Linux Advisory Watch – June 10, 2005

A Business Case for Security
By: Benjamin D. Thomas

Establishing a business case is perhaps the first phase in any project initiation.
Organizations that are successful maintain full justification for all business
expenditure. An information security project is no different. An effective information
security program requires visible support from executive management. To gain
support, a persuasive business case is often necessary. An information security
program will have numerous tangible and intangible benefits to any organization.
It is the role of a business case to document these.

To build a persuasive case for information security, it is important
for practitioners to “to become more managerial in outlook, speech, and
perspectives.” (Information Security Management Handbook 4th Edition,
Volume 2.) Stressing the technical benefits of information security
is no longer sufficient because of the size and expenditure of
information security programs. When making a case for information
security, an emphasis should be placed on how proactive security
mechanisms ensure that senior management will not be held liable
for negligence. As IT has become more prominent in organizations,
so have compliance and regulatory requirements. Today, senior
management personnel are expected to demonstrate due care and due
diligence in relation to information security. With this, information
security must become an essential aspect of management.

Addressing the overall benefits of information security is important as well.
A business case should stress how information security can become a business
enabler. It can be a company differentiator by offering increased levels of
customer satisfaction and contributing overall to total quality management.
Information security also provides a means to ensure against unauthorized behavior.
Often trusting that internal employees will “do the right thing” is not enough.
Information security related business cases should be written in a way that
emphasizes all benefits of information security.

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions – Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection
– To be honest, this was one of the best books that I’ve read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts – Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).

 

Take advantage of our Linux Security discussion
list! This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline.