ORANGE BOOK STANDARDS: SECURITY AFTER 9/11 MORE THAN TECHIE ISSUES
Filed Wednesday, August 2. 2006
Security issues are not just a techie thing. Security should be viewed as a high-level area of concern that spans systems, network infrastructures and facilities. Has your organization learned anything from the events of Sept. 11, 2001? Does your company fully understand risk management beyond computer security? Has your firm spent a lot of money on “hardening” your facility in the last five years? Do you think that money was well spent or wasted? These are all questions that had better have good answers when you review your organization’s readiness to respond to security breaches in technology and physical facilities, as well as to various forms of natural and man-made disasters.

Go and read some of the job openings for security and risk management people in various organizations. Just from the requirements they list, you can quickly determine how they view network and enterprise system security and how they value oversight in these areas. Some are looking too much for techies instead of senior-level executives.

I just spent a week in a CISSP course that covered several areas of security as part of a 10-domain curriculum. Physical security was among the topics covered, as well as network and system security, including disaster recovery and business continuity. While all of these areas have technical elements, you need someone who grasps the big picture if you want your organization to apply the right resources.

The range of options and price tags for software, hardware and other devices is staggering. Your company likely isn’t getting its money’s worth. When it comes to evaluating risk and determining how to mitigate it, there are guidelines to look at and use as a benchmark. The guidelines for security in computer systems are defined in a government publication called the Orange Book. Coincidentally, there is also another Orange Book, published in Great Britain, that focuses on risk assessment and risk management.
Both are worth reviewing.

DoD Orange Book Standard

It is said that many organizations still use the government’s Orange Book as a reference to classify computer security. In this U.S. Department of Defense standard (DoD publication 5200.28: “Department of Defense Trusted Computer System Evaluation Criteria”), there are four divisions of security into which systems are rated (see table below).

DEPARTMENT OF DEFENSE STANDARD: TRUSTED COMPUTER SYSTEM EVALUATION CRITERIA

| Division of systems | Sub-category | Description |
|---|---|---|
| D – Minimal protection | (none) | Division D: Those systems that have been evaluated but that fail to meet the requirements for a higher evaluation class. |
| C – Discretionary protection | C1 – Discretionary security protection; C2 – Controlled access protection | Division C: Applies to TCBs (Trusted Computer Bases) with optional object protection (files, directories, devices, etc.). Provides for discretionary (need-to-know) protection. |
| B – Mandatory protection | B1 – Labelled security protection; B2 – Structured protection; B3 – Security domains | Division B: Specifies that TCB protection should be mandatory, not discretionary. Must provide evidence to demonstrate that the reference monitor concept has been implemented. |
| A – Verified protection | A1 – Verified protection; A2 – Not yet formally defined | Division A: Highest security division. Extensive documentation is required to demonstrate that the TCB meets the security requirements in all aspects of design, development and implementation. |

These divisions provide a graduated level of confidence in the overall security of classified and sensitive information. An interesting fact is that this standard is dated Dec. 1985, superseding an earlier standard established in 1983. You would think some additional criteria and/or categories would have been added to it by now.
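The difference between the Division C and Division B rows of the table is easier to see in code than in the standard’s prose. The following is an added example, not code from the article or from the TCSEC standard: a toy reference monitor that mediates every access request, enforcing only a discretionary (need-to-know) ACL check in “Division C” mode and requiring both the ACL check and a mandatory label check in “Division B” mode. The mandatory rules used are the Bell-LaPadula “no read up” and “no write down” properties, which is the model TCSEC mandatory protection is based on; the label lattice, subjects, objects and ACL entries are constructed for illustration.

```python
# Added example, not code from the article or from the TCSEC standard:
# a toy reference monitor contrasting Division C (discretionary, need-to-know)
# and Division B (mandatory, labelled) protection. The label lattice,
# subjects, objects and ACLs below are constructed for illustration. The
# mandatory rules are the Bell-LaPadula "no read up" / "no write down"
# properties on which TCSEC mandatory protection is based.
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a hierarchical level plus a set of compartments."""
    level: Level
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level is >= B's and A holds every compartment of B.
        return self.level >= other.level and other.compartments <= self.compartments


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Obj:
    name: str
    label: Label
    acl: dict  # discretionary part: subject name -> set of permitted operations


def discretionary_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Division C style check: the object's own ACL decides (need-to-know)."""
    return op in obj.acl.get(subject.name, set())


def mandatory_allows(subject: Subject, obj: Obj, op: str) -> bool:
    """Division B style check: labels decide, regardless of what the ACL says."""
    if op == "read":   # no read up: the clearance must dominate the object label
        return subject.clearance.dominates(obj.label)
    if op == "write":  # no write down: the object label must dominate the clearance
        return obj.label.dominates(subject.clearance)
    return False


def mediate(subject: Subject, obj: Obj, op: str, division: str) -> bool:
    """Reference monitor: every access passes through here and is decided once.
    Division "C" enforces only the discretionary check; Division "B" requires
    both the discretionary and the mandatory check to pass."""
    if division == "C":
        return discretionary_allows(subject, obj, op)
    if division == "B":
        return discretionary_allows(subject, obj, op) and mandatory_allows(subject, obj, op)
    raise ValueError(f"unknown division {division!r}")


# Constructed sample data (hypothetical names and labels)
HR = frozenset({"HR"})
ALICE = Subject("alice", Label(Level.SECRET, HR))
BOB = Subject("bob", Label(Level.CONFIDENTIAL))
CAROL = Subject("carol", Label(Level.TOP_SECRET, HR))
# The payroll owner has granted bob read access on the ACL even though bob is
# not cleared for SECRET/HR material; a discretionary-only system honours that.
PAYROLL = Obj("payroll", Label(Level.SECRET, HR), {"alice": {"read", "write"}, "bob": {"read"}})
NOTICE = Obj("notice", Label(Level.UNCLASSIFIED), {"alice": {"read", "write"}, "bob": {"read", "write"}})


def decisions() -> dict:
    """Run the same requests under both divisions so the difference is visible."""
    requests = [(BOB, PAYROLL, "read"), (ALICE, PAYROLL, "read"),
                (ALICE, NOTICE, "write"), (CAROL, PAYROLL, "read")]
    return {(s.name, o.name, op, d): mediate(s, o, op, d)
            for s, o, op in requests for d in ("C", "B")}


if __name__ == "__main__":
    for key, allowed in decisions().items():
        print(key, "ALLOW" if allowed else "DENY")
```

Two results carry the point of the table. Bob’s read of the SECRET payroll object is allowed in Division C mode because the owner put him on the ACL, and denied in Division B mode because his clearance does not dominate the label: the owner’s discretion cannot override the mandatory policy. Alice’s write to the UNCLASSIFIED notice is likewise allowed under C and denied under B, since writing SECRET-cleared material into an UNCLASSIFIED object would be a write down. Carol is cleared for everything and is still denied, because Division B keeps the need-to-know check on top of the mandatory one.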
Another Orange Book: The Queen’s

In doing some research, I found there is another Orange Book out there, focused on the “Management of Risk: Principles and Concepts,” which is published by Her Majesty’s Treasury. This book was published in 2004 and is a much better read than the DoD’s Orange Book. It provides a risk management model as well as chapters on identifying risks, assessing risks, the risk environment and context, and other chapters focusing on risk management. Within the Orange Book published by Her Majesty’s Treasury, they define three important principles for assessing risk:
I believe it’s a much better read because it was written after Sept. 11, 2001; it focuses on a more strategic view rather than a techie view; and it has more pictures (models, charts and visualization aids) to help clarify the concepts. Don’t laugh about the pictures comment. You can really visualize the concepts presented in this risk book much faster than by just reading the dry text in the DoD book.

Using All Resources to Resolve Risks

The lesson to be learned here is to go beyond what you normally reach for when trying to solve a problem or gather information. While the DoD Orange Book for computer security is of value, several references to it claimed that it was obsolete. Should there be an update to the DoD’s Orange Book? With so many changes in technology, the additional threats that were never thought about 20 years ago and all the changes in global dynamics, there should be a newer version of the Orange Book for computer system security.

In doing research on the DoD Orange Book, I believe that coming across the Orange Book of risk management by accident was a real bonus. Getting a different perspective from someone else is of value. With the emphasis on disaster recovery and business continuity from a compliance standpoint in the Sarbanes-Oxley Act, organizations should reevaluate their programs and their views on where to put security and risk management within their organization. It is well beyond a techie issue.

Carlinism: There are no experts in this industry. The best you can do is to be a good student who is always learning.
Last modified on 2009-01-06 18:47