Identity Theft and Fraud
Chapter 12: Evaluating and Managing Organizational Readiness for Security and IDTF Risks

“Minds are like parachutes. They only function when they are open.” —Sir James Dewar

Introduction

Information security is in a constant state of change, and security methodologies have been unable to keep pace with the continuous appearance of new threats. With each advance in technology, new risks are exposed that could represent security exposures to the enterprise, both internally and externally. Newly developed applications may have exploitable flaws. Personal applications used by employees, like peer-to-peer file sharing applications (US-CERT 2007), may also expose enterprises to risks from inadvertent disclosure of sensitive business information over the Internet or risks of licensing or copyright violations. Employees may use removable media devices like laptops to introduce unwanted applications or to move sensitive data outside of corporate walls, with the risk of improper disclosure. Organizations with an immature approach to security are constantly playing catch-up by reacting to risks posed by evolving technologies. This will not defend successfully against a constant flood of threats and vulnerabilities.

There are a number of ways for an organization to plan for and defend against risks from security vulnerabilities. First, we discuss organizational security management. Next, we introduce and describe in some detail a maturity model for organizational security management, followed by an alternative balanced scorecard approach. Finally, we describe organizational readiness to implement and support security needs at the executive level.

Organizational Security

An acceptable level of security is one where the investment in security protection strategies is commensurate with the risk of exposure to the assets being protected. An organization must mobilize in a coordinated and collaborative way to achieve desired security goals (Figure 12.1). These security goals are reached by implementing, monitoring and controlling the security requirements of critical assets, managing risks to these assets and using effective processes to do so (Allen 2004). The organizational dependencies depicted in Figure 12.1 are expanded upon below:

Figure 12.1: Organizational Security and Confidentiality Management (diagram; boxes: Security Adoption Drivers; Security and Confidentiality Management; Management Controls and Activities)

Security Adoption Drivers
• Support by top management
• Strategic importance of ICT to the organization
• Budget availability
• Availability of knowledgeable technical support
• Awareness of security and confidentiality issues
• Priority level for security and confidentiality measures
• Government and legal compliance regulations
• Contractual obligations
• Awareness of internal and external security threats
• External pressure from partners
• Manager(s) with designated responsibility for information security

Security and Confidentiality Management
• Planning
• Organizational team approach
• Change management
• Development of management policies
• Assignment of responsibilities

Security and Confidentiality Management Controls and Activities
• Adoption of ethical code of conduct
• Promotion of ethical code of conduct among employees
• Adoption of uniform procedures for managing and controlling security
• Management and employee education and training
• Monitoring databases and communications for security abuse
• Adoption of measures to counter abuse of security and privacy
• Adoption of measures for physical management of data
• Adoption of measures for virtual management of data

Organizational Maturity

Models of organizational maturity in managing security may assist in evaluating organizational performance in combating security threats. The level of organizational maturity should correspond to the level of computer security required to meet security threats. The resulting benefits for stakeholders include:
• Providing information that can be useful in the pursuit of an enlightened public policy
• Detection and reporting of trends in existing and new forms of IDTF
• Guiding organizational efforts to combat cybercrime
• Determining what types of IDTF are having the greatest social and economic impacts
• Relating levels of prevention to their impact on identity theft and fraud

The terms ‘predictability,’ ‘control’ and ‘effectiveness’ may be used to define organizational maturity (Harmon 2004). Predictability refers to the use of schedules, milestones and goals that are met. Immature organizations often create schedules, but then may miss milestones or goals by wide margins, and they only achieve their outcomes as a result of the heroic efforts of individuals using approaches that they create more or less spontaneously (Harmon 2004). Mature organizations create schedules and consistently achieve them. Control refers to the consistency with which organizations meet their goals. Mature organizations meet their goals over and over again with very little deviation. Immature organizations are never that sure which goals will be met and have little idea how likely it is that a milestone will be achieved within some particular...
