In the launch of this series, Information Security Management

Transcription

1 Information Security Management Programs: Operational Assessments Lessons Learned and Best Practices Revealed JUSTIN SOMAINI AND ALAN HAZLETON As the authors explain, a comprehensive assessment process that includes a focus on security and technology operations is critical to the development of a comprehensive information security management program. In the launch of this series, Information Security Management Programs: Lessons Learned and Best Practices Revealed, the process of developing a comprehensive information security management program ( ISMP ) was introduced. The second installment brought clar- Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle; reviewing strategic alternatives and priorities; structuring contracts; and implementing third party service provider solutions. Mr. Hazelton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations and assisting with initial implementation and long term operational management. Mr. Hazleton can be reached at [email protected]. 892

2 INFORMATION SECURITY MANAGEMENT PROGRAMS; OPERATIONAL ASSESSMENTS Lesson One: The existing corporate culture, organizational roles and historical security events as well as potential response to secuity to a commonly overlooked component of a successful ISMP development process the organizational assessment a subset of the Assessment and Strategy phase. To date, the common challenges with ISMP design and implementation have been highlighted. Now the discussion turns to addressing the critical process of performing another subset of the Assessment and Strategy phase an operational assessment and the importance of this assessment s outputs for building an effective and achievable ISMP strategy. Why? A comprehensive assess- A Review and a Look Forward Article 1: Information Security Management Programs: Lessons Learned and Best Practices Revealed: Lesson One: ISMS do not typically fail due to difficulty understanding or implementing technology. Lesson Two: Comprehensive security policy is but one of the key building blocks to an effective ISMS. Lesson Three: To successfully design an ISMP, the information security team must thoroughly understand the employee and management team s opinions, attitudes and history with respect to enterprise information security. Lesson Four: To successfully design an ISMP, the information security team must thoroughly understand the current state of operational processes and tools for IT infrastructure and application development. Article 2: Information Security Management Programs: Organizational Assessment Lessons Learned and Best Practices Revealed: 893

3 PRIVACY & DATA SECURITY LAW JOURNAL ment process that includes a focus on security and technology operations is critical to the development of the ISMP strategy. A lesson from the initial piece in this series stated that ISMSs (information security management systems) do not typically fail due to difficulty understanding or implementing technology. This assertion was further clarified by an example that underscored the fact that technology rarely fails; rather, more frequently, people or processes fail. Even though an understanding of existing culture and organizational dynamics is often underesti- rity-related stimuli should be an integral part of the assessment process. Lesson Two: The charter of the organizational assessment process is to gain a detailed understanding of an organization s culture and workforce dynamics in order to effectively tailor the ISMP program to the organization. Lesson Three: To understand an organization, you must talk to its executives, managers and employees. Lesson Four: Surveys are not an acceptable replacement for interviews; but the feasibility of interviewing a relevant sample of any large, geographically distributed organization in a limited timeframe is difficult, and sometimes there are political sensitivities to interviews across geographies. ISMP Phases of Implementation Phase 1: Assessment and Strategy Phase 2: Triage and Tactical Initiatives Phase 3: Metrics and Awareness Phase 4: Technical and Process Maturity Phase 5: Assessment and Validation Phase 6: Strategic Initiatives 894

4 INFORMATION SECURITY MANAGEMENT PROGRAMS; OPERATIONAL ASSESSMENTS mated, a comprehensive operational assessment and gap analysis is an area that security professionals stress for development of a successful ISMP. Lesson One: The Operational Assessment or detailed understanding of the existing information technology services (e.g. design, operation, strategy and transition), governance, control and security processes must be a foundational component of the assessment process. There are several bodies of knowledge that have been embraced by information technology ( IT ) organizations across the world. The International Organization for Standardization, specifically, the ISO/IEC standard, is the core for an ISMP. There are very detailed controls defined in that should be used to build components of operational assessment processes. However, in order to effectively address the services, governance and control processes listed above, additional bodies of knowledge should be leveraged to complete or round out the operational assessment reference knowledge base. Governance and Control The primary IT control framework used in the United States is the CobiT 1 Framework. CobiT is an acronym for Control Objectives for Information and Related Technology, which was developed by the IT Governance Institute ( ITGI ). CobiT is an internationally recognized set of industry standards for IT governance and control practices. Although originated in the U.S., it is commonly used internationally due to the ever-increasing nature of the global economy and interrelationships between business partners. A detailed overview of CobiT is not addressed here. As a component of the operational assessment, CobiT should be leveraged to assess the existing information technology governance and control processes. The ISMP should represent an enterprise roadmap that must be tailored to meet program management guidelines, and even more importantly, to understand how all implementations of technology and process are accomplished in the organization. 895

5 PRIVACY & DATA SECURITY LAW JOURNAL Information Technology Infrastructure Library The Information Technology Infrastructure Library ( ITIL ) 2 is a widely adopted collection of published processes and techniques for managing IT infrastructure, development, and operations. ITIL includes detailed definitions of a series of critical IT practices that are designed to be tailored to any IT organization. ITIL is published by the United Kingdom s Office of Government Commerce ( OGC ) and includes comprehensive checklists, tasks and procedures. As a component of the operational assessment, ITIL should be leveraged to assess existing IT services. To be successful, the ISMP should represent a series of initiatives that must be tailored to integrate with existing services. Key areas including Change Management, Configuration Management, Incident Management and Service Management must be assessed for level of maturity and impact to the overall ISMP design. Lesson Two: The Operational Assessment should leverage a gap analysis model that enforces the consistency of the review process across multiple dimensions including industry best practices and existing organizational processes, controls and technology. Process and Control Framework The information security ( Infosec ) organization must be able to successfully analyze existing process and control hierarchy and rapidly define the gap between leading practices and existing policies, procedures and security architecture. Providing the ability to rapidly analyze maturity of processes against leading practices and drive analysis efforts from multiple dimensions, the use of best practices to develop a gap analysis will greatly enhance the quality of the strategy process. The Infosec team should strive to bring as much consistency as possible to the gap analysis model to define relationships between corporate business processes and leading practices that include CobiT, ISO27001 and ITIL standards. The operational assessment will benefit greatly from a relational approach to mapping leading practices, business require- 896

