Information Security Considerations and Recommendations for IT and Business Decision Makers

Published: 17th September 2009

REDSPIN WHITE PAPER



September 2009



Contents

1. Summary

2. The Information Security System

3. Issues, Threats and System Flaws

4. Structuring a Response

5. Making Decisions

6. Business Impact



Summary



This white paper outlines considerations and recommendations for reducing business risk through an effective enterprise information security program. Our goal is to present information that will be helpful not only to IT and information security professionals but to business unit general managers as well. Throughout, we present and weigh choices based on optimizing a security program for effectiveness, efficiency and business impact.

In a recent Harvard Business Review article titled "The Big Shift" (HBR; July-August 2009; John Hagel III, John Seely Brown, Lang Davison) the authors presented the idea that in times of economic crisis such as the one we face now, traditional metrics for managing a business may be insufficient to point the way forward. The HBR article presents a framework for understanding business transformation in terms of three factors: foundations for major change (such as compute power and Internet usage), flows of resources (such as information and knowledge) and the impact of the combination of the previous two factors on companies and the economy. As is often the case in business, this framework is measured as an index (the Shift Index) composed of three components: foundation, flow and impact. The foundation index is strongly influenced by computing and communications (Internet) infrastructure. The flow index is influenced by information sharing and Internet activity. The impact index is influenced by brand loyalty and competitive intensity. The article concludes by challenging executives on how they can best create and capture value by managing these factors.

The purpose of this paper is to examine information security in terms of enabling business.



Wisely used, we believe that security plays a major role in creating and capturing business value. Given this role, we frame the discussion of information security as a system whose efficacy can be evaluated in the terms suggested by Hagel, Seely Brown and Davison. We consider information security from the perspective of enabling an efficient compute and communications infrastructure (positively impacting the foundation index). We examine what is required to support the flow of information and knowledge resources in a secure fashion (positively impacting the flow index). Lastly, we explore methods to deploy information security technology and processes in order to protect corporate brands and promote competitive advantage (positively impacting the impact index).



The Information Security System



For an information security system to support the business we must treat it like a system: it must have structure and be measurable. In many enterprises measurement means capturing log files, counting intrusions and tracking lost data incidents. We suggest a different approach that starts from a top-down perspective. We also believe that such a system must be rich enough in information to be useful yet simple enough to support business decision making.

Our information security system uses the terms presented in the HBR article. Ultimately we have three elements to manage with three associated indices to track. The system is illustrated in the figure titled "Information Security System" (diagram not reproduced here).



Next, we must think about the elements that connect the information security system with the business. An ideal description of the customer security system is shown in the following table:

Table 1. High level elements and metrics associated with the Information Security System (table not reproduced here)

Given this structure the customer security program moves forward based on business requirements and is accelerated by specific business drivers. The primary components of the program are policy, strategy and control. The desired situation is for a customer to define the risks facing the business and the requirements for the security program, and to articulate the goals and measures the program is to achieve. The strategy is developed through a model of the risk situation, the data to be protected and the controls that carry out the protection objective. Lastly, the control component implements, audits and manages the plan. The net result is business enablement.



In an ideal situation the customer security system follows the plan that is illustrated above. In many enterprises today, this is not the case, but a program constructed through best practices should be driven by business requirements, focus on risk reduction and guided through policy. Systematic metrics must be used to gauge the effectiveness and efficiency of the program with course corrections where necessary.



Many companies fall short of this ideal. A common tendency is to focus on technology rather than process. Often the threats presented by the ecosystem result in decisions driven by fear. Similarly, the need to respond to particular events such as a regulatory audit dictates behavior and decisions in a suboptimal fashion. Taken together, these conditions lead to ad hoc staffing, ill-defined responsibilities and unstructured security policies. The net result restricts business agility, growth and income.



To achieve the desired situation of the information security system enabling business, an important point of leverage lies with policy. Table 2 illustrates some key information security policy areas and their relation to our foundation, flow, impact model of the information security system.



Table 2. Key information security policy areas mapped to the foundation, flow and impact elements of the Information Security System (table not reproduced here)

For an information security system to run optimally, managers must make policy decisions about each of these areas and put in place processes to carry out their decisions. If managers ignore this responsibility or take shortcuts on process, ad hoc decisions will fill the void, often with disastrous results.

Let's discuss a few policy areas in each category to explore the relationship of policy to the information security system.



Foundation

Risk Assessment

An enterprise must specify the scope, frequency and approach to risk assessments. Typically this activity requires special skills in executing the assessment as well as communicating the results. The benefit is a risk based analysis of where to focus security resources and technology.



Application Security

The policy team must outline requirements for secure software development processes, testing procedures, change management procedures and the many other areas that affect application security. Executed well, this gives the company a level of assurance that applications, the most prevalent threat vector, are under control.

Infrastructure Impact Review

Policy makers must decide the frequency, process, participants, metrics and information sources that make up the review of performance against policy. The company can use this forum to make course corrections in its decisions and actions.



