be the provision of timely advice and the early investigation of incidents to determine the likely cause in order to prevent unnecessary panic or overreaction.

About the authorDuring a full military career Andy Jones directed both Intelligence and Security operations and briefed the results at the highest level and was awarded the MBE for his service in Northern Ireland. After 25 years of service with the British Army’s Intelligence Corps he became a business manager and a researcher and analyst in the area of Information Warfare and computer crime at a defence research establishment. In September 2002, on completion of a paper on a method for the metrication of the threats to information systems, he left the posi-tion to take up a post as a principal lecturer at the University of Glamorgan

in the subjects of Network Security and Computer Crime and as a researcher on the Threats to Information Systems and Computer Forensics. At the university he developed and managed a well equipped Computer Forensics Laboratory. He holds a Ph.D. in the area of threats to information systems. In January 2005 he joined the Security Research Centre at BT to take up a post as a research group leader.

1 ENISA web site on Risk Management has been recently released. This web site contains material from the area of Risk Management and has now been expanded with information from the thematic area of Emerging Risks. This material is available from the ENISA Risk Management URL: http://enisa.europa.eu/rmra

GOVERNANCE

It seems like everybody is talking about governance these days, certainly large multi-national organizations, with high profiles, powerful shareholders and complex financial affairs. Financial and other sector regulators are also estab-lishing “good governance” as a business holy grail that essentially all compa-nies must aspire to. Product vendors have taken this on board as it is seen as the latest easy way to sell products; IT managers have tired of promises of reducing Total Cost of Ownership (TCO) that didn’t really deliver, solu-tions that would “e”-enable their busi-ness, automate their supply chain, etc. Pitching your product as some sort of solution to achieving governance not only sounds great, but it might just get the attention of board members who, slightly scared by the degree of regula-tion, might just make a snap purchase decision if they think it will somehow help.

The thing about corporate governance…On a basic level, Corporate Governance is about managing anything which could undermine the trust in, or give rise to risks to, the organization. As such it encompasses the processes, policies and laws affecting the way an organization/corporation is managed, administered or controlled. A key concept of this is cor-porate accountability and trust, which means having processes and mechanisms in place to ensure responsible behav-iour and the protection of shareholders. These might include:

• Effectiveness and efficiency of operations.

• Reliability of financial reporting.• Compliance with all laws and appli-

cable regulations.• Safeguarding of corporate assets,

including physical and information.

The Organization for Economic Cooperation and Development (OECD) principles of Corporate Governance requires timely and accu-rate disclosure of material information on “foreseeable risk factors” and cor-porate policy and the process by which it is implemented.

It is hard to see how these days, one could claim that the myriad of IT security risks such as viruses, hacking, misuse by staff, phishing, denial-of-service, active code etc. are not “fore-seeable risks.”

Corporate Governance is though (of course) much bigger than just IT/information security.

The thing about security…Security of course, is also about man-aging “foreseeable risks” and having policies and controls in place. In many respects some aspects of the work I do particularly around penetration test-ing, is to try and find what risks exist and how systems might be attacked (then advise on how to defend systems against those risks).

What security and governance do have in common though is the con-cept of trust - in an organization, its practices, data safeguards, and operations rely not only on sound

Governance and security: side by sidePiers Wilson, Head of Technical Assurance

Piers Wilson

Page 2: Governance and security: side by side

Computer Fraud & Security April 200716

TROJAN HORSE

The German Home Minister (Innenminister), Wolfgang Schäuble,

recently brought a security related idea into public discussion: A law which would allow the creation of Trojan horses by government authorities to be used by police and secret services. The purpose of such “governmental mali-cious software” is to spot illicit con-tents in personal computers and servers connected to the Internet. Such a law would allow the security authorities to penetrate suspected computers in a clandestine approach; the Trojan horse would browse through the hard disks and send information about findings to the relevant authority.

Breach of human rightsThe need for such a law was per-ceived by the minister because the highest German court (Ericht to Bundesgerichtshof – Constitutional

Court) had ruled that the existing legal situation would not allow such attacks. Of course domiciliary visits by the police are possible and computers may be taken away to search systematically for illicit contents, but such cases take place in an open way. The owner of the computer is immediately alerted to the accusations he faces. As a result he can introduce his lawyer into the matter, and judicial steps are possible. None of these rights apply, however, if a clandestine search is completed on a computer in an enterprise or a private home.

German police and Secret Service propose use of Trojan horse: a crazy notionHans Gliss

German IT security expert Hans Gliss discusses the dangers of his government allowing police to use Trojan horses to snoop. Gliss wor-ries that criminals would only be encouraged to raise their game by such a move.

