Cybersecurity checklist for business managers.


EXECUTIVES are increasingly expected to know and take responsibility for their companies' IT security, particularly if there is a data breach of customer or sensitive financial information. A new checklist being drafted by the United States Cyber Consequences Unit (US-CCU), a research unit funded by the Department of Homeland Security, provides business managers with a tool that makes this task simpler.

John Bumgarner, research director for security technology with the US-CCU, says that the idea for the checklist evolved because, despite the number of industry-specific guidances (such as Sarbanes-Oxley and ISO standards), there was nothing aimed at nontechnical managers. He and the unit's director, Scott Borg, a senior research fellow at Dartmouth University's Tuck School of Business, spent a year putting together nearly 500 questions that require no deep understanding of technology to help nontechnical executives assess whether they have adequate IT security.

"We wrote it from the business angle," says Bumgarner, so that it could be used in any business unit, from physical security to human resources. "We looked at it from a business standpoint and broke down an organization's IT infrastructure into business components."

The questions fall in six areas of vulnerabilities: hardware, software, network, automation, human operator, and software supply. These are further broken down into subsets, so that, for example, hardware vulnerabilities include tracking and guarding physical equipment, protecting communication lines, and controlling physical access.

Questions, even those that target technical subjects like networks, are at a high level rather than intricately detailed. This allows executives to ask the right questions while leaving it to the technical professionals to consider the answers. Example questions include: Is network traffic regularly monitored for covert communication channels? Do corporate policies define what type of data communication should be encrypted, and what type of encryption should be used? Are penetration scans regularly performed on critical systems inside the corporate network?

[ILLUSTRATION OMITTED]

Mike Jacobs, vice president and director, cyber and national security, with IT integrator SRA International, gives the list kudos. "It's the only list I've seen of its type that is that comprehensive," he says. "It's put together in a way that's both readable and understandable, in clear and unambiguous terms," unlike other checklists "written by techies for techies" that are all but undecipherable by nontechnical executives, says Jacobs, who is former head of the National Security Agency's information assurance directorate.

Bumgarner says that they received comments and suggestions from security professionals throughout the private and public sectors, and that they are adding some new questions based on the feedback they've gotten. Jacobs says he plans on suggesting that updated versions of the list include questions on antitampering technology, which is software that alarms when an attacker tries to alter it and then automatically corrects any changes made.

The checklist will remain a living document, updated annually or biannually. "A lot of lists are stagnant," says Bumgarner. "That's a problem because the IT community moves on, and so does the business community."

@ THE US-CCU CYBERSECURITY CHECKLIST IS AT SM ONLINE.
COPYRIGHT 2006 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2006 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation: Technofile; United States Cyber Consequences Unit's checklist of internet security
Author: Piazza, Peter
Publication: Security Management
Geographic Code: 1USA
Date: Aug 1, 2006
Words: 501