FRAMINGHAM (11/12/2003) - Bill Boni, CISO of Motorola Inc., answers readers' questions on information security.
Q: How do you integrate your privacy requirements into your security infrastructure?
A: We revised our information protection lifecycle documentation and classification frameworks to address data protection and privacy (DP/P) requirements for both new and legacy systems. Our approach is to focus on process and technology mechanisms that will prevent and detect risks to DP/P content through appropriate application of vulnerability detection, access controls and encryption tools.
Q: I'm building the security department for my organization. Do you have any preferences for who reports to whom?
A: There are two primary missions that must be accomplished -- policy creation and policy execution. Many organizations have split these functions, but I think that is often less effective than a hybrid that combines the entire security organization into one team. My personal preference is to have the protection team matrix between the corporate center and the business and operational roles. We operate with the business unit security manager's solid line reporting to the enterprise CISO and a dotted line to the business CIOs. This allows the security staff to be vertically aligned to the mission and priorities of their units while providing consistent attention to policy compliance. It also allows a critical mass of security staff to be managed as a job family -- providing career development, rotational assignments and a sense of belonging to a group of peers.
Q: Based on Sarbanes-Oxley, what are we legally obligated to do from an IT perspective? What kind of controls should we have to ensure compliance?
A: I'm always leery when anyone asks a nonlawyer for legal advice. (Let me be clear that my answer is not a substitute for advice from a knowledgeable attorney.) Since this is an example of an issue with multiple aspects to consider, it's probably good to approach it from a task-force perspective with representatives from legal, IT, information protection and audit. This team should have the requisite backgrounds to review the organization's business, and determine which systems manage the business operations and which manage the financial controls. Then look closely at the level of controls in those key systems from the perspective of reliance. Access controls, authorization, auditability and availability (disaster recovery) are all key elements that must be addressed to ensure that the systems will provide accurate and timely information for management's use.
Q: What are your thoughts on the pros and cons of intrusion prevention from a host and network perspective?
A: The Defense in Depth paradigm remains as desirable as ever. To the extent that solutions are available that improve the capability to protect by providing complementary protection at both the network and host levels, we'll have two chances to stop inbound attacks. Typically, network-based defenses tend to be more cost effective for large organizations with tens of thousands of hosts and applications to protect.
Q: With Wi-Fi and GSM users increasing greatly, is there much that you have seen to address or safeguard the devices and the intellectual property?
A: This is a key issue, as ubiquitous portable devices provide both remote access to proprietary contents and offline local storage of increasing volumes of such contents. We are familiar with several promising product solutions. One provides persistent protection to sensitive content, and another ensures devices comply with enterprise policies concerning passwords and content encryption and other key elements. To date, solutions have been expensive or limited to the platforms supported. I recommend any organizations with sensitive proprietary or regulated contents follow this area closely. The risks to key content will increase as portable and handheld devices equal the processing and storage capacity of recent laptops.