The Official (ISC)2 SSCP CBK Reference. Mike Wills


use these codes of ethics to guide the efforts of their employees, team members, and associates; in many cases, these codes can be the basis of decisions to admonish, discipline, or terminate their relationship with an employee. In most cases, organizational codes of ethics are also extended to the partners, customers, or clients that the organization chooses to do business with. Sometimes expressed as values or statements of principles, these codes of ethics may be in written form, established as policy directives upon all who work there; sometimes, they are implicitly or tacitly understood as part of the organizational culture or shaped and driven by key personalities in the organization. But just because they aren't written down doesn't mean that an ethical code or framework for that organization doesn't exist.

      Fundamentally, these codes of ethics have the capacity to balance the conflicting needs of law and regulation with the bottom-line pressure to survive and flourish as an organization. This is the real purpose of an organizational ethical code. Unfortunately, many organizations let the balance go too far toward the bottom-line set of values and take shortcuts; they compromise their ethics, often end up compromising their legal or regulatory responsibilities, and end up applying their codes of ethics loosely if at all. As a case in point, consider that risk management must include the dilemma that sometimes there are more laws and regulations than any business can possibly afford to comply with and they all conflict with each other in some way, shape, or form. What's a chief executive or a board of directors to do in such a circumstance?

      As the on-scene information security professional, you'll be the one who most likely has the first clear opportunity to look at an IT security posture, policy, control, or action, and challenge any aspects of it that you think might conflict with the organization's code of ethics, the (ISC)2 Code of Ethics, or your own personal and professional ethics.

      What does it mean to “keep information secure?” What is a good or adequate “security posture?” Let's take questions like these and operationalize them by looking for characteristics or attributes that measure, assess, or reveal the overall security state or condition of our information.

       Confidentiality: Limits are placed on who is allowed to view the information, including copying it to another form.

       Integrity: The information stays complete and correct when retrieved, displayed, or acted upon.

       Availability: The information is presented to the user in a timely manner when required and in a form and format that meets the user's needs.

       Authenticity: Only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information.

       Utility: The content of the information, its form and content, and its presentation or delivery to the user meet the user's needs.

       Possession or control: The information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement.

       Safety: The system and its information, by design, do not cause unauthorized harm or damage to others, their property, or their lives.

       Privacy: Information that attests to or relates to the identity of a person, or links specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems.

       Nonrepudiation: Users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so.

       Transparency: The information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good.
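The attributes above are defined in terms of what must be true of the information, not in terms of mechanism. The following Python script is an added illustration, not code from the book, that contrasts two of them in working code: a plain digest supports an integrity check but can be recomputed by whoever altered the data, whereas a keyed HMAC also supports authenticity because only a holder of the key can produce a tag that verifies. The invoice record, the tampering step and the per-run random key are all constructed for the example; real systems would manage the key outside the script.

```python
import hashlib
import hmac
import secrets

# Constructed sample record: the "information" whose attributes we examine.
RECORD = b"invoice=4711;amount=1250.00;payee=ACME Supplies"


def digest(data: bytes) -> str:
    """Integrity only: a SHA-256 digest detects accidental or careless change,
    but anyone able to rewrite the data can also rewrite the stored digest."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """Integrity plus authenticity: an HMAC tag can only be produced by a
    holder of `key`, so a verifying tag shows a trusted party produced it.
    Note: HMAC does not give nonrepudiation, because every verifier shares
    the same key and could therefore have produced the tag as well."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_digest(data: bytes, expected: str) -> bool:
    # compare_digest avoids timing differences that leak how many bytes matched.
    return hmac.compare_digest(digest(data), expected)


def verify_tag(key: bytes, data: bytes, expected: str) -> bool:
    return hmac.compare_digest(tag(key, data), expected)


def tamper(data: bytes) -> bytes:
    """Constructed modification: raise the invoice amount."""
    return data.replace(b"1250.00", b"9250.00")


def demo() -> dict:
    """Run the four checks and return which property each mechanism delivers."""
    key = secrets.token_bytes(32)        # constructed per-run secret
    stored_digest = digest(RECORD)
    stored_tag = tag(key, RECORD)
    altered = tamper(RECORD)

    return {
        # A digest does catch the change when compared to the original value...
        "digest_detects_change": not verify_digest(altered, stored_digest),
        # ...but an attacker who can rewrite the record can rewrite the digest too.
        "digest_recomputable_by_attacker": verify_digest(altered, digest(altered)),
        # The HMAC catches the change...
        "tag_detects_change": not verify_tag(key, altered, stored_tag),
        # ...and without the key the attacker cannot produce a tag that verifies.
        "tag_unforgeable_without_key": not verify_tag(
            key, altered, tag(secrets.token_bytes(32), altered)
        ),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'yes' if ok else 'no'}")
```

Run as written, every check reports "yes": the digest and the HMAC both reveal the altered amount, but only the HMAC resists an adversary who controls the stored data and its checksum. Authenticity in the list above therefore depends on a secret that the process creating the information holds and others do not, which is why the text says it levies requirements on every process that can create or change the information.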

      Note that these are characteristics of the information itself. Keeping information authentic, for example, levies requirements on all of the business processes and systems that could be used in creating or changing that information or changing anything about the information.

      All of these attributes boil down to one thing: decision assurance. How much can we trust that the decisions we're about to make are based on reliable, trustworthy information? How confident can we be that the competitive advantage of our trade secrets or the decisions we made in private are still unknown to our competitors or our adversaries? How much can we count on that decision being the right decision, in the legal, moral, or ethical sense of its being correct and in conformance with accepted standards?

      Another way to look at attributes like these is to ask about the quality of the information. Bad data—data that is incomplete, incorrect, not available, or otherwise untrustworthy—causes monumental losses to businesses around the world; an IBM study reported that in 2017 those losses exceeded $3.1 trillion, which may be more than the total losses to business and society due to information security failures. Paying better attention to a number of those attributes would dramatically improve the reliability and integrity of information used by any organization; as a result, a growing number of information security practitioners are focusing on data quality as something they can contribute to.

      Conceptual Models for Information Security

      There are any number of frameworks, often represented by their acronyms, which are used throughout the world to talk about information security. All are useful, but some are more useful than others.

       The CIA triad (sometimes written as CIA) combines confidentiality, integrity, and availability and dates from work being done in the 1960s to develop theoretical models for information systems security and then implement those technologies into operating systems, applications programs, and communications and network systems.

       CIANA combines confidentiality, integrity, availability, nonrepudiation, and authentication. The greater emphasis on nonrepudiation and authentication provides a much stronger foundation for both criminal and civil law to be able to ascertain what actions were taken, by whom, and when, in the context of an incident, dispute, or conflicting claims of ownership or authorship.

       CIANA+PS expands CIANA to include privacy and safety. Cyberattacks in the Ukraine since 2014 and throughout the world from 2017 to present highlight the need for far more robust operational technology (OT) safety and resiliency. At the same time, regulators and legislators continue to raise the standards for protecting privacy-related data about individuals, with over 140 countries having privacy data protection laws in effect.

       The Parkerian hexad includes confidentiality, integrity, availability, authenticity, utility, and possession
