©workingarts.com
2001-2008

An information security heads-up for HR professionals

In early November 2003, the Computer Security Institute hosted its 30th annual computer security conference and exhibition in Washington DC. Former FBI Director Louis Freeh (1993-2001) was one of the keynote speakers. His speech centered on computer ethics, the need for information security policies and the relationship between law and computer security.

Mr. Freeh reminded the conference attendees of the early 1990s, when the White House tried to control the use of encryption technologies in the US by requiring security vendors to make encryption keys available to the government, so that law enforcement agencies could tap into and decipher the encrypted communications of suspected criminals and terrorists. The whole encryption key escrow idea fell apart, mostly because foreign encryption product vendors would have taken over the US market while US data security vendors would no longer have been able to sell products overseas: why would foreign entities trust the US government with their encryption keys?

Mr. Freeh then told us about a disk that took his team almost six months of so-called “brute force attack” to decrypt: a Malaysian computer hard drive captured from a known terrorist (Youssef Mustafa Nada). The hard drive contained carefully prepared plans to blow up ten planes over the Pacific Ocean within a two-hour timeframe. Obviously, it would only have taken a few minutes to decrypt the drive had the government been legally enabled to access the encryption keys.

Laws that govern security technologies are many years behind the technology they aim to control, and the early 1990s attempts to legislate those technologies showed a profound ignorance of the technology itself, the status of the industry and the breadth of usage of such technologies. What can be controlled, however, is the teaching and enforcement of computer ethics, particularly where the use of corporate computing devices and corporate data is concerned, that is to say, data that does not belong to the individual employees who use or create it.

The next morning of the conference, Scott Hastings, Chief Information Officer of the newly created Bureau of Citizenship and Immigration Services, told us about the "US Visit" initiative, which will implement the use of biometrics, specifically digital index fingerprinting, for all passports used to enter the United States. Completion target date: October 2004! The technology requirements are complex and the costs are staggering, but the deadline remains less than eleven months away. Corporate security officers throughout the US will pay close attention to the government pilots and to the imminent ubiquity of biometrics at US ports of entry, and will eventually look at ways to implement similar technologies in the private sector.

The omnipresence of Internet use and access has transformed the use of information systems and, at the same time, has distributed the responsibility for data security throughout the enterprise and among the users of its information systems. Increasing numbers of companies are hiring information security teams to create, implement and monitor security policies, technologies and procedures for enterprise workers. More importantly, that responsibility is no longer solely an IT function; it is making its way into the HR department, where employee policies are usually formulated.

It is easily conceivable that HR professionals will soon have to demonstrate competence with concepts such as strong user authentication, authorization, access controls, non-repudiation, confidentiality, privacy or even digital forensics. In the not-so-distant future, human resources professionals may have to quantify HR decisions based on hard data or audit trails generated by employees' unauthorized engagement in banned practices, ranging from documented access to pornography over the organization’s Internet connection on company computers to the company-prohibited use of instant messengers.

The reason for those restrictions does not necessarily stem from concerns about data confidentiality or even from lofty ethical goals; in fact, requirements for information security and the auditing of information systems are more likely to come from legal departments eager to protect the organization from employee or shareholder lawsuits.

Frederic Martin has over 15 years of experience in the information security industry. He can be reached at fred@workingarts.com

Contact Information
Workingarts Marketing, Inc. • Telephone: 866-WRK-ARTS or 559-662-1119 • Fax 559-662-0865
Email: getitdone@workingarts.com
2801 Airport Drive, Suite 102 • Madera, CA 93637