Corporate Identity Protection Program

June 2007

A comprehensive and effective program will incorporate many of the controls previously discussed. Because most Corporate Identity Fraud is perpetrated directly against end-users, customers and partners, organizations might not have direct knowledge that an attack is taking place or has succeeded. The advantage currently lies with the criminals. However, a clearly defined, organization-wide program that understands the nature of the evolving threats can reduce residual risk.

While it is out of the scope of this document to provide a detailed tutorial on the creation of a custom Corporate Identity Protection Program, it is useful to look at a sample program and the rationale used for security control selection.

Protect

  1. Business units must identify assets, asset owners and asset custodians
  2. Asset owners must declare a relative asset value [Action: Asset owners define three basic valuation categories: high, medium and low. They are relative value ranges - Low=$100,000. Asset values are assigned and the authoritative database is updated with the values]
  3. Business units must clearly define roles and responsibilities of owners and custodians
  4. Business units must define, implement and formalize a comprehensive Identity Asset Protection Program.
    • Must be role based.
    • Must be auditable and repeatable.
    • Should include automation and management tools for managing asset portfolios.
  5. Business units should develop a metric to articulate the risk profile of an asset or group of assets relative to other assets being managed
  6. Assets must be secured based on standard/published criteria.

Detect

  1. Monitoring of all High-value assets must be performed
  2. Monitoring of Medium-value and Low-value assets must be considered and should be implemented based on a business risk analysis.
  3. Asset abuse alerts should be tracked centrally and communicated to owners and custodians based on business rules.
  4. There must be a way for associates, customers, partners and employees to report possible asset compromises or exposures.

Summary

As organizations move from the "bricks and mortar" way of doing business to the modern marketplace of bits and bytes, new intangible corporate assets are being created. These assets must be protected. Traditional protections are not appropriate or effective. Therefore, new techniques, technologies and protections are warranted.

It is unlikely that law enforcement, technology or identity asset stakeholders will be able to deal with this growing epidemic alone. It is equally unlikely that criminals will voluntarily stop taking advantage of the current security deficiencies. Therefore, it is imperative that organizations take proactive steps to identify and protect Corporate Identity Assets before an attack.

Bryan is a member of the Dayton Chapter of the ISSA. The Dayton Information Systems Security Association is a non-profit group dedicated to providing educational and networking opportunities to promote the exchange of ideas, knowledge, and members' growth within the information security profession. For information about ISSA, email Michele Melendez.
