Assuring Your Information




WHITE PAPER: Assuring Your Information

Contents

Executive summary: What is INFORM for Security? ... 4
Benefits of INFORM for Security ... 4
Information security and information assurance ... 5
Information assurance and risk management ... 5
Establishing a dialogue ... 6
Coordinated action plan ... 7
Structured evaluation ... 7
How INFORM works ... 8
Valuation capture ... 9
Risk assessment ... 11
    Risk exposure ... 11
    Likelihood ... 12
    Impact ... 15
ISO 17799 benchmarking ... 20
Solution program and scenario creation ... 22
    Current implementation ... 24
    Action plan ... 26
Scenario creation and reporting ... 28
Conclusion ... 31

Executive summary: What is INFORM for Security?

INFORM for Security is a Web-based application and program that has been designed to help organizations manage their information security risk and the costs associated with it. It is part of the overall INFORM program, which also involves an associated module: INFORM for Operational Efficiency.

INFORM for Security can be used to evaluate whether an investment in a particular information security program is justified, by showing the extent to which it will reduce risk exposure compared with its annualized cost. INFORM:

- Captures and gives a value to risk exposure that is related to the value of the business
- Benchmarks current information security program effectiveness against a global standard to identify program gaps and focus on areas for improvement
- Creates a prioritized action plan to achieve targeted information security improvements and optimize information security spending

Using INFORM for Security, an organization can benchmark information security risk management between its different groups and locations and can analyze trends over time to monitor improvement programs. Finally, it offers organizations of a similar type the opportunity to compare their management of information security risk, thus helping them to maintain a competitive position.

Benefits of INFORM for Security

INFORM for Security will help to identify answers to the information security questions that organizations are currently asking:

- What types of threat and vulnerability are most likely to affect me?
- What could I lose if I fail to comply with regulations or legislation or if business-critical information is seriously compromised?
- What could it cost me to recover from a serious incident?
- How well am I managing my risk exposure?
- Which solutions would be most effective in helping me to manage my risks better?

And, for many, the most important question of all: Can I make a good business case for spending on information security?

Information security and information assurance

All enterprises depend on the information they create and use. For many years the conventional wisdom was that this information must be kept secure. The use of this term, while clearly implying the need for protection, fails to convey the importance of making appropriate information available when and where it is needed, a function that is particularly vital now that all organizations rely on networked information. In such circumstances it is preferable to use the term assurance, rather than security. Assurance implies that information systems must function not only to protect the information they handle but also as they need to, when they need to, under the control of legitimate users. [1]

The term information assurance relates more closely to the associated INFORM for Operational Efficiency program and is therefore used in the INFORM for Security program in preference to information security. This paper describes the methodology that has been developed by Symantec to help organizations understand, evaluate, and manage their information assurance risk. The methodology has been incorporated into a Web application and a facilitated program has been based on it: the INFORM (INFOrmation assurance Risk Model) program.

Information assurance and risk management

Managing risks to information assurance across an organization is not a trivial task. In any organization these risks are not solely the responsibility of the IT department, because they arise not only from threats and issues that fall within the control of that department, but also from threats and issues that affect the business organization as a whole. Unfortunately, in nearly all organizations, information assurance risks are managed in discrete silos. In simplistic terms, these silos might be termed the IT department and the business organization. This concept is illustrated in Figure 1.

The IT department tends to concern itself mainly with the risk to its systems from threats arising from customers who access the corporate Web site or its e-commerce systems. Linkages with partner networks also form a significant area of threat, as does the use (and abuse) of the network and IT systems by employees and contractors. It is important to recognize that all these risks are significant only so far as they impact on business-critical information that is created, stored, and processed within and by the IT department.

Business risks, on the other hand, may arise from many sources. These include the organization's plans for growth and increased efficiency, competitor activities, and alterations to the infrastructure arising from the changing business environment. Business risk management is also increasingly concerned with the consequences of legislation and regulation, especially that relating to personal data protection and corporate governance. Indeed, the demands of corporate governance legislation, such as the U.S. Sarbanes-Oxley Act of 2002, [2] are increasingly driving businesses to recognize the importance of the IT department to its management of information flow within the business as a whole.

Therefore, in today's connected world, it is evident that the effective management of both IT and business risks must involve managing the information that is stored, transmitted, and processed by the IT department. Managing the risk to that information is a question of being able to assure its confidentiality, integrity, and above all, availability. The need for information assurance is therefore the common thread linking the two silos.

Figure 1. Information assurance risks and business silos (IT Department risk issues: customer, staff, and partner access; Internet use; e-commerce; IT infrastructure. Business Organization risk issues: competition; business growth; market forces; corporate governance. Common thread: information assurance, within the context of regulation and legislation.)

Establishing a dialogue

Establishing an information assurance dialogue between the IT department and the rest of the business organization requires that a common language is spoken, that risk assessment is treated in a mutually agreed way, and that a clear standard is used to explore the management of risk. Unfortunately, geek speak doesn't always translate well into business speak, and vice versa! In managing risk, too, network risk assessment tools and operational risk analysis methodologies cannot easily be reconciled. The existence of a plethora of competing standards also makes it difficult to agree on one that is suitable for common use across the whole enterprise.

The INFORM methodology proposes that the dialogue can be simplified if risk can be clearly related to the value of the business. Business evaluation of information assets is difficult and is therefore not commonly used by IT departments. However, driven by the regulatory demands mentioned above, there has been an increasing realization of the need to understand these assets in relation to their value to the business as a whole.

[1] U.K. Government Central Sponsor for Information Assurance (CSIA): www.cabinetoffice.gov.uk/csia/
[2] See www.sarbanes-oxley.com/

Risk assessment methodologies tend either to look at risks at a detailed technical level or to consider wider risks in a theoretical way, evaluating them on a scale such as high/medium/low or on a numerical scale (1 to 5, for example). However, all risk assessments rely on two common factors: the evaluation of the impact of a risk and the probability of it occurring. These common factors are used as the basis of the INFORM methodology described in this paper.

A number of standards have been developed to assist in the management of IT and the service it delivers. These include COBIT (Control Objectives for Information and Related Technology) [3] and ITIL (the IT Infrastructure Library). [4] Both standards are important and are used by INFORM for Operational Efficiency. However, only one international standard deals with the management of information security: ISO 17799, the code of practice for information security management, [5] and it is the standard used by the INFORM for Security methodology.

Coordinated action plan

When developing a coordinated plan for risk management, organizations need to know which actions will be most cost-effective. Evaluating information assurance cost-effectiveness by considering return on investment is not easy. Classic return-on-investment calculations aim to show a direct linkage between cash spent and savings made, for example, in the reduction of staff costs. However, it is hard to prove that money spent on information assurance will lead to reduced expenditure. Indeed, reduction in expenditure may result in increased risk. Instead, it should be possible to demonstrate a positive link between expenditure and reduction in risk exposure.

The INFORM methodology uses good practices drawn directly from the ISO 17799 standard as a benchmark against which an organization can estimate its management of information assurance risk. INFORM links the action plan to improvement in ISO 17799 good practices, showing the potential of the plan to increase overall information assurance effectiveness, thus reducing the organization's risk exposure.

Structured evaluation

Experience shows that organizations benefit greatly from being given the opportunity to discuss information assurance in a structured way, within a clear framework. Such discussions have been found to be especially beneficial if representatives from both the IT department and the business organization are present, particularly if those representatives are able to discuss strategic issues. INFORM enables participants to engage in the quantitative evaluation of threats, vulnerabilities, and impacts, founded on their knowledge and experience. The discussion quickly generates directional indicators that reflect the understanding of those taking part by using defaults based on benchmark data.

Structured and repeatable benchmarking is an essential feature of the INFORM program. This may be undertaken by the same organization at different times, or used to compare different business groups or locations within the same organization. INFORM also enables benchmark comparisons between different organizations of the same size, location, or market sector.

How INFORM works

INFORM helps organizations explore their effectiveness in reducing business risk exposure through their current and planned information assurance management programs. INFORM works in a modular way, as follows:

Module 1: Captures the business environment of the organization, or a part of the organization, allowing a monetary valuation to be assessed
Module 2: Assesses the risk to the organization, or part of it, based on exposure, likelihood, and potential for impact
Module 3: Measures current information assurance effectiveness, benchmarked against ISO 17799 good practice
Module 4: Assesses effectiveness of currently implemented risk management solutions, and selects a program to improve them
Module 5: Uses comparative scenarios to show effects on cost and risk reduction of changing variables, and displays these in both executive summary and full report formats

These modules, and the process flow through them, are illustrated in Figure 2. In this figure, the individual modules are shown in blue, the steps within each module are shown in grey, and the critical outputs in yellow.

[3] See Information Systems Audit and Control Association (ISACA): www.isaca.org/
[4] See U.K. Office of Government Commerce (OGC): www.ogc.gov.uk/guidance_itil.asp
[5] See International Standards Organization (ISO): www.iso.org

Figure 2. INFORM modules and process flow. Recoverable labels: 1. Valuation Capture (business and IT environment; revenue and budget); 2. Risk Assessment (risk exposure; likelihood of threat and vulnerability; impact of regulation, information, and incidents; evaluated risk); 3. ISO 17799 Capability (control importance; current capability; required capability; control gap); 4. Solution Program (solution effectiveness; action plan); 5. Scenarios and Reporting (variables changed?; reports produced).

INFORM is designed to allow an organization to rapidly produce a preliminary scenario. This can be done in two hours or fewer and will give a general indication of the reduction in risk exposure achievable by investing in an action plan where one or more solution areas are improved. The preliminary scenario may be used to suggest deployment of other resources, or it may be taken as the basis for a more intensive use of INFORM. INFORM Modules 2 to 4 allow different levels of granularity to be deployed, depending on the organization's requirement for detailed analysis. All five INFORM modules are examined in the following sections.

Valuation capture

The concept of intelligent defaults is used in operating all INFORM modules. Experience has shown that it is easier to make a decision about the appropriate dimension for a value, such as the organization's IT budget, if a preliminary figure is suggested by the application itself. Intelligent defaults are derived either from values previously entered in the application or from Symantec and third-party research. Within INFORM, default values are shown against a grey background, as is that for the IT budget in Figure 3. All defaults can be overridden by values that are specific to the organization. When this is done, the value is shown against a white background.

INFORM captures essential information about an organization's business and IT environment. It allows an organization to determine its valuation in a number of ways. Broadly, these depend on the type of organization under consideration: publicly traded, privately owned, or not-for-profit (see Figure 3). Or, if it is part of an organization, whether it is a profit or cost center. The valuation capture module asks about annual revenue or annual expense, as appropriate. It also examines the annual IT budget as well as basic information about the IT environment operated by the organization. This takes into consideration such risk factors as the number of home and remote users and the number of countries within which an organization operates. Data about revenue (or expense) and about the IT environment are carried forward to be used in the risk assessment module.

The Valuation Capture Module also allows the user to choose to display the results of the risk assessment as a monetary value or as a percentage of the business value. This choice is shown in the Quantification method in Figure 3.

Figure 3. Valuation capture

Risk assessment

As indicated in Figure 2, the INFORM risk assessment consists of three sections:

1. Risk exposure
2. Likelihood
3. Impact

Each of these sections is considered below.

Risk exposure

INFORM first considers the potential risk exposure of the organization by asking about either market capitalization (in the case of a publicly quoted company) or assets at risk (in the case of a governmental or not-for-profit organization). Added to the annual revenue (or expense) figure from the Valuation Capture Module, this constitutes the total business value at risk. The resources that the organization devotes to information security are also captured in this section. The way that INFORM captures these values is shown in Figure 4.

In addition, the risk exposure section considers the organization's overall tolerance of risk. This is important because an organization with a low tolerance (for example, a financial institution) will need to manage a greater percentage of its risk than an organization with a high tolerance (for example, a start-up company). Risk tolerance is captured using a slider bar (Figure 4). Experience has shown that a slider bar is far more effective at capturing a consensus view than is the case where a precise figure must be entered or a box chosen. Setting risk tolerance between very high and very low positions the organization's required capability when meeting good practice requirements of ISO 17799. Very high tolerance means a requirement to control 50 percent of the risk, and very low tolerance represents a requirement to control 95 percent.

Figure 4 also illustrates the slider bar that sets the maximum effectiveness of the information assurance program. This indicates the residual risk that will inevitably remain, even if maximum efforts are made.

Figure 4. Risk exposure

Likelihood

The second element of INFORM risk assessment estimates the likelihood of the organization's exposure to risk. In evaluating the outcome of likelihood, INFORM uses the concept of annual frequency of impact and estimates this by looking at the threats to an organization and at its vulnerabilities.

Threats

Organizations can be subject to a potentially limitless range of threats. To simplify the assessment, INFORM considers only nine categories of high-level threats. Again, slider bars are used to allow the organization to estimate the relative importance it attaches to each of these. Using slider bars for a number of comparable parameters such as these gives the INFORM user an immediate visual feel for the comparative importance that is attached to each. All the threats considered by INFORM are human. INFORM does not concern itself with physical or environmental threats, such as fire and flood. The following nine categories of threats are considered:

1. Organized crime
2. State-sponsored threats
3. Competitors
4. Business partners
5. Disgruntled customers and other outsiders
6. Disgruntled employees and other insiders
7. Social activists
8. Untargeted attacks
9. Errors and omissions

INFORM users are also able to choose a 10th category of threat they feel to be of particular significance to their organization (for example, "terrorism"). Figure 5 shows the INFORM threat assessment screen.

Figure 5. Threat assessment

It will be evident that some threat categories are more significant to certain types of organizations than others. Thus state-sponsored threats will be of importance only to certain parts of national governments and perhaps to some very large global companies. Other threats may be of greater significance at certain times in an organization's development; thus competitors could be more of a threat during a hostile takeover attempt, and disgruntled employees could be more of a threat during a time when the organization is undergoing restructuring or a merger.

When all the slider bars have been set to the user's satisfaction, INFORM will indicate an overall Threat score (see Figure 5). This is calculated as falling between 0 and 3, where 0 indicates a zero likelihood and 3 indicates a likelihood that is three times the expected figure for an average organization.

Vulnerabilities

INFORM encourages an organization to consider 29 vulnerabilities, divided between four general categories, as follows:

1. Organizational: four vulnerabilities relating to support for, and understanding of, information assurance
2. Location/process: seven vulnerabilities relating to geographical concerns, business processes, and remote users
3. Internet: nine vulnerabilities relating to use of the Internet by employees and for e-commerce purposes
4. IT: nine vulnerabilities relating to IT infrastructure, including software, staff, and outsourcing

These categories are illustrated in Figure 6.

Figure 6. Vulnerability assessment

As with threats, vulnerabilities depend on the type of organization and its stage of development. Thus organizations that are heavily committed to electronic commerce will have significantly greater vulnerabilities in the Internet category than an organization which only uses the Internet for email. The INFORM process can therefore usefully be deployed by a company that is considering expanding its e-commerce activities as a way to examine the effect that such a change might have on its overall management of information assurance. Once all the individual vulnerabilities in each of the four categories have been assessed, INFORM calculates a Business vulnerability score (see Figure 6) of between 0 and 3, in the same way as it does with the threats. This score is multiplied by the score from the threat assessment to a produce a combined figure called the frequency multiplier. This is used in the Impact section of INFORM to calculate annual loss expectancies. The methodology for doing this is explained in the next section. Impact As indicated in Figure 2, INFORM considers the potential information assurance impact on an organization by looking at three factors: 1. Loss of brand value through legal or regulatory breaches 2. Loss of confidentiality, integrity, and availability of information 3. Cost implications of remediation and recovery in the event of major and minor IT security incidents When the assessment of the three types of impact has been completed, INFORM will have calculated an evaluated annual risk that can be displayed either as a monetary value or as a percentage of the business value. All three impact factors and the evaluated annual risk are considered below. Legal and regulatory Most organizations find it very difficult to estimate their potential for loss of market or brand value as a result of failure to comply with legal and regulatory requirements. 
INFORM therefore uses research that has shown organizations to lose, on average, 2.1 percent of their market value within two days of a publicized breach. 6 Some organizations, however, have experience or more 6 The Effect of Internet Security Breach Announcements on Market Value of Breached Firms and Internet Security Developers. The University of Texas at Dallas School of Management. February 2002 15

accurate knowledge of what they are likely to lose. INFORM therefore allows such users to enter their own potential loss by using a slider bar (see Figure 7). The volume of legislation and regulation that relates to information security and privacy is vast and increasing. The Information Security Forum (ISF) 7 has catalogued over 380 pieces of legislation alone and this list is not exhaustive. To help users, INFORM therefore groups all information security related legislation into seven logical categories, on the basis of common functionality. These categories are as follows: 1. Data protection 2. Data retention 3. Corporate governance 4. National security 5. Civil and criminal legal framework 6. Intellectual property protection 7. Sector-specific provisions INFORM allows the user to drill down into individual categories in order to see examples of legislation and regulation that are relevant to that category. Some of these examples are shown in Figure 7. Figure 7 illustrates the slider bars for these seven legal and regulatory categories. It also shows the red arrows that are used to indicate the default positions for the slider bars. In this instance, the defaults are drawn from data obtained by the INFORM benchmark survey 8 and are conditioned by the market sector of the organization to which the INFORM user belongs. Figure 7 also shows the expected annual loss from regulatory and compliance failure in each area of legislation and regulation. This is calculated by modifying the unadjusted ( worst case ) frequencies of occurrence by the frequency multiplier, which is obtained by multiplying the scores obtained from the threat and vulnerability assessments. The unadjusted annual frequency of occurrence has been assessed by Symantec expert opinion. As with all INFORM figures, the organization is offered an opportunity to either accept or modify the calculated annual frequency. 
[7] The Information Security Forum is a not-for-profit association of over 280 corporate and governmental worldwide organizations (www.securityforum.org).
[8] The Symantec INFORM benchmark survey is published annually; see www.symantec.com/inform/benchmark.

Figure 7. Impact of legal and regulatory non-compliance

Information loss

Failures or deficiencies in information assurance can result in the loss of confidentiality, integrity, or availability of information. For each of these three categories, INFORM asks organizations to assess, using slider bars, the relative importance of the following nine types of information:

1. Identity credentials
2. Consumer financial records
3. Business-to-business financial records
4. Patient health records
5. Personal information
6. Insider compliance/regulatory filing
7. Critical operational processes and production control
8. National infrastructure protection
9. Intellectual property

As can be seen in Figure 8, an estimate of the value of loss, in either monetary terms or in terms of percentage of business value, is calculated for each category. The values will be conditioned by the relative importance the user attaches to the nine types of information in each category. As with the annual risk exposure for regulatory risk, unadjusted frequencies of occurrence are adjusted by the frequency multiplier obtained from the scores of the threat and vulnerability assessments. Once more, the unadjusted frequency is derived from INFORM benchmark survey data. As with all INFORM figures, the organization is offered an opportunity to either accept or modify the calculated annual frequency. The ISF has shown that most organizations assess the loss of information availability as more significant than that of integrity and availability. This is therefore reflected in the default impact value for this category, which is twice that of the other two categories. For each category, it is also possible to examine particular sources of loss in more detail by means of a spreadsheet that can be used to capture specific information that relates to it.

Figure 8. Impact of information confidentiality, integrity, and availability loss

IT impact

INFORM asks organizations to use slider bars to assess the potential impact of major and minor security incidents. For both major and minor incidents, the user is asked to estimate the numbers of clients, servers, and other devices affected as well as the time taken to remediate and recover from the incident. This is illustrated in Figure 9. Many organizations will have detailed information about how they deal with security incidents, and INFORM offers users the opportunity to link to a spreadsheet where these details can be captured. Completing this delivers a more accurate estimate of the potential impact on the business of remediation and recovery from major and minor incidents. Using the same methodology as that for regulatory impact and loss of information confidentiality, integrity, and availability, INFORM calculates the annual loss expectancy from major and minor incidents. This is displayed either as a monetary value or as a percentage of the business value.

Figure 9. Impact of major and minor incidents on remediation and recovery

Evaluated risk

The INFORM risk assessment is completed by reviewing the data entered and then checking the "Risk exposure completed" box, as illustrated in Figure 10. The user is also invited to consider if a value for insurance risk could reduce the total exposure, and if any other adjustments need to be made. Experience has indicated that organizations welcome the opportunity to modify the calculation of their risk exposure in line with the degree of uncertainty they feel over the accuracy of their estimates. INFORM takes this into account by allowing an organization to express a percentage uncertainty in their calculations of risk exposure. The percentage can be adjusted between 0 percent and 50 percent, and scenarios can be created to show the risk exposure valuation in INFORM when the chosen percentage is ignored (Medium), added (High), or subtracted (Low).

Figure 10. Total risk exposure

ISO 17799 benchmarking

In Module 3, INFORM asks the user to estimate their organization's effectiveness in the management of information assurance against recommendations drawn from the international code of practice for information security management: ISO/IEC 17799:2005.
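Before the ISO 17799 benchmarking of Module 3 is described further, the following is an added example (not code from the INFORM white paper or from Symantec) that works through the Module 2 risk exposure arithmetic described above: worst-case frequency scaled by the threat x vulnerability frequency multiplier, the annual loss expectancy per area, the insurance offset, and the Low/Medium/High uncertainty scenarios. The 0..1 score scales, the sample areas and all monetary figures are constructed assumptions.

```python
"""Added example, not code from the INFORM white paper or from Symantec:
the Module 2 risk-exposure arithmetic (unadjusted frequency x frequency
multiplier, annual loss expectancy, insurance offset and uncertainty scenarios).
All figures and scales below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RiskArea:
    name: str
    worst_case_frequency: float   # unadjusted annual frequency (expert opinion or benchmark)
    threat_score: float           # threat assessment result, assumed 0..1 scale
    vulnerability_score: float    # vulnerability assessment result, assumed 0..1 scale
    potential_loss: float         # loss per occurrence, currency units
    frequency_override: Optional[float] = None  # user may accept or modify the calculated frequency

    def adjusted_frequency(self) -> float:
        """Worst-case frequency scaled by the frequency multiplier (threat x vulnerability)."""
        if self.frequency_override is not None:
            return self.frequency_override
        return self.worst_case_frequency * self.threat_score * self.vulnerability_score

    def expected_annual_loss(self) -> float:
        return self.adjusted_frequency() * self.potential_loss


def total_exposure(areas: List[RiskArea], insurance_cover: float = 0.0) -> float:
    """Sum of annual loss expectancies, reduced by any insured amount (not below zero)."""
    return max(sum(a.expected_annual_loss() for a in areas) - insurance_cover, 0.0)


def uncertainty_scenarios(exposure: float, uncertainty_pct: float) -> Dict[str, float]:
    """0..50 percent uncertainty: Medium ignores it, High adds it, Low subtracts it."""
    if not 0 <= uncertainty_pct <= 50:
        raise ValueError("uncertainty must be between 0 and 50 percent")
    delta = exposure * uncertainty_pct / 100
    return {"Low": exposure - delta, "Medium": exposure, "High": exposure + delta}


def breach_market_value_loss(market_value: float, loss_pct: float = 2.1) -> float:
    """Default drawn from the cited research: 2.1 percent of market value after a publicized breach."""
    return market_value * loss_pct / 100


# Constructed sample: three of the seven legal and regulatory categories.
SAMPLE_AREAS = [
    RiskArea("Data protection", 4.0, 0.5, 0.5, 200_000),
    RiskArea("Data retention", 2.0, 0.4, 0.25, 50_000),
    RiskArea("Corporate governance", 1.0, 0.9, 0.9, 100_000, frequency_override=0.5),
]

if __name__ == "__main__":
    for area in SAMPLE_AREAS:
        print(f"{area.name:22s} freq={area.adjusted_frequency():.2f}/yr  "
              f"ALE={area.expected_annual_loss():,.0f}")
    exposure = total_exposure(SAMPLE_AREAS, insurance_cover=60_000)
    print(uncertainty_scenarios(exposure, 25))
```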

This ISO standard is structured into 11 major control areas, with 39 control objectives and 130 individual controls. INFORM allows an organization to consider its information assurance at any, or all, of these three levels of the ISO standard. The 11 control areas are:

1. Security policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance

Unlike many ISO 17799 gap analyses, INFORM relates ISO standard good practice to the organization's business needs. Thus INFORM uses slider bars to assess the following factors: the relative importance that the organization, as a business, attaches to a control; its current effectiveness in implementing the control; and its target effectiveness, based on its risk tolerance (assessed at the risk exposure stage; see above). INFORM then calculates a control gap based on the following formula:

(Target effectiveness - Current effectiveness) x Control importance

In assessing the current state of its controls, the organization is offered simple good practice guidance that is derived from the ISO standard. For example, the following is the guidance for the security policy control area:

"We have a clear, written security policy that supports our business objectives and legal and regulatory obligations. Our policy has full management support. Everyone has seen and understood our security policy. The policy is reviewed regularly."

Using this guidance, experience has shown that organizations find it reasonably easy to estimate their current compliance. Experience has also shown that most organizations have one or more areas where the control gaps are significantly greater, "rising above the noise". INFORM displays the control gaps as a bar chart (see Figure 11), which makes poorly performing areas easier to see.

Figure 11. ISO 17799 control benchmarking

Solution program and scenario creation

ISO 17799 suggests good practices for risk management. However, it does not provide clear guidance on the practical implementation of these, nor does it suggest any priority for their achievement. INFORM seeks to remedy both these deficiencies by recommending a prioritized action plan by which an organization can seek to improve its risk management effectiveness. The INFORM program involves both information security and operational efficiency. Each of these may be considered as constituting different aspects of the IT risks faced by an organization. Operational efficiency addresses the risk that an organization's IT systems may fail to achieve the availability, performance, and agility needed to meet business challenges. Information security, on the other hand, addresses the risk that an organization's IT systems may fail to protect it from regulatory and IT failure and from the loss of information confidentiality, integrity, and availability. In either case, Symantec experts believe that risks can be addressed through the same set of generic solutions.

To achieve the management of both operational efficiency and information security risks, therefore, 18 generic solutions have been identified. These are grouped into four categories, as follows:

A. Strategy
1. IT and security policy, strategic management, and architecture
2. Organizational structure, roles, and responsibility
3. Governance, compliance, and continuous improvement
4. Data lifecycle management

B. Service Support
5. Asset inventory classification and management
6. Physical and environmental management
7. Configuration, change, and release management
8. Incident response and problem management

C. Service Delivery
9. Service-level management
10. Application design, development, and testing
11. Operational design, workflows, and automation
12. Capacity management
13. Systems build and deployment
14. Service continuity management
15. Availability management

D. Security
16. Authentication, authorization, and access management
17. Network, protocol, and host security
18. Training and awareness

The fourth module of INFORM for Security looks at the current implementation of these 18 solutions and at an action plan for improving them.

Current implementation

INFORM users are asked to position slider bars to estimate their current effectiveness in implementing the solutions in each of the four categories shown above (see Figure 12). To assist in this task, INFORM offers a description of each solution, a list of criteria to measure success in implementing the solution, and a series of action points that should be undertaken to help achieve success. For example, the description, success criteria, and action points for IT and security policy, strategic management, and architecture are as follows:

Description: This solution area focuses on ensuring that IT is strategically aligned to the organization's business objectives and is compliant with all appropriate internal, legal, and regulatory requirements. Key Performance Indicators (KPIs), Service Level Agreements (SLAs), policies, standards, and procedures are defined and used to ensure that the design, architecture, and operation of the IT and information infrastructure and systems will optimally adapt to the organization's changing business needs, while at the same time ensuring that information risk is managed effectively.

Success criteria:
- Measurable, business-driven KPIs and SLAs for IT architecture, infrastructure, systems, and financial, procurement, and resource management are in place
- Appropriate standards frameworks (ISO 17799, ITIL, COBIT, SAS 70, etc., as necessary) are in place
- Risk assessment and management processes are in place
- Monitoring and accountability processes for KPIs, SLAs, standards, and risk management are in place
- IT objectives and strategy are understood by general business management

Action points:
- Appropriate, business-driven KPIs and SLAs defined
- Appropriate good practices selected from standards frameworks
- Implementation of standards-based good practice processes
- Implementation of an appropriate information risk assessment and management methodology
- Integration with corporate risk management practices
- Implementation of an appropriate information risk management methodology
- Implementation of monitoring and audit processes to assess success in KPIs and SLAs
- Implementation of monitoring and audit processes to assess effectiveness of standards-based good practices
- Implementation of a monitoring and auditing process to assess effectiveness of risk management
- Implementation of a system to communicate monitored KPIs, SLAs, processes, and risk in an appropriate fashion to key management and executive stakeholders

Figure 12. Current implementation of solution categories

Action plan

Once the survey of current IT risk management solution effectiveness is complete, organizations are invited to develop a targeted improvement action plan. INFORM enables this by linking generic solutions to ISO controls in a many-to-many matrix. The matrix is constructed by scoring the relationship of each solution and each ISO 17799 control area to a common set of verbs describing their function. Using these linkages, the solutions are offered as a list, prioritized according to their effectiveness in reducing ISO control gaps. From this list, users can select one or more programs to include in their improvement action plan, as shown in Figure 13.

Figure 13. Prioritized list of solutions

As can be seen in Figure 13, INFORM asks the user to consider the cost of implementing each chosen solution. Figure 14 shows the screen from which costs are calculated. Default costs for contractors, internal staff, and technology are shown. These are based on the size of the organization's IT infrastructure. Full lifecycle costs are also taken into consideration, including maintenance and license renewals. Annualized costs are shown, by default amortized over three years. Users are asked to estimate the percentage of successful implementation of the solution at the end of this spending program. When an initial scenario is built, this screen allows costs to be estimated roughly. However, INFORM also offers the opportunity to use detailed worksheets to calculate more accurate costs.
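The following is an added example (not code from the INFORM white paper or from Symantec) that carries the Module 3 control-gap formula through a constructed assessment and then builds the kind of verb-based, many-to-many solution/control matrix just described to rank solutions by how much control gap they address. The verb tags, the 0..1 effectiveness and 1..5 importance slider scales, the linkage weighting (number of shared verbs) and the gap-weighted ranking rule are all assumptions; the paper does not disclose INFORM's actual scoring.

```python
"""Added example, not code from the INFORM white paper or from Symantec:
Module 3 control gaps plus a constructed solution/control verb matrix used
to prioritize solutions. Verb tags, scores and scoring rules are assumptions."""
from typing import Dict, List, Set, Tuple


def control_gap(target: float, current: float, importance: float) -> float:
    """Formula stated in the paper: (Target effectiveness - Current effectiveness) x Control importance."""
    return (target - current) * importance


# Constructed: five of the eleven ISO 17799 control areas, each tagged with
# verbs describing its function (the paper's "common set of verbs").
CONTROL_VERBS: Dict[str, Set[str]] = {
    "Security policy": {"define", "approve", "review"},
    "Access control": {"authenticate", "authorize", "restrict"},
    "Information security incident management": {"detect", "respond", "report"},
    "Human resources security": {"train", "screen", "educate"},
    "Compliance": {"review", "audit", "report"},
}

# Constructed: four of the eighteen generic solutions, tagged the same way.
SOLUTION_VERBS: Dict[str, Set[str]] = {
    "IT and security policy, strategic management, and architecture": {"define", "approve", "review", "audit"},
    "Authentication, authorization, and access management": {"authenticate", "authorize", "restrict"},
    "Incident response and problem management": {"detect", "respond", "report"},
    "Training and awareness": {"train", "educate", "report"},
}

# Constructed slider readings per control area: (target, current, importance).
ASSESSMENT: Dict[str, Tuple[float, float, float]] = {
    "Security policy": (0.9, 0.5, 5),
    "Access control": (0.8, 0.6, 4),
    "Information security incident management": (0.9, 0.3, 3),
    "Human resources security": (0.7, 0.6, 2),
    "Compliance": (0.9, 0.4, 4),
}


def control_gaps(assessment=ASSESSMENT) -> Dict[str, float]:
    return {name: control_gap(*scores) for name, scores in assessment.items()}


def linkage_matrix(solutions=SOLUTION_VERBS, controls=CONTROL_VERBS) -> Dict[str, Dict[str, int]]:
    """Many-to-many matrix: linkage strength = number of verbs a solution and a control share."""
    return {s: {c: len(sv & cv) for c, cv in controls.items()} for s, sv in solutions.items()}


def prioritized_solutions(assessment=ASSESSMENT) -> List[Tuple[str, float]]:
    """Rank solutions by the gap-weighted sum of their linkages (assumed scoring rule)."""
    gaps = control_gaps(assessment)
    scores = {s: sum(w * gaps[c] for c, w in row.items()) for s, row in linkage_matrix().items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def annualized_cost(one_off: float, annual_recurring: float, years: int = 3) -> float:
    """Paper default: one-off costs amortized over three years, plus recurring maintenance and renewals."""
    return one_off / years + annual_recurring


if __name__ == "__main__":
    for name, gap in control_gaps().items():
        print(f"gap {gap:5.2f}  {name}")
    for name, score in prioritized_solutions():
        print(f"priority {score:5.2f}  {name}")
```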

Figure 14. Solution cost calculation

INFORM enables an organization to see how its targeted and costed action plan reduces some or all of the gaps identified in their management of the ISO 17799 controls. Figure 15 shows how the implementation of the solutions Asset Inventory Classification and Management and Training and Awareness could potentially contribute to closing the control gaps for a sample organization. As shown, the solutions chosen, while addressing a number of the gaps, have only a small effect on the largest; in this case, therefore, the organization may wish to consider other solutions.

Figure 15. Contribution of solutions to closing ISO 17799 control gaps

Scenario creation and reporting

Module 5 of INFORM for Security allows users to create a series of tailored reports based on the scenarios that have been built through the use of the INFORM tool. Scenarios are created using the tool within a unique account for each organization (see Figure 16). Using this account, any number of individual scenarios can be created. These could be used to compare different parts of the organization, different levels of certainty in the assessment of risk exposure, or different solution action plans. Once a scenario has been created, reports can be produced at either an executive summary level or at a detailed level, showing all the data entered and results calculated. Examples of the charts that are displayed in the executive reports are shown in Figure 17. The INFORM program will also allow the preparation of reports that compare scenarios. This feature can be used to compare different parts or groups of an organization, or different locations. Such comparisons will allow an organization to implement company-wide a consistent and structured improvement program. Furthermore, if INFORM is used to make regular assessments, it can be used as a tool to monitor trends in implemented improvement programs.

Finally, data in INFORM can be made anonymous and used to build a database that will enable organizations to compare themselves against their peers. Such comparative benchmarking will demonstrate the overall cost-effectiveness of the organization's information assurance program.

Figure 16. INFORM account management

Figure 17. Examples of INFORM report outputs

Conclusion

The INFORM for Security program enables organizations to explore ways of improving the cost-effectiveness of their information assurance in a structured, repeatable way. In doing so, it also allows them to:
- Benchmark information assurance management between business groups and locations
- Analyze trends over time to monitor improvement
- Compare their management of information assurance risk with others, to ensure that they are maintaining a competitive position

For more information on INFORM, please contact your Symantec sales representative or send an email to inform@symantec.com.

About Symantec

Symantec is a global leader in infrastructure software, enabling businesses and consumers to have confidence in a connected world. The company helps customers protect their infrastructure, information, and interactions by delivering software and services that address risks to security, availability, compliance, and performance. Headquartered in Cupertino, Calif., Symantec has operations in 40 countries. More information is available at www.symantec.com.

Symantec Corporation
World Headquarters
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
+1 (408) 517 8000
(800) 721 3934
www.symantec.com

Copyright 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Printed in the U.S.A. 02/07 11866968