Information Security Management Programs: Assessment Analysis
Lessons Learned and Best Practices Revealed

JUSTIN SOMAINI AND ALAN HAZLETON
PRIVACY & DATA SECURITY LAW JOURNAL

This article, the fourth in a series, expands on the overlooked aspects of information security management system implementations introduced in a previous installment by focusing on the process of normalizing and analyzing organizational and operational assessment outputs.

About the authors: Justin Somaini, Chief Information Security Officer for Symantec Corporation, leads its Information Security group, which is responsible for information security governance and risk management, privacy, and threat response. Most recently, he was the Director of Information Security at VeriSign, Inc., where he was responsible for all aspects of information security. Alan Hazleton, a Senior Advisor with TPI, has extensive expertise in helping clients with the full sourcing life cycle: reviewing strategic alternatives and priorities, structuring contracts, and implementing third-party service provider solutions. Mr. Hazleton has a particular focus on assessing existing application development and maintenance organizations as well as information security management organizations, and on assisting with initial implementation and long-term operational management. Mr. Hazleton can be reached at alan.hazleton@tpi.net.

In the first three installments of our series on Information Security Management Programs (ISMP), we have explored the process of developing a comprehensive ISMP and have defined the first two steps of the Assessment & Strategy phase. The initial step in the Assessment & Strategy phase is the Organizational Assessment, and the second step is the Operational Assessment. Along the way, lessons have been highlighted that address common challenges with ISMP design and implementation. Please bear in mind that the phases and steps in ISMP development are not necessarily sequential and are definitely not intended to be performed only once. Most industry best practices, including CobiT,[1] ITIL[2] and ISO/IEC 27001,[3] treat processes as life cycles that are recurring, repetitive and, most importantly, reflect continuous improvement. Figure 1 depicts the overall ISMP life cycle phases, including the first phase, Assessment & Strategy.

Figure 1: ISMP life cycle phases (figure not reproduced)

Now we turn to Assessment Analysis, another subset of the Assessment & Strategy phase and a key step in the ISMP strategy development process. Why? Information security professionals have long been challenged to consolidate the output of various assessment techniques into a roadmap for change, such as the ISMP strategy. Unlike the change politicians espouse, change in this context means achievable, measurable change to enterprise security in the form of risk reduction. Since the organizational and operational assessment techniques include both quantitative and qualitative disciplines, the ISMP strategist must be able to consolidate the output of these different disciplines into a cohesive model that can be used to prioritize strategy components and to highlight which of them need further analysis using enterprise risk assessment techniques.

Lesson One: The analysis of assessment outputs developed from disparate techniques or disciplines must be normalized before those outputs are leveraged for ISMP strategy development.

ISMP Strategy Development Framework

An ISMP strategy development process is a complex undertaking that should be approached with detailed planning and with explicit identification of assumptions, constraints and expectations. Earlier installments of this series discussed the choice of which best practices to adopt for information security. Another decision area concerns the approach for consolidating and normalizing assessment outputs. In the overviews of the Organizational Assessment and the Operational Assessment, the concept of leveraging best practices, of not reinventing the wheel, was stressed, and this decision area is no different.

Lesson Two: The assessment analysis process should leverage a model that is easy to understand and familiar to various roles, from executives to security technicians.

SWOT Analysis

During the 1960s and 1970s, Albert Humphrey led research projects for Stanford University that resulted in a method of strategic planning now referred to as Strengths, Weaknesses, Opportunities and Threats (SWOT) Analysis. Using data from leading corporations, the research was targeted at identifying the reasons behind failures of corporate planning and strategy.
While the SWOT model has been used in planning and analysis for many years, it is primarily a collection and categorization technique, and that property is what makes it a suitable mechanism for normalizing the quantitative and qualitative outputs of the organizational and operational assessments. When Humphrey was conducting the research that produced the SWOT model, the words "weaknesses" and "threats" did not automatically imply that information security was the topic of discussion, as most IT professionals would assume today. Weaknesses map readily to vulnerabilities in information security terminology; threats, however, have always been threats, whether they are economic, operational, physical, logical, external or internal. Figure 2 depicts the components of the ISMP strategy development process outlined in this and previous articles.

Figure 2: ISMP strategy development process components (figure not reproduced)
Lesson Three: The SWOT analysis should be targeted at a specific objective, such as an ISMP strategy to reduce corporate information security risk, and should be used to begin the analysis process, not as a substitute for analysis.

Best Practice Framework Continuity

The information security (Infosec) organization must be able to analyze organizational and operational assessment results and rapidly prioritize the gaps between leading practices and existing policies, procedures and security architecture. By providing the ability to analyze assessment outputs rapidly and from multiple dimensions, the SWOT normalization model greatly enhances the quality of the analysis. To leverage both the SWOT categorization model and the maturity-model components of best practices, the Infosec team should bring as much consistency as possible to the SWOT Analysis and ensure that the relationships between SWOT components and leading practices, including the CobiT, ITIL and ISO/IEC 27001 standards, are maintained.

Lesson Four: The Assessment Analysis process should be designed to keep leveraging a reference model that ensures that SWOT Analysis components remain linked to best-practice definitions of maturity. See Table 1 for an example of this concept.

Assessment Analysis

Once the SWOT analysis has been completed, the ISMP strategist begins prioritizing the changes that need to occur into tactical (short-term) and strategic (long-term) categories. The phased journey to a destination, or future state, can be planned accurately only if that destination is well defined. With regard to ISMP strategy, defining the destination in detail, with clear periodic milestones, is critical to achieving measurable success.

A Review and a Look Forward

July 2008: Information Security Management Programs: Lessons Learned and Best Practices Revealed
    Lesson One: ISMS do not typically fail due to difficulty understanding or implementing technology.
    Lesson Two: Comprehensive security policy is but one of the key building blocks of an effective ISMS.
    Lesson Three: To successfully design an ISMP, the information security team must thoroughly understand the employee and management team's opinions, attitudes, and history with respect to enterprise information security.
    Lesson Four: To successfully design an ISMP, the information security team must thoroughly understand the current state of operational processes and tools for IT infrastructure and application development.

August 2008: Information Security Management Programs: Organizational Assessment: Lessons Learned and Best Practices Revealed
    Lesson One: The existing corporate culture, organizational roles, historical security events, and potential responses to security-related stimuli should be integral parts of the assessment process.
    Lesson Two: The charter of the organizational assessment process is to gain a detailed understanding of an organization's culture and workforce dynamics in order to tailor the ISMP effectively to the organization.
    Lesson Three: To understand an organization, you must talk to its executives, managers and employees.
    Lesson Four: Surveys are not an acceptable replacement for interviews; but interviewing a relevant sample of any large, geographically distributed organization in a limited timeframe is difficult, and sometimes there are political sensitivities to interviews across geographies.
Table 1: SWOT Analysis components linked to best-practice maturity definitions (table not reproduced)
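The linkage that Lesson Four describes, and the tactical-versus-strategic split that follows it, can be made concrete in code. The following is an added example, not code from the original article or from its authors: it takes findings from both assessments, normalizes each raw measurement (a percentage, a CVSS score, a survey mean) onto a common 0 to 1 exposure scale, keeps every finding tied to a CobiT-style 0 to 5 maturity level, places it in a SWOT quadrant, and assigns it to one of the three change groupings. The sample findings, their scales, the control labels, the equal weighting of measurement and maturity gap, the 0.5 threshold, and the routing of non-clear-cut items by assessment source are all assumptions chosen for illustration.

```python
"""Normalize mixed assessment findings into SWOT quadrants and ISMP change groupings.

Added example (not from the original article). All findings, scales, control labels,
weights and thresholds below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

# CobiT 4.1 generic maturity levels, used as the common reference scale so that
# every SWOT entry stays linked to a best-practice definition of maturity.
MATURITY = ["Non-existent", "Initial", "Repeatable", "Defined", "Managed", "Optimized"]

TACTICAL = "Triage & Tactical Initiatives"
AWARENESS = "Metrics & Awareness"
TECHNICAL = "Technical & Process Maturity"
PRESERVE = "Preserve / leverage"


@dataclass(frozen=True)
class Finding:
    ident: str
    source: str                 # "organizational" (qualitative) or "operational" (quantitative)
    origin: str                 # "internal" or "external": picks Strength/Weakness vs Opportunity/Threat
    control: str                # reference-model control the finding maps to (illustrative labels)
    value: float                # raw measurement (percentage, CVSS score, survey mean, ...)
    scale: Tuple[float, float]  # (low, high) bounds of the raw scale
    higher_is_worse: bool       # direction of the raw scale
    current: int                # observed maturity level, index into MATURITY
    target: int                 # maturity level the strategy should reach
    clear_cut: bool = False     # accepted practice settles the fix; no risk analysis needed first


def normalize(f: Finding) -> float:
    """Map the raw value onto 0.0 (best) .. 1.0 (worst) regardless of its scale or direction."""
    low, high = f.scale
    if high <= low:
        raise ValueError(f"{f.ident}: scale must satisfy low < high")
    clamped = min(max(f.value, low), high)        # tolerate out-of-range inputs
    position = (clamped - low) / (high - low)
    return position if f.higher_is_worse else 1.0 - position


def maturity_gap(f: Finding) -> float:
    """Distance from current to target maturity as a fraction of the 0..5 scale."""
    if not (0 <= f.current < len(MATURITY) and 0 <= f.target < len(MATURITY)):
        raise ValueError(f"{f.ident}: maturity levels must be 0..{len(MATURITY) - 1}")
    return max(f.target - f.current, 0) / (len(MATURITY) - 1)


def exposure(f: Finding) -> float:
    """Blend normalized measurement and maturity gap; equal weights are an assumption."""
    return round(0.5 * normalize(f) + 0.5 * maturity_gap(f), 3)


def quadrant(f: Finding, threshold: float = 0.5) -> str:
    """Place the finding in a SWOT quadrant: origin picks the axis, exposure picks the side."""
    if f.origin not in ("internal", "external"):
        raise ValueError(f"{f.ident}: origin must be 'internal' or 'external'")
    bad = exposure(f) >= threshold
    if f.origin == "internal":
        return "Weakness" if bad else "Strength"
    return "Threat" if bad else "Opportunity"


def grouping(f: Finding) -> str:
    """Assign the change grouping. Clear-cut weaknesses and threats go straight to triage
    without a risk analysis; the rest are strategic and are routed by assessment source."""
    q = quadrant(f)
    if q in ("Strength", "Opportunity"):
        return PRESERVE
    if f.clear_cut:
        return TACTICAL
    return AWARENESS if f.source == "organizational" else TECHNICAL


def analyze(findings: List[Finding]) -> List[tuple]:
    """Return (id, quadrant, exposure, maturity path, grouping) rows, worst exposure first."""
    rows = [(f.ident, quadrant(f), exposure(f),
             f"{MATURITY[f.current]} -> {MATURITY[f.target]}", grouping(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample findings (not real assessment data).
SAMPLE_FINDINGS = [
    # % of server accounts holding administrative rights; an accepted-practice fix exists
    Finding("OPS-01", "operational", "internal", "Access control", 65, (0, 100), True, 1, 4, clear_cut=True),
    # interview/survey mean on a 1..5 scale where 5 is best
    Finding("ORG-01", "organizational", "internal", "Security awareness", 2.2, (1, 5), False, 1, 3),
    # worst unpatched CVSS base score observed on internet-facing hosts
    Finding("EXT-01", "operational", "external", "Patch management", 7.5, (0, 10), True, 2, 4),
    # policy awareness survey mean, already at target maturity
    Finding("ORG-02", "organizational", "internal", "Security policy", 4.2, (1, 5), False, 3, 3),
]

if __name__ == "__main__":
    for row in analyze(SAMPLE_FINDINGS):
        print(row)
```

Run stand-alone, the script lists the four sample findings worst first: the excess-administrative-access finding lands in the Weakness quadrant and the Triage & Tactical Initiatives group without any risk analysis, the two strategic gaps are routed to the Metrics & Awareness and Technical & Process Maturity groups, and the policy finding is recorded as a Strength to preserve. Because the maturity path travels with every row, each SWOT entry can still be read against the reference model it was scored on.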
As illustrated in Figure 1, there are three distinct categories of work effort used to group changes to security policy, process, standards and/or technology:

    Triage & Tactical Initiatives
    Metrics & Awareness
    Technical & Process Maturity

Triage and Tactical Initiatives

One of the challenges of developing an effective ISMP strategy is balancing tactical initiatives against strategic change. Information security best practices always include a discussion of the merits of risk analysis and risk management. This is a key area where textbooks lead the security strategist astray: not every threat or vulnerability requires a completed risk analysis before the work of mitigating it can be prioritized. Access control is a familiar example. A common finding of an operational assessment is that too many users or other resources have administrative access to server operating systems. The security strategist does not need to perform a risk analysis on excessive administrative privileges to know that this weakness should be addressed as quickly as possible. This is a prime example of an operational assessment result that would be normalized into the Weakness quadrant of the SWOT model and subsequently prioritized into the Triage & Tactical Initiatives group of changes.

Phased Approach with Rolling Wave Planning

The phased implementation approach of the ISMP strategy must be carefully tailored to the organization's unique requirements and process maturity. Because of the dynamic nature of the information security industry, it is paramount to leverage concepts such as rolling wave planning (RWP), in which the components of an overall plan are decomposed into phases. The phases are repetitive in nature, with frequent adjustments to deliverables and expectations. As the implementation of the change components proceeds, the understanding of the work required and of the deliverables becomes clearer; this is frequently referred to as progressive elaboration. The ISMP strategy must be flexible and designed to leverage RWP and progressive elaboration.

What's Next

Common sense and the application of best practices will give most organizations very clear change components to include in the Triage & Tactical Initiatives, Metrics & Awareness, and Technical & Process Maturity groupings of the ISMP strategy. Strategic initiatives are very different and represent the appropriate use of the risk analysis and risk management disciplines. The organization must be secured, risks must be mitigated, and the business must continue to operate while the security strategy is in process. In the next installment(s) in this series, the process of assembling a comprehensive security strategy will be defined, including how to leverage the outputs of the assessment analysis processes. Constraints on strategy implementation will be addressed in order to tailor the strategy to the current state of the organization. The use of enterprise risk management disciplines to tailor the strategy will also be introduced.

NOTES

[1] Control Objectives for Information and Related Technology (CobiT), IT Governance Institute (ITGI).
[2] Information Technology Infrastructure Library (ITIL), United Kingdom Office of Government Commerce (OGC).
[3] BS ISO/IEC 27001:2005, Information technology. Security techniques. Information security management systems. Requirements, International Organization for Standardization, 2005.