IT SECURITY PROGRAM MANAGEMENT
HOW TO ADD VALUE AND GIVE PURPOSE TO YOUR INFORMATION SECURITY PROGRAM
(Suarez, K. 2007)
DANIEL C GOEBEL, CISSP, ITIL, ISO27001 - GOEBEL ASSOCIATES KENNETH SUAREZ, CISSP - SUAREZ CONSULTING INC. JAMES AUSTIN, CISSP, PMP, - ENLIGHTENED INC.
Executive Overview
What is the best way to look at how to secure your Information? There is not an easy answer. Certainly information does not remain static, and neither should your Security Program. The concept of Life Cycle management is not new. Cycles occur in nature all the time. The ability to mimic nature is very flattering, but to be able to direct it is an altogether different matter.
We present a view on how an Information Security Program can be implemented. We see that there are some basic patterns that repeat themselves over and over. We see that there is a central viewpoint from which we can regain control of your Information Security. In essence, there are 4 areas that revolve around a central controlling area. We call the 4 areas Pillars and the central theme a Singular Purpose. The 4 Pillars are guided by a set of three triads that concern our information and how it is governed.
We’ll explore Strategy and Planning, Acquisition and Development, Risk Management, and Operations and Maintenance. These will revolve around the ability to measure value by using the correct metrics, with stewards of this information who are specifically trained to extract the best results possible. Each area will have specific controls attributed to it covering the 7 Security Principles of Governance, Monitoring, Continuous Improvement, Technical Management, Privacy, Business Continuity, and Awareness and Training.
The 4 Pillars
Strategy and Planning
While we all know that it pays to measure twice and cut once, if you measure the wrong thing then you still end up with a piece that has to be redone. Careful planning involves considering where the organization needs to go in terms of how it provides product or service. Only then can a reasonable set of solutions be offered. One would like to think that all one has to do is apply all the controls from a given framework to cover any possible action, but some controls are costly to implement, therefore one has to look at the reasoning behind such an action.
How the organization is set up matters as well. Is your organization set up to centrally manage its resources, or is it set up to have individual business units do it for themselves? Or is it somewhere in between, as is seen in a Federated model? Or is it that your model needs to change based upon the direction or regulations coming down the road? Attacking the implementation of Information Security Management is no less daunting. Some institutions keep Policy management separated from Engineering while others make no distinction. What’s correct for your organization depends on many factors and there is no absolutely correct way of handling it.
In any of the above scenarios it is important to communicate your vision, strategy, and mission to those who are implementing it. And those who implement it should be allowed to give feedback on improving how it is done. Regulations and Markets change with ease; so should your strategy.
Acquisition and Development
For organizations that are not in the business of developing their own software, the option of acquiring off-the-shelf software requires due diligence, not only from a contracts management perspective, but from an architecture perspective. Not all software is secure. This becomes more apparent when it is introduced into a complex environment. The same amount of effort goes into testing whether it will adhere to the overall Enterprise Architecture requirements, whether it will give the results needed, and whether it plays well with others. There is no software that exists completely on its own. Proper testing is vital.
Similarly, when it is decided that software is best developed in house, the concepts of how your development proceeds closely follow how quickly it needs to be developed and what the culture is like for your organization. Both of these will help determine your methodology (i.e. Agile, Extreme, Waterfall, etc.). In any methodology chosen the PMO is closely involved to realize and track the organization’s Earned Value.
Risk Management
Management of risk is well known among financial analysts and business people. The same principles hold true for Information professionals. There are some very good frameworks and methodologies, such as the OCTAVE® method, NSA IAM/IEM, M_o_R, NIST, etc. All these explore threats, vulnerabilities, likelihood, and impact. What’s important is that Risk Management is continuous, but even more so that it is done before the Information is put into production. The ability to properly transition information from acquisition or development into operations is an important aspect, exercising the system fully before it is used. Even after it has been put into production, the procedures and containers of information need to be periodically reviewed, at minimum every year, preferably in real time.
Operations and Maintenance
The O&M arena has been the traditional cornerstone of the Security Program. It has been in this area that administrators have had to come up with their own innovative methods of protecting the information on IT systems. From the days of the Morris worm to modern day botnets, these hardworking people have had to spend inordinate amounts of time and effort to combat everyday threats. There is a solution. This solution involves defining what is done on a day to day basis and categorizing those processes into service areas. Luckily this has been done for IT in general. The IT Infrastructure Library (ITIL) is in its third revision and provides guidance to any organization involved in information stewardship. With the latest revision of ITIL, now an international effort, the organization can view the services it provides in terms of a life cycle. The steps in this life cycle are: Strategy, Design, Transition, Operations, and Continuous Improvement. These phases of Information Management make it possible to mature a program to become proactive, not just reactive. What needs to be kept in mind is that since Security Operations mirrors IT Operations in general, all ITIL concepts equally apply. Some argue that Security Management is not an area that should be separated out, but rather that it should be fully integrated within.
Triad of Three
Tenets
Confidentiality - Is defined as “limited to persons authorized to use information, documents, etc., so classified”. It is this capability to ensure that only those that are authorized to access the information are easily allowed to do so, and those that are not allowed are denied access. This touches on the principle of Privacy.
Integrity - Knowing that the information you are using has not been altered is the assurance of this tenet. Simple techniques, such as a CRC or Hash, are examples of an integrity check.
Availability - This tenet follows closely on the requirement that the business side of an organization be involved in defining what constitutes available or not. Business continuity is called that for a reason. Information does not care if it is available or not; the users of that information do, however. The business of Disaster Recovery, Continuity of Operations, and Business Continuity Planning all involve how the organization defines its business and any Service Level Agreements that it has in place with its customers.
Areas
Management - The area of Management identifies those principles that cover Governance and Policy. In tune with this is that the improvement of the IT program has to be done by taking a look at those metrics that are defined and agreed upon. When an organization has achieved this level of maturity, it can be said that it possesses a continuously improving Program of Security.
Operational - The area defined under operational is where the “rubber meets the road”. Unless you can ‘operationalize’ how your Security Program is implemented, it is of no use to the organization. In order to help in this area, the procedures and ‘run books’ have to be defined, mapped to other procedures, and reviewed periodically so that there is a basic understanding of how the facility is run on a daily, weekly, monthly, and yearly basis.
Technical - This is the area to which much of the present day attention is given. While this is obviously necessary, it is also unfortunate. When we talk of a technical control area we do not imply that technology will be a panacea, but rather that when technology is applied toward safeguarding your information, these technical considerations will be given, regardless of the technical solution. In the adage of “People, Process, and Technology”, Technology is the final consideration after you have decided who is to do it and how. In any maturity model the actual technology is not even a consideration.
Information Protection
At Rest - Information sitting around in file shares and file cabinets is waiting for someone to come along and look at it. The information does not care who looks at it, but the owner of that information does care. It may be sensitive military information or it may be intellectual property; either way, denying access to those that are unauthorized to see it is important while the data is just sitting there. Simple tools such as a lock for the file cabinet or encryption for all laptops, which are seeing ever increasing rates of being stolen or lost, are vitally important.
In Transit - Encryption of information is as old as Caesar. From the simple alphabetic substitution ciphers of the Roman army to the vastly complicated modern algorithms, information protection while the information is being transmitted is important and even easier to implement these days.
During Processing - This particular information state is often an under-considered state for information to be in. Normally one considers whether the information is in transit or at rest, but the usually transient state when the information is being transformed or searched has to be considered as well.
Singular Purpose
IT Value
The overall goal of having an IT Security Program is to bring value and protection to all areas of your business. We have to keep in mind that it is information we are protecting. This means protecting the people that are stewards of an organization’s data, protecting the places where this information is being stored, and the resources that will make use of this information. To do that will require some oversight. The Project Management Institute and its Project Management Body of Knowledge can help. This will lead to the ability to provide continuous improvement for all future IT Security projects.
Project Management Office
A successful IT project requires accurate estimation, careful planning, constant monitoring, and the ability to learn from past mistakes. The Project Management Institute (PMI) has been engaged in understanding how projects can become successful for quite a few years. It is their ability to comprehensively and succinctly put together a body of knowledge around project management that allows organizations to successfully implement a full blown Program Management Office (PMO).
The PMO can be as simple as an in-house consultancy providing guidance to more autonomous areas of project management, or it can be that overarching management structure collating and keeping track of all projects within an organization. Most likely it lies somewhere in between the two extremes, based upon how the organization is set up (i.e. centralized, federated, etc. See section on Strategy and Planning). The purpose of the PMO is to manage resources and monitor the progress of ongoing projects, as well as to see that value is derived from the projects. Since Information Security has become such an integrated aspect of how the organization engages in business, there should be dedicated project managers for the various security projects. Examples of this are titles such as Security Officer (SO) or Information System Security Officer (ISSO). The people that are designated as such should be given every opportunity not only to have enough accountability for the implementation of the Security Program, but should also be empowered enough to make reasonable judgements in how the program should be improved.
Continuous Improvement
How does one improve the overall Security Program? With the PMI’s Body of Knowledge and the 5 stages of a project (Initiation, Planning, Developing, Monitoring, and Closing), the organization can set up metrics and controls during the project life cycle to gauge overall performance. It is precisely the ability to marry the correct and easily gathered metrics to the overall goals and mission of an organization that will provide the most benefit for the organization. Coming up with metrics for metrics’ sake, with no relevance to what the business deems valuable, will prove to be a red herring for business decisions and ultimately will be of no value to anyone.
Metrics for a security program require what we like to call a lot of “front loading”. This extra effort up front will go a long way in helping everyone on the project keep the end goals in mind and strive for what’s important for the business. When even the least significant person is involved in determining what should be measured and how it can be measured, then the whole team presents a coherent picture of what needs to be accomplished.
To help illustrate the complexity of a good metric we have an example. An organization measures how many emails contain viruses on a weekly basis and are thus blocked. What is it that we are measuring? In simple terms we can measure the percentage of emails that contain viruses compared to non-virus-carrying emails and eventually get a trend over a year’s period. But what does that measure? It might measure that spam emails versus virus emails are changing proportions and that we will need to bolster resources towards spam. But the real question should be: how many virus-laden emails did we NOT catch? This is a difficult question. Yes, we are blocking viruses, and this goes to show that at least that one control in an enterprise security management is being handled, but how can we improve the implementation of that control? This is where the organization has to sit down and talk it over with subject matter experts and come up with meaningful measurements.
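As an added example (not part of the original paper), the weekly virus-email metric above carried through in Python on constructed counts: the blocked percentage the text describes is placed next to a missed-detection estimate taken from a hand-reviewed sample of delivered mail, which is the measurement the “how many did we NOT catch?” question actually needs. The class, function names and all figures are ours and hypothetical.

```python
"""Weekly e-mail virus metric: the blocked percentage next to an estimate of what
the control did NOT catch, from a reviewed sample of delivered mail.
All counts are constructed for illustration, not real measurements."""
from dataclasses import dataclass


@dataclass(frozen=True)
class WeeklyMailStats:
    week: str
    total_received: int     # all inbound messages that week
    virus_blocked: int      # messages the gateway blocked as virus-laden
    delivered_sampled: int  # delivered messages later reviewed by analysts
    sampled_missed: int     # reviewed messages found to carry malware after all


# Constructed sample (hypothetical): blocked share looks flat, missed share climbs.
SAMPLE_WEEKS = [
    WeeklyMailStats("W01", 120_000, 2_400, 500, 1),
    WeeklyMailStats("W02", 118_000, 2_950, 500, 3),
    WeeklyMailStats("W03", 125_000, 2_500, 500, 6),
]


def blocked_rate(w: WeeklyMailStats) -> float:
    """The paper's metric: share of all inbound mail blocked as virus-laden."""
    return w.virus_blocked / w.total_received


def estimated_missed_rate(w: WeeklyMailStats) -> float:
    """Estimate of the missed share: malware found among delivered mail that was
    reviewed by hand. This answers 'how many did we NOT catch?', approximately."""
    return w.sampled_missed / w.delivered_sampled


def weekly_report(weeks):
    """Both rates per week, as percentages rounded for reporting."""
    return [
        {"week": w.week,
         "blocked_pct": round(100 * blocked_rate(w), 2),
         "missed_pct": round(100 * estimated_missed_rate(w), 2)}
        for w in weeks
    ]


def control_degrading(weeks) -> bool:
    """True when the missed rate rises every week: the control is getting worse,
    which a stable blocked percentage on its own would hide."""
    missed = [estimated_missed_rate(w) for w in weeks]
    return all(later > earlier for earlier, later in zip(missed, missed[1:]))
```

On the sample the blocked percentage stays around 2 to 2.5 percent while the estimated missed share rises from 0.2 to 1.2 percent, so only the second metric shows the control weakening.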
Summary
Information Security is more than tossing some technology at the problem; it involves the full cooperation of all involved, especially those business stakeholders who have the most to lose. The coordination of strategy, development, risk management, and operations, with the continual monitoring and improving of security services, is an engagement unlike any that has been experienced in the past. There are no cookie cutter approaches to how to do it, which is why it is important to ensure all stakeholders understand the goals and mission of the organization as a whole. The capacity of an organization rests in the effort of everyone to carry out that mission to their own specific capability. Finding the experts to accurately engage the organization is half the battle.
Acknowledgements
Daniel C Goebel, CISSP, ITIL Foundations, ISO27001 certified - Dan has been involved in the IT industry since 1985. He has worked on Wall Street, for Hospitals, at Bell Labs, at Rutgers University, and since 2003 has been consulting in the federal and civilian enterprise security space. He has an undergraduate degree in Biology from Rutgers University and is presently finishing up his Executive IT Masters degree with the CIO certificate from the University of Maryland, University College.