Security Profession blog
Comment and discussion about the security industry of interest to the security professional. Blogs will be submitted by (ISC)2's management team and Advisory Board members.
Thursday 21 August 2008, 10:50 PM
Should a security professional have a legal background?
Your information management and data classification policy needs a revamp, with a Legal view, before you even consider defining the future technical information security strategy. A number of reference sites and firms provide this; see http://www.out-law.com/ for one. Many organizations follow simple rules and classify data sensitivity levels as "Confidential", "Internal Only" and "Public". But that is not enough when you consider the information protection requirements across the organization: a sensitivity label says how carefully data must be handled, not how long it must be kept, who may investigate it, or what must happen when it is demanded by a court or a regulator.

Assuming the current technical security model works, the next step is to bring in the Legal input. Establishing a joint initiative will bring credibility to you as an information security professional ((ISC)2 certification in hand, of course) and enable the first enhanced definitions of an information / data management policy.

My first suggestion is to start with the topic of employee investigations. Most organizations will have at least some employees! Whilst this topic is not for the faint hearted, you can approach it constructively with both the Legal and Human Resources departments, and it will go on to define approaches for other sensitive information, e.g. customer data. By approaching the issue under the premise of protecting employees from themselves, preventative controls can be discussed. But thereafter the topics of electronic discovery, computer forensics, archiving and regulatory information barriers may well be raised. I am not suggesting abandoning a "customer" centric business model; rather, enhancing your information security policy from the inside out will bring closer working relationships among your organisation's professionals, so that the other, thornier information management topics can be addressed. And at this point you may well be considering going back to school to brush up on Legal cases!
Alessandro Moretti, CISSP, Member of (ISC)2's European Advisory Board and Executive Director of IT security risk management at an investment bank
Comments on this post
I don't think it would hurt to have some legal training. I don't know if certification is the answer, but certainly some training in subjects specific to the IT environment makes sense.
Depending on the size and the likelihood of your company becoming a target of lawsuits, it might make more sense to keep some lawyers on retainer than bother training up internally.
Most of what passes for employee education can be accomplished by limiting access to files or information by using domain and local group policies and access controls. SQL servers can be set up to allow only certain queries to expose certain data to certain groups. If IT professionals need training, that is where to start. The legal training only reinforces the reasoning behind the security model details.
Systems that are not designed properly from the beginning, are not controlled or managed, or are not constantly updated probably cause more security breaches than any legal training could repair.
But this above posting sounds more like a sales pitch than reporting. Sounds like a bunch of lawyers or trainers looking for clients.
Doing a cold call by blog-posting?
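The comment above says a SQL server can be set up so that only certain queries expose certain data to certain groups. The following is an added example of that control, not code from the original post or any commenter. It is written as T-SQL for Microsoft SQL Server (assumed, since the comment talks about domain group policies); the table, view, role, user and Windows group names are hypothetical, the Windows group login is assumed to already exist on the instance, and the sensitivity classification statements require SQL Server 2019 or later.

```sql
-- Added example, not from the original post or comments. Assumes Microsoft SQL Server
-- (2019+ for the classification step); all object, role, user and group names are hypothetical.

-- 1. The base table mixes "Internal Only" directory data with "Confidential" payroll data.
CREATE TABLE dbo.Employee (
    EmployeeId   INT            NOT NULL PRIMARY KEY,
    DisplayName  NVARCHAR(100)  NOT NULL,
    Department   NVARCHAR(50)   NOT NULL,
    Salary       DECIMAL(12, 2) NOT NULL,
    HomeAddress  NVARCHAR(200)  NULL
);
GO

-- 2. Record the policy's sensitivity labels on the columns themselves, so the label from the
--    data classification policy travels with the data and is visible to audits.
ADD SENSITIVITY CLASSIFICATION TO dbo.Employee.Salary, dbo.Employee.HomeAddress
    WITH (LABEL = 'Confidential', INFORMATION_TYPE = 'Personal', RANK = HIGH);
ADD SENSITIVITY CLASSIFICATION TO dbo.Employee.DisplayName, dbo.Employee.Department
    WITH (LABEL = 'Internal Only', INFORMATION_TYPE = 'Name', RANK = LOW);
GO

-- 3. A view exposes only the "Internal Only" columns. Because the view and the table share
--    an owner (dbo), ownership chaining means a reader of the view is never checked against
--    the table, so the "Confidential" columns are simply not reachable through it.
CREATE VIEW dbo.EmployeeDirectory
AS
    SELECT EmployeeId, DisplayName, Department
    FROM dbo.Employee;
GO

-- 4. One database role per business group, mapped to a Windows domain group so membership
--    is managed in Active Directory rather than by editing grants by hand.
CREATE USER [CORP\staff-directory-readers] FOR LOGIN [CORP\staff-directory-readers];
CREATE ROLE directory_reader;
ALTER ROLE directory_reader ADD MEMBER [CORP\staff-directory-readers];

-- 5. Grant the narrow path and explicitly deny the wide one. DENY overrides any GRANT the
--    principal might pick up elsewhere, so a later "GRANT SELECT ON dbo.Employee TO public"
--    cannot silently re-expose the confidential columns to this role.
GRANT SELECT ON dbo.EmployeeDirectory TO directory_reader;
DENY  SELECT ON dbo.Employee         TO directory_reader;
GO

-- 6. Verify the control before signing it off. EXECUTE AS cannot impersonate a Windows
--    group, so use a loginless test user that holds the same role. The first query returns
--    rows; the second fails with error 229 (SELECT permission denied on object 'Employee').
CREATE USER directory_reader_test WITHOUT LOGIN;
ALTER ROLE directory_reader ADD MEMBER directory_reader_test;
GO
EXECUTE AS USER = 'directory_reader_test';
    SELECT EmployeeId, DisplayName, Department FROM dbo.EmployeeDirectory;
    SELECT Salary FROM dbo.Employee;   -- expected: permission denied
REVERT;
GO
```

The check in step 6 is the part most often skipped: a grant that looks right in a script is not evidence that the classification policy is enforced, and impersonating a member of the role is the cheapest way to produce that evidence for Legal or an auditor.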
And how would that all work if you had a serious landscape to protect, i.e. were not using MS products?
Landscape to me means terrain not computer systems so I'm sorry but your comment reads somewhat like noise. "Serious landscape", if it means computer systems, would as likely include MS products as well as Linux and other systems.
Lawyers and legal training do not secure computer systems. Lawyers are good for cleaning up the financial and policy mess afterwards and perhaps for helping people to understand what other lawyers have decided is law. They might even be useful training IT staff at least to know what legal requirements are related to data security. But good IT staff will attempt to maintain system security with or without the legal coursework.
Likewise security software doesn't do a damn bit of good if it isn't designed, installed or operated properly. I wouldn't trust an attorney to be able to configure security systems without training so why does legal training for IT personnel make sense? I would rather keep the IT staff focused on the systems and give them details for the privacy and security requirements so they can implement them in hardware and software.
The logical extension of security does not stop at the firewall.
Legal training in privacy and regulatory issues might be useful for the IT staff to at least become aware of what items in their possession need protection and the level of security required.
But after the training I wouldn't trust them to operate as part-time attorneys as I wouldn't expect attorneys to operate as part-time IT staff.
However, the assessment of what's needed for security will always devolve down to corporate management's decision. If the managers or business owners won't listen to reason until they get sued, having IT staff with some partial legal training is pointless. My guess is that the training CISSP certs require isn't cheap and will likely require corporate financial support in most cases. If the business owner isn't willing to pay for training, his staff will do without any unless they do it themselves on their own time. If the boss won't listen to reasonable security concerns, then it's time to move to a new job.
In system maintenance, the biggest difference between a secure system and an insecure system can be most often measured in the attitude of the system owner.
Mark Surguy of Pinsent Masons LLP, international Law Firm, comments:
Perhaps it is lawyers who need technical qualifications rather than the other way round? What is clear is that technological change is driving the convergence of professional skills and disciplines: lawyers feel exposed by their lack of IT knowledge and it would seem that the IT professionals are feeling exposed on their lack of legal knowledge. I think that what is required is collaboration between the disciplines. I do a lot of fraud investigation work and have found that the response to fraud is not the sole province of a law firm or forensic accountancy consultancy, but that both disciplines are needed to respond to the problem. The same is true in relation to information risk management. The risks associated with holding data - particularly sensitive personal data - are not always appreciated. The banking / financial sector and Government are most exposed because they store such large volumes. Security lapses are becoming an almost daily feature in the news. Who can forget Arthur Andersen? A world-class business which was arguably destroyed by the mishandling of its data retention policy...
Wwindowsjunkie suggests that law firms be kept on retainer. However I think more than that is required. The relationship of law firm and its client needs to be so close that the law firm understands the way data is handled within its client. After all, every legal case or external or internal investigation has to collect, organise, understand, evaluate and present the evidence. That evidence (whether exculpatory or inculpatory) will inevitably consist of ESI. The ability to access the ESI quickly and understand it quickly can be the difference between a good outcome and a bad one.
It's time for some change: professionals broadening their horizons, not to hijack an area for themselves but to learn respectfully from each other and turn the mutual understanding into real value.
Perhaps rather than go back to college, we should aim at collaboration and educate ourselves through talking and exchanging ideas and experiences.
Perhaps there should be a specialization for the legal profession that covers Information Technology, Security and Privacy like Patent Law or Business law. IT security firms already operating probably have attorneys working for them or with them. By retainer that's what I meant. It makes no sense to have a general practice or a criminal lawyer on retainer for IT concerns.
A security firm with law support should be able to come in and do a complete analysis of a network system or installation and make suggestions along with representation later in court if that's necessary. What I think is that a company has to be pro-active about their potential business and liability issues to both profit from and avoid penalties with an Internet related business. Most lawyers are "reactive" i.e. after the fact or incident occurs requiring their expertise. Most businesses are likewise. That is a major hurdle for management to overcome it seems in most situations.
A best practices approach to IT and network security is not always enough to prevent somebody from getting inside the network. The point I was making was that a lawyer wasn't going to prevent an intrusion. An IT department wasn't going to necessarily be able to file a lawsuit against an intruder. An intelligent combination of both was going to be necessary but business management is going to have to be the party with the intelligence enough to hire both.