Information Security Management: The New Security Paradigm

www.ccpace.com 2005 CC Pace, All Rights Reserved

Table of Contents
I. Introduction ................................................................................................................................... 3 II. Traditional Information Security Management ............................................................................. 4 III. The New Paradigm ..................................................................................................................... 5 IV. ISMS International Standards .................................................................................................... 7 V. ISMS and Statutes: Mutual Support ........................................................................................... 8 VI. Summary ................................................................................................................................ 10

www.ccpace.com 2005 CC Pace, All Rights Reserved

I. Introduction
Information is the lifeblood of all organizations and exists in many forms. It is printed or written on paper, stored electronically, transmitted by mail or electronically, shown in lms, and spoken in conversation. In todays competitive business environment, such information is constantly under threat from many types of sources, including internal, external, accidental, and malicious. With the increased use of new technology to store, transmit, and retrieve information, we have all opened ourselves up to increased numbers and types of threats. In the rst half of 2005, there have been numerous dramatic information security breakdowns that resulted in highly publicized theft of millions of citizens private nancial information social security numbers, home addresses, credit histories, etc. The unauthorized releases put each and every one of those citizens at high risk for identity theft. The companies involved suffered from the nancial cost of reparation, public embarrassment, increased scrutiny by regulators, drop in their stocks value, and in one case risk to their relationships with their largest customers. Sarbanes-Oxley has also increased the penalties and personal liabilities for security lapses to the corner ofce, holding CEOs personally liable for the effectiveness of internal controls. These forces have led to a paradigm shift in enterprise information security.

www.ccpace.com 2005 CC Pace, All Rights Reserved

II. Traditional Information Security Management

Business has traditionally viewed information security as an IT-centric concern. Information security traditionally concentrated on preventing unauthorized access to computerized records from outside the organization. Consequently, the focus has been more on network perimeter solutions, resulting in rewall and other network security product vendors enjoying a signicant share of IT budget. All the while, internal aspects of information security, such as employee security awareness and proper accountability for document control, have been neglected The unfortunate result of this approach is that over 70% of the security breaches in the past few years have been attributed to corporate insiders. The security gap is clear.

Figure 1
Figure 1 illustrates the traditional form in which information security has been implemented and managed. Security was conned to the Information Technology Department and had limited, if any, involvement with other business units. Generally the Board of Directors and C-level management had little or no involvement in the creation or enforcement of policies and actions of ITs information security staff. With no enterprise level manager responsible for information security across all business units, policy was compartmentalized. IT managers below the CIO effectively set and maintained information security policy within their areas. There was limited interaction with other business units except where IT-supported systems overlapped. Any information security activities and policies within non-IT business units were the product of their individual managers and external regulatory requirements. With the advent of SOX Section 404 requirements for certifying the effectiveness of internal controls, this structure is no longer viable it does not support the CEOs and CFOs annual certication of the effectiveness of internal controls to the SEC.

www.ccpace.com 2005 CC Pace, All Rights Reserved

III. The New Paradigm

The new paradigm, Information Security Management Systems (ISMS), is much more comprehensive, concentrating on business processes and the company as a whole rather than simply on the IT aspects. An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It encompasses people, processes, and IT systems. This paradigm shift has come about as a result of the increasing threats to businesses, creating a need to establish a comprehensive Information Security Policy within the enterprise. It is now managements responsibility to ensure the condentiality, integrity, and availability of vital corporate and customer information.

