Demonstrating Due Diligence in the Management of Information Security 

 
Download Article Article in Digital Form

A 1992 Datamation magazine article, titled “How Good Is Your Data Center? Maybe You Should Find Out Before Your Boss Does,”1 had a big impact on this author. He has followed the title’s advice ever since and encourages others to adopt it.

COBIT® 5 for Information Security provides an excellent, up-to-date and practical tool kit for practitioners, managers and auditors, which has helped the author continue to heed the advice of that 1992 article.

This article discusses how COBIT 5 for Information Security can be applied to maximum effect and to complement other tools to assess the extent to which due diligence has been exercised to provide appropriate information security.

While the components of information security, i.e., requirements definition, strategy and policies, technology, processes, and people (including system and data custodians), are common to all organizations, like snowflakes, no two implementations are identical.

The parameters that make a difference include organizational requirements, culture, the level of resources available and employee engagement. Then, there are other differences such as the individual capability maturity levels associated with processes. The consequence of this is that what may be “good enough” for one organization, may be totally inadequate for another.

COBIT 5 includes a discussion of pain points and trigger events, any of which may initiate a need to determine whether appropriate due diligence has been exercised. This article suggests five complementary activities to get this done:

  1. Determine metrics (i.e., what gets measured, by whom, how it is analyzed and reported).
  2. Perform self-assessments of gap analysis (e.g., against COBIT 5 practices), vulnerabilities, controls and risk.
  3. Determine the need for certification, whether process (e.g., 27001), professional (e.g., CISM ® ) or end user (e.g., tests leading to an attestation of the successful completion of a training program).
  4. Complete audits of the same domains as self-assessments. Audits are independently conducted, evidence-based and supported by standards and guidelines.2
  5. Complete penetration tests (i.e., ethical hacking).

Each of these is briefly examined and discussed later in this article.

Pain Points and Trigger Events

COBIT 5 includes an excellent description of both pain points and trigger events in section 2.3 (and they appear again in section 2.5 and in some of the appendices). Being aware of how information security performance is perceived by senior management and other parts of the business is of fundamental importance to assure alignment.

The scope of information security has grown enormously in the last 50 years and its focus continues to shift as technology and computer literacy become increasingly powerful and sophisticated. In the early days, there were few users of computer systems, which consisted of mainframes linked to dumb terminals. Some work was done in real time, the bulk in batch processing. Confidentiality was the prime concern, and access controls were a key activity.

As mainframe architectures evolved, real-time computing became widespread and availability became a further important requirement. Whatever networking existed was proprietary and hacking was, by and large, a hobby that began to grow when personal computers first became available in the 1970s. Acoustic couplers and a low-speed dial-up link were enough. And, of course, hacking was clearly targeted to specific computers.

In 1983, the US Federal Bureau of Investigation (FBI) arrested six teenagers known as the “414s” (it was the area code in which they resided) for hacking into several high-profile computer systems. The movie War Games3 was released in the same year. In this movie, a young man finds a back door into a military computer and comes close to launching World War III.

Jumping to the 2010s, security practitioners face multiple challenges—from bring your own device (BYOD), which creates architectural complexities and management issues, to weapons-grade malicious software (such as Stuxnet and Duqu)—as well as issues of investigations and digital forensics, regulatory and legal compliance, building awareness among users, engaging systems and data owners, and so much more.

One of the early lessons practitioners learn is that their activities are invisible until something goes wrong, at which time the reaction is swift and often hard. Engaging in dialog with executives, senior managers and other parts of the business—including procurement and legal counsel—to understand their perceptions and requirements is highly recommended. It must be recognized that these groups have their own accountabilities and pressures to deal with, that their time is valuable (and not to be wasted), and that information security may not appear on their lists of priorities. Therefore, good preparation and soft skills have become prerequisites for such dialog to be meaningful.

Metrics

In a lecture given in 1893 to the UK Institute of Civil Engineers, William Thompson (Lord Kelvin) said, “If you can measure that of which you speak and can express it by a number, you know something of your subject; but if you cannot measure it, your knowledge is meager and unsatisfactory.” This has since been changed into, “You cannot manage what you do not measure.” The original is, as usual, more accurate.

