Archive for April, 2010

The Importance of Change Management

When we think of strategic security measures, we often think of policy, standards, procedures, firewalls, intrusion detection and intrusion prevention systems, security information and event management systems, network access control, VPNs, identity management systems, personal firewalls, anti-virus software, and the like. Strangely, we too often overlook change management and its value in risk mitigation. Wikipedia defines change management as “the process during which the changes of a system are implemented in a controlled manner by following a pre-defined framework/model with, to some extent, reasonable modifications.” Change management can range from an informal process involving little more than advance notification of an intended change (which may be adequate for small groups and organizations) to a formal process that requires written change requests to be submitted to a change control board, which reviews them and ultimately approves or rejects them.

Categories: Network Security

Expectation of Privacy versus Client-Attorney Privilege

Those of us who are information security professionals have long been aware of organizations’ need to defeat users’ expectation of privacy before those users use the organization’s computers and networks. Displaying a warning banner to users before they log on has become a standard practice. This banner generally reads as follows:

“This computer is the sole property of and must be used for official business only. Unauthorized use is forbidden and will be punished to the full extent of the law. All user actions will be monitored. Attempting to log on constitutes user consent to be monitored.”

However, a recent ruling is causing us to rethink the meaning and impact of warning banners intended to defeat the expectation of privacy. Two years ago, Marina Stengart, a former employee of the Loving Care Agency, filed a lawsuit against the company. While still an employee, she used Loving Care’s computers to exchange emails with her lawyer. The company searched for and found copies of these emails and argued that, because Stengart had been warned that everything she did on Loving Care’s computers was subject to monitoring and was therefore not private, it had the prerogative to retrieve, read and disclose the content of these messages. Stengart’s attorney argued that the content of these messages was protected by client-attorney privilege. Loving Care won the trial case, but the New Jersey Supreme Court reversed the ruling by a 7-0 margin. Loving Care was ordered to hand over all of Stengart’s messages in connection with her lawsuit and to not keep any of them.

Categories: Network Security

Tips to approve Security Business Projects – James Anderson at RSA 2010

At RSA 2010, James Anderson, executive security consultant at Emagined Security, gives me insight into his session, “Security Business Cases: Fact and Fiction in Selling Security.” More specifically, we talk about the following:

  • Steps to walk through in creating a security business case to get approval for your security project and hard versus soft benefits
  • [3:43] Tips on creating the business case
  • [5:43] Key flaws in logic when people present their business case
  • Where security risk analysis plays a good role to build your case
  • [9:14] Examples of where security can be tied to revenue
  • [12:28] Examples of security adding value which don’t fall directly into the hard or soft benefit categories
  • [15:35] Recommended resources for learning more on these topics, where he would like to see the industry go, and how you can tell a CISO is good

Categories: Network Security