Sytorus Information Assessment Overview
Contents
Section 1: Our Understanding of the Challenge
1 The Challenge
Section 2: IT-CMF
2 The IT-CMF
Section 3: Information Security Management (ISM) Critical Capability
3 Why ISM?
4 Overview of the ISM
5 Categories and Critical Building Blocks of the ISM
Section 4: Our Approach
6 The Report
Practices, Outcomes and Metrics
Senior Management Reporting
7 The Benefits
Section 1: Our Understanding of the Challenge
1 The Challenge

IT is often asked by senior management to report on the level of security of the IT systems within the organisation. This is a challenging question. To answer it fully, an organisation should look not only at the security of its websites and infrastructure, but also at the security governance surrounding the entire business: breaches can range from malicious attacks to a lack of security awareness among individuals within the organisation. A recent report indicates that 80% of data protection breaches, for example, were due to intentional but non-malicious actions of employees.

To get a full executive view of the security capability of a company, it is necessary to assess not only its defensive capabilities at any one time, but also its capability to respond in a constantly changing environment. This means:
- Understanding how secure the current infrastructure is (i.e. a penetration testing review, etc.).
- Understanding the current information security capability of the organisation, including governance, staff awareness, business continuity, security strategy and security resource management.
- Developing a plan for continuous improvement which is easily understood and reportable at executive level.
Section 2: IT-CMF
A quick overview of the IT-CMF and its mission statement
2 The IT-CMF

The IT-CMF is based on five maturity levels (Initial, Basic, Intermediate, Advanced and Optimizing) used to assess and optimize the value of IT:
The IT-CMF, as a Capability Maturity Framework, comprises over 30 Critical Capabilities (CCs), each of which addresses a fundamental component of IT's role within the enterprise. These are in turn grouped under four macro-capabilities, each representing a core and common concern for IT, namely business alignment, budget management, capability delivery and business value:
The IT-CMF is delivered through online assessments, face-to-face interviews and evidence gathering, for any of these Critical Capabilities, in order to derive a maturity level for each. The resulting data is presented in easily understood visual form, with specific identification of under- and over-investment and of the next steps to drive further maturity and value for each Critical Capability in scope. Comparisons are made against competitors, sectors and similar-sized organisations to determine maturity against peers. The fundamental goal of the IT-CMF is to bring business and IT closer together, to the point at which IT is wholly optimised not only in support and execution of the business objectives but also in its relationships with suppliers and partners.
Section 3: Information Security Management (ISM) Critical Capability
3 Why ISM?

Information is:
- Key to business growth and success;
- An essential business enabler;
- A valuable business asset.

Therefore, it is vital that the availability, integrity and confidentiality of information be assured. This can be threatened by, for example:
- Theft;
- Accidental or malicious damage or loss;
- Disruption of supporting utilities such as power or the network.

Information continues to be business critical and is increasingly complex to manage, for the following reasons:
- Physical boundaries are disappearing; more business data is transmitted over the internet, accelerated by the widespread adoption of mobile devices.
- Business activity (and the related threats) operate on a global scale.
- Maximal security would imply physical lockdown, which is unacceptable from the business standpoint; hence multiple criteria need to be balanced and fed into decision-making.
- The pace of change continues to accelerate. Digitization is having a profound effect on business models, with traditional bricks-and-mortar industries being dominated or completely replaced by models that are essentially based on software.
- Companies are moving from the more traditional outsourcing contracts to cloud service providers.
- 72% of organizations report increased risk to information security, from both external and internal threats.
Legal and regulatory expectations pertaining to information are also changing, with increased complexity arising from organizations operating across multiple jurisdictions. Key considerations here are:
- Has the information been retained longer than it should have been?
- Does the data follow a defined life-cycle, and is it safe to delete it?
- Does the business have permission to share this data with its partners?
- Is it permissible for the company to use data supplied by another company?

If information security is violated, this can result in loss of business operations with associated adverse financial and reputational impacts, which can extend for significant periods of time, particularly should legal actions result from a breach of security.
Source: Ernst & Young (2011) Global Information Security Survey

The changing state of information security in 2012 is evident from the following findings:
- Information security has edged out business continuity as the most important connection between IT risks and reputation.
- Data breaches, data theft and cybercrime are identified as the IT risk posing the greatest risk to business (61%).
- Emerging technologies such as cloud, bring your own device (BYOD) and social media further complicate the issue, as these new technologies are less well controlled than other IT threats because organizations have not had time to fully adapt to them.
Source: Global Reputational Risk and IT Study 2012, IBM / Economist Intelligence Unit

- The velocity and complexity of change accelerates at a staggering pace: virtualization, cloud computing, social media, mobile, and other new and emerging technologies open the door to a wave of internal and external threats.
- Emerging markets, continuing economic volatility, offshoring and increasing regulatory requirements add complexity to an already complicated information security environment.
- Nearly 80% agree that there is an increasing level of risk from increased external threats, and nearly half agree that internal vulnerabilities are on the rise.
- 31% of respondents have seen increases in the number of security incidents compared to last year.
Source: Global Information Security Survey 2012, Ernst & Young

The ISF announced its forecast of the top five security threats businesses will face in 2013. Key threats include cyber security, supply chain security, Big Data, data security in the cloud and mobile devices in the workplace.
Source: Information Security Forum, November 2012
4 Overview of the ISM
5 Categories and Critical Building Blocks of the ISM

ISM, as with all other Critical Capabilities (CCs) in the IT-CMF, consists of a series of Categories, each of which is composed of a series of Critical Building Blocks (CBBs). The purpose of this structure is to identify the core areas of concern that need to be assessed, which in turn constitute the means of rating the Capability Maturity of the organisation that utilizes this CC.

Information security is a complex and nuanced subject, and it is only becoming more complex as new technologies, business models and supplier/client interactions become more advanced. Traditionally, information security has been seen as the ability of an organisation to lock down its infrastructure and defend against the possibility of cyber attacks, with little responsibility given beyond the IT department. While this approach may have sufficed until recent years, much has now changed that requires a more holistic approach across all stakeholders in an organisation. For example, consider the degree of IT outsourcing that takes place in your organisation. Consider the flow of data between your contracted third parties and any of your business units, and then consider the breadth of security-focused business processes required to ensure that appropriate levels of protection are in place to prevent, or greatly reduce the possibility of, a security breach, not only within IT but for all staff who interact with the data. Equally, the days of an entire IT stack sitting quietly in a comms room are gone: most organisations have begun shifting large volumes of data and infrastructure out to third parties, be they cloud providers or system integrators. The degree of command and control now becomes a core concern for any organisation seeking to keep its risk within its appetite, and yet most organisations struggle to clearly articulate, and get buy-in on, adequate levels of governance and risk management to ensure that this operational reality is under control from a security perspective.

Equally, consider the more traditional concern of penetration testing: that IT systems are currently protected at an adequate level from external threats. We emphasise the word "currently", because a penetration test is always a point-in-time activity. It tells you only what your situation is at that time, and not necessarily what risk you carried before or what future risk you may yet carry. This is purely due to the dynamic nature of external threats and the many and varied ways in which currently secured systems can quickly become vulnerable: newly disclosed vulnerabilities, changes to the systems themselves, and changes in the threat landscape. Again, the answer to this lies in the ability of any given organisation to take a holistic approach to its information security strategy and to look beyond simple point-in-time assessments to a more detailed and complete approach that seeks to measure and monitor all the core areas of concern that directly relate to risk in this arena.

This is the purpose of the ISM: to measure and verify the current Capability Maturity of all of the core areas of concern that relate to information security. The following is a breakdown of the Categories and Critical Building Blocks that ISM covers. We believe that the range is comprehensive and holistic, and can be used to clearly identify the real and present information security risks that your organisation may be carrying in its day-to-day operational activities.

Category: Governance
- Information Security Strategy: Develops, communicates, and supports the organization's information security objectives so they fit the organization's business model and risk appetite.
- Security Policies, Standards, and Controls: Establishes and maintains security policies and controls incorporating relevant security standards and regulatory and legislative security requirements, ensuring they fit the organization's business model and security objectives.
- Roles, Responsibilities, and Accountabilities: Identifies and establishes information security roles, including allocation and enforcement of security responsibilities. Agrees and/or assigns responsibilities and accountability to allocated resources.
- Communication and Training: Disseminates security processes, policies and other relevant information. Provides training content in security practices and develops security knowledge and skills.
- Performance Reporting: Reports on the levels of compliance achieved, and the effectiveness and efficiency of the security activities.
- Supplier Security: Defines security requirements and expectations pertaining to the procurement and supply of hardware, software, services and data.

Category: Technical Security
- Security Architecture: Establishes and applies criteria and practices in designing security solutions, with the aim of achieving appropriate, cost-effective protection. Defines security layers to provide depth of defence, and configuration management of security features.
- IT Component Security: Defines and implements the measures to protect physical and virtual IT, servers, networks, and end-points such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
- Physical Environment Security: Establishes and maintains measures to control access into, and protect, the physical infrastructure from threats and environmental factors (e.g. extreme temperatures, flooding, fire).
Category: Resource Management
- Budget for Security: Provides security-related budget criteria. This includes requirements such as that new equipment must be purchased with specific security features, e.g. virus protection.
- Tools and Resources: Specifies and procures specific security tools/products and resources. Manages the tools, security solutions and the staff assigned for security purposes.
- Resource Effectiveness: Measures value for money from security investments. Captures feedback from stakeholders and other sources on the effectiveness of security resource management procedures, tools and activities.

Category: Data Security Management
- Data Identification and Classification: Defines security classifications and provides guidance for associated protection levels and access control.
- Access Rights Management: Manages the lifecycle of user accounts and certificates, and the granting, denial and revocation of access rights. Matches access control procedures to data classifications.
- Life-cycle Management: Provides the security expertise and guidance to ensure that data throughout its lifecycle is appropriately available, adequately preserved and/or destroyed to meet business, regulatory and/or security requirements.
Category: Business Continuity Management
- Business Continuity Planning: Provides expertise and guidance to ensure that business continuity planning is effective in ensuring data integrity, confidentiality and availability. This may include input on backup management, archiving management, and systems recovery policies and procedures.
- Incident Management: Establishes and implements procedures for handling incidents and near incidents. Evaluates the nature and impact of incidents. Supports protection of the organization by providing feedback and reports on security aspects of incidents.

Category: Risk Management
- Threat Profiling: Gathers intelligence on threats and vulnerabilities from internal and external sources. Identifies and documents security threat profiles by their potential impact on business objectives and activities.
- Risk Assessment: Runs assessments to identify, document and quantify/score security-related risks and their components. Assessments include the evaluation of exposure to risks, and measurement of their likely impact.
- Risk Prioritization: Prioritizes security risks and risk-handling strategies, based on residual risks, acceptable risk levels and changes to the business/IT environment or operating environment, such as outsourcing, mergers and acquisitions.
- Risk Handling: Implements risk-handling strategies, under which risks can be deferred, accepted, mitigated, transferred or eliminated.
- Risk Monitoring: Tracks changes to the identified security risks, and validates the effectiveness of risk-handling strategies/controls.
Section 4: Our Approach
As with all other Critical Capabilities, ISM follows the same evidence-based assessment model:
The survey is completed using an online tool:
We then follow up with a face-to-face interview process:
The purpose of the face-to-face interviews is to:
The question set we use comprises 29 detailed focus areas across the categories. Below is a sample of the questions we ask on Technical Security. We focus on the Security Architecture and IT Component Security CBBs, seeking to identify where on the maturity curve each CBB sits. This is done through extensive evidence gathering, such as reviewing penetration testing methodologies, infrastructure hardening and enterprise system security techniques.

CBB Category: Technical Security
CBB: Security Architecture
Question: How do you establish the security architecture?
Tooltip: Establishes and uses approaches for designing security solutions with the aim of achieving appropriate, cost-effective security. Defines security layers to provide depth of defence, and configuration management of security features.
Level 1: Responsibility for establishing the security architecture layers is assigned on an ad hoc basis. Few (if any) security architecture diagrams exist.
Level 2: Security layers and depth of defence are considered in architecture design, but this may not always be implemented or provisioned in delivered solutions. Configuration management is typically a localized activity within departments or functional groups.
Level 3: IT and some business units have a documented shared vision for security layers, and most security architecture features are common across these areas. Depth of defence and configuration management practices are evident.
Level 4: A security architecture framework supporting depth of defence and utilizing configuration management principles has been developed, documented and implemented across the enterprise.
Level 5: An effective security framework is used across the extended enterprise. The framework is optimized for business efficiency, hardware and software cost management, and the depth and effectiveness of security measures.

CBB Category: Technical Security
CBB: IT Component Security
Question: How do you define and implement measures to protect information technology components?
Tooltip: Defines and implements the measures to protect physical and virtual IT, servers, networks, and endpoints such as peripherals and mobile devices. Specifies and procures specific security tools/products and resources.
Level 1: IT component security is done on an ad hoc basis.
Level 2: IT component security guidelines are emerging within the IT organization, but only basic security measures are in place.
Level 3: IT and some business units are agreed on detailed and documented IT component security measures, which are implemented across these areas.
Level 4: IT component security measures are implemented enterprise-wide, and the measures are tested for compliance with policies and standards.
Level 5: Management of IT component security is optimized across the layers of the security framework.

CBB Category: Technical Security
CBB: IT Component Security
Question: How do you ensure security is built into new systems and applications?
Tooltip: Defines and implements security measures to protect systems and applications and the data held therein.
Level 1: Security is defined and built in, or added after the product is built, on an ad hoc basis.
Level 2: Security is defined and built in using a generic approach or default measures.
Level 3: Security requirements are defined early in the development cycle by IT and business stakeholders, and are included in testing.
Level 4: Security requirements are addressed consistently enterprise-wide.
Level 5: Security requirements are addressed consistently across the extended enterprise.
A typical swim lane chart for an ISM Assessment is as follows:
6 The Report

The ISM report is designed to provide a detailed review with measurable next steps for implementers, while providing a comprehensive high-level overview for senior management.

Practices, Outcomes and Metrics

For implementers, a detailed review with clear and unambiguous suggestions for improving Capability Maturity is an essential part of the report from an ISM Assessment. Throughout the engagement the clear ambition is to identify and accurately document the Capability Maturity at the present time, with a breakdown of all findings against each of the CBBs. We use a concept known as Practices, Outcomes and Metrics (POMs) to achieve this. The POMs are designed to highlight to implementers what steps need to be taken to achieve an improvement in capability. For example, an organisation that wanted to achieve Level 2 in Technical Security would need to take the following steps, based on an agreed measurable metric value set, for each CBB:

Maturity Level 2, CBB Category: Technical Security

CBB: Security Architecture
- Practice: Provide basic architectural security descriptions.
- Outcome: Security layers and depth of defence, while considered, may not always be implemented or provisioned in delivered solutions. However, policies and procedures can be partially aligned with security recommendations.
- Metrics: % of policies reviewed for security compliance; % of relevant IT processes reviewed for security alignment.

CBB: IT Component Security
- Practice: Set defaults to secure or block, and open only as needed to enable the business.
- Outcome: Access is restricted to authorised components and access paths through the IT infrastructure.
- Metrics: % of components with default set to closed; # of staff needed to maintain the component security.

CBB: Physical Environment Security
- Practice: Identify and secure locations of critical and sensitive IT infrastructure components, and sensitive information storage locations (e.g. confidential printed reports).
- Outcome: A cross-functional appreciation of the need for security is emerging, and physical measures are obvious, unlike many other measures that are implemented in electronics or software. IT and facilities departments cooperate in physical security provision.
- Metrics: % of critical systems in secure locations; % of people with authorised access / all with access.

Senior Management Reporting

For senior management, the report is presented in visual form, designed to give a clear overview of current and desired Capability Maturity across each category:

The primary purpose of executive reports within the IT-CMF is to provide a clear and unambiguous overview of current Capability Maturity. In the case of ISM, this reflects not only the current capability of Technical Security and Data Security Management, but also the capability of Governance, Business Continuity Management, Resource Management and Risk Management. Taken together, this overview provides senior management with a comprehensive and complete picture of current status and of what actions are being implemented to improve Capability Maturity, where relevant, to match business plans.

Note: The example above is for the Sustainable ICT CC, and is for illustrative purposes.
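The Level 2 IT Component Security practice in the table above, "set defaults to secure or block, and open only as needed", is the default-deny principle, and "% of components with default set to closed" is the metric that evidences it. The following host firewall ruleset is an added example, not part of the Sytorus document or of the IT-CMF itself, showing what that practice looks like in concrete terms on one Linux server using nftables. The admin network 10.0.10.0/24 and the single exposed HTTPS service are assumptions for illustration only.

```nft
#!/usr/sbin/nft -f
# Added example (not from the Sytorus document): host firewall for a Linux server,
# written to the Level 2 practice "default closed, open only as needed".
# Assumptions for illustration: the host exposes one business service (HTTPS/443),
# and administrative SSH is permitted only from an assumed admin network 10.0.10.0/24.

flush ruleset

table inet filter {
    chain input {
        # The "open by default" posture that the metric counts against would read:
        #     type filter hook input priority 0; policy accept;
        # Under that policy every listening service is reachable until someone
        # remembers to add a block rule. The Level 2 practice inverts it:
        type filter hook input priority 0; policy drop;

        # Replies to connections this host initiated; nothing malformed.
        ct state established,related accept
        ct state invalid drop

        # Loopback is needed by local services talking to each other.
        iifname "lo" accept

        # ICMP/ICMPv6 keep path MTU discovery and neighbour discovery working.
        meta l4proto { icmp, ipv6-icmp } accept

        # Management path: SSH only from the assumed admin network.
        ip saddr 10.0.10.0/24 tcp dport 22 accept

        # The one business service this host is authorised to expose.
        tcp dport 443 accept

        # Everything else falls through to the drop policy; log a rate-limited
        # sample so the dropped traffic can be evidenced during an assessment.
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }

    chain forward {
        # This host is not a router, so nothing is forwarded.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        # Outbound is left open here; egress allow-lists are a later step up the
        # maturity curve and are not part of this Level 2 example.
        type filter hook output priority 0; policy accept;
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`. The output of `nft list ruleset`, showing `policy drop` on the input hook, is the evidence an assessor would accept for the "default set to closed" metric; the short list of explicit `accept` rules is what keeps the "# of staff needed to maintain" metric low, because every opening is a deliberate, reviewable exception rather than an accident of what happens to be listening.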
7 The Benefits

The purpose of an ISM assessment is to give an organisation a complete and holistic assessment of its current strengths and weaknesses in relation to information security. The ability to demonstrate both current and intended Capability Maturity across a range of categories such as Governance, Technical Security, Business Continuity Management, etc., is compelling in its breadth, and will provide answers to a wide range of questions driven by business needs. The following is a brief breakdown of the benefits that ISM can bring:

1 A comprehensive review of current capability around information security, focusing not just on security implementation, but also on:
a The governance processes and their suitability;
b The level of effectiveness of technical security across architecture and components;
c The degree of resource capability within the organisation for information security;
d The capability of data security management throughout the enterprise;
e The effectiveness of business continuity management with respect to information security;
f The risk management around information security, and how it is monitored, handled and reported;
g The alignment of all of the above with business needs, and the capability to tightly integrate IT and business goals going forward to improve Capability Maturity.
2 An assessment of current security implementations, such as penetration testing and infrastructure hardening, with a determination, based on evidence gathering, of where they sit on the Capability Maturity spectrum.
3 A clear and precise POMs-based approach to improving Capability Maturity, fundamentally focused on driving value throughout the IT portfolio and bringing closer alignment with other business units, based on common goals.
4 An unambiguous and easily comprehended visual report for senior management, which answers the questions that arise around the capability of information security throughout the enterprise.