Let Someone Break Rules to Improve Security Compliance


20 September 2012

Author: Dr. T V Gopal
Chairman, Division II [Software], Advisor CSI Communications [CSIC] and Professor, Department of Computer Science and Engineering, Anna University, Chennai, India
gopal@annauniv.edu

In their popular book titled First, Break All the Rules: What the World's Greatest Managers Do Differently, Marcus Buckingham and Curt Coffman of the Gallup Organization present the remarkable findings of their massive in-depth study involving 80,000 great managers across different industries and a wide variety of situations. The greatest managers in the world seem to have little in common. They differ in sex, age, and race. They employ vastly different styles and focus on different goals. Yet despite their differences, great managers share one common trait: they do not hesitate to break virtually every rule held sacred by conventional wisdom. They do not believe that, with enough training, a person can achieve anything he sets his mind to. They do not try to help people overcome their weaknesses. They consistently disregard the golden rule. And, yes, they even play favorites.

Buckingham and Coffman explain how the best managers select an employee for talent rather than for skills or experience; how they set expectations for him or her (they define the right outcomes rather than the right steps); how they motivate people (they build on each person's unique strengths rather than trying to fix his weaknesses); and, finally, how great managers develop people (they find the right fit for each person, not the next rung on the ladder).

The essence of the above book is nicely summarized by Regine P. Azurin and Yvette Pantilla, as given below.

Key Ideas:
1. The best managers reject conventional wisdom.
2. The best managers treat every employee as an individual.
3. The best managers never try to fix weaknesses; instead they focus on strengths and talent.
4. The best managers know they are on stage every day. They know their people are watching every move they make.
5. Measuring employee satisfaction is vital information for your investors.
6. People leave their immediate managers, not the companies they work for.
7. The best managers are those that build a work environment where the employees answer positively to these 12 questions:
- Do I know what is expected of me at work?
- Do I have the materials and equipment I need to do my work right?
- At work, do I have the opportunity to do what I do best every day?
- In the last seven days, have I received recognition or praise for doing good work?
- Does my supervisor or someone at work seem to care about me as a person?
- Is there someone at work who encourages my development?
- At work, do my opinions seem to count?
- Does the mission/purpose of my company make me feel my job is important?
- Are my co-workers committed to doing quality work?
- Do I have a best friend at work?
- In the last six months, has someone at work talked to me about my progress?
- This last year, have I had the opportunity at work to learn and grow?

Data security presents a multi-dimensional challenge: complex environments that include a wide range of heterogeneous database management systems (DBMS), enterprise applications, and OS platforms with multiple access paths and permission levels have resulted in a seemingly endless array of security threats and violation scenarios. Traditional fortress approaches such as firewalls and IDS/IPS systems are no longer sufficient to protect against 21st-century attackers who can easily bypass perimeter defenses. These security measures can't differentiate or prevent traffic that appears to be legitimate.

Employees are becoming increasingly mobile. An IDC study states that the world mobile worker population will reach 1.3B, representing 37%+ of the total workforce, by [year]. These mobile workers are now accessing sensitive corporate data in a variety of places, from coffee shops to airports to the back seats of cabs, and from a variety of devices such as laptops, smart phones, tablets and so on. Of these devices, mobile phones and tablets (non-company issued) are brought in by employees, as organizations now allow employees to Bring Your Own Device (BYOD).

Some dominant security risks associated with people are given below.
- Network administrators overlooking security flaws in topology or hardware configuration
- Network administrators overlooking security flaws in operating system or application configuration
- Lack of proper documentation and communication of security policies
- Dishonest or disgruntled employees abusing their file and access rights
- An unusual computer or terminal being left logged into the network
- Users or administrators choosing easy-to-guess passwords
- Authorized staff leaving computer room doors open or unlocked
- Staff discarding disks or backup tapes in public waste containers
- Administrators neglecting to remove access files and rights for former employees
- Users leaving passwords out in open spaces

A Forrester Research report titled Market Overview: Database Security, 2011 estimates that currently only 20% of enterprises have an enterprise-wide database security strategy in place.

Perhaps half of all the damage caused to information systems comes from authorized personnel who are either untrained or incompetent. Another quarter or so of the damage seems to come from physical factors such as fire, water, and bad power. Maybe a fifth of the damage comes from dishonest and disgruntled employees. Computer viruses cause another few percent, and maybe about 5 or 10% of the damage is caused by external attack. Generally, security experts estimate that insiders, dishonest or disgruntled employees and contractors account for these security breaches.

It is interesting to note that 92 percent of security breaches are actually avoidable by deploying the strategies mentioned below.
- 42 percent of these incidents can be prevented using DAC (Data Access Control).
- Source data encryption can prevent another 28 percent of these compromises.
- Secure data backup can prevent another 32 percent of the occurrences.

The statistics given below are excerpted from a whitepaper titled EMPOWERING ENDPOINTS: Unifying Data Protection and Collaboration, Druva Inc.
- [figure missing]% of all corporate data resides on laptops.
- 17% of these laptops have unrecoverable data.
- Only 35% of the organizations have laptop backup solutions in place.
- Over 600,000 laptops are lost at US airports alone.
- Over 70% of the employees do not have a back-up plan before travel.
- In a recent study, Intel calculated that the average cost of a lost laptop is US$ 49,000, and over 80% of this cost is due to data breach.

/* Excerpt Ends */

Let Someone Break The Rules

Sometimes breaking a rule leads to better compliance:
- It creates an opportunity for an individual to practice autonomy, on the condition that they live with the consequences.
- This allows an individual to be recognized and to feel respected.
- The experience creates a unique, shared context to discuss the reason for the rule. Generally this leads to a better understanding of the rule; sometimes, it actually creates a better understanding of why the rule needs to change.
- It creates a better bond between people; individuals get closer to the consequences of their actions, and everyone improves their relationship.

To make this work:
- Select the 'right' rule to break: find something that is not likely to cause damage while allowing individuals to get the experience necessary to understand the outcome (the consequences of their actions).
- Make it a special event (and not a routine): acknowledge that they get a shot to break a rule because they are respected, but that it comes with conditions (some structure).
- Engage in a conversation, not a lecture; learn from their experience and use it as a basis to reach a common understanding on the purpose of the rule.

This is a simple way to increase contextual understanding of the purpose of the rule in the first place. With better understanding comes better compliance.

Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process. These include:
- Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
- Factor Analysis of Information Risk (FAIR)
- The National Institute of Standards and Technology's (NIST) Risk Management Framework (RMF)
- Threat Agent Risk Assessment (TARA)

Every framework has a clear scope, advantages and disadvantages. NIST RMF (National Institute of Standards and Technology's Risk Management Framework) outlines a series of activities related to managing organizational risk. These can be applied to both new and legacy information systems, according to the NIST. The activities include:
- Categorizing information systems and the information within those systems based on impact.
- Selecting an initial set of security controls for the systems based on the Federal Information Processing Standards (FIPS) 199 security categorization and the minimum security requirements defined in FIPS 200.
- Implementing security controls in the systems.
- Assessing the security controls using appropriate methods and procedures to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcomes with respect to meeting security requirements for the system.
- Authorizing information systems operation based on a determination of the risk to organizational operations and assets, or to individuals, resulting from the operation of the systems, and the decision that this risk is acceptable.
- Monitoring and assessing selected security controls in information systems on a continuous basis, including documenting changes to the systems, conducting security-impact analyses of the associated changes, and reporting the security status of the systems to appropriate organizational officials on a regular basis.
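The first two RMF activities above, categorizing a system by impact and selecting the initial control baseline from the FIPS 199 categorization and the FIPS 200 minimum requirements, reduce to a small, mechanical computation that is worth seeing end to end: each information type a system handles gets an impact rating (LOW, MODERATE or HIGH) for confidentiality, integrity and availability; the system's rating per objective is the highest rating among its information types; and the FIPS 200 "high-water mark" across the three objectives decides which SP 800-53 baseline to start from. The Python below is an added example, not code from the article or from NIST. The HR portal, the public site, their information types and their impact ratings are constructed for illustration; the one edge case it handles, NOT_APPLICABLE for the confidentiality of public information, is permitted by FIPS 199 only at the information-type level, which is why the system-level result is floored at LOW.

```python
"""FIPS 199 security categorization and the FIPS 200 high-water mark, i.e. the
'categorize' and 'select' steps of the NIST RMF as listed in the article.
Added illustrative code, not from the article or from NIST; the sample systems,
their information types and their impact ratings are constructed."""

from dataclasses import dataclass

# Potential impact values in ascending order. NOT_APPLICABLE is allowed by
# FIPS 199 only for the confidentiality of an information type (public data).
LEVELS = ("NOT_APPLICABLE", "LOW", "MODERATE", "HIGH")
RANK = {level: i for i, level in enumerate(LEVELS)}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# SP 800-53 baseline selected for each overall impact level (FIPS 200 minimums).
BASELINES = {"LOW": "low baseline", "MODERATE": "moderate baseline", "HIGH": "high baseline"}


@dataclass(frozen=True)
class InfoType:
    """One information type and its three FIPS 199 impact ratings."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _validated(objective, level):
    """Reject unknown levels and NOT_APPLICABLE outside confidentiality."""
    if level not in RANK:
        raise ValueError(f"{objective}: impact must be one of {LEVELS}, got {level!r}")
    if level == "NOT_APPLICABLE" and objective != "confidentiality":
        raise ValueError(f"{objective}: NOT_APPLICABLE is permitted only for confidentiality")
    return level


def categorize_system(info_types):
    """System-level category: for each objective, the highest rating among all
    information types the system handles, floored at LOW because FIPS 199 does
    not allow NOT_APPLICABLE at the system level."""
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    category = {}
    for objective in OBJECTIVES:
        highest = max((_validated(objective, getattr(t, objective)) for t in info_types),
                      key=RANK.__getitem__)
        category[objective] = highest if RANK[highest] >= RANK["LOW"] else "LOW"
    return category


def overall_impact(category):
    """High-water mark across the three objectives (FIPS 200)."""
    return max(category.values(), key=RANK.__getitem__)


def select_baseline(category):
    """Initial control baseline implied by the overall impact level."""
    return BASELINES[overall_impact(category)]


def fips199_notation(category):
    """Render the category in the SC = {...} form used by FIPS 199."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return "SC = {" + pairs + "}"


# Constructed sample: a hypothetical HR portal handling three information types.
HR_PORTAL = [
    InfoType("employee payroll records", "MODERATE", "MODERATE", "LOW"),
    InfoType("public job postings", "NOT_APPLICABLE", "LOW", "LOW"),
    InfoType("emergency contact roster", "LOW", "LOW", "MODERATE"),
]

# Constructed sample: a hypothetical public web site carrying only public data.
PUBLIC_SITE = [InfoType("press releases", "NOT_APPLICABLE", "LOW", "LOW")]


if __name__ == "__main__":
    for label, system in (("HR portal", HR_PORTAL), ("public site", PUBLIC_SITE)):
        cat = categorize_system(system)
        print(f"{label}: {fips199_notation(cat)} -> overall {overall_impact(cat)}, "
              f"select the {select_baseline(cat)}")
```

Run as a script, the HR portal comes out MODERATE on all three objectives (no single information type is MODERATE everywhere, which is exactly what the per-objective maximum captures), so the moderate baseline is the starting point; the public site is floored to LOW on confidentiality and lands on the low baseline. Raising the ratings of one information type, or adding a new one, and re-running shows how a single high-impact data set drives the whole system's baseline.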
Excerpted below are some useful pointers from the whitepaper titled Symantec Data Loss Prevention - Information Security and Employee Communication Best Practices. Some tips for engaging employees include:
- Explain the damages that could be inflicted on the Company (financial and reputation costs) and how that can impact employees in return (e.g., Company profitability impacting personal bonus).
- Draw their attention to the personal benefits, such as ensuring proper security of their work products and instilling confidence in their customers. Let them know that this impacts their personal information as well as customer information.
- Keep in mind the different ways that people learn. Some are visual learners; written materials or looking at diagrams and illustrations will work well for them. Others need to hear the policies explained to them. Others need more interactive training, incorporating examples that they might encounter and questions and answers on how they might handle the situation. Take these differences into account when communicating with your employees and be sure to present the information in ways that will appeal to people with varying learning styles and levels of knowledge and understanding.
- In addition to discussing policies, provide employees with quick reference materials presenting common mistakes and common steps to take to improve information security.
- Issue periodic reminders with an interesting way of understanding the points outlined in the security policy and to communicate Frequently Asked Questions (FAQs).

What are some common mistakes in information security?
- Failing to maintain a written policy setting the expectation of limited privacy in the workplace, as well as communicating potential corrective action and consequences of policy violation
- Failing to clearly communicate that policy to all employees; failing to properly train new employees on the policies
- Leaving loopholes as to what is prohibited
- Failing to consider the impact that policy violation conduct has/can have on the workplace
- Failing to ensure that employee communications monitoring is based on legitimate needs and limited in scope to achieve those needs.