Information Security Management for Governments 


The establishment of common controls and enterprisewide security program development, coordination, implementation and management is the maturation of IS security from a secondary activity to an executive-level operational concern. The key question is: Are not only US government agencies, but also other governments and businesses globally now going to use these new requirements as the impetus of change needed to accelerate the needed improvement in their security readiness and capabilities?1

For many governments of developing nations, information security has not yet become a priority initiative and, as a result, information security may not be supported by the executive in a manner that encourages the measurement and administration of the controls that may be necessary to protect the information processed, stored and transported by the government’s IT systems. The risk associated with not having basic information security controls in place is not always seen as more significant than the initiatives that can gain political mileage. In many cases, the role of information security management (ISM) is assigned to a single individual, or a very small team, who reports to a senior manager or executive with little or no focus on information security.

This article seeks to share a simple model that can be used for ISM in governments. It is meant to assist the information security manager who faces the challenge of establishing a program that is not visible in, or supported by, the priorities of the government environment in which he or she works.

ISM

ISM should be treated as a specialized function within smaller governments. The information security leader should have direct reporting lines to the head of the government agency responsible for either IT risk management or IT operations. The scope of the information security leader in government needs to be across all of government. An effort to restrict this scope for political or other reasons could compromise the security of information stored, transported and processed by the government. There should be one point of contact for information security at an executive level, and this person must be able to act quickly, at short notice and in a manner that can protect the entire government—within the boundaries of the most senior approval.

The controls recommended in ISO 27001:2005, Information technology—Security techniques—Information security management systems—Requirements, should be implemented in a manner that is applicable to the environment and within budget. A record of all controls that are necessary, but are not achievable within the current budget, should be maintained, and this record should be used to plan each new budget thereafter.

ISM Model

Figure 1 depicts an ISM model for smaller governments:

  • Performance measurement—Before implementing information security controls, it is a good idea to identify the processes that are necessary and to establish a system that will allow the success of the processes to be measured using defined benchmarks against specific control objectives. These processes and methods of measurement are available through COBIT 4.1; however, the value of implementing COBIT can be lost if regular, periodic assessment and measurement are not done.
  • Development—At least 30 percent of effort should be allocated toward development in each of the seven pillars (discussed in more detail later).
  • Budget—The information security budget can be continuously justified by asking the executive sponsors pertinent questions such as, “Would it be useful to be able to measure how well the enterprise protects its information?”
  • Staffing—In comparison to other technical departments, information security can function efficiently with a small team of specialists, controlled delegation of responsibilities across other IT departments and outsourcing of specialized activities.

Using ISO 27001 as a guide, the information security department should be built on the following seven pillars of responsibility (figure 1).

Figure 1: ISM model for smaller governments (figure not reproduced in this text)

Information Security Policy
The information security policy should clearly communicate the government’s position on the way its computer systems are to be developed, implemented, managed, used and disposed. If previous experience or time is not available, the drafting of the policy can be outsourced and aligned with the vision, environment, culture and IT infrastructure of the government.

A small information security policy review committee should be established that comprises, at a minimum, senior representatives from the most critical departments/ministries (e.g., defense, justice/legal, health, finance). This committee should also include representatives from departments that are critical to the government’s economic and political objectives (e.g., energy, industry). Even though it is not necessary for all members of the committee to have a technical background, it is useful if the representatives have a basic understanding of IT and its role in government.

The policy should be approved by the body responsible for government decisions at the highest level (the cabinet, council of ministers or the executive council). It should then be treated as an official government document and be distributed to all government agencies.

Security Awareness
Security awareness is an ongoing process that seeks to ensure that all users are familiar with the information security policies and best practices that govern the use of IT assets.

It is good practice to establish a process whereby new employees are made to attend a security awareness training session as part of their orientation. This can culminate in an online lab session and a quiz to ensure understanding. At the end of the initial training and as part of their annual assessment, all employees should sign a release indicating that they accept and understand the policies.

The security awareness program can be split into two specific streams: one geared toward the general user and one that is specialized for technical officers. In the technical officer stream, it is advisable to address the security controls that must be implemented at the system, application, network and database levels. System administrator policies and standards should also be addressed in the technical program.

Due to the number of computer users within most governments, it is often not practical for the information security department to take on the task of conducting the security awareness sessions, and outsourcing may be required. It is useful to first contract a specialized security awareness training provider to measure the requirements of the training and recommend a customized service based on the size of the network, number of users, categories of users, culture, budget and the government’s information security policies.

Identity and Access Management (IAM)
A clear hierarchy of access approval should be established with the requisite segregation of duties considered. The information security administrator should not be able to grant access to any system without second approval from the business owner. All access and granting of access should be recorded.

If the budget allows it, a single centralized identity management system (IMS), inclusive of single sign-on (SSO), should be implemented. The key is to be able to view and control a user’s access privileges from one place while simplifying the user experience without compromising system security.

For successful IAM:

  • All accounts should be uniquely identifiable and assigned to an individual.
  • All default accounts should be removed and replaced by uniquely identifiable accounts with the same privileges as the default accounts.
  • One account-naming convention should be maintained. For example, avoid using “jbrown” for AS/400 access, “joe_brown” for Windows access and “joe.brown” for UNIX access. An SSO system removes this problem.
  • Privileged access activity (e.g., root, admin) should be regularly reviewed, and suspicious events should be investigated.
  • Orphan accounts, i.e., accounts that belonged to employees who no longer work for the unit/department, should be closely monitored. These accounts should be disabled and removed as soon as the employee has been terminated.
  • Exception reports for multiple password failures should be produced and reviewed daily.
  • Audits and “clean-ups” of all user databases should be performed regularly.
  • Contractors, auditors and remote system support should be granted only temporary access. If further access is required, the approval process should be followed and recorded.
  • Adequate storage space and memory should be available for access logs, and all logs should record who, when, where and what for each instance of access.
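Several of the IAM checks above (one naming convention, removal of default accounts, review of privileged activity, disabling orphan accounts and a daily exception report for multiple password failures) can be produced automatically. The following script is an added example, not part of the original article; its log format, account directory, HR roster, naming convention and failure threshold are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample authentication log for one day; the line format is an
# assumption, not any real product's format.
SAMPLE_LOG = """\
2011-03-01T08:01:12 host=fin-db01 user=jbrown result=FAIL src=10.1.4.22
2011-03-01T08:01:20 host=fin-db01 user=jbrown result=FAIL src=10.1.4.22
2011-03-01T08:01:31 host=fin-db01 user=jbrown result=FAIL src=10.1.4.22
2011-03-01T08:01:40 host=fin-db01 user=jbrown result=FAIL src=10.1.4.22
2011-03-01T08:02:02 host=fin-db01 user=jbrown result=FAIL src=10.1.4.22
2011-03-01T08:15:00 host=hr-app01 user=asmith result=OK src=10.1.7.9
2011-03-01T09:30:44 host=hr-app01 user=root result=OK src=10.1.9.3
2011-03-01T10:02:10 host=fin-db01 user=tgone result=OK src=10.1.4.50
2011-03-01T11:45:00 host=hr-app01 user=asmith result=FAIL src=10.1.7.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$")

# Constructed account directory (account name -> owning employee id; None for
# shared/default accounts) and constructed HR roster of current employees.
ACCOUNT_DIRECTORY = {"jbrown": "E1001", "joe.brown": "E1001", "asmith": "E1002",
                     "tgone": "E1003", "root": None, "admin": None}
ACTIVE_STAFF = {"E1001", "E1002"}
PRIVILEGED = {"root", "admin"}            # every use of these is reviewed
DEFAULT_ACCOUNTS = {"root", "admin", "guest"}
NAMING_RE = re.compile(r"^[a-z]{2,16}$")  # assumed convention: initial + surname
FAIL_THRESHOLD = 5                        # assumed: 5+ failures per day is an exception

def parse_log(text):
    """Parse log text into event dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def failed_login_exceptions(events, threshold=FAIL_THRESHOLD):
    """(user, host, count) for each user/host pair at or above the threshold."""
    counts = Counter((e["user"], e["host"]) for e in events if e["result"] == "FAIL")
    return sorted((u, h, n) for (u, h), n in counts.items() if n >= threshold)

def privileged_activity(events):
    """Every use of a privileged account, listed for manual review."""
    return [(e["ts"], e["user"], e["host"], e["src"]) for e in events if e["user"] in PRIVILEGED]

def orphan_accounts(directory, active_staff):
    """Personal accounts whose owner is no longer on the HR roster: disable and remove."""
    return sorted(a for a, owner in directory.items() if owner and owner not in active_staff)

def nonconforming_accounts(directory):
    """Accounts that break the single account-naming convention."""
    return sorted(a for a in directory if not NAMING_RE.match(a))

def default_accounts_present(directory):
    """Default accounts that should have been removed and replaced."""
    return sorted(set(directory) & DEFAULT_ACCOUNTS)

def daily_report(log_text, directory, active_staff):
    """Assemble the daily IAM exception report as a dict of finding lists."""
    events = parse_log(log_text)
    return {"failed_logins": failed_login_exceptions(events), "privileged": privileged_activity(events),
            "orphans": orphan_accounts(directory, active_staff),
            "nonconforming": nonconforming_accounts(directory), "defaults": default_accounts_present(directory)}

if __name__ == "__main__":
    for section, rows in daily_report(SAMPLE_LOG, ACCOUNT_DIRECTORY, ACTIVE_STAFF).items():
        print(section, rows)
```

On the constructed data the report flags the five failures for jbrown on fin-db01, the one root login, the orphan account tgone, the nonconforming name joe.brown and the surviving default accounts root and admin.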

Network and Data Security
In the absence of a network security engineer, specific network security processes will be required, and the information security manager will need to ensure that these are assigned to technical resources with the appropriate skills. The information security manager should review daily exception reports because network security administration can be assigned to resources that may not have information security as their daily priority.

All standard network security tools should be assessed and implemented where applicable.

Virtual private networks (VPNs) should be used where applicable, and Internet traffic should be secured and controlled (Secure Sockets Layer [SSL], Hypertext Transfer Protocol Secure [HTTPS], etc.).

The design of the network is extremely important. Critical and vulnerable services should be identified and placed in highly secured network zones. DMZs should be implemented and used to separate critical services from lower-risk services.

Network policies should be reviewed regularly and implemented at all times. It is recommended to have a centralized network policy management system from which policy modules can be applied to network elements.

Network policies should mandate that all network clients (personal computers [PCs], laptops, etc.) have a defined, minimum set of security controls in place before they are authenticated to the network. For example, all laptops should have the latest antimalware software updates installed before access to network services is granted.

Operating system (OS) patch levels should be applied across the organization after being tested in an isolated environment. This includes all security updates that may have been implemented by the OS vendors.

Network access logs should be reviewed daily, and all suspicious activity should be reported according to a defined escalation procedure and addressed as quickly as possible.

Monitoring
The assumption that the network is not under threat is normally a perception created by a lack of adequate monitoring. The information security manager within the government must ensure that there are ongoing and measurable information security incident monitoring processes in place at both the internal and national level.

The key watchwords of monitoring are: who, when, where and what.

At an internal level, incident reporting resources and tools should be deployed at all times. Surveillance of all networks and data repositories is critical. Automated alerting mechanisms and escalation procedures should be designed and implemented. Exception reports should be reviewed daily. Extra storage for log files should be identified, and all access logging should be activated. A corporate logging strategy should be implemented that includes, but is not limited to, log rotation strategy, archiving and remote journaling.

Internal information security monitoring can be the responsibility of the network group or the help desk, and most of it can be automated.

At the external or national level, the information security manager within the government should be actively involved in running a national computer security incident response team (CSIRT).

Assistance in setting up a national CSIRT is readily available from the Inter-American Committee Against Terrorism (CICTE).2 The national CSIRT team should comprise members from a cross-section of the society. Education, military, critical industry and the private business sector should all be actively involved. The national CSIRT should be closely linked with other regional CSIRTs and should have a direct escalation path to the government executive responsible for national security.

Risk Assessment
In the case of information security, risk assessment consists of a number of techniques used to identify and report weaknesses and to recommend mitigating controls. This is an ongoing process of checking for existing risks and recommending mitigation.

A cycle to identify information security risks should be established. This includes identification of both IT system and process vulnerabilities. For example, is it possible for the network administrator to create user accounts anonymously without trace or approval? These tests should be conducted by independent, third-party security specialists. It is best practice to alternate among the contracted third parties on an annual basis, thus ensuring that any biases are avoided and a wider spread of results is achieved.

The resulting threat analysis reports should be used to determine levels of risk and to apply priorities in budgets and remedial activity. Generally, information security risk (R) can be approximated by determining the measurement of the probability (P) of an event occurring, the value (V) of the asset that may be at risk and the threat (T) itself. In mathematical terms, the rough equation is: R = PVT.

All recommended mitigation should be submitted to senior management. The enterprise may be willing to accept the risk regardless of the cost of mitigation because the risk may have a low impact or its likelihood may be low. It is up to the senior management team to determine the enterprise risk tolerance level and to inform the information security manager as to whether the recommended mitigation should be implemented.

The cost of implementing the countermeasure equals the cost of the asset multiplied by the value percentage of the overall infrastructure, which is then multiplied by the annualized rate of occurrence (ARO).

The exercise of achieving accurate calculations of risk in this manner can be time-consuming and highly subjective. For smaller information security departments, it is probably more worthwhile to outsource the threat analysis and address the identified weaknesses, in order of criticality, as soon as possible. For the organization that determines that it is worthwhile to measure risk, The Risk IT Practitioner Guide from ISACA and ISO 27005:2008, Information technology—Security techniques—Information security risk management, can be used for guidance.

Contingency
Contingency planning would normally fall under the scope of the risk management department; however, in smaller governments, the responsibility often ends up with the information security department for various reasons.

In this case, contingency planning involves business continuity planning (BCP) and disaster recovery planning (DRP) as it relates to IT infrastructural design and IT business support processes. The objective is to ensure minimal service disruption and the reestablishment of business services in the shortest possible time after an unforeseen event or a disaster occurs.

The contingency planning process does not refer only to backup and restoration; it also includes the following steps:

  • Develop a contingency planning policy statement.
  • Conduct a business impact analysis (BIA).
  • Identify preventive controls.
  • Develop recovery strategies.
  • Develop an IT contingency plan (including a sequence of recovery).
  • Plan testing, training and exercises.
  • Plan maintenance.

The contingency strategy must be developed in cooperation with other functional and resource managers associated with the system or the business processes supported by the system. All major applications and general support systems must have a contingency plan.3

From implementation of storage area networks (SANs) and data restoration to the development of the emergency contact list for the server room, the IT contingency coordinator (in the case of smaller governments, the information security manager) must be able to understand and coordinate the processes that are necessary. A good place to start is with the identification of the critical business services and their supporting infrastructure, i.e., the services that, if unavailable, would disable the ability to achieve organizational goals and would result in loss of revenue, reputation and legal compliance.

It is recommended that the information security manager become familiar with the contingency planning guide for IT systems published by the US National Institute of Standards and Technology in 2002.

Conclusion

In governments that place less importance on the needs and risks associated with the security of the information that is stored, transported and processed by their IT systems, the information security manager may find it easier to establish a successful and sustainable ISM function by implementing a model that includes information security policy, information security awareness, IAM, network and data security, information security monitoring, and risk assessment and contingency as functional pillars. These functions should be supported by continuous measurement and compliance, development, and appropriate budgeting and staffing.

Endnotes

1 Roth, Jeff; “Evolution of Federal Cybersecurity—From Individual Controls to Systems of Control,” JournalOnline, ISACA Journal, vol. 5, 2010, www.isaca.org/journalonline
2 In 2004, in recognition of the emerging threats to the Internet and related computer systems, the Organization of American States (OAS) General Assembly adopted a “comprehensive inter-American strategy to combat threats to cybersecurity.” The strategy calls for all member states to establish or identify national “alert, watch and warning” groups known as computer security incident response teams (CSIRTs) and to take the necessary measures to prevent cyberthreats, prosecute cybercrimes and promote a culture of awareness in their countries. To help implement these three pillars of strategy, three OAS committees joined forces—the Inter-American Committee Against Terrorism (CICTE), the group of governmental experts on cybercrime of the Meeting of Ministers of Justice or of Ministers or Attorneys General of the Americas (REMJA), and the Inter-American Telecommunications Commission (CITEL).
3 National Institute of Standards and Technology (NIST), Contingency Planning Guide for Information Technology Systems, USA, 2002, www.itl.nist.gov/lab/bulletns/bltnjun02.htm

Krishna Raj Kumar, CISA, CISM
is a senior consultant with Barrington Consulting Group based in Halifax, Nova Scotia, Canada. He has worked as an information security manager for more than 15 years within the financial and governmental sectors of the Caribbean, where he last held the position of executive manager, information security in the Government of the Republic of Trinidad and Tobago.



© 2011 ISACA. All rights reserved.
