INFORMATION RISK SECURITY MANAGEMENT: A Model and Metrics

By Vladimir Jirasek, Information Risk Management Evangelist
Contents

Section 1: Introduction
  1.1 The Security Governance, Risk and Compliance (GRC) model
    1.1.2 Security Drivers
      (i) Laws and regulations
      (ii) Business objectives
      (iii) Security threats
    1.1.3 Security Management
      (i) Policy framework
        a. Policies
        b. Standards
        c. Artefacts
      (ii) Processes framework
      (iii) Security metrics framework
    1.1.4 Stakeholders
Section 2: Security Drivers
  2.1 Business objectives
  2.2 Legal and regulatory requirements
  2.3 Security threats
Section 3: Security Management
  3.1 The Policy framework
    3.1.1 Information security policy
    3.1.2 Data classification policy
      (i) Public data
      (ii) Company-wide data
      (iii) Restricted access data
    3.1.3 Employee acceptable policy
    3.1.4 Information technology security policy
  3.2 Security standards
    3.2.1 International standards for security policy and controls
    3.2.2 Information technology standards
  3.3 Security architecture repository
  3.4 Process frameworks and metrics
    3.4.1 Security processes
    3.4.2 Security metrics
      (i) Value at Risk
Conclusion
About the Author
Section 1: Introduction
Information risk security management is an area that is constantly moving to respond to new threats, standards and technologies. Security is now a part of information risk management, which in turn has a place in the overall business risk management strategy.

This document explains a security model that supports business needs, and explores how security professionals could change their mindsets to help ensure future job security.

	
  
1.1 The Security Governance, Risk and Compliance (GRC) model
	
  
Figure 1 below describes a security model that introduces the topic of security to business managers and CIOs.

Figure 1: Security GRC model
[Figure: three columns. DRIVERS (International security standards; Laws & regulations; Compliance requirements; Business objectives; Security threats, via Security intelligence) define the rules for SECURITY MANAGEMENT, which consists of a Policy framework (Information security policies, Information security standards, Information security architecture: DEFINE security controls), a Process framework (Information security processes, People, Technology: EXECUTE security controls) and a Metrics framework (Information security metrics, Security metrics portal, External security metrics: MEASURE security controls). The metrics inform the STAKEHOLDERS (CEO & Board, Governance, Line management, Product management, Program management, Risk & compliance, Auditors, Security professionals). Feedback loops: update business requirements; correction of security processes.]
The model describes three main areas: (1) Security drivers; (2) Security management; and (3) Stakeholders.
	
  
1.1.2 Security Drivers
	
  
The three major drivers for security are:

(i) Laws and regulations: A company must comply with these or face legal action or a fine. For example, the Data Protection Act and the Company Act are legal drivers; PCI DSS is an example of a regulatory driver.

(ii) Business objectives: Companies typically want to generate profit and define a set of business objectives. Security supports these business objectives by protecting systems and information used in the business processes. Think of protecting Microsoft Windows source code: if the source code was not protected, anyone could compile their own operating system without paying Microsoft any licence fee. Hence, Microsoft's business objective to 'Sell software' is supported by the security objective 'Protect source code'. Similarly, Amazon's business objective is to sell products in their online shop; a supporting business objective is to have the online shop up 24/7; the security objective is to keep systems free of malware that could disrupt or slow down IT systems.

(iii) Security threats: Security threats work against laws and regulations and business objectives. However, they also drive information security, and companies need to respond to threats in order to satisfy the first two drivers.
	
  
1.1.3 Security Management
Within this area there are three frameworks that enable a company to achieve the objectives defined in the 'drivers' section:
	
  
(i) Policy framework
This is a set of policies, standards and guidelines that describe how a company addresses information security drivers, and define the security controls available for a company to implement. There are also international standards that can be a source of information and controls for the Policy framework.
	
  
a. Policies: also known as Security Control Objectives, these typically use words such as 'should' and 'must'. The key objective of the security policy document is alignment with the business objectives and drivers.
  
	
  
b. Standards: detailed security controls that should be implemented to support individual policy statements; one policy statement can be supported by multiple security controls. These should be linked to a policy, otherwise the security professional will be unable to justify why a password needs to be 12 characters and change every 45 days, for instance. The controls should be selected from an internationally accepted catalogue of controls (see section below on 'International Standards').
	
  	
  
c. Artefacts: architecture standardisation is the key to the success of any company, and the same applies to security. If a solution to implement a security control is found in the 'Standard', it should be put into a 'Security Architecture Repository'. That way, others can benefit and, more importantly, consistent security is achieved. Many security professionals do not document artefacts into a shared library, which can often result in problems when they leave the company.
	
  
(ii) Processes framework
This section in Security Management implements what is stated in the Policy framework. Any security control in a policy or standard is a process, no exceptions. Each process is supported by people and most are supported by technology. However, there needs to be a link between any technology the company has, its process, and the corresponding control in the Policy framework, up to the business objective. This enables traceability of the security investment and allows security professionals to justify security budgets.
	
  
(iii) Security metrics framework
This is a developing area of information security management. The common adage, 'what cannot be measured, cannot be managed', can be applied equally well to security. Security professionals should be able to measure the status of security controls, the compliance with their own policies, and the effectiveness of security processes. The key metric is to take a security policy statement and measure each team against it; this will provide a balanced scorecard for security. The metrics framework provides feedback to the Process framework, to assist with security process design.
	
  
1.1.4 Stakeholders
Stakeholders are the recipients of the security metrics framework results. The stakeholders need to know that what has been promised is being delivered. More importantly, the security professionals need to show the value of security to the business. This is an area where security professionals need to enhance their skills; they need to talk to stakeholders, uncover their concerns, and show them that they are being addressed. This should be followed by a report that relates to their specific area and concerns; they need to see that security personnel are on their side!
	
  
Section 2: Security Drivers
	
  
2.1 Business objectives
	
  
Security professionals exist to support the business. Companies are driven by their vision and mission statements, translated into business strategies that describe how to achieve that vision. The business objectives define how the organisation wants to achieve its targets. If a business objective is to 'Supply customers with the goods', the security objectives should be to protect the process of supplying the customer. This clear link between business and security objectives can sometimes be missing.
	
  
2.2 Legal and regulatory requirements
	
  
Businesses need to comply with legal, regulatory and contractual requirements (listed in order of impact). Legal requirements are typically related to the way the company is governed, how it prepares its accounts and how it protects personal data. In the UK, the Company Act 2006, 'part 15 Accounts and reports', states clearly the requirements relating to how accounts are created and reported. It also includes penalties for untrue and misleading accounts. In the USA, the SOX legislation was created after major financial scandals. The Data Protection Directive, Principle 7, states that access to data must be limited to the authorised persons. And although the Data Protection Directive does not state which security controls should be implemented, the guidance states that there are internationally accepted standards relating to building information security systems in a company.

As a result of this legislation, any information security system implementation must protect data and information systems so that they are:
  a) accurate (in security terminology the word 'Integrity' is used),
  b) available, and
  c) access to the content is assured ('Confidentiality' in security terminology).

A practical example

A telecommunication company sells mobile phones and call plans to its customers. One of its objectives is to 'Deliver outstanding customer service, measured by customer satisfaction'. This objective is supported by a business process 'Customer service', whereby customer service representatives in shops, call centres and online talk to customers to solve their problems and answer questions.

Customer satisfaction is dependent on a) speed to initial contact, and b) completeness of response. The information security risks identified are: 1) information systems unavailable or slow, so the initial response time is affected; 2) information in the knowledge base system is inaccurate; and 3) the customer data in the CRM system becomes compromised, resulting in a fine and bad PR.

From this quick risk analysis, it is easy to understand where the information security policy needs to focus and what the security objectives should be.
	
  
2.3 Security threats
Security threats affect the level of protection (i.e. control) that is needed. Threats come from attackers who want to either acquire information or limit business opportunities by affecting business processes. Microsoft has created a very good methodology (STRIDE) for assessing threats and designing security controls to prevent threats from harming business processes. The role of the security model is to capture security threats and design security objectives and controls to protect the business. Security intelligence is the capability to analyse security threats and advise what controls should be included in the policy framework.
Section 3: Security Management
	
  
3.1 The Policy framework
This is the first element of the 'Security Management' part of the model. The Security Policy is usually not a single document, and rightly so. The documents in the Security Policy library have different audiences and levels of detail; see Figure 2 below.


Figure 2: Information Security Policy framework
[Figure: policy documents by owner and level of detail. CISO: Information security policy (business and security objectives), with the Data classification policy and the Employee acceptable use policy beneath it. CIO: Information technology security policy (security objectives). IT Security Architecture: IT security standards, reusing internationally accepted controls (controls, technology and processes). Technical teams: Security architecture repository and Security guidelines (security processes).]
3.1.1 Information security policy
The primary objective of the Information security policy is to state business objectives and high level security objectives. The document also sets accountabilities for ensuring the security objectives are met. The document should be owned by the CISO or CSO but approved by the Board; as the Board is responsible for approval of business strategy and objectives, the protection of these is obviously in the Board's interest.
	
  
3.1.2 Data classification policy
The top level policy should also make provision for a data classification scheme, which can then be detailed in the Data classification policy. Data classes depend on the nature of the business but at the minimum should include:
	
  
(i) Public data that are in the public domain. It is a mistake to assume that public data do not need any protection. For example, take a company homepage; typically this is information that a company wants to share with the world, i.e. it is 'Public'. But what happens if the information on the website changes without authorisation? Examples can range from defacing of the website, to unintentional mistakes by employees, mixing up the product description, changes in prices of the products etc. The public information usually needs to be 'accurate' and 'available', but obviously there is no requirement to keep the information 'confidential'.
	
  
(ii) Company-wide data: this type of information can be shared between employees and people who have signed an NDA. This is by far the largest category of information in most organisations. It is also referred to as 'semi-public', and the bigger the organisation the greater the probability of leakage from employees or partners.
	
  
(iii) Restricted access data: some information will be accessible on a need-to-know basis, depending on the type of business. Business plans, strategy, research data, and new product details are just some examples of the information that should be well protected.
	
  
3.1.3 Employee acceptable policy
This policy document should spell out the most important policies for employees. Good security and HR professionals do not expect users to remember all policy documents. The objective of this document is to show employees what is critical and where to find more information.
	
  
3.1.4 Information technology security policy
Most companies rely on information technology to run the business processes. The role of CIOs has become to support business, understand where the company wants to expand, and suggest how to become more agile and cost effective. IT can be a saviour or a nightmare, depending on the abilities of the CIO. The security policy for the CIO team needs to translate business objectives into security objectives and controls, as shown in Figure 3 below.



Figure 3: Relationship between business objectives and security processes
[Figure: read left to right, Business objectives BO1 to BO3 map to Security objectives SO1 to SO5, which map to Controls C1 to C11 (selected from International standards), which are implemented by Security processes P1 to P4, which protect Business processes B1 to B3. Reading left to right provides the response to 'Do we have all business risks covered?'; reading right to left provides the response to 'Why are we doing this?']
The figure shows how business objectives on the left influence security objectives. Each security objective then has several security controls (C1 to C11) and these are implemented by security processes. Lastly, the business processes are protected by the security processes. Such a model answers two critical questions:

a) Do we have all business risks covered?
b) Why are we spending money on the security controls?

Examples of security objectives are:
§ Establish security governance
§ Provide security training
§ Manage access to information
§ Keep systems resistant to malware
§ Establish secure systems/applications processes
§ Monitor systems for security events
§ Manage security incidents
§ Monitor security compliance

Each security objective then contains a number of security controls. These are typically included in more detailed documents, such as IT security standards and security artefacts.

Examples of security controls are:
§ Create the training material; monitor attendance of security trainings
§ Review feedback from security trainings
§ Manage accounts in the IT systems: create accounts for new users, modify them when a role changes and delete/disable them when an account is no longer needed
§ Install anti-malware software; establish and implement a secure configuration for each operating system in use; update configurations on systems as the threat landscape changes; patch systems with vendor patches within X days

Each control needs to be linked to one or more security objectives. A number of security controls are part of a security process, and each process must have its owner and must be measured.

Finally, each security process contributes to the security of a number of business processes. For example, the security process 'Security configuration & patch management' ensures that the IT systems used in the business process 'Take order from customers' run smoothly and as expected.
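The two questions the model answers ('Do we have all business risks covered?' and 'Why are we spending money on the security controls?') become mechanical checks once the links in Figure 3 are recorded as data. The following is an added example, not code from the paper: it stores the links as sets and reports orphan controls, controls no process implements, unprotected business processes, idle or unowned processes, and the business objectives a given control ultimately serves. The sample mapping is constructed; the security objective, control and process names are the paper's own examples, while the business objectives, owners, metrics, the 'Ship order to customer' process and the log-retention control are made up for illustration.

```python
"""Traceability checks over the Figure 3 model: business objectives ->
security objectives -> controls -> security processes -> business processes.
Added example, not the paper's code. The sample mapping below is constructed."""
from collections import defaultdict


class SecurityModel:
    def __init__(self):
        self.objectives_for_bo = defaultdict(set)       # business objective -> security objectives
        self.objectives_for_control = defaultdict(set)  # control -> security objectives
        self.controls_in_process = defaultdict(set)     # security process -> controls it implements
        self.protected_by_process = defaultdict(set)    # security process -> business processes
        self.process_owner = {}
        self.process_metric = {}
        self.controls = set()
        self.business_processes = set()

    def add_business_objective(self, bo, security_objectives):
        self.objectives_for_bo[bo].update(security_objectives)

    def add_control(self, control, security_objectives=()):
        self.controls.add(control)
        self.objectives_for_control[control].update(security_objectives)

    def add_business_process(self, bp):
        self.business_processes.add(bp)

    def add_process(self, name, controls, protects, owner=None, metric=None):
        self.controls_in_process[name].update(controls)
        self.protected_by_process[name].update(protects)
        self.process_owner[name] = owner
        self.process_metric[name] = metric

    def orphan_controls(self):
        """'Why are we spending money on this?': controls with no security objective behind them."""
        return sorted(c for c in self.controls if not self.objectives_for_control[c])

    def unimplemented_controls(self):
        """Controls written into a standard but carried out by no security process."""
        implemented = set().union(*self.controls_in_process.values())
        return sorted(self.controls - implemented)

    def uncovered_business_processes(self):
        """'Do we have all business risks covered?': business processes no security process protects."""
        protected = set().union(*self.protected_by_process.values())
        return sorted(self.business_processes - protected)

    def idle_processes(self):
        """Security processes that protect no business process at all."""
        return sorted(p for p, bps in self.protected_by_process.items() if not bps)

    def unmanaged_processes(self):
        """Each process must have an owner and must be measured."""
        return sorted(p for p in self.controls_in_process
                      if not self.process_owner.get(p) or not self.process_metric.get(p))

    def why(self, control):
        """Business objectives a control ultimately serves, via its security objectives."""
        objectives = self.objectives_for_control[control]
        return sorted(bo for bo, sos in self.objectives_for_bo.items() if objectives & sos)


def build_sample_model():
    """Constructed sample data (business objectives, owners, metrics and two gaps are made up)."""
    m = SecurityModel()
    m.add_business_objective("Take orders online around the clock",
                             ["Keep systems resistant to malware", "Monitor systems for security events"])
    m.add_business_objective("Protect customer data", ["Manage access to information"])
    m.add_control("Install anti-malware software", ["Keep systems resistant to malware"])
    m.add_control("Patch systems with vendor patches within X days", ["Keep systems resistant to malware"])
    m.add_control("Manage accounts in the IT systems", ["Manage access to information"])
    m.add_control("Review feedback from security trainings", ["Provide security training"])
    m.add_control("Retain logs for seven years")  # deliberately no objective behind it
    m.add_business_process("Take order from customers")
    m.add_business_process("Ship order to customer")  # deliberately left unprotected
    m.add_process("Security configuration & patch management",
                  controls=["Install anti-malware software", "Patch systems with vendor patches within X days"],
                  protects=["Take order from customers"],
                  owner="Head of IT operations", metric="% of systems patched within X days")
    m.add_process("Identity & access management",
                  controls=["Manage accounts in the IT systems"],
                  protects=["Take order from customers"],
                  owner="IAM team lead")  # has an owner but is not measured
    m.add_process("Security awareness",
                  controls=["Review feedback from security trainings"],
                  protects=[], owner="CISO office", metric="Training attendance rate")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("Orphan controls:", model.orphan_controls())
    print("Unprotected business processes:", model.uncovered_business_processes())
    print("Processes without owner or metric:", model.unmanaged_processes())
    print("Why anti-malware?", model.why("Install anti-malware software"))
```

Two of the findings the sample produces are worth noting. 'Review feedback from security trainings' is linked to a security objective, yet `why()` returns nothing for it, because 'Provide security training' is not tied to any business objective; that is the gap a business leader will ask about. Conversely 'Ship order to customer' is a business process nobody protects, which is the gap an auditor will ask about.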
  
	
  
3.2 Security standards

3.2.1 International standards for security policy and controls
Figure 3 shows business objectives, which will be specific to each company. However, security objectives, whilst supporting the business objectives, should be selected from a catalogue of internationally recognised ones, and international standards can play an important role here. It is important to understand which objectives, controls and processes to take 'as is' and where customisation is needed. Moreover, there might be business objectives and business processes that need controls that are not included in the international standards. Standardisation is needed but should not be applied blindly. Standards such as ISO 27001 and ISO 27005, COBIT 4 and the ISF Standard of Good Practice (both the 2007 and 2011 editions) are generally extremely useful.

3.2.2 Information technology standards

This document, or set of documents, contains a list of security controls related to the technology used in a company. As mentioned above, these controls are of sufficient detail to describe what is required. Further implementation information is usually included in 'Guidelines' or 'Security Artefacts'.

The level of detail included in technology standards will range from high level, such as 'Implement an account creation process to create accounts within two days of request', to more detailed, such as 'Use Windows Server 2008 R2 with configuration W2k_DMZ for servers located in the DMZ'.

3.3 Security architecture repository

Consistency is key in information security. TOGAF 9 has a good approach to standardisation and reusability, as does the SABSA security framework. Standardisation and reusability ensure higher maturity in information security. For this reason, having a library of reusable security architecture components (artefacts) is extremely important.

TOGAF 9 defines an artefact as:

        "A product that describes architecture from a specific viewpoint. Examples include a network diagram, a server specification, a use-case specification, a list of architectural requirements, and a business interaction matrix. Artefacts are generally classified as catalogues (lists of things), matrices (showing relationships between things), and diagrams (pictures of things) …"

In the context of an information security model, artefacts are reusable for the creation of information security architecture, either a technology (such as 'We use Cisco firewalls and this is how they are configured') or a process (such as 'We have standardised our incident response process and this is how it is done').

The technology section of the repository should contain, for example:
§ Standard set of technologies used in the company (related to security)
§ Configuration standards for the technologies above (e.g. Windows 7 laptop local security policy object)
§ Hardening configuration of web servers, DB servers and other servers.

The process section of the repository should contain standard descriptions of security processes, in the detail needed to replicate the process in another part of the organisation, in a subsidiary or when acquiring another company. From experience, documenting processes is not a strong skill of many IT and information security professionals.

3.4 Process frameworks and metrics

3.4.1 Security processes

As stated earlier in this document, and shown in Figures 1 and 3, security processes are an integral part of the security model. For example, ISACA, the organisation behind COBIT, ensures that the default view in COBIT is based on processes, where each process is defined by its objective, stakeholders, maturity levels and controls.

Another international standard, ISM3 (now adopted by the Open Group), also sees security processes as key to having mature security systems. Processes in general often have a bad name due to their rigidity and over-complex set-ups; however, it is important to understand that a process can easily be made complex. It takes skill to create processes that are lean and adaptive.

3.4.2 Security metrics

Measuring processes in any company is one of the key techniques to ensure that inefficiencies are recognised and corrected. Measurement is a product of the industrial revolution; Frederick Taylor published The Principles of Scientific Management in 1911, a revered work on the capacity of observation and measurement to improve productivity. By the same token, security processes must be observed, monitored and measured to improve them.

Security metrics are a largely neglected area in information security. There are some exceptions, such as COBIT, which brings maturity levels for CIOs and CISOs. Another promising candidate is the Common Assurance Maturity Model (CAMM), which brings information security maturity levels into the supply chain.

Gartner has researched IT and security metrics, and the relationship between KPIs (Key Performance Indicators) and KRIs (Key Risk Indicators). Furthermore, what business leaders are interested in is: 'What impact do security controls (or the lack of them) have on the business processes and the bottom line?' Security professionals have for a long time used the FUD (fear, uncertainty and doubt) approach and are now finding that this does not resonate with their audiences.

It is also accepted that the maturity of security controls and processes inversely affects risks to the organisation. The problem many security professionals face is having to justify the additional costs to move from maturity level 2 (repeatable) to 3 (defined) and beyond.

With this in mind, it would be prudent for organisations to measure:
§ Basic operational metrics to keep an eye on processes (i.e. do they operate as expected?)
§ Each security process for its maturity
§ Value at risk, expressed in £s, to which a business process is exposed due to low maturity of security controls (or the lack of them, as defined by COBIT level 0)
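The first of these, the basic operational metric, is the process owner's day-to-day instrument, and the paper's own sample technology standard ('create account within two days of request') gives a ready target to measure against. The following is an added example, not code from the paper: it takes a list of account requests, computes the share that met the two-day target, the median lead time and the worst case, and lists the requests the owner should chase. The request records are constructed. One rule in it is my assumption rather than the paper's: an open request that has already aged past the target counts as a breach, whereas an open request still inside the target is neither a pass nor a fail yet and is left out of the compliance ratio. The same function serves any process with a time target, such as 'patch systems with vendor patches within X days', by changing `sla_hours`.

```python
"""Operational metric for a security process: does it operate as expected?
Added example, not the paper's code. The request records are constructed;
the two-day target is the paper's sample standard, the overdue-while-open
rule is an assumption of this example."""
from datetime import datetime
from statistics import median

SLA_HOURS = 48  # 'create account within two days of request'
NOW = datetime(2011, 3, 10, 12, 0)  # constructed reporting time

# (request id, requested at, completed at or None for still-open requests)
ACCOUNT_REQUESTS = [
    ("REQ-1", "2011-03-01 09:00", "2011-03-01 17:00"),
    ("REQ-2", "2011-03-02 09:00", "2011-03-04 10:00"),  # one hour over the two-day target
    ("REQ-3", "2011-03-03 09:00", "2011-03-04 09:00"),
    ("REQ-4", "2011-03-04 10:00", "2011-03-05 10:00"),
    ("REQ-5", "2011-03-07 08:00", None),                # open and already overdue
    ("REQ-6", "2011-03-09 15:00", None),                # open, still inside the target
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def elapsed_hours(requested, completed, now=NOW):
    """Lead time of a finished request, or the current age of an open one."""
    end = _parse(completed) if completed else now
    return (end - _parse(requested)).total_seconds() / 3600


def process_metrics(records, sla_hours=SLA_HOURS, now=NOW):
    """Counts, compliance ratio and lead-time statistics for one process."""
    completed_within = completed_late = open_within = open_overdue = 0
    lead_times = []
    worst = 0.0
    for _rid, requested, completed in records:
        hours = elapsed_hours(requested, completed, now)
        worst = max(worst, hours)
        if completed:
            lead_times.append(hours)
            if hours <= sla_hours:
                completed_within += 1
            else:
                completed_late += 1
        elif hours <= sla_hours:
            open_within += 1
        else:
            open_overdue += 1
    # Open requests still inside the target have no outcome yet, so they do not count either way.
    decided = len(records) - open_within
    return {
        "total": len(records),
        "completed_within_sla": completed_within,
        "completed_late": completed_late,
        "open_overdue": open_overdue,
        "open_within_sla": open_within,
        "sla_compliance": completed_within / decided if decided else 1.0,
        "median_lead_hours": median(lead_times) if lead_times else None,
        "worst_hours": worst,
    }


def breaches(records, sla_hours=SLA_HOURS, now=NOW):
    """Request ids the process owner should chase: late completions and overdue open items."""
    return [rid for rid, requested, completed in records
            if elapsed_hours(requested, completed, now) > sla_hours]


if __name__ == "__main__":
    for key, value in process_metrics(ACCOUNT_REQUESTS).items():
        print(f"{key}: {value}")
    print("to chase:", breaches(ACCOUNT_REQUESTS))
```

On the constructed records the process meets its target in three of the five decided requests (60%), with a median lead time of one day; the worst item is an open request that has been waiting 76 hours. Reporting the overdue open items separately matters, because a compliance ratio computed from completed requests alone would hide exactly the requests that are stuck.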
  
	
  
The first two metrics are fairly straightforward and well defined. The last one is somewhat new to information security, though used in the financial arena and general risk management [1]. For the purpose of this paper, it is worth having a look at it in more detail.

(i) Value at Risk

The main problem that Value at Risk (VaR) is trying to solve is how to quantify the exposure that an organisation is subject to. Further research into VaR use in information security is needed to make the concept practical and reusable.

However, the input elements into the calculations should be:
§ Business asset value: information assets alone or the value of a business process. A company's PR image is a business asset and in this case should be assigned a value by consensus rather than measurement
§ Security process maturity: measure the maturity of the process (and the controls it includes) that protects the business asset
§ Threat landscape: threats change over time; for example, Sony changed the threat landscape greatly by taking legal action against George Hotz for breaching the PlayStation T&Cs. In combination with the vulnerabilities in their systems, it cost them dearly.

The high level calculation of the VaR is:
1. Measure the maturity of the controls. Assume that maturity level 5 provides 99% (or lower) protection; lower maturity levels provide less protection.
2. Analyse the control to find compensating controls; two low maturity controls may work together to provide higher protection.
3. Analyse the threat landscape and derive the likelihood that the threat agents will attempt to attack.
4. Use the above and the asset value to come up with a probability distribution of monetary exposure
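The four steps above can be carried through as a Monte Carlo simulation: for each simulated year, decide per asset whether an attack is attempted, whether every protecting control fails, and add up the losses; the VaR at a chosen confidence is then a percentile of the simulated totals. The following is an added example, not the paper's calculation, and it rests on assumptions of mine: the protection each maturity level gives (only the 99% figure for level 5 comes from the text), independent failure of compensating controls so that their failure probabilities multiply, loss of the full asset value when an attack gets through, and the three sample assets with their values and attack likelihoods, which are constructed. It also shows the investment argument made later in this section, comparing the VaR before and after raising one control's maturity.

```python
"""Value at Risk for information security following steps 1 to 4, as a
Monte Carlo simulation. Added example, not the paper's own calculation.
Assumptions (all of this example): the protection table, independent control
failures, full asset value lost on a successful attack, the sample assets."""
import random

# Step 1: maturity level -> share of attacks the control stops.
# Level 5 = 99% as assumed in the text; the lower levels are assumed here.
PROTECTION_BY_MATURITY = {0: 0.0, 1: 0.3, 2: 0.6, 3: 0.8, 4: 0.95, 5: 0.99}


def control_failure_probability(maturity_levels):
    """Step 2: compensating controls. An attack gets through only if every
    control in the set fails; failures are assumed independent."""
    p = 1.0
    for level in maturity_levels:
        p *= 1.0 - PROTECTION_BY_MATURITY[level]
    return p


def expected_annual_loss(assets):
    """Mean of the exposure distribution (same currency as the asset values)."""
    return sum(a["value"] * a["attack_likelihood"] * control_failure_probability(a["controls"])
               for a in assets)


def simulate_annual_losses(assets, trials=20000, seed=1):
    """Step 4: sample one year `trials` times and return the list of total losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        total = 0
        for a in assets:
            # Step 3: does a threat agent attempt an attack on this asset this year?
            if rng.random() >= a["attack_likelihood"]:
                continue
            # Step 2: do the protecting controls all fail?
            if rng.random() < control_failure_probability(a["controls"]):
                total += a["value"]
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """Loss that is not exceeded in `confidence` of the simulated years."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]


def with_maturity(assets, name, levels):
    """Copy of `assets` with one asset's controls replaced: the proposed investment."""
    return [dict(a, controls=list(levels)) if a["name"] == name else a for a in assets]


def var_reduction(before, after, confidence=0.95, trials=20000, seed=1):
    """Investment case: the VaR reduction an improvement buys, to set against its cost."""
    return (value_at_risk(simulate_annual_losses(before, trials, seed), confidence)
            - value_at_risk(simulate_annual_losses(after, trials, seed), confidence))


# Constructed sample: value in pounds, yearly likelihood of an attack attempt,
# and the maturity level of each control protecting the asset.
ASSETS = [
    {"name": "Take order from customers", "value": 2_000_000, "attack_likelihood": 0.8, "controls": [2, 2]},
    {"name": "Customer database", "value": 5_000_000, "attack_likelihood": 0.5, "controls": [3]},
    {"name": "PR image (value agreed by consensus)", "value": 1_000_000, "attack_likelihood": 0.3, "controls": [1]},
]

if __name__ == "__main__":
    losses = simulate_annual_losses(ASSETS)
    print(f"expected annual loss: £{expected_annual_loss(ASSETS):,.0f}")
    print(f"95% VaR: £{value_at_risk(losses):,}")
    improved = with_maturity(ASSETS, "Customer database", [5])
    print(f"95% VaR after raising database controls to level 5: "
          f"£{value_at_risk(simulate_annual_losses(improved)):,}")
```

With the constructed figures the expected annual loss is £966,000 but the 95% VaR is £5,000,000, the value of the customer database: the distribution is skewed, which is why a single expected-loss number understates what an executive needs to hold capital against. Raising that one control from level 3 to level 5 brings the 95% VaR down to £2,000,000, a reduction of £3,000,000 that can be set directly against the cost of the improvement, as the text below suggests.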
  
	
  
The pound value for each asset can be collected and aggregated in order to calculate the total exposure probability distribution. This will give CIOs and CISOs a very useful tool to demonstrate the risks to the executive management and thus justify the spending.

Detailed calculations of Value at Risk for information security have not yet been developed and need further research. Value at Risk could also be used to justify security investments, i.e. the reduction in VaR should be higher than the cost spent.

Conclusion

Information Security Risk Management must support the business objectives. Security professionals should have an open dialogue with business leaders and managers, listen to their concerns, and frequently educate them about risks.

The security model can help with explaining why security is important, and can support justifications for that 'rather expensive' piece of technology, depending on the point of view, security policy and business appetite for risk.

[1] McNeil, Alexander; Frey, Rüdiger; Embrechts, Paul (2005). Quantitative Risk Management: Concepts, Techniques and Tools. Princeton University Press. ISBN 978-0691122557.

About the author

Vladimir Jirasek is a passionate information risk professional with more than 16 years of IT industry practice and over 11 years in Information Security and IT Security, Risk and Compliance disciplines. He has both led and managed global teams in Security, Risk and Compliance for multinational corporations such as Nokia, Tesco and DTAG.

In his own time he tries to give something back to the security community by participating in a variety of key industry initiatives, such as the Common Assurance Maturity Model (common-assurance.com), the Cloud Security Alliance (cloud-security.org.uk) and the Open Group's Jericho Forum, working together with industry experts.

He can be contacted at vladimir@jirasek.eu or on +44 (0) 7538 790302.
Vulnerability management - beyond scanning
Vladimir Jirasek
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
Vladimir Jirasek
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
Vladimir Jirasek
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
Vladimir Jirasek
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
Vladimir Jirasek
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
Vladimir Jirasek
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risks
Vladimir Jirasek
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
Vladimir Jirasek
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
Vladimir Jirasek
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
Vladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
Vladimir Jirasek
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
Vladimir Jirasek
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
Vladimir Jirasek
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
Vladimir Jirasek
 

More from Vladimir Jirasek (16)

Vulnerability management - beyond scanning
Vulnerability management - beyond scanningVulnerability management - beyond scanning
Vulnerability management - beyond scanning
 
Vulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London GatheringVulnerability Management @ DevSecOps London Gathering
Vulnerability Management @ DevSecOps London Gathering
 
C-Level tools for Cloud security
C-Level tools for Cloud securityC-Level tools for Cloud security
C-Level tools for Cloud security
 
Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...Secure your cloud applications by building solid foundations with enterprise ...
Secure your cloud applications by building solid foundations with enterprise ...
 
Cloud security and security architecture
Cloud security and security architectureCloud security and security architecture
Cloud security and security architecture
 
2012 10 cloud security architecture
2012 10 cloud security architecture2012 10 cloud security architecture
2012 10 cloud security architecture
 
Mobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistantMobile phone as Trusted identity assistant
Mobile phone as Trusted identity assistant
 
Security architecture for LSE 2009
Security architecture for LSE 2009Security architecture for LSE 2009
Security architecture for LSE 2009
 
Mobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risksMobile security summit - 10 mobile risks
Mobile security summit - 10 mobile risks
 
Integrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processesIntegrating Qualys into the patch and vulnerability management processes
Integrating Qualys into the patch and vulnerability management processes
 
Securing mobile population for White Hats
Securing mobile population for White HatsSecuring mobile population for White Hats
Securing mobile population for White Hats
 
Meaningfull security metrics
Meaningfull security metricsMeaningfull security metrics
Meaningfull security metrics
 
CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011CAMM presentation for Cyber Security Gas and Oil june 2011
CAMM presentation for Cyber Security Gas and Oil june 2011
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir JirasekISE UK&Ireland 2008  Showcase Nominee Presentation Vladimir Jirasek
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
 
Qualys Webex 24 June 2008
Qualys Webex 24 June 2008Qualys Webex 24 June 2008
Qualys Webex 24 June 2008
 
Federation For The Cloud Opportunities For A Single Identity
Federation For The Cloud  Opportunities For A Single IdentityFederation For The Cloud  Opportunities For A Single Identity
Federation For The Cloud Opportunities For A Single Identity
 

Recently uploaded

LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
OnBoard
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
Baishakhi Ray
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
Zilliz
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
ankush9927
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
Priyanka Aash
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
AimanAthambawa1
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
Priyanka Aash
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
shyamraj55
 

Recently uploaded (20)

LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
Semantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software DevelopmentSemantic-Aware Code Model: Elevating the Future of Software Development
Semantic-Aware Code Model: Elevating the Future of Software Development
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Retrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with RagasRetrieval Augmented Generation Evaluation with Ragas
Retrieval Augmented Generation Evaluation with Ragas
 
Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10Computer HARDWARE presenattion by CWD students class 10
Computer HARDWARE presenattion by CWD students class 10
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
Keynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive SecurityKeynote : AI & Future Of Offensive Security
Keynote : AI & Future Of Offensive Security
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 

Information Risk Security model and metrics

INFORMATION RISK SECURITY MANAGEMENT: A Model and Metrics
By Vladimir Jirasek, Information Risk Management Evangelist

Contents (page numbers refer to the document's pages)

Section 1: Introduction ..... 2
1.1 The Security Governance, Risk and Compliance (GRC) model ..... 2
1.1.2 Security Drivers ..... 2
(i) Laws and regulations ..... 2
(ii) Business objectives ..... 2
(iii) Security threats ..... 3
1.1.3 Security Management ..... 3
(i) Policy framework ..... 3
a. Policies ..... 3
b. Standards ..... 3
c. Artefacts ..... 3
(ii) Processes framework ..... 3
(iii) Security metrics framework ..... 3
1.1.4 Stakeholders ..... 4

Section 2: Security Drivers ..... 4
2.1 Business objectives ..... 4
2.2 Legal and regulatory requirements ..... 4
2.3 Security threats ..... 4

Section 3: Security Management ..... 5
3.1 The Policy framework ..... 5
3.1.1 Information security policy ..... 5
3.1.2 Data classification policy ..... 5
(i) Public data ..... 5
(ii) Company-wide data ..... 6
(iii) Restricted access data ..... 6
3.1.3 Employee acceptable policy ..... 6
3.1.4 Information technology security policy ..... 6
3.2 Security standards ..... 7
3.2.1 International standards for security policy and controls ..... 7
3.2.2 Information technology standards ..... 7
3.3 Security architecture repository ..... 8
3.4 Process frameworks and metrics ..... 8
3.4.1 Security processes ..... 8
3.4.2 Security metrics ..... 8
(i) Value at Risk ..... 9
Conclusion ..... 10

About the Author ..... 10
Section 1: Introduction

Information risk security management is an area that is constantly moving to respond to new threats, standards and technologies. Security is now a part of information risk management, which in turn has a place in the overall business risk management strategy.

This document explains a security model that supports business needs, and explores how security professionals could change their mindsets to help ensure future job security.

1.1 The Security Governance, Risk and Compliance (GRC) model

Figure 1 below describes a security model that introduces the topic of security to business managers and CIOs.

[Figure 1: Security GRC model. Three columns: Drivers (laws and regulations, business objectives, security threats, security intelligence, international security standards); Security Management (Policy framework: information security policies, rules, technology standards, information security architecture, which DEFINE security controls; Process framework: information security processes, people, information security requirements, which EXECUTE security controls; Metrics framework: information security metrics and a security metrics portal, which MEASURE security controls maturity); Stakeholders (CEO and Board, line management, product management, programme management, compliance, risk and compliance, auditors, external security professionals). Feedback loops: update business requirements; correction of security processes.]

The model describes three main areas: (1) Security drivers; (2) Security management; and (3) Stakeholders.

1.1.5 Security Drivers

The three major drivers for security are:

(i) Laws and regulations: A company must comply with these or face legal action or a fine. For example, the Data Protection Act and the Company Act are examples of the legal drivers; PCI DSS is an example of a regulation driver.

(ii) Business objectives: Companies typically want to generate profit and define a set of business objectives. Security supports these business objectives by protecting systems and information used in the business processes. Think of protecting Microsoft Windows source code: if the source code were not protected, anyone could compile their own operating system without paying Microsoft any license fee. Hence, Microsoft's business objective to 'Sell software' is supported by the security objective 'Protect source code'. Similarly, Amazon's business
objective is to sell products in their online shop; their business objective is to have an online shop up 24/7; the security objective is to keep systems free of malware that could disrupt or slow down IT systems.

(iii) Security threats: Security threats work against laws and regulations and business objectives. However, they also drive information security, and companies need to respond to threats in order to satisfy the first two drivers.

1.1.6 Security Management

Within this area there are three frameworks that enable a company to achieve the objectives defined in the 'drivers' section:

(i) Policy framework

This is a set of policies, standards and guidelines that describe how a company addresses information security drivers, and define the security controls available for a company to implement. There are also international standards that can be a source of information and controls for the Policy framework.

a. Policies: also known as Security Control Objectives, these typically use words such as 'should' and 'must'. The key objective of the security policy document is alignment with the business objectives and drivers.

b. Standards: detailed security controls that should be implemented to support individual policy statements; one policy statement can be supported by multiple security controls. These should be linked to a policy, otherwise the security professional will be unable to justify why a password needs to be 12 characters and change every 45 days, for instance. The controls should be selected from an internationally accepted catalogue of controls (see the section below on 'International Standards').

c. Artefacts: Architecture standardisation is the key to the success of any company, and the same applies to security. If a solution to implement a security control is found in the 'Standard', it should be put into a 'Security Architecture Repository'. That way, others can benefit and, more importantly, consistent security is achieved. Many security professionals do not document artefacts into a shared library, which can often result in problems when they leave the company.

(ii) Processes framework

This section in Security Management implements what is stated in the Policy framework. Any security control in a policy or standard is a process, no exceptions. Each process is supported by people and most are supported by technology. However, there needs to be a link between any technology the company has, its process, and the corresponding control in the Policy framework, up to the business objective. This enables traceability of the security investment and allows security professionals to justify security budgets.

(iii) Security metrics framework

This is a developing area of information security management. The common adage 'what cannot be measured, cannot be managed' can be applied equally well to security. Security professionals should be able to measure the status of security controls, the compliance with their own policies, and the effectiveness of security processes. The key metric is to take a security policy statement and measure each team against it; this will provide a balanced scorecard for security. The metrics framework provides feedback to the Process framework, to assist with security process design.

1.1.7 Stakeholders

Stakeholders are the recipients of the security metrics framework results. The stakeholders need to know that what has been promised is being delivered. More importantly, the security professionals need to show the value of security to the business. This is an area where security professionals need to enhance their skills; they need to talk to stakeholders, uncover their concerns, and show them
that they are being addressed. This should be followed by a report that relates to their specific area and concerns; they need to see that security personnel are on their side!

Section 2: Security Drivers

2.1 Business objectives

Security professionals exist to support the business. Companies are driven by their vision and mission statements, translated into business strategies that describe how to achieve that vision. The business objectives define how the organisation wants to achieve its targets. If a business objective is to 'Supply customers with the goods', the security objectives should be to protect the process of supplying the customer. This clear link between business and security objectives can sometimes be missing.

2.2 Legal and regulatory requirements

Businesses need to comply with legal, regulatory and contractual requirements (listed in order of impact). Legal requirements are typically related to the way the company is governed, how it prepares its accounts and how it protects personal data. In the UK, the Company Act 2006, 'part 15 Accounts and reports', states clearly the requirements relating to how accounts are created and reported. It also includes penalties for untrue and misleading accounts. In the USA, the Sox legislation was created after major financial scandals. The Data Protection Directive, Principle 7, states that access to data must be limited to the authorised persons. And although the Data Protection Directive does not state which security controls should be implemented, the guidance states that there are internationally accepted standards relating to building information security systems in a company.

As a result of this legislation, any information security system implementation must protect data and information systems so that they are:
a) accurate (in security terminology the word 'Integrity' is used)
b) available, and
c) access to the content is assured ('Confidentiality' in security terminology).

A practical example

A telecommunication company sells mobile phones and call plans to its customers. One of its objectives is to 'Deliver outstanding customer service, measured by customer satisfaction'. This objective is supported by a business process 'Customer service', whereby customer service representatives in shops, call centres and online talk to customers to solve their problems and answer questions.

Customer satisfaction is dependent on a) speed to initial contact, and b) completeness of response. The information security risks identified are: 1) information systems unavailable or slow, so the initial response time is affected; 2) information in the knowledge base system is inaccurate; and 3) the customer data in the CRM system becomes compromised, resulting in a fine and bad PR.

From this quick risk analysis, it is easy to understand where the information security policy needs to focus and what the security objectives should be.

2.3 Security threats

Security threats affect the level of protection (i.e. control) that is needed. Threats come from attackers who want to either acquire information or limit business opportunities by affecting business processes. Microsoft has created a very good methodology (STRIDE) for assessing threats and designing security controls to prevent threats from harming business processes. The role of the security model is to capture security threats and design security objectives and controls to protect the business. Security intelligence is the capability to analyse security threats and advise what controls should be included in the policy framework.
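The traceability chain from Section 1.1 (technology and process, to control, to policy statement, to business objective) and the per-team policy scorecard that the metrics framework calls for can be made concrete in code. The following is an added example, not code from the paper or its author; every policy statement, control id, team name and check result is constructed, modelled on the telecom 'practical example' above, and the unlinked password control C4 stands in for the unjustifiable standard mentioned under 'Standards'.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PolicyStatement:
    id: str
    text: str
    business_objective: str   # the driver this statement supports
    security_property: str    # Integrity, Availability or Confidentiality


@dataclass(frozen=True)
class Control:
    id: str
    text: str
    policy_id: Optional[str]  # None: a control with no policy statement behind it


@dataclass(frozen=True)
class CheckResult:
    control_id: str
    team: str
    passed: bool


# Constructed data (hypothetical), modelled on the telecom example.
OBJECTIVE = "Deliver outstanding customer service"
POLICIES = [
    PolicyStatement("P1", "Customer-facing systems must be available during service hours", OBJECTIVE, "Availability"),
    PolicyStatement("P2", "Knowledge base content must be accurate and change-controlled", OBJECTIVE, "Integrity"),
    PolicyStatement("P3", "Access to customer data in the CRM must be limited to authorised persons", OBJECTIVE, "Confidentiality"),
]
CONTROLS = [
    Control("C1", "Availability monitoring against a monthly service-hours target", "P1"),
    Control("C2", "Knowledge base changes require peer review before publication", "P2"),
    Control("C3", "CRM access rights reviewed quarterly", "P3"),
    Control("C4", "Passwords are 12 characters and changed every 45 days", None),
    Control("C5", "CRM access logs reviewed monthly", "P3"),
]
RESULTS = [
    CheckResult("C1", "Call centre", True),  CheckResult("C1", "Online", False),
    CheckResult("C2", "Call centre", True),  CheckResult("C2", "Online", True),
    CheckResult("C3", "Call centre", False), CheckResult("C3", "Online", True),
    CheckResult("C5", "Call centre", True),  CheckResult("C5", "Online", True),
    CheckResult("C4", "Call centre", True),
]


def orphan_controls(controls: List[Control]) -> List[str]:
    """Controls not linked to any policy statement: they cannot be justified to the business."""
    return [c.id for c in controls if c.policy_id is None]


def trace(control_id: str, controls: List[Control], policies: List[PolicyStatement]) -> Tuple[str, str, str]:
    """Walk one control up to its policy statement and the business objective it supports."""
    control = next(c for c in controls if c.id == control_id)
    if control.policy_id is None:
        raise ValueError(f"{control_id} is not linked to a policy statement")
    policy = next(p for p in policies if p.id == control.policy_id)
    return (control.id, policy.id, policy.business_objective)


def scorecard(controls: List[Control], results: List[CheckResult]) -> Dict[str, Dict[str, float]]:
    """Balanced scorecard: for each team and each policy statement, the share of control checks passed."""
    policy_of = {c.id: c.policy_id for c in controls}
    counts: Dict[Tuple[str, str], List[int]] = defaultdict(lambda: [0, 0])  # [passed, total]
    for r in results:
        pid = policy_of.get(r.control_id)
        if pid is None:
            continue  # orphan control: there is no policy statement to measure against
        cell = counts[(r.team, pid)]
        cell[1] += 1
        cell[0] += int(r.passed)
    card: Dict[str, Dict[str, float]] = defaultdict(dict)
    for (team, pid), (passed, total) in counts.items():
        card[team][pid] = passed / total
    return {team: dict(row) for team, row in card.items()}


def team_scores(card: Dict[str, Dict[str, float]]) -> Dict[str, float]:
    """One figure per team: the mean of its per-policy compliance shares."""
    return {team: sum(row.values()) / len(row) for team, row in card.items()}


def below_target(card: Dict[str, Dict[str, float]], target: float) -> List[Tuple[str, str]]:
    """(team, policy) cells under target: the feedback the metrics framework sends to the process framework."""
    return sorted((team, pid) for team, row in card.items() for pid, v in row.items() if v < target)


if __name__ == "__main__":
    print("unjustified controls:", orphan_controls(CONTROLS))
    print("trace C3:", trace("C3", CONTROLS, POLICIES))
    card = scorecard(CONTROLS, RESULTS)
    for team, row in card.items():
        print(team, row)
    print("team scores:", team_scores(card))
    print("below 75%:", below_target(card, 0.75))
```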
Section 3: Security Management

3.1 The Policy framework

This is the first element of the ‘Security Management’ part of the model. The Security Policy is usually not a single document, and rightly so. The documents in the Security Policy library have different audiences and levels of detail; see Figure 2 below.

Figure 2: Information Security Policy framework [diagram; labels: CISO: business and security objectives, Information security policy, Data classification policy, Employee acceptable use policy; CIO: security objectives, Information technology security policy, IT security standards (reuse internationally accepted controls); IT Security Architecture: controls and processes, Security architecture repository (technology, processes); Technical teams: Security guidelines]

3.1.1 Information security policy

The primary objective of the Information security policy is to state business objectives and high level security objectives. The document also sets accountabilities for ensuring the security objectives are met. The document should be owned by the CISO or CSO but approved by the Board; as the Board is responsible for approval of business strategy and objectives, the protection of these is obviously in the Board’s interest.

3.1.2 Data classification policy

The top level policy should also make provision for a data classification scheme, which can then be detailed in the Data classification policy. Data classes depend on the nature of the business but at the minimum should include:

(i) Public data that are in the public domain. It is a mistake to assume that public data do not need any protection.
For example, take a company homepage; typically this is information that a company wants to share with the world, i.e. it is ‘Public’. But what happens if the information on the website changes without authorisation? Examples can range from defacing of the website, to unintentional mistakes by employees, mixing up the product descriptions, changes in prices of the products etc. The public information usually needs to be ‘accurate’ and ‘available’, but obviously there is no requirement to keep the information ‘confidential’.

(ii) Company-wide data: this type of information can be shared between employees and people who have signed an NDA. This is by far the largest category of information in most organisations. It is also referred to as ‘semi-public’, and the bigger the organisation the greater the probability of leakage from employees or partners.

(iii) Restricted access data: some information will be accessible on a need-to-know basis, depending on the type of business. Business plans, strategy, research data, and new product details are just some examples of the information that should be well protected.

3.1.3 Employee acceptable use policy

This policy document should spell out the most important policies for employees. Good security and HR professionals do not expect users to remember all policy documents. The objective of this document is to show employees what is critical and where to find more information.

3.1.4 Information technology security policy

Most companies rely on information technology to run the business processes. The role of CIOs has become to support the business, understand where the company wants to expand, and suggest how to become more agile and cost effective. IT can be a saviour or a nightmare, depending on the abilities of the CIO. The security policy for the CIO team needs to translate business objectives into security objectives and controls, as shown in Figure 3 below.
Figure 3: Relationship between business objectives and security processes [diagram; labels: Business objectives BO1 to BO3; Security objectives SO1 to SO5; Controls C1 to C11, drawn from International standards; Security processes P1 to P4; Business processes B1 to B3; annotation at the top: Provides response to ‘Do we have all business risks covered?’; annotation at the bottom: Provides response to ‘Why are we doing this?’]

The figure shows how business objectives on the left influence security objectives. Each security objective then has several security controls (C1 to C11) and these are implemented by security processes. Lastly, the business processes are protected by the security processes. Such a model answers two critical questions:

a) Do we have all business risks covered?
b) Why are we spending money on the security controls?
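As an added illustration, not code from the paper, the chain in Figure 3 can be held as data and the two questions coded as checks over it. The objective, control and process names are the paper's own examples; the links between them, the process owners and the business processes are constructed assumptions.

```python
# Added example (not from the paper): Figure 3's traceability chain as data,
# with the two questions the model answers written as checks over it.
# Names are the paper's examples; links, owners and business processes are
# constructed for illustration (identifiers follow Figure 3's BO/SO/C/P/B labels).

# security objective -> (name, business objectives it supports)
SECURITY_OBJECTIVES = {
    "SO1": ("Manage access to information", {"BO1", "BO2"}),
    "SO2": ("Keep systems resistant to malware", {"BO2"}),
    "SO3": ("Provide security training", set()),   # constructed gap: supports no BO
}
# control -> (name, security objectives it implements, security process it belongs to)
CONTROLS = {
    "C1": ("Manage accounts in the IT systems", {"SO1"}, "P1"),
    "C2": ("Install anti-malware software", {"SO2"}, "P2"),
    "C3": ("Patch systems with vendor patches within X days", {"SO2"}, "P2"),
    "C4": ("Create the training material", {"SO3"}, "P3"),
}
# security process -> (name, owner, business processes it protects)
PROCESSES = {
    "P1": ("Access management", "IAM team", {"B1", "B2"}),
    "P2": ("Security configuration & patch management", "Server team", {"B2"}),
    "P3": ("Security awareness", None, set()),      # constructed gap: no owner
}
BUSINESS_PROCESSES = {"B1": "Answer customer queries",
                      "B2": "Take order from customers",
                      "B3": "Ship orders"}          # constructed gap: unprotected


def why_are_we_doing_this(control_id):
    """'Why are we spending money on this control?': walk from the control up
    through its security objectives to the business objectives they support."""
    _, sec_objs, _ = CONTROLS[control_id]
    return sorted({bo for so in sec_objs for bo in SECURITY_OBJECTIVES[so][1]})


def coverage_gaps():
    """'Do we have all business risks covered?': every business process must be
    protected by a security process, every process needs an owner, and every
    control and security objective must trace back to a business objective."""
    gaps = []
    protected = set()
    for pid, (_, owner, bps) in PROCESSES.items():
        protected |= bps
        if owner is None:
            gaps.append(f"{pid} has no owner")
    for bid in BUSINESS_PROCESSES:
        if bid not in protected:
            gaps.append(f"{bid} is not protected by any security process")
    for sid, (_, bos) in SECURITY_OBJECTIVES.items():
        if not bos:
            gaps.append(f"{sid} does not support any business objective")
    for cid in CONTROLS:
        if not why_are_we_doing_this(cid):
            gaps.append(f"{cid} cannot be traced to a business objective")
    return gaps


if __name__ == "__main__":
    for cid in CONTROLS:
        print(cid, "->", why_are_we_doing_this(cid))
    for gap in coverage_gaps():
        print("GAP:", gap)
```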
Examples of security objectives are:
§ Establish security governance
§ Provide security training
§ Manage access to information
§ Keep systems resistant to malware
§ Establish secure systems/applications processes
§ Monitor systems for security events
§ Manage security incidents
§ Monitor security compliance

Each security objective then contains a number of security controls. These are typically included in more detailed documents, such as IT Security standards and security artefacts.

Examples of security controls are:
§ Create the training material; monitor attendance of security trainings
§ Review feedback from security trainings
§ Manage accounts in the IT systems – create accounts for new users, modify when the role changes and delete/disable when the account is no longer needed
§ Install anti-malware software; establish and implement secure configuration for each operating system in use; update configurations on systems as per the changing threat landscape; patch systems with vendor patches within X days

Each control needs to be linked to one or more security objectives. A number of security controls is part of a security process, and each process must have its owner and must be measured.

Finally, each security process contributes to the security of a number of business processes. For example, the security process ‘Security configuration & patch management’ ensures that IT systems used in the business process ‘Take order from customers’ run smoothly and as expected.

3.2 Security standards

3.2.1 International standards for security policy and controls

Figure 3 shows business objectives, which will be specific to each company. However, security objectives, whilst supporting the business objectives, should be selected from a catalogue of internationally recognised ones, and international standards can play an important role. It is important to understand which objectives, controls and processes to take ‘as is’ and where a customisation is needed. Moreover, there might be business objectives and business processes that need controls that are not included in the international standards. Standardisation is needed but should not be applied blindly. Standards such as ISO 27001 & 27005, COBIT 4, and the ISF Standard of Good Practice (both 2007 and 2011 editions) are generally extremely useful.

3.2.2 Information technology standards

This document, or set of documents, contains a list of security controls related to the technology used in a company. As mentioned above, these controls are of sufficient detail to describe what is required. Further implementation information is usually included in ‘Guidelines’ or ‘Security Artefacts’.

The level of detail included in technology standards will range from high level, such as ‘Implement account creation process to create account within two days of request’, to more detailed, such as ‘Use Windows 2008 R2 server with configuration W2k_DMZ for servers located in the DMZ’.
3.3 Security architecture repository

Consistency is key in information security. TOGAF 9 has a good approach to standardisation and reusability, as does the SABSA security framework. Standardisation and reusability ensure higher maturity in information security. For this reason, having a library of reusable security architecture components (artefacts) is extremely important.

TOGAF 9 defines an artefact as:

“A product that describes architecture from a specific viewpoint. Examples include a network diagram, a server specification, a use-case specification, a list of architectural requirements, and a business interaction matrix. Artefacts are generally classified as catalogues (lists of things), matrices (showing relationships between things), and diagrams (pictures of things) …”

In the context of an information security model, artefacts are re-usable for the creation of information security architecture, either a technology (such as ‘We use Cisco firewall and this is how it is configured’) or a process (such as ‘We have standardised our incident response process and this is how it is done’).

The technology section of the repository should contain, for example:
§ Standard set of technologies used in the company (related to security)
§ Configuration standards for the technologies above (e.g. Windows 7 laptop local security policy object)
§ Hardening configuration of Web servers, DB servers and other servers.
The process section of the repository should contain standard descriptions for security processes, in the detail needed to replicate the process in another part of the organisation, in a subsidiary, or when acquiring another company. From experience, the documenting of processes is not a strong skill of many IT and information security professionals.

3.4 Process frameworks and metrics

3.4.1 Security processes

As stated earlier in this document, and shown in Figures 1 and 3, security processes are an integral part of the security model. For example, ISACA, the organisation behind COBIT, ensures that the default view in COBIT is based on processes, where each process is defined by the objective, stakeholders, maturity levels and controls.

Another international standard, ISM3 – now adopted by the Open Group – also sees security processes as key to having mature security systems. Processes in general often have a bad name due to their rigidity and over-complex set-ups; however, it is important to understand that a process can easily be made complex – it takes skill to create processes that are lean and adaptive.

3.4.2 Security metrics

Measuring of processes in any company is one of the key techniques to ensure that inefficiencies are recognised and corrected. Measurement is a product of the industrial revolution; Frederick Taylor published Scientific Management in 1911, a revered work on the capacity of observation and measurement to improve productivity. By the same token, security processes must be observed, monitored and measured to improve them.

Security metrics are a largely neglected area in information security. There are some exceptions, such as COBIT, which brings maturity levels for CIOs and CISOs. Another promising candidate is the Common Assurance Maturity Model (CAMM), which brings information security maturity levels into the supply chain.
Gartner has researched IT and security metrics, and the relationship between KPI and KRI (Key Risk Indicators). Furthermore, what the business leaders are interested in is: ‘What impact do security controls (or lack of) have on the business processes and the bottom line?’ Security professionals have, for a long time, used the FUD (fear, uncertainty and doubt) approach and are now finding this does not resonate with their audiences.

It is also accepted that maturity of security controls and processes inversely affects risks to the organisation. The problem many security professionals face is in having to justify additional costs to move from maturity level 2 (repeatable) to 3 (defined) and beyond.

With this in mind, it would be prudent for organisations to measure:
§ Basic operational metrics to keep an eye on processes (i.e. do they operate as expected?)
§ Each security process for its maturity
§ Value at risk, expressed in £s, to which a business process is exposed due to low maturity of security controls (or lack of them, as defined by COBIT level 0)

The first two metrics are fairly straightforward and well defined. The last one is somewhat new to information security, though used in the financial arena and general risk management [1]. For the purpose of this paper, it is worth having a look at it in more detail.

(i) Value at Risk

The main problem that Value at Risk is trying to solve is how to quantify the exposure that an organisation is subject to. Further research into VaR use in information security is needed to make the concept practical and reusable.
However, the input elements into the calculations should be:
§ Business asset value – information assets alone or the value of a business process. A company’s PR image is a business asset and in this case should be assigned a value by consensus rather than measurement
§ Security process maturity – measure the maturity of the process (and included controls) that protect the business asset
§ Threat landscape – threats change over time; for example, Sony changed the threat landscape greatly by prosecuting George Hotz for breaching the PlayStation T&Cs. In combination with the vulnerabilities in their systems, it cost them dearly.

The high level calculation of the VaR is:
1. Measure the maturity of the controls. Assume that maturity level 5 provides 99% (or lower) protection; lower maturity levels provide less protection.
2. Analyse the control to find compensating controls; two low maturity controls may work together to provide higher protection.
3. Analyse the threat landscape and derive the likelihood that the threat agents will attempt to attack.
4. Use the above and the asset value to come up with a probability distribution of monetary exposure.

The pound value for each asset can be collected and summarised in order to calculate the total exposure probability distribution. This will give CIOs and CISOs a very useful tool to demonstrate the risks to the executive management and thus justify the spending.

Detailed calculations of Value at Risk for information security have not yet been developed and need further research.
Value at Risk could also be used to justify security investments, i.e. the reduction in VaR should be higher than the cost spent.
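The four-step calculation and the investment comparison above, sketched as an added Python example that is not from the paper (which says detailed calculations are still to be developed). The maturity-to-protection percentages, the compensating-control rule, and the sample assets with their values and attack likelihoods are all constructed assumptions.

```python
# Added example, not from the paper: a Monte Carlo sketch of the four-step VaR
# calculation above. The maturity-to-protection table, the compensating-control
# rule, and the asset values and attack likelihoods are constructed assumptions.
import random

# Step 1 (assumption): maturity level -> probability that the control stops an
# attack. Level 5 gives 99% as the paper assumes; level 0 (COBIT: no control) none.
PROTECTION_BY_MATURITY = {0: 0.0, 1: 0.20, 2: 0.45, 3: 0.70, 4: 0.90, 5: 0.99}

# Constructed sample: value in pounds, annual likelihood that threat agents
# attempt an attack (step 3), maturity levels of the controls protecting the asset.
SAMPLE_ASSETS = [
    {"name": "CRM customer data", "value": 2_000_000, "p_attack": 0.6, "maturity": [3, 2]},
    {"name": "Knowledge base", "value": 300_000, "p_attack": 0.3, "maturity": [2]},
    {"name": "Company homepage", "value": 150_000, "p_attack": 0.8, "maturity": [4]},
]


def combined_protection(maturity_levels):
    """Step 2 (assumption): compensating controls are independent, so an attack
    succeeds only if it gets past every one; two low-maturity controls together
    therefore protect better than either alone."""
    fail_all = 1.0
    for level in maturity_levels:
        fail_all *= 1.0 - PROTECTION_BY_MATURITY[level]
    return 1.0 - fail_all


def expected_loss(assets):
    """Closed-form annual expected loss: sum of P(attack) * P(controls fail) * value."""
    return sum(a["p_attack"] * (1.0 - combined_protection(a["maturity"])) * a["value"]
               for a in assets)


def simulate_exposure(assets, runs=20_000, seed=1):
    """Step 4: simulate many years; an asset is lost in full in a year where an
    attack is attempted and the controls fail. Returns the simulated total annual
    losses, i.e. the monetary exposure distribution."""
    rng = random.Random(seed)
    losses = []
    for _ in range(runs):
        total = 0
        for a in assets:
            if rng.random() < a["p_attack"] and \
                    rng.random() >= combined_protection(a["maturity"]):
                total += a["value"]
        losses.append(total)
    return losses


def value_at_risk(losses, confidence=0.95):
    """VaR at the given confidence: the loss not exceeded in that fraction of
    simulated years (a sample quantile of the exposure distribution)."""
    ordered = sorted(losses)
    return ordered[min(len(ordered) - 1, int(confidence * len(ordered)))]


if __name__ == "__main__":
    # Investment check: raise the CRM controls to maturity 4 and compare VaR;
    # the drop in VaR is what the spend must be weighed against.
    now = simulate_exposure(SAMPLE_ASSETS)
    better = [dict(a, maturity=[4, 4]) if a["name"] == "CRM customer data" else a
              for a in SAMPLE_ASSETS]
    print(f"VaR95 now {value_at_risk(now):,}; after raising CRM control maturity: "
          f"{value_at_risk(simulate_exposure(better)):,}")
```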
Conclusion

Information Security Risk Management must support the business objectives. Security professionals should have open dialogue with business leaders and managers, listen to their concerns, and frequently educate them about risks.

The security model can help with explaining why security is important, and can support justifications for that ‘rather expensive’ piece of technology, depending on the point of view, security policy and business appetite for risk.

[1] McNeil, Alexander; Frey, Rüdiger; Embrechts, Paul (2005). Quantitative Risk Management: Concepts, Techniques and Tools. Princeton University Press. ISBN 978-0691122557.

About the author

Vladimir Jirasek is a passionate information risk professional with more than 16 years of IT industry practice and over 11 years in Information Security and IT Security, Risk and Compliance disciplines. He has both led and managed global teams in Security, Risk and Compliance for multinational corporations such as Nokia, Tesco, and DTAG.

In his own time he tries to give something back to the security community by participating in a variety of key industry initiatives, such as the Common Assurance Maturity Model (common-assurance.com), Cloud Security Alliance (cloud-security.org.uk), and the Open Group’s Jericho Forum, working together with industry experts.

He can be contacted at vladimir@jirasek.eu or on +44 (0) 7538 790302