What is it that an organization requires of its information assets? In this section we tighten the focus onto just the information assets, as many organizations’ information security policies are more far-reaching and deal with other related areas.
Objectives
The following objectives apply equally to information assets that are stored, developed and retrieved in IT-based systems and to those that exist in paper documents, informal records, or even the memory of individuals. Most of our discussion will only concern the former.
• Information assets must be accessible only to those who have the right to access them – confidentiality.
• Information assets must be correct – up-to-date, accurate and verifiable – integrity.
• Information assets must be accessible when needed – availability.
• Information asset management must meet external legal, governance and regulatory requirements – compliance.
Observant readers will have noticed that the ‘CIA mantra’ of confidentiality, integrity and availability has been extended. While external legal, governance and regulatory needs will generally be in the same CIA categories, the particular threats and risks under the compliance heading are sufficiently distinctive to warrant separate treatment. So we have a new mantra – CIAC.
As a perhaps cruel aside, many organizations would also aim to establish information assets that meet the needs of the organization for its operation, management and control. While it is, of course, a valid objective for the development of the organization’s information assets, it is not appropriate here where we principally consider guardianship. Such objectives are in the domain of the IT application and the IT strategy.
Confidentiality
Can we ensure that only the people who are supposed to have access to an information asset, do get access? Alternative sources of threats:
• The criminal mind[46] – a comfortable livelihood can be made if delivery schedules can be intercepted, or data can be sold to competitors.[47] If you were a criminal, how many opportunities for gain could you identify in your organization? The 2004 surge in ‘phishing’[48] shows that there are other objectives for spam.
• The competitor mind – imagine a competitor is walking around your organization and finds a logged-on, ready-to-go computer system, what could they do? What would be the most valuable data to them?
• The customer – privacy legislation in many jurisdictions now permits the individual customer (or client) to gain access to their own data, but sets severe penalties if others’ information is retrieved. Yet information about others is potentially valuable (credit-card details, for example) or simply of enormous curiosity value. A business customer may be extremely interested to know its supplier’s cost prices and discount policies.
• The employee – devil or angel, in-between, or variable? Even the most rule-abiding employee can imagine data that they would ‘love to know’ – their manager’s salary or performance appraisal, or a flame’s age, status and home address. In the normal course of events, employees seek employment elsewhere and will need to ‘feather their nest’ in the new job, perhaps with a customer list, price list or even new product release schedule. But aggrieved employees have many opportunities (see www.internalmemo.com, or other rumour mills for example).
• Anyone can be a ‘hacktivist’ – a hacker with a mission. An organization’s manufacturing locations, hiring policies, perceived social or environmental impact, or pricing practices can inspire some individuals or groups to distribute the ‘truth’. Moral outrage is not confined to anarchists and libertarians – passing on real data is much more satisfying than unconfirmed rumours.
This crowd of attackers will have various means and divergent motivations: some willing to die for the cause, others simply spending a quiet evening at home on a ‘hobby’.
Typical approaches to confidentiality are access control methods based on need-to-know user profiles and hard-to-crack passwords, restricting data to particular computers or networks, physical access restrictions and dongles (security devices attached to designated end-user devices). Systems designers typically recognize that ‘prevention’ measures are not 100% effective and will build layers of detection and response mechanisms for various breaches. Penetration testing using ‘white-hat’ hackers can be a shocking experience for any organization that wants to establish their performance in this domain.
[46] The CSI/FBI survey (2003) provides statistics on the frequency, distribution and impact of computer crime. In total, the 251 organizations surveyed reported annual losses of US$200 million. The theft of proprietary information caused the greatest financial loss with the average reported loss of approximately US$2.7 million. Virus incidents (impacting 82%) and insider abuse of network access (80%) were the most cited forms of attack or abuse.
[47] The definition of what exactly cybercrime is and how multiple jurisdictions must work together to combat it are current topics of great interest to legislators (Pounder, 2001).
[48] Seeking log-in data by creating websites that mimic others’, and gaining access to their accounts.
Integrity
Can we ensure that the data is not corrupted, either intentionally or accidentally? Intentional corruption can be an alternative strategy for all of the people identified in the above section. They can achieve their objective to steal, damage reputation or whatever, by deleting or editing data.
The cases of student grades that have been deliberately, fraudulently changed represent examples of direct personal benefit. Indeed, a common approach to fraud is an attack on data integrity through changes to prices, delivery instructions, status (perfect to damaged) or payment.
Unintentional corruption or loss typically arises from the following sources:
• Computer hardware loss, damage or malfunction, such as disk crash or faulty communication channels.
• Computer software errors – such as bugs in the software allowing a delivery to be authorized twice but only one payment received, data being overwritten, data being written to one file but not to another. Faults that allow prices to be changed without records being kept of the amendments, calculation algorithms that generate incorrect values – the list is, to all intents and purposes, infinite.
