User 'passive resistance' causes biggest security risk
Organisations should change their information security policies from being technology-based to being people based, as well-resourced online threats continue to gain the upper hand, delegates at ISSE 2009 were told this week.
Conventional security policies were proving most ineffective where “collective patterns of user behaviour were undermining security policy effectiveness”, von Roessing added. The situation has reached the point where “habits of passive resistance toward data security just cannot be dealt with by policing, prohibition, and coercion.”
“The element of control needed to operate traditional security paradigms is growing, and is not sustainable,” von Roessing asserted. “Security management is continually calling for more control, more limits, more resources.” This trend is placing ever-greater demands on the enterprise IT resources to enforce policies more stringently.
“The age of 'more for less' is at an end,” von Roessing predicted. “Hackers and cybercriminals now have a 'do more for more' mentality. They have more time, more skills, and are focused on a single aim.”
As a result of this, information security is “no longer essentially a technological issue”, he concluded.
Von Roessing's remarks prefaced the first public exposition of ISACA's Business Model for Information Security – BMIS – at the ISSE 2009 Conference in The Hague, Netherlands, this week. BMIS has been designed to address 'weaknesses' in existing models, the body claims. ISACA – the Information Systems Audit and Control Association – provides knowledge, certifications, and education on information systems assurance and security, enterprise governance of IT, and IT-related risk and compliance.
BMIS addresses information security from a management perspective, placing it primarily in the context of a functioning, profit-focused enterprise. Although designed to address perceived deficiencies in existing security models, BMIS is also intended to 'interface' with those models, along with common control frameworks and other international IT management standards, ISACA says.
The current BMIS proposals have been published for comment and feedback from the ICT sector – further details can be found at the weblinks below. ISACA's von Roessing said that the full version of the BMIS specification is scheduled for publication by February 2010.