Organisations should not build their strategy around stopping the NSA or GCHQ monitoring: this is a very negative, reactive and ultimately pointless exercise, writes Adrian Davis.
At the Information Security Forum (ISF), we state that an organisation’s information security strategy should support the business strategy and allow the organisation to conduct and grow its business in a secure and robust manner, by protecting the organisation’s assets – including information – against a range of threats.
An important part of the strategy should be to create and implement processes to manage contractors; control access rights and stop accrual of such rights by employees and contractors; and to monitor and review critical system activity on a regular basis. These were some of the flaws that allowed the leaks to occur.
The revelations that certain technologies – especially encryption – have back doors should come as no surprise: the majority of software available today has flaws, Easter eggs and so on. The key here is determine whether the backdoors pose an exploitable vulnerability, and if the organisation has deployed or can deploy measures to mitigate the vulnerability. This, of course, brings us to risk assessment – which should be used to inform the choice about which software to use, decide whether to use open source software or choose another control to apply.
Remember that open source may not be a panacea: these products may not be mature or robust enough for enterprise use, nor may their development exclude flaws and errors in implementing complex algorithms.
Read more responses to Edward Snowden's state surveillance revelations
- Security Think Tank: Snowden proves technology is only part of security
It is likely that customers or organisations will apply encryption to more and more data.
The wider application of encryption actually means that key management becomes more critical, more difficult to perform and access has to be well controlled – after all, if you can get the keys, it does not matter what is or is not encrypted.
Adrian Davis is principal research analyst at in Information Security Forum (ISF)