New approaches to secure IT systems (page 1 of 2)
- United Arab Emirates: Tuesday, November 16 - 2004 at 13:03
How do you find out how to secure your IT system? What are the main issues faced today? Some welcome answers from Anthony Rhodes, Associate Professor and Assistant Dean of the College of Information Systems, part of the UAE's Zayed University.
• spam [VNUN2004] and spim (instant messaging spam),
• phishing attacks, which usually arrive in an e-mail message purporting to be from a trusted business such as a bank; users are asked to visit a website made to look like the real business's site and provide private information 'for security purposes'. This information is often then used to commit credit card fraud,
• spyware, which can monitor a user's web habits for purposes such as serving pop-up ads or, more maliciously, stealing sensitive personal data,
• ineffective firewalls, particularly for e-commerce web applications,
• cyber crime such as cyberextortion and cybernapping (holding an electronic database for ransom), and the ubiquitous
• viruses and worms (Netsky, MyDoom, Sasser, Korgo, Bagle, Blaster, Zafi).
Added to these threats is the alarming fact that most IT professionals have not been formally trained in IT security, and the recent pool of graduates trained in IT security is not large (in the US in 2003 there were, anecdotally, around 30 PhDs in computer systems security).
However, there are readily available resources that can assist greatly in developing, implementing and maintaining sound IT security for an organisation.
The NIST (National Institute of Standards and Technology) group based in the US Department of Commerce promotes the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems.
These guidelines are intended to be suitably generic to be applied to security in the private sector. For management charged with responsibility for the security of information systems applications and systems, but with limited security-trained IT staff, the NIST publications offer much hope. They can assist with 'security implementation guidance' and 'system certification and accreditation'.
Check these websites
The following NIST websites, http://csrc.nist.gov/publications/nistpubs/index.html and http://checklists.nist.gov/, are strongly recommended to IS practitioners for security guidance. These publications are guidelines and as such offer a degree of flexibility as to how an individual organisation implements any of the measures described.
They suggest what needs to be done, but not necessarily how. The 'how' will depend on the amount of security awareness and expertise the organisation has available to it, either in-house or external, such as by outsourcing security.
Prior to utilizing any of the above security guidelines it is mandatory that an enterprise have a properly developed and comprehensive security management plan. Once again, NIST guidelines can assist here too. When developing a security management plan, an excellent place to start is to conduct a security self-assessment.
NIST Special Publication 800-26 'Self-Assessment Guide for Information Technology Systems' contains a comprehensive self-assessment questionnaire that IT practitioners can use for this purpose. The questionnaire can be used to develop the three major control areas to be placed into the security management plan: 1) management controls, 2) operational controls, and 3) technical controls.
Peter J. Cooper