
Information Security

Considerations And
Recommendations For IT And
Business Decision Makers

For an information
security system to support
the business we must treat
it like a system.

WHITE PAPER

6450 Via Real, Suite 3
Carpinteria, CA 93013
800-721-9177
805-684-6858

TABLE OF CONTENTS
1 Summary
2 The Information Security System
3 Issues, Threats and System Flaws
4 Structuring a Response
5 Making Decisions
6 Business Impact

Page 1 | www.redspin.com 2009 | White Paper


Summary
This white paper outlines considerations and recommendations for reducing business risk
through the use of an effective enterprise information security program.

Our goal is to present information that will be helpful not only to IT and information
security professionals but to business unit general managers as well.

Throughout, we take the perspective of presenting and considering choices based on
optimizing a security program for effectiveness, efficiency and business impact.

In a recent Harvard Business Review article titled “The Big Shift” (HBR; July-August 2009;
John Seely-Brown, Lang Davidson) the authors presented the idea that in times of economic
crisis such as those we face now, traditional metrics for managing business may be
insufficient to point the way forward. The HBR article presents a framework for
understanding business transformation in terms of three factors: foundations for major
change (such as compute power and Internet usage), flows of resources (such as information
and knowledge) and the impact of the combination of the previous two factors on companies
and the economy. As is often the case in business, this framework is measured as an index
(the shift index) comprised of three components: foundation, flow and impact. The
foundation index is strongly influenced by computing and communications (Internet)
infrastructure. The flow index is influenced by information sharing and Internet activity.
The impact index is influenced by brand loyalty and competitive intensity. The article
concludes by challenging executives on how they can best create and capture value by
managing these factors.

The purpose of this paper is to examine information security in terms of enabling business.
Wisely used, we believe that security plays a major role in creating and capturing business
value. Given this role, we frame the discussion of information security as a system whose
efficacy can be evaluated in the terms suggested by Seely-Brown and Davidson. We consider
information security from the perspective of enabling an efficient compute and
communications infrastructure (positively impacting the foundation index). We examine what
is required to support the flow of information and knowledge resources in a secure fashion
(positively impacting the flow index). Lastly, we explore methods to deploy information
security technology and processes in order to protect corporate brands and promote
competitive advantage (positively impacting the impact index).



The Information Security System
For an information security system to support the business we must treat it like a system.
It must have structure and be measurable. In many enterprises this means capturing
log files, counting intrusions and tracking lost data incidents. We suggest a different
approach that starts with a top down perspective. We also believe that a system must
be rich with the necessary information but simple enough to support business decision
making.

Our information security system uses the terms presented in the HBR article. Ultimately
we have three elements to manage with three associated indices to track. The system is
illustrated in table 1.

                 Foundation                Flow                      Impact
Key Elements     Storage, Compute,         Data, Information,        Business Processes,
                 Applications,             Knowledge, People         Business Value
                 Communications
                 Infrastructure
Key Metric       Availability              Confidentiality           Integrity

Table 1. High level elements and metrics associated with the Information Security System

Next, we must think about the elements that connect the information security system
with the business. An ideal description of the customer security system is shown in the
following diagram:

Figure 1. High level components of the Information Security System



Given this structure the customer security program moves forward based on business
requirements and is accelerated based on specific business drivers. The primary
components of the program are policy, strategy, and control. The desired situation is
for a customer to define the risks facing the business, the requirements for the security
program and articulate the goals and measures for the program to achieve. The strategy
is developed through a model of the risk situation, data to be protected and controls
to carry out the protection objective. Lastly the control section implements, audits and
manages the plan. The net result is business enablement.

In an ideal situation the customer security system follows the plan that is illustrated above.
In many enterprises today, this is not the case, but a program constructed through
best practices should be driven by business requirements, focus on risk reduction and
guided through policy. Systematic metrics must be used to gauge the effectiveness and
efficiency of the program with course corrections where necessary.

Many companies fall short of this ideal. A common tendency is to focus on technology
rather than process. Often the threats presented by the ecosystem result in decisions driven
through fear. Similarly, the need to respond to particular events such as a regulatory
audit dictates behavior and decisions in a suboptimal fashion. Taken additively, these
conditions lead to ad hoc staffing, ill defined responsibilities and unstructured security
policies. The net result restricts business agility, growth and income.

To achieve the desired situation of the information security system enabling business,
an important point of leverage lies with policy. Table 2 illustrates some key information
security policy areas and their relation to our foundation, flow, impact model of the
information security system.

                 Foundation                    Flow                               Impact
Key Elements     Storage, Compute,             Data, Information,                 Business Processes,
                 Applications,                 Knowledge, People                  Business Value
                 Communications
                 Infrastructure
Key Metric       Availability                  Confidentiality                    Integrity
Policy Areas     Business Continuity           Data Classification                Risk Attitude
                 Risk Assessment               Information Privilege              Regulatory Compliance
                 Security Enforcement          Privacy                            Audit Process
                 Disaster Recovery             Intellectual Property Protection   Incident Response
                 Monitoring                    Awareness Training                 Security Program and Process Valuation
                 Application Security          Identity and Access Management     Risk Management
                 Infrastructure Impact Review  Information Impact Review          Business Impact Review

Table 2. Policy areas associated with the Information Security System



For an information security system to be running optimally, managers must make policy
decisions about each of these areas and put in place processes to carry out their
decisions. If managers ignore their responsibility or take shortcuts on process, ad hoc
decisions will fill the void, often with disastrous results.

Let’s discuss a few policy areas in each category to explore the relationship of policy to
the information security system.

FOUNDATION

Risk Assessment
An enterprise must specify the scope, frequency and approach to risk assessments.
Typically this activity requires special skills in executing the assessment as well as
communicating the results. The benefit is a risk based analysis of where to focus security
resources and technology.

Application Security
The policy team must outline requirements for secure software development processes,
testing procedures, change management procedures as well as many other areas that
impact application security. Executed well, the company will have a level of assurance
that this most prevalent threat vector is under control.

Infrastructure Impact Review
Policy makers must decide the frequency, process, participants, metrics and information
sources that comprise the review of performance against policy. The company can use
this forum to make course corrections in their decisions and actions.

FLOW

Data Classification
The enterprise policy in this area specifies attributes about classes of data and the
resulting implications in storing, transmitting and securing the data. A wise policy in this
area has significant business payback because it allows technology and resources to
focus data security efforts where impact will be most beneficial.

Privacy
In recent years privacy has become an important component of government and industry
regulations. By implementing a corporate policy that meets the needs of the corporation
as well as the regulators a great deal of leverage can be achieved.

Information Impact Review
This policy review generally takes the same shape as the infrastructure review but tends
to be more difficult to manage because of the diversity of viewpoints and interests. Our
recommendations are to carefully consider the audience and the goals to be achieved
through the review process.



IMPACT

Regulatory Compliance
Most international enterprises are subject to hundreds of regulations. Often it is simply
too expensive to create an “uber-policy” that addresses all issues. However, this policy
area must be explicit about where effort will be consolidated, the scope of compliance
efforts and the processes for interacting with auditors and reporting results.

Risk Management
While risk must be a consideration in all areas of the security system, policy must guide
the means by which risk is managed. Information security is an operational risk that fits
within a larger system of enterprise financial risk. The policy must specify the goals and
scope of this area that has a high potential to bring significant business benefit through
improving effectiveness and efficiency.

Program And Process Valuation
The policy should set forth the guidelines for evaluating and measuring business value of
security programs and processes. Consistency in this area is key to creating a culture of
security programs as business value creators. In practice we have found it more useful to
evaluate net present value of a program rather than an ROI from cost savings.

Issues, Threats and System Flaws

Regardless of whether a customer is executing an optimal or sub-optimal security program,
they must support the business. This is true in any industry segment. Several of the issues
presented to businesses with respect to information security include:

Protection Of Intellectual Property
This requirement varies across industry segments but requires protection of critical
business information. Often this requirement is exacerbated through the need to share
critical design data with suppliers and partners.

Protection Of Brand And Reputation
With the advent of the internet the opportunities for companies to advance their brand
recognition and reputation have increased dramatically. Correspondingly, the threats have
increased as well. Without a strong security program companies face a major risk.

Protection Of Transaction Integrity
As more companies conduct business based on internet protocols the opportunity to
accelerate business is greatly increased. However, many circumstances exist in which the
security of critical transactions can be subverted, resulting in major damage to the
corporation.

Protection Of Transaction Value
A commonplace activity among businesses is to clear transactions through electronic funds
transfer. These processes present a significant area of exposure for breaches of security.

Protection Of Supply/Demand Chain Integrity
As an increasing amount of business associated with companies' supply and demand chains is
conducted over the internet, the exposure to damage grows. Particularly, this situation is
compounded by attacks directed at monetary gains.

Protection Of Privacy
These needs pervade all aspects of the corporation's business transactions, but are
particularly visible in the customer relationship management processes. Flaws in this area
can result in regulatory penalties or worse.



INFORMATION SECURITY SYSTEM FLAWS

The following areas represent situations in which customers often go wrong in managing
their security programs.

A common problem is the failure to understand the environmental conditions surrounding
security programs.

An example of this problem is buying additional security products in the hope that overall
security will increase. Such circumstances present a number of problems. First, the
complexity introduced by additional security products often results in decreased security.
Next, the attackers have the advantage often attributed to the conditions of asymmetric
warfare, in that they must simply find one avenue to exploit a vulnerability whereas the
corporation must defend all possible points of exposure.

Another important point is that many companies deal with security as a trust issue, seeking
methods to ensure that information is treated in the most secure manner possible regardless
of the situation. In such a scenario the corporation finds itself in an arms race with the
attackers. The company is desperately trying to ensure that information is protected while
the attackers have the advantage of defining the battlefield and choosing the points of
attack.

Further, customers often misunderstand security system requirements. It is appealing to
react to new products that deal with imminent threats while forgoing basic information
security principles regarding process. To implement a security program properly the primary
focus should be on process, with requirements centered on the security, scalability and
integration capabilities associated with the system as a whole.

In light of this situation, security platform vendors and providers of internet
infrastructure have a major advantage in supplying corporations with security solutions.
Because the threat environment is fast moving, the need for point solutions will always
exist, but in time these products will be integrated within an overall security framework
provided by the major suppliers in the industry. Perhaps the most important component of
this argument is that security needs to appear seamless to the end users and as such must
be delivered as part of the overall IT infrastructure.

Finally, it is important to recognize that security is not a result for corporations to
achieve, but merely a means of facilitating business. Done well, the process will not
interfere and often will facilitate profitable growth of the business.

Figure 2. Customer information security system concerns



THREAT ENVIRONMENT

Customers face a dynamic threat environment. The evolution of this environment is
presented in the figure below.

Figure 3. Threat Evolution

An important item to note is that attackers are constantly adapting mechanisms for
gaining advantage. Motivations have also changed over time. Initially, attackers were
satisfied with the notoriety associated with being able to penetrate a corporation.
Presently motivations are driven by monetary gain. It is also noteworthy that attacks are
directed against critical infrastructure and are considered an important component in
nation-state warfare.

An illustration of the current state of the threat economy is presented in the diagram
below.

Figure 4. Current state of the threat economy



COMPLIANCE REQUIREMENTS

While coping with these threats, businesses must also face the challenge of complying
with industry and governmental regulations. For the most part, these regulations were
introduced because businesses lacked direct motivation to improve governance and
security. The illustration below depicts a framework of relevant regulatory standards
and guidance provided by various industry and governmental organizations to assist
corporations with compliance.

Figure 5. Regulatory compliance structure


While dealing with these regulatory pressures customers must cope with a growing
threat landscape including cybercrime, internal threats and malicious activity on the
part of business partners. Each of these areas presents unique threats and security
challenges.

Because of this dangerous climate customers are rightly concerned about a number of
significant issues including:

• Brand Protection
• Risk Reduction
• Service Availability
• Employee Productivity
• Regulatory Fines
• Reputational Damage

It is important to note that the corporation as a whole is a stakeholder with respect to the
issues, but each organization values them differently. Business units tend to prioritize
brand protection and service availability because they are fundamental to maintaining
and improving business value. IT organizations must respect the need to address every
issue, but often prioritize compliance as a means of securing additional funding.
Security groups tend to be driven by the latest threats to the company’s reputation as a
way of proving their value to the organization. Forward thinking companies realize that
information security is a matter of risk reduction and strive to unify security programs such
that they meet the concerns of the business in the most economical fashion.

Structuring A Response
Many attempts have been made toward providing a framework for managing
an information security program. These range from ISO standards such as ISO
17799 as well as general IT management frameworks such as CobiT and ITIL. Shown
in the diagram below is a framework based on NIST guidelines that largely reflects
best practices.



Figure 6. NIST Guidelines

Rather than wade into each area of the NIST Guidelines we will return to the foundation,
flow, impact model of the information security system to structure a response. Our premise
is that business risk reduction provides the reason for the existence of the information
security system. We will evaluate some important areas of business risk in the terms of
our model.

                 Foundation                    Flow                               Impact
Key Elements     Storage, Compute,             Data, Information,                 Business Processes,
                 Applications,                 Knowledge, People                  Business Value
                 Communications
                 Infrastructure
Key Metric       Availability                  Confidentiality                    Integrity
Risk Areas       Business Continuity           Data Security                      Regulatory Compliance
                 Security Enforcement          Information Management             Incident Response
                 Disaster Recovery             Collaboration Systems              Audit Process
                 Technology Implementation     Voice Communications               Supply Chain Management
                 Infrastructure Architecture   Privacy Management                 Demand Chain Management
                 Infrastructure Monitoring     Identity and Access Management     Financial Reporting
                 Application Security          Fraud Prevention                   Acquisition Process

Table 3. Risk areas associated with the Information Security System



While the risk areas described are by no means exhaustive, each area can be
evaluated in terms of risks presented to the business. Interdependencies can also be
taken into account. For example risks within the identity and access management system
are dependent upon risks associated with infrastructure technology implementation.

The traditional model for evaluating risk consists of vulnerability x probability of occurrence
x impact. Assessing vulnerabilities has been the focus of the security community for
decades. A variety of mechanisms exist to quantify this factor. Impact is also generally
reasonably well understood through discussions with the business owners who use the
systems. More challenging is the probability of occurrence. A simplistic approach is to
rate the likelihood with a high, medium, low scheme. The next step is to normalize to a
common scale and determine the risk of each area in terms of dollars. In our experience,
for critical areas it is worth the time to develop a quantitative model of probability of
occurrence using Monte Carlo simulation to determine the mean dollars at risk and the
distribution.
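The program below is an added example, not part of the Redspin paper, of the quantitative approach this paragraph recommends. It applies the paper's model (vulnerability x probability of occurrence x impact) but, instead of multiplying three point estimates, normalizes a high/medium/low likelihood rating onto a range of annual probabilities and samples probability and impact in a Monte Carlo loop, producing the mean dollars at risk and its distribution for each risk area. The rating-to-probability ranges, the log-normal loss model and the figures for the three risk areas (names taken from Table 3) are assumptions constructed for illustration; none come from the paper.

```python
"""Monte Carlo estimate of annual dollars at risk, per risk area.

Added example. Risk = vulnerability x probability of occurrence x impact,
with probability and impact sampled from distributions rather than fixed.
All ratings, ranges and dollar figures are constructed for illustration.
"""
import math
import random
import statistics
from dataclasses import dataclass

# Assumed normalisation of a high/medium/low likelihood rating onto a common
# scale: a range of annual probabilities of occurrence. Not from the paper.
LIKELIHOOD_RANGE = {
    "low": (0.02, 0.10),
    "medium": (0.10, 0.35),
    "high": (0.35, 0.80),
}


@dataclass
class RiskArea:
    name: str
    vulnerability: float   # 0..1: fraction of the exposure current controls leave open
    likelihood: str        # assessment rating: "low", "medium" or "high"
    impact_mean: float     # expected loss per occurrence in dollars (from business owners)
    impact_sigma: float    # log-normal spread of that loss; 0 means a fixed loss


def simulate_annual_losses(area, rng, trials=20000):
    """Return one simulated annual loss per trial for a single risk area."""
    lo, hi = LIKELIHOOD_RANGE[area.likelihood]
    # Choose mu so that the log-normal's mean equals impact_mean.
    mu = math.log(area.impact_mean) - area.impact_sigma ** 2 / 2
    losses = []
    for _ in range(trials):
        p_occurrence = rng.uniform(lo, hi)   # uncertainty about the rating itself
        if rng.random() >= p_occurrence:
            losses.append(0.0)               # no event this simulated year
            continue
        impact = (rng.lognormvariate(mu, area.impact_sigma)
                  if area.impact_sigma > 0 else area.impact_mean)
        losses.append(area.vulnerability * impact)
    return losses


def summarize(losses):
    """Mean and tail percentiles of the simulated annual loss."""
    ordered = sorted(losses)
    n = len(ordered)
    return {
        "mean": statistics.fmean(ordered),
        "p50": ordered[n // 2],
        "p90": ordered[int(0.90 * n)],
        "p99": ordered[int(0.99 * n)],
    }


def expected_annual_loss(area):
    """Closed-form point estimate (vulnerability x mean probability x mean
    impact) used to sanity-check the simulated mean."""
    lo, hi = LIKELIHOOD_RANGE[area.likelihood]
    return area.vulnerability * (lo + hi) / 2 * area.impact_mean


def rank_areas(areas, seed=1, trials=20000):
    """Rank risk areas by mean dollars at risk, highest first."""
    rng = random.Random(seed)
    results = {a.name: summarize(simulate_annual_losses(a, rng, trials)) for a in areas}
    return sorted(results.items(), key=lambda kv: kv[1]["mean"], reverse=True)


# Constructed sample input: three risk areas from Table 3 with made-up ratings.
SAMPLE_AREAS = [
    RiskArea("Identity and Access Management", 0.6, "high", 2_000_000, 1.0),
    RiskArea("Voice Communications", 0.3, "low", 200_000, 0.5),
    RiskArea("Financial Reporting", 0.5, "medium", 1_000_000, 0.8),
]

if __name__ == "__main__":
    for name, stats in rank_areas(SAMPLE_AREAS):
        print(f"{name:32s} mean ${stats['mean']:>12,.0f}  "
              f"p90 ${stats['p90']:>12,.0f}  p99 ${stats['p99']:>12,.0f}")
```

Run stand-alone it prints one line per area. The simulated mean agrees with the closed-form product, so the simulation does not change the ranking on its own; what it adds is the distribution. For an area rated "low" the median year's loss is zero while the p99 year is several times the mean, which is exactly the information a single normalized dollar figure hides and the reason the text recommends modelling the critical areas this way.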

Making Decisions
Ideally, the enterprise security system has been constructed with a top-down model,
driven by policy and guided by reducing risks. Regardless of the condition of the system,
business must get done and information security decisions will be made. The following
section describes some practices that we have found useful from experience.

Use a simple step by step decision making process. For example:

1. Understand The Business Conditions
   Team capability, operating environment, threat model, business drivers, etc.

2. Determine The Requirements For Success
   Business goals, security requirements, operational metrics

3. Identify Potential Solutions
   Usually three or four reasonable choices

4. Quantitatively Model The Business Impact Of Each Solution
   Account for uncertainty associated with each choice

5. Choose The Optimal Solution
Perhaps the easiest way to see decision making related to the information security
system is with an example. In this case, the company we worked with was a major
storage equipment supplier. The information technology and security operations teams
were involved with a project to save 25% in annual operating costs while achieving
regulatory compliance (a wide variety of regulations). The problem presented to the
team by executive management was to achieve the 25% goal and measure the business
value of the project.

In examining the business conditions more closely, the IT and security operations
organizations had a general reputation for technical excellence. Cost reduction through
this particular compliance initiative was a key to overall organizational savings. A
project plan was already in place with total cost of ownership (TCO) and return on
investment (ROI) as key metrics.

Fundamental issues that had yet to be considered were:

• Was the proposed project plan the most effective?
• Were there more effective and efficient alternatives?
• What was the value contributed to the business by doing the project?



The current conditions suggested that a status quo approach would be taken to the
problem. Headcount reductions would be executed, and cost goals as measured by
ROI and TCO would be met. Several issues were identified with this approach. First, no
systematic measure of business value existed. Next, there was no confidence that cost
reduction targets could be quantitatively predicted.

The recommended decision making approach was as follows:

• Understand current system characteristics
• Acquire qualitative and quantitative data
• Develop a model of operational cost over a three year time period considering
  viable options
• Develop a model of business value and drivers over three years considering
  viable options
• Evaluate NPV, ROI, and TCO of viable plans
• Move forward with the actions required to meet the goals and apply best
  practices where feasible

The outcome of the project analysis suggested an alternative approach, surfaced through
NPV analysis of the business impact. Compliance goals were met while headcount
reductions were minimized.
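As an added example that is not from the Redspin engagement, the program below carries out the NPV, ROI and TCO comparison the approach above describes for three constructed plans over a three-year horizon. It accounts for uncertainty in realised business value with three weighted scenarios rather than a full simulation; the discount rate, the scenario multipliers and weights, and every plan figure are assumptions made for illustration, not the storage supplier's numbers.

```python
"""Compare candidate security plans on NPV, ROI and TCO over three years.

Added example. The plans, figures, discount rate and scenario weights are
constructed for illustration; they are not the numbers from the engagement
described in the text.
"""
from dataclasses import dataclass

DISCOUNT_RATE = 0.08  # assumed cost of capital used to discount future cash flows

# Assumed uncertainty in realised business value: (multiplier on value, weight).
SCENARIOS = {
    "pessimistic": (0.80, 0.25),
    "expected": (1.00, 0.50),
    "optimistic": (1.15, 0.25),
}


@dataclass
class Plan:
    name: str
    upfront: float   # one-time cost, paid in year 0
    opex: list       # operating cost in years 1..3
    value: list      # cost savings plus business value in years 1..3


def tco(plan):
    """Total cost of ownership: upfront plus all operating cost."""
    return plan.upfront + sum(plan.opex)


def npv(plan, value_multiplier=1.0, rate=DISCOUNT_RATE):
    """Net present value of the plan's yearly net cash flows, discounted at `rate`."""
    net = [v * value_multiplier - c for v, c in zip(plan.value, plan.opex)]
    return sum(n / (1 + rate) ** t for t, n in enumerate(net, start=1)) - plan.upfront


def roi(plan, value_multiplier=1.0):
    """Undiscounted return on investment: (value gained - TCO) / TCO."""
    gained = sum(v * value_multiplier for v in plan.value)
    return (gained - tco(plan)) / tco(plan)


def expected_npv(plan):
    """Probability-weighted NPV across the value scenarios."""
    return sum(weight * npv(plan, mult) for mult, weight in SCENARIOS.values())


def evaluate(plans):
    """One row of metrics per plan."""
    return [{
        "plan": p.name,
        "tco": tco(p),
        "roi": roi(p),
        "npv": npv(p),
        "expected_npv": expected_npv(p),
        "worst_case_npv": npv(p, SCENARIOS["pessimistic"][0]),
    } for p in plans]


def choose(plans):
    """Return the plan with the highest expected NPV, plus the names of plans
    that lose money in the pessimistic scenario (flagged as fragile)."""
    rows = evaluate(plans)
    best = max(rows, key=lambda r: r["expected_npv"])
    fragile = [r["plan"] for r in rows if r["worst_case_npv"] < 0]
    return best["plan"], fragile


# Constructed sample plans: three viable options, as the text suggests.
PLANS = [
    Plan("Reduce headcount", 20_000, [450_000] * 3, [560_000] * 3),
    Plan("Automate compliance evidence", 150_000,
         [400_000, 380_000, 360_000], [520_000, 600_000, 650_000]),
    Plan("Outsource monitoring", 10_000, [50_000] * 3, [90_000] * 3),
]

if __name__ == "__main__":
    for row in evaluate(PLANS):
        print(f"{row['plan']:30s} TCO ${row['tco']:>10,.0f}  ROI {row['roi']:6.1%}  "
              f"NPV ${row['npv']:>10,.0f}  E[NPV] ${row['expected_npv']:>10,.0f}  "
              f"worst ${row['worst_case_npv']:>10,.0f}")
    print("choose:", choose(PLANS))
```

Run stand-alone it prints one row per plan. The three metrics rank the constructed plans differently: the small outsourcing plan has the best ROI because ROI is scale-free, the headcount plan looks acceptable on TCO and ROI yet loses money once realised value falls 20% short, and the automation plan has the highest expected NPV and stays positive in every scenario. That divergence is the reason the text prefers NPV under uncertainty to an ROI computed from cost savings.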

Business Impact
Ultimately, the net result is the integration of the business impact of the information
security system with the processes that already manage the enterprise. At the end of the
day, information security costs money. Yet, a well run information security program can
positively impact business results. The necessary requirement is a well agreed upon
framework to integrate the information security system with business operations. This
paper has provided guidance for using the tools of policy management and risk
management to generate positive results for the business.

About Redspin www.redspin.com

Redspin delivers the highest quality information security assessments through technical
expertise, business acumen and objectivity. Redspin customers include leading companies
in areas such as health care, financial services and hotels, casinos and resorts as well
as retailers and technology providers. Some of the largest communications providers
and commercial banks rely upon Redspin to provide an effective technical solution
tailored to their business context, allowing them to reduce risk, maintain compliance and
increase the value of their business unit and IT portfolios.

