IT SECURITY PROGRAM MANAGEMENT

Transcription

1 G O E B E L A S S O C I A T E S IT Management with Value and Purpose IT SECURITY PROGRAM MANAGEMENT HOW TO ADD VALUE AND GIVE PURPOSE TO YOUR INFORMATION SECURITY PROGRAM (Suarez, K. 2007) DANIEL C GOEBEL, CISSP, ITIL, ISO GOEBEL ASSOCIATES KENNETH SUAREZ, CISSP - SUAREZ CONSULTING INC. JAMES AUSTIN, CISSP, PMP, - ENLIGHTENED INC. C o p y r i g h t G o e b e l A s s o c i a t e s A l l R i g h t s R e s e r v e d W 5 t h S t, F r e d e r i c k, M D telephone fax: w w w. g o e b e l a s s o c i a t e s. c o m

2 Executive Overview What is the best way to look at how to secure your Information? There is not an easy answer. Certainly information does not remain static, neither should your Security Program. The concept of Life Cycle management is not new. Cycles occur in nature all the time. The ability to mimic nature is very flattering, but to be able to direct it is an altogether different matter. We present a view on how an Information Security Program can be implemented. We see that there are some basic patterns that repeat themselves over and over. We see that there is a central viewpoint to which we can regain control of your Information Security. In essence, there are 4 areas that revolve around a central controlling area. We call the 4 areas Pillars and the central theme a Singular Purpose. The 4 Pillars are guided by a set of three triads that concern our information and how they are governed. We ll explore Strategy and Planning, Acquisition and Development, Risk Management, and Operations and Maintenance. These will revolve around the ability to measure value by using the correct metrics, whose stewards of this information are specifically trained to extract the best results possible. Each area will have specific controls attributed to it covering the 7 Security Principles of Governance, Monitoring, Continuous Improvement, Technical Management, Privacy, Business Continuity, and Awareness and Training. Strategy and Planning The 4 Pillars While we all know that it pays to measure twice and cut once, if you measure the wrong thing then you still end up with a piece that has to be redone. Careful planning involves considering where the organization needs to go in terms of how it provides product or service. Only then can a reasonable set of solutions can be offered. One would like to think that all one has to do is apply all the controls from a given frame- 2

3 work to cover any possible action, but some controls are costly to implement therefore one has to to look at the reasoning behind such an action. How the organization is set up matters as well. Is your organization set up to centrally mange it s resources, or is it set up to have individual business units do it for themselves? Or is it somewhere in between as is seen in a Federated model? Or is it that your model needs to change based upon the direction or regulations coming down the road? Attacking the implementation of Information Security Management is no less daunting. Some institutions keep Policy management separated from Engineering while others make no distinction. What s correct for your organization depends on many factors and there is no absolutely correct way of handling it. In any of the above scenarios it is important to communicate your vision, strategy, and mission to those who are implementing it. And those who implement it should be allowed to give feedback on improving how it is done. Regulations and Markets change with ease, so should your strategy. Acquisition and Development For organizations that are not in the business of developing their own software the option of acquiring off-the-shelf software requires due diligence, not only from a contracts management perspective, but from an architecture perspective. Not all software is secure. This becomes more apparent when it is introduced into a complex environment. The same amount of effort goes into testing whether it will adhere to the overall Enterprise Architecture requirements, whether it will give the results needed, and whether it plays well with others. There is no software that exists completely on its own. Proper testing is vital. Similarly, when it is decided that software is best to be developed in house, then the the concepts of how your development proceeds closely follows how quickly it needs to be developed and what the culture is like for your organization. Both of these will help 3

