IT and Security Business Alignment
 
Questions you might hear from a board member, council member or senior management:
What is the purpose of IT?
What is the purpose of Security?
IT's place in an organization?
Security's place in an organization?
 
Business managers often need a reminder of the value that information technology and security bring to the organization.  Some see information technology and security as cost centers rather than as business enablers.  Best-in-class organizations see information technology and security as strategic business enablers.  The question I often get is: how do we get senior management to buy in to this maxim?
 
We need to go back to the basics; Business and Management 101.  I like to quote from Peter F. Drucker, the famous business consultant and writer on management and business topics, and apply that wisdom to technology and security.  Here is the quote:
 
"Business enterprises - and public-service institutions as well - are organs of society.  They do not exist for their own sake, but to fulfill a specific social purpose and to satisfy a specific need of a society, a community, or individuals."  Peter F. Drucker
 
This is a great business maxim and is often quoted.  To apply it to information technology, simply substitute IT for the organization.  Once you read the rewritten quotes you will see how clear the purpose of IT and security in the organization becomes.
 
"Information technology is an organ of the organization.  It does not exist for its own sake, but to fulfill a specific organizational purpose and to satisfy a specific need of the organization."
 
Apply this maxim to information security:
 
"Information security is an organ of the organization.  It does not exist for its own sake, but to fulfill a specific organizational purpose and to satisfy a specific need of the organization."
 
Here is another Drucker quote that is great for a maxim.
 
"Business exists in a society and community and, therefore, has to discharge social responsibilities, at least to the point where it takes responsibility for its impact upon the environment."  Peter F. Drucker
 
Here are the new maxims for information technology and information security:
 
"Information technology exists in an organization and, therefore, has to discharge organizational responsibilities, at least to the point where it takes responsibility for its impact upon the organization."
 
"Information security exists in an organization and, therefore, has to discharge organizational responsibilities, at least to the point where it takes responsibility for its impact upon the organization."
 
Armed with these maxims, the alignment of information technology and security with the organization should be clear.  Here is how we ensure business alignment at Maze & Associates:
 
Maze & Associates Mission
"We are in business to help our clients succeed."
 
Information Systems Department Mission
"We help our clients succeed by helping them secure and manage their technology investment."
 
IS Department Internal Clients: We support Maze and Associates by securing and managing the IT systems.  By supporting the staff of Maze and Associates we can help them help their clients to succeed.
 
IS Department External Clients: We help clients align their IT investment with their business goals and vision.  We can help them lower the total cost of ownership by proper IT governance.
 
Our information systems department mission statement is fully aligned with our overall business mission.  The mission of our information systems department supports the overall business mission.
 
In the military a drill instructor or platoon sergeant will call cadence as a way to keep all members of the platoon in step with everyone else and going in the same direction.  In the opening scene of the movie "A Few Good Men", starring Tom Cruise as a Naval JAG officer, we are shown the world-famous Marine Corps Silent Drill Team as they practice drills in lockstep with precision movements.  One impressive aspect is that no one calls cadence and yet they are in unison.  It looks impressive because everyone is marching in precise unison.  If one person is off you will notice it, and the entire platoon will become a disorganized cluster and will not reach its intended destination.
 
The Silent Drill Team is able to maintain unison only after extensive practice.  In other words, they don't need the cadence because of all the practice they have had.
 
Think of this illustration in your organization.  Is the entire organization in step?  If not, who is going to call cadence to get everyone in step?
 
Brought to you by Maze & Associates, a leading Northern California Accounting Firm specializing in Municipal & Nonprofit Audit, Tax for individuals and all types of entities, Information System Audits, Security Reviews, as well as PCI Scans and certified training. Maze & Associates is a PCI ASV - Approved Scanning Vendor.
 
 
Disclaimer: The views expressed here are those of the author and do not represent those of Maze & Associates.
 
 
Types of Error

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a reader:
Thanks Don. I am looking for a good definition or comparison of the difference between a false positive and a false negative. I googled it, but the definition provided appears vague. My take is a false positive is a hit, but it doesn't apply to the system, and a negative is the opposite, but someone else is connected to your network. I am still researching because it could be on the next exam and want to make sure I get those two terms straight.
 
