<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>NovaInfosecPortal.com &#187; guest-poster</title>
	<atom:link href="http://www.novainfosecportal.com/tag/guest-poster/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.novainfosecportal.com</link>
	<description>News, events, &#38; resources for infosec professionals in NoVA, DC, &#38; MD</description>
	<lastBuildDate>Mon, 06 Feb 2012 18:30:33 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
		<item>
		<title>What! No CI(S)O*?</title>
		<link>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/</link>
		<comments>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/#comments</comments>
		<pubDate>Wed, 09 Sep 2009 15:00:24 +0000</pubDate>
		<dc:creator>paques</dc:creator>
				<category><![CDATA[News]]></category>
		<category><![CDATA[cfo]]></category>
		<category><![CDATA[ciso]]></category>
		<category><![CDATA[cto]]></category>
		<category><![CDATA[guest-poster]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[novainfosec twits]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security-news]]></category>
		<category><![CDATA[wade-woolwine]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=2104</guid>
		<description><![CDATA[Written by Guest Poster Wade Woolwine The Chief Information (Security) Officer* is a top-level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don&#8217;t have one? Sure, there might be a CTO or legal team who claims that part of their mission within the company is data, but that simply isn&#8217;t enough. In today&#8217;s world, just about every industry must maintain a certain amount of personal information about their customers, even if the sole purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid service providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company, and consumers demand that this information be kept safe from criminals. Who bears the responsibility for this data? The CEO? Probably not; most CEOs are concerned with company performance, products, and marketing &#8211; in other words, making money for the company or shareholders. How about the CTO? [...]]]></description>
			<content:encoded><![CDATA[<p><em>Written by Guest Poster <a href="http://www.wadewoolwine.com/">Wade Woolwine</a></em></p>
<p>The Chief Information (Security) Officer* is a top-level executive who is responsible for defining and executing a plan for identifying, cataloging, and protecting information assets throughout a company or government agency. Seems like a pretty important job, right? So why is it that so many public and private companies don&#8217;t have one? Sure, there might be a CTO or legal team who claims that part of their mission within the company is data, but that simply isn&#8217;t enough.</p>
<p>In today&#8217;s world, just about every industry must maintain a certain amount of personal information about their customers, even if the sole purpose is to be able to reliably discern one customer from another. In more extreme cases such as social networks, paid service providers, banks, or healthcare providers, the amount of PII (personally identifiable information) amassed in information systems becomes a huge liability for the company, and consumers demand that this information be kept safe from criminals. Who bears the responsibility for this data? The CEO? Probably not; most CEOs are concerned with company performance, products, and marketing &#8211; in other words, making money for the company or shareholders. How about the CTO? Perhaps, but when you&#8217;re also responsible for maintaining the availability of your product delivery platform, the focus on confidentiality and integrity of the data maintained within the platform is often lost to availability of products and services to consumers. Furthermore, data does not typically sit stagnantly on systems; it gets consumed by both customer-facing applications and internal applications such as trend calculation and other business intelligence purposes that are likely not under the authority of the CTO.</p>
<p>By the position title alone, we can determine that the CI(S)O reports up to the CEO and is a peer to other &#8220;C&#8221; level executives such as the CFO (Chief Financial Officer), CP/DO (Chief Product/Development Officer), CTO (Chief Technology Officer), and COO (Chief Operating Officer). Generically, and as I&#8217;ve already stated, the CI(S)O is responsible for identifying, cataloging, and protecting ALL information assets, whether this data is externally or internally sourced. As such, the CI(S)O must interface with other executives in order to identify, document, and classify data assets.<span id="more-2104"></span></p>