4 determine your methodology (i.e. Agile, Extreme, Waterfall, etc.). In any methodology chosen the PMO is closely involved to realize and track the organization s Earned Value. Risk Management Management of risk is well known among financial analysts and business people. the same principles hold true for Information professionals. There are some very good frameworks and methodologies, such as the OCTAVE method, NSA IAM/IEM, M_o_R, NIST, and etc. All these explore threats, vulnerabilities, likelihood, and impact. What s important is that Risk Management is continuous, but even more so is that it is done before the Information is put into production. The ability to properly transition information from acquisition or development into operations is an important aspect exercising the system fully before it is used. Even after it has been put into production, the procedures and containers of information need to be periodically reviewed, at minimum every year, preferably in real time. Operations and Maintenance The O&M arena has been the traditional cornerstone of the Security Program. It has been in this area that administrators has had to come up with their own innovative methods of protecting the information on IT systems. From the days of the Morris worm to modern day botnets, these hardworking people have had to spend inordinate amount of time and effort to combat everyday threats. There is a solution. This solution involves defining what is done on a day to day basis and categorizing those processes into service areas. Luckily this has been done for IT in general. The IT Infrastructure Library (ITIL) is in its third revision and provides guidance to any organization involved in information stewardship. With the latest revision of ITIL, now an international effort, the organization can view the services it provides in terms of a life cycle. The steps in this life cycle are: Strategy, Design, Transition, Operations, and Continuous Improvement. These phases of Information Management make it possible to mature a 4

5 program to become proactive, not just reactive. What needs to be kept in mind is that since Security Operations mirrors IT Operations in general all ITIL concepts equally apply. Some argue that Security Management is not an area that should be separated out, but rather that it should be fully integrated within. Tenants Triad of Three Confidentiality - Is defined as limited to persons authorized to use information, documents, etc., so classified. It is this capability to ensure that only those that are authorized to access the information are easily allowed to do so, and those that are not allowed are denied access. This touches on the principle of Privacy. Integrity - Knowing that the information you are using at has not been altered is the assurance of this tenant. Simple techniques, such as a CRC or Hash are examples of an integrity check. Availability - This tenant follows closely on the requirement that the business side of an organization be involved in defining what constitutes as available or not. Business continuity is called that for a reason. Information does not care if it is available or not, the users of that information do, however. The business of Disaster Recovery, Continuity of Operations, and Business Continuity Planning all involve how the organization defines its business and any Service Level agreements that it has in place with their customers. Areas Management - The area of Management identifies those principles that cover Governance and Policy. In tune with this is that the improvement of the IT program has to be done 5

6 by taking a look at those metrics that are defined and agreed upon. When an organization has achieved this level of maturity, it can be said that they possess a continuously improving Program of Security. Operational - The area defined under operational is where the rubber meets the road. Unless you can operationalize how your Security Program is implemented, then it is of no use to the organization. In order to help in this area, the procedures and run books have to defined, mapped to other procedures, and reviewed periodically so that there is a basic understanding of how the facility is run on a daily, weekly, monthly, and yearly basis. Technical - This the area that much of the present day attention is given. While this is obviously necessary, it is also unfortunate. When we talk of a technical control area we do not imply that technology will be a panacea, but rather that when technology is applied toward safeguarding your information that these technical considerations will be given, regardless of the technical solution. In the adage of People, Process, and Technology, Technology is the final consideration after you decided who and how it is to be done. In any maturity model the actual technology is not even a consideration. Information Protection At Rest - Information sitting around in file shares and file cabinets are waiting for someone to come along and look at it. The information does not care who looks at it, but the owner of that information does care. It may be sensitive military information or it may be intellectual property, either way, denying access to those that are unauthorized to see it is important while the data is just sitting there. Simple tools as a lock for the file cabinet of encryption for all laptops, which are seeing ever increasing rates of being stolen or lost, is vitally important. In Transit - Encryption of information is as old as Caesar. With the simple alphabetic substitution ciphers of the Roman army to the vastly complicated modern algorithms, 6

