[ Thursday, October 30, 2008 ]


ACT/AIC Leadership Conference: Below is an email I got from Alan Goldberg, who got it from Tom Evans of KMK Consulting:

Earlier this week, I was privileged to join over 250 government and more than
600 IT professionals for the American Council for Technology (ACT)/Industry
Advisory Council (IAC) 2008 Executive Leadership Conference in Williamsburg,
Virginia. The government participants in this 2-1/2 day conference included more
than 50 chief information officers, chief information security officers and
chief privacy officers (collectively, CXOs). These CXOs were from Veterans
Affairs, Health and Human Services, Defense, GSA, Justice, State Department,
Commerce, Treasury, and the military services, among others. Also attending ELC
as a speaker, panelist and participant was the Administrator of the Office of
E-Government and Information Technology within the federal Office of Management and Budget.

At the ELC, I participated in six sessions dealing with a
range of information security and privacy risk management issues. What follows
are selected highlights from those sessions – key takeaways that may be helpful
to you and your organizations in the months and years ahead. Although these ELC
sessions focused on government information security and privacy risk management issues, lessons learned from speakers and panels are applicable to both public and private sector information security and privacy safeguards.

* The traditional equation for determining the risk to safeguarding information
confidentiality, integrity and availability [Risk = (Threat) x (Vulnerability) x
(Impact)] may result in risk assessments and risk management plans that are not
focused on what an organization can actually address

o Organizations may not be able to control the threats

o If the confidentiality, integrity or availability of information is compromised, an impact will occur. The impact of a compromise cannot be eliminated; it can only be mitigated

o Key may be focusing on physical and cyber vulnerabilities to information confidentiality, integrity and availability

+ Elimination of a vulnerability removes both a threat and an impact

+ Reducing a vulnerability reduces the threat and the potential impact

* Security is not just today, but every day in the future

o Security through 2007 was perimeter and infrastructure centric

+ For many organizations, if someone pierces their perimeter, everything may be open

+ “Low risk” systems may provide “high risk access” to all systems inside the perimeter

o Security now and beyond: data and application centric – safeguarding against changes in your organization’s information

+ Assume your perimeter can be breached

+ Mitigate the consequences of the breach

# Protect the immutability of data elements

# Track and log changes and who touches the data

+ Mandate that applications procured by your organization have information security “baked in” and not acquired as an “add on”

+ Segregate control systems from operational systems; disconnect control systems from the Internet or other public channels

+ Legacy systems may not be “risk tolerant,” creating the need to protect their critical elements through separate physical and cyber security measures

+ Vulnerabilities creating business continuity risks

* Organizations need to distinguish between what are “issues” and what are “risks”

o “Issues” – What is currently impacting your information security and privacy safeguards

o “Risks” – What may potentially impact your information security and privacy in the future

o Risk management plans which focus on information security and privacy “issues” address the past, not the future

* Physical security and cyber security are converging and organizations need to break down the silos which separate these two aspects of information security and privacy

o Physical security increasingly depends on cyber security

o Cyber security increasingly depends on physical security

o Greatest information security and privacy vulnerabilities exist where physical and cyber security overlap

o Traditional cultures of physical and cyber security are different, creating roadblocks to effectively fusing physical and cyber security (and achieving hard dollar cost savings over time)

* Addressing risks to the confidentiality, integrity and availability of information

o Risk management is part of the planning and budget process

o Organizations must evaluate whether their culture is one of “risk tolerance,” “risk averse” or “risk avoidance.”

+ An organization’s “risk culture” may dictate not only solutions, but also the budget, for information security and privacy

o Risks which are not mitigated or avoided are retained risks

+ “Denial” is neither a strategy nor a risk management plan

+ “Hope” is neither a strategy nor a risk management plan

+ Is retention of risks which are not small a viable, reasonable or appropriate component of an organization’s information security and privacy program?

o Stellar performance in safeguarding the confidentiality, integrity and availability of an organization’s information garners few or no accolades; the downside of non-performance is large

* “Checkbox security” is not evidence of reasonable, appropriate or viable information security and privacy safeguards

o Documentation is not the source of good security

o Documentation is an artifact [tool or weapon] of good security

* Selected risk management keys

o Assuring data usability must be a factor in risk analysis (whether data is used within or without the organization)

o Innovate to block attacks

o Develop attack-based metrics

o Monitor new attacks and critical vulnerabilities daily

o Continuously monitor and fix vulnerabilities

o Automate to make old defenses inexpensive

o Procure new applications and hardware with “baked in security”

+ Security should not be something for which a vendor charges “extra”

* * * * * * *

Speakers and panelists for the Risk Management Sessions at ELC included (but were not limited to) Alan Paller, Director of Research at the SANS Institute; Karen Evans of OMB’s Office of E-Government and Information Technology; Glenn Schlarman, former Chief of the OMB Office of Information Policy and Technology Branch; Scott Borg, Director and Chief Economist, U.S. Cyber Consequences Unit; Greg Alexander, Cyber Information Security Officer, US Public Sector, EDS, an HP Company; Adair Martinez, Deputy Assistant Secretary for Information Protection and Risk Management, Department of Veterans Affairs; and Gregory Friedman, Inspector General, Department of Energy.

Jeff [10:37 AM]