6 INFORMATION SECURITY MANAGEMENT PROGRAMS; OPERATIONAL ASSESSMENTS ments (regulatory and other) to corporate process and control hierarchies. Upon detailed review of CobiT, ISO27001 and ITIL, the redundancy, or overlap, in certain areas will become obvious. The use of an operational assessment framework will allow the reviewer to select the most appropriate best practices for their organization and maturity level. Lesson Three: The Operational Assessment should leverage a gap analysis model that ensures the discovery of all technology components utilized across existing information technology processes. Technical Architecture A common method used in the IT industry for describing the impact of new technology implementations (e.g. change) is to reference three dimensions: people, process and technology. Here and in previous installments, a great deal of focus has been placed on the analysis of culture and organizational process. The second column in this series emphasized the people aspect of ISMP design. The process and control framework approach described herein emphasizes the process aspects of ISMP design. What about technology? Why have we not focused on the review and assessment of technology and the security architecture for the organization? The answer is simple, but often misunderstood. The assessment of technology can be effectively accomplished through the lens of process review and cultural review. When asked what technology is planned for implementation over the next year, any good security professional s eyes will light up, and they will begin a long and colorful discussion, piece by piece, of how the network, server, storage and application infrastructure will be improved through technology. But the discussion can turn to interesting but sometimes misleading attributes of technology solutions, including Security Information Management, Intrusion Detection and Prevention, Data Encryption, Data Loss Prevention, Host Security, Endpoint Security and Mobile Security. The Infosec professional s leap to technology as the solution to specific issues is as natural as an IT infrastructure professional s leap to the next 897

7 PRIVACY & DATA SECURITY LAW JOURNAL level of server virtualization. The astute Infosec professional, however, will weave the technology implementations into a series of people and process changes with the overall goal of reducing risk to the organization. Lesson Four: The charter of the gap analysis process is to document the maturity level of the existing culture (people), processes and technology in order to identify where there is doubt in the ability of current state processes to effectively address risk to the organization. Operational Assessment and Gap Analysis The development of a comprehensive gap analysis of the current state of security in any organization is critical to the development of a security strategy. The phased journey to a destination or future state can only be accurately planned if the definition of that destination is well defined. The operational assessment and gap analysis process varies significantly from the organizational assessment described in the previous article. The operational assessment is primarily oriented to a quantitative analysis approach, while the organizational assessment includes a significant level of qualitative analysis. What is the difference? The simple view is that qualitative analysis involves words and quantitative analysis involves numbers. During the organizational assessment, qualitative analysis involves active participation of the reviewer in the process and immersion in the analysis (e.g. interviews). In addition, one of the key goals of the organizational assessment is to build relationships of trust between Infosec (reviewers) and IT (participants). During the operational assessment, quantitative analysis involves objective observation wherein the reviewer does not participate directly in processes being reviewed nor significantly influence those processes. Since Infosec is involved in many IT processes and usually exerts some influence on the process execution, this pure approach is not strictly followed, but the use of quantitative principles in the operational assessment and gap analysis still applies. The accompanying table outlines the high-level tasks and order of operations for completing the gap analysis process for IT operations. 898

8 INFORMATION SECURITY MANAGEMENT PROGRAMS; OPERATIONAL ASSESSMENTS Step Preparation Identify Analysis Scope Identify Analysis Gaps Select Analysis Approach Select Analysis Population Conduct Assessment and Gap Analysis Distribute Results and Gain Consensus Distribute Final Results Description Select the best practice knowledge bases Identify redundant coverage and select knowledge base of record for each topic area Select, refine and confirm the components of those best practices that will be used in the gap analysis process Identify coverage gaps Select additional knowledge bases of record for each gap, or supplement with additional content For each component, identify the most appropriate analysis approach Develop analysis response definitions (e.g., binary response selection definitions, or multiple choice selection definitions) Develop analysis response weightings (e.g., level of importance indicators) For each component, identify the most appropriate people, processes and technology Confirm assessment and analysis participants Complete gap analysis process Distribute results to participants and provide for feedback mechanism Make modifications where analysis was incomplete or inaccurate Distribute results to executive management 899

9 PRIVACY & DATA SECURITY LAW JOURNAL Security Goals and Objectives (Strategy) In order to develop an achievable strategy for security in any organization, the Infosec professional must be able to define in detail the endstate goals to be achieved. The process of developing a gap analysis is to define the people, process and technology changes that must be prioritized, designed, implemented, measured and managed over the course of a phased implementation approach. The phased implementation approach (for example, security strategy), must be carefully tailored to the organization s unique requirements and process maturity. The organization must be secured, risks must be mitigated, and the business must continue to operate while the security strategy is in process. In the next installment in this series, the process of developing a comprehensive security strategy will be defined, including leveraging the outputs of the organizational assessment and operational assessment processes. Constraints to the implementation of the strategy will be addressed in order to tailor the strategy to the current state of the organization. Although frequently a component of process improvement in the strategy itself, the use of enterprise risk management disciplines to tailor the strategy will also be introduced. NOTES 1 Control Objectives for Information and Related Technology ( CobiT ), IT Governance Institute ( ITGI ). 2 Information Technology Infrastructure Library ( ITIL ), United Kingdom s Office of Government Commerce ( OGC ). 900