Will Advanced Technology Block a Hacker? Probably Not.
This essay is adapted from Edward’s book, Public Service Information Technology.
It is easy to imagine that all an organization needs to protect its information is to install a firewall device, implement data encryption, or update a software program with the latest security patch. While installing a technical fix certainly plugs up a security hole, the source of a security issue may not be specific to technology. What is harder to imagine and more difficult to implement are the policies, plans, and procedures that an organization must establish and maintain to ensure that computer users know their roles, responsibilities, and limitations in their use of an information system. Weaknesses often found in information security tend to be non-technological in nature. In other words, a security weakness can be a missing policy or an inadequate operational plan.
A successful information security program requires three categories of security controls. Managerial controls, operational controls, and technical controls work in combination to protect and safeguard an information system. The three categories form a logical structure in which each one informs the others.
To begin, senior leaders develop and oversee a set of rule-based policies, the managerial controls. Such controls set boundaries on how computer users will engage with the system. A critical managerial control is a rules of behavior policy that stipulates what a computer user can and cannot do in a system. Approved policies are then put into operation.
Managers execute the managerial controls through several plans and procedures. These operational controls not only provide the steps for operating computer equipment, securing a facility, and safeguarding information against a potential threat; they also establish the mechanisms that ensure the technical controls are working as expected and within the boundaries set by the managerial controls. A critical operational control is a user account management plan that describes how a computer user account will be activated and inactivated, from registration to termination, and the justifications for suspending and closing a user account in any event that warrants account suspension. User account management essentially describes the requirements for providing a user account to a person, and by design it can minimize, if not prevent, the proliferation of illegitimate (fake) user accounts.
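The account management plan described above is an operational control, but its rules only hold if the technical control that provisions accounts refuses to step outside them. The following is an added example, not code from the essay or from the book it is adapted from: it encodes an assumed plan (registration, activation, suspension, termination, with a recorded justification and approver required for every suspension or closure, and no self-service status changes) as a small state machine with an audit trail. The states, transition rules, sponsor requirement and record fields are all assumptions chosen for illustration.

```python
"""Account lifecycle enforcement: an operational control encoded in code.

Added example (not from the essay). The lifecycle states, permitted
transitions and audit fields below are assumptions standing in for a
real user account management plan.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed plan: which state changes are permitted. "terminated" is final.
TRANSITIONS = {
    "registered": {"active", "terminated"},
    "active": {"suspended", "terminated"},
    "suspended": {"active", "terminated"},
    "terminated": set(),
}

# Assumed plan: suspension and closure must carry a written justification.
NEEDS_JUSTIFICATION = {"suspended", "terminated"}


class PolicyViolation(Exception):
    """Raised when a requested change falls outside the plan's rules."""


@dataclass
class Account:
    username: str
    sponsor: str                 # person who vouched for the account holder
    state: str = "registered"
    history: list = field(default_factory=list)   # audit trail of changes


def check(acct, new_state, actor, justification=None):
    """Return None if the change is permitted, else a reason it is not."""
    if new_state not in TRANSITIONS:
        return f"unknown state {new_state!r}"
    if new_state not in TRANSITIONS[acct.state]:
        return f"{acct.state} -> {new_state} is not permitted"
    if actor == acct.username:
        return "account holders may not change their own status"
    if new_state in NEEDS_JUSTIFICATION and not justification:
        return f"{new_state} requires a recorded justification"
    return None


def transition(acct, new_state, actor, justification=None):
    """Apply a permitted change and record who did it and why."""
    reason = check(acct, new_state, actor, justification)
    if reason is not None:
        raise PolicyViolation(f"{acct.username}: {reason}")
    acct.history.append({
        "when": datetime.now(timezone.utc).isoformat(),
        "from": acct.state, "to": new_state,
        "actor": actor, "justification": justification,
    })
    acct.state = new_state
    return acct.state


def provision(username, sponsor):
    """Registration step: every new account must name a sponsor (assumed rule)."""
    if not sponsor:
        raise PolicyViolation("an account cannot be created without a sponsor")
    return Account(username=username, sponsor=sponsor)


def audit(records):
    """Evaluation step: flag suspension/closure records that lack a
    justification, e.g. in history imported from a system that did not
    enforce the plan. Returns a list of (username, state) findings."""
    return [(r["username"], r["to"]) for r in records
            if r["to"] in NEEDS_JUSTIFICATION and not r.get("justification")]


def demo():
    """Walk one constructed account through the plan; returns the account."""
    acct = provision("jdoe", sponsor="manager.smith")
    transition(acct, "active", actor="helpdesk")
    transition(acct, "suspended", actor="helpdesk",
               justification="shared credentials reported (constructed example)")
    transition(acct, "terminated", actor="hr", justification="separation")
    return acct


if __name__ == "__main__":
    a = demo()
    print(a.state, len(a.history), check(a, "active", "helpdesk"))
```

The point of `check` being separate from `transition` is that the same rule set can be evaluated during periodic monitoring: `audit` reads records produced elsewhere and reports where the plan was bypassed, which is exactly the feedback from technical to operational control the essay describes.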
The developed operational plans instruct what types of technology need to be purchased and used. A number of technical controls can be selected and configured based on the requirements in the plans and the rules in the policies. A particular technology that could be used to create a wireless computer network or to scan a person’s face may be deemed too risky to implement in a given operating environment. An operational control may call for additional computer programming in a software program or a physical token that generates a random six-digit code, for example. Technical controls may be a combination of hardware, software, and networking or specific to one type of technology. Information Technology (IT) specialists review all available technologies to examine which ones can and will provide protection in accordance with established policies and plans.
Once implemented, technical controls must be monitored. An operational control would describe regular monitoring and evaluation of implemented technologies. When an event leads to system failure or stolen data, IT specialists will investigate what happened. A fault could have occurred in the hardware. An inadequate method of validating data entry could have been exploited to submit harmful computer code. Whatever the problem is, the developer of the technical control must fix the problem and release an updated version.
Periodic monitoring can reveal gaps and weaknesses in the plans and policies. An investigation could find that the cause of a security breach was the sharing of a user account with an unauthorized person. In this case, a managerial control must be reviewed and amended. Another investigation could find that a computer user had bypassed established protocols to gain access. This would not only lead to correcting a technical control but would also necessitate a review of an operational control to identify where a person could have deviated from a step in the process. The operational control in this case must be revised. A problem can occur not only in computer equipment but also in an operating plan or in an organizational policy.
A technical security control can be installed, but without a corresponding managerial security control and an operational security control that provide guidance and enforcement, a computer user can find a way around the deployed technical control or could neutralize it. A technical control alone is not enough to block a user. Inadequate or missing controls at the management and operating levels can allow an employee to make a mistake or enable a rogue person to exploit a vulnerability. The additional managerial and operational controls resolve human-related issues that technical controls may neither be equipped to handle nor be capable of eliminating with any kind of computer engineering. Moreover, well-drafted managerial and operational controls explain the rationale for why a security control is needed in the first place, a critical part of information security that allows computer users to accept a new technical control.
Further advances in technology may not prevent a security breach. A combination of technological and non-technological controls can. Non-technological approaches and methods that deal with organizational behavior may accomplish a security objective with equal effect.