
End-User Computing Security Guidelines - IT Today

86-10-10 End-User Computing Security Guidelines
Ron Hale

Payoff

Providing effective security in an end-user computing environment is a challenge. First, what is meant by security must be defined, and then the services that are required to meet management's expectations concerning security must be established. This article examines security within the context of an architecture based on quality.

Problems Addressed

This article examines security within the context of an architecture based on quality. To achieve quality, the elements of continuity, confidentiality, and integrity need to be provided. Confidentiality as it relates to quality can be defined as access control. It includes an authorization process, authentication of users, a management capability, and auditability. This last element, auditability, extends beyond a traditional definition of the term to encompass the ability of management to detect unusual or unauthorized circumstances and actions and to trace events in an historical fashion. Integrity, another element of quality, involves the usual components of validity and accuracy but also includes individual accountability.




All information system security implementations need to achieve these components of quality in some fashion. In distributed and end-user computing environments, however, they may be difficult to achieve.

Current Security Environment

As end-user computing systems have advanced, many of the security and management issues have been addressed. A central administration capability and an effective level of access authorization and authentication generally exist for current systems that are connected to networks. In prior architectures, the network was only a transport mechanism. In many of the systems that are being designed and implemented today, however, the network is the system and provides many of the security services that had been available on the mainframe. For example, many workstations now provide power-on passwords; storage capacity has expanded sufficiently so that workers are not required to maintain diskette files; and control over access to system functions and to data is protected not only through physical means but also through logical security, encryption, and

Approaches to Information Protection

Although tools are becoming available (e.g., from hardware providers, security product developers, and network vendors) that can be used to solve many of the confidentiality and integrity problems common in end-user computing, the approach to implementing security is often not as straightforward as is common in centralized processing environments.

The goals of worker empowerment, increased functionality and utility, and the ability of end-users to control their environment must be guarded. In many organizations, end-users have the political strength and independence to resist security efforts that are seen as restrictive or costly. In addition, networks, remote access, distributed data servers, Internet tools, and the other components that have become part of the end-user environment have made security a difficult task. To address the complexity of end-user computing, an architectural approach is required. A security architecture is a way of designing and implementing security solutions so that control points are identified, the effectiveness of controls is ensured, and monitoring and reporting capabilities are provided. It also helps to ensure that an organization's security strategy and technical strategy are mutually supportive. The components of an information protection architecture include management, confidentiality and integrity controls, and continuity.

Management Structure

Perhaps the best and most expedient means of bringing security to the end-user platform is to develop an effective management structure.

Security Management

Because end-user computing is highly distributed, and because local personnel and managers are responsible for controlling the business environment where end-user solutions are implemented, it is appropriate that security and control responsibilities are also distributed.

Centralized administration and management of security in a highly decentralized environment cannot work without a great deal of effort and a large staff. When authority for managing security is distributed within the organization, management can expect a higher degree of voluntary compliance, in particular where adherence to security policies and procedures is included in personnel evaluation criteria. If distributed security responsibility is properly implemented, ensuring that the goals of the security program are consistent with the requirements and goals of the business unit is more likely to be achieved. Distributing security responsibilities may mean that traditional information protection roles need to be redefined. In many centralized security organizations, security specialists are responsible for implementing and managing access control. In a distributed end-user environment, this is not practical. There are too many systems and users for the security organization to manage access control. Even with the availability of network and other security tools, it may not be appropriate for security personnel to be responsible for access administration.

In many distributed environments where advanced networks have been implemented, access controls may best be managed by network administrators. In a similar manner, server security, UNIX security, and any other system security may best be managed by personnel responsible for that technology. In many technologies that are used in distributed and end-user computing environments, no special classes of administration are defined for security. Administrators have access to root or operate at the operating system level with all rights and privileges. In such cases, it is not appropriate for security personnel to take an active role in managing access security. Their role should be more consultative in nature. They could also be involved with monitoring and risk management planning, which are potentially more beneficial to the organization and more in line with security management.

