The Information Security Program and How a Security Assessment Fits In
security concerns as a result of a security audit. When a follow-up is done, it is
found that none of the recommendations were ever implemented and thus, it is clear
that the report was not taken seriously. If management support for enforcement is
lacking, business groups can easily get away with not addressing issues raised during
a security audit. Ideally, management should openly support enforcement efforts,
and noncompliance should have repercussions.
Following the internal audit model, reports with findings are normally distributed
to senior management. This method demonstrates the support from management,
and then the individual groups are compelled to address the findings.
Without enforcement, which is very closely tied to executive support, the whole
information security program suffers because people do not care.
HOW DOES A SECURITY ASSESSMENT FIT IN?
Now that we have gone over the key elements of the information security program,
we can discuss how a security assessment fits into the overall information security
picture.
Companies are dynamic in nature, and different aspects of the company are
constantly changing. Everything from how the organization is set up to what the
company does changes over time. Few companies in today’s environment stay the
same — there is always some element of change, and changes have implications
from an information security perspective. For example, if a company restructures
its operations and outsources its IT operations, there are security implications
because data and systems are now under the control of a third party. Other examples
include a company beginning to offer goods and services on the Internet or implementing a wireless environment. These changes have significant security implications
that must be considered up front and on an ongoing basis.
FIGURE 3.8 Enforcement. (Figure elements: Security Policies & Procedures, Security Organization, Executive Support, Enforcement, Toolsets, Training and Awareness, Security Strategy.)
AU1706_book.fm Page 55 Wednesday, July 28, 2004 11:06 AM
A Practical Guide to Security Assessments
In many cases, changes and initiatives are made without considering the security
implications. In addition, no ongoing compliance effort exists to ensure that no
security vulnerabilities result from these changes to the environment. For example,
a business considering an e-commerce initiative is primarily concerned with the best
way to offer goods and services on the Internet so that sales are maximized and
consumers have a positive experience so that they will come back. While implementing these services, security is not always considered proactively; rather, it is an
afterthought. Security personnel may be brought in after the fact to review the
implementation, which is not the best way to ensure that the environment is secure.
In some cases, security personnel may come to know about it well after the fact —
after the service has been operational for a significant time period. This scenario is
more common in large Fortune 500–type companies where decentralized and autonomous groups have the authority to initiate these types of e-commerce implementations. Another common example today is wireless networks. There are well-publicized and known security issues with wireless. Wireless networks are, however,
very easy to put up and can provide major benefits to users. In some companies, IT
departments do not even know that wireless networks are attached to their network
because business groups just decide to put them up without considering the security
implications. When these networks are found, even the minimal level of security
that is provided is not implemented. These are only a couple of examples out of
many. The bottom line is that if security personnel are not aware of changes in the
environment, it is difficult to provide the assurance of a secure environment.
This is where security assessments fit in. A security assessment is the process
of looking at the business and supporting technologies and determining what security
risks are present. It is a process that management can use to determine whether the
existing information security program is adequately addressing a company’s security
risks. It is also something that should be done on an ongoing basis to make sure
that any security implications resulting from changes in the environment or new
initiatives are addressed. In the cases of the two examples discussed in the last
paragraph, a comprehensive security assessment would likely have discovered the
changes and provided recommendations to address the risks.
Security assessments are broad in nature and cover people, processes, and
technology. Assessments at a high level can be performed using the following
methodology:
• Evaluate business processes and identify related security risks.
• Evaluate critical supporting technologies and perform testing to determine security vulnerabilities.
• Perform risk analysis and provide cost-effective recommendations to manage the security risks identified.
In the process outlined above, which is a high-level version of the assessment
methodology discussed in this book, it is important to note that the business processes
are the starting point. Without understanding the business processes, it is difficult
to determine what the risks are. The key driver for the information security program
is the list of risks identified when reviewing the business processes and critical data,
which is basically what is done in a security assessment. Once the information
security program is developed, all information security measures taken should clearly
map back to a risk that was identified in this analysis. Recommendations from a security assessment should also map back to security risks related to business processes.
Depending on the type of business and the related business processes, the
security risks can vary widely. For example, a company that is highly dependent on
revenues from online commerce activities will be much more sensitive to any risks
related to its Web site and in guarding the privacy of customer information. A
company like this will probably see its Web site and the related business processes
as the key risks. On the other hand, a manufacturing company would view the
systems that support its manufacturing process and the systems where key manufacturing data reside as the key systems. This company might not really care that
much about its Internet site.
The security assessment is essentially the process of evaluating the information
security program and determining what is important to the business and whether it
is adequately secured. Done on an ongoing basis, it is the process of periodically
looking at the business in a holistic way to determine whether the existing information security program is properly addressing the security risks the company faces.
With the dynamic nature of businesses today and the speed at which technology is
changing, new security vulnerabilities surface all the time. It behooves companies
to try to address these risks in a proactive manner rather than dealing with them
after the fact. These risks range from organizational issues such as not having a
strong termination policy where terminated employees’ access to systems is properly
revoked to technical system vulnerabilities. A regular security assessment process
uncovers these issues so they can be addressed appropriately. In the context of the
information security program, the security assessment process is what keeps it
current — i.e., it is the constant evaluation. The security assessment process also
helps to instill a culture where security is taken seriously. If personnel know that a
regular security assessment is done, they will naturally become more aware of
security issues.
One important aspect of security assessments is that they are dependent on the
key elements of the information security program, which were discussed in the
preceding section. In particular, executive support for security assessments is critical
to their success. By its nature, the security assessment process will uncover security
risks and potentially raise issues about how employees are doing their jobs. Consider the example from the previous paragraph regarding the employee termination process: it is a weak process in some companies because no one owns it. If you look
at your own company, you might find that after an employee leaves, it might be
weeks or months before that person’s access is removed from the company’s systems.
In some cases, IT may not even know of employee terminations on a timely basis.
A successful termination process requires ownership and communication between
multiple groups including human resources (HR), finance, IT, and others. In the
context of a security assessment, raising an issue about terminations could make
people feel uncomfortable, and as a result, you may not receive the cooperation
necessary during an assessment. In these cases, executive support is critical so
personnel know that they must be forthcoming and cooperative during the security
assessment process.
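As an added example (not from the book), this is the kind of reconciliation check an assessor could run to test the termination process described above: HR's termination list is compared against IT's account directory, and any account that stayed usable for more than an assumed three-day limit after the last working day is reported, together with whether IT was ever told about the departure. All records, the assessment date and the three-day limit are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data for illustration; not taken from the book.
AS_OF = date(2004, 7, 28)        # date the assessment fieldwork is performed
MAX_DAYS = 3                     # assumed policy: access revoked within 3 days

# HR's record: employee id -> last working day.
HR_TERMINATIONS = {
    "e1001": date(2004, 3, 1),
    "e1002": date(2004, 3, 15),
    "e1003": date(2004, 5, 20),
}
# IT's directory: employee id -> date the account was disabled, or None if still enabled.
IT_ACCOUNTS = {
    "e1001": date(2004, 3, 3),   # disabled two days after departure
    "e1002": None,               # still enabled months later
    "e1003": date(2004, 7, 1),   # disabled, but six weeks late
    "e2000": None,               # current employee; not in HR's list, so not examined
}
# Terminations that HR actually communicated to IT.
IT_NOTIFIED = {"e1001", "e1003"}

@dataclass
class Finding:
    employee: str
    days_outstanding: int   # days the account stayed usable past the last working day
    still_enabled: bool
    it_notified: bool

def reconcile(hr, accounts, notified, as_of, max_days):
    """Flag terminated employees whose access outlived the last working day by more than max_days."""
    findings = []
    for emp, last_day in hr.items():
        disabled_on = accounts.get(emp)
        end = disabled_on or as_of           # still enabled: count up to the assessment date
        lag = (end - last_day).days
        if lag > max_days:
            findings.append(Finding(emp, lag, disabled_on is None, emp in notified))
    return sorted(findings, key=lambda f: f.days_outstanding, reverse=True)

def run_assessment():
    return reconcile(HR_TERMINATIONS, IT_ACCOUNTS, IT_NOTIFIED, AS_OF, MAX_DAYS)

def summarize(findings):
    """Report counts: how many findings point to a communication gap between HR and IT."""
    return {"findings": len(findings),
            "still_enabled": sum(f.still_enabled for f in findings),
            "it_never_notified": sum(not f.it_notified for f in findings)}
```

Findings with `it_notified` false point at the HR-to-IT hand-off rather than at IT's disable procedure, which is the distinction an assessor needs when recommending an owner for the process.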
The other important element of an information security program that is very
helpful is security policies. If the company has a set of up-to-date security policies,
they can be used as the basis against which to conduct the assessment. Although a
lack of policies can be worked around by using publicly available best practice
standards, policies are better because they reflect the specific risks facing the company and thus are a better standard against which to measure the company.
WHY CONDUCT A SECURITY ASSESSMENT?
In the previous section, we explained how the security assessment fits into the overall
information security program. However, you may encounter cases where an executive
or member of management might say that the company has a handle on security and
that a security assessment is not necessary. You may encounter other companies that
tell you that they feel secure and that nothing has ever happened to them before so
why would it happen now. For any company, there are a number of reasons why a
security assessment is important regardless of the environment, culture, size, etc. This
is important to understand because there are times when you will have to convince
management of the value of assessing the environment from a security perspective.
Reasons for conducting a security assessment include:
• Obtaining an independent view of security
• Managing security risks proactively
• Determining measures to take to address any regulatory concerns
• Justifying funds
OBTAINING AN INDEPENDENT VIEW OF SECURITY
Like a third-party audit, similar to how public companies are audited (notwithstanding some of the scandals that have surfaced as of this writing — e.g., the Enron
debacle), an independent assessment of security is a valuable tool for management.
A third party can be an outside company or an independent party within a company
such as an internal audit department. If the party assessing is an internal audit
department, you must ensure that they were not actively involved in the development
or ongoing functioning of the security operations so that they can be independent.
Security assessments, if performed correctly, are an independent view of security,
which validates whether security measures are properly aligned with the security
risks a company is facing. The assessment process also uncovers vulnerabilities and
leads to recommendations to remediate those vulnerabilities. A qualified independent
third party conducting an assessment has several advantages including:
• Objective and unbiased feedback — Because of their independence, third parties have the ability to offer honest feedback about the information security program and how it stacks up. The recommendations that third parties make are objective and unbiased. Although you may receive the same information by not having a third party conduct the security assessment, you will not have the assurance that the assessment was objective.
• Expertise and best practices — Some companies do not have the expertise to conduct a security assessment. A qualified independent third party can provide the expertise and knowledge of best practices that will make the security assessment process more meaningful. If you engage the right third party with the appropriate skill sets, they can provide a different perspective because of their experience with other companies or groups. Remember that for a third party, security is their area of expertise and they have probably seen a variety of ways that environments are secured. If you use a third party, this experience and knowledge can be leveraged to improve your own information security program.
• No politically motivated inhibitions — Independent third parties do not tend to have any friends or enemies or relationships that might cloud their judgment during the security assessment process. As we discussed earlier, security assessments potentially uncover information about how securely your business is run. Some findings might embarrass someone or make someone defensive. Internal parties who do not have the required level of independence can be influenced by their relationships. Independent third parties, on the other hand, do not have these concerns. As a result, their results will be objective and unbiased.
MANAGING SECURITY RISKS PROACTIVELY
Ideally, security assessments should be performed on a regular basis because doing
them often allows you to leverage what you already know about the business and
just look at changes to the business on an ongoing basis. Basically, the first assessment is the “baseline,” and all subsequent assessments address changes to the
business based on the “baseline.” This is an efficient and effective way to manage
security risks. The security assessment process is a way for companies to look at
the information security program and ensure that security risks are managed in a
cost-effective manner. By conducting security assessments, companies have the
ability to know what their risks are and what the associated impacts of those risks
are. Based on this knowledge, companies can then make informed decisions on how
to allocate funds and resources to manage security risks in a cost-effective manner.
Without this process, resources for information security, including staffing and funds,
may not be allocated properly. Stepping back periodically and evaluating the information security program provides a fresh perspective on whether the information
security measures in place are appropriate.
One of the classic examples in recent years is intrusion detection. These systems
can require significant administration time because of tasks related to updating
detection signatures, reacting to alerts, and fine-tuning the system to minimize false
alarms. Some companies have implemented intrusion detection systems without
considering whether they have the resources to properly administer them or whether
they really need them. In the end, many of these companies do not end up using
intrusion detection. The result is a very expensive system on the network that is not
managing any risk or providing any benefit to the company. In this example, a
security assessment would have determined whether a need for intrusion detection