Valiente: Balancing IT Security Compliance, Complexity & Cost
ISSA – The Global Voice of Information Security
ISSA Journal | July 2009

Balancing IT Security Compliance, Complexity, and Cost
By Carlos Valiente, Jr. – ISSA member, Tampa Bay, USA Chapter

The author discusses implementing the International Organization for Standardization ISO 27001, the international practice for information security management.

Organizations today risk customer trust, their reputations, and ultimately shareholder value when they do not address or prevent information security breaches. Many are required by law to comply with a growing number of government and industry-specific controls designed to safeguard the confidentiality, integrity, and availability of IT systems from information security breaches. One strategy to consider is implementing the International Organization for Standardization [1] ISO 27001, the international practice for information security management.

Companies struggle to protect intellectual property and other sensitive information as they often lack the visibility needed to define effective access policies that help mitigate risk. IT departments bear one of the heaviest burdens in compiling the data required by auditors, as their responsibilities include the documentation of procedures for security policy, compliance controls, and risk management processes. For many organizations, this is a key point of failure both before and during an audit, which inevitably leads to increasing the cost of audit-related fees.

The reality, however, is that security breaches will continue to occur [2] and the problem is not getting any easier to solve. The exponential growth of information breaches and the level of complexity of the infrastructure – network, virtual operating systems, and applications – continue to grow at a fast pace. It is easy to get caught up in reacting to the current symptom or problem that is causing immediate pain, rather than proactively tracing the issue back to its root cause to find a long-term fix that will take the organization to a higher level of overall performance.

Regulatory standards

Many organizations take a silo-based approach to complying with regulatory standards (e.g., PCI, GLBA, SOX, etc.), where each compliance effort is approached individually. However, many of the controls that need to be defined, assessed, and enforced are common across regulations. A silo-based approach leads to a lot of redundant compliance efforts that significantly increase the cost. In addition, companies have realized that as the number and scope of requirements grow, the sheer complexity of assessing multi-regulatory compliance with a large number of overlapping controls becomes a challenge. All these factors combined call for a smarter approach to addressing information security. Below is a partial list of the most common compliance standards:

California SB 1386 – Known as the Security Breach Information Act, this state law governs organizations that serve customers residing in California and store confidential data about those customers on computers, or transmit such data over networks. The law requires proactive protection of private data for Californians.

EU Privacy Directives – Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

GLBA – The Gramm-Leach-Bliley Act of 1999 requires financial institutions to create, document, and continuously audit security procedures to protect the nonpublic personal information of their clients, including precautions to prevent unauthorized electronic access.

FISMA – Requires that federal agencies establish risk-based information security programs to secure federal information.

HIPAA – The Health Information Portability and Accountability Act was one of the first mandates requiring organizations to implement IT security controls to protect the privacy of protected health information that they handle and store.

PCI DSS – The PCI Data Security Standard was developed by the major credit card companies as a guideline to help organizations that process card payments to prevent credit card fraud, hacking, and various other security issues.

SOX – The Sarbanes-Oxley Act of 2002 requires the company’s auditor to attest to and report on management’s assessment of the effectiveness of the company’s internal controls and procedures for financial reporting.

PIPEDA – The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private-sector organizations collect, use, and disclose personal information in the course of commercial business.

The key benefit of ISO 27001 is that it provides a single, strategic, and comprehensive framework for information security, and implementing these broad-based controls covers a wide set of the control objectives required in SB-1386, HIPAA, PCI, GLBA, SOX, and EU Directive 95 (see Figure 1). You can significantly reduce the number of controls and the implementation costs by achieving a transparent, optimized security baseline across the organization.

Figure 1 (Regulatory & Corporate Objectives): ISO 27001 at the center, with EU Privacy Directives, HIPAA, PCI, SOX, GLBA, SB-1386, and Others mapped onto its control domains: Security Policy, Human Resources, Access Controls, Business Continuity, Physical Security, Incident Management, Operations Management, Compliance, Asset Management, Infosec Organization, Infosys Dev. & Maint.

The ISO standards framework

The framework takes a very broad approach to information security. The term information addresses all forms of data, documents, communications, conversations, messages, recordings, and photographs. It includes everything from digital data, email, and faxes to telephone conversations. The standard effectively comes in two parts:

• ISO/IEC 27001:2005 is a standard specification for an information security management system (ISMS).
• ISO/IEC 27002:2005 is a standard code of practice and can be regarded as a comprehensive catalogue of individual control objectives.