Steganography quick facts• Steganography allows messages to be

hidden within cover files. Hiding mes-

sages in jpeg files is the most common

method.

• It is only possible to see the carrier file

and the intended recipient uses a tool to

read the hidden message.

• A search on Google images returns 5,990

steganography pictures.

• Steganography detection tools (steg

analysis).

• Wetstone’s Gargoyle tool.

• Niels Provo’s stegdetect.

• Wetstone Technology – Stego Watch.

• Steganography tools.

• F5.

• SecurEngine.

• MP3Stego.

• Steganos Suite.

governance practices but also on good security. However I would argue that these controls are not two separate sets of mechanisms that both contrib-ute, but actually the same unified set of safeguards, processes and techni-cal controls that provide the trust required, whether the driver be gov-ernance or security.

Take almost any security solution or practice; pick quite an expensive one if you like, such as centralised log collec-tion, management, analysis and archiv-ing. The security benefits of doing this

are hopefully fairly clear (despite what can be a significant investment) – you might thwart a corrupt employee, or diagnose and resolve an external attack; but this isn’t just good security – its good governance too.

SummarySo information security and corporate governance are not really two separate business initiatives or sets of rules, they really go hand in hand.

Apart from anything else, as allies within a business they both stand a

better chance of achieving a sound set of controls than if they are kept separate, the Governance manager and Security manager should really be the best of friends. There are so many ways in which improvements regard-ing one aspect can also benefit the other.

About the authorPiers Wilson is a Principal Consultant for Siemens Insight Consulting, where he heads up the Technical Assurance Team

Are Trojans always destined to be for criminal use only?


IBM Security Identity Governance Infographic

Disaster, Security, and Governance

IT Governance, Controls and Security:

Achieving Information Security Governance though ISMS ... · Achieving Information Security Governance though ISMS ... Project Managers ... Achieving Information Security Governance

Project Governance : The Human Side of It

Security Sector Governance and Reform - ETH Z · Security Sector Governance and Reform DCAF Backgrounder What is meant by security sector governance and security sector reform? Security

IBM Security Verify Governance 10.0, formerly IBM Security

GAO-04-902R REBUILDING IRAQ: Resource, Security ... · Resource, Security, Governance, Essential Services, ... Rebuilding Iraq: Resource, Security, Governance, Essential ... security

Security Governance - Trends and Ideas

CORPORATE SECURITY GOVERNANCE: MULTINATIONAL …

Soa Governance And Security V1.1

1. ◦ Intro ◦ Client-side security ◦ Server-side security ◦ Complete security ? 2

Workshop on Security Sector Governance in Africaafricansecuritynetwork.org/assn/download/web_literature...2 Workshop on Security Sector Governance in Africa Security Sector Governance

On Security Governance Eng

Security Governance

BYOD : Security, Policy & Governance

Governance of Enterprise Security

Italgo Information Security Governance

Security sector governance (SSG) and conflict …€¦ · This paper examines the evolution of security sector governance (SSG) in ... Rizal, 2012, Security sector governance (SSG)

Data governance, Information security strategy

Palestinian Security Sector Governance

INFORMATION SECURITY GOVERNANCE: A CALL … SECURITY GOVERNANCE: A CALL TO ACTION The road to information security goes through corporate governance. America cannot solve its

Information Security Governance

Shaping a Security Governance Agenda in Post-Conflict ......security governance strategy provides a more promising approach. 2. Approaching Peacebuilding from a Security Governance

Unified Security Governance

MQAUSX Client-side Configuration Manual · security exit and server-side security exit. 1.1.1 Client-Side Security Exit The client-side security exit first checks if the server-side

Fadi Mutlak - Information security governance

Office 365 Governance & Security · Your Policy. Our Automation. Technical Overview Office 365 Governance & Security Accountability & Security Recertification Public Site Collection

Governance of security operation centers

Security Governance, Accountability & Performance 10.pdf · 2019. 2. 7. · Governance Governance of the security sector is the process by which citizens and the state define security,

Big Data Security and Governance

Energy Governance, Suppliers and Demand Side Managementprojects.exeter.ac.uk/igov/wp-content/uploads/2015/... · Energy Governance, Suppliers and Demand Side Management Caroline Kuzemko

Afghanistan: Post-Taliban Governance, Security, … Post-Taliban Governance, Security, and U.S. Policy Congressional Research Service Summary Afghan security forces have lead security

Practical Query Governance & Data Security

THE CITIZEN’S SIDE OF GOVERNANCE