Sytorus Information Security Assessment Overview
Contents
Section 1: Our Understanding of the Challenge
  1. The Challenge
Section 2: IT-CMF
  2. The IT-CMF
Section 3: Information Security Management (ISM) Critical Capability
  3. Why ISM?
  4. Overview of the ISM
  5. Categories and Critical Building Blocks of the ISM
Section 4: Our Approach
  6. The Report
     Practices, Outcomes and Metrics
     Senior Management Reporting
  7. The Benefits
Section 1: Our Understanding of the Challenge
The Challenge
IT is often asked by senior management to report on the level of security of the organisation's IT systems. This is a challenging question: to answer it fully, an organisation must look not only at the security of its websites and infrastructure, but also at the security governance surrounding the entire business. Security breaches range from malicious attacks to the consequences of poor security awareness among individuals within the organisation. A recent report indicates that 80% of data protection breaches, for example, were due to intentional but non-malicious actions of employees. To give executives a full view of the security capability of a company, it is therefore necessary to assess not only its defensive capabilities at a given point in time, but also its capability to respond in a constantly changing environment. This breaks down into three needs:
• Understand how secure the current infrastructure is, e.g. through a penetration testing review.
• Understand the current information security capability of the organisation, including governance, staff awareness, business continuity, security strategy and security resource management.
• Develop a plan for continuous improvement which is easily understood and reportable at executive level.
Section 2: IT-CMF
A quick overview of the IT-CMF and its mission statement
The IT-CMF
The IT-CMF uses five maturity levels (1 to 5) to assess and optimise the value delivered by IT.
The IT-CMF, as a Capability Maturity Framework, comprises more than 30 Critical Capabilities, each of which addresses a fundamental component of IT's role within the enterprise. These are in turn grouped under four macro-capabilities, each representing a core and common concern for IT: business alignment, budget management, capability delivery and business value.
The IT-CMF is delivered through online assessments, face-to-face interviews and evidence-gathering techniques, applied to whichever critical capabilities are in scope, in order to derive a maturity level for each. The resulting data is presented in easily understood, visual forms, with specific identification of under- and over-investment and of the next steps that will drive further maturity and value for each critical capability in scope. Comparisons are also made against competitors, sectors and similarly sized organisations to determine maturity against peers.
The fundamental goal of the IT-CMF is to bring business and IT closer together, to the point where IT is fully optimised in supporting and executing the business's objectives, and where that optimisation extends to suppliers and partners.
Section 3: Information Security Management (ISM) Critical Capability
Why ISM?
Information is:
• Key to business growth and success;
• An essential business enabler;
• A valuable business asset.
Therefore, it is vital that information’s availability, integrity and confidentiality be assured. This can be threatened by, for example:
• Theft;
• Accidental or malicious damage or loss;
• Disruption of supporting utilities such as power or the network.
Information Security continues to be business critical and is increasingly complex to manage for the following reasons:
• Physical boundaries are disappearing: more business data is transmitted over the internet, a trend accelerated by the widespread adoption of mobile devices. Business activity, and the related threats, are now global in scale.
• Optimal security would imply physical lockdown, but that is unacceptable from the business standpoint. Multiple criteria therefore need to be balanced and fed into decision-making.
• The pace of change continues to accelerate. Digitisation is having a profound effect on business models, with traditional bricks-and-mortar industries being dominated or completely replaced by models that are essentially based on software.
• Companies are moving from traditional outsourcing contracts to cloud service providers.
• 72% of organizations report increased risk to information security, based on both external and internal threats.
• Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions; key considerations here are:
  – Has the information been retained longer than it should have been?
  – Does the data follow a defined life-cycle, and is it safe to delete it?
  – Does the business have permission to share this data with its partners?
  – Is it permissible for the company to use data supplied by another company?
• If information security is violated this can result in loss of business operations with associated adverse financial and reputational impacts, which can extend for significant periods of time, particularly should legal actions result from a breach of security.
Source: Ernst & Young, Global Information Security Survey (2011)
The changing state of information security in 2012 is evident from the following findings:
• "Security has edged out business continuity as the most important connection between IT risks and reputation. Data breaches/data theft/cybercrime is identified as the IT risk posing the greatest risk to business" (61%). Emerging technologies such as cloud, bring your own device (BYOD) and social media further complicate the issue, as these new technologies are less well controlled than other IT threats because organisations have not had time to fully adapt to them.
Source: Global Reputational Risk and IT Study 2012, IBM / Economist Intelligence Unit
• The velocity and complexity of change accelerate at a staggering pace: virtualisation, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats. Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment. Nearly 80% agree that there is an increasing level of risk from external threats, and nearly half agree that internal vulnerabilities are on the rise. 31% of respondents have seen an increase in the number of security incidents compared to the previous year.
Source: Global Information Security Survey 2012, Ernst & Young
• The ISF announced its forecast of the top five security threats businesses will face in 2013. Key threats include cyber security, supply chain security, Big Data, data security in the cloud and mobile devices in the workplace.
Source: Information Security Forum, November 2012
Overview of the ISM
Categories and Critical Building Blocks of the ISM
ISM, as with all other Critical Capabilities (CCs) in the IT-CMF, consists of a series of Categories, each of which is composed of a series of Critical Building Blocks (CBBs).
The purpose of this structure is to identify the core areas of concern that need to be assessed, which in turn constitute the means of rating the Capability Maturity of the organisation being assessed against this CC.
Information Security is a complex and many-nuanced subject, and it is only becoming more complex as new technologies, business models, and supplier/client interactions become more advanced.
Traditionally, Information Security has been seen as the ability of an organisation to lock down its infrastructure and defend against the possibility of cyber attacks, with little responsibility given beyond the IT department.
Whilst this approach may have sufficed until recent years, many things have now changed that require a more holistic approach, across all stakeholders in an organisation.
For example, consider the degree of IT outsourcing that takes place in your organisation. Consider the flow of data between your contracted third parties and any of your business units, and then consider the breadth of security focused business processes that are required to ensure appropriate levels of protection are in place, to hinder or greatly reduce the possibility of a security breach, not only for IT but for all staff who interact with the data.
Also the days of an entire IT stack sitting quietly in a comms room are now gone, as most organisations have begun the process of shifting large volumes of data and infrastructure out to third parties, be they cloud providers or system integrators.
The degree of command and control now becomes a core concern for any organisation seeking to keep its risk within its stated appetite, and yet most organisations struggle to clearly articulate, and get buy-in on, adequate levels of Governance and Risk Management to ensure that this operational reality is under control from a security perspective.
Equally, consider the more traditional concern of penetration testing: that IT systems are currently protected at an adequate level from external threats. We emphasise the word currently, as a penetration test is always a point-in-time activity that tells you only what your situation is at that time, and not necessarily what risk you carried before or what risk you may yet carry. This is purely due to the dynamic nature of external threats and the many and varied ways in which currently secure systems can quickly become vulnerable.
Again, the answer to this lies in the ability of an organisation to take a holistic approach to its Information Security strategy and to look beyond simple point-in-time assessments to a more detailed and complete approach that seeks to measure and monitor all the core areas of concern that directly relate to risk in this arena.
This is the purpose of the ISM. To measure and verify the current Capability Maturity of all of the core areas of concern that relate to Information Security.
The following is a breakdown of the Categories and Critical Building Blocks that ISM covers. We believe that the range is both broad and holistic, and that it can be used to clearly identify the real and present Information Security risks that your organisation may be carrying in its day-to-day operational activities:
Governance
• Information Security Strategy: Develops, communicates, and supports the organization's information security objectives so they fit the organization's business model and risk appetite.
• Security Policies, Standards, and Controls: Establishes and maintains security policies and controls incorporating relevant security standards and regulatory and legislative security requirements, ensuring they fit the organization's business model and security objectives.
• Security Roles, Responsibilities, and Accountabilities: Identifies and establishes information security roles, including the allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
• Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
• Security Performance Reporting: Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities.
• Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.
Technical Security
• Security Architecture: Establishes and applies criteria and practices for designing security solutions with the aim of achieving appropriate, cost-effective protection. Defines security layers to provide depth of defence and configuration management of security features.
• IT Component Security: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
• Physical Environment Security: Establishes and maintains measures to control access into, and protect, the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).
Security Resource Management
• Budget for Security: Provides security-related budget criteria, for example that new equipment must be purchased with specific security features (e.g. virus protection).
• Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
• Resource Effectiveness: Measures "value for money" from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities.
Security Data Management
• Data Identification and Classification: Defines security classifications and provides guidance for associated protection levels and access control.
• Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
• Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.
Business Continuity Management
• Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
• Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on security aspects of incidents.
Security Risk Management
• Security Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents the security threat profiles by their potential impact on business objectives and activities.
• Security Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact.
• Security Risk Prioritization: Prioritizes security risks and risk handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment such as outsourcing, mergers and acquisitions.
• Security Risk Handling: Implements risk handling strategies, where risks can be deferred, accepted, mitigated, transferred or eliminated.
• Security Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk handling strategies/controls.
Section 4: Our Approach
As with all other Critical Capabilities, ISM follows the same evidence-based assessment model. The survey is completed using an online tool; we then follow up with a face-to-face interview process.
The purpose of the face-to-face interviews is to gather the evidence needed to place each CBB on the maturity curve.
The question set we use comprises 29 detailed focus areas across the categories. Below is a sample of the questions we ask on Technical Security, covering the Security Architecture and IT Component Security CBBs, where we seek to identify where on the maturity curve each CBB sits. This is done through extensive evidence gathering, covering for example penetration testing methodologies, infrastructure hardening and enterprise system security techniques:
Technical Security: Security Architecture
Question: How do you establish the security architecture?
Tooltip: Establishes and uses approaches for designing security solutions with the aim of achieving appropriate, cost-effective security. Defines security layers to provide depth of defence and configuration management of security features.
Level 1: Responsibility for establishing the security architecture layers is assigned on an ad hoc basis. Few (if any) security architecture diagrams exist.
Level 2: Security layers and depth of defence are considered in architecture design, but this may not always be implemented or provisioned in delivered solutions. Configuration management is typically a localized activity within departments or functional groups.
Level 3: IT and some business units have a documented shared vision for security layers and most security architecture features are common across these areas. Depth of defence and configuration management practices are evident.
Level 4: A security architecture framework supporting depth of defence and utilizing configuration management principles has been developed, documented and implemented across the enterprise.
Level 5: An effective security framework is used across the extended enterprise. The framework is optimized for business efficiency, hardware and software cost management, and the depth and effectiveness of security measures.

Technical Security: IT Component Security
Question: How do you define and implement measures to protect information technology components?
Tooltip: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
Level 1: IT component security is done on an ad hoc basis.
Level 2: IT component security guidelines are emerging within the IT organization, but only basic security measures are in place.
Level 3: IT and some business units are agreed on detailed and documented IT component security measures, which are implemented across these areas.
Level 4: IT component security measures are implemented enterprise-wide and the measures are tested for compliance with policies and standards.
Level 5: Management of IT component security is optimized across the layers of the security framework.

Technical Security: IT Component Security
Question: How do you ensure security is built into new systems and applications?
Tooltip: Defines and implements security measures to protect systems and applications and the data held therein.
Level 1: Security is defined and built in, or added after the product is built, on an ad hoc basis.
Level 2: Security is defined and built in using a generic approach or default measures.
Level 3: Security requirements are defined early in the development cycle by IT and business stakeholders and are included in testing.
Level 4: Security requirements are addressed consistently enterprise-wide.
Level 5: Security requirements are addressed consistently across the extended enterprise.
A typical swim lane chart for an ISM Assessment is as follows:
[Figure: swim lane chart for a typical ISM Assessment, not reproduced in this extract]
The Report
The ISM report is designed to provide a detailed review with measurable next steps for implementers, whilst providing a comprehensive high level overview for senior management.
Practices, Outcomes and Metrics
For implementers, a detailed review with clear and unambiguous recommendations for improving Capability Maturity is an essential part of the report from an ISM Assessment. Throughout the engagement the clear ambition is to accurately identify and document the current Capability Maturity, with a breakdown of all findings against each of the CBBs.
We use a concept known as Practices, Outcomes and Metrics (POMs) to achieve this. The POMs are designed to highlight to implementers what steps need to be taken to achieve an improvement in capability. For example, an organisation that wanted to achieve Level 2 in Technical Security would need to take the following steps for each CBB, measured against an agreed set of metric values:
Level 2, Technical Security, Security Architecture
Practice: Provide basic architectural security descriptions.
Outcome: Security layers and depth of defence, while considered, may not always be implemented or provisioned in delivered solutions. However, policies and procedures can be partially aligned with security recommendations.
Metrics: % of policies reviewed for security compliance; % of relevant IT processes reviewed for security alignment.

Level 2, Technical Security, IT Component Security
Practice: Set defaults to secure or block, and open only as needed to enable the business.
Outcome: Access is restricted to authorised components and access paths through the IT infrastructure.
Metrics: % of components with default set to closed; number of staff needed to maintain component security.

Level 2, Technical Security, Physical Environment Security
Practice: Identify and secure the locations of critical and sensitive IT infrastructure components, and of sensitive information storage (e.g. confidential printed reports).
Outcome: A cross-functional appreciation of the need for security is emerging, and physical measures are visible in a way that measures implemented in electronics or software are not. IT and facilities departments co-operate in physical security provision.
Metrics: % of critical systems in secure locations; % of people with access who are authorised (authorised access / all access).
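The Level 2 IT Component Security metric above ("% of components with default set to closed") is only worth reporting if it is computed from evidence rather than self-assessed. As an added illustration, not part of the original Sytorus or IT-CMF material, the script below takes iptables-save style filter tables for a few hosts, decides whether each host's effective inbound default is closed (a chain policy of DROP or REJECT, or a trailing catch-all DROP rule that overrides an ACCEPT policy), and flags ports opened beyond an approved baseline, which is the "open only as needed" half of the practice. The host names, rule sets and the approved-port baseline are constructed for the example and describe no real system.

```python
"""Computes the Level 2 IT Component Security metric "% of components with default
set to closed" from iptables-save style filter tables. All hosts, rules and the
approved-port baseline are constructed for this example."""
import re
from typing import Dict, List, Set

# Constructed rule sets for three hypothetical hosts (not captured from any real
# system): web-01 is default-deny by chain policy; db-01 is default-allow; app-01
# has an ACCEPT policy but a trailing catch-all DROP, so it is effectively closed.
SAMPLE_POLICIES: Dict[str, str] = {
    "web-01": """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT
""",
    "db-01": """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A INPUT -p tcp --dport 3306 -j ACCEPT
COMMIT
""",
    "app-01": """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -p tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp --dport 5900 -j ACCEPT
-A INPUT -j DROP
COMMIT
""",
}
# Hypothetical approved inbound ports per component ("open only as needed").
APPROVED_PORTS: Dict[str, Set[int]] = {"web-01": {22, 443}, "db-01": {3306}, "app-01": {8080}}

CLOSED_TARGETS = {"DROP", "REJECT"}
POLICY_RE = re.compile(r"^:(\w+)\s+(ACCEPT|DROP|REJECT)\b")
RULE_RE = re.compile(r"^-A\s+(\w+)(?:\s+(.*?))?\s+-j\s+(\w+)\s*$")
DPORT_RE = re.compile(r"--dport\s+(\d+)")


def parse_filter_table(text: str) -> dict:
    """Return chain policies and the ordered rules of the *filter table."""
    policies: Dict[str, str] = {}
    rules: List[dict] = []
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line == "COMMIT":
            continue
        if m := POLICY_RE.match(line):
            policies[m.group(1)] = m.group(2)
        elif m := RULE_RE.match(line):
            match_spec = m.group(2) or ""  # empty for a catch-all such as "-A INPUT -j DROP"
            rules.append({"chain": m.group(1), "match": match_spec, "target": m.group(3),
                          "ports": {int(p) for p in DPORT_RE.findall(match_spec)}})
    return {"policies": policies, "rules": rules}


def effective_default(parsed: dict, chain: str) -> str:
    """Target for traffic no specific rule matches: a trailing unconditional rule
    if present, otherwise the chain policy (iptables defaults to ACCEPT)."""
    chain_rules = [r for r in parsed["rules"] if r["chain"] == chain]
    if chain_rules and chain_rules[-1]["match"] == "":
        return chain_rules[-1]["target"]
    return parsed["policies"].get(chain, "ACCEPT")


def is_default_closed(parsed: dict) -> bool:
    """Unsolicited inbound and forwarded traffic is dropped/rejected unless opened."""
    return all(effective_default(parsed, c) in CLOSED_TARGETS for c in ("INPUT", "FORWARD"))


def opened_ports(parsed: dict) -> Set[int]:
    """Destination ports explicitly accepted on INPUT."""
    return {p for r in parsed["rules"] if r["chain"] == "INPUT" and r["target"] == "ACCEPT"
            for p in r["ports"]}


def assess(policies: Dict[str, str], approved: Dict[str, Set[int]]) -> dict:
    """Metric plus per-component findings (exceptions to 'open only as needed')."""
    components, closed = {}, 0
    for name, text in policies.items():
        parsed = parse_filter_table(text)
        default_closed = is_default_closed(parsed)
        closed += int(default_closed)
        components[name] = {"default_closed": default_closed,
                            "unapproved_ports": sorted(opened_ports(parsed) - approved.get(name, set()))}
    pct = round(100.0 * closed / len(policies), 1) if policies else 0.0
    return {"pct_default_closed": pct, "components": components}


if __name__ == "__main__":
    print(assess(SAMPLE_POLICIES, APPROVED_PORTS))
```

On the constructed data two of the three hosts are default-closed (66.7%), and app-01 is reported as closed despite its ACCEPT chain policy because of its catch-all DROP, while its unapproved port 5900 is surfaced as an exception. Treating the trailing catch-all as the effective default matters in practice: counting only the chain policy would under-report hosts that are in fact locked down, and counting any DROP rule anywhere in the chain would over-report them.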
Senior Management Reporting
For senior management, the report is presented in a visual form, designed to give a clear overview of current and desired Capability Maturity across each category.
[Figure: example executive report, shown for the Sustainable ICT CC for illustrative purposes]
The primary purpose of executive reports within the IT-CMF is to provide a clear and unambiguous overview of current Capability Maturity. In the case of ISM, this reflects not only the current capability of Technical and Data Security, but also the capability of Governance, Business Continuity, Resource Management and Risk Management.
Taken together, this gives senior management a comprehensive overview of current status and of the actions being implemented to improve Capability Maturity, where relevant, in line with business plans.
The Benefits
The purpose of an ISM assessment is to give an organisation a complete and holistic assessment of its current strengths and weaknesses in relation to information security. The ability to demonstrate both current and intended Capability Maturity across categories such as Governance, Technical Security and Business Continuity is compelling in its breadth, and will provide answers to a wide range of questions driven by business needs.
The following is a brief breakdown of the unique benefits that ISM can bring:
1. A comprehensive review of current capability around Information Security, focusing not just on security implementation but also on:
a. The governance processes and their suitability;
b. The level of effectiveness of technical security across architecture and components;
c. The degree of resource capability within the organisation for information security;
d. The capability of data security management throughout the enterprise;
e. The effectiveness of business continuity management with respect to information security;
f. The risk management around information security and how it is monitored, handled and reported;
g. The alignment of all of the above with business needs and the capability to tightly integrate IT and business goals, going forward, to improve on Capability Maturity.
2. An assessment of current security implementations such as penetration testing and infrastructure hardening, with an evidence-based determination of where these sit on the Capability Maturity spectrum;
3. A clear and precise POMs-based approach to improving Capability Maturity, fundamentally focused on driving value throughout the IT portfolio and bringing closer alignment with other business units, based on common goals;
4. An unambiguous and easily understood visual report for senior management, which addresses the questions that arise around the capability of information security throughout the enterprise.