
Governance and Policy

Governance and Policy. Tim Shimeall March 2006. Addressing Security as Governance. Set of beliefs, capabilities, actions: Security enacted at enterprise level Security treated as business requirement Security considered during normal planning cycles


Presentation Transcript


  1. Governance and Policy Tim Shimeall March 2006

  2. Addressing Security as Governance • Set of beliefs, capabilities, actions: • Security enacted at enterprise level • Security treated as business requirement • Security considered during normal planning cycles • All business unit leaders understand how security serves as business enabler • Security integrated into enterprise functions and processes • All personnel accessing enterprise network understand their responsibilities • Which are most important depends on culture and business context

  3. Governance • Setting clear expectations of conduct • Influencing to achieve expectations • Decision making • Assigned decision rights • Accountability • Intended to produce behavior/actions • Ensuring organization does right things and does things right

  4. Security as Institutional Priority • Information security is a human enterprise • “lack of security awareness by users” cited as top obstacle • overriding impact of human complexities, inconsistencies, and peculiarities • People can become the most effective layer in an organization's defense-in-depth strategy • with proper training, education, motivation • The first step is making sure they operate in a security conscious culture. • Ernst & Young. "Global Information Security Survey 2004." • http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf

  5. Contagion Timeframe vs. Response Time • Contagion timeframe, fastest to slowest: “Flash” threats: seconds; “Warhol” threats: minutes; Blended threats: hours; E-mail worms: days; Macro viruses: weeks or months; File viruses: weeks or months • Response time: • Seconds to minutes (“Flash”/“Warhol” threats): human response impossible; automated response will need new paradigms; proactive blocking possible • Hours to days (blended threats, e-mail worms): human response difficult/impossible; automated response possible • Weeks or months (macro and file viruses): human response possible

  6. What Is At Risk? • Trust • Reputation; image • Stakeholder value • Community confidence • Regulatory compliance; fines, jail time • Customer retention, growth • Customer and partner identity, privacy • Ability to offer, fulfill transactions • Staff, client morale

  7. Responsibility to Protect Digital Assets • In excess of 80 percent of an organization’s intellectual property is in digital form • Duty of Care: Governance of Digital Security • Govern institutional operations & conduct • Protect critical assets and processes • Protect reputation • Ensure compliance requirements are met • [Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]

  8. Barriers to Tackling Security • Abstract, concerned with hypothetical events • A holistic, enterprise-wide problem; not just technical • No widely accepted measures/indicators • Disaster-preventing rather than payoff-producing (like insurance) • Installing security safeguards can have negative aspects

  9. Information Survivability (1) • Focuses on sustaining the mission in the face of an ongoing attack; requires an enterprise-wide perspective • Depends on the ability of networks and systems to provide continuity of essential services, albeit degraded, in the presence of attacks, failures, or accidents • Requires that only the critical assets need the highest level of protection

  10. Information Survivability (2) • Complements current risk management approaches that are part of an organization’s business practices • Includes (but is broader than) traditional information security • Business Judgment Rule: That which a reasonably prudent director of a similar institution would have used

  11. Shift the Security Perspective (From -> To) • Scope: Technical -> Institutional • Ownership: IT -> Institutional • Funding: Expense -> Investment • Focus: Intermittent -> Integrated • Driver: External -> Institution • Application: Platform/practice -> Process • Goal: IT security -> Institutional continuity/resilience

  12. Technical problem -> Institutional problem • Technical problem: IT owns problem and strategy, performs primary activities; Secure infrastructure = secure organization • Institutional problem: Organization owns problem and strategy; Secure assets and processes = secure organization

  13. Technical ownership -> Institutional ownership • Technical ownership: IT is driver, owner, benefactor; CSO is a technical advisor • Institutional ownership: Organization is driver, owner, benefactor; CSO is trusted advisor to business

  14. Expense -> Investment • Expense: Security activities viewed as sunk costs, expenses; Naturally avoided by management • Investment: Security as amortizable investment in business; Security as “goodwill” on balance sheet raising organizational value

  15. IA Regulations and Standards • National legislation (privacy, etc.) • Insurance industry requirements • Customer demand • E-torts and e-pacts

  16. Legal Perspective • Analyze applicable state laws and municipal ordinances • Assess IS vulnerabilities and risks • Review and update IS policies & procedures • Review policies & procedures for sensitive information • Scrutinize relationships with third-party vendors • Review insurance policies • Develop a rapid response plan & incident response team • Work with associations & coalitions to develop standards • “IT Security for Higher Education: A Legal Perspective.” Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf

  17. Practice-driven -> Process-oriented • Practice-driven: Willingness to accept and implement “best practices”; Practices as process; Possibly out of context with organizational drivers • Process-oriented: Security is proactive and managed; Driven by risk management

  18. Shifting the security approach: Ad-hoc and tactical -> Managed and strategic • Ad-hoc and tactical: irregular, reactive, immeasurable, absolute • Managed and strategic: systematic, adaptive, measured, adequate

  19. How Are You Managing Information Risks? • Policies, governance • Critical information assets • Who to involve • Management controls • Sustain survivability

  20. Security -> Resiliency • Security: Managing to threat and vulnerability; No articulation of desired state; Possible security technology overkill • Resiliency: Managing to impact and consequence; Adequate security defined as desired state; Security in sufficient balance to cost, risk

  21. A Resilient Institution Is Able To. . . • withstand systemic discontinuities and adapt to new risk environments • be sensing, agile, networked, prepared • dynamically reinvent institutional models and strategies as circumstances change • have the capacity to change before the case for change becomes desperately obvious

  22. Security Strategy Questions • What needs to be protected? Why does it need to be protected? What happens if it is not protected? • What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action? • How do we effectively manage the residual risk?

  23. Defining Adequate Security • The condition where the protection strategies • for an organization's critical assets and processes • are commensurate with the organization's risk appetite and risk tolerances • Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management Integrated Framework, September, 2004.

  24. Determining Adequate Security Depends On . . . • Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime • Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure • Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.

  25. Adequate Security and Operational Risk • “Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner.” • “With the advent of regulatory agencies assessing an organization’s aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts.”

  26. Evolving the Security Approach • Process maturation, from least to most mature: Incident Response -> Vulnerability Management -> Security Risk Management -> Institutional Security Management

  27. High Performing Organizations - 1 • Apply resources (time, effort, dollars, capital) to accomplish stated objectives, with little to no wasted effort • Regularly implement repeatable, predictable, secure, measurable, and measured operational processes • Independently evolved a system of process improvement as a natural consequence of their business demands

  28. High Performing Organizations - 2 • Use defined, verifiable controls to improve efficiency and effectiveness • Preventive, detective and corrective controls in place • Easier to audit • Detect production variances early • Lowest cost and least impact to fix problems • Fix problems in a planned manner • Devote increasingly more time and resources to strategic issues and new opportunities, having mastered tactical concerns

  29. High Performing Organizations - 3 • Demonstrated ability to get IT operations and security organizations working together to create: • Higher service levels (availability, high MTBF, low MTTR, low MTTD) • High percentage of planned (vs unplanned) work • Early integration of security requirements into the service delivery life cycle • The ability to quickly return to a known, reliable, trusted operational state • Unusually efficient cost structures (server-to-sysadmin ratios of 100:1 or greater) • Timely identification and resolution of security incidents

  30. Areas of Pain for High Performing Organizations • Patch management • Proliferation of “scorecards” • Managing outsourced IT services

  31. Areas of Pain – Patch Volume • Low performing: Ad hoc, chaotic, urgent, disruptive; increase in unplanned work • High performing: Planned, predictable, just another change -> higher change success rate

  32. Areas of Pain – Proliferation of Scorecards • Low Performing: Look to external sources, authorities; adopt scorecard du jour • High Performing: Have defined their own performance characteristics; can demonstrate traceability to other instruments

  33. Areas of Pain – Outsourced IT Services Low Performing: Transfer risk; out of sight; then unable to control High Performing: Manage like any other business unit or project; understand unique challenges; develop more bullet proof service level agreement

  34. Common Root Causes • Absence of explicit articulation of current state and desired state • Thus current state (and companion pain) is tolerable; doesn’t hurt enough yet; don’t know that there is an alternative • Culturally embedded belief that control is not possible • Abdication of responsibility – “throw up my hands” • Rewards/reinforcement for personal heroics vs. repeatable, predictable discipline • Continued argument that IT ops and security are different (than other business investments or projects) • Desire for a technical solution; easier to justify and implement than people and process improvements

  35. IT Change Management • Process for efficient and timely handling of all IT changes • Enterprise capabilities critical to achieving effective change management: • Risk Management • Project Management • Process Management • IT Operations • Security Operations • Audit • IIA Global Technology Audit Guide series: Change and Patch Management: Critical for Organizational Success

  36. Progression of Capability (effectiveness increases from Reactive to Continuously Improving; based on the IT Process Institute’s “Visible Ops” Framework) • Changes control the organization: • Reactive: Over 50% of time spent on unplanned work; Chaotic environment, lots of fire fighting; MTTR very long, poor service levels; Can only scale by throwing people at the problem • Using the Honor System: 35-50% of time spent on unplanned work; Some technology deployed; Right vision but no accountability; Server-to-admin ratio too low; IT costs too high; Process subverted by talking to the “right” people • Organization controls the changes: • Closed-Loop Change Management: 15-35% of time spent on unplanned work; Some ticketing / workflow system in place; Changes documented and approved; Change success rate high; Service levels good; Server-to-admin ratio good, but not best-of-breed; IT costs improving but still too high; Security incidents down • Continuously Improving: <5% of time spent on unplanned work; Change success rate very high; Service levels world class; IT operating costs under control; Can scale IT capacity rapidly with marginal increases in IT costs; Change review and learning processes in place; Able to increase capacity in a cost-effective way

  37. Measurement • Performance measurement of an enterprise's security state is conducted with the same rigor as other enterprise functions and business units. • Corporate Information Security Working Group: Report of the Best Practices and Metrics Team, December, 2004 • Thirty Information Security Program Elements with companion metrics • Governance (7 elements; 12 metrics) • Management (10 elements; 42 metrics) • Technical (13 elements; 45 metrics)

  38. Example Measures - Governance • Oversee Risk Management and Compliance Programs Pertaining to Information Security • Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds • Percentage of key external requirements for which the organization has been deemed by objective audit or other means to be in compliance

  39. Example Measures - Management • Establish Information Security Management Policies and Controls and Monitor Compliance • Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls • Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation • Percentage of critical information assets for which some form of risk assessment has been performed and documented as required by policy

  40. Example Measures - Technical • Software Change Management, including Patching • Percentage of systems with the latest approved patches installed • Percentage of software changes that were reviewed for security impacts in advance of installation • Incident and Vulnerability Detection and Response • Percentage of operational time that critical services were unavailable (as seen by users and customers) due to security incidents • Percentage of security incidents that exploited existing vulnerabilities with known solutions, patches, or workarounds
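The four technical measures above are only useful if they are computed the same way every reporting period, with explicit rules for the awkward cases (a host whose platform has no approved baseline, an empty population, a zero-length period). The following is an added example, not code from the slides or from the Corporate Information Security Working Group report, that computes each measure over small constructed inventories. Every host name, patch ID, change record, incident and the per-platform APPROVED baseline are assumptions made up for illustration.

```python
"""Compute the slide's four technical security metrics over constructed data.

Added example, not from the presentation. All hosts, patch IDs, changes and
incidents below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Host:
    name: str
    platform: str
    installed: Set[str]            # patch IDs present on the host


@dataclass
class Change:
    change_id: str
    security_reviewed: bool        # reviewed for security impact before install


@dataclass
class Incident:
    incident_id: str
    outage: timedelta              # critical-service downtime it caused
    exploited_vuln: Optional[str]  # weakness exploited, if known
    fix_available_before: bool     # a patch/workaround existed beforehand


# Assumed baseline: per platform, the approved patch set that must be installed.
APPROVED: Dict[str, Set[str]] = {
    "linux": {"P-101", "P-102", "P-103"},
    "windows": {"W-201", "W-202"},
}


def pct(numerator: float, denominator: float) -> float:
    """Percentage rounded to one decimal; an empty population reports 0.0."""
    return 0.0 if denominator == 0 else round(100.0 * numerator / denominator, 1)


def is_compliant(host: Host, approved=APPROVED) -> bool:
    """Compliant only if the platform has a baseline and every approved patch is
    installed; an unknown platform counts as non-compliant so that gaps in the
    baseline itself show up in the number instead of being skipped."""
    return host.platform in approved and approved[host.platform] <= host.installed


def patch_compliance(hosts: List[Host], approved=APPROVED) -> float:
    """% of systems with the latest approved patches installed."""
    return pct(sum(is_compliant(h, approved) for h in hosts), len(hosts))


def missing_patches(hosts: List[Host], approved=APPROVED) -> Dict[str, List[str]]:
    """Per non-compliant host, the approved patches it lacks. An empty list
    means the platform has no baseline at all, a finding in its own right."""
    return {h.name: sorted(approved.get(h.platform, set()) - h.installed)
            for h in hosts if not is_compliant(h, approved)}


def change_review_rate(changes: List[Change]) -> float:
    """% of software changes reviewed for security impact before installation."""
    return pct(sum(c.security_reviewed for c in changes), len(changes))


def incident_downtime_pct(incidents: List[Incident], period: timedelta) -> float:
    """% of operational time critical services were unavailable due to
    security incidents, over the reporting period."""
    if period <= timedelta():
        raise ValueError("reporting period must be positive")
    down = sum((i.outage for i in incidents), timedelta())
    hour = timedelta(hours=1)
    return pct(down / hour, period / hour)


def known_fix_incident_pct(incidents: List[Incident]) -> float:
    """% of security incidents that exploited a vulnerability for which a
    patch, workaround or other known solution already existed."""
    return pct(sum(i.fix_available_before for i in incidents), len(incidents))


def scorecard(hosts, changes, incidents, period) -> Dict[str, float]:
    """All four measures in one dictionary, suitable for a periodic report."""
    return {
        "patch_compliance_pct": patch_compliance(hosts),
        "changes_reviewed_pct": change_review_rate(changes),
        "incident_downtime_pct": incident_downtime_pct(incidents, period),
        "known_fix_incident_pct": known_fix_incident_pct(incidents),
    }


# Constructed sample data (not real hosts, changes or incidents).
HOSTS = [
    Host("web-1", "linux", {"P-101", "P-102", "P-103"}),
    Host("web-2", "linux", {"P-101", "P-102"}),          # missing P-103
    Host("dc-1", "windows", {"W-201", "W-202"}),
    Host("lab-1", "windows", {"W-201"}),                 # missing W-202
    Host("legacy-1", "solaris", set()),                  # no baseline defined
]
CHANGES = [Change("CHG-1", True), Change("CHG-2", True),
           Change("CHG-3", False), Change("CHG-4", True)]
INCIDENTS = [
    Incident("INC-1", timedelta(hours=6), "CVE-0000-0001", True),
    Incident("INC-2", timedelta(0), None, False),
    Incident("INC-3", timedelta(hours=18), "CVE-0000-0002", True),
]
PERIOD = timedelta(days=30)

if __name__ == "__main__":
    for name, value in scorecard(HOSTS, CHANGES, INCIDENTS, PERIOD).items():
        print(f"{name:24s} {value:6.1f}")
    print("missing patches:", missing_patches(HOSTS))
```

The deliberate choices are the ones a governance reviewer will ask about: an unbaselined platform lowers patch compliance rather than vanishing from the denominator, an empty population reports 0.0 rather than dividing by zero, and downtime is measured against the whole reporting period so the figure is comparable quarter to quarter. The CVE strings in the sample incidents are placeholders, not real identifiers.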

  41. What Does Effective Security Look Like at the Enterprise Level? • No longer solely under IT’s control • Achievable, measurable objectives are defined and included in strategic and operational plans • Functions across the organization view security as part of their job (e.g., Audit) and are so measured • Adequate and sustained funding is a given • Senior executives visibly sponsor and measure this work against defined performance parameters • Considered a requirement of being in business

  42. Governance and the Case Study • What regulations must the convention follow? • Industry • Financial processing • SOX • Venue • What best practices should the convention follow?