Flow

Data Classification

The enterprise policy in this area specifies attributes about classes of data and the resulting implications in storing, transmitting and securing the data. A wise policy in this area has significant business payback because it allows technology and resources to focus data security efforts where impact will be most beneficial.



Privacy

In recent years privacy has become an important component of government and industry regulations. A single corporate privacy policy that meets the needs of the corporation as well as those of the regulators provides a great deal of leverage, because one set of controls can satisfy many overlapping requirements.

Information Impact Review

This policy review generally takes the same shape as the infrastructure review but tends to be more difficult to manage because of the diversity of viewpoints and interests. Our recommendations are to carefully consider the audience and the goals to be achieved through the review process.



Impact

Regulatory Compliance

Most international enterprises are subject to hundreds of regulations. Often it is simply too expensive to create an "uber-policy" that addresses all issues. However, this policy area must be explicit about where effort will be consolidated, the scope of compliance efforts and the processes for interacting with auditors and reporting results.



Risk Management

While risk must be a consideration in all areas of the security system, policy must guide the means by which risk is managed. Information security is an operational risk that fits within a larger system of enterprise financial risk. The policy must specify the goals and scope of this area that has a high potential to bring significant business benefit through improving effectiveness and efficiency.



Information Security System Flaws

The following areas represent situations in which customers often go wrong in managing their security programs.

A common problem is the failure to understand the environmental conditions surrounding security programs. An example of this problem is buying additional security products in the hope that overall security will increase. Such purchases present a number of problems. First, the complexity introduced by additional security products often results in decreased security. Second, the attackers have the advantage often attributed to asymmetric warfare: they need only find one avenue to exploit a vulnerability, whereas the corporation must defend all possible points of exposure.



Another important point is that many companies deal with security as a trust issue, seeking methods to ensure that information is treated in the most secure manner possible regardless of the situation. In such a scenario the corporation finds itself in an arms race with the attackers. The company is desperately trying to ensure that information is protected while the attackers have the advantage of defining the battlefield and choosing the points of attack.



Further, customers often misunderstand security system requirements. It is appealing to react to new products that deal with imminent threats while forgoing basic information security principles regarding process. To implement a security program properly the primary focus should be on process, with requirements centered on the security, scalability and integration capabilities associated with the system as a whole.

In light of this situation, security platform vendors and providers of internet infrastructure have a major advantage in supplying corporations with security solutions. Because the threat environment is fast moving, the need for point solutions will always exist, but in time these products will be integrated within an overall security framework provided by the major suppliers in the industry. Perhaps the most important component of this argument is that security needs to appear as seamless to the end users and as such must be delivered as part of the overall IT infrastructure.



Finally it is important to recognize that security is not a result for corporations to achieve, but merely a means of facilitating business. Done well the process will not interfere and often will facilitate profitable growth of the business.



Threat Environment

Customers face a dynamic threat environment. An important item to note is that attackers are constantly adapting mechanisms for gaining advantage. Motivations have also changed over time. Initially, attackers were satisfied with the notoriety associated with being able to penetrate a corporation. Presently motivations are driven by monetary gain. It is also noteworthy that attacks are directed against critical infrastructure and are considered an important component in nation-state warfare.

An illustration of the current state of the threat economy is presented in the diagram below.



Compliance Requirements

While coping with these threats, businesses must also face the challenge of complying with industry and governmental regulations. For the most part, these regulations were introduced because businesses lacked direct motivation to improve governance and security. The illustration below depicts a framework for relevant regulatory standards and the guidance provided by various industry and governmental organizations to help corporations with compliance.



While dealing with these regulatory pressures customers must cope with a growing threat landscape including cybercrime, internal threats and malicious activity on the part of business partners. Each of these areas presents unique threats and security challenges.

Because of this dangerous climate customers are rightly concerned about a number of significant issues including:



• Brand protection

• Risk reduction

• Service availability

• Employee productivity

• Regulatory fines

• Reputational damage



It is important to note the corporation as a whole is a stakeholder with respect to the issues, but each organization values them differently. Business units tend to prioritize brand protection and service availability because they are fundamental to maintaining and improving business value. IT organizations must respect the need to address every issue, but often prioritize compliance as a means of securing additional funding. Security groups tend to be driven by the latest threats to the company's reputation as a way of proving their value to the organization. Forward thinking companies realize that information security is a matter of risk reduction and strive to unify security programs such that they meet the concerns of the business in the most economical fashion.



Making Decisions

The following section describes some practices that we have found useful from experience.



Use a simple step by step decision making process. For example:



1. Understand the business conditions

a. Team capability, operating environment, threat model, business drivers, etc.





To read the full article including diagrams please visit our website

http://www.redspin.com/research_redspin.html



Redspin, founded in 2000, delivers the highest quality information security assessments through technical expertise, business acumen and objectivity. Redspin customers include leading companies in areas such as health care, financial services and hotels, casinos and resorts as well as retailers and technology providers. Some of the largest companies rely upon Redspin to provide an effective technical solution tailored to their business context, allowing them to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios.

