How you measure a CSO

1 2 3 Page 2
Page 2 of 3

But even as security threats continue to multiply, signs of a more touchable terrain are emerging in, of all places, Washington, D.C. A new initiative spearheaded by the National Capital Planning Commission is putting forth the almost treasonous idea that security and historic urban design can coexisteven complement one another. The commission's $878 million Urban Design and Security Plan focuses on restoring the beauty, grandeur and accessibility to areas such as the White House, the Washington Monument (see the diagram on this page) and the Federal Triangle, which all have been blighted by jersey barriers and bollards in the recent "siege-chic" approach to security. The plan solicits proposals for ways to build security into the landscape in subtle ways that still provide an obvious deterrent to a terrorist but become virtually invisible to the average visitor.

Similarly at the corporate level, CSOs can effect the same kind of change by providing security efficiently while not intruding on aesthetic masterpieces, such as The Genzyme Center, the biotech company's new headquarters in Cambridge, Mass.

There, a glassy design for the new headquarters provides Vice President and CSO Dave Kent with a huge security challenge: Keep intellectual property safe in a building that seems custom built for spying in from the outside.

Not surprising, meeting such a challenge starts with policy. Kent and his team are developing a clean-desk policy for employees to follow. But he's influenced the design of the building in other ways too. He has surveillance equipment built into support columns, saving money on the cost of retrofitting cameras. He helped design a lecture hall with good acoustics to eliminate the need for and vulnerability of wireless microphones. And he helped design a state-of-the-art, combined physical and IS operations center in the building. In fact, Kent's security plans have their own layer in the blueprints. Security doesn't get much more ingrained into the culture than that.

In both Washington and Cambridge, the lessons are as clear as the glass skin of The Genzyme Center: Security doesn't have to be ugly, obtrusive or blatant to be effective; and including a security expert early in the design (or in the case of Washington, D.C., redesign) process not only improves security, but it saves money too. And without an antiaircraft gun or jersey barrier in sight.

-Scott Berinato and Daintry DuffyGlossaryTerms your CSO is likely to use...when you finally invite him to the board meeting

Acceptable use policy What an employee can and can't do when using information resources. This policy may also disclose the employer's monitoring procedures. (If yours doesn't, it should.)

American Society for Industrial Security (ASIS) International A professional membership organization that provides security practitioners with programs and services to increase their productivity and effectiveness. ASIS has more than 33,000 members worldwide whose titles range from CSO and vice president of security to security manager and director.

Authentication A method of confirming a user's identity. Techniques typically rely on something the user knows (a password or PIN), something the user carries (a smart card or ATM card), or something the user has (in the form of a fingerprint, iris scan or set of facial features). The strongest authentication involves a combination of two or three of those elements.

Bandwidth The amount of data traffic a network can handle in a given period of time. High bandwidth means more data per second can be transported.

Biometrics The authentication of a user based on physical characteristics, such as a fingerprint, iris, face, voice or handwriting. The cost of biometric systems has been dropping and reliability is improving, but many analysts say the technology will not be ready for full-scale use before 2005.

Black intelligence Dirty work at the crossroads; information obtained through espionage.

Breach The unauthorized penetration of a system. A violation of controls of a particular information system, such that information assets or system components are unduly exposed.

Buffer Space reserved in a computer's memory in which an application stores data.

Buffer overflow Ten pounds of data in a five-pound bag. When an application sends more data to a buffer than the buffer is designed to hold, the overflow can cause a system crash or create a vulnerability that enables unauthorized system access (see Breach).

CERT Coordination Center The computer emergency response team coordination center is a federally funded research center at Carnegie Mellon University that focuses on technical issues related to Internet security. CERT/CC provides training, incident response guidance, R&D, threat advisories and more. Check out www.cert.org.

Certified information security manager (CISM) A relatively new certification recognizing skills in information risk management and technical security issues; geared toward managers who oversee enterprise information security at the conceptual level.

Certified information systems auditor (CISA) This certification indicates excellence in the areas of IS auditing, control and security. More than 30,000 people hold this widely recognized certification.

Certified information systems security professional (CISSP) The 800-pound gorilla of IS certification. To get it, you must pass an exam consisting of 250 multiple choice questions that cover such topics as access-control systems, cryptography and security management practices.

Chief information security officer (CISO) Presides over the digital side of security. A relatively new position in most organizations, the CISO is responsible for infosecurity strategy and practice, and often reports to the CIO or CTO.

Closed-circuit television (CCTV) A surveillance system in which signals are distributed via cables to a private network of monitors. CCTV is most often used for security surveillance in small, closed areas such as buildings or parking garages. But there are some extensive governmental CCTV networksin the United Kingdom, for exampleused for widely monitoring public spaces.

Computer Security Institute (CSI) An educational membership organization that offers conferences, training and networking opportunities to security professionals.

Cryptography The art and science of rendering plain text unintelligible and for converting encrypted messages into intelligible form.

Cyberinsurance Policies covering losses incurred online or within computers and information networks. Coverage targets areas neglected in traditional insurance.

Data encryption standard (DES) A cryptographic algorithm, now adopted by the National Institute of Standards and Technology, used to encipher and decipher data using a cryptographic key.

Denial-of-service (DOS) attacksA concerted attack in which a mail server, Web server or even telephone system is deliberately overwhelmed with phony requests so that it cannot respond properly to valid ones (see Distributed denial-of-service attacks).

