Purpose

This special coverage examines the role of e-Security in the growing trend of using ICT (information and communication technology) for development. It explores electronic information security issues for national governments and national agencies, and examines ways for governments to assess and implement a cost-effective national e-Security strategy. This topic is important because, along with the great potential that ICT brings to allow for rapid transmission of indefinite quantities of information across great distances, it also brings an increased risk to the security of the information it carries.

Definition

E-security refers to the process of ensuring the confidentiality, integrity, and availability of electronic information and protecting it against malicious attackers who could use or alter the information to disrupt critical national infrastructure and industry.

Potential

In recent years, information technology has proven to be a critical tool in facilitating the near-instant delivery of information and in increasing the availability of information to billions of new organizations and users. As more and more organizations recognize the potential that ICT can bring, they have begun to use it to exchange increasingly important information, creating a need for an e-Security strategy to ensure that important information is protected from attackers.

There are several important factors to remember about e-Security strategy and information risk management. First, the function of e-Security is not to remove risk completely, but to assess what the acceptable level of risk is for an information system and work to bring the risk down to that level; risk cannot be completely eliminated, but it can be managed. Second, managing information risk is not a one-time process; it must be undertaken on a continuous basis, because information technology is constantly growing and changing, and organizations must adapt to ensure information security against malicious attackers who are also evolving with the technology. Third, it is inevitable that e-Security systems will be breached at some point.

In developing an e-Security strategy, it is important to create a balanced program that considers all organizational and technical levels: management, operational, and technical controls are all important. An organization must first classify its information assets and assess the potential impact of their loss, and then develop baseline security controls to ensure that a minimum level of security is in place for the information it assessed. Security controls must be continually tested, refined, and monitored. The cycle of categorizing risk and implementing controls must work on a continual basis as technology evolves and as new information becomes available within the system.

Several sets of minimum e-Security standards are already available which can be used in developing and implementing an e-Security strategy for federal governments. The ISO (International Organization for Standardization) has extensive e-Security standards which are used by governments and international organizations across the world, in particular ISO 27001, which is used by the World Bank. Additionally, the US National Institute of Standards and Technology has developed its own set of minimum security standards for federal agencies, which are available at http://csrc.nist.gov/sec-cert.

A legal framework that provides the foundation of a national e-Security strategy is an important element in protecting national information systems. Law that protects the integrity of electronic information and the transmission of electronic information is a fundamental component which allows e-Security policies to legally exist and which allows for enforcement in the event of a breach.

It is important to recognize national information technology infrastructure as a critical element of e-Security. In some cases, this infrastructure may be owned and managed by the private sector. If so, it is important to bring in private sector organizations to ensure that all internal e-Security measures are applied externally as well. This should be accompanied by oversight and frequent audits.

Limitations

The primary limitation of an e-Security strategy is the inevitability of breaches of security measures. There is always inherent risk in the transmission of electronic information, and the function of an e-Security strategy is to manage that risk so it exists at an acceptable level for a given set of information. As such, breaches will occur regardless of existing security measures, and it is the job of e-Security management to continually evaluate and refine the e-Security strategy to keep current with technology.

Case Studies

E-security strategy for Australian Government agencies:
http://www.agimo.gov.au/infrastructure/government

Overview of the Australian e-Security agenda for government information systems, national critical infrastructure, and personal and commercial information systems:
http://www.tisn.gov.au/agd/WWW/rwpattach.nsf/VAP/(930C12A9101F61D43493D44C70E84EAA)~ESNA+brochure.pdf/$file/ESNA+brochure.pdf

Overview of the British strategy for security of e-Government services, including legal frameworks supporting e-Security strategy, existing security standards, threats to e-government, and e-Security strategy for delivery of government e-services. Very extensive and detailed:
http://www.govtalk.gov.uk/documents/security_v4.pdf

Resources

Paper: “Managing Enterprise Risk in Today’s World of Sophisticated Threats: A Framework for Developing Broad-Based, Cost-Effective Information Security Programs”
http://csrc.nist.gov/groups/SMA/fisma/documents/rmf-sz.pdf

Presentation by NIST on e-Security strategy, challenges, and the roadmap ahead. Contains extensive information on strategies for managing risk, tips for strategy implementation, and multiple examples of potential weaknesses within organizational structure that threaten e-Security:
http://csrc.nist.gov/groups/SMA/fisma/documents/PPT/fisma.pdf

Resources from the National Institute of Standards and Technology (NIST) on US federal standards regarding categorization of information and information systems, minimum information security requirements, guidelines for developing security strategies for government information systems, and guidelines for managing information security risk. This is a trusted, useful site for this documentation, standards and software:
http://csrc.nist.gov/groups/SMA/fisma/library.html

E-security checklist for assessing the vulnerability of an organization’s information and information systems:
http://www.agimo.gov.au/infrastructure/government/checklist

Site run by the Australian government for home users and small businesses to assess e-Security risk and implement personal e-Security strategies:
http://www.staysmartonline.gov.au

The Computer Emergency Response Team Coordination Center's (CERT/CC) charter is to work with the Internet community to facilitate its response to computer security events involving Internet hosts, to take proactive steps to raise the community's awareness of computer security issues, and to conduct research into improving the security of existing systems. Their website contains an extensive collection of alerts about past (and current) security problems:
http://www.cert.org

The European Network and Information Security Agency has an interesting and relevant quarterly newsletter available from their website:
http://www.enisa.eu

The Internet Society sponsors many activities and events related to the Internet, including an annual symposium on network security:
http://www.isoc.org