The relationship between technology advancements and business

Transcription

1 Security Information Management Programs: Lessons Learned and Best Practices Revealed JUSTIN SOMAINI AND ALAN HAZLETON This article introduces the often overlooked aspects of an end-to-end, organizational implementation approach or program for an effective information security management system. The relationship between technology advancements and business threats can be traced back to the evolution of piracy and the early days of maritime commerce on the Mediterranean Sea. Starting sometime around 500 B.C., early adopter Greek pirates leveraged tech- Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle; reviewing strategic alternatives and priorities; structuring contracts; and implementing third-party service provider solutions. Mr. Hazelton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations and assisting with initial implementation and long-term operational management. Mr. Hazleton can be reached at alan.hazleton@tpi.net. 654

2 SECURITY INFORMATION MANAGEMENT PROGRAMS nology advancements in the form of faster, shallow-bottomed vessels (triremes) and successfully attacked shipping lanes in the Mediterranean by escaping from larger vessels into shallow waters. Later, Northern European Vikings employed fast, shallow-bottomed vessels (longships) to traverse inland waterways to attack villages with dual-edged axes and swords. Pirates continued to leverage technology throughout history, right up to today s digital age, where piracy can be found in the illegal duplication and distribution of copyrighted content on the Internet. The pillaging of the ancient Vikings to today s digital pirates illustrates that as technology matures and helps to provide more strategic business opportunities, the threats to an enterprise can also increase. Threats emanate from many different origins including competitors, organized crime, climatic elements, political unrest, as well as technologysavvy individuals connected to an ever-increasing global network of online communities. Even if a business does not have a global base of operations, it faces a vast array of technology-driven threats from all over the world. Defining the threats facing an enterprise is as critical as defining opportunities for revenue expansion. Of course, establishing preventive measures against threats is the end-state goal. A threat must be defined in order to develop an adequate defense. THE ISO STANDARD One of the most widely adopted industry best practices for security management is the ISO/IEC standard published by the International Standards Organization ( ISO ). This standard, based on the earlier standard ISO 17799, defines in detail the concept of an information security management system ( ISMS ). ISO/IEC is designed to assist organizations with implementation of a continuously improving system of security controls. In order for commercial enterprises to protect the integrity of information critical to the longevity of their business, they must implement a comprehensive, measurable, continuously improving, and proactive ISMS. These programs should be based on best practices and, most important, must be designed to provide a consistent feedback mechanism 655

3 PRIVACY & DATA SECURITY LAW JOURNAL for not only critical alerts but also continuous improvement. This article introduces the often overlooked aspects of an end-to-end, organizational implementation approach or program for an effective ISMS. In response to the increasing level of technology-based threats to businesses, governments, and individual consumers, a wide variety of legislative policies have been designed and enacted to influence businesses to address security threats or face significant financial penalties. Through increasingly prescriptive information security and privacy legislation, executive management teams and corporate directors not only face the threat of losing revenue, stockholders equity, brand equity, intellectual property, and customers, but also risk personal loss of freedom from legislative accountability. Establishing an effective information security management program ( ISMP ) has become one of the most important objectives of any corporate strategy. THE PDCA MODEL The adoption of the Plan-Do-Check-Act ( PDCA ) model, 1 which is applied to structure all ISMS processes, is critical to implementing an ISMP. Unfortunately, a large number of security programs today are operating in more of a Plan-Do-React ( PDR ) model because they are inadequately addressing critical components of the ISMS. Several reasons underpin the challenges of PDCA and the overall lack of process maturity in the security industry today; however, it is not due to lack of standards defined in the ISO/IEC There are many variables that can impact the creation of an effective ISMP. Without a clear understanding of the inputs necessary to create the ISMP strategy, an information security team will experience difficulty in developing and tailoring a cogent and effective strategy that incorporates a company s unique requirements and helps the business achieves its goals. In addition, without a clear definition of success or the end-state goals of the program, it is very difficult to develop a relevant ISMS strategy. Here we outline common pitfalls, misconceptions, and challenges associated with ISMP design. 656