Answer:
There are two main error types in testing and in systems that make selections:
Type I error, also called an α (alpha) error or a false positive
Type II error, also called a β (beta) error or a false negative
 
These terms are used in statistics and applied in information security to SPAM filtering, anti-virus, vulnerability scans, intrusion detection and biometrics authentication. In each instance they mean the same thing.
 
A Type I error or 'false positive' is simply a positive result that is false. For a SPAM filter it would mean the email was tagged 'positive' as SPAM but it wasn't SPAM. For vulnerability scanners the result would indicate a vulnerability that did not exist. For biometrics a false positive is when the scanner identifies a person as someone else; someone is able to impersonate someone else. In biometrics a false positive is often referred to as false acceptance.
 
A Type II error or 'false negative' is simply a negative result that is false: the system reports nothing even though the condition is actually present. For a SPAM filter it is the SPAM that gets past the filter; in other words, the filter did not detect it as SPAM. A false negative on a vulnerability scan would be a result that reports no vulnerability where a vulnerability actually exists, so the scan misses it. Finally, in biometrics a false negative is when the system fails to authenticate a legitimate user. In biometrics a false negative is often referred to as false rejection.
 
A related term you might see is Crossover Error Rate.
"Crossover Error Rate (CER) is a comparison metric for different biometric devices and technologies. It is the error rate at which the false acceptance rate (FAR) equals the false rejection rate (FRR). As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over."
 
Ideally, in a perfect world, we don't want false negatives or false positives; we want the system to be 100% accurate 100% of the time. Since we don't live in a perfect world, statistically we want these error rates to be low in our SPAM filters, anti-virus, vulnerability scans, intrusion detection and biometrics systems. The lower the better.
 
Note:
These terms may be found on a number of security certification exams, such as CISSP, Security+, CISM, etc.

 
Account Hacked

From time to time I get interesting or pertinent questions from clients, colleagues and readers. I like to post the answers on my blog because I think more people may have the same question.
 
Here is a question from a reader:
What do you do if your online account at a social media site has been hacked?

Take Action
1. Contact the website as soon as possible and let them know your account was hacked
2. Make sure your home computer, and any other computer you use to log onto the site, has not been compromised
3. Reset all your passwords, even for unrelated sites

Prevention: The easiest ways to protect your computer and account
1. Make sure you have anti-virus software and that it is set for automatic updates
2. Use a complex password (not easy to guess) and change your password regularly
3. Make sure you only log in on the real site and not on pages that look like it (spoofed sites)
4. Make sure your computer has the most up-to-date patches (this can and should be automated)
5. Upgrade to Internet Explorer 8, which has features to detect fraudulent websites
6. Keep a healthy skepticism: be skeptical of offers, emails and communications

How do hackers get into my online account?
There are a number of ways hackers can gain access to your online accounts.  In order for a hacker to gain access to your online account they need to get your password.  This means protecting your password is very important.

One of the main ways to get your password is to get spyware onto your computer.  The spyware can track your activities, including the keystrokes you make.  This type of spyware is called a keystroke logger.  Once it gets onto your computer it can track your moves and capture your password when you log onto any site.  With this a hacker can gain access to the passwords you type, which could be for every site you visit or use.

This happened to a City in Southern California.  Spyware was introduced to a computer in finance, and when the employee logged on to the bank's website to view the City's account the spyware captured the username and password.  The hackers wasted no time transferring hundreds of thousands of dollars out of the City's account.

The best protection against spyware is to have up-to-date anti-spyware and anti-virus software.

Another way hackers gain access to your passwords is called phishing.  This technique is just like it sounds: they use bait to lure you into giving them your username and password.  Typically they set up a website that looks like the login page of the website you want.  You type in your username and password thinking it is the real site, but you have just given the hackers your password.

Web browsers such as Internet Explorer 8 have anti-phishing protection, and some anti-virus packages are now adding anti-phishing protection as well.  It is important to be a little skeptical and to keep your browser, anti-virus and computer up-to-date.

Of course it isn't just hackers you have to watch out for.  Other people such as family members, friends and fellow employees may get your password if you are careless and use your accounts for who knows what.

It is important that you do not share your password with others, change it often and use a complex password no one else will guess.

Of course, following these prevention measures is no guarantee of security; constant vigilance is needed.
