The exception mechanism does make the risks identifiable and traceable.
It forces one to think through the issue and allows others to look
at the risks.
Responding to Attacks
Appropriate communication is key to responding to a breach. Psychological
aspects of human and organizational behavior have always been part
of conventional security. In the information security field, there is a need
to understand their implications better, to avoid overreacting. Martial arts
in their various forms are based on the philosophy of self-defense. Most
people, when attacked, demonstrate an emotional reaction that is either
a paralyzing panic or else an undisciplined, blinding rage. Years of serious
training in martial arts are required to take out the emotional charge.
Quite often, IT departments assign too much authority to one person
playing a certain role, who could ultimately turn out to be compromised
or incompetent. He or she could shut down the entire system. Some
organizations have concepts of dual control, especially for supervisory
functions, where the password is split between two managers. Both halves
must be entered for the system to go into supervisor mode. This is
somewhat similar to checks that must be signed by two officers of the
company for amounts larger than some threshold amount.
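The dual-control scheme described above can be implemented so that neither manager's half is useful on its own. The following is an added illustration, not code from the book: the supervisor secret is split into two shares (secret = share A XOR share B), the system stores only a salted hash of the full secret, and supervisor mode opens only when both shares are presented together. The secret value, the salt length and the iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed example of dual control ("split knowledge") for supervisor mode.
# The full secret is never stored; only a salted PBKDF2 hash of it is kept.
# Each manager holds one share. Because share A is uniformly random and
# share B = secret XOR share A, a single share reveals nothing about the secret.

PBKDF2_ITERATIONS = 200_000  # assumed work factor for the example


def split_secret(secret: bytes) -> Tuple[bytes, bytes]:
    """Split `secret` into two shares that must both be present to recover it."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret by XORing the two shares."""
    if len(share_a) != len(share_b):
        raise ValueError("shares must have equal length")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


def enroll(secret: bytes) -> Dict[str, bytes]:
    """Record what the system keeps: a random salt and the hash of the secret."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "digest": digest}


def enter_supervisor_mode(record: Dict[str, bytes],
                          share_a: Optional[bytes],
                          share_b: Optional[bytes]) -> bool:
    """Grant supervisor mode only if both managers present a correct share.

    A missing share, a mismatched share, or one manager supplying the same
    share twice all reconstruct the wrong value and are denied. The hash
    comparison is constant-time to avoid leaking how close a guess was.
    """
    if share_a is None or share_b is None:
        return False
    candidate = combine_shares(share_a, share_b)
    digest = hashlib.pbkdf2_hmac("sha256", candidate, record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


if __name__ == "__main__":
    # Constructed supervisor secret; in practice it would be generated, not typed.
    supervisor_secret = b"supervisor-secret-0001"
    record = enroll(supervisor_secret)
    manager_a_share, manager_b_share = split_secret(supervisor_secret)
    print("both shares:", enter_supervisor_mode(record, manager_a_share, manager_b_share))
    print("one share:  ", enter_supervisor_mode(record, manager_a_share, None))
```

The design choice worth noting is that the system never needs the reconstructed secret to persist: it is combined in memory for the check and can be discarded immediately, so a compromised single manager (the failure the passage describes) cannot reach supervisor mode alone.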
Adherence
How does one get people to adhere to controls? People use something
when they are convinced of the need to follow the processes. This
conviction may be the result of a painful experience. Adherence is helped
by adequate displays of seriousness by management about such issues.
Repeated clear communications are essential. The problem sometimes lies
not with a reluctance to follow procedure, but with the difficulty of
interpreting what may be incomplete, impractical, or contradictory orders
or standards.
Contradictory Orders
Many organizations have disjointed or conflicting security
policies and procedures. This section looks at how
the U.S. Navy handles contradictory orders. Note the
information flows between the person issuing or
receiving the original order and the person issuing or