Re: CRIME Computers vulnerable at Oregon department

From: esteban gutierrez (esteban@private)
Date: Tue Sep 24 2002 - 09:37:05 PDT


    Folks on the list have hit on most of the essential elements of getting 
    problems at an agency like Oregon Department of Human Services fixed.  
    Policies need to be put in place. Management "buy-in" or stronger and 
    more focused management leadership needs to be developed to make Infosec 
    a priority. Getting over the fears of the developers and/or production 
    folks to being "locked down" and kept from providing services and "doing 
    their work".
    
    The key element that hasn't been brought up is the role of the 
    information security professional in either the State government or at 
    the individual department position.  As professionals, we have to get 
    over the huge hump of being perceived as the people who say "No, you 
    can't do that". We're also seen as the people who jump to point out the 
    problems and deficiencies in an organization. Until we successfully 
    smash those concepts and help educate companies or organizations as 
    whole, we'll keep seeing articles such as these in the press. Indeed, 
    we'll keep seeing compromises that could have easily been averted by 
    adherence to simple practices.  I am not saying all problems would be 
    solved; we're just picking at low hanging fruit.
    
    Towards this end, the information security professional needs to develop 
    an understanding of how an organization's business works. They then need 
    to balance this understanding with the risks from both the technology 
    side and the business practice side. These risks and the steps needed to 
    mitigate them then need to be translated into pointy haired manager 
    speak and put into terms that are directly relevant to the business or 
    organization.  Developers need to be shown how their programs and 
    environments could work better and more securely with changes in their 
    development life cycles. Managers need to be shown the cost-benefit or 
    potential loss breakdowns of their security holes and shown Return on 
    Investment spreadsheets. The organizations' or companies' lawyers need to 
    be given an understanding of the risks. They'll put a fire under 
    someone's butt.
    
    Time and time again, I hear information security personnel get a bad 
    rap because we're seen as these roadblocks to doing business and getting 
    stuff done.  Unfortunately, the stuff I am talking about isn't the 
    glorious or sexy side of Infosec. It's not entirely the tech side or 
    investigative side. But it's a critical part of Infosec that I think a 
    lot of us are not giving enough thought.
    
    To this end, the information security community of Oregon has the 
    responsibility to educate the state leadership to bring about a shift in 
    their perceptions. We should, however, work on ourselves to become people 
    who help businesses, organizations, or non-profits to do their work 
    securely and not just people who lock stuff down and point out deficiencies.
    
    As an aside, perhaps the state government should create an information 
    security oversight tzar. Someone who would help drive Information 
    Security practice downwards from the top.
    
    -Esteban Gutierrez
    
    T. Kenji Sugahara wrote:
    
    > What's needed is buy-in from the Governor on down.  (e.g. a 
    > fundamental shift in thinking).
    >
    > Each agency head needs to understand the costs and benefits of 
    > security.  They need to be advised of the cost of computer insecurity.
    >
    > Risk management needs to be all over this issue.  Identity thieves 
    > have already been caught with copies of DMV records on CD.  What's 
    > next?  Each breach could cost the state millions with ensuing litigation.
    >
    > Would people on this list be willing to put their names on a piece of 
    > paper that says we need to make security a priority in Oregon government?
    



    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 10:31:46 PDT