Industry View
How to Combat Five Network Security Compliance Risks
Atchison Frazer and Brian Dennis provide practical guidance for 'court-proof' security in areas of common corporate weakness.
By Atchison Frazer and Brian Dennis
Risk Three: Incomplete Cost-Benefit Analysis.
Areas of Loss: Formulas to calculate losses are built on models that often do not include: cost of lost IP; market value of lost or stolen information; cost of fixing an unsecured area after an attack; productivity losses; costs of becoming a greater insurance risk; and loss of brand equity and corporate reputation.
Risk Four: Areas where corporations are not 'Court-Proof Secure.'
a. Due Diligence: Under SEC regulations, due diligence is closely akin to the legal responsibility of the Duty of Care and Duty of Loyalty standards to which the boards of directors, officers, CEOs and CFOs are held in the corporate charter. Corporations must create defensible audit trails that include logging of IP, malicious attacks, and unauthorized access to another IP address.
b. Third Party Locations (extranets): Third party responsibility has been a hotly contested area especially for web-hosted services that provide online applications. Tort law cases have indicated a duty to provide security for a company’s remote employee and contractor use to avoid downstream liability. Existing case law establishes that, in order to prevent lawsuits for insider espionage, a company must meet secured operations standards, which include setting corporate and network policies even for contractors and short-term employees.
c. Hardened VPN Services: Generic VPNs may not protect against an attempted hack into an encrypted tunnel, or worse, prevent the propagation of an agent that plants a time-released intrusion on the network. One way to harden VPN communications is by establishing 'trusted zones' that are securely enabled by multiple layers of security from unified threat management appliances that combine firewall/VPN functionality with intrusion prevention and threat intelligence services.
Risk Five: There are limited layers of security for electronic correspondence between fiduciaries.
a. Higher standards clearly exist for fiduciaries. Bill Cook, one of the foremost experts in cyber security who prosecuted the first case under the often overlooked Computer Fraud and Abuse Act of 1986, says the courts are specific about the steps fiduciaries must take to avoid being considered "reckless" and potentially liable to criminal prosecution. This includes the recognition that something as simple as an email from a fiduciary to another employee is held to a higher standard of protection than an email sent from an individual who is not considered a fiduciary. Furthermore, any content that is transmitted from a fiduciary through the corporate network and other IT resources can be held to a higher standard than content from any employee without equivalent responsibilities.