This article is not going to focus on the typical top 10 list ranking items in some predetermined order of importance; instead, this discussion will look at the equally essential components of a successful information security program that can scale across an enterprise.
The 10 most important things an IT person must understand include:
- Every organization must have a plan.
- Having no plan is a plan in and of itself.
- Security programs come in all extremes, shapes and sizes.
- Security programs need to put learned information into practice.
- Today’s IT options include numerous situational awareness tools.
- Effective IT organizations are not only aware of attacks but are proactive about preventing or resolving them.
- Compliance is a lot more than just maintaining data; it also includes the management of that data.
- Security controls come in three essential forms: protective, detective and corrective.
- The field of security event management (SEM) has significant real-time visibility and analysis attached to it.
- SEM is a rapidly growing field that is constantly changing; maintaining updated user guides, data and planning tools will significantly enhance the security process.
Certain items on this list may be more or less relevant for a given organization, depending on where it is in the broad spectrum of security preparedness. All spectrums have extremes, and security programs are no different. At one end lies the chaotic environment where few formal policies exist and fewer are enforced. This type of security situation is often one where the security program has not been around for very long and is struggling to gain control of its environment. On the opposite end is the mature information security program where the security officer has a dedicated staff and is held accountable by executive management for policy enforcement. This type of organization is generally savvy to new security threats and initiatives. In these situations, the security program is mandated because of regulation or highly sensitive information resources. Emerging legislative acts, such as the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA) in the US, are now forcing affected organizations to look at the security program in place and find ways to hasten its maturity.
At this juncture, some background information may be needed to describe the full breadth of the concepts that will be examined herein. The viewpoints in this article result from a decade of running an information security program at a US multibillion-dollar worldwide electronics and communications corporation throughout the 1990s. This perspective is also shared from myriad experiences described by chief security officers (CSO) of the largest corporations, financial institutions and accounting firms in the world over the last five years.
Viruses and hackers, once the prime concerns as networks and computers were proliferating, are now a mere fraction of the threat landscape. This landscape has expanded with legal mandates requiring security programs to be in place; controls to be provably implemented, maintained and monitored frequently (if not continuously); and the necessity for an incident response plan.
The field of information security is in the midst of a tremendous growth spurt. This growth is not limited to isolated areas, such as larger budgets, more technology or more experienced personnel. While these items may be included, information security is also growing in organizational relevance that requires greater levels of demonstrable responsibility and accountability than ever before.
Experience shows that information security is going through a stage in its evolution where it has to put what it has learned into action. When a teenager goes for his/her first solo ride with a new driver’s license, mapping out a destination, paying attention to the road, obeying the traffic laws and reacting effectively to unexpected hazards will keep the new driver from experiencing the realities of citations, damage to person or property, or something more catastrophic. Today’s information security organizations are in a similar stage. It is understandable that with the advent of more and more laws, the CSO must be the safe driver of an organization’s security program.
This assessment examines the critical aspects of a security program that can navigate safely in today’s world of security threats and corporate/federal governance compliance requirements.
From the beginning, one must understand that many chief security officers are in the middle of the “perception vs. reality” battle with management and users. The gap between what should be happening and what is actually happening is quite large. When audited, these gaps become quite apparent. Therefore, when looking to mature a security program, an IT or security professional must deal in reality, while respecting perception. Many security officers struggle to support the perception that there are adequate security controls in place that protect their organizations’ most critical assets. CSOs are constantly caught in a double-minded position of having to defend the ongoing investments required to implement even the bare-minimum controls for a massive IT enterprise and having to justify the wealth of work required to avoid the ever-changing plethora of security threats today. Security professionals consistently ask themselves one mission-critical question: “Are we secure?” When answered honestly, this highlights the significant gap between perception and reality.
The lack of situational awareness is the biggest contributor to this chasm. The sheer quantity of controls, such as firewalls, intrusion detection/prevention, antivirus, user authentication, access control rules and virtual private networks, is a prominent facet of this problem. There are simply not enough sets of eyes to actively monitor, not to mention correlate, this immense collection of event logs and/or alerts. How can a security professional know the organization is secure without this necessary visibility?
Many organizations have invested heavily to implement a security program with all of the aforementioned controls. Only in recent years have new technological solutions emerged to help provide situational awareness. In the early days of SEM, the message was all about sifting through the mammoth amounts of data spewed out of various kinds of security controls, with the promise of providing actionable information. This situation no longer exists. It is nice to have information, but as Mary McLeod-Bethune (advisor to Franklin Delano Roosevelt) once said, “Knowledge is the prime need of the hour.” Advancing a security program to a new level of maturity and relevance requires more than awareness of an attack to a critical system or a situation of noncompliance. It takes the knowledge and understanding of how to recognize and decisively respond to the threats. That said, this is a great opening to another point in the top 10 list: knowing and understanding what threatens the organization.
An interesting phenomenon has occurred during the recent rise in the importance of information security. The number of threats to computers, networks and software has unarguably increased. At the same time, the amount of press coverage dedicated to possible attacks or vulnerabilities has exploded. At each turn, there are new stories about the latest threat factor or the unsecured organization. Organizations that do not fully understand the vulnerabilities or threats have been hit the hardest. Without understanding which systems/networks/data stores are critical and what their current state of configuration is, the entire population of threats is perceived as a real threat. Compounding this is the lack of visibility into the range of events that are actually occurring in the enterprise. It is easy to understand how the resulting situation creates a significant out-of-balance sense of concern, or lack thereof. If an organization does not know what threats apply to its critical infrastructure and does not have any situational awareness, once again, every known threat is perceived as a real one. When the list of threats significantly increases at an hourly rate but the security program is not increasing its awareness of the impact to these possible threats, hundreds or thousands of systems are vulnerable, and the gap between what might happen and how it could be handled continues to expand at a rapid pace.
Information classification is critical for an effective security program. Efficient policies cannot be enacted without understanding what is valuable, and each organization does it differently. Controls, whether computerized or manual, cannot be effectively deployed without knowing to what types of threats that information is vulnerable. The three characteristics of information most commonly protected are confidentiality, integrity and availability. Classifying information resources by their level of importance, sensitivity or relevance to the mission is merely part of the process. Just understanding that a system housing patient information is important to protect does not provide the complete picture required to define the controls that must be implemented to mitigate the chance of loss or unauthorized disclosure. By examining this more closely and understanding the value these records have, it becomes apparent that all three security classifications apply, each for very different reasons.
Let’s begin by looking at the need to protect the integrity of the data and the systems that house the information. If a patient’s medical records are inaccurate or incomplete, the medical staff may misdiagnose or mistreat a patient. Therefore, protecting the integrity of the data from a security perspective involves the implementation of strong controls over who is able to make changes to or delete patient records. This translates into the necessity for security requirements for strong authentication and access controls to prevent unauthorized access.
The importance of the availability of patient records to health care practitioners is the second facet of this process that needs to be examined. Medical situations do not always occur during standard working hours. At 2 a.m., no one wants to find that a patient’s medical history cannot be accessed because a server is down or a network has been rendered unavailable as a result of a hacker, virus or worm. Putting controls in place that mitigate the risk of losing access to critical patient data is traditionally a joint effort among the security, network and systems organizations. Controls such as redundant networks, secure environments, high-availability servers with fail-over capabilities and monitored processes governing configuration changes help protect this life-saving data.
Finally, there has been a wealth of federal legislation passed, including the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires demonstrable controls concerning the confidentiality of patient information to be in place. This legislation is driving security requirements focused on keeping patients’ medical records from being accessed by any unauthorized medical staff and ensuring that transmission of patient records is performed securely. Any one or combination of these three characteristics may be present in an information resource, commonly known as data or supporting systems. The means to protect the confidentiality of this data are different from those that protect against threats to the availability of the data. If the value of the information is in it being absolutely correct, rather than confidential, appropriate controls need to be in place. The last thing a security manager wants to be guilty of is “spending a dollar to protect a dime,” while leaving the real assets unprotected.
Understanding the threat landscape in any company begins with understanding the value of information resources to the mission of the organization. Security organizations cannot determine the appropriate level of information security controls required without first establishing an information security policy that aligns with the organizational mission. An effective information security policy must pass three rules before it can be implemented:
- It must be reasonable. The policy must fit the security requirements of the information and the organization itself. This means that, if the information is highly sensitive, it makes sense to protect it to the maximum levels possible. However, if the cost, rigor or complexity of such protection is greater than the organization can withstand, the policy is doomed to be circumvented by myriad levels within the organization.
- It must be enforceable. If there is no way to implement and maintain controls to enforce the policy, a major gap emerges between perception and reality. This gap is exposed each time an audit is performed utilizing the policy as a measuring stick against security practices. Many times, a policy is implemented and enforced at a small scale, but over time, as systems mature and use increases, the enforceability becomes unmanageable. Take event monitoring, for example. Most companies have policies or standards stating that they review event logs on a periodic basis looking for violations. The reality is that most event logs roll over on themselves several times before anyone reviews them.
- It must be auditable. If a policy is enacted and enforcement controls are implemented, but there is no evidence that it is working, then it is worthless. Every security policy must have audit trails indicating and validating that the policy is in place and enforced on an ongoing basis.
Once an acceptable information security policy is in place, the internal standards and controls are established. One large financial institution serves as an excellent example of internal standards. This organization maintains an organized set of documented security standards that it uses as a guide to help it determine how and where to implement specific controls. These standards govern things such as password policies, administrative user privileges, e-mail usage, reviewing system logs and more.
Rich Cook once said, “Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning.” User and administrative errors and/or omissions are some of the most frequent and devastating incidents. Educated employees acting responsibly are, by far, the best security of all.
Well-documented standards provide an excellent source for two important types of internal documents. To begin with, technical administrative guides instruct IT system administrators how to properly configure and maintain the various systems and networks to enforce security policies. The second type of document is the user guide, which is an important tool for ongoing security awareness and a consistent method of communicating how to properly use systems containing sensitive or critical information.
Information classification, a security policy that aligns with organizational mission, identifying threats to mission-critical information resources, having well-documented internal security standards, and promoting administrative and end-user awareness are all crucial components in a robust information security program. Much of what has been discussed in this article can be encapsulated in documentation, stored in a binder and placed on a shelf. This is exactly where so many security policies sit. Putting the program into action is an exercise in preparation—preparing for the very thing one has been working so hard to mitigate.
In a recent webcast with an experienced IT security veteran focusing on protecting against the unknown, the discussion centered on the premise that every successful security breach results from something an organization is not expecting, and that how the security team responds to each breach is what the overall business measures. Today’s requirements that security organizations attend both to traditional security controls and to compliance-focused controls for tracking and reacting to incidents make this an excellent time for us, as professionals, to examine a new planning technique: security process management (SPM).
What is SPM? Good security is inherently organized. Establishing a security program requires diligent planning and strong communication. Getting management buy-in on a security plan and budget requires a reasonable and compelling plan of action that aligns with the needs and concerns of the organization. Often, though, security planning stays focused on what the security team can control. User administration, access rules, vulnerability testing, maintaining firewall and intrusion detection systems, system monitoring and user awareness programs are excellent examples of these. The security processes focusing on these areas are contained within information security’s purview, and are normally organized accordingly.
Over the years, it has become abundantly clear that few security organizations have incident response plans that are as well thought-out. In most cases, responding to situations of noncompliance or security breaches of any kind is haphazard; in fact, many times these situations are bordering on the chaotic. One of the primary reasons for this common condition is that the information security policies and standards simply do not call for formal incident response plans. It is an incomplete mission for information security teams to be called upon only to deploy and administer security controls. They should be the first responders to indications that critical or regulated information is at risk. SPM encompasses more than planning and operating the security controls; it is also the active monitoring of myriad controls, recognizing real threats to critical resources and coordinating the organizational response to resolve the incident as efficiently and effectively as possible.
An effective incident response policy must respect the existing organizational boundaries and must overcome those same boundaries in an incident response scenario. Overwhelmingly, security organizations do not have the authority to shut down a production server in another department or business unit. Therefore, policy must allow for the drafting of qualified and authorized resources to take appropriate steps in a timely fashion when reacting to a live incident. Accountability contracts between various departments containing sensitive or valuable information resources and the security organization are helpful in aligning the response plan with an incident response policy.
Accountability contracts are simple documents that inform department heads and system administrators that, in the event an incident has been detected affecting sensitive information resources in their purview, they will automatically become part of the incident response team for the duration of the resolution process. There are many incident response methodologies available from industry resources, but the real work involved in incident response planning involves interorganizational preparation and organization. If there is no formal incident response policy, everything that occurs chaotically is the default incident response policy.
Continuous online auditing of event logs and alerts coming from various IT systems and networks is critical for timely detection and recognition of active threats.
Three questions from a security standpoint must be answered expediently before a response process should be initiated. First is “Is an attack occurring right now?” If the answer to this question is yes, it is time to move on to the second question: “Is the targeted system vulnerable to the specific attack?” If the answers to questions one and two are both yes, the third question is to be addressed at this time: “Is the targeted system critical?” If all three answers are yes, there should be appropriate confidence in the analysis and urgency of the situation to warrant initiation of a response process. The last thing a security team can afford is to be a false alarm to other parts of the larger organization. To effectively achieve any of these goals, diligent monitoring protocols must be in place on a consistent basis.
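The three questions above, applied as an automated triage step, as an added example that is not part of the original article: it runs over constructed sensor alert lines and a constructed asset inventory (the host addresses, the placeholder weakness identifiers such as EXAMPLE-WEAK-A, and the key=value alert layout are all assumptions) and also handles the case the article warns about, a targeted host that is not in the inventory and so cannot be triaged at all.

```python
"""Three-question alert triage: attack now? target vulnerable? target critical?"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory (hypothetical hosts, placeholder weakness ids):
# whether each host is mission critical and which weaknesses remain unpatched.
ASSETS = {
    "10.0.1.20": {"name": "patient-db", "critical": True, "exposed": {"EXAMPLE-WEAK-A"}},
    "10.0.1.21": {"name": "public-www", "critical": False, "exposed": {"EXAMPLE-WEAK-A"}},
    "10.0.1.22": {"name": "hr-app", "critical": True, "exposed": set()},
}

# Constructed sensor alert lines; "sig" names the weakness the signature
# targets and "outcome" is the sensor's verdict on what it saw.
SAMPLE_ALERTS = """\
2005-03-01T02:14:07 sensor=ids1 sig=EXAMPLE-WEAK-A src=198.51.100.7 dst=10.0.1.20 outcome=attempt
2005-03-01T02:14:09 sensor=ids1 sig=EXAMPLE-WEAK-A src=198.51.100.7 dst=10.0.1.21 outcome=attempt
2005-03-01T02:15:30 sensor=ids1 sig=EXAMPLE-WEAK-B src=198.51.100.7 dst=10.0.1.22 outcome=attempt
2005-03-01T02:16:02 sensor=ids1 sig=EXAMPLE-WEAK-A src=198.51.100.7 dst=10.0.1.99 outcome=attempt
2005-03-01T02:17:45 sensor=ids1 sig=EXAMPLE-WEAK-B src=10.0.1.5 dst=10.0.1.22 outcome=scan-only
"""

# Outcomes that answer question one ("is an attack occurring right now?") with yes.
ATTACK_OUTCOMES = {"attempt", "success"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_alert(line: str) -> dict:
    """Turn one key=value alert line into a dict; reject malformed input."""
    match = LINE_RE.match(line.strip())
    if not match:
        raise ValueError(f"unparseable alert: {line!r}")
    fields = {"ts": match.group("ts")}
    for token in match.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad token {token!r} in {line!r}")
        fields[key] = value
    for required in ("sig", "dst", "outcome"):
        if required not in fields:
            raise ValueError(f"missing {required} in {line!r}")
    return fields


@dataclass
class Triage:
    ts: str
    dst: str
    sig: str
    attack_now: bool
    vulnerable: Optional[bool]  # None: host not in inventory, question unanswerable
    critical: Optional[bool]    # None: host not in inventory, question unanswerable
    decision: str               # respond | monitor | log | inventory_gap | dismiss


def triage(alert: dict, assets=ASSETS) -> Triage:
    """Ask the three questions in order and stop at the first 'no'."""
    attack_now = alert["outcome"] in ATTACK_OUTCOMES
    asset = assets.get(alert["dst"])
    vulnerable = None if asset is None else alert["sig"] in asset["exposed"]
    critical = None if asset is None else asset["critical"]
    if not attack_now:
        decision = "dismiss"        # Q1 no: reconnaissance or noise; keep the record only
    elif asset is None:
        decision = "inventory_gap"  # Q2/Q3 unanswerable: fix the inventory before reacting
    elif not vulnerable:
        decision = "log"            # Q2 no: the attack cannot succeed here; no response
    elif not critical:
        decision = "monitor"        # Q3 no: patch on schedule and watch; do not page anyone
    else:
        decision = "respond"        # all three yes: initiate the response process
    return Triage(alert["ts"], alert["dst"], alert["sig"], attack_now, vulnerable, critical, decision)


def triage_log(text: str, assets=ASSETS) -> list:
    """Triage every non-empty line of an alert feed."""
    return [triage(parse_alert(line), assets) for line in text.splitlines() if line.strip()]


def escalations(results) -> int:
    """How many alerts would actually wake the wider organization."""
    return sum(1 for r in results if r.decision == "respond")


if __name__ == "__main__":
    for r in triage_log(SAMPLE_ALERTS):
        print(f"{r.ts} {r.dst:<10} {r.sig:<15} -> {r.decision}")
```

Of the five constructed alerts only the one against the critical, exposed host escalates; the hit on the unknown host is flagged as an inventory gap rather than guessed at either way.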
IT security controls come in three types: protective, detective and corrective.
Protective controls are the preventive measures taken to mitigate the risk of loss of information value. These controls are intended to thwart attacks through strong intervention and management. Permissions must be managed and kept current. Most protective controls are more expensive to implement and maintain than detective or corrective controls. However, over the course of time, their effective use will probably prevent a more significant loss in information value. Examples of protective controls include authentication, access control systems, encryption and firewalls.
The posture of a detective control is one of post-event response. These controls are loss mitigation systems that function as burglar alarms, indicating something has happened and information value may be lost. This is the type of control that is implemented to support the preventive controls already in effect. Generally, these controls are less costly to deploy and will often complement existing preventive controls. However, organizations that rely too heavily on the detective controls run a higher risk of actually experiencing loss of information value as a direct result of the passive/reactive nature of the control.
The third type of control, a corrective control, is found in most organizations. Often, these controls are deployed when having a valid backup/restore program is sufficient. For most organizations, this is the strategy utilized for public access systems such as web sites and anonymous FTP sites. The value of that information is usually found in its accessibility, and if something alters or deletes the information resource, restoration to a prior state is sufficient. Obviously, this type of control is inexpensive to deploy and should never be used for any valuable information resource. The real cost of corrective controls comes once an incident has occurred, and something valuable was either damaged or lost.
When a security breach has occurred against a critical asset, the incident response plan is the corrective control. As a result, two universal truths exist today: threats are increasing, and the time to respond is decreasing. This forces the security organization into a pressure situation in which it must build a first-response capability that is effective and repeatable.
SEM technology has advanced rapidly to provide real-time visibility and analysis tools to security organizations. Isaac Asimov once said, “The most exciting phrase to hear in science, the one that heralds the most new discoveries, is not ‘eureka!’ but, ‘hmmm…that’s funny…’.” Correlating disparate security events and trying to identify suspicious or malicious behavior is more of an art than a science. Left without aid, organizations are blind to real threats and incidents, which can go on for significant periods of time with no response.
Situational awareness leads to a state of preparedness, thereby enabling reaction. The newest generation of SEM products has a tremendous impact in this area. Leading information security into a new realm of security process management, the ability to monitor enables security teams to recognize and react to real incidents with efficient and effective processes. Security teams can now legitimately plan for what-if scenarios and respond with confidence and urgency. At that point, knowing who does what and when to successfully react and remediate an incident after an event has evaded security controls is the measure of a successful security program.
is the chief technology officer at e-Security, a company he founded in 1999. For more than 21 years, Harrison has served as an innovator and recognized specialist in the information security industry. Harrison can be contacted through e-Security’s corporate web site at www.esecurity-inc.net.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by ISACA®, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
© Copyright 2005 by ISACA® Inc., formerly the EDP Auditors Association. All rights reserved.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 3, 2005