When you implement 27001 you are building an information security management system using a continual improvement approach (see Figure 2); 27002 is intended to be used in conjunction with it and prescribes the individual control objectives. Once implemented, organizations that have a need to advertise that they are 27001-compliant can be certified by a number of accredited third-party audit registrars worldwide. This is very similar to a manufacturing organization achieving ISO 9001 certification or a service organization achieving a SAS 70 for effectiveness of controls. Following is a brief summary of ISO 27002’s eleven main sections or domains.

Figure 2 (Continual Improvement Approach to Information Security Management): Regulatory, Legislative, and Contractual requirements feed a Security & Compliance Management Program that cycles through PLAN (Establish the Framework), DO (Implement and Operate the Framework), CHECK (Monitor and Review the Framework), and ACT (Maintain and Improve the Framework).

Security policy

It prescribes a written, high-level policy document that should be approved by management and published and communicated to all employees responsible for information security in a manner that is understandable to the intended recipient. The primary objective of a policy statement is to outline the aims of the organization as endorsed by the executive management team. The document should be written clearly so that it can be interpreted at all levels of the organization and applied to the standard operating procedures. The supporting standards and procedures, which are then derived from the overall policy statement, will control the day-by-day operations, which occur at the various functional levels within the organization.

Organization of information security

This is primarily about people rather than technology, and how they are organized to manage the information security function. It outlines how management is organized and established to initiate and control the implementation of information security within the organization. In large or global organizations, it is sometimes necessary to co-ordinate information security measures by establishing distribution services channels. It is important that organizations support the delegation of security responsibility to areas where those responsibilities can be properly discharged.

Asset management

All major information assets should be accounted for and have an owner designated by name or title and responsible and accountable for his or her assigned assets. This will include access rights to, and classification of, those assets. The owner of the assets determines, documents, and promulgates the rules for the use of those assets for their whole life cycle, from creation or purchase to disposal. Finally, to ensure that information assets receive an appropriate level of protection, classification levels should be used to indicate the need and priorities for security protection. Classifications should show the value, sensitivity, and criticality of each information asset.

Human resources

It ensures that employees, contractors, and third-party users understand their responsibilities and are suitable for the roles they are considered for, and aims to reduce the risk of theft, fraud, or misuse of facilities. Information security should be addressed at the recruitment stage, included in the job descriptions and contracts, and monitored during an individual’s employment. It should also form part of the exit process to ensure that organizational assets are returned prior to cessation of employment or contract. All users of information systems should be given adequate security education and technical training.

Physical and environmental security

Information processing facilities supporting critical or sensitive business activities should be housed in secure areas. This includes protection of equipment and information from physical harm, as well as physical control of access to information and equipment. It also contains two of the most significant control features of the standard: the education and training of staff and setting contractually the expected behavior of anyone with access to organizational resources.

Communications and operations management

This broad domain section aims to ensure correct and secure operation of information processing facilities and that responsibilities and procedures are established for the management of all computers, networks, and information processing facilities. For example, all changes to operational information processing facilities and systems should be controlled. The operating procedures identified by the information security policy relating to all information processing should be documented and maintained under formal change control. Segregation of duties should be considered to minimize the risk of negligent or deliberate system misuse. Development and testing facilities should be isolated from operational or production systems. Rules for the promotion of software to operational status should be defined and documented. In addition, this domain addresses third-party service delivery, system planning and acceptance, protection against malicious code (antivirus), backup and recovery procedures, media handling, and the exchange of information.

Access control

This section is all about the control of access to information and systems on the basis of business and security needs. System access can be controlled in a number of ways using hardware and/or software. The real question is not how control is achieved but who is allowed access and to what. System access is like every other system of locks and keys; the basic decisions are what requires protection and who has the keys. These are strictly business decisions that should not depend on the technology at all. This domain covers areas such as user access management, responsibilities, network access controls, operating systems, application access controls, and mobile computing.

Information systems acquisition

Access to information and business processes should be controlled on the basis of business and security requirements. All security requirements should be identified and agreed to prior to the development or acquisition of information systems. It is also essential that any commercial software options (e.g., off-the-shelf software, software as a service (SaaS), or cloud computing) have suitable controls built in, and that the inclusion of such controls is considered a part of the acquisition process. These controls include, for example, cryptographic controls, access to system files, change control procedures, disaster recovery, and vulnerability analysis.

