Название: The Official (ISC)2 SSCP CBK Reference
Автор: Mike Wills
Издательство: John Wiley & Sons Limited
Жанр: Зарубежная компьютерная литература
isbn: 9781119874874
isbn:
Fundamentally, these codes of ethics have the capacity to balance the conflicting needs of law and regulation with the bottom-line pressure to survive and flourish as an organization. This is the real purpose of an organizational ethical code. Unfortunately, many organizations let the balance go too far toward the bottom-line set of values and take shortcuts; they compromise their ethics, often end up compromising their legal or regulatory responsibilities, and end up applying their codes of ethics loosely if at all. As a case in point, consider that risk management must include the dilemma that sometimes there are more laws and regulations than any business can possibly afford to comply with and they all conflict with each other in some way, shape, or form. What's a chief executive or a board of directors to do in such a circumstance?
It's actually quite easy to incorporate professional and personal ethics, along with the organization's own code of ethics, into every decision process you use. Strengths, weaknesses, opportunities, and threats (SWOT) analyses, for example, focus your attention on the strengths, weaknesses, opportunities, and threats that a situation or a problem presents; being true to one's ethics should be a strength in such a context, and if it starts to be seen as a weakness or a threat, that's a danger signal you must address or take to management and leadership. Cost/benefits analyses or decision trees present the same opportunity to include what sometimes is called the New York Times or the Guardian test: How would each possible decision look if it appeared as a headline on such newspapers of record? Closer to home, think about the responses you might get if you asked your parents, family, or closest friends for advice about such thorny problems—or their reactions if they heard about it via their social media channels. Make these thoughts a habit; that's part of the practice aspect of being a professional.
As the on-scene information security professional, you'll be the one who most likely has the first clear opportunity to look at an IT security posture, policy, control, or action, and challenge any aspects of it that you think might conflict with the organization's code of ethics, the (ISC)2 Code of Ethics, or your own personal and professional ethics.
UNDERSTAND SECURITY CONCEPTS
What does it mean to “keep information secure?” What is a good or adequate “security posture?” Let's take questions like these and operationalize them by looking for characteristics or attributes that measure, assess, or reveal the overall security state or condition of our information.
Confidentiality: Limits are placed on who is allowed to view the information, including copying it to another form.
Integrity: The information stays complete and correct when retrieved, displayed, or acted upon.
Availability: The information is presented to the user in a timely manner when required and in a form and format that meets the user's needs.
Authenticity: Only previously approved, known, and trusted users or processes have been able to create, modify, move, or copy the information.
Utility: The content of the information, its form and content, and its presentation or delivery to the user meet the user's needs.
Possession or control: The information is legally owned or held by a known, authorized user, such that the user has authority to exert control over its use, access, modification, or movement.
Safety: The system and its information, by design, do not cause unauthorized harm or damage to others, their property, or their lives.
Privacy: Information that attests to or relates to the identity of a person, or links specific activities to that identity, must be protected from being accessed, viewed, copied, modified, or otherwise used by unauthorized persons or systems.
Nonrepudiation: Users who created, used, viewed, or accessed the information, or shared it with others, cannot later deny that they did so.
Transparency: The information can be reviewed, audited, and made visible or shared with competent authorities for regulatory, legal, or other processes that serve the public good.
Note that these are characteristics of the information itself. Keeping information authentic, for example, levies requirements on all of the business processes and systems that could be used in creating or changing that information or changing anything about the information.
All of these attributes boil down to one thing: decision assurance. How much can we trust that the decisions we're about to make are based on reliable, trustworthy information? How confident can we be that the competitive advantage of our trade secrets or the decisions we made in private are still unknown to our competitors or our adversaries? How much can we count on that decision being the right decision, in the legal, moral, or ethical sense of its being correct and in conformance with accepted standards?
Another way to look at attributes like these is to ask about the quality of the information. Bad data—data that is incomplete, incorrect, not available, or otherwise untrustworthy—causes monumental losses to businesses around the world; an IBM study reported that in 2017 those losses exceeded $3.1 trillion, which may be more than the total losses to business and society due to information security failures. Paying better attention to a number of those attributes would dramatically improve the reliability and integrity of information used by any organization; as a result, a growing number of information security practitioners are focusing on data quality as something they can contribute to.
Conceptual Models for Information Security
There are any number of frameworks, often represented by their acronyms, which are used throughout the world to talk about information security. All are useful, but some are more useful than others.
The CIA triad (sometimes written as CIA) combines confidentiality, integrity, and availability and dates from work being done in the 1960s to develop theoretical models for information systems security and then implement those technologies into operating systems, applications programs, and communications and network systems.
CIANA combines confidentiality, integrity, availability, nonrepudiation, and authentication. The greater emphasis on nonrepudiation and authentication provides a much stronger foundation for both criminal and civil law to be able to ascertain what actions were taken, by whom, and when, in the context of an incident, dispute, or conflicting claims of ownership or authorship.
CIANA+PS expands CIANA to include privacy and safety. Cyberattacks in the Ukraine since 2014 and throughout the world from 2017 to present highlightthe need for far more robust operational technology (OT) safety and resiliency. At the same time, regulators and legislators continue to raise the standards for protecting privacy-related data about individuals, with over 140 countries having privacy data protection laws in effect.
The Parkerian hexad includes confidentiality, integrity, availability, authenticity, utility, and possession СКАЧАТЬ