However, it is not easy to find information security metrics that are meaningful in business terms. (COBIT 5 for Information Security, the NIST SP 800 series and ISO 27000 publications suggest lists of possible metrics.) Out of the hundreds of possible metrics, the most valuable ones are those that meet the following four criteria:

  1. They are accessible and credible, i.e., they are not laborious to obtain and the source can be trusted.
  2. They involve a transparent calculation, i.e., one that can be explained, understood and shared.
  3. They have a common interpretation, i.e., the recipient understands what the metric means.
  4. They are actionable, i.e., changes in the metric point to the source of a problem and to actions needed to remedy it.

In addition, metrics and how they are reported are likely to be most valuable when they have clear links to business impact analysis (BIA), enterprise risk management (ERM), IT and security strategies.

There is no universal set of metrics that will fit the needs of all organizations. Information security events are neither random nor independent; they are targeted. Therefore, statistical analyses using a Gaussian (normal) distribution are of no use,4 as are most lagging indicators, such as key performance indicators (KPIs). However, key risk indicators (KRIs) are leading indicators and point to actions to be taken.

Self-assessments

The security practitioner is well placed to perform a series of self-assessments as suggested by Robert Burns when he wrote (loosely translated into current English): “Oh, what if some Power gave us the gift to see ourselves as others see us! It would from many a blunder free us….”5

Five areas where self-assessment is likely to have a good return on the time and effort invested include:

  • Gap analysis of security practices and related metrics—Using, for example, COBIT 5 for Information Security (however, it should be noted that this publication contains 192 such practices)
  • Vulnerability analysis—Integrating, for example, items known to the practitioners and their teams, reports from vendors and other advisory services, high-impact open items in the risk register, and relevant audit recommendations not yet implemented.
  • Key controls—Not waiting for the auditors to identify areas for improvement. These should represent what is most critical to the organization and are likely to include, among others, privileged access, change and configuration management, third-party service providers, core business applications, and identity and access management (a full list would be quite long).
  • Risk—Ensuring that a risk register is maintained and used to identify high-impact items (regardless of their likelihood) and their appropriate mitigating actions, and also monitoring to ensure that these items are properly reflected in a corporate risk register and supported by (ideally tested) contingency plans
  • Intelligence—Building a good awareness of security incidents around the world to avoid being surprised, as this is never a good thing

As useful and valuable as self-assessments can be, they have four major limitations:

  1. They require considerable time and effort.
  2. They require good knowledge of how to conduct and document them.
  3. They must involve other players in the organization, notably system and data custodians.
  4. They must be carried out objectively. Optimism would diminish the value of the exercise.

Certifications

Certifications are documents issued by a body with the authority to grant recognition to an organization, a set of processes or services, and/or an individual, that assert that certain established criteria have been met. There are three types of certification:

Figure 1
  • Process certifications—There are a number of certifications with good practices that are well known to security practitioners, such as compliance with ISO 27001, Information Security Management System (ISMS).6 Such certifications are voluntary; each organization must decide the merits of pursuing them, for example, to demonstrate to its stakeholders that information security is formally addressed at the strategic level. There are, of course, disadvantages to pursuing these certifications, such as the cost of preparing for a certification inspection and the risk of failing to acquire it (or to renew it at a future mandated revalidation).
  • Professional certifications—Individual practitioners of information security can obtain professional certification from bodies such as ISACA. To obtain these certifications, individuals often must meet eligibility requirements (education and/or experience), pass an examination and pay a fee. Additional requirements that must be met may include retesting and participating in a minimum number of continuing professional education (CPE) activities. Professional certifications are voluntary, and the individual usually invests personal time for preparation and incurs the cost of training, related material and the examination. It is conceivable that growing numbers of organizations will require such professional certification as a condition of employment. As such certifications provide independent evidence of an individual’s qualifications, experience and knowledge, those who possess them can be seen as being more attractive to potential employers than those who do not, thus introducing the risk of increased turnover among information security professionals.
  • Personal certifications—A third category of certification is the issuance of the equivalent to a drivers license for users who access critical systems or data (or even for all users). This is practiced by many organizations. The United Nations, for example, made it mandatory in 2003 for all staff traveling on mission to hold a basic certificate of “Security in the Field” and, for those traveling to higher-risk destinations, an advanced certificate (see figure 1 for the author’s own such certificate). These certificates are valid at the UN for three years, after which time the online course and its associated test must be retaken.

Thus, all three types of certification become a matter of corporate policy and imply monitoring for compliance.

