Security Information Management The Foundation of Enterprise Security

Transcription

1 Security Information Management The Foundation of Enterprise Security All organizations must be concerned about incidents and loss a knowledgebased security program provides the best defense. By Brian McIlravey, CPP

2

3 Contents Executive Summary 5 Introduction 7 Finding Information in a Big Corporate World of Data 8 The World of Security Data 9 The Roles of Incident Management & Risk Assessment 10 The Deming Cycle 11 The Six Questions 14 Documenting the Right Data 15 Transforming Data into Information 20 Generating the Right Reports 20 A New Age of Security Incident & Information Management 23 The ROI of Data-Driven Security 25 Conclusion 26 About the Author 28 About PPM 2000 Inc. 29 Incident Management from Every Angle Featuring Perspective by PPM PPM 2000 Inc Avenue, Suite 1307 Edmonton, Alberta T5J 2Z information@ppm2000.com

4

5 Security Information Management The Foundation of Enterprise Security All organizations must be concerned about incidents and loss a knowledge-based security program provides the best defense. By Brian McIlravey, CPP Executive Summary The management of ongoing incident activity is an inevitable reality for all organizations. Detailed information about what is going on within and across an organization s operations enables deployment of effective security safeguards that help reduce incidents and losses, and provide a built-in defense against accusations of negligence or inadequate security. However, gathering and extracting the right information from the mountains of data available is one of the most common challenges facing organizations today. This challenge can be easily overcome with the aid of powerful and sophisticated incident reporting and investigation management software solutions. Security Information Management The Foundation of Enterprise Security 5

6

7 Introduction All organizations face potentially serious consequences from incidents of all nature. These include losses and disruptions caused by the events themselves, as well as subsequent litigation and lost opportunity costs. The chronic occurrence of even relatively minor incidents can undermine an organization s culture, cohesiveness and reputation. And in the extreme, major incidents can bring literal ruin to an organization. For instance, in 1995, fraudulent trading to the tune of $1.4 billion by rogue trader Nick Leeson forced the renowned British Barings Bank into bankruptcy. This cost 4,000 employees their jobs and huge losses for investors. Leeson, who worked out of the bank s Singapore office, was later convicted and sentenced to six and a half years in prison. While incidents and losses can never be totally prevented, an organization s visible commitment to knowing what is happening on its premises, in its surrounding neighborhoods, and across its operations is critical. Using information about actual and prevented incidents is essential to the development of effective security safeguards for each workplace environment, and a demonstrable commitment to collecting and constructively acting on this information is at the heart of successful litigation outcomes when the prosecution argues that the defending organization could have foreseen and prevented incidents from occurring. Unfortunately, the collection, analysis and management of incident data does not happen by itself; it is the Achilles heel of most security programs. This weakness includes failure to: Collect incident data in a consistent and accurate manner. Extracting the Terms The following terms appear throughout this whitepaper and are listed here in alphabetical order for your reference. Annual Loss Expectancy The expected total loss value attributed to a particular type of event for one year. Calculated by multiplying the expected frequency of the event for a one-year period (the number of times it will likely occur in a year) by the event s single loss expectancy (the loss value of the event occurring once). Annual Loss Expectancy = Frequency X Single Loss Expectancy Benchmark A point of reference against which something can be measured. Also referred to as a baseline measurement. Countermeasure A protective measure (physical or procedural) put in place to either minimize the frequency of an event or its impact. Store and proactively manage this data. Secure the data from unauthorized access and potential corruption. Analyze the data to derive useful information about security issues, as well as to educate upper management about the variety and intensity of threats that their organizations face. Act on the analytical information gleaned from the data in order to reduce or prevent incidents and loss. While the scene is changing dramatically in the age of the CSO (Chief Security Officer) and numerous management programs dedicated to security, it is surprising that many security Security Information Management The Foundation of Enterprise Security 7

