Evolution of Information Security
15
at the University of California, Los Angeles (UCLA) and published in the UCLA Internet Report, “92.4 percent were either somewhat or very or extremely concerned about the security of their credit card information when purchasing online in 2002.”[5]
Some consumers will not purchase online for that reason. Others may stop buying
from an e-commerce site completely if a security incident has occurred.
In the case of a denial-of-service attack, if a consumer goes to a Web site and has a bad “user experience,” that consumer may think twice about going to that site in the future. These are only a few of the specific risks that fall into the “cyber-related” risks category.
At a higher level, key concerns related to cyber threats include:
• Damage to reputation — e.g., security incidents receiving significant press
• Loss of revenue — e.g., inability to sell a product or service because the consumer goes to a competitor
• Permanent loss of customers — e.g., consumers so displeased that they do not buy from the company again
• Regulatory concerns — e.g., if the security breach affected compliance with certain laws such as HIPAA or GLBA
• Legal liabilities — e.g., if the security breach causes someone harm and they decide to sue the company
All of the items listed above can be devastating for a business and, if significant
enough, can destroy a business. Although loss of revenue is the only item on this
list that can be easily quantified into a dollar amount, the other items represent much
more lasting and long-term effects on the business.
GROWING ROLE OF INTERNAL AUDIT
Another aspect in the evolution of information security is linked to the internal audit
function. The internal audit function plays a key role in larger companies and is now
receiving a significant amount of press in the wake of the Enron scandal. At a high
level, internal auditors look at certain processes within a company and ensure that
proper internal controls are implemented. By the nature of their jobs, internal auditors
learn about a company and its processes. They learn the best and worst ways to do
something. Some companies have their auditors act like watchdogs, looking for
internal control weaknesses, providing recommendations, and following up to make
sure they have been implemented. In other companies, auditors are viewed as business
partners who find internal control weaknesses, suggest process improvements, and
also actively transfer knowledge about best practices around the company — i.e.,
effectively serving as internal business consultants.
The internal audit process is very much like the security assessment process,
which is part of the bigger picture of information security. However, internal audit
departments have mostly focused on operational and financial processes, and there
has not been widespread focus on technology and its related processes — i.e., IT
audit. As IT audit becomes more prevalent, information security will continue to
have importance through company internal audit departments.
AU1706_book.fm Page 15 Tuesday, August 17, 2004 11:02 AM
16
A Practical Guide to Security Assessments
Although security assessments are not exactly the same as internal audit, many
similarities exist — with the main similarity being evaluating systems from an
internal control/security perspective. Each of these processes examines how systems
function within an organization and whether or not the organization is secure. This
includes reviewing the critical data transacted by the various systems and its dependencies from both the process and technology perspectives.
The differences between security assessments and IT audits are really quite
subtle. Essentially, the focus of an IT audit is broader. In a security assessment, the
process is very focused around the security aspects of information, such as storage,
transmission, and access. In an IT audit, the focus also includes ensuring that systems
function as intended from a business perspective. This clearly goes beyond the realm
of information security.
Today, traditional operational auditors must be more knowledgeable about technology and system-related controls, as most mission-critical business processes are
dependent on technology. As a result, IT auditors are an integral part of the process
of securing information assets. Similar to what internal auditors have been doing
for years — providing an independent opinion of the quality of internal controls
around business processes — IT auditors now provide that same independent view
of technology and associated controls. The overlap between IT audit and security
assessments can be seen with internal controls related to technology — access
control, configurations of systems, etc., which are critical to the confidentiality,
integrity, and availability of information.
Besides the increased use of technology, laws are also raising the stature of IT auditors. “While heightened concerns over security and terrorism accounts for some of IT auditor’s new sheen, there’s also another reason: the freshly minted law known as the Sarbanes–Oxley Act puts more pressure on upper management to vouch for ‘internal controls,’ with specific sections related to information auditing.”[6]
The other key aspects of internal auditors are their independence and their
reporting structure. From an organizational perspective, internal audit is separate
and has limited ties to any operational unit of a company. Internal auditors have
access to senior management and often report directly to the board of directors.
From a security perspective, as security assessments are incorporated into audits,
internal audit departments can provide independent judgment and help drive security
initiatives.
From an evolutionary perspective, internal audit continues to give legitimacy to
the information security discipline as it becomes integrated into the function of
internal audit. The dependence on technology and laws such as the Sarbanes–Oxley
Act, HIPAA, and GLBA are expediting this process.
SECURITY STANDARDS
One of the driving forces behind information security has been the proliferation of different information security standards (key standards will be discussed in detail in Chapter 9). Similar to other competencies, companies are looking for guidance as it relates to information security both at an operational level and from an assessment perspective. For example, from an assessment perspective, the accounting profession has guidelines for auditing financial statements, the Generally Accepted Auditing Standards (GAAS). These standards provide guidance on the steps that should be taken when auditing certain areas of the financial statements. At an operational level, certain standards for internal controls are considered best practices that companies follow.
As information security has become more important, companies are looking for standards they can use in implementing information security measures. Information security experts, companies, and government agencies have come together to share information and develop standards for information security. Different organizations have cropped up recently to develop best practices for the information security discipline. Although some information security standards have been around for some time, most have not received much attention until recently. Companies are using three types of standards:
• Best practice standards
• Technical standards
• Marketplace standards administered by third parties
BEST PRACTICE STANDARDS
“Best practice” standards or information security guidelines are used by companies to develop and monitor their information security programs. Two of these standards are the Generally Accepted System Security Principles (GASSP) and the International Organization for Standardization (ISO) 17799 standard, which was based on the British Standard BS 7799. These standards are vendor neutral and do not focus on specific technologies. Both are focused on policy and the different elements of an information security program that companies should have in place. Although technology is mentioned in broad, generic terms, these standards are focused on the process of information security.
The ISO 17799 standard, which is widely recognized as an information security
best practice standard, was developed by a consortium of companies and is based
on companies’ best practices and input from industry experts. This consortium
represented a cross section of companies to bring out best practices that can be
applicable to a wide range of companies. These standards are meant to help com-
panies create an information security program addressing a wide range of topics
that fall under the umbrella of information security. The ISO 17799 standards provide
high-level guidance on information security topics including:
• Security policy
• Organizational security
• Asset classification and control
• Personnel security
• Physical and environmental security
• Communications and operations management
• Access control
• Systems development and maintenance
• Business continuity management
• Compliance
The ISO 17799 standard provides guidance in each of the above areas. The
standard can guide the development of security policies and can serve as the foun-
dation of an information security program. One thing to note is that the guidance
provided by the ISO 17799 pertains to “what” should be in an information security
program. This standard does not provide much guidance on process or how a specific
security requirement can be achieved. The ISO 17799 is one of several standards
(some of which will be discussed in detail later in this book) in use by companies.
One of the earliest sets of standards was the GASSP. GASSP was developed as a result of a recommendation from the U.S. National Research Council’s 1990 report Computers at Risk. The first recommendation in this report was “To promulgate comprehensive generally accepted system security principles” using input from information security practitioners in the private and public sectors from the United States and abroad.
These technology-neutral best practice standards serve a very important purpose
when the overall information security program in a company is developed. They
help set the foundation of the program, which is then used to develop the rest of the
program including technology, processes, people with the appropriate skill sets, etc.
From a security assessment perspective, these standards can be used as a basis for
evaluating a company’s security posture. In a security assessment, one of the first
things to look for is a solid foundation — i.e., a security strategy including policies
and procedures and ongoing assessments to ensure that the information security
program is up to date.
TECHNICAL STANDARDS
Technical standards are published by information security practitioners and vendors. For example, many information security professionals utilize the Microsoft TechNet Web site (technet.microsoft.com) to access best practice security standards for Microsoft products. Many of the major vendors, such as Cisco and Microsoft, have a wealth of information that can be used to help lock down the respective technologies. These standards can come in the form of case studies or as checklists that can be used with some minor customization to reflect a specific company’s business requirements. The checklists tend to be very technical in nature, actually recommending specific system settings. An example is the Windows 2000 Server Baseline Security Checklist,[7] which is published on the Microsoft TechNet Web site. This checklist contains a comprehensive list of security measures that system administrators should take to adequately lock down a Windows 2000 server. Some of the items in this checklist include:
• Disabling unnecessary services
• Disabling and deleting unnecessary accounts
• Disabling the guest account
Not all of the items on the checklist have to be complied with because the checklist is only meant to provide guidance. It is probable that some of the items on these checklists cannot be complied with because of certain business requirements a given company might have. These checklists are designed to help you consider all of the alternatives in locking down a company’s systems. When used, they should be modified based on the specific client. Because of the rapid pace of change with technology, these guides should be checked frequently, as they are constantly updated.
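One way to turn the three checklist items above into a repeatable check against a live host, as an added example that is not from the book or from Microsoft’s checklist. It uses PowerShell cmdlets that did not exist on Windows 2000 (Get-LocalUser, and the StartType property of Get-Service), so it assumes a current Windows 10 or Windows Server build; the $RequiredServices and $ApprovedAccounts lists are constructed placeholders standing in for the business requirements the text says must be worked out per client. The script only reports, it changes nothing, which is the posture an assessor rather than an administrator should take.

```powershell
# Added example (not from the book or Microsoft's checklist). Audits a host
# against the three checklist items above: unnecessary services, unnecessary
# accounts, and the guest account. Assumes Windows 10 / Server 2016 or later.

# Hypothetical, constructed allow-lists. These encode the client's business
# requirements and must be replaced before the script means anything.
$RequiredServices = @('W32Time', 'Dnscache', 'EventLog', 'LanmanServer')
$ApprovedAccounts = @('Administrator', 'svc-backup')

function Test-BaselineChecklist {
    param(
        [string[]]$RequiredServices,
        [string[]]$ApprovedAccounts
    )
    $findings = @()

    # Item 3: the guest account must be disabled.
    $guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
    if ($guest -and $guest.Enabled) {
        $findings += [pscustomobject]@{
            Item = 'Guest account'; Detail = 'Enabled'; Severity = 'High'
        }
    }

    # Item 2: enabled local accounts that nobody has justified keeping.
    Get-LocalUser |
        Where-Object { $_.Enabled -and ($_.Name -notin $ApprovedAccounts) } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Item = 'Unapproved account'; Detail = $_.Name; Severity = 'Medium'
            }
        }

    # Item 1: services set to start automatically that the business does not need.
    # Everything not on the allow-list is flagged, so an incomplete list produces
    # noise rather than silence; that bias is deliberate for an assessment.
    Get-Service |
        Where-Object {
            $_.Status -eq 'Running' -and
            $_.StartType -eq 'Automatic' -and
            ($_.Name -notin $RequiredServices)
        } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Item = 'Unnecessary service'; Detail = $_.Name; Severity = 'Low'
            }
        }

    return $findings
}

$result = Test-BaselineChecklist -RequiredServices $RequiredServices -ApprovedAccounts $ApprovedAccounts
if ($result.Count -eq 0) {
    'No deviations from the baseline checklist.'
} else {
    $result | Sort-Object Severity, Item | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on the target; Get-LocalUser and the service inventory are local-only, so for a fleet the function would be wrapped in Invoke-Command. On a stock build the service list will be long, which is the point the text makes: the allow-list, not the checklist, is where the client’s business requirements are recorded, and a finding is only a deviation from guidance until someone decides whether it is accepted.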
In addition to material supplied by vendors, significant material is available in
the public domain relating to best practice technology standards contributed by
security practitioners. Some of the technical standards used by companies today include the National Institute of Standards and Technology (NIST) Standards, Center for Internet Security benchmarks, and the SysAdmin, Audit, Network, Security (SANS) Top 20 list. These can be helpful documents, as they often reflect real world
scenarios. People who are out in the field actually trying the recommendations on
these checklists typically prepare these documents. The sources of these documents
should be considered, and you should make sure that you trust the document before
using it. All checklists should be modified as required to reflect the client’s business
requirements before using them.
MARKETPLACE STANDARDS
The third type of standards is marketplace standards. These standards are indepen-
dent standards that signify a certain level of security. They are like certifications in
that companies must meet certain criteria to be certified. This has become somewhat
prevalent in the business-to-consumer space, where consumers want to see that
companies who conduct business online have met certain standards related to privacy
and security. In the business-to-consumer space, these standards go a long way in
providing credibility related to security and privacy for companies with an online
presence. Based on a Harris Interactive survey dated February 19, 2002, “…most consumers still do not trust companies to handle their personal information properly. However, independent verification of company privacy policies is the single business action that would satisfy almost two out of three consumers (62 percent). In fact, 84 percent think such verification should be ‘a requirement’ for companies today.”[8]
Consumers are clearly demanding some minimum standards related to security. Examples of these standards are:
• Better Business Bureau (BBB) Online Privacy Seal
• American Institute of Certified Public Accountants (AICPA)/Canadian Institute of Chartered Accountants (CICA) WebTrust Program
Each of these programs is discussed in greater detail below.
Better Business Bureau (BBB) Online Privacy Seal
The BBB has several programs that companies may apply for, one of which is the
Online Privacy Seal. This program is for companies that conduct commerce online.
These companies know the value of giving consumers confidence that their personal
and credit card data is secured and that their online transaction will be secure. Based