Computer security breakdowns in the news remind us how vulnerable companies are to many types of failures: logical, physical, and administrative. In this paper, we review a number of these news stories to see how they could affect our own organization’s security posture. To some, security simply means guarding the computers. While the importance of physical computer security cannot be overstated, security far “transcends technology.”[i]
In this paper, we posit that specific security breaches are best described as failures in the organization’s high-level Security Policy (or the lack of one). As eminent security analyst Mich Kabay points out, the security policy “govern[s] how an institution’s information is to be protected against breaches of security.”[ii] A properly implemented security policy provides both the formal effort that demonstrates due diligence to our customers (for example, adopting Bell-LaPadula[iii] as a security model) and the security-aware employee mindset that prevents security problems in the first place. A security policy allows us to deliver on the basic security tenets of confidentiality, integrity, and availability (otherwise known as the CIA Triad[iv]).
[i] “Security Transcends Technology” is a registered trademark of the International Security Certification Consortium (ISC2), https://www.isc2.org/. This organization provides the highly desirable Certified Information System Security Professional (CISSP) certification, the gold standard for certification in the field of Information Assurance.
[ii] Seymour Bosworth, M.E. Kabay, Eric Whyne, eds., “Chapter 44.2.1: Security Policy Guidelines,” Computer Security Handbook: Volume 1, 4th ed. (Hoboken, NJ: John Wiley & Sons, Inc., 2009), pg. 1148. Dr. Kabay’s definition points out that without a foundational security policy, it is impossible for an organization to show a meaningful due diligence effort.
[iii] D. Elliott Bell and Leonard J. LaPadula, “Secure Computer Systems: Mathematical Foundations,” MITRE Technical Report 2547, Volume I (March 1, 1973). Available online at http://www.albany.edu/acc/courses/ia/classics/belllapadula1.pdf (accessed: July 31, 2010). Bell-LaPadula (BLP) defines a mathematical data security model that guarantees data confidentiality in all system states (when properly implemented). The BLP is the most widely recognized model in existence.
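To make the BLP guarantee cited above concrete, here is an added illustration (not code from the paper or from the Bell-LaPadula report) of the two rules that keep every system state confidentiality-secure: the simple security property (no read up) and the *-property (no write down). The levels, categories and the subject and object labels are constructed for the example.

```python
from dataclasses import dataclass

# Constructed linear ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """A BLP security label: a sensitivity level plus a set of need-to-know categories."""
    level: str
    categories: frozenset


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's and it holds all of b's categories."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def may_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject may read only objects it dominates (no read up)."""
    return dominates(subject, obj)


def may_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write only objects that dominate it (no write down)."""
    return dominates(obj, subject)


def state_is_secure(accesses, subjects, objects) -> bool:
    """A state is secure when every currently held access satisfies both properties.

    accesses: iterable of (subject_name, object_name, mode) with mode "read" or "write".
    """
    for s, o, mode in accesses:
        check = may_read if mode == "read" else may_write
        if not check(subjects[s], objects[o]):
            return False
    return True


# Constructed scenario: an analyst cleared to secret/{finance}.
SUBJECTS = {"analyst": Label("secret", frozenset({"finance"}))}
OBJECTS = {
    "q3_report": Label("confidential", frozenset({"finance"})),
    "merger_plan": Label("top_secret", frozenset({"finance"})),
    "public_log": Label("unclassified", frozenset()),
}
# Reading down is fine; writing the secret analyst's output into a public log is not.
SECURE_STATE = [("analyst", "q3_report", "read")]
LEAKY_STATE = [("analyst", "q3_report", "read"), ("analyst", "public_log", "write")]
```

Denying the "write" in LEAKY_STATE is exactly what stops a high-clearance subject (or a program it runs) from copying secret data into a place low-clearance readers can see.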
[iv] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 3rd ed. (Upper Saddle River, NJ: Prentice Hall, 2003), pg. 10. Dr. Pfleeger is widely credited with the first mention of the term CIA Triad in his first edition of this book (same publisher, dated 1989).