Assuring Commitment to a Security Plan
After the plan is written, it
must be accepted and its recommendations carried out. Acceptance by the
organization is key; a plan that has no organizational commitment is simply a
plan that collects dust on the shelf. Commitment to the plan means that
security functions will be implemented and security activities carried out.
Three groups of people must contribute to making the plan a success.
The planning team must be
sensitive to the needs of each group affected by the plan.
Those affected by the
security recommendations must understand what the plan means for the way they
will use the system and perform their business activities. In particular, they
must see how what they do can affect other users and other systems.
Management must be committed
to using and enforcing the security aspects of the system.
Education and publicity can
help people understand and accept a security plan. Acceptance involves not only
the letter but also the spirit of the security controls. Recall from Chapter 4 the employee who went through 24
password changes at a time to get back to a favorite password, in a system that
prevented use of any of the 23 most recently used passwords. Clearly, the
employee either did not understand or did not agree with the reason for
restrictions on passwords. If people understand the need for recommended
controls and accept them as sensible, they will use the controls properly and
effectively. If people think the controls are bothersome, capricious, or
counterproductive, they will work to avoid or subvert them.
Management commitment is
obtained through understanding. But this understanding is not just a function
of what makes sense technologically; it also involves knowing the cause and the
potential effects of lack of security. Managers must also weigh tradeoffs in
terms of convenience and cost. The plan must present a picture of how cost
effective the controls are, especially when compared to potential losses if
security is breached without the controls. Thus, proper presentation of the
plan is essential, in terms that relate to management as well as technical
concerns.
Remember that some managers
are not computing specialists. Instead, the system supports a manager who is an
expert in some other business function, such as banking, medical technology, or
sports. In such cases, the security plan must present security risks in
language that the managers understand. It is important to avoid technical
jargon and to educate the readers about the nature of the perceived security
risks in the context of the business the system supports. Sometimes outside
experts can bridge the gap between the managers' business and security.
Management is often reticent
to allocate funds for controls until the value of those controls is explained.
As we note in the next section, the results of a risk analysis can help
communicate the financial tradeoffs and benefits of implementing controls. By
describing vulnerabilities in financial terms and in the context of ordinary
business activities (such as leaking data to a competitor or an outsider),
security planners can help managers understand the need for controls.
The plans we have just
discussed are part of normal business. They address how a business handles
computer security needs. Similar plans might address how to increase sales or
improve product quality, so these planning activities should be a natural part
of management.
Next we turn to two
particular kinds of business plans that address specific security problems:
coping with and controlling activity during security incidents.
Related Topics
Privacy Policy, Terms and Conditions, DMCA Policy and Compliant
Copyright © 2018-2024 BrainKart.com; All Rights Reserved. Developed by Therithal info, Chennai.