8 operations still depend on inefficient office automation and reporting practices for incident management. For example, a number of corporate security departments have abandoned paperbased incident reports and conventional filing systems in favor of home-grown electronic incident reporting systems. While more efficient than paper reports, these electronic flat files are no more effective than traditional filing cabinets. They are searchable only with great effort, and they make finding specific information, doing analysis and generating reports very time-consuming. This is quite remarkable and fast becoming unacceptable with the need for immediate information and business intelligence in this day and age of fast-paced commerce and powerful threats and vulnerabilities. Most organizations would say that they are, quite literally, drowning in data while still suffering from a chronic lack of information on which to base decisions. This picture is not acceptable and it must change in order to maintain an effective risk management program. Finding Information in a Big Corporate World of Data The business world today is a data-centric world. Decisions based on carefully analyzed data are not only more likely to be correct and bring results, they are also more readily accepted and trusted. The term knowledge-based decisions is gaining currency. It refers to the knowledge and insights that are gleaned from raw data. As stated earlier, most corporations today are flooded with data, so much so that virtually no one in a typical corporation has the big picture of what is really going on. Ironically, that has become the convenient defense of executives involved in some recent highprofile corporate scandals. Yet, there is a recognizable truth lurking in and around their arguments; it should be understandable that there was much they did not know. One hears the same argument from all directions. Much data, but not enough clear information. Too many issues to track and understand, and not enough confidence that the grounds for action are valid or, if valid, an unwillingness to incur the expense of correcting the situation. Extracting the Terms Deming Cycle A cyclical management process designed to solve issues and improve procedures and responses. Also referred to as the PDCA cycle (Plan, Do, Check, Act). Event An occurrence, either accidental or purposeful, caused by human or natural factors. Frequency The number of times an event has occurred over a span of time. Also referred to as the likelihood or probability of the event s occurrence. Impact The measured effect of an event on an organization. Also referred to as the consequence of the event. May be tangible or intangible, with or without an associated dollar loss value. Incident Management The process of identifying and analyzing incident activity and determining the best course of action for handling it, presently as well as in the future. There is an obvious need for reliable business intelligence to drive actions. The challenge and the obvious, if daunting, opportunity is that our world of data is growing exponentially and becoming even more complex. It is only over the last two decades or so that organizations and 8 Security Information Management The Foundation of Enterprise Security

9 their software suppliers have begun to focus on the challenge of how to make sense and use of the mountains of data available to them. Data storage, data management and data mining are now huge businesses for IT suppliers and consulting firms. Likewise, the emerging field of data and business analytics is providing sophisticated tools, algorithms and modeling techniques to draw from raw data meaningful analysis, knowledge and predictive studies that provide guidance on strategy and future investment. The World of Security Data Progress must still be made in the practical integration of data management technology into daily security operations. Industry surveys show that security managers rank office management and paperwork as one of their most serious time consumers and sources of inefficiency. Budget preparation and justification is also a predictably large, and mostly unpleasant, time consumer. Even worse are one-off requests from upper management that invariably wreak havoc on a normal work week. The new trends of performance measurement and performance management now add an even greater degree of required reporting from predetermined metrics and measures. The world of security data is fundamentally disorderly, primarily because there is no obvious let alone easy and convenient way to organize a substantial variety of seemingly disparate data. It is for this reason that so little security department data is well utilized, even if it is routinely collected and archived. Some security directors will admit that very little of their data is routinely scrutinized for the identification of patterns and trends and for making decisions about logical corrective action. This, of course, changes decidedly in the days and weeks following a highvisibility incident when 20/20 hindsight becomes very apparent. Security directors explain that the lack of qualified data analysts and the time demands placed on management result in reactive management by red flags which means responding to crises rather than developing proactive, data-based security strategies. Extracting the Terms Loss The resulting impact of an event. Losses are usually measured in dollars, though intangible losses may also result from incident activity (e.g., loss of corporate reputation). Risk The likelihood of damage or loss [associated with an event s occurrence] multiplied by the potential magnitude of the loss. 1 Risk Management The process of determining whether or how much of the risk [associated with an event s occurrence] is acceptable and what action should be taken. 2 Security Information Management The collection, storage and management of security data for analysis of patterns, trends, potential risks and other intelligence. Single Loss Expectancy The expected loss value of an event occurring once. Threat An event that can potentially occur. It is absolutely critical for security departments to realize that the amount and variety of security data flowing into their information systems is only going to grow day-by-day and year-by-year both as their corporations grow and as new technology-based security systems come on line. The corresponding need to store and organize this data for meaningful use will thus become an ever more pressing issue that will almost certainly command more upper management interest and scrutiny. 1 Garcia, Mary Lynn. (2001). The Design and Evaluation of Physical Protection Systems. Woburn, MA: Butterworth-Heinemann. 2 McNamee, David. (1998). Business Risk Assessment. Altamonte Springs, FL: The Institute of Internal Auditors. Security Information Management The Foundation of Enterprise Security 9

