
New world risks call for old risk management techniques. (Special Report: Cyber Liability).


If risk managers were to read just one section in the recently amended 60-page White House report, The National Strategy to Secure Cyberspace, says Ty Sagalow, it would be Section I on page 39.

A new White House report long on vision but short on details provides a starting point for collaboration between the government and the private sector to protect data, infrastructure and computer networks.

There the report spells out why it's important that in the fight to win the cyber security war, American businesses must use traditional risk management strategies--which they have mostly ignored until now.

"Until the White House document, traditional risk management principles were not self-evident to people typically given the chore of managing cyber risk," says Sagalow, executive vice president and chief operating officer Chief Operating Officer (COO)

The officer of a firm responsible for day-to-day management, usually the president or an executive vice-president.
 of AIG AIG addressee indicator group (US DoD)
AIG American International Group, Inc
AiG Answers in Genesis (religious group in defense of Scripture)
AIG Artificial Intelligence Group
AIG Australian Industry Group
 eBusiness Risk Solutions and author of several books on cyber risk management and exposure. "This document is saying to both the chief technology officer and the risk manager, "This is part of your job.'" Cyberrisk is risk management just like any other risk management."

The report, which was amended and re-released in February (it initially was released in October 2002), is much more than a call to industry to treat cyber risk just as it does any other key risk. The report is available at the www.pcis.org site.

Sagalow and other experts believe the report also provides a major starting point when it comes to the important business of protecting not just private industry data and infrastructure, but the public and private sectors together. Peter Allor, manager of research and development at Atlanta-based Internet Security Systems (ISS), said the document is strictly a policy strategy that outlines a vision.

"This report doesn't have the answers and it shouldn't, because you want a strategy to be enduring," he says. "You can never really catch up. This is more of a tactical-level view. A true strategy should last a couple of years, and will need updating to reflect changing priorities."

Allor says that while cybersecurity has never been funded heavily compared with infrastructure risk management (routers, desktops, laptops, etc.), that focus now has to change.

"Information technology [IT] is there to help business operate more efficiently," he says. "But most companies haven't said, 'We have a lot of intellectual knowledge and proprietary information on our network, how do we secure that?' Now, they're trying to catch up."

The report is the first time there has been government partnership with the private sector on the cybersecurity front. Why? Because, Allor says, 80 percent to 85 percent of the nation's network infrastructure is in private hands. "Who has a better handle on it than people who deal with it every day?" he says.

He said the report offers some broad cybersecurity aspects risk managers can think about, such as: What is the company policy for securing cyberspace? Do we have a response to an attack? Who makes the decision to turn off the corporate connection to the Internet? If a new virus hits, who sets the priority that this needs to be worked on over the weekend? Who decides when to change passwords and what formats should they be?

"We've never had a document like this before," Allor says. "The real question is how can we put an oar in the water and all row in the same direction."

Jay Williams, chief technology officer for The Concours Group, a Kingwood, Texas, consulting, research and education firm, believes the strategy outlined in the government report is focused on the importance of protecting key elements of the national network infrastructure.

"The report is saying that first you have to understand what it is you want to design," says Williams. "From both a country and a business perspective, most folks need to understand the scope before they can establish a specific plan."

Risk managers, Williams says, have to decide where they currently stand within their own organizations. From an overall country perspective, it's important to determine where we are most at risk.

While the document itself is a good idea, it's important to be careful not to perceive it as a "silver bullet" with the answers. "It's a good starting point for the debate," he says. "We wouldn't be having this conversation if this document hadn't come out."

He believes one of the key challenges in securing cyberspace is that we must remember that the public vs. private issue is mainly a facade, because the "public is us." For example, he says, those staffing the Department of Homeland Security are people who come from private industry. Policies coming out of the Department of Homeland Security lay out responses to support specific standards in times of emergency.

So it's important for risk managers to know how to integrate with those responses, mainly to know what the reporting mechanisms are and to understand how to be plugged into the government's newly created Cyber Threat Center. Those issues need to be factored into any cyber risk management strategy.

