2007 issa journal-building a comprehensive security control framework
ISSA The Global Voice of Information Security
ISSA Journal | April 2007

Building a Comprehensive Security Control Framework
By Lori Crooks and Aurobindo Sundaram

Developing a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.

Over the last several years, information security has progressed from being ad hoc, to project-based, and then to program-based. The next evolution for information security is in process-based or control-based frameworks. These frameworks treat information security as a business process, and involve the integration of best-practice codes of practice (e.g., ISO 17799:2005), regulatory requirements (e.g., GLBA requirements, HIPAA requirements), policy, and compliance.

For six months in 2006, we developed a comprehensive security control framework involving information security, privacy, physical security, and customer credentialing.1 The following sections describe our process, particularly in unifying the framework, the expected benefits of a framework for an organization, and tools and procedures that can aid readers in their efforts to develop their own frameworks.

The Problem

Most companies are subject to the requirements of different regulations. For instance, our Insurance Data Services business is regulated under the Federal Fair Credit Reporting Act (FCRA). We also perform annual Sarbanes-Oxley (SOX) 404 audits to fulfill SEC requirements. Our customers audit us using their own standards, sometimes based on international standards such as ISO 17799. Our credit card processing applications are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS). And finally, several of our partners require us to complete annual SAS70 Type II audits.

Our Information Security Policy was based on ISO 17799, but it was specific to IT security, and only loosely integrated with several of our other programs, such as hiring and termination practices and physical security. In addition, we were finding that on every audit or assessment performed on us, we were duplicating effort, performing redundant testing, and not re-using results from prior audits. For efficiency and structure, there was a need to converge our different security standards into a unified security control framework (the framework).

The Methodology

We examined different ways to create our framework. They are summarized below.

1. Create a custom framework

This would have involved researching all of our controls, ensuring that they were substantially complete and broad enough to serve as an information security framework (by comparing them against ISO, for example), and then crafting a set of control objectives2 and associated control activities3 that would be the meat of the framework.

Once we thought more about this, although it sometimes makes sense to create a custom framework, in this case we would have had to weigh its advantages against (a) having to explain to all of our external auditors how the framework met their requirements; and (b) having to continuously research and update the custom framework when standards and regulations change.

2. Use multiple frameworks, overlapping as necessary

This option was the easiest solution, essentially preserving the status quo while searching for commonalities in control objectives. The point of this method would have been to spend the bulk of our time making the controls consistent across the different frameworks, while leaving each of the frameworks themselves unmodified.

The disadvantage of this method is that tracking and managing multiple frameworks still involves significant overhead. In addition, every time a new framework (regulatory or otherwise) impacts the company, this process would have to be completed again. Although we could hope to identify operational synergies with this option, we were unsure whether they would be significant compared to the other options.

1 Customer credentialing is our term for validating a customer's information and bona fide business credentials before allowing them access to sensitive information.
2 A control objective is an objective of management that is used as the framework for developing and implementing controls.
3 A control activity is an automated or manual process that is periodically performed to meet a control objective.
3. Create a single framework with appropriate mappings to other frameworks

With this option, we would have to pick one framework as the base framework, and then ensure that we created mappings where necessary to all of the regulatory and customer standards we had to comply with. If the framework was complete, every time a new regulation was introduced we would simply have to redo the mapping process, since the controls themselves would already exist. In rare cases, however, additional controls would have to be added to extend the framework.

The disadvantage of this method is that we were essentially starting from scratch. All of our existing controls would have to be mapped to the base framework, and we would have to develop entirely new controls to meet the control objectives of the base framework. In addition, there would inevitably be control objectives in the base framework which, even though we did not believe they were applicable, would still have to be implemented or addressed in some way. And finally, we would have to start the process of mapping all of our existing methodologies and controls for SOX, SAS70, etc., to the new framework.

In the end, we decided to select Option 3 for the following reasons:

• Our information security policy was already based on ISO 17799, and many of our technical security programs (e.g., vulnerability management, virus protection, application security, patch management) already mapped to elements of the corresponding ISO best practices.
• The ISO standard, although specific to information security, is widely accepted worldwide. Emerging standards, such as the BITS FISAP,4 are based on ISO 17799.
• Using a single framework gave us a starting point and a goal. We could then focus on mapping and migrating controls from other audit requirements into the framework. The end goal was to reduce audit time, combine testing, and unify all of our controls.
• Option 1 would have resulted in our diverging from industry and international standards. We felt that had we done this, we would have spent significant additional time convincing our partners and auditors of the completeness and breadth of our framework.
• Option 2 would have involved leaving the existing systems in place while trying to exploit some synergies of operations. To us, this felt more like a stop-gap solution, as the original problem would not have been fixed. Although this was workable, we felt it better to build a clean, unified framework for the future, despite the inevitable growing pains and integration issues along the way.

The framework

As we started populating the framework, we realized that the ISO standard is heavily slanted towards security.

• Physical security controls mapped easily into Section 9 - Physical Security.
• Our corporate governance model for security and privacy mapped into Section 5 - Policies and Procedures.
• Privacy controls mapped into Sections 11 - Access Control and 15 - Compliance.

However, our controls for customer credentialing were not adequately covered in the ISO standard (some controls were covered in Section 6 - Organizing Information Security). Therefore, we extended our base framework to add an additional section on Customer Credentialing.

Tip: It is important that organizations not try to keep a framework rigid and inflexible. There are occasions where a framework must be extended, and as long as it is done with discipline, the organization can reap the advantages of such an extension.

Diagram 1 shows the different sections of ISO 17799:2005 and our mappings to different regulatory frameworks. In particular, our resources section points the reader to step-by-step guides to regulatory compliance planning. Our paper, though, focuses on a security control framework for managing business operations, including regulatory compliance.5

Diagram 1 – Control Framework Mapping and Normalization Example
Frameworks mapped: GLBA, ISO 17799, SAS 70, AICPA, FACT Act. For each section of the control framework, the number of these five frameworks it maps to:

5.0 – Policies and Procedures: 4
6.0 – Organizing Security and Privacy: 3
7.0 – Asset Management: 4
8.0 – Human Resource Security: 4
9.0 – Physical and Environmental Security: 2
10.0 – Communications and Operating Management: 5
11.0 – Access Control: 5
12.0 – Application Development: 4
13.0 – Information Security Incident Management: 4
15.0 – Compliance: 1
16.0 – Customer Credentialing: none marked (custom extension)

Challenges

As with every project, challenges were encountered. For this project, the challenges included determining the correct framework to use, identifying controls outside of information security, ensuring completeness of the framework, and classifying key controls. Each of these challenges is discussed below.

As previously mentioned, deciding on the methodology was challenging. After we decided on Option 3, we considered several frameworks, e.g., COBIT and ISO 17799, for our base control framework.

4 Financial Institution Shared Assessment Program.
5 With a SAS70 Type II audit, the mapping may be expanded or reduced.
The frameworks were assessed to see which one fit the company and its various divisions best. Our company is unique because we have many corporate-wide controls, but we also have several business units that have their own set of controls. A few of the business units had defined controls because they had gone through a SAS70 Type II audit; however, those controls did not tie to a specific control framework, so they were ad hoc. After reviewing the different frameworks, we decided that the ISO 17799:2005 code of practice fit our company, both company-wide and business-unit specific. Since our security policy is aligned to the ISO standard, that made defining those controls simpler.

One issue we identified after our selection of the standard framework was how to address the sections that did not fall under ISO 17799. We decided to enhance the framework and add additional sections as appropriate. Since privacy is key to our business, we added elements of privacy to our controls, based on the AICPA Generally Accepted Privacy Principles (GAPP). We also added a section on customer credentialing because we have controls for validating our customers and their use of the data that we provide. Since there is no standard for credentialing, we built it based on our own controls.

The ISO 17799 framework has sections that cover human resources, physical security, environmental security, change control, and other areas that are not strictly related to information security. Since each of these sections falls outside our experience in information security, we had to coordinate with and interview individuals who were knowledgeable in these other areas. We spent significant resources performing walk-throughs of processes and defining appropriate control activities that could be tied back into our framework.

As mentioned previously, we identified which controls were corporate-wide and which ones were business-unit specific. This took time, to ensure that there were appropriate controls for each of the business units. Unfortunately, maintaining controls specific to each business unit is complicated, time consuming, and leads to inconsistency in implementations. It is far more efficient to drive control activities from a corporate perspective (for instance, policies, procedures and standards should be created and enforced at a corporate level, unless there are aspects that are so business-unit specific as to merit an exception). As part of our continued evolution in information security, we are rationalizing these business unit controls to make them enterprise controls. For instance, although different application development groups use different project management methods, all of them are required to abide by secure application development standards developed at the corporate level. This consolidation and centralization will reduce the number of controls to test, focus accountability on corporate compliance, and provide consistency for customers and auditors.

Once all the controls were identified and placed in the framework, it was important to go back through and compare them to ISO 17799 to determine whether there was at least one control for each control objective in the standard. Gaps were identified during our completeness check, so we had to find an effective control to fill each gap.

Another challenge was identifying the key controls. We wanted to ensure that our auditors were being efficient and only looking at the key controls. But since we had defined many controls, determining the key controls was a challenge. We analyzed the risk of the absence of a particular control to judge whether or not it was a key control.

Benefits

There are many benefits to a unified control framework. This framework will be used for the whole company. Instead of having different controls or control sets for internal audit, compliance, and security, there will be one unified framework. During Sarbanes-Oxley testing, internal audit will be able to use this framework, as will the security team for their assessments. The completeness of this framework means that our external auditors will be able to use our framework for their testing, for SOX, SAS70, and other compliance testing. Finally, our customers will appreciate the rigor and structure of a framework based on an internationally accepted standard.

We are currently completing the implementation of a compliance management tool for the framework. This will assist us in maintaining compliance information centrally. Since we know certain controls occur on a periodic basis, we can place those documents within the management tool. Auditors can directly access the management tool in read-only mode to assist with their testing. This saves time for the auditors and for the company, because the auditors do not have to set up time with the employee to gather the documents.

Since the control framework is so broad, it affects every individual. This benefits the company because individuals will be expected to be control conscious and to learn how to ensure their controls are working effectively. In fact, all our employees undergo mandatory information security and privacy training annually. This awareness helps us push accountability onto every employee of the company.

Lessons learned

As we went through the framework definition process, we learned many lessons: external expertise is useful, at least in the beginning; resources with audit backgrounds are helpful, especially in defining controls from processes; you will invariably need to make multiple review and modification passes over the framework; and you should plan on the effort taking longer than you estimate.

Although they can be expensive, consultants are useful early in the framework definition process. In particular, they helped ensure that the framework and our controls were complete, and identified where our control gaps were. We do not recommend that the reader use consultants in the control definition phase itself; this is best performed in-house using resources such as the internal audit and compliance teams.

Internal resources with auditing backgrounds are valuable because their experience and knowledge are useful during the control definition process. They are particularly valuable when reviewing control processes with business operations and translating them into control activities that would meet an external auditor's requirements.

Our framework went through many revisions and took more time to develop than we initially planned. This is especially true when there are many gaps in the framework, because those take longer to identify and define controls for.
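The completeness check described under Challenges (at least one control for every control objective), the mapping in Diagram 1, the re-mapping pass the authors expect whenever a new regulation arrives, and the key-control selection by risk of absence, as an added worked example in Python. This is not code from the article or from ChoicePoint's framework. The section list follows Diagram 1; the control inventory, the framework each control is mapped to, the 1-to-5 absence-risk scores, and the threshold used to flag key controls are all constructed assumptions for illustration.

```python
"""Control-framework mapping, completeness and key-control checks.

Added worked example; not code from the ISSA article or from ChoicePoint.
Controls sit under ISO 17799:2005 sections (plus the authors' custom
section 16), each mapped to the external frameworks it satisfies. The
checks reproduce the steps the article describes: a Diagram 1 style
matrix, a completeness check (every section has a control), the
re-mapping work list for one framework, and key-control selection by
the risk of the control being absent. All sample data is constructed.
"""
from dataclasses import dataclass

FRAMEWORKS = ("GLBA", "ISO 17799", "SAS 70", "AICPA", "FACT Act")

# Section numbers and names as listed in Diagram 1 (14.0 is not in the diagram).
SECTIONS = {
    "5.0": "Policies and Procedures",
    "6.0": "Organizing Security and Privacy",
    "7.0": "Asset Management",
    "8.0": "Human Resource Security",
    "9.0": "Physical and Environmental Security",
    "10.0": "Communications and Operating Management",
    "11.0": "Access Control",
    "12.0": "Application Development",
    "13.0": "Information Security Incident Management",
    "15.0": "Compliance",
    "16.0": "Customer Credentialing",  # custom extension, no external standard
}


@dataclass(frozen=True)
class Control:
    id: str
    section: str           # key into SECTIONS
    activity: str          # the control activity, as the control owner states it
    frameworks: frozenset  # external frameworks this control is mapped to
    absence_risk: int      # assumed scale: 1 (low) to 5 (high) if the control were missing


ALL = frozenset(FRAMEWORKS)

# Constructed sample inventory; sections 6.0 and 13.0 are deliberately left empty.
CONTROLS = [
    Control("SEC-5.1", "5.0", "Security policy approved by management, reviewed annually",
            frozenset({"GLBA", "ISO 17799", "SAS 70", "AICPA"}), 4),
    Control("SEC-7.1", "7.0", "Inventory of information assets with a named owner",
            frozenset({"GLBA", "ISO 17799", "SAS 70", "FACT Act"}), 3),
    Control("SEC-8.1", "8.0", "Background check completed before hire",
            frozenset({"GLBA", "ISO 17799", "SAS 70", "FACT Act"}), 4),
    Control("SEC-9.1", "9.0", "Badge-controlled data center access with visitor log",
            frozenset({"ISO 17799", "SAS 70"}), 4),
    Control("SEC-10.1", "10.0", "Change approved and tested before production deployment", ALL, 5),
    Control("SEC-10.2", "10.0", "Antivirus signatures updated daily",
            frozenset({"ISO 17799", "SAS 70"}), 3),
    Control("SEC-11.1", "11.0", "Quarterly review of user access rights", ALL, 5),
    Control("SEC-11.2", "11.0", "Terminated user accounts disabled within 24 hours",
            frozenset({"GLBA", "ISO 17799", "SAS 70", "AICPA"}), 5),
    Control("SEC-12.1", "12.0", "Development teams follow the corporate secure coding standard",
            frozenset({"GLBA", "ISO 17799", "SAS 70", "AICPA"}), 3),
    Control("SEC-15.1", "15.0", "Annual privacy compliance review against GAPP",
            frozenset({"AICPA"}), 2),
    Control("CRD-16.1", "16.0", "Business credentials verified before data access is granted",
            frozenset(), 5),
]


def mapping_matrix(controls):
    """Section -> frameworks satisfied by at least one control in it (Diagram 1)."""
    matrix = {sec: set() for sec in SECTIONS}
    for c in controls:
        if c.section not in matrix:
            raise ValueError(f"{c.id}: unknown section {c.section}")
        matrix[c.section].update(c.frameworks)
    return matrix


def section_gaps(controls):
    """Completeness check: sections with no control activity at all."""
    populated = {c.section for c in controls}
    return [sec for sec in SECTIONS if sec not in populated]


def unmapped_sections(controls, framework):
    """Populated sections with no control mapped to `framework`: the re-mapping work list."""
    matrix = mapping_matrix(controls)
    populated = {c.section for c in controls}
    return [sec for sec in SECTIONS if sec in populated and framework not in matrix[sec]]


def key_controls(controls, threshold=4):
    """Controls whose absence risk meets the threshold: the set auditors should focus on."""
    return sorted(c.id for c in controls if c.absence_risk >= threshold)


def render_matrix(controls):
    """Plain-text rendering in the layout of Diagram 1."""
    matrix = mapping_matrix(controls)
    width = 48
    lines = ["Control Framework".ljust(width) + "".join(fw.rjust(11) for fw in FRAMEWORKS)]
    for sec, name in SECTIONS.items():
        marks = "".join(("x" if fw in matrix[sec] else "").rjust(11) for fw in FRAMEWORKS)
        lines.append(f"{sec} - {name}".ljust(width) + marks)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_matrix(CONTROLS))
    print("Gaps (no control):", section_gaps(CONTROLS))
    print("Sections not yet mapped to FACT Act:", unmapped_sections(CONTROLS, "FACT Act"))
    print("Key controls (risk >= 4):", key_controls(CONTROLS))
```

Running the module prints the matrix, the sections with no control (the gaps to fill before the next audit), the populated sections that still carry no mapping to a named framework (the work list when that regulation is added), and the controls whose absence risk meets the threshold (the candidate key-control set to hand to auditors). A real inventory would be loaded from the compliance management tool rather than a literal list, and the risk scores would come from the control owners' risk analysis rather than being typed in.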
It took a lot of time to sit with various individuals and understand their processes. Some processes are more complicated than others and took multiple meetings. Once a process was understood, we had to derive controls from it and then go back to the control owner to ensure we had documented it correctly.

This framework is not a one-time development; it will be an ongoing process that involves updates and maintenance. We will have to review it periodically to ensure that all controls are still relevant, and check to see whether new controls have been put in place. However, we believe that the up-front effort we have expended will serve us well in the long run.

Resources

Creating a Systemized Approach to Regulatory Compliance at Microsoft – … compliance.mspx
BITS Financial Services Roundtable – … about.html
Regulatory Compliance Planning Guide (Mapping Regulations to High Level Control Objectives) – … net/security/guidance/complianceandpolicies/compliance/rcguide/1-02-00.mspx?mfr=true
Regulatory Compliance Planning Guide Front Page – http://www. … compliance/rcguide/1-02-00.mspx?mfr=true

About the Authors

Lori Crooks is a Security Compliance Analyst at ChoicePoint, Inc. in Alpharetta, GA. Lori has six years of experience in auditing and security. She is a CISA and co-creator of ChoicePoint's Security Control Framework. She can be reached at

Aurobindo Sundaram is the Vice President of Information Security at ChoicePoint, Inc. in Alpharetta, GA. He has worked in the information security industry for more than 10 years, and is responsible for articulating the vision and supervising the implementation of ChoicePoint's Security Control Framework. He can be reached at aurobindo.sundaram@