10 The Roles of Incident Management & Risk Assessment With an overwhelming volume of security data available, it is crucial for organizations to closely examine the integral roles that incident management and risk assessment play in a successful security information management program. Understanding how they interact can aid organizations in identifying the data that is most useful in mitigating risk, as well as how this data may be used to proactively prevent incident activity and its related loss. Indeed, awareness of the common operations of these processes is key to better managing incident activity, risk and security. Of course, it is obvious that incident activity is the necessary pre-condition of both security management and risk management. Without incidents, there would be no risk and there would be no need for security. If it were possible to guarantee that incident activity would not occur, corporations and businesses would have no need to employ security staff. Clearly, this is not the case. Incident activity is widespread and affects organizations around the world; it cannot be fully prevented. So, the goal then is not so much to eliminate incidents as to manage them and reduce their associated loss. In effect, this is the function of security to manage the risk of incident activity. The risk management process provides security with a systematic framework to achieve this. Risk management can be defined as an organized approach through which uncertain events can be identified, measured and controlled to minimize loss and optimize the return on investment for security operations. It plays a central role in security s ability to reduce incident activity and its impact. Risk management can be defined as an organized approach through which uncertain events can be identified, measured and controlled to minimize loss and optimize the return on investment for security operations. It plays a central role in security s ability to reduce incident activity and its impact. Since security s main purpose is to minimize the effects of incident activity on corporate assets (people, property or information), any security force s first duty in protecting these assets is to put in place a countermeasure or safeguard against incident activity. Then, to identify whether or not the countermeasure is effective, it is necessary for the organization to measure any potential impact on their corporate assets since deploying the safeguard. (In other words, the organization must determine whether or not an incident has occurred since implementing the countermeasure.) If incidents have occurred and assets have been impacted, then the organization can perform a more thorough analysis of the effectiveness of the countermeasure in relation to the incident, and determine if further action is required. 10 Security Information Management The Foundation of Enterprise Security

11 This continuous cycle of managing incidents, risk and security can best be described by the Deming cycle, otherwise known as the PDCA cycle (Plan, Do, Check, Act). After planning and implementing a countermeasure, an organization monitors incident activity and measures the effectiveness of the countermeasure. The organization may then begin planning the next mitigating step that should be taken to improve protection of corporate assets. The cycle repeats, and the interplay of the incident management, risk management and security information management processes continues. Formulate Strategy Throughout these cycles, six questions must be asked and answered: 1. Has the incident happened before? Act Set Goals If so, what was the impact on the organization? Is the incident likely to happen again? If so, how often? Decide Monitor Metrics 4. What would the impact be? What countermeasures are currently in place to prevent the incident from happening again? What further steps can be taken to mitigate the risk of the incident s recurrence? Analyze The Deming Cycle Answering each of these questions, in turn, provides information needed to approach the following question, facilitating the continuation of the incident management, risk management and security information management cycles. The Deming Cycle To better answer the six questions integral to the incident management, risk management and security information management cycles, and to comprehend their dynamic interaction, it is useful to have a thorough understanding of the common process underlying them all the Deming cycle. When the adjacent Deming cycle graphic is applied to an organization s security program, the open space inside the ring represents the organization s assets (including people, property and data). The ring surrounding this space represents not only the various protective countermeasures the organization employs to mitigate the risk of incident activity (including physical and process-oriented countermeasures), but also the organization s entire security information management program. Security Information Management The Foundation of Enterprise Security 11

12 Formulate Strategy The first step involves an initial assessment of the organization s assets, their values and what countermeasures are currently required to protect them. In many cases, this information is contained in the organization s 1, 3 and 5 year security master plans. Set Goals This step requires the organization to set benchmarks for measuring the effectiveness of its countermeasures. Generally, an organization employs countermeasures to either reduce the number of incidents occurring or to reduce incident losses. Once a baseline has been selected, incident numbers and losses can be measured against it, and the organization will know whether or not their short and long term strategies are working. Usually, the baseline measurement, or benchmark, that an organization sets is derived from measurements of past incidents or threats. An organization can look to historical data to determine the various threats that exist for a particular asset, the impact of each of these threats if they were to manifest and the frequency of the threats. In this instance, the asset s threats would be the various types of incidents that could occur. The impact of each threat would be the loss value associated with the threat occurring once. And the frequency of each threat would be its expected number of occurrences. Threat X Impact = Single Loss Expectancy (Risk) Risk X Frequency = Annual Loss Expectancy In theory, a perfect security program would reduce all threats, impact, frequency, risk and loss expectancy to zero. However, in reality, an organization will set realistic goals for incident reduction and loss reduction based on the conclusions drawn from its historical data. For example, if an organization had an average of 18 internal thefts per year over the last three years with a total loss value of $50,000, potential goals for the upcoming year may be: Threat X Impact Single Loss Expectancy (Risk) Risk X Frequency Annual Loss Expectancy A reduction of incidents by 50%; the baseline measurement would then be 9 incidents. A loss reduction of 70%; the baseline measurement would then be $15,000. In addition to aiding incident, risk and security information management, setting benchmarks provides a means of measuring and managing performance. 12 Security Information Management The Foundation of Enterprise Security