Figure 2
Figure 2 illustrates the new ISMS paradigm structure. The two key concepts illustrated are that the Board of Directors and C-level managers are directly involved in establishing the enterprise wide information security program as well as the policies, reporting, and management structure for the effort. Note that the IT department is no longer the keeper of the keys in this structure. IT is one of the business units involved in information security and continues to have responsibility for the tactical implementation of security in the network, software development processes, etc., but it is not alone in these responsibilities. Information Security Department, in this structure, is a separate group within the enterprise and interacts with IT and other business units to ensure that the security policies and standards are implemented appropriately. Effectively, the Information Security group is the new keeper of the keys within the enterprise. In the nancial industry it has become common practice to have a Compliance Department implement and monitor compliance with lending laws and other regulations that impact the line of business operations. It is more efcient to centralize monitoring and administration of these efforts rather than distribute these tasks to each business unit. The need for a centralized security entity has developed in the information security arena as well. Since information security mandates are being issued by legislative and regulatory bodies all across the country, and apply to any rm that does business in that jurisdiction, multi-state enterprises should follow the nancial industrys Compliance Department precedent with an Enterprise Information Security Department.
www.ccpace.com 2005 CC Pace, All Rights Reserved

III. The New Paradigm

Many organizations have also established the position Chief Information Security Ofcer (CISO), or equivalent title, to oversee the rms information security efforts. The CISO generally reports directly to the CEO or Board of Directors Audit Committee. The CISOs responsibilities include: Continuously assess threats to the enterprise Develop appropriate standards, procedures, and countermeasures to mitigate those threats Perform appropriate testing to ensure that the information security countermeasures are effective Educate business unit leaders in information security issues Engage business units in assessing and mitigating the specic threats for each business unit Communicate with the CEO, other business unit heads, and the Board of Directors to keep them engaged and informed of the enterprises information security status

www.ccpace.com 2005 CC Pace, All Rights Reserved

IV. ISMS International Standards

There are two internationally recognized standards for ISMS: British Standard 7799 and ISO Standard 17799. ISO 17799 is a superset of BS 7799 with only small differences in wording between the two documents. Each contains two sections: Part One Code of Practice for Information Management Part Two Specications for Information Security Management System

Together the two sections include the concepts and controls that need to be included in an ISMS and collectively describe the management and reporting structure required of a best practices system. Part One of the standard concentrates on dening the best practices for ISMS. Part Two documents the specic practice areas and controls that are included in an audit of an ISMS. Part Two is organized into the following ten sections corresponding to the areas of concern of an ISMS: Security policy To provide management direction and support for information security Organization of assets and resources - To help manage information security within the organization Asset classication and control - To help identify assets and appropriately protect them Personnel security - To reduce the risks of human error, theft, fraud, or misuse of facilities Physical and environmental security - To prevent unauthorized access, damage, and interference to business premises and information Communications and operations management - To ensure the correct and secure operation of information processing facilities Access control - To provide authentication and privilege controls for information assets Systems development and maintenance - To ensure that security is designed and built into information systems Business continuity management - To counteract interruptions to business activities and to protect critical business processes from the effects of major disasters or failures Compliance - To avoid breaches of any criminal and civil law, statutory, regulatory or contractual obligations, and any security requirements

Each of the ten sections of ISO 17799 includes descriptions of the internal controls that apply to that topic. For instance, the Personnel Security controls include ensuring that staff: Have all of the appropriate procedure documentation at their workstation Receive adequate initial training on security procedures and regular security awareness refresher training Understand their role in reporting security weaknesses within the rm.

The standards and controls are specically designed to be independent of technology and can apply to any size organization. They are strategic in that they are not concerned with how a control is implemented; only that it is effective, manageable, and the results are measured in real life.

