IT Security within the Overall Context of Security and Fraud

Disclaimer: the following text does not necessarily reflect the ideas of the author, but is merely intended to be a summary of a lecture at Royal Holloway University of London, as indicated in the title. Moreover, interpretations can be incomplete or even incorrect and the author cannot be held responsible for misjudgements from his side.

Neil Churcher, RHU, Information Security Group, 23 Oct. 1997
Text by Filip Schepers
The objective of the following text is to place IT security in a more general context of crime and fraud. It is a summary of the presentation given by Neil Churcher at Royal Holloway. After a short word on crime in general we will look at IT security, its threats, the possible losses and solutions to the problems discussed. The entire discussion is heavily oriented towards the banking sector.
Different types of fraud can be distinguished, varying from investment fraud or lending fraud to insurance fraud, banking fraud or current account fraud. These can affect an organisation's branches as well as its head office, within the UK as well as abroad. This means that different regulations may be in effect according to the location where fraud is committed or observed. One type of fraud that is considered in more depth is computer fraud. Preventing computer fraud is part of an overall IT security concern, whose main aims are to protect the staff, secure an organisation's assets, protect its customers and prevent loss through crime. The underlying idea of setting up a security system is that you cannot stop crime. What you can do is make it more difficult, try to foresee the possible loss and consequently try to minimise the risk of crime. The types of crime an organisation could be faced with range from different forms of theft (robbery, burglary) to deception, forgery or kidnapping, or they can be computer related. People responsible for IT security can deal either with IT fraud, i.e. computer-related fraud, or with IT security in the narrower sense, meaning that they set up policies and procedures.
The number of cases of IT fraud reported in the banking sector is growing rapidly, reaching about 23,000 incidents by the end of 1995. The measures to detect and cope with fraud are, however, also evolving, and information systems are part of that evolution. The use of database systems, knowledge-based systems or neural networks, for instance, speeds up the process of tracking down stolen credit cards. Systems can be (and are) built to detect typical fraud behaviour by analysing expenditure records with batch processing techniques and looking for unusual patterns.
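The batch screen described above, as an added example that is not part of the lecture or of this summary: it builds a per-card spending baseline from past expenditure records and then flags records in a new batch that are far above the cardholder's usual amount, or that appear in another country within a short time of the previous transaction on the same card. All records, thresholds and the two pattern rules are constructed for the illustration; a real system would have many more rules and tuned thresholds.

```python
"""Batch analysis of card expenditure records for unusual patterns (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    card: str
    when: datetime
    amount: float
    country: str


# Constructed historical records: the baseline period for each card.
HISTORY = [
    Txn("card-1", datetime(1997, 10, 1, 9, 0), 20.0, "UK"),
    Txn("card-1", datetime(1997, 10, 2, 9, 0), 25.0, "UK"),
    Txn("card-1", datetime(1997, 10, 3, 9, 0), 30.0, "UK"),
    Txn("card-1", datetime(1997, 10, 4, 9, 0), 22.0, "UK"),
    Txn("card-2", datetime(1997, 10, 1, 9, 0), 500.0, "UK"),
    Txn("card-2", datetime(1997, 10, 2, 9, 0), 450.0, "UK"),
    Txn("card-2", datetime(1997, 10, 3, 9, 0), 550.0, "UK"),
]

# Constructed records for the batch under review.
BATCH = [
    Txn("card-1", datetime(1997, 10, 20, 10, 0), 24.0, "UK"),    # normal
    Txn("card-1", datetime(1997, 10, 20, 11, 0), 900.0, "UK"),   # far above baseline
    Txn("card-2", datetime(1997, 10, 20, 10, 0), 480.0, "UK"),   # normal
    Txn("card-2", datetime(1997, 10, 20, 10, 30), 470.0, "FR"),  # other country 30 min later
]


def build_baselines(history):
    """Per-card (mean, population std dev) of past amounts."""
    by_card = {}
    for t in history:
        by_card.setdefault(t.card, []).append(t.amount)
    return {c: (mean(a), pstdev(a)) for c, a in by_card.items()}


def flag_amount_outliers(batch, baselines, z=3.0, floor=10.0):
    """Flag amounts above mean + z * spread for the card.

    The floor on the spread stops a card with an almost constant history
    from flagging every small deviation.
    """
    flagged = []
    for t in batch:
        if t.card not in baselines:
            continue  # unknown card: nothing to compare against
        m, sd = baselines[t.card]
        if t.amount > m + z * max(sd, floor):
            flagged.append(t)
    return flagged


def flag_velocity(batch, window=timedelta(hours=2)):
    """Flag a transaction in a different country than the previous one on
    the same card when the two are closer together than `window`."""
    flagged = []
    by_card = {}
    for t in batch:
        by_card.setdefault(t.card, []).append(t)
    for txns in by_card.values():
        txns.sort(key=lambda t: t.when)
        for prev, cur in zip(txns, txns[1:]):
            if cur.country != prev.country and cur.when - prev.when < window:
                flagged.append(cur)
    return flagged


def screen(batch, history):
    """Run both rules over the batch; returns {transaction: [reasons]}."""
    baselines = build_baselines(history)
    reasons = {}
    for t in flag_amount_outliers(batch, baselines):
        reasons.setdefault(t, []).append("amount far above cardholder baseline")
    for t in flag_velocity(batch):
        reasons.setdefault(t, []).append("country change within short time window")
    return reasons


if __name__ == "__main__":
    for t, why in screen(BATCH, HISTORY).items():
        print(f"{t.card} {t.when:%Y-%m-%d %H:%M} {t.amount:8.2f} {t.country}: {'; '.join(why)}")
```

Running the block flags two of the four batch records: the 900.00 purchase on card-1 (its baseline mean is about 24) and the French transaction on card-2 made half an hour after a UK one. The per-card baseline matters: 480.00 on card-2 is normal for that card and is left alone, which a single global threshold would not get right.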
An organisation can also be confronted with a number of unpleasant incidents that IT security has to deal with, for instance the destruction of systems, either physical or logical. An example of logical destruction is the so-called time-bomb: malicious software that changes data or makes systems inaccessible if certain conditions haven't been met for a particular period of time. Another form of attack that can heavily harm one's reputation is the unwanted alteration of information published on the Internet. In general, alterations of data often remain undetected for long periods of time, which introduces specific problems of restoring the system to a coherent state.
The fact that a growing number of people become acquainted with computers and information systems has a double effect. More and more organisations rely on IT and become dependent on it. On the other hand, more and more people are capable of spotting weaknesses in these systems. Successful attacks can therefore have a larger impact than before, while they are more likely to happen than, for instance, 20 years ago. As already mentioned in previous papers, losses due to security weaknesses can be direct as well as indirect, where the latter are in general the more important ones.
It is interesting to note that in some cases the cost of introducing new and more secure techniques does not guarantee lower loss. The introduction of smartcards instead of magnetic cards for banking purposes, for instance, could make abuse much more difficult. The problem, however, is that fraud would probably move abroad, making it more difficult to trace.
How can problems with IT security or fraud be addressed? One step towards a solution is acknowledging that the problem exists. Again, as mentioned in previous papers, this means that managers have to be made aware of the threats and possible losses, as well as of the things that can be done about them. The best approach appears to be to lay down a short security policy that is easy to understand for people who do not know about IT. The next step is to make sure everybody throughout the company knows about it, and to let managers sign self-certifications saying that they have implemented the policy. This implies an acknowledgement of responsibility. Furthermore, a policy should address elements such as data ownership, classification of data and various standards and procedures. In general, the people in charge of operational aspects should be the owners of their data, not for example the head of department. Data that is crucial to the organisation should be ranked higher in the classification and secured accordingly. Standards and procedures cover questions such as "how must information be transferred", "how long should it be kept", "how should it be destroyed", etc. Special issues in security are the control of outside access (only allow dial-up on special request, according to the procedures), the control of trusted IT staff (use of non-erasable logs) and of trusted non-IT staff (split keys and distribute them over a number of persons).
A few final remarks can be made on the management aspects of IT security. Where should it be placed in the organisation structure? Line functions already have a lot to administer. Internal audit should control the working of the organisation and its people. External auditors may have little knowledge of the business and take only snapshots of the working of the organisation. The IT department may see security as a nuisance and as an extra cost. Therefore it seems to be good practice to set up a separate security department and ensure good communication between the different parties and departments involved. Of course, the department has to report to top management. This should be done in terms of tangible returns ("We saved 80% of the values under attack").
The purpose of this text was to try and place the concepts of IT security in an overall security framework, including the concepts of fraud and IT fraud. Different types of crime were highlighted, as were techniques that can be used to detect fraud. A discussion of security threats led us to a few remarks on the impact of growing reliance on information systems and of computer literacy, and its consequences for security systems. Finally, some attention was given to the management aspects of information security in general.
© Filip Schepers, Oct 1997 - Last updated 25/10/98