<p>It feels like a good place for a quick tangent on data classification; each information asset within the company must be evaluated against a set of defined criteria to ensure that the level of protection applied to said assets is consistent with the risk associated with the loss or theft of the data. Incidentally, the responsibility for defining the classification levels and assigning appropriate properties to each level falls on the CI(S)O.</p>
<p>Once all information assets have been identified, solutions must be devised and implemented to ensure the data remains protected no matter where it travels or rests within the company&#8217;s (and partners) technical infrastructure. Partnerships with other executives are key to achieve this goal:</p>
<ul>
<li>The CI(S)O must interface with the CTO to ensure that solutions for network security/monitoring, host/server security, configuration/patch management, identity management, access controls, desktop security, and overall network and host health monitoring are in place. Please note that this is not an exhaustive list, just some key items to demonstrate the importance of the CI(S)O&#8217;s ability to interface with other executives and influence changes in other organizations within the same company.</li>
<li>The CI(S)O must interface with the CFO to ensure that appropriate data retention policies are in place, and that software, hardware, and communications paths used to transport or store sensitive employee data have appropriate levels of confidentiality, integrity, and non-repudiation.</li>
<li>The CI(S)O must interface with the COO to ensure that appropriate physical security controls, security awareness and security policy training programs, and employee accountability are in place.</li>
<li>The CI(S)O must interface with the CP/DO on implementing a robust software security lifecycle for applications and products that collect or display sensitive information.</li>
</ul>
<p>By no means is this meant to be an exhaustive list of CI(S)O responsibilities, but rather a select few to demonstrate that information security cannot be shared across multiple executive owners. With something as critical as securing consumer and corporate data against an ever growing number and diverse set of threats, accountability at the highest levels of the company is key to creating and enforcing good security policies, procedures, and solutions.</p>
<p>*For the purposes of this article, I&#8217;ve assumed that the titles Chief Information Officer and Chief Information Security Officer are one and the same. The CI(S)O&#8217;s role is to ensure the security of information assets.</p>
<p><em><strong>Wade&#8217;s Bio</strong>: An IT Security professional in the Washington DC area, Wade works for a large Web Application Service Provider as a Senior Engineer on the IT Security Assurance Team. You can find Wade on Twitter <a href="http://twitter.com/wadew">@wadew</a> (you can also see him on our <a href="http://www.novainfosecportal.com/resources/nova-email-lists-networking/novainfosec-twits/">NovaInfosec Twits list</a>), and can read more of what he has to say on his blog at <a href="http://www.wadewoolwine.com/">WadeWoolwine.com</a>.</em></p>
<p style="text-align: center;">o o o o o</p>
<p style="text-align: center;">Many thanks to Wade for this excellent post. We hope that you&#8217;ll follow Wade&#8217;s lead and <a href="http://www.novainfosecportal.com/contact-us/">contact us</a> about becoming a guest poster for NovaInfosecPortal.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/09/09/what-no-ciso/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Recap of the “Watching the Watcher” Talk at ShmooCon</title>
		<link>http://www.novainfosecportal.com/2009/02/16/recap-of-the-%e2%80%9cwatching-the-watcher%e2%80%9d-talk-at-shmoocon/</link>
		<comments>http://www.novainfosecportal.com/2009/02/16/recap-of-the-%e2%80%9cwatching-the-watcher%e2%80%9d-talk-at-shmoocon/#comments</comments>
		<pubDate>Mon, 16 Feb 2009 14:54:08 +0000</pubDate>
		<dc:creator>grecs</dc:creator>
				<category><![CDATA[Infosec Conferences]]></category>
		<category><![CDATA[alexa]]></category>
		<category><![CDATA[best-listening]]></category>
		<category><![CDATA[brent-chapman]]></category>
		<category><![CDATA[Events]]></category>
		<category><![CDATA[guest-poster]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[kirsten-goodwin]]></category>
		<category><![CDATA[matt-devers]]></category>