Certification for individuals, who need to access systems and data, raises design issues such as how long the test should take and how much knowledge is required to pass. If it is too easy, the exercise becomes pointless and if too difficult, one must consider what to do about those who are unable to pass it. Such certifications also require data to be held on expiration dates and the tracking of requalification. Certifications must not be seen as the equivalent of a guarantee.

Audits

Audits are performed to ascertain one or more of the following: the validity of information (financial and other such as performance reports), an independent assessment of internal controls, and an assessment of the completeness and capability maturity level of operational processes.

The outcome of an audit is an opinion of the items being audited (e.g., an organization, a set of processes, systems reflecting work done on a sampling or test basis). Therefore, an audit report can only provide reasonable assurance that its findings, observations and recommendations are free from material error.

There are many guidelines and good practices for IT and security audits, such as those published by ISACA.7

The challenges here fall in two categories:

  1. Defining the scope of an IT security audit so that it is appropriate to the organization, does not require an inordinate amount of time to complete, does not unduly disrupt the work of the IT security organization and its practitioners, and provides information that was previously unknown. An audit report that merely reports facts and issues already known to the organization is a waste of time and resources.
  2. Engaging auditors with appropriate qualifications and experience to ensure that the parties being audited can have confidence in the audit

Penetration Tests

Also known as ethical hacking, penetration tests differ from an external hacking attack only in that they have the consent of senior management, which, in turn, requires a good measure of trust and suitable contractual nondisclosure agreements.

It is prudent to remember that “anything built by man can be broken by man”8 and to fully expect the ethical hacking to confirm this.

Penetration tests can take many forms:

  • They may give the testers a measure of prior knowledge of the target (none equals black box, detailed equals white box, some equals gray box).
  • They may be announced to security team members prior to the engagement or be conducted without their knowledge.
  • They may be conducted either by testers with links to vendors or by independent testers.
  • They may be performed over a limited time, mainly to contain costs.

Conclusions

“If there is no problem, you are not needed. If there is a problem, you are incompetent.”9 This statement is made from time to time in security conferences, and it is clear that no professional would wish to be labeled “incompetent” or blamed.

COBIT 5 for Information Security10 can be used to help practitioners identify the trigger events and pain points that are relevant to their organizations at the time of review. This can also be supported by Principles for Information Security Practitioners11 issued jointly in December 2010 by ISACA, (ISC) 2 and the Information Security Forum.

The ability to demonstrate that due diligence has been exercised needs to be considered and an appropriate plan of action developed accordingly.

The five approaches described in this article are compatible with COBIT 5 for Information Security, and regarded as worthwhile initiatives subject to Nassim Taleb’s statement in The Black Swan that “No evidence of vulnerabilities is quite different from evidence of no vulnerabilities.”12

Endnotes

1 “How Good Is Your Data Center? Maybe You Should Find Out Before Your Boss Does,” Datamation, vol. 38, no.18, 1 September 1992
2 ISACA, IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals, October 2010, www.isaca.org/standards
3 War Games, www.imdb.com/title/tt0086567/
4 Taleb, Nassim; The Black Swan, 2007 (also by the same author, Fooled by Randomness)
5 Burns, Robert; To a Louse
6 International Organization for Standardization (ISO), Information Security Management System, ISO 27001, 2005
7 ISACA, Guidance for Best Practice in Information Security and IT Audit, 2009
8 Source unknown
9 Source unknown
10 ISACA, COBIT 5 for Information Security, 2012, www.isaca.org/cobit
11 ISACA, Principles for Information Security Practitioners, December 2010, www.isaca.org/Knowledge-Center/Standards/Pages/Security-Principles.aspx
12 Op cit, Taleb

Ed Gelbstein, Ph.d., has worked in IT for more than 40 years and is the former director of the United Nations (UN) International Computing Centre, a service organization providing IT services around the globe to most of the organizations in the UN System. Since leaving the UN, Gelbstein has been an advisor on IT matters to the UN Board of Auditors and the French National Audit Office (Cour des Comptes) and is also a faculty member of Webster University, Geneva, Switzerland. He is a regular speaker at international conferences covering audit, risk, governance and information security and is the author of several publications. Gelbstein lives in France and may be contacted at ed.gelbstein@gmail.com.


Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.

The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.

© 2012 ISACA. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.