Considerations And Recommendations For IT And Business Decision Makers
For an information security system to support the business we must treat it like a system.
WHITE PAPER
TABLE OF CONTENTS
1 Summary
2 The Information Security System
3 Issues, Threats and System Flaws
4 Structuring a Response
5 Making Decisions
6 Business Impact
Our information security system uses the terms presented in the HBR article. Ultimately
we have three elements to manage, with three associated indices to track. The system is
illustrated in Table 1.
Table 1. High level elements and metrics associated with the Information Security System
Next, we must think about the elements that connect the information security system
with the business. An ideal description of the customer security system is shown in the
following diagram:
In an ideal situation the customer security system follows the plan that is illustrated above.
In many enterprises today, this is not the case, but a program constructed through
best practices should be driven by business requirements, focus on risk reduction and
guided through policy. Systematic metrics must be used to gauge the effectiveness and
efficiency of the program with course corrections where necessary.
Many companies fall short of this ideal. A common tendency is to focus on technology
rather than process. Often the threats presented by the ecosystem result in decisions driven
by fear. Similarly, the need to respond to particular events such as a regulatory
audit dictates behavior and decisions in a suboptimal fashion. Taken together, these
conditions lead to ad hoc staffing, ill-defined responsibilities and unstructured security
policies. The net result restricts business agility, growth and income.
To achieve the desired situation of the information security system enabling business,
an important point of leverage lies with policy. Table 2 illustrates some key information
security policy areas and their relation to our foundation, flow, impact model of the
information security system.
Let’s discuss a few policy areas in each category to explore the relationship of policy to
the information security system.
FOUNDATION
Risk Assessment
An enterprise must specify the scope, frequency and approach to risk assessments.
Typically this activity requires special skills in executing the assessment as well as
communicating the results. The benefit is a risk based analysis of where to focus security
resources and technology.
Application Security
The policy team must outline requirements for secure software development processes,
testing procedures, change management procedures as well as many other areas that
impact application security. Executed well, the company will have a level of assurance
that this most prevalent threat vector is under control.
FLOW
Data Classification
The enterprise policy in this area specifies attributes about classes of data and the
resulting implications in storing, transmitting and securing the data. A wise policy in this
area has significant business payback because it allows technology and resources to
focus data security efforts where impact will be most beneficial.
Privacy
In recent years privacy has become an important component of government and industry
regulations. By implementing a corporate policy that meets the needs of the corporation
as well as the regulators a great deal of leverage can be achieved.
Regulatory Compliance
Most international enterprises are subject to hundreds of regulations. Often it is simply
too expensive to create an “uber-policy” that addresses all issues. However, this policy
area must be explicit about where effort will be consolidated, the scope of compliance
efforts and the processes for interacting with auditors and reporting results.
Risk Management
While risk must be a consideration in all areas of the security system, policy must guide
the means by which risk is managed. Information security is an operational risk that fits
within a larger system of enterprise financial risk. The policy must specify the goals and
scope of this area that has a high potential to bring significant business benefit through
improving effectiveness and efficiency.
Customer Information Security System Concerns
An important item to note is that attackers are constantly adapting mechanisms for
gaining advantage. Motivations have also changed over time. Initially, attackers were
satisfied with the notoriety associated with being able to penetrate a corporation.
Presently motivations are driven by monetary gain. It is also noteworthy that attacks are
directed against critical infrastructure and are considered an important component in
nation-state warfare.
An illustration of the current state of the threat economy is presented in the diagram
below.
While coping with these threats, business must also face the challenge of complying
with industry and governmental regulations. For the most part, these regulations were
introduced because businesses lacked direct motivation to improve governance and
security. The illustration below depicts a framework of relevant regulatory standards
and guidance provided by various industry and governmental organizations to assist
corporations with compliance.
Customer information security system concerns (from the illustration):
• Brand Protection
• Risk Reduction
• Service Availability
• Employee Productivity
• Regulatory Fines
• Reputational Damage
Structuring A Response
Many attempts have been made toward providing a framework for managing
an information security program. These range from ISO standards such as ISO
17799 to general IT management frameworks such as CobiT and ITIL. Shown
in the diagram below is a framework based on NIST guidelines that largely reflects
best practices.
Rather than wade into each area of the NIST guidelines, we will return to the foundation,
flow, impact model of the information security system to structure a response. Our premise
is that business risk reduction provides the reason for the existence of the information
security system. We will evaluate some important areas of business risk in terms of
our model.
The traditional model for evaluating risk consists of vulnerability x probability of occurrence
x impact. Assessing vulnerabilities has been the focus of the security community for
decades. A variety of mechanisms exist to quantify this factor. Impact is also generally
reasonably well understood through discussions with the business owners who use the
systems. More challenging is the probability of occurrence. A simplistic approach is to
rate the likelihood with a high, medium, low scheme. The next step is to normalize to a
common scale and determine the risk of each area in terms of dollars. In our experience,
for critical areas it is worth the time to develop a quantitative model of probability of
occurrence using Monte Carlo simulation to determine the mean dollars at risk and the
distribution.
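The risk model above (vulnerability x probability of occurrence x impact), worked through as an added example that is not part of the original paper: the simplistic high/medium/low rating normalized to dollars sits beside a Monte Carlo model that draws probability of occurrence and impact from triangular distributions and reports the mean dollars at risk and points of the loss distribution. The likelihood bands, the (low, mode, high) ranges and the risk areas are constructed values, not figures from the paper.

```python
import random
import statistics

# Qualitative bands for the "simplistic approach": high/medium/low likelihood
# normalized to an assumed annual probability (constructed values).
LIKELIHOOD_BANDS = {"high": 0.50, "medium": 0.20, "low": 0.05}

def qualitative_risk(vulnerability, likelihood, impact_dollars):
    """Risk = vulnerability x probability of occurrence x impact, with the
    probability taken from the high/medium/low band, vulnerability in [0, 1]."""
    return vulnerability * LIKELIHOOD_BANDS[likelihood] * impact_dollars

def simulate_dollars_at_risk(vulnerability, prob_range, impact_range,
                             trials=20000, seed=1):
    """Monte Carlo model of annual dollars at risk for one risk area.
    prob_range and impact_range are (low, mode, high) triples describing
    triangular distributions for probability of occurrence and impact.
    Each trial draws a probability, decides whether the event occurs this
    year (scaled by the vulnerability factor) and, if so, draws a loss."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    p_low, p_mode, p_high = prob_range
    i_low, i_mode, i_high = impact_range
    losses = []
    for _ in range(trials):
        p_occur = vulnerability * rng.triangular(p_low, p_high, p_mode)
        if rng.random() < p_occur:
            losses.append(rng.triangular(i_low, i_high, i_mode))
        else:
            losses.append(0.0)
    losses.sort()
    n = len(losses)
    return {"mean": statistics.fmean(losses), "p50": losses[n // 2],
            "p95": losses[int(0.95 * n)], "max": losses[-1]}

def expected_dollars_at_risk(vulnerability, prob_range, impact_range):
    """Closed-form mean of the same model (a triangular distribution has
    mean (low + mode + high) / 3); handy for sanity-checking the simulation."""
    return vulnerability * sum(prob_range) / 3 * sum(impact_range) / 3

def rank_areas(areas):
    """Rank risk areas by simulated mean dollars at risk so that security
    resources go to the largest expected loss first. areas maps a name to
    (vulnerability, prob_range, impact_range)."""
    scored = {name: simulate_dollars_at_risk(*params)["mean"]
              for name, params in areas.items()}
    return sorted(scored, key=scored.get, reverse=True)
```

The median is often zero while the 95th percentile is far above the mean, which is exactly the information a single high/medium/low score hides from the business owner.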
Making Decisions
Ideally, the enterprise security system has been constructed with a top-down model,
driven by policy and guided by reducing risks. Regardless of the condition of the system,
business must get done and information security decisions will be made. The following
section describes some practices that we have found useful from experience.
The outcome of the project analysis suggested an alternative approach, surfaced through
NPV analysis of the business impact. Compliance goals were met while headcount
reductions were minimized.
Business Impact
Ultimately, the net result is the integration of the business impact of the information
security system with the processes that already manage the enterprise. At the
end of the day, information security costs money. Yet, a well run information security
program can positively impact business results. The necessary requirement
is a well agreed upon framework to integrate the information security system
with business operations. This paper has provided guidance for using the
tools of policy management and risk management to generate positive results
for the business.
Redspin delivers the highest quality information security assessments through technical
expertise, business acumen and objectivity. Redspin customers include leading companies
in areas such as health care, financial services and hotels, casinos and resorts as well
as retailers and technology providers. Some of the largest communications providers
and commercial banks rely upon Redspin to provide an effective technical solution
tailored to their business context, allowing them to reduce risk, maintain compliance and
increase the value of their business unit and IT portfolios.