Table of Contents
I. Introduction
II. Traditional Information Security Management
III. The New Paradigm
IV. ISMS International Standards
V. ISMS and Statutes: Mutual Support
VI. Summary
I. Introduction
Information is the lifeblood of all organizations and exists in many forms. It is printed or written on paper, stored electronically, transmitted by mail or electronically, shown in films, and spoken in conversation. In today's competitive business environment, such information is constantly under threat from many types of sources, including internal, external, accidental, and malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats. In the first half of 2005, there have been numerous dramatic information security breakdowns that resulted in highly publicized theft of millions of citizens' private financial information: social security numbers, home addresses, credit histories, etc. The unauthorized releases put each and every one of those citizens at high risk for identity theft. The companies involved suffered from the financial cost of reparation, public embarrassment, increased scrutiny by regulators, a drop in their stock's value, and in one case risk to their relationships with their largest customers. Sarbanes-Oxley has also increased the penalties and personal liabilities for security lapses to the corner office, holding CEOs personally liable for the effectiveness of internal controls. These forces have led to a paradigm shift in enterprise information security.
Figure 1
Figure 1 illustrates the traditional form in which information security has been implemented and managed. Security was confined to the Information Technology Department and had limited, if any, involvement with other business units. Generally the Board of Directors and C-level management had little or no involvement in the creation or enforcement of policies and actions of IT's information security staff. With no enterprise-level manager responsible for information security across all business units, policy was compartmentalized. IT managers below the CIO effectively set and maintained information security policy within their areas. There was limited interaction with other business units except where IT-supported systems overlapped. Any information security activities and policies within non-IT business units were the product of their individual managers and external regulatory requirements. With the advent of SOX Section 404 requirements for certifying the effectiveness of internal controls, this structure is no longer viable: it does not support the CEO's and CFO's annual certification of the effectiveness of internal controls to the SEC.
Figure 2
Figure 2 illustrates the new ISMS paradigm structure. The two key concepts illustrated are that the Board of Directors and C-level managers are directly involved in establishing the enterprise-wide information security program as well as the policies, reporting, and management structure for the effort. Note that the IT department is no longer the "keeper of the keys" in this structure. IT is one of the business units involved in information security and continues to have responsibility for the tactical implementation of security in the network, software development processes, etc., but it is not alone in these responsibilities. The Information Security Department, in this structure, is a separate group within the enterprise and interacts with IT and other business units to ensure that the security policies and standards are implemented appropriately. Effectively, the Information Security group is the new "keeper of the keys" within the enterprise. In the financial industry it has become common practice to have a Compliance Department implement and monitor compliance with lending laws and other regulations that impact the line-of-business operations. It is more efficient to centralize monitoring and administration of these efforts rather than distribute these tasks to each business unit. The need for a centralized security entity has developed in the information security arena as well. Since information security mandates are being issued by legislative and regulatory bodies all across the country, and apply to any firm that does business in that jurisdiction, multi-state enterprises should follow the financial industry's Compliance Department precedent with an Enterprise Information Security Department.
www.ccpace.com 2005 CC Pace, All Rights Reserved
Together the two sections include the concepts and controls that need to be included in an ISMS and collectively describe the management and reporting structure required of a best-practices system. Part One of the standard concentrates on defining the best practices for an ISMS. Part Two documents the specific practice areas and controls that are included in an audit of an ISMS. Part Two is organized into the following ten sections corresponding to the areas of concern of an ISMS:
Security policy - To provide management direction and support for information security
Organization of assets and resources - To help manage information security within the organization
Asset classification and control - To help identify assets and appropriately protect them
Personnel security - To reduce the risks of human error, theft, fraud, or misuse of facilities
Physical and environmental security - To prevent unauthorized access, damage, and interference to business premises and information
Communications and operations management - To ensure the correct and secure operation of information processing facilities
Access control - To provide authentication and privilege controls for information assets
Systems development and maintenance - To ensure that security is designed and built into information systems
Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major disasters or failures
Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements
Each of the ten sections of ISO 17799 includes descriptions of the internal controls that apply to that topic. For instance, the Personnel Security controls include ensuring that staff:
- Have all of the appropriate procedure documentation at their workstation
- Receive adequate initial training on security procedures and regular security awareness refresher training
- Understand their role in reporting security weaknesses within the firm.
The standards and controls are specifically designed to be independent of technology and can apply to an organization of any size. They are strategic in that they are not concerned with how a control is implemented, only that it is effective, manageable, and its results are measured in real life.
Figure 3 (partially recovered from the extracted layout): mapping of general control categories to ISO 17799 clauses. The first row's control category is cut off in the extract; only its ISO 17799 clauses survive.

(control category not recoverable) -> A.5 Asset Classification & Control; A.8 Communications and Operations Management; A.11 Business Continuity Management

System Software Controls - Controls over the effective acquisition, implementation and maintenance of system software, database management, telecommunications software, security software and utilities -> A.8 Communications and Operations Management; A.12 Compliance

Access Security Controls - Controls that prevent inappropriate and unauthorized use of the system -> A.9 Access Control

Application System Development and Maintenance Controls - Controls over the development methodology, which include system design and implementation, outlining specific phases, documentation requirements, approvals, and checkpoints to control the development or maintenance of the project -> A.10 System Development & Maintenance

Figure 3
The ISO 17799 Standard was designed broadly to apply to all industries and encompass the best practices for any firm's ISMS. Consequently, the major IT governance controls (i.e. CobiT, Control Objectives for IT governance) and regulatory-mandated controls (e.g. HIPAA, GLBA, California SB1386, etc.) map easily to the clauses and controls that an ISO-compliant ISMS would already have established. This clearly illustrates a key strength of an ISMS: newly mandated controls will in all likelihood already be in place, requiring at most minor adjustments in order to be compliant. Thus, an operating ISMS reduces the effort and costs required to implement new regulatory mandates.
VI. Summary
The practice of information security has evolved from an IT-centric effort to one requiring enterprise-wide attention and C-level management involvement on a regular basis. Both regulators and shareholders have changed the definition of fiduciary duty to include responsibility for internal information security controls and made the CEO and CFO personally liable for certifying that the firm has effective controls. New mandates for protecting personal, financial, and medical information are being passed regularly, and need to be implemented promptly using a systematic approach in order to maintain compliance across the enterprise: Information Security Management Systems. The stakes are being raised both personally and as an enterprise. We have reached a "strategic inflection point," to quote Andrew Grove from Only the Paranoid Survive, on how firms handle information security. The way in which firms respond to the new security environment can help determine whether they thrive or are consumed by litigation over information security incidents and questions regarding lack of due diligence. In this case, Mr. Grove was right: only the paranoid will survive.
Author Information:
Greg Rondot (greg.rondot@ccpace.com)
CC Pace
4100 Monument Corner Drive, Suite 400
Fairfax, VA 22030
Phone: 703-631-6600
For more information please visit our website at: www.ccpace.com