		<category><![CDATA[most-chatty]]></category>
		<category><![CDATA[nova]]></category>
		<category><![CDATA[shmoocon]]></category>
		<category><![CDATA[shmoocon-2009]]></category>
		<category><![CDATA[tera-corbari]]></category>
		<category><![CDATA[third-party-web-tracking]]></category>
		<category><![CDATA[watching-the-watcher]]></category>

		<guid isPermaLink="false">http://www.novainfosecportal.com/?p=1068</guid>
		<description><![CDATA[Written by Guest Poster Kirsten Goodwin The “Watching the Watcher” talk by Brent Chapman, Tera Corbari, and Matt Devers at ShmooCon discussed Third-party Web Tracking and provided a basic understanding of tracking code used on various websites. They evaluated the top sites listed by Alexa and showcased which websites are currently the “Most Chatty” and the “Best Listeners.” Websites classified as “Most Chatty” are characterized by how many different servers that website sends your information to. For example, the top three “Most Chatty” sites were AOL, ESPN, and The New York Times. Visiting any of these sites could expose your information to a multitude of servers, rather than one single location. In contrast, the “Best Listeners” websites pool user information from several websites that track their web behavior, which is usually identified by a unique identifier such as the IP address of a user. DoubleClick, Google, and Yahoo are examples of “Best Listeners” websites. The problem with tracking code (such as cookies) is that it can prevent a user from remaining anonymous while browsing the internet. This poses a huge privacy issue because if a website can obtain basic information about your surfing habits, who knows what else they can retrieve. To [...]]]></description>
			<content:encoded><![CDATA[<p><em>Written by Guest Poster Kirsten Goodwin</em></p>
<p>The “<a href="http://www.shmoocon.org/presentations-all.html#watcher">Watching the Watcher</a>” talk by Brent Chapman, Tera Corbari, and Matt Devers at ShmooCon discussed Third-party Web Tracking and provided a basic understanding of tracking code used on various websites. They evaluated the top sites listed by <a href="http://www.alexa.com/">Alexa</a> and showcased which websites are currently the “Most Chatty” and the “Best Listeners.”</p>
<p>Websites classified as “Most Chatty” are characterized by how many different servers that website sends your information to. For example, the top three “Most Chatty” sites were <a href="http://www.aol.com/main.adp?adp=1">AOL</a>, <a href="http://espn.go.com/">ESPN</a>, and <a href="http://www.nytimes.com/">The New York Times</a>. Visiting any of these sites could expose your information to a multitude of servers, rather than one single location.</p>
<p>In contrast, the “Best Listeners” websites pool user information from several websites that track their web behavior, which is usually identified by<span id="more-1068"></span> a unique identifier such as the IP address of a user. <a href="http://www.doubleclick.com/">DoubleClick</a>, <a href="http://www.google.com/">Google</a>, and <a href="http://www.yahoo.com/">Yahoo</a> are examples of “Best Listeners” websites.</p>
<p>The problem with tracking code (such as cookies) is that it can prevent a user from remaining anonymous while browsing the internet. This poses a huge privacy issue because if a website can obtain basic information about your surfing habits, who knows what else they can retrieve. To better protect your information, you can use plugins like <a href="http://adblockplus.org/en/">Adblock Plus</a> or <a href="http://noscript.net/">NoScript</a>. Other options include the use of Tor or Privoxy.</p>
<p><em><strong>Kirsten’s Bio</strong>: Kirsten Goodwin is a graduate of Virginia Tech and has recently started working in Information Security, focusing on vulnerability analysis for a large defense contractor. She is currently studying for the SSCP exam with an anticipated completion date in June of 2009.</em></p>
<p style="text-align: center;"><em>###</em></p>
<p style="text-align: center;"><em>Would you like to be a Guest Poster for NovaInfosecPortal.com? If so, visit our <a href="http://www.novainfosecportal.com/contact-us/"><span style="color: #b85b5a;">Contact Page</span></a> or send us a tweet <a href="http://twitter.com/grecs"><span style="color: #b85b5a;">@grecs</span></a>. Include “Guest Blogger” in the title of your request.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.novainfosecportal.com/2009/02/16/recap-of-the-%e2%80%9cwatching-the-watcher%e2%80%9d-talk-at-shmoocon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