4 SECURITY INFORMATION MANAGEMENT PROGRAMS Lesson One: ISMSs Do Not Typically Fail Due To Difficulty Understanding or Implementing Technology Let s take an example from the application development world. Many application development projects fail to meet customer expectations, not because of an inability to conquer technology issues, but more frequently due to a lack of process adherence (e.g., institutionalized systems development life cycles). Comparatively, technology is typically not the most important concern in implementing a successful ISMP. A significant percentage of ISMP challenges stem from individuals failing to adopt new policies or consistently follow established policies rather than from technology issues. For example, configuring a firewall is not seen as difficult from a technology perspective; however, ensuring that firewall rule sets are standardized, current, and implemented consistently is more difficult. Lesson Two: Comprehensive Security Policy Is But One of the Key Building Blocks to an Effective ISMS As any information security organization adopts new or revised processes or policies, there is typically a challenge with alignment to existing organizational processes or policies in addition to the organizational structure, roles, and responsibilities. Formalized and properly communicated security policies, procedures, and standards (policy) are critical to an effective ISMP implementation. Although critical, the existence of a formal security policy does not necessarily create a more secure environment or higher level of protection. Historically, it s been difficult to correlate policy maturity with a measurable level of enterprise security protection. A key challenge related to implementing security policy is how they are communicated, distributed, and made readily available. More important, what critical measures are established by an information security team to provide feedback regarding the level of awareness of the target user community? The institutionalization of policy is definitely one of the most challenging goals of enterprise information security organizations. Since a large percentage of security breaches are ultimately traced back to lack of adherence to policy, the environment fostered by an information security team is the single most important factor in securing an enterprise. 657

5 PRIVACY & DATA SECURITY LAW JOURNAL Lesson Three: To Successfully Design an ISMP, the Information Security Team Must Thoroughly Understand the Employee and Management Team s Opinions, Attitudes, and History With Respect to Enterprise Information Security In the next piece of this series, the process of conducting a gap analysis including an organizational assessment is discussed in detail. The discovery of the level of awareness, past experience with security, industry and corporate culture characteristics, and other important factors are critical to success. Examples of processes that must be thoroughly understood as input to the ISMP strategy include human resource management, project management, learning management, cultural empowerment, succession planning, performance evaluation, and incentive compensation. In order to develop a predictable and achievable strategy for a successful ISMP, a deep understanding of the current process environment is also critical. Even though technology is not the top concern in implementing a successful ISMP, the current state of other key operational processes must be understood to effectively tailor the strategy development process. Lesson Four: To Successfully Design an ISMP, the Information Security Team Must Thoroughly Understand the Current State of Operational Processes and Tools for IT Infrastructure and Application Development The discovery of the level of process maturity in other areas of information technology management through an operational assessment is also critical for success. Examples of processes that must be thoroughly understood as input to the ISMP strategy include service level management, incident management, problem management, event management, defect tracking, and root cause analysis. The following phases of an ISMP implementation have been identified as critical to the implementation of an effective ISMS: Phase 1: Assessment and Strategy 658

6 Phase 2: Triage and Tactical Initiatives Phase 3: Metrics and Awareness Phase 4: Technical and Process Maturity Phase 5: Assessment and Validation Phase 6: Strategic Initiatives SECURITY INFORMATION MANAGEMENT PROGRAMS In order to successfully complete the phases listed above, the information security team must develop a thorough understanding of where the current environment stands from a process maturity perspective as well as the work in process and planned work to increase the maturity level over the next several years. Another consideration often overlooked is the short-term and long-term strategy of where the business is evolving from a product, market, sourcing, or competitive perspective. All of these factors should influence the development of the ISMP. Focusing on organizational readiness, policies, procedures, processes, standards, and data integration will provide insight to IT executives, information security professionals, and other interested parties on the most critical areas to address when designing and implementing an effective information security program. CONCLUSION Technology-driven security threats are global in nature, and executive teams need to be savvy and take measures to ensure their business interests are adequately protected. Deploying an effective information security management program ( ISMP ) should be considered a cornerstone of an overall corporate strategy. NOTE 1 BS ISO/IEC 27001:2005, Information Security Information Security Management Systems Requirements, International Standards Organization,