
Take it from the top.


MANAGEMENT'S ROLE IN computer security. This concept may come as a shock to many of today's managers. However, not only do managers have a role, but their role includes much more than mere asset accountability and control. Too many managers regard computer security as a technology problem rather than a management one and defer computer security to technicians.

Why this confusion? Management's erroneous perception that computer security is a technology problem stems in part from a misunderstanding. In addition to obviously technological components such as hardware and software, computer security includes both administrative issues (personnel and procedural matters) and environmental issues (physical security and hazard protection).

Another point of confusion is that to many managers computer security is neither computer nor security. This opinion is formed when managers hear computer technicians disparage security as detrimental to data processing and claim that security personnel want to lock up everything indiscriminately, and when managers hear businesspeople question the expenditure of funds and other precious resources on something so difficult to comprehend. Management tends to disregard any issue, like computer security, that lacks clear-cut organizational and staff support.

Another element of confusion stems from the belief that because nothing bad has happened, nothing needs to be done. This shortsighted view suggests that one ought to wait for a disaster before doing anything about it. If this line of thinking were applied to the rest of the business, no insurance or other risk management process would ever be used.

Security's fundamental objective is to reduce losses, while management generally focuses on expanding business opportunities. Because of these differences, management often assigns computer security responsibility to the data processing department, which may seem more sensitive to management's objectives than the security department is.

Finally, the fact that computer security crosses over organizational lines makes it difficult for management to identify a department that can obtain cooperation and compliance from the entire organization. This situation is another reason that management often assigns computer security responsibilities to data processing technicians--they already cross organizational lines. This management decision may be made even though there is a basic conflict of interest in allowing the unit responsible for operating the computer system also to have the final say on the type and amount of protection the system is provided.

A definition of computer security might help clear up these misunderstandings about management's role. Computer security is the detection, prevention, and investigation of actual or potential acts or omissions that threaten a computer system's resources, data, or processing capabilities. Computer security includes all the problems associated with safeguarding critical resources and sensitive information in general plus problems that are unique to automated information processing and communications systems.

The difficulty in providing adequate security for computer systems lies not in the general security principles but in the aggregation of diverse, complex elements whose security affects all aspects of the organization. As a result, management that defers computer security responsibilities to the data processing organization is likely to experience some type of computer security-related problems eventually.

ONCE management recognizes that computer security transcends both the data processing department and the security office, it must assume the leadership role by performing several key steps toward securing computer systems.

Policy. Management's role in computer security begins with the establishment of a definitive computer security policy. A policy statement about computer security might not be necessary except that employees' attitudes toward computer and information security vary widely. This diversity of attitudes applies to computer users who understand the sensitivity of their data but trust that it is being secured by someone else, to data processors who may not fully appreciate the value of the data with which they are entrusted, and to many others who feel they are entitled to use the computer and its resources as they wish because of their knowledge of the technology.

To demonstrate management's seriousness, the computer security policy should be issued from the highest possible level in the corporation. The policy should succinctly state that all data and computer resources are the property of the corporation and that their use is restricted to authorized activities that support company goals. The policy should further state that all employees are responsible for computer security and safeguarding corporate information assets.

However, the policy will do no good unless it is properly communicated to all employees and managers. It is also important periodically to remind them that the computer security policy exists. Posters, newsletters, and employee briefings are useful communication methods for these purposes.

Compliance incentives. The next step management should take toward computer security is to develop goals against which individuals' compliance with the corporate policy can be measured. Important corporate issues must be used as a measure of individual performance and reward, especially in the realm of computer security, where employees often need incentives to participate.

These performance goals should be applied not to security and data processing personnel alone but to all managers and supervisors. Including everyone is an acknowledgment that computer security is everyone's responsibility. It also suggests that senior management considers computer security an important indicator of individual merit.

Responsibility. Management should assign computer security oversight responsibility to a senior manager who reports at the highest level in the organization. This manager can then influence business decisions so computer security will be included in overall strategic plans. For example, if a corporation is considering a fully automated order entry, inventory control, shipping, and billing system, the senior manager can remind the executive group to provide for computer security in it.

Management should also assign one person the functional responsibilities of computer security. This manager should be independent of the data processing department and the security office. Ideally, the functional manager would report to the senior manager responsible for computer security. The functional manager should develop and implement a computer security program budget and direct the day-to-day computer security activities of the corporation.

Program. Management should initiate a computer security program under the direction of the functional manager to establish an overall approach to implementing computer security throughout the corporation. The program can be divided into the following parts:

* Standards, procedures, and guidelines. The computer security manager should prepare rules governing data classification, backup and recovery, contingencies, auditability, physical access control, the computer environment, hazard protection, personnel surety, media storage, and communications.

* Data classification requirements. To design and implement adequate security, management should develop data classification requirements that help users determine the criticality and sensitivity of a system or application.

Criticality is the relative importance of a system or application--how often the system or application is required and how much its destruction or delay would affect the business. Systems and applications have varying degrees of impact on operations as well as varying tolerances to delay or destruction. For example, a payroll application may be critical when the payroll is scheduled to be run; however, between paydays it is important but not critical.

The primary user of a system or application should prepare a written statement of criticality, which can be included in the user requirements for a system or application as well as in the justification supporting a request for funding.

Sensitivity is the susceptibility of a system, an application, or data to disclosure or modification. Generally, sensitivity is a concern about data. However, because data is integrated with systems and applications, the sensitivity of a system or application may affect data.

Once again, the primary user of a system or application should prepare a written statement to describe what would happen should the data be disclosed or modified in an unauthorized or undesired manner. The sensitivity statement can be included in the user requirements for the system or application as well as in the justification supporting an appropriation request.

* Auditability. The principle of auditability includes more than a historical review of the security controls for a system or application. It also includes interaction between the computer security manager and audit personnel during all phases of a system's life. All computer systems should provide audit trails of who is doing what, when, and why.

* Recoverability. The computer security program should ensure that recoverability is addressed for each system or application within the corporation. With the help of appropriate users, management should develop an overall strategy for the recovery of systems and applications.

* Training/security awareness. An overall program of recurring training in computer security should be planned, developed, and implemented with the participation of management. This training could be in the form of videotapes, brochures, posters, newsletters, or briefings.

Management's role is to endorse and support. Managers should attend the training sessions and make public statements of support in newsletters and videotapes. Management should support computer security as a cost-containment program that results in bottom-line savings.

Regardless of the specific way in which managers take part, they must show employees a level of sincerity that adds credibility to the organization's computer security program. Managers should apply their leadership skills to computer security just as they do to other critical aspects of the business.

Management's role in computer security is, in a word, leadership. This management leadership role should result in a more effective computer security effort that safeguards critical corporate information and prevents costly losses.

About the Author. . . James R. Wade is manager of information systems security at Battelle Memorial Institute in Columbus, OH. He is also program manager for Battelle's information systems security program office. Wade is chairman of the ASIS Standing Committee on Computer Security.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.

Article Details
Title Annotation: special section - Computer-Information Security: Getting the Protection You Need
Author: Wade, James R.
Publication: Security Management
Date: Mar 1, 1989
