Informal Workshop on IT Security Management
An informal Workshop on IT Security Management was organised by OECD and held on 19-20 April 2001 in Paris at OECD headquarters. IT security management is a particularly relevant topic in view of the growing reliance of the OECD and Member country administrations on the Internet for email and many other information services, and the significant and increasing risk of exposure to external computer threats - on data integrity, information availability and privacy, and overall network security.
There were over sixty participants with representation from nineteen OECD Member countries and eleven international organisations.
The Workshop focused on the need for expanding electronic communications in support of international co-operation; issues of security of information networks among national agencies and international organisations; the current state and trends in external IT security systems and procedures; and resources and organisational structures devoted to IT security. Participants had a unique opportunity to draw lessons from recent computer virus and other "cyber" attacks, share experiences and ideas on emerging policies, standards and "best practices", and reflect on possible steps for more co-operative action on external security.
The event was judged timely, as international co-operation increasingly relies on electronic networks and organisations need to develop new approaches to external IT security in order to reinforce trust and confidence against the ever-increasing "cyber" threat.
Pierre-Dominique Schmidt, Head of OECD's Executive Directorate, welcomed participants and, along with Guido Maccari, Head of Information Technology and Network Services, officially opened the Workshop.
The Workshop included four sessions - led by senior IT officials from the Irish Statistical Office, the Austrian Chancellery, the World Bank and OECD - and nine presentations followed by discussion. Two of the presentations were made by selected IT private sector security firms (SITA, Network Associates).
Participants provided an overview of the IT architecture and security infrastructure in their respective organisations.
IT Security is part of Information Management Policy
Participants agreed that information, including its systems and infrastructure, should be a managed corporate resource to support the business objectives throughout its life cycle. Information should be protected to ensure its confidentiality, integrity, availability and accessibility, as required.
A "best practice" approach to IT security management should include the following fundamental elements:
- Independent risk assessment, to weigh threats and exposures, establish security measures, and identify acceptable residual risk
- Safety measures, covering physical, personnel, procedural and technical controls
- Independent and regular policy implementation audits and vulnerability tests
The standard BS 7799 / ISO 17799 was cited by a number of participants as a valuable reference specification for information security management systems.
Facilitate access to information
It was agreed that a significant objective of improved security is to facilitate access to and sharing of information that should be shared, not to hide it. Safeguarding key and confidential corporate information which should not be shared is the main challenge to be addressed by an appropriate IT security policy. Because information security tools are limited and the stakes can be high, organisations often resort to safeguarding everything and denying all access. A combination of better tools -- policies and technology -- can enable information to be shared more easily.
There is also a need to find the appropriate balance between IT and other forms of security. It will not help to implement elaborate electronic protection from external cyber threats without sufficient attention being paid to other avenues for obtaining or tampering with the same information. Threats from within still represent the greatest security risk, whether physical or electronic. If the physical security of buildings is weak, for example, then no amount of electronic security can prevent someone from walking into a building and taking paper documents. Therefore the decision on IT security investments should be in balance with the other types of protection, as well as the culture of the organisation.
What are we trying to protect?
Participants recognised that the threat to content - tampering with documents, databases, emails - is a potential problem, but does not have major consequences for key operations, as information can be easily restored. Solutions to counter threats to content have not yet been implemented by most organisations, mainly because of a lack of clear classification of information and authorisation policies that would accompany IT developments. In this regard a partnership must exist between the "business" units of an organisation and the ICT department to assess and decide what information needs to be available and to whom. The alternative may be a classical model such as: "staff members can see everything, and no-one else can see anything".
Whom are we trying to protect?
A balance should be found to the tendency of applying different access control standards to staff onsite as opposed to people working from "elsewhere". It would be desirable to provide staff on mission or working from home with the same access as from their offices. Similarly, there are frequently business partners to whom more access to information should be granted -- but which is not because they are "outside the perimeter". The emphasis should be less on trying to keep "outsiders" outside, and more on enabling the right people to get access to the right information, wherever they are. Meeting this connectivity requirement is a significant challenge faced by all participants.
