Chief Security Officer's and Their Duties to Enforce Information Security

An ongoing debate has been raised as to whether computer and information technology should be the responsibility of the Chief Information Officer (CIO) or the Chief Security Officer (CSO). There is no argument as to the importance of information and computer security to any organization. Any leak of information or misuse of a computer can cost a company large amounts of money that could have been prevented. The largest responsibility for computer and network security should rest on the companies' CSO for computer security concerns.

The CSO's main goal in computer security is to protect the company and to provide safety to their data and reduce the risk of fraud through these systems (Fischer and Green 400). This is no difference if the data is written on a piece of paper or typed into a database. The information entered into every business's computers every day and the long term physical protection for the systems are no less important than someone physically entering a building and robbing them. It can actually be more damaging since they might not know a breech has occurred without a good computer security plan.

Ortmeier's definition of computer crime states that it is any type of crime that you use a computer to commit (186). This can be either going into a system and changing the data, stealing private data, inserting viruses or worms, pirating software, eavesdropping, or any unethical actions done over a computer (Fischer and Green 407-409). All of these can cause large risk to any business or organization.

Viruses have always been a main concern of any computer user. They can cost companies large amounts of money in loss of productive work time or could even cause them to have to buy new expensive computers to replace the infected systems if the virus can not be found and removed. They are easy to "catch" from just opening an unknown program or attached onto an email (Gokhan and Saleem 19). They are the oldest threat to computer security (19). Viruses can cause anything from just annoying or humorous screens that pop-up on the screen, to the computer to shutting on and off constantly, or can be as bad as deleting important programming information from the hard drive (Fischer and Green 408). Having scheduled and frequent anti-virus scans can limit the losses for destruction of information, work hours, administrative problems, and the constant threat of harm to the computer systems (Kelley and Moritz 29).

Newer than viruses, spyware and adware have become a major problem for businesses. Gordon states that spyware uses cookies in the browser to track down all of the information a person is transmitting over cookies through the World Wide Web (14). Companies that do a large percentage of their business over computer databases and online transactions can incur huge problems if the information is given to someone that can take advantage of it (14). Credit card numbers, addresses, social security numbers, telephone numbers, sales reports, and customer names are only a few things that a well made spyware program can access (14). Most spyware programs are downloaded when someone doesn't read the User's Agreements that come on downloads or memberships to certain web pages (17). Once again the CSO needs to make these facts available to employees so they can try and avoid them. The newest programs and updates that are available for anti-virus, spyware scanners, and firewalls should be installed (16).

Another duty of the CSO in computer security is monitoring the usage of the computers. It is vital to any company to know who is using their computer and what are they doing on those computers. Employee monitoring has become an acceptable practice in many of today's companies (Fischer and Green 418). By having employees aware of what is considered acceptable use by a company in an Acceptable Use Policy (AUP), employers can warn employees ahead of time if they have questions as to what they can or can not do on the email, phone, accessing company data, and instant messaging (419). Some employers restrict the use of any sites that are not appropriate for use during business hours with web monitoring and filtering software (419). If the employees can not access the pages in the beginning, it can not become a long term problem for the security team.

According to Todd Datz instant messaging has became a large computer security risk in the past several years (par. 1). Viruses that are sent through instant messaging programs can spread much faster than any standard email virus (par. 2). The spread of the instant information can also slide secret information that should not be shared (par. 4). Eighty five percent of business workers now have instant messengers installed and if they are used for the right reasons it can increase the productivity of the workers (par. 3). Rules should be made aware to all employees as to if the instant messaging should be made available in the office, what it's acceptable uses are, how to watch for warning signs of viruses, and how to protect themselves from an attack through the messenger (par. 6-14). Archiving all of instant messages should be mandatory to have a record of everything that is said just in case sensitive information is leaked or a virus is found (par. 13).

Fraud over the World Wide Web can also be costly to companies. If a customer believes that a company is not trustworthy they will not buy or recommend their product. The main problems associated with computer fraud are identity theft, phishing, and spam.

Identity theft causes large losses for companies and not just the person whose information was stolen. Fischer and Green state that two billion dollars were lost from stolen credit card numbers alone in 2002, that number was set to increase in the years since (407). Companies have to spend many hours trying to sort through transactions to try and help the victim, but they are losing many precious productive work hours along with the loss of the money from the transaction (410).

Phishing is a major threat for CSO's to constantly monitor. Other people may be posing as their company to try and trick someone into giving them personal information that they can use for identity theft ("ABC's of Phishing par.2). This can discredit and tarnish the reputation of the company if this fact has been released to the public once again causing huge losses. The main protection against phishing is to train employees on not sending out information to any suspicious or unknown email address, check regularly for other domain names close to theirs, monitor your business's web page accesses, as well as possibly hiring another company to help keep you safe (section 5 a-d).

Networking has also created new ways for companies to share and transmit information. Wireless connections to these networks allow for companies to keep their information connected, but without all of the wires (Gokhan and Saleem 23). They work by sending out radio frequencies to connect for data transfer (24). This allows any employee with a laptop to be able to work anywhere in the workspace without being tied down to one computer (24). With the advantages come the risks. The CSO needs make sure that only employees are able to access these networks and not any outsiders or hackers (24). The most effective form of preventing an unauthorized break in of wireless networks is to set encryption keys (24). Anyone without this information would not be able to access to network and hopefully keep the safest connection possible (24).

It would seem that the Chief Security Officer's main task for every job is to keep the company safe and to keep them from having unnecessary losses. The intellectual and computer security of the organizations are no less important than any other task that they should be concerned about. The main duties of the CSO in protecting the computer systems should be educating the employees on how to lessen security risks, monitoring computer usage, setting up a firewall, and frequent anti virus and spyware removal program. Running the computer systems should be saved for the CIO, but all safety issues should be resolved by the security teams.

Works Cited

Datz, Todd. "How 2 LUV IM!" CSOonline Magazine. April 2006. 18 April 2006.

Dragoon, Alice, Sarah Scalet and Bob Violino. "CSO Fundamentals: The ABCs of Phishing and Pharming". CSOonline Magazine. February 2006. 20 April 2006.

Fischer, Robert J., and Gion Green. "Introduction to Security." 7th Edition. Amsterdam: Elsevier, 2004.

Gokhan, Gereek and Naveed Saleem. "Securing Small Business Computer Networks: An Examination of Primary Security Threats and Their Solutions." Information Systems Security. 14(3). August 2005: 18-28 Wilson Select Plus. UMUC Online Library. 18 April 2006. .

Gordon, Sarah. "Fighting Spyware and Adware in the Enterprise." Information Systems Security. 14(3). July/August 2005: 14-17. Wilson Select Plus. UMUC Online Library. 17 April 2006. .

Kelley, Diane and Ron Moritz. "Best Practices for Building a Security Operations Center." Information Systems Security. 14(6). January 2006. 27-32. Wilson Select Plus. UMUC Online Library. 18 April 2006. .

Ortmeier, P.J., "Security Management: An Introduction". 2nd Edition. Upper Saddle River, NJ: Pearson Prentice Hall, 2005.