A comprehensive and effective information security program and supporting infrastructure is much more than just hardware and software components. Although most organizations wish there were such a thing, there is no magic information security silver bullet. Effective information security management requires the implementation and coordination of many components. Success requires vigilance by the information security group.
In addition to the motivations for individuals to compromise an enterprise information system discussed in Chapter 1, there are the mistakes and actions resulting from being uninformed that put an organization's information and network assets at risk. Managing enterprise-wide information security is a much larger and challenging task than just the subtask of managing the security of the network perimeter. Information security is a process, not a one-time achievement.
It is no longer sufficient or prudent to depend upon securing only the perimeter of the enterprise network with security management devices to protect all the enterprise information assets. The number of new entry points through most enterprise network perimeters can increase on a weekly, or even daily, basis.
The growing number of reported incidents not only demonstrates the impact of multiple breach notification laws but also indicates that organizations may still be focusing on securing just the network perimeter and not sufficiently securing all information assets wherever they are located. The following list highlights a few such incidents that have occurred. As you read through the list, consider how they could have been prevented if effective internal controls and security management devices had been in place:
All these incidents could have been at least mitigated, and most likely prevented, if more attention had been placed upon internal security safeguards and controls. The risky behaviors described could be virtually eliminated with an effective enterprise-wide information security management program.
Unfortunately, too many organizations still believe that the same security management devices used for perimeter security can also be used to manage internal security. Perhaps they can for some activities. However, these perimeter network devices have some serious weaknesses when it comes to securing internal network resources. As discussed in Chapter 4, the network needs to be segregated into security zones; Chapter 5 discussed the need to layer security. These security methods are effective, but managing all of them in unison takes planning and foresight if the resulting security is to be as efficient and simple as possible. This process involves more than the comparatively simple plug-and-play management devices used in typical perimeter security implementations. To effectively manage internal security, organizations must:
Implementing and managing information security within the network perimeter is much more complex than just managing the security of the perimeter alone. This idea makes sense when you consider what is involved with managing perimeter security. Generally, perimeter security includes four basic components:
This comparatively limited number of components is easy for most security administrators to grasp. When adding internal information security management to the picture, most organizations will get a list of components that look something like the following:
There truly is a limitless number of activities to address for internal security management. The delimited list of activities will be unique for each organization and will depend upon its unique threats, risks, locations, operating systems (OSs) and applications, regulatory and contractual requirements, and industry. Table 7.1 compares just a few of the general key security management issues and how they differ between perimeter-only security and enterprise-wide internal security.
Table 7.1 contrasts perimeter-only security management with enterprise-wide inside security management, row by row:

Perimeter-only: Typically one small team is responsible for performing systems security administration for all perimeter security devices.
Enterprise-wide: Multiple teams, typically a different one within each security zone, have their own specific systems security administration rights.

Perimeter-only: A single set of information security tools and systems is implemented.
Enterprise-wide: The set of information security tools and systems deployed within each security zone may vary greatly based upon the security needs of each zone.

Perimeter-only: A limited number of audit trails are maintained for the perimeter devices.
Enterprise-wide: A large number of audit trails are maintained throughout all the security zones, systems, and applications.

Perimeter-only: The overall goal is to protect access to the corporate environment.
Enterprise-wide: The overall goal is to protect corporate and confidential data.

Perimeter-only: A limited number of applications and systems need to be secured.
Enterprise-wide: A wide range and large number of heterogeneous systems and applications must be secured.

Perimeter-only: A small group of people with perimeter management responsibilities must understand and appropriately apply information security practices.
Enterprise-wide: Everyone on the enterprise network must understand and appropriately apply information security practices.

Table 7.1: Perimeter-only vs. enterprise-wide security management.
Effective and efficient internal information security management requires:
Plan your information security infrastructure carefully. Remember, the more solutions you have, the more you need to manage. If you acquire too many different security tools and solutions, it is likely many will not communicate with each other and you will have a difficult time managing them all. Also, the greater the complexity and variety of management systems, the greater the likelihood of inadvertently leaving a security hole that could expose confidential information or systems. Without proper management, your information security efforts will be ineffective, and ultimately you will damage your information security program by having it viewed as too complex, too expensive, and ineffective to boot. Transparency is also important here: the more intrusive security systems are for users, the greater the likelihood that users will circumvent them.
Before making an information security management decision and purchase, research the interoperability issues. Many of the current security products are designed to work on a standalone basis and do not work well with other security solutions. For example, some personal firewall programs intended to protect roaming users with VPN connections do not work well with VPN clients.
Although multiple products working together provide a strong security infrastructure, not all solutions work well together.
The perimeter is porous. Wireless connections, mobile computing, Web-based applications, back-office connectivity, and connections to business partner and outsourced vendor networks have eliminated the once clearly defined network perimeter. With all these complex relationships, it is difficult to tell who should have access to network components and who needs to be blocked. There are so many ways in which networks can now be accessed that information security management has become more challenging than ever before.
The Information Security Leader's List of "Things That Keep Me Up At Night"
Firewalls, once considered the network security savior, are now mere islands of security in an ocean of threats; they will stop a small percentage of enterprise information pirates, but many more threats exist to the internal network than firewalls alone can stop. Various studies demonstrate how porous the perimeters of almost all enterprise networks have become:
The fact that organizations today are, at least in part, virtual, with IT, sales, support, and executives potentially scattered all around the world, has blurred the network perimeter to such a degree that it is truly difficult to determine where the "workplace" really is. Organizations must understand that in today's world it is not a question of "if" unauthorized individuals will penetrate their perimeter; it is a case of "when". The inside of the perimeter must be treated with the same level of security as has traditionally been provided to the "outside", including access control and encryption.
For many years, organizational leaders have regarded the IT unit as being the only area needed to manage and address all information security issues without any need for input or cooperation from other areas of the enterprise. Many business leaders mistakenly believed the only threats to data were electronic threats. As more accountability is created for business leaders to ensure information security, and as they then become more aware of the related issues, they are starting to understand that information security must be integrated throughout the entire enterprise. To be most effective in integrating information security responsibilities throughout the organization, two very important factors must exist:
Simply implementing firewalls, VPNs, IDS servers, and auditing products will not create a secure environment. Unfortunately, many organizations believe this product implementation is all they need to do and, as a result, many have experienced some significant information security incidents. Technology tools certainly are part of the solution. However, risk assessment, information security strategy, operational procedures, security education, and appropriate personnel behaviors are also necessary components.
If you expect information security to be addressed enterprise-wide, you must implement an effective information security awareness and training program to educate all personnel about their responsibilities and policies and procedures. Awareness must be an ongoing activity. Training must be regularly provided and mandatory. Executive leaders must actively support these efforts.
The enterprise information systems and information assets are not secure until all personnel know and understand the importance of securing information and network resources as it relates to their job activities. People truly are the weakest link in enterprise information security programs.
According to the Deloitte 2005 Global Security Survey:
You cannot expect your personnel to know how to do the right thing if you do not effectively teach them what the right thing is to do!
As discussed in Chapter 5, a centralized security management area with ultimate enterprise-wide security oversight has distinct benefits to organizations, including increased security efficiency, economy of scale for security implementation, and the ability to enforce security requirements centrally through monitoring, evaluation, security activity, and program updates.
There are also appropriate activities that through divide-and-conquer methods can be made more efficient and effective. Decentralized security management will help to ensure appropriate and cost-effective security is addressed within each of the organizational business and operations areas. It can also be used to more effectively ensure appropriate authorization is given to personnel based upon their job functions and to more effectively incorporate security into all the business processes.
The key is to identify those activities that are best performed centrally and which are best performed within each of the business units. The right combination of the two will lead to cost reduction, better risk management, regulatory compliance, and more effective security operations.
Cost reduction through the right combination of centralization and decentralization can be achieved in such areas as:
The right combination of centralization and decentralization can also result in better risk management practices, helping enterprises better address the following questions:
It is vital to ensure that information assurance activities support, and information security leaders understand, the existing regulatory and legal requirements for safeguarding information throughout the enterprise. The penalties, fines, and jail time for noncompliance can have a devastating impact on not only the business but also the business leaders personally.
Unfortunately, many information security leaders have not been informed of, or have not thought about, the types of safeguards they must put in place to comply with the contractual requirements of existing third-party business partners. Visa provides a good example of the importance of contractual requirements for information security.
When Visa announced the Visa Cardholder Information Security Program (CISP) in April 2000, and mandated compliance by June 2001, the organizations that processed credit card purchases suddenly realized the importance of such contracts. Visa gave merchants and service providers until September 30, 2004 to submit their compliance documentation.
The Visa CISP requires organizations to implement security to comply with 12 basic security requirements, including implementation of appropriate physical and logical controls and performance of regular audits. The program also requires organizations to immediately report security incidents as well as be able to investigate and take appropriate action to limit exposure of cardholder information. Organizations in compliance are automatically indemnified against any fines.
All entities that stored, processed, or transmitted Visa cardholder data were required to comply with CISP and were responsible for ensuring the compliance of their merchants or agents. If organizations did not comply, Visa contractually reserved the right to fine them up to $500,000 per incident. Very large organizations were scrambling to comply with the Visa requirements because they had been notified, after sending a perfunctory checklist to Visa to demonstrate their compliance, that they needed to provide solid documented evidence of their compliance or they would have their ability to process Visa card payments discontinued.
On December 15, 2004, credit card associations created a set of industry security requirements referred to as Payment Card Industry (PCI) compliance. Generally, the agreement among the credit card industry was that, if a merchant is Visa CISP compliant, MasterCard, American Express, and Discover would honor the CISP compliance and consider the company PCI compliant.
In the past few years, I have performed many security reviews for organizations' business partners, and almost all the contracts the organizations had with the third parties contained some very clear information security requirements within the Master Service Agreements (MSAs). However, upon speaking with the third-party representatives responsible for information security, I found that only a small handful were even aware that the MSA contained such information security requirements.
In today's business environment, contracts with third parties should include requirements to protect information. A breach of contractual requirements could result in a costly court action.
Organizations must include information security requirements within the contracts they have with their business partners and know their contractual information security obligations.
Governmental regulations cover almost all aspects of corporate operations, scrutinizing and controlling everything from how the physical security of computer labs is managed to how new employees are trained on security responsibilities. Security management is at the heart of almost all data protection regulations. Without a strong security infrastructure that protects systems, applications, data, and processes from unauthorized use or access, compliance with any regulation is very difficult. The requirement for strong security management cuts across all major regulations.
Staying on top of legal and regulatory compliance is a comparatively new, but hugely important, task for managing internal security. Table 7.2 provides a high-level overview of the information security requirements of prominent laws and regulations.
Table 7.2 lists, for each law, examples of the information security management principles it covers. The laws included are the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and California Senate Bill 1386 (CA SB 1386).
Table 7.2: Overview of the information security requirements of prominent laws and regulations.
As you can see, there are some very apparent commonalities between these regulatory requirements. This chapter will discuss this idea in detail a little later.
The number of data protection regulations is increasing rapidly. It seems a week does not go by without reading about a new proposed bill or law. Just a few of the other existing laws and regulations impacting information security management, beyond those discussed earlier, include:
Effective information security management practices must include a way to stay up to date with all the laws and regulations that apply to the enterprise.
In a panic to answer corporate executives' questions regarding their accountability requirements for specific information protection practices, and meet the "letter of the law" for each individual regulation, many information security and privacy professionals have been trying to address regulatory requirements in a piecemeal fashion, looking at one law, and the corresponding minute applicable detailed requirements, at a time. This practice is not only stressful to those responsible for compliance but also generally inefficient.
As Table 7.2 demonstrates, when you examine the multitude of data protection laws and regulations, common themes of information security requirements reappear. By viewing these commonalities between the regulations and managing information security to them, then addressing any outstanding specific requirements within any one particular law, information security management will be much more effective.
Figure 7.1 illustrates common information security management areas covered by most of the major regulations. Although each regulation typically includes specific differences within these areas, a common requirement of all regulations is for organizations to have implemented a strong set of information security controls and practices to protect critical enterprise information assets.
A strong information security management platform is necessary to achieve this requirement.
Figure 7.1: Common information security regulatory requirements. The figure shows the following common areas: Secure Data Storage; Change Control Management; Disaster Recovery & Business Continuity; Documented Policies & Procedures; Security & Privacy Accountability; Records Management and Retention; Training & Awareness; Access Control Management; Monitoring & Auditing; Secure Data Transmission.
Very important, but sorely lacking in most organizations, is an inventory of information assets that have been classified according to their sensitivity and criticality. Especially with today's regulatory requirements to notify individuals of security breaches, it is a necessity to know the information you have and where it is located, if you expect to know when the information has been compromised.
After you have your inventory of information compiled, you can ensure appropriate security is applied based upon the value of the information. It is not feasible, or prudent, to try to secure all information at the same level. By knowing the value of the information, you can then more successfully manage the security within your security zones and layers by applying the most robust security within the zones in which your high-value information assets are located. In addition, you can use appropriate mechanisms within the security layers, which will prevent you from investing as many resources in those zones that have information assets with lesser values.
So what is the value of information? There are few, if any, organizations that do not place a high dependency upon information for their business success. This dependency alone has great value.
There are many types of enterprise information, including customer data, patient files, accounting records, Human Resource files, marketing plans, product designs, emails, and basically an infinite number of others.
The amount of information within an enterprise is growing exponentially. Consider email. According to IDC, a typical 1000-user organization generates more than 3 terabytes (TB) of email data annually. CIOs, CTOs, legal, IT departments, and enterprise managers in every industry must address the growing challenge of complying with multiple regulations that cover the types of information found within email messages.
IDC reports the current (2006) number of daily emails worldwide is 35 billion.
The value of information is greatly impacted by the state, federal, and regulatory requirements governing the management and safeguarding of information. Noncompliance with those information-handling directives can, and has, cost organizations millions of dollars. The value of each kind of information changes as it goes through its life cycle; the usefulness of information typically lessens over time. However, the financial impact of a breach of sensitive information can be just as damaging at any point in its life cycle.
Organizations need to determine the types of information that could have the most financial impact and build security around those high-value items appropriately. What makes this task challenging are the many unstructured forms in which sensitive information may be saved, such as email, Word, Excel, PowerPoint, and other types of end-user-controlled formats. This challenge highlights the need to implement a clear, strongly supported set of information security policies that contains a very good information classification policy.
Many organizations are outsourcing very specialized data processing and management activities in an effort to save money or because they just don't have the resources, experience, or capabilities to do it themselves. Organizations also often outsource to get specific expertise that they may not possess and cannot afford to hire full time. Organizations that outsource application programming probably expect that the individuals doing this work will know about application security and will incorporate it into the product they create. These same organizations probably also expect the individual to know how to protect information in a shared customer environment; making sure that the code created for the organization is not accidentally sent to another customer, and so on.
When an organization entrusts third parties with its confidential data, it places all direct control of the security measures for that data into the hands of someone else. That trust cannot be blind. Numerous recent security incidents have resulted from loose security practices within outsourced third-party organizations:
When organizations outsource critical data processing and management activities, they must implement measures to stay in charge of their own business data security and minimize business risks. Many organizations indicate the security issues related to outsourcing are a big concern. Alarmingly, it seems few organizations actually address this issue.
In a May 15, 2005 CIO Magazine article titled "Don't Maroon Security," Atul Vashistha, CEO of NeoIT, an offshore outsourcing consultancy, said, "I'd say fewer than 20 percent of my clients audit the security of their providers. They just accept the suppliers' defined security plan and don't check to see if they are living up to it." Steven DeLaCastro, a consultant with offshore outsourcing company Tatum Partners, indicated he believes it is more like 10 percent. "Sarbanes-Oxley requires the right to audit outsourcers, yet companies aren't putting [audits] into the contract," he said.
How do you know the third party is complying with your regulatory responsibilities? How can you demonstrate to regulators that you are in compliance when someone else possesses your data? You need to hold third parties to strict security standards. In many instances, such standards will be more stringent than your own organization's security requirements.
The measures you take to make sure your business partners are taking appropriate actions to protect the data with which you've entrusted them depends upon the situation and existing legal restrictions. The following list highlights general actions you should consider taking:
The following list notes recurring vulnerabilities for third parties; be sure to pay particular attention to these:
Unfortunately, many information security leaders do not track their success and progress with information protection initiatives. Not only is it wise and necessary to track information security progress and incidents in order to have an effective information security program, it is a requirement of many laws and regulations. The following regulation examples illustrate this requirement:
The HIPAA Security Rule requires covered entities in § 164.308 Administrative Safeguards:
(a)(1)(ii)(D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
The GLBA Safeguards Rule requires covered entities in § 314.4 Elements:
(c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures.
Effective information security leaders will establish formal monitoring and program evaluation procedures and implement appropriate tools to help them keep up with the day-to-day status of their enterprise information security posture.
There is a wide range of activities throughout your enterprise you will need to monitor, and multiple types of activities you will need to log. These will not all be electronic based. You should have identified many of them while establishing your security zones (discussed in Chapter 4) and implementing your layers of security (discussed in Chapter 5).
Carefully consider the cost, resources, and liabilities associated with each considered logging and monitoring activity.
The following list highlights items most organizations will need to log to meet compliance with a wide range of regulatory requirements and keep up with an ever-changing network environment in which new threats are introduced every day:
As you can see, this list covers all the layers of security you need to have implemented throughout your organization.
The logging and monitoring activities you implement within your organization need to be determined based upon an analysis of the risks to your enterprise's unique network and systems environment.
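Two of the practices above, keeping an inventory of information assets classified by sensitivity and establishing auditing and tracking mechanisms for the sensitive ones, come together in the routine audit-trail review that HIPAA and GLBA both call for. The following is an added example, not code from the chapter or from any product it mentions, of what that review looks like in working code: constructed access-log records are checked against a constructed asset inventory, and each event that a reviewer should look at first is reported with a reason. The log format, the asset names, the role names, and the business-hours window are all assumptions made for illustration.

```python
"""Minimal audit-trail review driven by a classified asset inventory.

Added example (not from the original chapter). The inventory, the log line
format, the role names and the business-hours window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed asset inventory: asset -> (classification, roles permitted to access it).
# A "*" role means anyone on the network may access the asset.
ASSET_INVENTORY: Dict[str, Tuple[str, Set[str]]] = {
    "hr_payroll_db": ("confidential-pii", {"hr", "payroll"}),
    "patient_records": ("confidential-phi", {"clinical"}),
    "marketing_plan": ("internal", {"marketing", "exec"}),
    "public_website": ("public", {"*"}),
}

# Classifications that get the strictest review rules.
SENSITIVE: Set[str] = {"confidential-pii", "confidential-phi"}


@dataclass
class AccessEvent:
    ts: datetime
    user: str
    role: str
    asset: str
    action: str
    success: bool


def parse_line(line: str) -> AccessEvent:
    """Parse one constructed log line: ISO-timestamp|user|role|asset|action|result."""
    ts, user, role, asset, action, result = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), user, role, asset, action, result == "OK")


def load_events(text: str) -> List[AccessEvent]:
    """Parse a block of log text, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def review(events: List[AccessEvent], business_hours: Tuple[int, int] = (7, 19)) -> List[Tuple[AccessEvent, str]]:
    """Return (event, reason) pairs for events that warrant reviewer attention.

    Rules, in order of evaluation for each event:
      1. an asset missing from the inventory is itself an inventory gap;
      2. a role outside the permitted set for the asset is unauthorized access;
      3. sensitive assets touched outside business hours are flagged;
      4. failed attempts against sensitive assets are flagged.
    """
    findings: List[Tuple[AccessEvent, str]] = []
    start, end = business_hours
    for e in events:
        entry = ASSET_INVENTORY.get(e.asset)
        if entry is None:
            findings.append((e, "asset not in inventory"))
            continue
        classification, allowed = entry
        if "*" not in allowed and e.role not in allowed:
            findings.append((e, f"role {e.role} not authorized for {classification} asset"))
        if classification in SENSITIVE and not (start <= e.ts.hour < end):
            findings.append((e, "sensitive asset accessed outside business hours"))
        if classification in SENSITIVE and not e.success:
            findings.append((e, "failed access to sensitive asset"))
    return findings


# Constructed sample log: five events, four of which should be flagged.
SAMPLE_LOG = """\
2006-03-01T09:15:00|jsmith|hr|hr_payroll_db|read|OK
2006-03-01T22:40:00|jsmith|hr|hr_payroll_db|export|OK
2006-03-01T10:02:00|rlee|marketing|patient_records|read|DENIED
2006-03-01T10:05:00|rlee|marketing|marketing_plan|read|OK
2006-03-01T11:30:00|svc_backup|ops|legacy_share|read|OK
"""


if __name__ == "__main__":
    for event, reason in review(load_events(SAMPLE_LOG)):
        print(f"{event.ts.isoformat()} {event.user:<11} {event.asset:<16} {event.action:<7} {reason}")
```

The point of driving the review from the inventory is that the same classification that decides which zone an asset lives in also decides how closely its audit trail is read: an in-hours read of payroll data by an HR user is routine, the same user exporting it at night is not, and an asset that appears in the logs but not in the inventory tells you the inventory is incomplete before it tells you anything about the access.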
Establish auditing and tracking mechanisms for personally identifiable information and other sensitive and mission-critical information. Doing so will likely require one or more of the following:
If all you do is protect the perimeter, you will lose the information security battle. Effective information security management requires security throughout the entire enterprise. To effectively manage internal security, organizations must:
The next, final, chapter will discuss how to put together the ideas and practices discussed so far into an effective enterprise-wide information security management plan.