Answers

Barry E

IT Specialist / Knowledge Networker / Web 2.0 Consultant / 3-D Blogger

What are some InfoSec best practices in assisting our organizations to move into Web 2.0 applications (Second Life, Blogs, Wikis)?

Our agency and others are moving into the 'Web 2.0' world of community-based, interactive applications and networks. While these are certainly valuable to our mission of education, outreach and collaboration, the 2-way communication with our network poses serious Information Security questions. The purpose is to move into this new level of the web and related technologies, while maintaining the assurance of a secure network.

posted February 24, 2008 in Information Security | Closed

Answers (6)

Dejan S

Senior Manager at Deloitte & Touche LLP

Barry,

There are a number of frameworks, standards and best practices out there, each with focus in one particular area of information management and security. Before you decide which one to use, you need to look at your business information needs as a whole and define an over reaching process framework for managing information and related resources (people, data, applications and infrastructure). A good starting point for this is COBIT from the IT perspective and COSO from the business perspective.

By using these two frameworks you will be able to identify the areas that require specific focus due to their importance and criticality to the business. If you plan to develop these applications and support users who will be using it, you most definitely need to look at ITIL and related ISO 20000 standard for IT Service Management. To achieve better focus on the Information Security in particular, your organization should look at the ISO27000 series of standards around Information Security Management. And finally, to achieve focus on specific are of the Information Security you can use NIST publications that are very specific in terms of control over particular technology areas. I included some links below.

Don't forget, you may have specific regulatory requirements that may depend on the industry your business is in that you need to consider while working on this.

Links:

posted February 24, 2008

Claudio C

Security Consultant

To my knowledge there is not such a thing, for now, as a serious and dedicated work on Web 2.0 security itself.
If you just consider things from a "web application perspective", indeed there is nothing new at work here.
Sure, XSS and CSRF are far more important in a Web 2.0 environment, but every technology and methodology developed for web applications will apply to Web 2.0 as well.
So, what's different, from a security perspective? I'd say user interaction and perception.
Before Web 2.0 you had completely separated worlds: the intranet was the place for secret things and the internet the one for public things. If you start merging the two worlds, using the same tools here and there, it's difficult to tell "where" a given piece of information is secure and where it's not.
Privilege management and accountability are far more important in Web 2.0. Unfortunately, at the moment, I don't know of any framework capturing these new trends: you have to analyze your environment ad hoc.

posted February 24, 2008

Jose Maria R

VP Consultancy and Co-Founder at Solaiemes

Don't forget about privacy, especially if you are thinking of communities.

posted February 24, 2008

Ken R

Senior Systems Manager at AT&T - Midrange Operational Security and Compliance Team.

A number of terms used regularly come into play: separation of duties, and the rule of least privilege.

But what this comes down to is that people should only have access, and the type of access, to the resources that they have a business reason to access. Establishing roles, from site admin to general user, is essential to protect the data appropriately. This addresses privacy and basic security issues.

However, there is one thing that you must always build into your plans: patch, patch, patch. Too often data and systems are compromised because the systems, applications, and databases are never patched. Patching is one of the basic rules of security. Make sure that whatever you do, the necessity to patch within a reasonable time of a security patch release is a must. (Reasonable time is determined by risk to your environment.) But, as a rule of thumb, I would make sure that even the low-risk security patches are applied no less than quarterly.

posted February 24, 2008

Seshagiri Rao V

Senior Manager, IRM/ERM, GRC Practice at Wipro Consulting Services

Hi Barry,

I suggest adopting the best practices detailed in the OWASP Guide 2.0.1, a guide to building secure web applications and web services. This guide is mapped to COBIT, ISO 27001, etc.

You can download the same from http://www.owasp.org.

Regards
Sesh

posted February 25, 2008

Rick L

Chief Information Security Officer, Published Author & Advisor

As you know, Web 2.0 has really been out there for quite a long time. In the past, my direct experience was that our company's legal department had a laundry list of reasons why we should not embark on this capability. When our company associates are in charge of what they say and how they say it, it has the potential to become a liability for the organization. Think of legal representatives, doctors, salespeople, brokers, etc. There are many things that can be construed as an agreement or understanding that can make the organization they represent accountable.

My recommendations for this include:

1) Make sure that your legal team understands what the organization is about to do, and get their sign-off.

2) Make sure that your policies and requirements around what can and can't be said are clear and communicated, and that user awareness training has taken place.

3) Make sure that you have the appropriate level of monitoring occurring against these sites to ensure policies are being followed. Understand who needs to be contacted if a problem is identified.

4) Ensure that you are following the SEC requirements around monitoring and retention of communications if you are public, or if your investors require it for their financial security.

5) Determine how eDiscovery will be supported when enabling this adoption of new capabilities. This may include backing up content as it changes, but it is really based on the requirements from your legal group.

6) Determine the appropriate amount of due care once the process is in production. Work on identifying renewal of commitments, especially with acceptable use and confidentiality agreements.

Hope this may help.

posted February 27, 2008