
Cyber Security Professionalism




Presentation Transcript


  1. Cyber Security Professionalism Cyber Security Becomes a Profession Navigating U.S. Sectoral Security S.773 - the Current Impetus

  2. Is “CyberSecurity” a Profession? What About “Risk Analysis?” • Are these Trick/Gotcha Questions? • Maybe • Why…What is the Dilemma? • Long tradition of fields, disciplines, callings actively seeking legitimacy of professional status Vs. • Once you’re a Professional, Public Expectations Hold your Feet to the Fire • What is the Role of S.773 & S.778 in CyberSecurity Professionalism?

  3. What is a Profession? • Traditionally only 3 professions: • Divinity, Medicine, Law • Persons/firms who supply specialized knowledge (subject, field, science) to fee-paying clients • Also the body of qualified professional persons • Derived from Latin professiō - to swear (an oath), avowal, public declaration • Professional (adj) - behaves properly, not amateurish • The oath dictates ethical standards, usually include confidentiality, truthfulness, expertise, all for client’s benefit; also upholding profession’s good name • EX: • Architects, Accountants, Actuaries, Chiropractors, Clergy, Dentists, Engineers, Lawyers, Librarians, Nurses, Occupational/ Physical Therapists, Pharmacists, Physicians, Professors/Teachers, Psychiatrists, Veterinarians • (Cyber-)Security “Professionals” too?!?

  4. Milestones towards Profession • Full-Time Occupation • Training & University Instruction • Accreditation of Instruction & Qualifications • Associations: local, national, int’l • Codes of Conduct (govt & self-) • ethics, professional responsibility, self-discipline • Law/Regulation Compels Professional Status • Licensure, Certification

  5. Characteristics of Most Professions • Skill based on theoretical knowledge • Professional associations • Extensive period of education • Testing of competence • Institutional training (apprenticeship) • Licensure/Certification • Work autonomy • Code of professional conduct or ethics • Self-regulation • Self-Discipline • Public service and altruism (pro bono) • Exclusion, monopoly & legal recognition • Fee & advertising control • High status & rewards • Individual clients vs. In-House single client • Legitimacy, legal authority over some activities • Body of Knowledge Inaccessible to Laity • Professional interpretation required for body of knowledge • Professional Mobility

  6. Is CNSSI a Professional Program? • Ostensibly, but is it persistent?!? • CNSS standards for training & education were embraced by 169 U.S. institutions • Provides baseline for cadre of IA professionals • Educational Standards for IA professionals • NSTISSI 4011-Information Systems Security (INFOSEC) Professionals • CNSSI 4012-Senior Systems Managers • CNSSI 4013-System Administrators • CNSSI 4014-Information Systems Security Officers • NSTISSI 4015-System Certifiers • CNSSI 4016-Risk Analyst

  7. IT Governance Drives Professionalism • “specifying the decision rights and accountability framework to encourage desirable behavior in the use of IT.” • “the leadership and organizational structures and processes that ensure that [IT serves strategic objectives].” • Corporate governance constraints; impact of law, regulators, security & privacy standards; SOX; Implemented through: • technology transfer agreements • private contracts • employment restrictions • IP constraints • eCommerce commercial practice

  8. Standardization of Security Duties • ISO 17799 (predecessor: BS7799) & its progeny: • now replaced by ISO/IEC 27000 series • ISO 27001 Info. Security Mgt. • ISO 27002 Best Practices • ISO 15408 Common Criteria: Computer Security • PCI DSS payment card security • COBIT (ISACA: Info. Sys. Audit & Control Assn) • ITIL IT Infrastructure Library: IT Service Mgt • NIST’s Fed. Info. Processing Stds • Fair Information Practice Principles (FIPP): • (1) Notice, (2) Choice, (3) Participation, (4) Security, (5) Redress

  9. Why are Standards Important? • Stds are emerging from obscurity • More widely understood to impact most economic activity • Increasingly viewed less as technically objective matters; more as arbitrary choices from among near infinite alternatives • Increasingly perceived to favor particular nations, industries, identifiable groups or individual firms who participate most effectively • Increasingly have behavioral component

  10. Why Standards Impact CyberSecurity Duties • Stds Created CyberSpace: • Consider: html, ftp, http, xml, 802.11 • Facilitates comparison, interoperability, competition • Attracts investment in compatible technologies, products & services • Standardization promises superior process design & best practice integration • Domain experts develop rather than meddlers • Standards Reduce Risks of Variety • Incompatibility, Incompetence • Conformity Assessment Analyzes Non-Compliance Risk, Provides Feedback • Incentivizes Compliance & Improvement

  11. Risks of Security Standardization • General Disadvantages of Standardization • Lock in old/obsolete technology • Resists favorable evolution or adaptation • Favors/disfavors particular groups • Voluntary Consensus is really a Sub-optimal Compromise that Dictates too much Design However, Standardization Risks Stagnancy & Communicates Widespread Vulnerability

  12. Economic Analysis of Security • The Law & Economics Approach: • legal theory applies methods of economics to law; economic concepts explain effects of law/regulation; assesses efficient rules; predicts legal rules will/should be promulgated • Micro-Economics Fundamentals • Information Asymmetries • Market Failure & its Justification for alternative policies • Adverse Selection • Moral Hazard • Positive vs. Negative Externalities • Free Rider & Tragedy of the Commons • Game Theoretic Framework & Network Economics Approach • Critical Mass • Network Externality • Vulnerability Markets & Disclosure Incentive

  13. Some Public Policies Pressing Security Duties • Privacy Law Requires CyberSecurity • G/L/B, SourBox (a/k/a SOX), FCPA • Internal Control • The Primary Federal Privacy Regulator: FTC • Enforcement Caselaw, deceptive trade practices • State Privacy & Info Security Laws • CA state Privacy Czar • Breach Notification, see: Privacyrights.org • Mass, Nev. Comprehensive Regulations • Tort Liability for Privacy Violations • HIPAA now HITECH PHI std • IA laws Impact Security Duties • Outsourcing (SAS70) • Trade Secrecy (IP) & National Security • USA PATRIOT Act • FTC Privacy Enforcement Common Law History • Red Flags (best/worst practices), Disposal Rule, • Exposing then Stamping Out Deception

  14. Example of Security Complexity: the Purported IPAS Drivers • PSU “Policies” • FN07, Credit Card Sales • AD11 - University Policy on Confidentiality of Student Records • AD19 - Use of Penn State Identifier and Social Security Number • AD20, Computer and Network Security • AD22 - Health Insurance Portability and Accountability Act (HIPAA) • AD23, Use of Institutional Data • Trusted Network Specifications • AD35, University Archives and Records Management • AD53 - Privacy Statement • Public Policies • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley Act (G/L/B) • Family Educational Rights and Privacy Act (FERPA) • PA Breach of Personal Information Notification Act 73 P.S. § 2301 • PA Mental Health Law • 21 USC Ch. 16 - Drug Abuse Prevention, Treatment, & Rehab

  15. What is Federal Pre-Emption? • Only the most central institutional design feature in the whole “American Experience” • E.g., Reaction to English Crown, Articles of Confederation, Civil War, New Deal, Reagan’s New Federalism • Fed. Law May Displace State Law • EX: FDA labeling overrides state products liability • Why would it be good to bar the states from regulating CyberSecurity? • Why would it be good to include states in regulating CyberSecurity?

  16. S.773 & S.778 • S.773=Cyber Security Act of 2009 • Sponsors • John Rockefeller [D, WV] + 3 Co-Sponsors • Evan Bayh [D, IN] • Bill Nelson [D, FL] • Olympia Snowe [R, ME] • S.773 Bill Actions • 4.1.09: Introduced & Read twice • Referred to Commerce, Science & Transportation. • S.778 • Companion to S.773 • Creates White House Office of National Cybersecurity Advisor • Authority/Power: from S.773 & later legislation/delegation

  17. Some S.773 & S.778 Provisions • Raise CyberSecurity profile within Fed. Govt. • Streamline cyber-related govt functions & authorities • Establish: Office of the National CyberSecurity Advisor • Develop CyberSecurity national strategy • Quadrennial Cybersecurity Review • modeled after the DoD Quadrennial Defense Review • to examine cyber strategy, budget, plans & policies • Require a threat & vulnerability assessment • Promote public awareness • Protect civil liberties • Require comprehensive legal review

  18. More S.773 & S.778 Provisions • ISAC: • pub-pvt clearinghouse for cyber threat & vulnerability info-sharing • CyberSecurity Advisory Panel • industry, academia, not-for-profit, advocacy organizations • review & advise President • Establish enforceable cybersecurity standards • NIST to create measurable, auditable CyberSecurity stds • Licensing & certification of CyberSecurity professionals • Establish & negotiate international norms • cybersecurity deterrence measures • Foster innovation and creativity in cybersecurity • Scholarship-For-Cyber-Service program • NSF: Increase federal cybersecurity R&D • Develop CyberSecurity risk evaluation framework

  19. Probability of S.773 Passage • Much proposed legislation is arguably political grandstanding, with scant probability of success • Passage of any proposed legislation is uncertain • Predictions based on heuristics of domain experts • Few sectors reactive, most pro-active • Limits of empirical approaches to prediction • See: “Resume of Congressional Activity:” • http://www.senate.gov/pagelayout/reference/two_column_table/Resumes.htm • 110th Cong. 1st Sess. (Jan. 4-Dec. 31, 2007) 138 enacted/9227 introduced = 1.5% yield • 110th Cong. 2nd Sess. (Jan. 3, 2008 – Jan. 2, 2009) 278 enacted/4815 introduced = 5.8% yield

  20. Security Risk Analysis is Sectoral • Risk Analysis Differs by Domain • Just like U.S. Privacy Law, but not EU Privacy Law • Major Differences: Physical vs. Intangible Security • Most domains blend tangible w/ information • Many Key Domains Track Critical Infrastructures as defined in USA Patriot’s CIPA §1016(e) • “…systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” • telecommunications; electrical power systems; gas & oil storage & transportation; banking & finance; transportation; water supply systems; emergency services (e.g., medical, police, fire, & rescue), govt. continuity & CyberSpace • Calls for National Effort to Enhance Modeling & Analytical Capacities • appropriate mechanisms to ensure the stability [of] complex & interdependent systems, [incl] continuous viability & adequate protection of critical infrastructures • What is Shared Among these Vastly Different Sectors?

  21. Law Permits/Regulates Risk Analytics • Quantitative • Statistical • Actuarial • Mortality & Morbidity • Admissibility of Forensic Quality Expertise • Decision Analysis • Failure Analysis • Qualitative • Heuristic • Visualization • Interdependence • Risk Assessment • Education • Demographics • Risk Recognition • Emotion

  22. Epilogue • There is far more here than meets the eye! • A website devoted to the developing public policy of cyber security professionalism • http://faculty.ist.psu.edu/bagby/SecurityProfessionalism/ • This IS interdisciplinary! • Good luck w/o interdisciplinarity…

  23. Financial Info Security Risks: SEC • Financial Institutions w/in SEC Juris. Must: • Adopt written policies & procedures, reasonably designed to … • Insure security & confidentiality of customer records • Protect against anticipated threats or hazards • Protect against unauthorized access or use that could result in substantial harm or inconvenience • Disposal Rule: • must properly dispose of PII using reasonable measures to protect against unauthorized access to or use of PII

  24. Controls over Internal Risks COSO’s Definition of Internal Control • “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives” in these categories: • effectiveness and efficiency of operations; • reliability of financial reporting; and • compliance with applicable laws and regulations. • Components of Internal Control are: - Control Environment - Risk Assessment - Control Activities - Information & Communication - Monitoring

  25. GLB Safeguards Rule • Financial institutions must design, implement and maintain safeguards • Purpose: to protect private info • Must implement written information security program • appropriate to company's size & complexity, nature & scope of activities, & sensitivity of customer data • Security program must also: • assign one or more employees to oversee program; • conduct risk assessment; • put safeguards in place to control risks identified in assessment then regularly test & monitor them • require service providers, by written contract, to protect customers' personal information; & • periodically update security program

  26. Admitting then Analyzing Outsourcing Risks • Not Outsourcing Risks Internal Failure • Interdependency Reduces (Some) Risks of Conflict • Outsourcing Sacrifices Monitoring Risking Injury from Diminished Control • Slipshod Rush to Outsource for $avings • Cross-Cultural Ignorance Obscures Outsourcing Vulnerabilities • SAS 70 Requires Outsourcing Risk Analysis/Mgt • SLC Negotiation Opportunities to Reduce Risk

  27. NIST Risk Mgt Method • Asset Valuation • Information, software, personnel, hardware, & physical assets • Intrinsic value & the near-term impacts & long-term consequences of its compromise • Consequence Assessment • Degree of harm or consequence that could occur • Threat Identification • Typical threats are error, fraud, disgruntled employees, fires, water damage, hackers, viruses

  28. NIST Risk Mgt Method • Vulnerability Analysis • Analyzed in terms of missing safeguards • Safeguard Analysis • Any action that reduces an entity’s vulnerability to a threat • Includes the examination of existing security measures & the identification of new safeguards • Risk Management Requires Risk Analysis • “The Process of Identifying, Controlling and Minimizing the Impact of Uncertain Events” (NIST, 1995 @59) • Source: NIST Handbook
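The two NIST Risk Mgt Method slides above list the steps (asset valuation, consequence assessment, threat identification, vulnerability analysis, safeguard analysis) without showing how they combine. The following is an added worked example, not part of the original slides and not the NIST Handbook's own procedure or figures: it walks a small constructed inventory through those steps, expresses vulnerability "in terms of missing safeguards" as slide 28 puts it, and ends with the identification of new safeguards ranked by the residual risk they would address. The 1..5 scoring scales, the rule that each safeguard in place lowers effective likelihood by one level, and every asset, threat and safeguard name are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """Asset valuation: name, NIST asset category, and a 1..5 value score
    standing for intrinsic value plus the impact of compromise (constructed scale)."""
    name: str
    category: str   # information, software, personnel, hardware or physical
    value: int      # 1 (negligible) .. 5 (critical)


@dataclass
class Threat:
    """Threat identification plus consequence assessment for that threat."""
    name: str
    likelihood: int     # 1 (rare) .. 5 (expected), constructed scale
    consequence: int    # degree of harm if the threat is realized, 1..5
    targets: set        # asset categories the threat can affect
    mitigated_by: set   # safeguards that reduce exposure to this threat


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair after vulnerability and safeguard analysis."""
    asset: str
    threat: str
    inherent_risk: int          # value * likelihood * consequence, no safeguards
    residual_risk: int          # same, after crediting safeguards in place
    missing_safeguards: tuple   # vulnerability expressed as missing safeguards


def analyze(assets, threats, safeguards_in_place):
    """Run the steps over every applicable asset/threat pair.

    Constructed rule: each relevant safeguard already in place lowers the
    threat's effective likelihood by one level (never below 1), so the
    residual risk is what remains once existing measures are credited."""
    exposures = []
    for asset in assets:
        for threat in threats:
            if asset.category not in threat.targets:
                continue
            inherent = asset.value * threat.likelihood * threat.consequence
            present = len(threat.mitigated_by & safeguards_in_place)
            missing = tuple(sorted(threat.mitigated_by - safeguards_in_place))
            effective_likelihood = max(1, threat.likelihood - present)
            residual = asset.value * effective_likelihood * threat.consequence
            exposures.append(Exposure(asset.name, threat.name, inherent, residual, missing))
    # Highest residual risk first; ties broken by asset then threat name.
    return sorted(exposures, key=lambda e: (-e.residual_risk, e.asset, e.threat))


def safeguard_priorities(exposures):
    """Identification of new safeguards: total residual risk each missing
    safeguard would address, highest first, so spending goes where it counts."""
    totals = {}
    for e in exposures:
        for s in e.missing_safeguards:
            totals[s] = totals.get(s, 0) + e.residual_risk
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample inventory; threat names follow slide 27's list
# (disgruntled employees, fire, hackers, viruses).
SAMPLE_ASSETS = [
    Asset("customer PII database", "information", 5),
    Asset("payroll server", "hardware", 3),
    Asset("public web site", "software", 2),
]
SAMPLE_THREATS = [
    Threat("hacker intrusion", 4, 4, {"information", "software"},
           {"patching", "access control", "monitoring"}),
    Threat("disgruntled employee", 2, 5, {"information", "software", "hardware"},
           {"access control", "monitoring"}),
    Threat("fire", 1, 5, {"hardware", "physical"},
           {"fire suppression", "offsite backup"}),
    Threat("virus", 3, 3, {"software", "hardware"},
           {"antivirus", "patching"}),
]
SAFEGUARDS_IN_PLACE = {"patching", "access control"}


def run_example():
    """Analyze the constructed inventory; returns exposures by residual risk."""
    return analyze(SAMPLE_ASSETS, SAMPLE_THREATS, SAFEGUARDS_IN_PLACE)


if __name__ == "__main__":
    report = run_example()
    for e in report:
        print(f"{e.residual_risk:3d} (inherent {e.inherent_risk:3d})  {e.asset} / {e.threat}"
              f"  missing: {', '.join(e.missing_safeguards) or 'none'}")
    print("safeguard priorities:", safeguard_priorities(report))
```

On the constructed inventory the PII database under hacker intrusion leads the list (inherent 80, residual 40 with patching and access control credited, monitoring still missing), and the priority table shows that monitoring is the single missing safeguard touching the most residual risk. The point for the slide's argument is that the method is a repeatable procedure, which is what makes its output auditable in the S.773 sense, not the particular numbers.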

  29. Roles of Law/Reg/Policy in Risk Analysis & Risk Management • Law Resolves Disputes, Shifts Risk of Loss • Risk Analysis Failure Shifts Liability Risks to Creator • Actual Injuries Trigger Disputes over Risk Duties • Law Defines Risks & Duties of Care • Crimes, Torts, Contracts, Standards, Determination of Injury • Law Dis-Incentivizes Risky Deeds (DD&tDDC) • Law Defines Risk Management Duties • Law Compensates Injuries Derived from • Law Defines/Constrains Damage Computation • Law Encourages Risk Mgt • Law Defines Risk Mgt Professionalism • Law Enforces Risk Shifting Contracts • Law Requires Risk Analysis & Impacts Methods • But Law may Disincentivize Introspection w/o Self-Eval Privilege • Law Regulates Risk Management Industry • Law Enforces Risk Mgt Profession’s Arrangements
