End-User Computing Security Guidelines
Ron Hale
86-10-10

Payoff

Providing effective security in an end-user computing environment is a challenge. First, what is meant by security must be defined, and then the services that are required to meet management's expectations concerning security must be established. This article examines security within the context of an architecture based on quality.

Problems Addressed

This article examines security within the context of an architecture based on quality. To achieve quality, the elements of continuity, confidentiality, and integrity need to be provided.

Confidentiality as it relates to quality can be defined as access control. It includes an authorization process, authentication of users, a management capability, and auditability. This last element, auditability, extends beyond a traditional definition of the term to encompass the ability of management to detect unusual or unauthorized circumstances and actions and to trace events in an historical fashion.

Integrity, another element of quality, involves the usual components of validity and accuracy but also includes individual accountability. All information system security implementations need to achieve these components of quality in some fashion. In distributed and end-user computing environments, however, they may be difficult to implement.

The Current Security Environment

As end-user computing systems have advanced, many of the security and management issues have been addressed. A central administration capability and an effective level of access authorization and authentication generally exist for current systems that are connected to networks. In prior architectures, the network was only a transport mechanism. In many of the systems that are being designed and implemented today, however, the network is the system and provides many of the security services that had been available on the mainframe.
For example, many workstations now provide power-on passwords; storage capacity has expanded sufficiently so that workers are not required to maintain diskette files; and control over access to system functions and to data is protected not only through physical means but also through logical security, encryption, and other techniques.

Architectural Approaches to Information Protection

Although tools are becoming available (e.g., from hardware providers, security product developers, and network vendors) that can be used to solve many of the confidentiality and integrity problems common in end-user computing, the approach to implementing security is often not as straightforward as is common in centralized processing environments. The goals of worker empowerment, increased functionality and utility, and the ability of end-users to control their environment must be guarded. In many organizations, end-users have the political strength and independence to resist security efforts that are seen as restrictive or costly. In addition, networks, remote access, distributed data servers, Internet tools, and the other components that have become part of the end-user environment have made security a difficult task.

To address the complexity of end-user computing, an architectural approach is required. A security architecture is a way of designing and implementing security solutions so that control points are identified, the effectiveness of controls is ensured, and monitoring and reporting capabilities are provided. It also helps to ensure that an organization's security strategy and technical strategy are mutually supportive. The components of an information protection architecture include management, confidentiality and integrity controls, and continuity controls.

Management Structure

Perhaps the best and most expedient means of bringing security to the end-user platform is to develop an effective management structure.

Distributed Security Management

Because end-user computing is highly distributed, and because local personnel and managers are responsible for controlling the business environment where end-user solutions are implemented, it is appropriate that security and control responsibilities are also distributed. Centralized administration and management of security in a highly decentralized environment cannot work without a great deal of effort and a large staff.

When authority for managing security is distributed within the organization, management can expect a higher degree of voluntary compliance, in particular where adherence to security policies and procedures is included in personnel evaluation criteria. If distributed security responsibility is properly implemented, ensuring that the goals of the security program are consistent with the requirements and goals of the business unit is more likely to be successful.

Distributing security responsibilities may mean that traditional information protection roles need to be redefined. In many centralized security organizations, security specialists are responsible for implementing and managing access control. In a distributed end-user environment, this is not practical. There are too many systems and users for the security organization to manage access control. Even with the availability of network and other security tools, it may not be appropriate for security personnel to be responsible for access administration. In many distributed environments where advanced networks have been implemented, access controls may best be managed by network administrators. In a similar manner, server security, UNIX security, and any other system security may best be managed by personnel responsible for that environment.

With many technologies that are used in distributed and end-user computing environments, no special classes of administration are defined for security.
Administrators have access to root or operate at the operating system level with all rights and privileges. In such cases, it is not appropriate for security personnel to take an active role in managing access security. Their role should be more consultative in nature. They could also be involved with monitoring and risk management planning, which are potentially more beneficial to the organization and more in line with security management responsibilities.

Security Management Committee

Because security in end-user computing environments is distributive, greater acceptance of security policies and procedures can be expected if the organization as a whole is involved with defining the security environment. To achieve this, a security management committee can be created that represents some of the largest or most influential information technology users and technology groups. This committee, which reports to the security manager, should be responsible for recommending the security policy and for developing the procedures and standards that will be in force throughout the enterprise.

Representation on the committee by the internal audit department is often beneficial, and their support and insight can be important in developing an effective security management structure. However, consideration must be given to the control responsibilities of audit and the need to separate their responsibility for monitoring compliance with controls and for developing controls as part of the security committee. In some enterprises, this is not a major issue because internal audit takes a more consultative position. If maintaining the independence of audit is important, then audit can participate as an observer.

Senior Executive Support

The internal audit department traditionally had an advantage over the security organization because of its reporting relationship.
Internal auditors in most organizations report to senior executives, which enables them to discuss significant control concerns and to get management acceptance of actions that need to be taken to resolve issues. Security has traditionally reported to IS management and has not had the executive exposure unless there has been a security compromise or other incident.

In a distributed environment, it may be beneficial to have the security department and the security management committee report to a senior executive who will be a champion and who has sufficient authority within the enterprise to promote information protection as an important and necessary part of managing the business. Such a reporting relationship will also remove security from the purely technical environment of information systems and place it in a more business-focused environment.

Policy and Strategy

The ability to communicate security strategy and requirements is essential in an end-user computing environment. This communication generally takes the form of enterprisewide policy statements and is supported by procedures, standards, and guidelines that can be targeted to specific business functions, technology platforms, or information sources.

The Information Protection Policy Statement

An information protection policy statement should define management expectations for information protection, the responsibilities of individuals and groups for protecting information, and the organizational structure that will assist management in implementing protection approaches that are consistent with the business strategy. Because the statement will be widely distributed and is meant to clearly communicate management's and users' responsibilities, it should not take the form of a legal document. The effectiveness of the information protection policy depends in large part on its effective communication.