Security Management. Security is taken for granted until something goes wrong.

Transcription

1 Security Management

2 Security Management Security is taken for granted until something goes wrong. Concerns about security have existed for as long as has mankind. The most obvious manifestation of this relates to ourselves, where we rely on basic needs such as food, clothing and security to be satisfied in order for the more discretionary aspects to be enjoyed. One popular attribution about security was voiced by William Shakespeare in Macbeth, from where the quotation Security is mortals chiefest enemy came in the 16th Century. This white paper explains how security management and service management are part of the same overall remit to run an effective enterprise information architecture. As they are but different aspects of the same objective, it can be argued that security management can sit in the service department. Security is taken for granted until something goes wrong, when visibility goes through the roof and management start to hunt for someone to blame. Whilst this is understandable, it can also be quickly recognised that exactly the same characteristic applies to service delivery as well. Information Security is a topic that has its own terminology, standards and champions and is either given too much prominence or not enough, depending on who is involved. However, we use information more today than at any time in our collective past and access to and the accuracy of that information is an assumed right. So what is Information Security and why is it relevant to the discipline of Service Delivery? SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 2

3 Definition of Security Information is an asset which, like any other business asset, has value to an organisation and so needs protecting. Whether that information is in paper or electronic format doesn t matter in terms of the business safeguards needed, although our main interest level is clearly in the electronic format as this is what IT deals with everyday. Information Security is defined here as representing the preservation of: Good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support. Confidentiality ensuring that information is accessible only to those authorised to access it Integrity safeguarding the accuracy & completeness of information and its processing Availability ensuring that users can get access to information and any associated assets when required So it isn t hard to understand the correlation between the objectives of information security management and what service managers should be doing everyday. For instance, good security is achieved by implementing a set of controls, policies, practices and procedures along with organisational structures and software support. This is so like how formal service management disciplines are structured that information security management should become a natural extension to scope, especially once it is realised that 42 of the 133 control objectives within the security world are also described in ISO 20000, the standard for service management. Security controls and regulation There are few formal controls governing service management in isolation but there are many concerning security management. These actually determine what controls should exist and what level of compliance with rules, statutes, regulations and industry standards must be achieved. There are several control regimes that govern security, with the most obvious one being ISO/IEC 27001, the international standard for information security management. SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 3

4 Figure 1 The control objectives of ISO ISO clause Security Categories Control Objectives Security policy 1 2 Organising security Asset management Human Resources security Physical and environmental security Communications and operations management Access control Systems development and maintenance Security incident management Business continuity management Compliance Security policy Total This standard details 133 control objectives grouped in 11 key clauses, as shown in figure 1, although not all of these will be needed in every organisation and many of them are capable of interpretation. This is where care is needed because unlike service management, security management can be overdone to be on the safe side and organisations end up being burdened by the weight of control. Whilst we do not want just anyone to be able to see our bank accounts, the protection needed over, say, our social media profile is a bit less important and so the controls need to be different. It is this aspect of security which confuses people most, because an element of judgement is required and this is exercised by means of Risk Assessments, which will return different results for different types of enterprise. The process for carrying out risk assessments is described by ISO and there are common themes in every organisation highlighted below, along with some of the underlying legal and regulatory requirements. SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 4

5 Figure 2 Laptop theft reported in The Times newspaper Data Protection all organisations have to comply with the 1998 Data Protection Act (DPA), which came into effect in Do you know what your responsibilities for this are? Enforcement of the DPA is the responsibility of the Information Commissioner who can impose heavy fines for data loss and non-compliance with the Act. Into this category also comes the Regulation of Investigatory Powers (RIP) Act 2000 which specifies who can take responsibility for the interception, monitoring and investigation of incidents and this is of particular relevance to organisations who need to determine who had access to information held or processed electronically. Use of and telephone call monitoring procedures by an employer of its staff is covered by this RIP legislation. Business Continuity all organisations need to protect their equipment, software and data from intentional or unintentional loss. Do you have a plan to show how your business operates when key information goes missing? Business continuity in a 24x7x52 business environment is far more complex than having a Disaster Recovery plan involving cold standby facilities for if you are on online retailer handling 2500 revenue a minute, can the business cash flow survive a 36 hour restore period? And would your customers accept this even if the business did? SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 5