Digital certificate The electronic equivalent of an ID card. Works in conjunction with public-key encryption to ensure the integrity of digital signatures. Certificates contain a user's name and other identifying data. They are issued by a certification authority, which vouches for their validity.

Digital signature An electronic signature considered to be reliable and secure. Uses public-key infrastructure (see PKI) to authenticate the sender and verify the information contained in transmitted documents.

Distributed denial-of-service (DDOS) attacks A DOS attack (see Denial-of-service attacks) in which attackers load their malignant code onto many servers. Distributed attacks cause more damage than attacks originating from a single machine because defense requires blocking dozens, even hundreds, of IP addresses.

Encryption The scheme by which communication is encoded. The best encryption is asymmetric, based on two keysone private to the individual and the other public and widely shared. (Morse code is an example of symmetric encryption, since the same scheme is used both to code and decode.) In asymmetric encryption, many users can have the same public key without violating the security of the private key.

False negative The failure of a system to recognize an intrusive action.

False positive The erroneous classification of an action as anomalous (a possible intrusion) when it is, in fact, legitimate and benign.

Firewall Your enterprise's demilitarized zone, consisting of hardware and software components; it enforces a boundary between two or more networks by limiting access in accordance with local security policy. A typical firewall is an inexpensive PC that is kept clean of critical data with many modems and public network ports on it, but just one carefully monitored connection back to the critical data it protects.

Freedom of Information Act (FOIA) Legislation passed to ensure that the public gets access to certain government information. FOIA creates procedures enabling citizens to petition federal departments or agencies by describing specific information they believe the agency has on file, and to request photocopies of those files.

Gateway A device that can isolate and control the flow of information between a computer system and authenticated users on networks connected to the system. Based on a user's profile, the gateway regulates his access to various network destinations.

Gramm-Leach-Bliley Act Legislation that restricts the ways in which financial institutions can share private consumer data with nonaffiliated third parties. In addition, companies with significant involvement in finance must alert customers about their information-sharing policies and practices and obtain consent to share their data.

Health Insurance Portability and Accountability Act (HIPAA) Regulations designed to protect patients' privacy rights. Provisions require doctors, hospitals, insurance companies and pharmacies to obtain written consent from patients before disclosing medical information to anyone for any reason; document any access to that data; hire a full-time privacy officer; and give patients access to their own data, including the ability to make corrections.

Honeypots Unpatched default systems whose goal is to attract and log the probes and attacks of malicious hackers and crackers. While they do not protect the network, honeypots can glean data about "black hat" behavior and help identify potential system weaknesses. Honeypots can also help in postattack forensic analysis.

Information security The protection of information against unauthorized disclosure, transfer, modification or destruction, whether accidental or intentional; a system of administrative policies and procedures for identifying, controlling and protecting information.

Information security director The person responsible for protecting information, often accountable directly to the CIO. She generally has global responsibilities for policy development, compliance, investigations and information protection.

Information Sharing and Analysis Center (ISAC) A number of industry-specific groups (in financial services, energy, telecom and transportation, among other sectors) formed to give critical infrastructure companies a forum for information-sharing about security threats and vulnerabilities.

InfraGard Public and private information-sharing effort led by the FBI with local chapters across the United States.

International Information Systems Security Certification Consortium (ISC2) International, nonprofit organization dedicated to developing training, certification exams and a common body of information security knowledge.

International Security Management Association (ISMA) Security organization that represents CSOs from more than 300 of the largest global corporations.

Intrusion detection system (IDS) Security software that identifies and records all attempts to compromise a networkfor example, someone scanning server ports or making repeated attempts to log in using random passwords.

ISO 17799 A set of information security management standards created by the International Organization for Standardization. When is a standard not a standard? Because ISO 17799 provisions function more like voluntary guidelines, companies cannot be certified against its provisions. Still, they are the most widely recognized international security standards.

Layered security A physical security approach that requires a criminal to penetrate or overcome a series of security layers before reaching a target. The layers might be perimeter barriers; building or area protection with locks, CCTV and guards; and point-and-trap protection using safes, vaults and sensors.

Malicious code Software that appears to perform a useful or desirable function but actually gains unauthorized access to systems resources, or tricks a user into causing other malicious code to execute.

Overt surveillance Letting the bad guys know you're there. This tactic is usually applied in high crime areas as a means for discouraging criminal behavior. (Among the attributed effects of widespread CCTV use in the United Kingdom is citizens' awareness in public that they are often being watched.)

Password sniffing Passive wiretapping, usually on a local area network, to gain knowledge of passwords.

Patch A small update released by a software manufacturer to fix known vulnerabilities (bugs) in existing programs.

Penetration testing Also called pen testing, this probes the perimeter of a network or facility, looking for its weaknesses.

Physical security The part of security concerned with physical measures designed to safeguard personnel; prevent unauthorized access to equipment, installations, material and documents; and safeguard them against espionage, sabotage, damage and theft.

Privacy Something people used to care a lot aboutwhich is a good thing, since there's less and less of it left. Depending on the agency and the day of the week, the federal government oscillates crazily between, on the one hand, ordering you to provide privacy for customers and transactions and, on the other hand, petitioning Congress and the courts to ratify plans to violate it evermore aggressively. Privacy has clearly seen better days.

1 2 3 Page 2
Page 2 of 3
The 10 most powerful cybersecurity companies