Insider Threat:
Risk Management Through Information Distribution Management
By Bill Gillespie
President, Risk Analysis Group
The President's State of the Union message last January was fascinating, particularly as he laid out his law-enforcement agenda. Bin Laden and Hussein were obvious choices; the bombshell was his identification of number three: dishonest corporate executives who defraud stockholders.
His statement was a clear directive to his staff and a stern warning to those who choose to "spin" the mandates of recent legislation requiring corporations to develop policies, procedures and programs that manage and control their information and its distribution.
And, with each passing day, the mandates are most certainly mounting. Among the most pressing are federal statutes such as GLBA in the financial services sector and HIPAA in healthcare; broad state-level controls imposed by California; and, more broadly still, the regulations imposed by the Sarbanes-Oxley Act.
President Bush reminded C-level executives in his own way: "You mess up, and you're going to jail." If that is not a wake-up call, what is?
The Current IT Landscape
Business and management have been changed forever by the rise of Information Technology. Security professionals are now obliged to understand their organization from all angles, from 'thirty thousand feet' where senior managers and boards of directors reside to the depths of the trenches both real and virtual, physical and digital.
This means that security professionals must become more aware of, and fluent in, the world of servers, routers, SONET rings, T-1s and T-3s, mainframes and firewalls. This world is sophisticated, necessary and expensive. Indeed, the gospel according to the IT department has frequently been that the best solution is the most expensive one. The resulting logic has been that the best way to protect an organization is to invest in the most expensive solution: creating the "thousand pound gorilla."
However, current economic trends are forcing executives to ask both IT and corporate security departments to identify their return on each investment dollar and justify their existence. There just isn't room for a thousand pound gorilla anymore. It must be replaced with a more professional, creative and cost-effective solution.
As this new reality settles in, executives must acknowledge and fight the most obvious and potentially deadliest threat to the entire enterprise, one that has been overlooked throughout time.
The Weak Link
It's an axiom that has been around as long as human nature has been studied: "The weakest link in any chain is people."
And yet, most commercial security solutions deployed by IT executives have been far too limited in scope. In most instances, IT security reviews are limited to controlling the perimeter: stopping hacking, an attack by an outside party. While there is no doubt that hackers can bring a corporation to its knees, most organizations recover after sustaining a limited, managed loss of revenue and, perhaps, some market share. But while the majority, if not all, of investment dollars are focused on external attacks, nearly three-quarters of all information loss, intentional or otherwise, happens from the inside out. People, like it or not, remain the weakest link in security, IT and business. The greatest risk is the one most often ignored: the internal threat.
Whether that person is a victim of social engineering, a disgruntled employee, or a well-compensated mole or spy, he or she has already circumvented the "thousand pound gorilla," entered your company and acquired access to your private, confidential, valuable and proprietary information.
These individuals know where the secrets are kept; they can use your equipment to access them and, with access to email and the Internet, they do not need to smuggle anything out of the building. They only need to hit 'Send' or 'Enter'.
Today, this occurs in a legislative environment in which the laws are written so as to say, "You should have known what could happen, and then prepared for what might happen." The cost of ignorance has become effectively unbounded, and not knowing is no longer a defense.
Recent legislation in California, the Simitian Bill (AB 700, enacted alongside the nearly identical SB 1386 and in force since July 1, 2003), has heightened sensitivity to external attacks but may blur the executive focus.
For decades, California has been a lightning rod for citizen-rights programs that, ultimately, have found their way back across the rest of the country. This will likely be the case here as well. It is clear that other states will draft similar legislation lest they be left out of the consumer-protection limelight.
California's Simitian Bill was passed as an aggressive response to the billion-dollar identity-theft industry. The law defines personal information as an individual's first name (or first initial) and last name in combination with at least one further data element: a Social Security number, a driver's license or state ID number, or an account or card number together with the code that grants access to it. Only unencrypted data is covered.
If it is established, or reasonably believed, that such unencrypted information has been acquired by an unauthorized person, the owner of the database is required to notify every affected California resident that the system has been compromised. One can assume that this will bring many corporations to their knees in the short term, and it is a roll of the dice whether they would ever recover.
Should organizations spend money to protect the database from external attacks? Of course! But, at the same time, executives must address the internal issue as well.
Into the Simitian scenario, let's introduce the insider.
An insider passes the records of ten people to an outsider. The insider is aware of the Simitian requirements, most likely because the corporation's policies and procedures have been augmented to address the heightened security, with an explanation of the law attached. Our insider is disgruntled and anonymously tells any of the ten that their information has made its way out of the organization. So much for the robust system; the game is on.
Whether or not anyone suffers a financial loss, this scenario very well may meet the Simitian standard: unencrypted personal information acquired by an unauthorized person. If so, the disclosure requirements apply, and action must be taken.
Some commentators believe that Simitian applies only to customer records. It does not. It covers personal information about any California resident, wherever it is held, and employee records are a perfect example.
Complicating this issue even further is how it affects the rest of the country. The Simitian Bill may be a California law, but it expressly covers every company that does business in the State. Ohio and Florida never felt so close.
So how do you address this and more nefarious schemes such as theft of trade secrets or confidential business information?
Information Distribution Management
Theft has been with us since man took his first steps. What has evolved is the means of committing it. Business, security and risk management practitioners must evolve accordingly.
In years past, the Department of Defense developed procedures in which sensitive documents were color-coded. Only those with the appropriate clearance were authorized to possess documents of a given color. Security officers searched those who entered or left as one means of ensuring the documents were protected. This fundamental means of document control was a strong deterrent.
In our electronic world, the task has expanded from the control of paper documents to virtually all information contained in an electronic storage device somewhere. This is the business world in which we live. How should this information be protected?
- All information must be identified and prioritized, and distribution rights must be controlled.
- Policies and procedures, even when updated to integrate distribution management controls, are not enough.
- Funds must be made available to develop or purchase software that tags each piece of information with a unique electronic identifier recording all of the required attributes, in particular who has the right to send or receive it.
- The software must monitor compliance with internal IT access policies in real time. When an event occurs, it must identify the offender, immediately report the event to the appropriate gatekeeper(s), and impose pre-set actions, controls or blocking mechanisms that enforce internal and external policies and requirements. At the same time it must be transparent to the end user, so that it does not impede or change his or her workflow.
- Distribution violations must be supported by a zero tolerance policy.
- Distribution violations must be documented. Such documentation may serve as a useful defense by showcasing aggressive, successful prevention techniques.
- This mandates a partnership among IT, risk management and security on one hand and the CEO and Board of Directors on the other. The stakes are too high for traditional turf battles.
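To make the mechanism in the list above concrete, here is an added example, not code from the article or from Risk Analysis Group. It implements a minimal distribution gate: every controlled object carries an identifier that maps to a label and to the accounts allowed to send and receive it; records in flight are tested against the statutory definition of personal information given earlier; and each decision produces an audit record naming the offender and the pre-set action. The policy table, object identifiers, account names, domains and sample records are all constructed for the example.

```python
"""Minimal information-distribution gate: labeled objects with send/receive
rights, an SB 1386 personal-information test on the records being moved, and
an audit record that names the offender and the pre-set action taken.
All identifiers, domains and policy entries are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical policy table: the "unique electronic identifier" stamped on each
# controlled object maps to its label and to who may send or receive it.
POLICY = {
    "HR-REC-0042": {
        "label": "CONFIDENTIAL-HR",
        "may_send": {"hr.director"},
        "may_receive": {"benefits-admin.example.com"},
    },
    "PRESS-0007": {"label": "PUBLIC", "may_send": {"*"}, "may_receive": {"*"}},
}

# Violations are recorded, not merely blocked: this log is the documentation
# of prevention that the article says a defense will later rest on.
AUDIT_LOG = []


def is_notice_triggering_record(rec):
    """SB 1386 'personal information': last name plus first name or initial,
    combined with an SSN, a driver's license or state ID number, or an account
    number together with its access code. Encrypted data is exempt."""
    has_name = bool(rec.get("last_name")) and bool(
        rec.get("first_name") or rec.get("first_initial"))
    has_element = bool(
        rec.get("ssn") or rec.get("driver_license") or rec.get("state_id")
        or (rec.get("account_number") and rec.get("access_code")))
    return has_name and has_element and not rec.get("encrypted", False)


@dataclass
class TransferEvent:
    object_id: str         # identifier stamped on the object being sent
    sender: str            # internal account initiating the send
    recipient_domain: str  # where it is going
    records: list          # structured records contained in the object
    at: str = field(default_factory=lambda: datetime.now(timezone.utc).isoformat())


def evaluate_transfer(ev):
    """Apply the distribution policy to one outbound event and return the
    audit record. Meant to sit inline (mail or web gateway): the user's
    workflow is untouched unless the policy is actually violated."""
    rule = POLICY.get(ev.object_id)
    reasons = []
    if rule is None:
        reasons.append("object carries no distribution label")
    else:
        if "*" not in rule["may_send"] and ev.sender not in rule["may_send"]:
            reasons.append(f"{ev.sender} has no send right for {rule['label']}")
        if "*" not in rule["may_receive"] and ev.recipient_domain not in rule["may_receive"]:
            reasons.append(f"{ev.recipient_domain} is not an authorised recipient")
    pii_count = sum(1 for r in ev.records if is_notice_triggering_record(r))
    audit = {
        "at": ev.at,
        "object_id": ev.object_id,
        "label": rule["label"] if rule else None,
        "offender": ev.sender if reasons else None,
        "recipient_domain": ev.recipient_domain,
        "notice_triggering_records": pii_count,
        "reasons": reasons,
        "action": "BLOCK" if reasons else "ALLOW",
        # Every violation goes to the gatekeeper; a blocked send that carried
        # statutory personal information is the one that cannot wait.
        "notify_gatekeeper": bool(reasons),
        "severity": "HIGH" if reasons and pii_count else ("MEDIUM" if reasons else "NONE"),
    }
    if reasons:
        AUDIT_LOG.append(audit)
    return audit


if __name__ == "__main__":
    rec = {"first_initial": "J", "last_name": "Doe", "ssn": "123-45-6789"}
    ok = evaluate_transfer(TransferEvent("HR-REC-0042", "hr.director",
                                         "benefits-admin.example.com", [rec]))
    bad = evaluate_transfer(TransferEvent("HR-REC-0042", "disgruntled.analyst",
                                          "webmail.example.net", [rec]))
    print(ok["action"], bad["action"], bad["reasons"])
```

The two decisions in the usage block show the point of the design: the same record, sent by the authorised account to the authorised recipient, passes silently, while the same record sent by an unauthorised account to a webmail domain is blocked, attributed to the sender, escalated because it contains notice-triggering data, and written to the log. Note that the personal-information test follows the statute's structure (name plus a qualifying element, unencrypted) rather than pattern-matching free text, so an encrypted record or a name with no qualifying element does not trip it.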
Given the empirical data showing that the most likely perpetrator of a breach will be, or will involve, an insider, this investment should be the first IT dollar spent, not an afterthought, particularly in the environment in which the CIO now finds himself. The legislation that is changing the way we do business will not allow for a second chance.
Conclusion
The business environment in which we find ourselves is, at best, unfriendly. The potential threats to our businesses are real and potentially catastrophic. In a perfect world, the IT executive would already have implemented the systemic changes needed to address the internal threat or, said another way, would already have been given the budgetary support to augment the system.
Whether you are a risk management or security practitioner, IT executive or C-level executive, this issue must be raised and addressed. The answers are out there, and our President has told you to find them.