Information security incident management

This domain ensures information security events and weaknesses associated with information systems are communicated in a manner that allows timely corrective action to be taken. An effective and efficient incident management system for information security incidents must be implemented with appropriate escalation processes. When breaches of security do occur, for whatever reason, it is important to contain the result by reporting the incident and responding to it as quickly as possible. For example: To whom should an incident be reported? What information will that person need to know? What precautions should be taken to limit the organization’s exposure to the security breach?

Business continuity management

This domain counteracts interruptions to business activities, protects critical business processes from the effects of major failures of information systems or disasters, and ensures their timely resumption. A business continuity management process should be implemented to reduce the disruption caused by disasters and security failures to an acceptable level through a combination of preventative and recovery controls. For example, how IT intends to deliver corporate information when the power goes off, a fire occurs, or when the computers simply break down.

Compliance

The aim is to avoid breaches of any law, statute, regulation, or contractual obligation and of any security requirements. The design, operation, use, and management of information systems may be subject to statutory, regulatory, and contractual security requirements. This domain also addresses compliance with an organization’s own security policies and standards. Most important is that there should be controls to safeguard operational systems and audit tools during system audits.

Implementation steps

There are different methods of implementing ISO 27001 and the exact process may vary or need tailoring for each organization. Here are basic key steps to consider:

1. Define the scope of implementation
2. Develop the information security policy and obtain management approval
3. Identify your information assets and owners
4. Classify your information assets
5. Define the risk assessment process methodology and identify the risks
6. Map the ISO 27001 controls applicable to mitigating the risks identified in step 5
7. Document the statement of applicability to identify the controls chosen for your environment, explaining how and why they are appropriate
8. Define the organization’s policies, standards, and procedures
9. Communicate the policies and procedures to the entire organization
10. Implement the identified controls and document them
11. Implement a security awareness training program for the entire organization
12. Perform and implement a scheduled internal compliance audit program
13. Engage a third-party auditor to provide assurance
14. Proactively close any gaps identified during audit
15. Maintain matrices of the security practice and ensure continuous improvement
16. Certify your organization

Implementation benefits

Some of the benefits of implementing 27001 over point solutions include the following:

• Provides an internationally recognized information security strategy, structure, and methodology
• Allows an organization to demonstrate credibility, trust, confidence, and due diligence to clients and business partners
• Establishes that relevant laws and regulations are being met
• Increases awareness of information protection within the organization
• Documents processes, policies, and procedures and provides for a structured, reusable approach
• Becomes part of the formal business process to improve security and reduce risk
• Provides a holistic approach to monitoring and controlling the IT environment across the enterprise
• Ensures that a commitment to information security exists at all levels of the organization
• Leads to substantial cost savings in implementing information security and compliance efforts

Industry certification trends

According to the international certification register, which maintains a list of the ISMS certificates awarded to organizations worldwide, [3] only 86 certifications have been granted in the U.S., while countries like India, UK, China, Taiwan, and Germany are leading the U.S. in adopting 27001 ISMS (see Figure 3). Japan accounts for 3000 of the 5000-plus certifications issued worldwide.

Figure 3 (ISO 27001 Certificates Worldwide): bar chart of certificates per country on a 0–500 scale, listing Spain, Italy, Hungary, Czech Republic, USA, Germany, China, Taiwan, UK, and India.

Conclusion

Are you “doing things right” rather than “doing the right things”? [4] The first is tactical and the second is strategic thinking. Both are clearly needed to run a successful organization, but it is important to make sure you are steering your ship where you want it to go rather than clinging desperately to the anchor chain as it drags you through the water. When it comes to protecting information, this framework, if implemented correctly, can increase your resource efficiency while helping manage risk, reducing the number of controls and ultimately your overall spending. By eliminating a silo-based approach to compliance, and leveraging the commonality of controls across various regulations and mandates, complexity decreases significantly and compliance becomes more sustainable and cost-efficient. Implementing a single strategic solution will help an organization manage the complexity and total cost of ownership of information security, risk, and compliance.

About the Author

Carlos Valiente Jr., CISSP, CISA, CISM, CGEIT, LA-27001, is a results-driven information security specialist and compliance audit professional with 21+ years of experience leading and managing global IT, information security, compliance, and risk management programs in Big 4 and Fortune 500 companies. For more information, comments, or questions email

[4] A quote from business thinker Peter F. Drucker.