Governing for Enterprise Security

Julia Allen’s 2005 article on the CERT Coordination Center’s web site defines governance for enterprise security as “setting clear expectations for the conduct (behaviors and actions) of the entity being governed, and directing, controlling, and strongly influencing the entity to achieve these expectations.” As my experience has largely been focused on software product integrity in the small and medium-sized enterprise (SME) market, governance at the level of the organisation, rather than simply ensuring software security, has been a challenge. Governance at the organisational level is extremely important because “the largest financial threats come not from robberies but from embezzlement by insiders” (Laudon & Traver, 2010). That citation refers specifically to banks; however, according to Gupta & Hammond (2004), organisations lacking policies and procedures have been found to be susceptible to attack by insiders.

I was always aware of the threat of insider action and of the potentially devastating consequences for the business should sensitive data or intellectual property find its way into the public or competitive arenas. It is possible to mitigate, to a large extent, the risk of an e-commerce system’s security being breached by using the latest technologies; however, CERT’s work has taught me about the enterprise-level approach to combating such threats. Some of the recommendations in the podcast are things we already undertake, often as a result of “lessons learned”; however, business focus and human factors (roles and responsibilities) were usually handled through the business leader’s own ability with people and culture, and were not part of normal security procedures.

For example, in the mid 1990s I dealt with a network of people in offices separated by great geographical distances, with varying technical ability, who were required to maintain the security of their own access (i.e. password and computer) to a central electronic document management system. Not enough was done to explain the consequences of failing to protect their computers from malicious data-collecting software, or why they should use complex passwords, not leave the system whilst logged in, and so on. As a result, sensitive documents found their way into the hands of people who did not have system access at that level and, had the Internet been as prolific then as it is now, the consequences could have been much worse. CERT report that their insistence on consistent treatment of security across the organisation, as a business issue, has produced great results: if the people in the organisation are told about the risks, a significant reduction in non-technology-based breaches will result as perceptions change.

References

Allen, J (2005) Governing for Enterprise Security: Networked Systems Survivability Program [Online]. Available at http://www.cert.org/archive/pdf/05tn023.pdf (Accessed 27 August 2010).

CERT (2010) Governing for Enterprise Security [Online]. Available at http://www.cert.org/governance/ (Accessed 27 August 2010).

CERT (2010) Podcast: Getting Real About Security Governance [Online]. Available at http://www.cert.org/podcast/show/losiallen.html (Accessed 27 August 2010).

Gupta, A & Hammond, R (2004) Information systems security issues and decisions for small businesses [Online] (Accessed 29 August 2010).

Laudon & Traver (2010) E-Commerce: Business. Technology. Society. (6th Edition). Pearson Prentice Hall.