www.ccpace.com 2005 CC Pace, All Rights Reserved

V. ISMS and Statutes: Mutual Support

The regulatory environment surrounding personal nancial and medical information is more complex and demanding than ever before. Congress, SEC, FDIC, FDA, state legislatures, and many more state, Federal and Government sponsored organizations regularly publish mandates that rms must comply with on a daily basis. The need to address highly inammatory incidents in the business world has led to the GrammLeach-Bliley Act, Sarbanes-Oxley Act, Health Insurance Protection and Portability Act, California State Bill 1386, and many more laws and regulations. Since rms have no control over the speed with which mandates must be implemented, the key to surviving and thriving in such a dynamic environment is to establish a system to interpret and implement new requirements quickly, much as the nancial industry does with its Compliance Departments. The only way to do this in a cost effective manner is to establish a repeatable, manageable process for determining the impact of new information security mandates, work with all affected business units to ensure that mandates are implemented, and prove the implementations were done correctly. The logical home for management of personal privacy and information security is the Enterprise Information Security Department. An ISMS eases the burden of implementing and managing new privacy mandates by standardizing security processes across business units. Once the ISMS is in place, the task of adding new mandates to the environment becomes one of enhancing or adjusting the existing processes rather than inventing a new security process for each new requirement. For example, at rst glance, SOX and an ISMS based upon ISO Standard 17799 Part 2 appear to have little in common. SOX appears to be concerned with nancial statement integrity while ISO 17799 is concerned with information security controls. Deeper perusal, however, reveals that SOX Section 404 requires the CEO to certify the effectiveness of nancial systems controls, and ISO 17799 provides a management system that supports the control requirements of that very clearly. SOXs intention is to ensure that a rms internal controls can effectively prevent and/or detect unauthorized modication of nancial data or systems that support the nancial reporting. This is also an interpretation of the information security controls documented in ISO 17799. Figure 3 illustrates the correspondence between SOX control requirements and supporting ISO Standard clauses or controls.

www.ccpace.com 2005 CC Pace, All Rights Reserved

V. ISMS and Statutes: Mutual Support

Sarbanes Oxley Act Section 404 Requirements
Data Center Operation Controls Controls such as job setup and scheduling, operator actions, backup and recovery procedures, and contingency or disaster recovery planning

ISO 17799 Supporting Clause/Control

(Per BS 7799-2:2002)

A.5 Asset Classication & Control A.8 Communications and Operations Management A.11 Business Continuity Management

A.8 Communications and Operations System Software Controls Controls over the effective acquisition, Management implementation and maintenance of A.12 Compliance system software, database management, telecommunications software, security software and utilities Access Security Controls Controls that prevent inappropriate and unauthorized use of the system A.9 Access Control

Application System Development and A.10 System Development & Maintenance Maintenance Controls Controls over the development methodology, which include system design and implementation, outlining specic phases, documentation requirements, approvals, and checkpoints to control the development or maintenance of the project

Figure 3
The ISO 17799 Standard was designed broadly to apply to all industries and encompass the best practices for any rms ISMS. Consequently, the major IT governance controls (i.e. CobiT Control Objectives for IT governance) and regulatory-mandated controls (e.g. HIPPA, GLBA, California SB1386, etc) map easily to the clauses and controls that an ISO-compliant ISMS would already have established. This clearly illustrates a key strength of an ISMS newly mandated controls will in all likelihood already be in place, requiring at most minor adjustments in order to be compliant. Thus, an operating ISMS reduces the effort and costs required to implement new regulatory mandates.

www.ccpace.com 2005 CC Pace, All Rights Reserved

VI. Summary
The practice of information security has evolved from an IT-centric effort to one requiring enterprise wide attention and C-level management involvement on a regular basis. Both regulators and shareholders have changed the denition of duciary duty to include responsibility for internal information security controls and made the CEO and CFO personally liable for certifying that the rm has effective controls. New mandates for protecting personal, nancial, and medical information are being passed regularly, and need to be implemented promptly using a systematic approach in order to maintain compliance across the enterprise Information Security Management Systems. The stakes are being raised both personally and as an enterprise. We have reached a strategic inection point, to quote Andrew Grove from Only the Paranoid Survive, on how rms handle information security. The way in which rms respond to the new security environment can help determine whether they thrive or are consumed by litigation over information security incidents and questions regarding lack of due diligence. In this case, Mr. Grove was right only the paranoid will survive.

Author Information: Greg Rondot (greg.rondot@ccpace.com) CC Pace 4100 Monument Corner Drive Suite 400 Fairfax, VA 22030 Phone: 703-631-6600 For more information please visit our website at:

www.ccpace.com

www.ccpace.com 2005 CC Pace, All Rights Reserved

10