7 information protection while the information is being transmitted is important and even easier to implement these days. During Processing - This particular information state is often an under considered state for information to be in. Normally one considers whether the information is in transit or at rest, but the usually transient state when the information is being transformed or searched has to be considered as well. Singular Purpose IT Value The overall goal of having an IT Security Program is to bring value and protection to all areas of your business. We have to keep in mind that it is information we are protecting. This means protecting the people that are stewards of an organization s data, protecting the places that this information is being stored, and the resources that will make use of this information. To do that will require some oversight. The Project Management Institute and it s Project Management Body of Knowledge can help. This will lead to the ability to provide continuous improvement for all future IT Security projects. Project Management Office A successful IT project requires accurate estimation, careful planning, constant monitoring, and the ability to learn from past mistakes. The Project Management Institute (PMI) has been engaged in understanding how projects can become successful for quite a few years. It is their ability to comprehensively and succinctly put together a body of knowledge around project management that allows organizations to successfully implement a full blown Program Management Office (PMO). The PMO can be as simple as an in-house consultancy by providing guidance to more autonomous areas of project management or it can be that over arching management structure collating and keeping track of all projects within an organization. Most likely 7

8 it lies somewhere in between the two extremes and that it is based upon how the organization is set up (i.e. centralized, federated, etc. See section on Strategy and Planning). The purpose of the PMO is to manage resources and monitor the progress of ongoing projects, as well as to see that value is derived from the projects. Since Information Security has become such an integrated aspect of how the organization engages in business, there should be dedicated project managers to the various security projects. An example of this are titles such as Security Officers (SO) or Information System Security Officer (ISSO). The people that are designated as such should be given every opportunity to not only have enough accountability for the implementation of the Security Program, but should also be empowered enough to make reasonable judgements in how the program should be improved. Continuous Improvement How does one improve the overall Security Program? With the PMI s Body of Knowledge and the 5 stages of a project (Initiation, Planning, Developing, Monitoring, and Closing), the organization can set up metrics and controls during the project life cycle to gauge overall performance. It is precisely to ability to marry the correct and easily gathered metrics to the overall goals and mission of an organization that will provide the most benefit for the organization. Coming up with metrics for metric sake and it having no relevance to what the business deems valuable will prove to be a red herring for business decisions and ultimately will be of no value to anyone. Metrics for a security program requires what we like to call a lot of front loading. This extra effort up front will go along way in helping everyone on the project keep the end goals in mind and strive for what s important for the business. When even the least significant person is involved in determining what should be measured and how it can be measured then the whole team presents a coherent picture of what needs to be accomplished. 8

9 To help illustrate the complexity of a good metric we have an example. An organization measures how many s contain viruses on a weekly basis and thus blocked. What is it that we are measuring? In simple terms we can measure the percentage of s that contain viruses compared to non virus carrying s and eventually get a trend over a year s period. But what does that measure? It might measure that spam s versus virus s are changing proportions and that we will need to bolster resources towards spam. But the real question should be how many virus laden s did we NOT catch? This is a difficult question. Yes we are blocking viruses and this goes to show that at least that one control in an enterprise security management is being handled, but how can we improve the implementation of that control? This is where the organization has to sit down and talk it over with subject matter experts and come up with meaningful measurements. Summary Information Security is more than tossing some technology at the problem, it involves full cooperation of all involved, especially those business stakeholders who have the most to lose. The coordination of strategy, development, risk management, and operations, with the continual monitoring and improving of security services is an engagement unlike any that has been experienced in the past. There are no cookie cutter approaches of how to do it, that is why it is important to ensure all stakeholders understand the goals and mission of the organization as a whole. The capacity of an organization rests in the effort of everyone to carry out that mission to their own specific capability. Finding the experts to accurately engage the organization is half the battle. 9

10 Acknowledgements Daniel C Goebel, CISSP, ITIL Foundations, ISO27001 certified - Dan has been involved in the IT industry since He has worked on Wall Street, for Hospitals, at Bell Labs, at Rutgers University, and since 2003 has been consulting in the federal and civilian enterprise security space. He has an undergraduate degree in Biology from Rutgers University and is presently finishing up his Executive IT Masters degree with the CIO certificate from the University of Maryland, University College. 10