The Internet Security Alliance (isalliance.org) was formed in April 2001. The alliance is a collaborative endeavor of Carnegie Mellon University’s Software Engineering Institute (SEI); its CERT Coordination Center (CERT/CC); the Electronics Industries Alliance (EIA), a federation of trade groups; and other private and public member organizations and corporations. Its goal is to provide information sharing and leadership on information security and to represent its members before regulators.
On September 9, 2002, the alliance released results from a security survey conducted jointly with the National Association of Manufacturers (NAM) and RedSiren Technologies Inc. (Durkovich, 2002). The survey asked 227 information security specialists worldwide to compare their current attitudes toward information security with their attitudes prior to the 9/11 terrorist attacks. Overall, the results showed that the security specialists now view information security as more of an issue and see it as crucial to the survival of their organization or business. However, most answered that they still feel inadequately prepared to meet their current security challenges and, just as importantly, that they lack senior management commitment to address those challenges.
The following are some of the specific survey findings:
● 91 percent recognize the importance of information security.
● Most of the organizations reported at least one attack in the past year, with approximately 30 percent reporting more than six attacks.
● 48 percent said that the 9/11 attacks made them more concerned about information security, while 48 percent said there had been no change in their attitudes.
● 47 percent said that their organization had increased spending on information security since the attacks.
● 40 percent said that they had improved their physical security, electronic security, network security, and security policies since the attacks.
● 30 percent indicated that their companies are still inadequately prepared to deal with security attacks.
The Internet Security Alliance has identified 10 of the highest-priority and most frequently recommended practices necessary for implementing a successful security process. The practices encompass policy, process, people, and technology. They include (IS Alliance, 2002):
1. General management. Information security is a normal part of everyone’s responsibilities, managers and employees alike. Managers must ensure that there are adequate resources, that security policies are well defined, and that the policies are reviewed regularly.
2. Policy. Security policies must address key areas such as security risk management, identification of critical assets, physical security, network security, authentication, vulnerability and incident management, privacy, and the like. Policies need to be embedded in standard procedures, practices, training, and architectures.
3. Risk management. The impacts of various risks need to be identified and quantified. A management plan needs to be developed to mitigate those risks with the greatest impact. The plan needs to be reviewed on a regular basis.
4. Security architecture and design. An enterprise-wide security architecture is required to protect critical information assets. High-risk areas (e.g., power supplies) should employ diverse and redundant solutions.
5. User issues. The user community includes general employees, IT staff, partners, suppliers, vendors, and other parties who have access to critical information systems.
6. System and network management. The key lines of defense include access control for all network devices and data, encrypted communications and VPNs where required, and perimeter protection (e.g., firewalls) based on security policies. Software, files, and directories on the network should be verified against a known-good baseline on a regular basis. Procedures and mechanisms must be put in place to ensure that software patches are applied to correct existing problems; that adequate levels of system logging are deployed; that system changes are analyzed from a security perspective; and that vulnerability assessments are performed periodically. Software and data must also be backed up on a regular schedule.
7. Authentication and authorization. Strict policies must be formulated and implemented for authenticating and authorizing network access. Special attention must be given to those employees accessing the network from home and on the road and to partners, contractors, and services who are accessing the network remotely.
8. Monitor and audit. Security-breaching events and changing conditions must be monitored, and the network must be inspected on a regular basis. Standards should be in place for responding to suspicious or unusual behavior.
9. Physical security. Physical access to key information assets, IT services, and resources should be controlled by two-factor authentication.
10. Continuity planning and disaster recovery. Business continuity and recovery plans need to be implemented and periodically tested to ensure that they are effective.
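Practice 6 above calls for verifying the software, files, and directories on the network on a regular basis. The following is an added example of how that check is commonly implemented in practice (it is not code from the Internet Security Alliance or from the survey): record a baseline of cryptographic hashes, sizes, and permission bits for every file under a directory tree, then compare the live tree against the baseline and report what was added, removed, or modified. The directory layout and file contents in `demo()` are constructed for illustration only.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk the tree and record hash, permission bits, and size per regular file.

    Symlinks are skipped so that an attacker cannot satisfy the check by pointing
    a link at a file whose contents happen to match the baseline.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            st = path.stat()
            baseline[rel] = {
                "sha256": file_digest(path),
                "mode": st.st_mode & 0o777,  # permission bits only
                "size": st.st_size,
            }
    return baseline


def compare_baseline(baseline, root):
    """Return the files that were added, removed, or changed since the baseline."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in baseline if p in current and baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed sample tree, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"#!/bin/sh\necho ok\n")
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")

        baseline = build_baseline(root)

        # Simulated tampering: one config edited, one binary replaced by another.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "tool").unlink()
        (root / "bin" / "backdoor").write_bytes(b"#!/bin/sh\nnc -l 4444\n")

        return compare_baseline(baseline, root)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline is generated from a freshly patched, trusted system and stored where the monitored host cannot alter it (offline or signed), and the comparison is scheduled to run regularly and to raise an alert on any difference; a baseline that lives writable on the same host gives an intruder the chance to re-baseline after modifying files.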
Questions for Minicase 2
1. Why does the Internet Security Alliance include both private and public members?
2. What is the mission of the Alliance?
3. Why is it beneficial to prioritize issues?
4. How would you justify the existence of the Alliance? Who should pay its costs?