Comments on: Our Polymorphic Fluid Field of Information Security http://www.bloginfosec.com/2008/03/27/why-information-security-cannot-draw-its-line-in-the-sand/ An Information Security Magazine in a Blog Format Mon, 30 Jan 2012 11:01:25 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Ashish http://www.bloginfosec.com/2008/03/27/why-information-security-cannot-draw-its-line-in-the-sand/comment-page-1/#comment-1290 Ashish Fri, 28 Mar 2008 06:32:14 +0000 http://www.bloginfosec.com/2008/03/27/why-information-security-cannot-draw-its-line-in-the-sand/#comment-1290 Very interesting! In fact there is another angle to address this issue and every organization should enable its employees in that regard. Let me explain by bringing in another triad...JAR. The JAR triad, if I run it backwards, is Responsibility, Accountability and who's Job is it anyway? In the matrix organization structures we live in today, when it comes to information security for enterprises, no single function can be held liable. It has to be a joint effort from people who what information security and people who enable it. The senior members of business are the ones who know the criticality of keeping information confidential and they should be responsible for identifying what information needs "protection". Having done that, it is the job of InfoSec team to ensure that adequate enablers are provided for the business team to exercise this protection. Both go hand-in-hand. If the business fails to identify what needs protection, no amount of enablement will help. At the same time, "categorization" of information for security by business has no meaning if IS has not provided security frameworks. Also, sometimes the roles reverse, where in its the InfoSec that identifies what needs to be protected, and the business enables it (by following processes etc). The real need of the hour is security frameworks that allow this enablement and role reversals. Security frameworks that provide full control on business critical information. In todays collaborative world, where sharing of information is taken for granted (within and outside of the organization), this control should be exercise-able on information regardless of where it is physically residing. Also, since business is dynamic, the security policies also should be dynamic, and new policies should be applicable to information even after it is distributed. All this also needs complete central administration and monitoring capabilities. In other words Information Rights Management needs to be applicable on distributed information, where by the "content" is distributed, but the "control" on its usage is held back. Very interesting! In fact there is another angle to address this issue and every organization should enable its employees in that regard. Let me explain by bringing in another triad…JAR. The JAR triad, if I run it backwards, is Responsibility, Accountability and who’s Job is it anyway? In the matrix organization structures we live in today, when it comes to information security for enterprises, no single function can be held liable. It has to be a joint effort from people who what information security and people who enable it. The senior members of business are the ones who know the criticality of keeping information confidential and they should be responsible for identifying what information needs “protection”. Having done that, it is the job of InfoSec team to ensure that adequate enablers are provided for the business team to exercise this protection. Both go hand-in-hand. If the business fails to identify what needs protection, no amount of enablement will help. At the same time, “categorization” of information for security by business has no meaning if IS has not provided security frameworks. Also, sometimes the roles reverse, where in its the InfoSec that identifies what needs to be protected, and the business enables it (by following processes etc).

The real need of the hour is security frameworks that allow this enablement and role reversals. Security frameworks that provide full control on business critical information. In todays collaborative world, where sharing of information is taken for granted (within and outside of the organization), this control should be exercise-able on information regardless of where it is physically residing. Also, since business is dynamic, the security policies also should be dynamic, and new policies should be applicable to information even after it is distributed. All this also needs complete central administration and monitoring capabilities. In other words Information Rights Management needs to be applicable on distributed information, where by the “content” is distributed, but the “control” on its usage is held back.

]]> By: Anish http://www.bloginfosec.com/2008/03/27/why-information-security-cannot-draw-its-line-in-the-sand/comment-page-1/#comment-1254 Anish Thu, 27 Mar 2008 19:20:11 +0000 http://www.bloginfosec.com/2008/03/27/why-information-security-cannot-draw-its-line-in-the-sand/#comment-1254 You are right, clear delegation of roles and responsibility is very much important in a security org. and these kind of CIO's can be found in plenty, it;s just that more strict compliance will take care of the stuff. for eq. one person can perform only one role within the org. -- Anish You are right, clear delegation of roles and responsibility is very much important in a security org. and these kind of CIO’s can be found in plenty, it;s just that more strict compliance will take care of the stuff. for eq. one person can perform only one role within the org.

– Anish

]]>