Whitepaper 01-04: Organizational Security Concerns: Analysis and Recommendations

Click here to download “Organizational Security Concerns” now!

Computer security breakdowns in the news remind us how companies are vulnerable to many types of failures – logical, physical, and administrative. In this paper, we review a number of these news stories to see how they could affect our own organization’s security posture. To some, security simply means guarding the computers. While the importance of physical computer security cannot be overstated, security far “transcends technology.”[i]

In this paper, we posit that specific security breaches are best stated as failures in the organization’s high-level Security Policy (or lack thereof). As eminent security analyst Mich Kabay points out, the security policy “govern[s] how an institution’s information is to be protected against breaches of security.”[ii] A properly implemented security policy provides both a formal demonstration of due diligence to our customers (for example, adopting Bell-LaPadula[iii] as a security model) and the security-aware employee mindset that prevents security problems in the first place. A security policy allows us to deliver on the basic security tenets of confidentiality, integrity, and availability (otherwise known as the CIA Triad[iv]).
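To make concrete what it means for a model such as Bell-LaPadula to enforce the confidentiality leg of the CIA Triad, here is a small reference monitor written for this page (an added illustration, not code from the whitepaper or from Bell and LaPadula’s report). It encodes the two mandatory BLP rules, the simple security property (“no read up”) and the *-property (“no write down”), over labels made of a classification level plus a compartment set, and records every decision so that denials can be audited. The level names, subjects and documents are constructed sample data, not values taken from the paper.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Linear ordering of classification levels (constructed for this example).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A BLP security label: a classification level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Label A dominates B when A's level is at least B's level and
        # A's compartments include every compartment of B.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): object must dominate subject, so a high
    subject cannot copy what it knows into a lower-labelled object."""
    return obj.dominates(subject)


class ReferenceMonitor:
    """Mediates every access request and keeps an audit trail of decisions."""

    def __init__(self, subjects: Dict[str, Label], objects: Dict[str, Label]):
        self.subjects = subjects
        self.objects = objects
        self.audit: List[Tuple[str, str, str, bool]] = []

    def request(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":
            allowed = can_read(s, o)
        elif mode == "write":
            allowed = can_write(s, o)
        else:
            raise ValueError(f"unknown access mode: {mode}")
        self.audit.append((subject, obj, mode, allowed))
        return allowed

    def denials(self) -> List[Tuple[str, str, str]]:
        """Denied requests, the entries a security team would review."""
        return [(s, o, m) for s, o, m, ok in self.audit if not ok]


def demo() -> ReferenceMonitor:
    # Constructed sample principals and documents (hypothetical names).
    subjects = {
        "analyst": Label("SECRET", frozenset({"FINANCE"})),
        "clerk": Label("CONFIDENTIAL"),
    }
    objects = {
        "payroll": Label("SECRET", frozenset({"FINANCE"})),
        "bulletin": Label("UNCLASSIFIED"),
        "merger_plan": Label("TOP_SECRET", frozenset({"FINANCE", "LEGAL"})),
    }
    rm = ReferenceMonitor(subjects, objects)
    rm.request("analyst", "payroll", "read")        # True: equal labels
    rm.request("analyst", "bulletin", "read")       # True: reading down is fine
    rm.request("analyst", "bulletin", "write")      # False: writing down would leak
    rm.request("analyst", "merger_plan", "write")   # True: writing up is permitted
    rm.request("clerk", "payroll", "read")          # False: reading up
    return rm


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Note that the *-property is what distinguishes BLP from ordinary access lists: the analyst is allowed to read the unclassified bulletin but not to write to it, because the model reasons about information flow rather than about who owns a file. Compartments make the ordering a lattice rather than a simple ladder, so two SECRET labels with different compartments do not dominate each other.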



[i] “Security Transcends Technology” is a registered trademark of the International Security Certification Consortium (ISC2), https://www.isc2.org/. This organization provides the highly desirable Certified Information System Security Professional (CISSP) certification, the gold standard for certification in the field of Information Assurance.

[ii] Seymour Bosworth, M.E. Kabay, Eric Whyne, eds., “Chapter 44.2.1: Security Policy Guidelines,” Computer Security Handbook: Volume 1, 4th ed. (Hoboken, NJ: John Wiley & Sons, Inc., 2009), pg. 1148. Dr. Kabay’s definition points out that without a foundational security policy, it is impossible for an organization to show a meaningful due diligence effort.

[iii] D. Elliott Bell and Leonard J. LaPadula, “Secure Computer Systems: Mathematical Foundations,” MITRE Technical Report 2547, Volume I (March 1, 1973). Available online at http://www.albany.edu/acc/courses/ia/classics/belllapadula1.pdf (accessed: July 31, 2010). Bell-LaPadula (BLP) defines a mathematical data security model that guarantees data confidentiality in all system states (when properly implemented). BLP is the most widely recognized model in existence.

[iv] Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, 3rd ed. (Upper Saddle River, NJ: Prentice Hall, 2003), pg. 10. Dr. Pfleeger is widely credited with the first mention of the term CIA Triad in his first edition of this book (same publisher, dated 1989).