• Utility failure – the simple failure of electricity supply at a critical moment can lead an otherwise well-behaved program to generate errors. Similarly for telecommunications facilities.
• User error – warning messages such as ‘Do not interrupt this operation’, ‘Back up all data before proceeding’, ‘Press submit after making changes’ and so on, are certain to be broken at some time. If data integrity is threatened, the process must be carried out differently.
Typical approaches to ensure integrity are fault tolerant systems, imaged disks, back-ups, system logs, control totals, audit trails, recovery testing. Intrusion detection is another critical component of integrity assurance, although re-establishing a ‘record of truth’ once integrity is lost can be a painstaking and expensive endeavour.
Availability
Imagine the hostile crowd of users, megaphones blaring, demonstrating outside the IT services department while their systems are down:
What do we want? Information assets! When do we want them? Now!
Unlikely, yes, but users facing increased performance monitoring and reliance on IT to do their work can become seriously aggrieved when they are prevented from performing well. Meeting the needs for confidentiality and integrity gives no assurance for availability, although discovered failures of confidentiality or integrity will lead quickly to unavailability.
Can we ensure that our information assets are readily provided to those who need to use them at the time that they are needed? What are the key threats to availability? Hardware, software and utility failure mentioned in the section above are significant culprits in this area too. Additional threats arise from:
• Natural disasters – forest fire, flood, storms and the like. These threats can be to your facilities, to access to your facilities, to key staff or to utility services.
• Deliberate damage – arson, terrorism, vandalism. In this case there is the potential that the damage strikes at a particular vulnerable part of your organization, if the antagonist is well informed.
• Supplier or partner IT failure – while a contracted service provider may offer some assurance of availability, if your bank’s e-banking is not operating, you may have no redress. If you are relying on this to authorize shipments, business operations may be limited.
Typical approaches to ensure availability are duplication and redundancy of resources, including computers, networks, power supplies and physical locations. The removal of identified ‘single points of failure’ enhances the overall availability of the whole system. Recovery strategies are dealt with in Chapter 5 under business continuity and IT service continuity.
Compliance
Legislators around the world now address information asset security explicitly and empower regulators to police them. The UK Data Protection Act 1998, EU Directive 2002/58, US Sarbanes-Oxley Act, US Federal Information Security Management Act (2002), various Australian privacy Acts, all address the issues of confidentiality, integrity and availability of records. Failure to follow them is typically a breach. Penalties vary enormously but the worldwide corporate governance movement is placing pressure on controlling board members to take individual, personal and collective responsibility for the defaults.
The decisions about the information assets that are retained and how they are safeguarded are effectively out of the hands of management. Controlling boards will need to be assured – typically through the audit or risk function – that legislative, regulatory and ‘corporate responsibility’ standards are being met, whatever they are.[49]
It becomes quite inadequate to say, ‘We have an email policy and we can retrieve any records for due legal process’ as organizations are expected to be proactive in seeking out inappropriate use across a broad spectrum of illegal use and could be seen to be negligent if taking a minimalist approach. But the strong-hand supervision of email could easily open up claims of breach of confidentiality. Perhaps the availability paradox suggested above is in effect a dilemma, where both alternatives are unattractive.
Compliance is different from confidentiality, integrity and availability – it specifies the form of the information assets that we must keep and aspects of their guardianship.
Culture
It is fine to set confidentiality, integrity, availability and compliance as our objectives but it is hoping against hope to expect an organization to change to suit this new approach, just because some new directives have appeared. Unless the security of information assets is part of the way of thinking and behaving inside the organization, the level of breaches will be probably unknown and probably too high. So while the key performance indicators may be confidentiality, integrity, availability and compliance, the mediating influence will be in a myriad of organizational attitudes, behaviours and practices, that we conveniently label ‘culture’.[50]
Introduction of policies to safeguard information assets needs to be carefully thought through. Clearly in disciplined forces or organizations where security is part of the culture, information asset management will be seen to be part of the framework in which the organization is operating. But other, more open organizations may demonstrate much resistance to change in this area.
The objective is that everyone in the organization will have a response towards information assets that is consistent and positively engaged. If all employees see the benefit in knowing that information assets are confidential, accurate and available when required, they should be more positively disposed towards playing their part. In the same way that building security is everyone’s business and occupational health and safety concerns are widely observed, information security has the potential to become ‘part of the culture’. Thus a change in the organizational culture should be seen to be one of the objectives of the introduction of information asset management policies and practices.
[49] For some these will be imposed, for example the Federal Information Security Management Act of 2002 applying to US Government organizations.
[50] Straub and Welke (1998) identify the importance of formalizing security management, with attention to planning and education. The OECD (2002) set out a far broader set of requirements in their call for a ‘culture of security’.