2: Operational Organizational Security in Software

Generator QR Code 2d barcode in Software 2: Operational Organizational Security

PART I Due care and due diligence are terms used in the legal and business community to address issues where one party s actions might have caused loss or injury to another s Basically, the law recognizes the responsibility of an individual or organization to act reasonably relative to another with diligence being the degree of care and caution exercised Reasonable precautions need to be taken that indicate that the organization is being responsible In terms of security, it is expected that organizations will take reasonable precautions to protect the information that it maintains on other individuals Should a person suffer a loss as a result of negligence on the part of an organization in terms of its security, a legal suit can be brought against the organization The standard applied reasonableness is extremely subjective and will often be determined by a jury The organization will need to show how it had taken reasonable precautions to protect the information, and despite these precautions, an unforeseen security event occurred that caused the injury to the other party Since this is so subjective, it is hard to describe what would be considered reasonable, but many sectors have security best practices for their industry, which provides a basis for organizations in that sector to start from If the organization decides not to follow any of the best practices accepted by the industry, it needs to be prepared to justify its reasons in court should an incident occur If the sector the organization is in has regulatory requirements, explanations on why the mandated security practices were not followed will be much more difficult (and possibly impossible) to justify Another element that can help establish due care from a security standpoint is developing and implementing the security policies discussed in this chapter As the policies outlined become more generally accepted, the level of diligence and care that an organization will be expected to maintain will increase

Due process is concerned with guaranteeing fundamental fairness, justice, and liberty in relation to an individual s legal rights In the United States, due process is concerned with the guarantee of an individual s rights as outlined by the Constitution and Bill of Rights Procedural due process is based on the concept of what is fair Also of interest is the recognition by courts of a series of rights that are not explicitly specified by the Constitution but that the courts have decided are implicit in the concepts embodied by the Constitution An example of this is an individual s right to privacy From an organization s point of view, due process may come into play during an administrative action that adversely affects an employee Before an employee is terminated, for example, were all of the employee s rights protected An actual example pertains to the rights of privacy regarding employees e-mail messages As the number of cases involving employers examining employee e-mails grows, case law is established and the courts eventually settle on what rights an employee can expect The best thing an employer can do if faced with this sort of situation is to work closely with HR staff to ensure that appropriate policies are followed and that those policies are in keeping with current laws and regulations

Separation of duties is a principle employed in many organizations to ensure that no single individual has the ability to conduct transactions alone This means that the level of trust in any one individual is lessened, and the ability for any individual to cause catastrophic damage to the organization is also lessened An example might be an organization in which one person has the ability to order equipment, but another individual makes the payment An individual who wants to make an unauthorized purchase for his own personal gain would have to convince another person to go along with the transaction Separating duties as a security tool is a good practice, but it is possible to go overboard and break up transactions into too many pieces or require too much oversight This results in inefficiency and can actually be less secure, since individuals may not scrutinize transactions as thoroughly because they know others will also be reviewing them The temptation is to hurry something along and assume that somebody else will examine or has examined it EXAM TIP Another aspect of the separation of duties principle is that it spreads responsibilities out over an organization so no single individual becomes the indispensable individual with all of the keys to the kingdom or unique knowledge about how to make everything work If enough tasks have been distributed, assigning a primary and a backup person for each task will ensure that the loss of any one individual will not have a disastrous impact on the organization