Security Management Committee

Because security in end-user computing environments is distributed, greater acceptance of security policies and procedures can be expected if the organization as a whole is involved with defining the security environment.

To achieve this, a security management committee can be created that represents some of the largest or most influential information technology users and technology groups. This committee, which reports to the security manager, should be responsible for recommending the security policy and for developing the procedures and standards that will be in force throughout the organization. Representation on the committee by the internal audit department is often beneficial, and their support and insight can be important in developing an effective security management structure. However, consideration must be given to the control responsibilities of audit and the need to separate their responsibility for monitoring compliance with controls and for developing controls as part of the security committee. In some enterprises, this is not a major issue because internal audit takes a more consultative position. If maintaining the independence of audit is important, then audit can participate as an advisor.

Executive Support

The internal audit department traditionally had an advantage over the security organization because of its reporting relationship.

Internal auditors in most organizations report to senior executives, which enables them to discuss significant control concerns and to get management acceptance of actions that need to be taken to resolve issues. Security has traditionally reported to IS management and has not had the executive exposure unless there has been a security compromise or other incident. In a distributed environment, it may be beneficial to have the security department and the security management committee report to a senior executive who will be a champion and who has sufficient authority within the enterprise to promote information protection as an important and necessary part of managing the business. Such a reporting relationship will also remove security from the purely technical environment of information systems and place it in a more business-focused and strategic context.

Security Strategy

The ability to communicate security strategy and requirements is essential in an end-user computing environment. This communication generally takes the form of enterprisewide policy statements and is supported by procedures, standards, and guidelines that can be targeted to specific business functions, technology platforms, or information classes.

Information Protection Policy Statement

An information protection policy statement should define management expectations for information protection, the responsibilities of individuals and groups for protecting information, and the organizational structure that will assist management in implementing protection approaches that are consistent with the business strategy.

Because the statement will be widely distributed and is meant to clearly communicate management's and users' responsibilities, it should not take the form of a legal document. The effectiveness of the information protection policy depends in large part on its effective communication.

Classification of Information

To protect information, users and managers need to have a consistent definition of what information is important and what protective measures are appropriate. In any organization, local management will be inclined to feel that their information is more sensitive and critical than other information within the organization. From an organizational standpoint, this may not be the case. To ensure that the organization protects only to the appropriate level the information that has the highest value or is the most sensitive, a classification method must be established. In the mainframe environment, all information was protected essentially to the same level by default. In a distributed and end-user computing environment, such levels of protection are not practical and represent a significant cost in terms of organizational efficiency.

The information protection policy should clearly identify the criteria that should be used in classification, the labels that are to be used to communicate classification decisions, and the nature of controls that are appropriate for each class of information.

Classifying information is a difficult task. There is a tendency to view variations in the nature of information or in its use as separate information classes. However, the fewer the classes of information that an enterprise defines, the easier it is to classify the information and to understand what needs to be done to protect it. In many organizations, information is classified only according to its sensitivity and criticality. Classes of sensitivity can be highly sensitive, sensitive, proprietary, and public. Classes of criticality can be defined in terms of the period within which information needs to be made available following a business interruption.

Monitoring and Control

A method of monitoring the control system and correcting disruptive variances must be established.

Such monitoring can include traditional audit and system reports, but because the system is distributed and addresses all information, total reliance on traditional approaches may not be adequate. In an end-user computing environment, relying on business management to call security personnel when they need help is unrealistic. Security needs to be proactive. By periodically meeting with business managers or their representatives and discussing their security issues and concerns, security personnel can determine the difficulties that are being experienced and can detect changes in risk due to new technology, the application of technology, or business processes. By increasing dialogue and promoting the awareness that security wants to improve performance, not to block progress, these meetings can help ensure that business management will seek security assistance when a problem arises.

Standards, Procedures, and Guidelines

The other elements of effective management, standards, procedures, and guidelines, define in terms of technology and business processes precisely how controls are to be implemented.

