As in any fast-growing industry, changes are to be expected. The types of
potential threats to network security are always evolving. If the security of
the network is compromised, there could be serious consequences, such as loss
of privacy, theft of information, and even legal liability.
Legal Issues and Privacy Concerns
For many businesses today, one of the
biggest reasons to create and follow a security policy is compliance with the
law. Any business is potentially liable should a hacker or a virus take down
the operation. Similarly, if a business is running a publicly held e-business
and a catastrophic attack seriously impairs the business, a lawsuit is
possible.
Legal liability in such cases is likely to depend on what prevention
technologies and practices are available and on whether these technologies and
practices are reasonably cost-effective to implement. As a result, showing due
diligence will mean everything from implementing technologies such as
firewalls, intrusion-detection tools, content filters, traffic analyzers, and
virtual private networks to having best practices for continuous risk
assessment and vulnerability testing. Of course, litigation is not the only
legal consideration that e-businesses are facing today. Lawmakers' concern over
the lack of Internet security, particularly where it hampers the right to
privacy, is growing.
The European Union's Data Protection Directive (95/46/EC), adopted in 1995 and
in force across the member states since October 1998, gives consumers strong
control over their personal data. Many countries outside the United States have
adopted equivalent privacy principles. In the United States, over 1000
privacy-related bills were introduced in state legislatures in 1999 and 2000,
and numerous bills are currently pending.
In the United States, education, financial services, government, and healthcare
are currently scrambling to meet federally mandated guidelines for network
security and privacy. In financial services, there is the Gramm-Leach-Bliley
(GLB) Act, which was passed in 1999. The GLB Act repealed long-standing
restrictions, dating from the Glass-Steagall Act of 1933, that prohibited banks,
insurance companies, and securities firms from merging and sharing information
with one another. The idea was that smaller firms would then be able to pursue
acquisitions and/or alliances that would help drive competition against many of
the larger financial institutions. Included in that law were several consumer
privacy protections. Namely, companies must tell their customers what sorts of
data they plan to share and with whom, and then give customers a chance to opt
out of that data sharing with nonaffiliated third parties. The law required
banks to send those notices to customers by July 1, 2001.
The US Government is contending with the Government Information Security Reform
Act (GISRA), which was passed in October 2000 and directs federal agencies to
strengthen security planning for their computer systems. (GISRA was superseded
by the Federal Information Security Management Act, FISMA, in December 2002.)
Representatives from the General Accounting Office (GAO) and other
organizations recently told Congress that, despite this legislation, federal
agencies are still falling short of dealing with key security issues.
On the healthcare side, the Health Insurance Portability
and Accountability Act of 1996 (HIPAA) requires the US Department of Health and
Human Services to develop a set of national standards for healthcare
transactions and provide assurance that the electronic transfer of confidential
patient information will be as safe as or safer than paper-based patient
records. Compliance with HIPAA is estimated to cost the healthcare industry $4
billion.
Finally, many educational institutions and libraries in the US must comply with
the Children's Internet Protection Act (CIPA) if they wish to receive certain
federal funding, notably E-rate discounts for Internet access.
Wireless Access
The increasing use of wireless local area network (LAN) connections and the
rapid rise of Internet access from cell phones in Europe and Asia are requiring
entirely new approaches to security. Radio (RF) connections do not respect the
network perimeter the way wired connections do: a wireless client can attach to
the LAN, and an attacker within radio range can reach it, without ever passing
through the firewall. Moreover, the slow processors, small screens, and
nonexistent keyboards on cell phones and personal digital assistants (PDAs)
break many of the standard approaches to access, authentication, and
authorization.
The Need for Speed
The number of broadband connections to the Internet from homes is exceeding
projections. Many businesses are finding that multiple T1 or E1 connections to
the Internet are no longer sufficient. Current software-based security
approaches have problems scaling to OC-1 (51.84 Mbps) and higher rates.
IT Staffing Shortages
The IT staffing shortage is
especially evident in the security field. To solve this problem, many
enterprises are increasingly outsourcing day-to-day security management tasks.
The application service provider (ASP) business model will become increasingly
common in the security world. Therefore, security solutions will need to be
more manageable in this outsourced model. Clearly, there is a demand for
skilled network security professionals.
ISO/IEC 17799
ISO/IEC 17799, Information technology – Code of
practice for information security management, is an information security
standard that is published by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 17799 is intended to be a common basis and practical guideline for
developing organizational security standards and effective security management
practices.
ISO/IEC 17799 was originally published in 2000 and was revised and republished
in 2005; the 2005 edition was later renumbered ISO/IEC 27002. The 2005 revision
of ISO/IEC 17799 is made up of the following eleven sections:
- Security policy
- Organization of information security
- Asset management
- Human resources security
- Physical and environmental security
- Communications and operations management
- Access control
- Information systems acquisition, development and maintenance
- Information security incident management
- Business continuity management
- Compliance