Internet, software and hardware are often part of the problem
Every participating agency has come under external cyber threat in the last year or so, mainly from the Internet. The overwhelming majority suffered serious disruption of service at least once. "Denial of Service" attacks and the three infamous computer viruses (I Love You, Melissa and Kournikova) were cited as the most common causes of disruption. The motivation behind most of the Internet-originated attacks on government sites is political (e.g., anti-globalisation) and must be taken very seriously. Most participant organisations are subjected daily to multiple attempted security breaches. Also, due to the worldwide popularity of Microsoft, MS-based systems are the most common target of computer hackers and viruses. Weaknesses in software upgrades also make it attractive for hackers to disclose and profit from them. The rapid rise (and fall) of new networking devices such as PDAs, UMTS/WAP, mobile telephones, etc., adds to the complexity of managing sources of threat.
Senior management and computer users' awareness of the cyber threat
Most organisations reported an increase in the level of senior management awareness of the threat and a recognition that IT security is a corporate managerial issue, and not simply an IT technical matter. A heightened level of awareness and interest in IT security frequently followed a serious disruption of services in the organisation.
Nonetheless there was broad concern that the level of awareness and attention to IT security policies and practices by computer users was generally inadequate. It was agreed that best IT security practice must start with every individual at the screen. It was noted that home users have been found to have the poorest PC security practices.
The quality and continuity of efforts and dialogue in the area of "user education" need to be improved, at all levels. However, when setting up technology to achieve IT security, it is important to understand what the business really wants and/or needs. As working staff frequently have an innate sense of what needs to be protected (and what does not), their input is important even though they may need assistance to be able to articulate good rules for this.
Organisation of IT Security Management
For most organisations, the information business is a 7x24-hour operation (e.g., Internet, Embassies, Centres and Regional offices), which requires extra vigilance and an active programme to counter security threats. However, in most instances, there are insufficient staff resources to monitor and intervene rapidly around the clock.
Also, a uniform organisational structure to address IT security did not emerge. In many organisations, responsibility for IT security has traditionally been spread across several technical areas in the ICT department. More recently, approximately half of the participant organisations have created a Security Group, headed by a Security Officer and consisting of one or more specialists reporting to the head of ICT. In a few organisations the Security Group is independent of the ICT department. Regardless of its location, it was generally agreed that the Security Group should be separate and independent from development and operations.
Many organisations are outsourcing, or considering outsourcing, some or all elements of IT security detection and protection. Firewall management, intrusion detection and computer virus detection are the prime candidates for outsourcing. Nonetheless, budgetary constraints have made it difficult to allocate adequate resources to vigorously combat security threats, with most ICT departments instead focusing on minimising the potential for damage. While it is difficult to define and quantify all resources devoted to IT security, most participants estimate that less than 5% of their IT operational budget is devoted to IT security.
Emerging Best Practices
Many best practices are emerging, and are being adopted by most participant organisations to combat external threats, including:
For secure communications many organisations have implemented solutions based on VPNs over private networks, and on Public Key Infrastructure (PKI). Concerning the latter, interoperability of digital certificates is a significant impediment at the present time. It was noted that biometric identification systems, while appropriate in some situations, do not as yet constitute a strong authentication solution.
The widespread use of laptop computers and the high incidence of loss or theft represent a significant security risk. To counter this threat, the practice adopted by many organisations is to encrypt all data stored on laptops. It was recognised, however, that this created an overhead, which could be particularly noticeable in applications such as Computer-Assisted Personal Interviewing, where information is gathered by statistical office interviewers equipped with laptop computers.
Participants considered that the rapidly evolving use of mobile devices such as PDAs and mobile telephones, and increased teleworking, are major challenges that further add to the complexity of managing IT security.
Opportunities for co-operative action
Most participants considered the workshop of great value to them and to their organisations. They recommended that similar intergovernmental workshops on ICT management in the public service be held again, as the need arises. A number of possible initiatives were proposed which, through co-operation and sharing of information, could strengthen IT security in governments and benefit all participating organisations. These include: