Undercover
Undercover: A Case of Help Desk Failure
How a lack of coordination between departments at a large bank opened up a big security hole, and what we did about it.
By Anonymous
"We are not here to cast blame," I said. "We are simply looking to see which controls need improvement, and I think that the process to verify users can be improved, don't you?"
In Joe's case, the opportunity to improve was noted and later acted upon by the enterprise.
A complete new process involving IT security assistance was introduced to the help desk, and refresher courses are now an annual mandate.
A similar problem exists when IT people say, "Well, access control is not my problem."
They may be following organizational guidelines, but not organizational best ideas. An example can be seen in the CISSP exam's required body of knowledge.
The 10 principles of the basic CISSP body of knowledge are:
- 1. Access control;
- 2. Application security;
- 3. Business continuity and disaster recovery planning;
- 4. Cryptography;
- 5. Information security and risk management;
- 6. Legal, regulations, compliance and investigations;
- 7. Operations security;
- 8. Physical (environmental) security;
- 9. Security architecture and design; and
- 10. Telecommunications and network security.
Notice that item three is not "data center continuity," and that item eight is not "firewall security." What good would 100-percent recovery of our entire computer systems and information be if we had no place to recover them to?
What good will a great backup program do if the employees (i.e., users) are not there to access it?
Similarly, what good is a firewall if, by walking past one door or bypassing one receptionist, a person with bad intent has reached the keyboard, or has loaded the server onto a truck? How is that "protecting the information?"
For our profession to continue existing, we must evolve.
Caring about firewalls and antivirus, for example, is an analyst's responsibility, and in a large company, it's a manager's responsibility. To earn the "C" or the "O" and to continue to enjoy a seat at the table, information security professionals must become business people.
In many companies today, and perhaps in no small part due to the global recession, we see the security function being pushed down in the enterprise:
from the vice-president level to a director, and from a director to a manager. This trend reflects business realities.
We must metamorphose and trade our traditional IT focus and lingo into organizational (read: business) vision.
Business does not "care" about IT. Business cares about risk and opportunity.
Similar to how CIOs do not want to be seen as a utility (they would rather be seen as a strategic asset), security professionals ought to want to be seen as risk mitigators.
To ensure our survival and justify our salaries, we should look at organizational processes and not focus on IT functions.