Risk managers, he said, should pay particular attention to the report's eight key actions. One of the eight action items is to reduce software vulnerabilities. "That sounds simple, but it's a complex undertaking," he says.

In a 2003 survey, the Meta Group found that 40 percent of companies have only five percent of total IT spending allocated to cyber security.

"This document is starting the discussion, but it's not full of solutions," Williams also says. "This is a complex set of issues, with a huge impact on business and huge costs. And nothing is 100 percent guaranteed when it comes to cybersecurity."

John Frazzini, vice president of intelligence operations at iDEFENSE, a Chantilly, Va.-based provider of security intelligence to government agencies and the private sector, says the report represents a fundamental shift from cyber security as an IT issue to a business issue. The shift is an evolution of public policy that began with the Clinton White House and is being continued by the Bush administration. "The report elevates the issue of cyber security to a national security issue for the nation's infrastructure," says Frazzini.

The report singles out eight sectors of the US economy--banking and finance, insurance, chemical, oil and gas, electric, law enforcement, higher education, transportation (rail), information technology and communications, and public utilities--and how a disruptive "cyber event" could affect the domestic and global economies.

The report makes it clear that cyber security is not just a technology concern any longer to be handled by a systems administrator, Frazzini says. Now it's on a much higher level, whereby if someone isn't aware of what to do to ensure more cyber security, it could cripple a department or company.

"There is no question that in Washington there is an evolution to protect U.S. security that has reached the highest levels of government, and the report is calling on the private sector to do its part," he says. "The argument is you are not only helping your own business, you are helping America, too."

As it stands, Frazzini said, some larger companies, even some on the Fortune 100 level, are doing the minimum to protect their cyber assets. "Some admit they have not spent the money on security they should have spent," he says, adding that in many cases the situation is due to a basic failure of IT people to communicate with business people. "The biggest challenge isn't talking about technology, but communicating with business leaders," says Frazzini, a former agent with the U.S. Secret Service. "Having technology creates opportunity, but it also creates risk. And that risk is a business risk, not just a technology risk."

Eric Uner, co-founder of Bodacion Technologies, a Barrington, Ill., company that develops technology security solutions, agrees that in general, the plan is a series of suggestions, not a hard policy statement or regulatory document. In fact, he says the document really states the obvious when it comes to everything going on and what people are doing and might do to secure their networks.

"The entire document is drafted for a nontechnical audience," he says. "And the section of the document that deals cyberrisk is vague and somewhat toothless." The recommendations come with a government promise to follow up on some items.

But he admits that the guidelines are important for risk managers who may not be as familiar with the challenges of developing risk management programs for cybersecurity. "The report is worth a look by everyone in the private sector as a reality check," he says. "It's an informational piece, with some recommendations on what to do and what to look for."

"The report is the opening act of a major play," Sagalow says, noting that right now, cyberrisk coverage is a $100$150 billion market projected to grow to $5.2 billion by 2005. "It's setting the stage, and telling risk managers that establishing an approach is critical. It also says to the risk management community, 'This is a risk that falls within your bailiwick BAILIWICK. The district over which a sheriff has jurisdiction; it signifies also the same as county, the sheriff's bailiwick extending over the county.
     2.
. You can't just manage cyber risk through technology, you have to do it with sound risk management strategies as well.'"

RELATED ARTICLE: Key Elements of a National Strategy for Securing Cyberspace

* Enhance law enforcement's ability to prevent and prosecute cyber attacks.

* Create an assessment process to understand the potential consequences of threats and vulnerabilities.

* Improve Internet protocols and routing.

* Foster the use of trusted digital control systems/supervisory control and data acquisition systems.

* Reduce and strengthen software against attacks and viruses.

* Improve the security of cyber systems and telecommunications networks.

* Prioritize federal cyber security research and development agendas.

* Assess and secure emerging systems.

More information is available at www.pcis.org.

Thomas Starner can be reached at TomStarner@earthlink.net.
COPYRIGHT 2003 Axon Group
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003 Gale, Cengage Learning. All rights reserved.

Article Details
Author:Starner, Thomas
Publication:Risk & Insurance
Date:May 1, 2003