6 Internet Threats anyone with PC based systems and/or internet access is vulnerable to information being lost or rendered inaccessible due to a virus. This can also seriously affect service stability it is estimated that 50% of all s contain a virus and there are 62tn of them annually around the world. Courts of law can use s as formal records of the company that you work for, which is why they are sequestered by the police. We can see that the is often more deadly than the mail! A recent issue of Internal Auditing magazine stated that the biggest risks facing organisations are now technologybased. Denial of Service most often interpreted as being a sustained bombardment of your website, denial of service can be achieved in other ways, often inadvertently if your network is not in a Closed User Group or has not been designed to use alternate routing and you get cut off from the outside world. This happens and if you do online business, then you re out of it until the outage is repaired and service is restored. Theft and Loss of Assets the growth in the number of laptops, tablets and smart phones means that both the hardware and information contained on them can and do go missing. Would you be happy if it was your medical records that were left behind on the bus? Or that your company tax return was being examined by your competitors? Security is a deeply personal issue as well as one of corporate embarrassment witness the high profile information leaks in recent years, such as that in figure 2 and the theft of identity of two high profile banking executives. ISO is not the only control regime that can be applied to security management, however. Another mature offering is CobiT, standing for Control Objectives for Information and related Technology and this methodology has been in existence since It is positioned as a practical toolkit for IT governance because following the Turnbull report, corporate governance and risk management have become increasingly important issues to businesses. A recent issue of Internal Auditing magazine stated that the biggest risks facing organisations are now technology-based. SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 6

7 Figure 3 How ISO and ISO clauses overlap Change Management Clause ISO ISO Planning and implementation ; Control of implementation Clause Clause Clause Clause Closing and reviewing Emergency changes Reporting and analysis Verification and audit ; Formal change procedures Control of essential changes Review, reporting and auditing Compliance with software IPR Just as the role of any auditor will, as a matter of course, include an information systems component, so effective corporate governance and risk management necessitates effective IT governance and risk management. CobiT is primarily an auditing tool but offers an alternative to ISO by introducing controls from a much wider set of standards; however, ISO has always relied on a security standard like ISO to discharge security specific requirements and a third of controls are shared between ISO and ISO An example, using change management, of how these controls are evidenced in the two standards is shown in figure 3. Service and Security synergy This paper has already asserted that there is significant synergy between the disciplines of security management and service management. If this is made obvious by a few examples, such as Disaster Management, then it can be readily seen how close the disciplines are. However, it is important not to take the leap towards organisational synergy without considering an important aspect of governance segregation of duties. IT staff with deep technical skills are the ones who have the means and arguably the time to hack into systems for their own ends and it is necessary to establish effective monitoring and control procedures to ensure they don t. SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 7

8 Figure 4 An example of an ISO controls assessment Business Continuity Management Compliance Security policy 100% 75% Organisation of security 50% Asset management 25% Security Incident Management 0% Human Resources Security System Development & MTCE Access control Operations management Physical & environmental security Score This may be more difficult when everyone is under the same management umbrella but given that the benefits of synergy can outweigh the drawbacks then self policing, assuming suitable external oversight and effective access control systems, becomes possible even in the most highly regulated organisations. The way ahead for organisations All good ideas start off with either a feasibility study or a visionary statement. There are a number of ways that the security management regime appropriate to your organisation can be determined and a survey, taking no more than a few hours to complete, that will assess conformance to ISO is a very good start. An example of the output from a security assessment is shown in figure 4 and provides an overview of control status. Management of security can be made cost effective if taken alongside a service improvement programme where the changes can be dovetailed together and this approach works in practice. SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 8

9 If you are seeking the most effective way of delivering high quality services alongside robust operational KPIs and security appropriate for the Electronic Business, then consider making security management part of your IT service improvement programme. This can be regarded as offering savings of about 10% of the cost of having separate teams, whilst delivering better service. Anyone considering accreditation to ISO will know that a key focus area for compliance is information security management. An organisation having accreditation to ISO is deemed to have fully satisfied the requirements of ISO in this regard, thus proving the link between Security Management and Service Delivery. For More Information: Contact Fruition Partners at or info@fruitionpartners.com. You can also browse some related resources on our website: ESM Showcase Case Studies Webinars SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 9

10 SECURITY MANAGEMENT A FRUITION PARTNERS WHITEPAPER 10