10: MANAGING THE SECURITY LIFE CYCLE

INTRODUCTION

The McCumber Cube methodology is not a process that needs to be replicated on a recurring basis; it is a methodology to use in the assessment and design phases of the security program. It also can be employed as a tool for design and assessment of individual products and system components. Invoking the use of the methodology is also called for when the information systems environment is significantly modified or upgraded. In keeping with the understanding of this process as an information-centric model, you can determine if the McCumber Cube methodology needs to be used by looking for new information flows, changes in asset (information) valuation, and the acquisition of new technologies. However, there are many security-relevant activities that take place on a day-to-day basis and we will cover the basics of that process here.

In this chapter, we will deal with the issues of security life-cycle management. Life-cycle management is the complete menu of organizational activities that are conducted on an ongoing basis to implement, enhance, and support the information systems security program. We address these issues here simply to introduce some of the major concepts in security life-cycle management. This chapter is not designed to be a comprehensive checklist for security practitioners. It is important, however, to lay out the underlying processes and principles that make up an information systems security program.

The process outlined in this chapter is taken primarily from Symantec Corporation’s Lifecycle Security™ Model. I present it here because it complements the principles set forth in this text. It is a process that is centered on fundamentals that, like the McCumber Cube methodology, do not change with the evolution of technology and systems. It provides practitioners, analysts, and IT implementers with an effective way to visualize and create strategies for managing the ongoing activities of security management.

Figure 10.1 Information Security Life Cycle

The life-cycle security model is depicted as a circle (Figure 10.1). There is a sound reason for that. At any given time, there are a number of activities that are being pursued for the purpose of protecting an organization’s information resources. Even if no information security program currently exists, there is still a need to conduct daily, weekly, and monthly recurring activities while performing the requisite assessment and implementation tasks. Few security practitioners have had the luxury of being able to design and implement a completely new program in a system yet to be deployed. Even the ones who have this experience are often severely constrained because they have lacked the tools to accurately quantify and express the value of the information security controls.

We will begin to look at the activities of the information security life cycle with the function labeled Assess (Figure 10.2). In this assessment phase, the elements of the complete information security program are laid out and evaluated. During this phase of the process, the McCumber Cube methodology provides a valuable tool for the evaluation and selection of security controls, the development of security policies, and the creation of training and awareness programs. By mapping the organization’s information flows and creating the metrics that will be used to judge the value of critical information resources, the fundamental components of the information security program will be developed.

Figure 10.2 Information Security Life Cycle—Assess

This is also the phase where the risk assessment process needs to be undertaken. While you are developing the metrics for the measurement of the value of your information resources and tracking its flow through the organization, you are creating some of the key inputs into your risk assessment process. To obtain all the data necessary for the risk assessment, you will also need to make a detailed catalog of threats to the information that includes all the aspects of both environmental and human-based categories.

Once the McCumber Cube analysis results are created along with the information resources valuation and threat data, you should have the entire catalogue of elements needed as input to your targeted operational risk assessment. The basic elements of the risk assessment process are threats, vulnerabilities, assets, and safeguards. You know you are complete when you have quantifiable information for each of these areas and you have used the risk assessment process to determine the security controls necessary to provide the protection required to meet mission and organizational objectives.

During the design phase (Figure 10.3), you take the proposed security architecture and create a technical and procedural blueprint for your entire information security environment. The design phase is critical even for a currently deployed system undergoing a rigorous security review. In this case, your design should be able to highlight areas needing new components or upgrades to existing technology. Reviewing your risk assessment results as well as McCumber Cube analysis will provide you the necessary bases for the end-to-end design that is created as a result of the design phase.

Figure 10.3 Information Security Life Cycle—Design

The design phase also should include a complete review of security policies and procedures. Information security policies and procedures support and enhance the technical controls. They must be assessed in conjunction with the technical controls to ensure that the appropriate interoperability is considered. If you have walked through the structured methodology thoroughly and performed the decomposition stages correctly, this element of the life-cycle process should be quite easy. You should have a complete list of not only the proposed safeguards, but also all security policy requirements for the entire program.

Another key aspect of your security program that also should be available to you now is a comprehensive understanding of the training and awareness activities needed to complement the security program. The human factors component of the McCumber Cube methodology covers this critical area, and the various places where this safeguard category was assessed and defined need to be gathered and developed into a human factors plan that supports the overall information security program.

Figure 10.4 Information Security Life Cycle—Implement

The implementation phase is shown in Figure 10.4. This important phase of the life cycle encompasses all those activities associated with the selection, acquisition, and deployment of the technical and procedural security program. This is also the most difficult phase because significant costs of the security program must be justified and expended. However, if you have performed the structured methodology correctly, you will have most of the information you need at your fingertips.

The McCumber Cube analysis will provide a detailed description of your security requirements based on the asset valuation of the information resources for which the program provides assurance. By presenting this material to those responsible for financial and resource allocation decisions, you should have comprehensive, well-documented justification for all implementation requirements—technical, procedural, and human factors based. For those inevitable times when resources are constrained and trade-offs must be made, your analysis will remain an important part of your documentation for future use. You may be called on to provide justification when more resources become available, or you may need to be able to show how your initial implementation plans were not fully executed after an undesirable consequence has been realized.

The implementation phase also may need to be accomplished over a period of time. The results of your structured methodology also will aid you in making a determination about what elements of the security program are most critical and how they should be rolled out to protect the most sensitive information resources first. As with the design phase, having this information readily available makes the decision-making process for your information systems security program much easier and certainly justifiable.

Figure 10.5 Information Security Life Cycle—Monitor

Once the technology and procedural controls have been implemented, you have to plan and conduct monitoring of the security controls (Figure 10.5). Often this vital step is either overlooked or ignored in the assessment and design phase. An intrusion detection product or audit log will provide you with little or no protection if it is not monitored on a regular basis. The key question is always: What do I need to monitor?

Your inventory of security capabilities needs to be carefully evaluated for each entity that requires monitoring. Firewalls, intrusion detection systems, honeypots, audit logs, and malicious code sentinels all require a certain degree of monitoring for adequate security enforcement. In addition to the various security technologies you have deployed, the security procedures also need to be monitored for compliance.
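As an added example (not from the book or from Symantec’s model), the following Python check turns the inventory question “What do I need to monitor?” into a report: each deployed control or procedure carries an assumed review cadence, and the check flags anything with no monitoring assigned, never reviewed, or overdue. The inventory, cadences, and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Control:
    """One entry in the inventory of security capabilities (constructed schema)."""
    name: str
    kind: str                       # "technology" or "procedure"
    cadence_days: Optional[int]     # required review interval; None = no monitoring assigned
    last_reviewed: Optional[date] = None


def monitoring_status(control: Control, today: date) -> str:
    """Classify one control as unmonitored, never_reviewed, overdue, or current."""
    if control.cadence_days is None:
        return "unmonitored"            # deployed, but nobody is assigned to watch it
    if control.last_reviewed is None:
        return "never_reviewed"         # cadence defined, but no review has happened
    if today - control.last_reviewed > timedelta(days=control.cadence_days):
        return "overdue"                # review interval exceeded
    return "current"


def monitoring_gaps(inventory: List[Control], today: date) -> Dict[str, List[str]]:
    """Group control names by status; everything outside 'current' is a monitoring gap."""
    report: Dict[str, List[str]] = {
        "unmonitored": [], "never_reviewed": [], "overdue": [], "current": []
    }
    for control in inventory:
        report[monitoring_status(control, today)].append(control.name)
    return report


# Constructed sample inventory mirroring the control types named in the text.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_INVENTORY = [
    Control("perimeter firewall", "technology", cadence_days=1, last_reviewed=date(2024, 3, 1)),
    Control("network IDS", "technology", cadence_days=1, last_reviewed=date(2024, 2, 20)),
    Control("honeypot", "technology", cadence_days=7, last_reviewed=None),
    Control("server audit logs", "technology", cadence_days=7, last_reviewed=date(2024, 2, 25)),
    Control("malicious code sentinel", "technology", cadence_days=None),
    Control("visitor escort procedure", "procedure", cadence_days=30, last_reviewed=date(2024, 2, 10)),
]

if __name__ == "__main__":
    for status, names in monitoring_gaps(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{status}: {', '.join(names) or '-'}")
```

Run as a script, it lists the sentinel as unmonitored, the honeypot as never reviewed, and the IDS as overdue; those three are the answer to the monitoring question for this sample inventory.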

You also will need to continually monitor the overall threat environment to maintain currency in the understanding of the evolution of the threats. Environmental threats, although daunting and far ranging, tend to remain relatively constant. The human threat, however, is changing and adapting. The motivations of those who would want to exploit your information resources are affected by everything from global events to personal needs and desires. New tools and techniques for exploiting information resources are developed daily. Keeping abreast of this dynamic environment is a primary responsibility for anyone charged with the protection of digital assets.

You also will notice that circumnavigating the life-cycle model is Early Warning, which has become increasingly important to information security. There are now many public and private organizations that can help you maintain an awareness of the threat and vulnerability environment that affects all IT resources. Central to the concept of early warning is access to information gathered from sensors both nationally and globally so you and those who support your efforts are aware of trends and changes that can affect information resources and IT. This can be achieved by allotting time and resources to monitor information sources or by subscribing to one of the many services now available to provide assessment and notification.

Within the center ring of the information security life cycle is a band representing education (Figure 10.6). Education represents the growth and nurturing of the human factors safeguard category. Education is a requirement not only for the person ultimately responsible for the information security program, but for everyone involved. At the broadest level of the organization, everyone who handles and uses information resources needs to be aware of their personal responsibilities for maintaining confidentiality, integrity, and availability of these assets. However, the ultimate responsibility lies with the individual chartered with creating and managing the information security program.

Figure 10.6 Information Security Life Cycle—Education

For those who are new to this position, it makes sense to get some education right away. Taking classes offered by experts and attending relevant conferences and symposia is a good beginning. Make sure you ask plenty of questions and seek out proven methodologies. It is important to understand who is giving you advice and what their long-term goals are. Obviously, vendors who provide low- or no-cost information security courses would prefer you buy their products as a result of the education. They may also tailor the information in the course to target their solutions.

Consultants and service providers often promote free seminars and training materials to entice you to contract for their services. Their goal is not so much to educate you as to impress you with their understanding and skill. Usually it is worth the investment to take independent courses and even look for professional certification. The key point here is not to wait. Get pointed in the right direction and start making improvements.

There are many people involved in protecting information resources. The question has been asked, who are the smartest people in information security? Perhaps the smartest people are the penetration experts. In a recent article in an information security trade publication, the practice leader for a team of hackers-for-hire gushed, “… most of these guys [hackers] have an IQ that could boil water.” Perhaps they are the smartest.

I personally stand in awe of cryptographers and cypherpunks. I have had the privilege of working with some extremely talented men and women for whom this intense and absorbing discipline was simply amusing. It is easy to feel humble while struggling through the mathematics and complex logic that comprises the study of modern cryptography.

Others may cry up the case for software and security product developers. Their ability to tackle a difficult problem, write the code to solve it, debug it, and release a working product is most admirable. As these products evolve to improve the security of systems, we can be assured of more accurate and scalable security solutions. These folks surely rate up there in smarts.

Ultimately, however, the question is as moot as it is silly. The information security profession is best described as multidisciplinary. There are experts in penetration testing, physical security of networks and systems, cryptography, security administration, intrusion detection, systems audit, and many other facets of our business. Some jobs are more technically oriented and others require management and people skills.

Those who aspire to grow in the profession may become a chief information security officer and assume responsibility for an entire information security program at a major corporation. In this capacity, they have to excel in the knowledge of how all these technologies and industry best practices work in harmony to achieve the most cost-effective protection. Yet they may not be able to hack their way out of a paper bag.

Everyone involved in building tools, creating products, designing architectures, developing policies, and assessing vulnerabilities is an important part of the whole. However, I believe the smartest person is the one who is able to provide the right amount of information and infrastructure protection for a reasonable investment and a minimum of overhead. This is truly the balancing act that deserves the highest recognition. Those who are able to apply just the right amount of security where it is needed should be heralded for their achievements. To become that person, you have to have a structured methodology that provides a solid, quantifiable approach that recognizes the interplay of technological, procedural, and human factors safeguards.

I have saved the management function (Figure 10.7) for last so we can conclude with some comments on the nature of the information security manager’s function. The management of information systems security is a job without end. Just as the security environment of threats and vulnerabilities changes, so must the safeguards. Ongoing maintenance and configuration of technology components must keep pace with these changes. This management function is the key function of the person charged with the management and protection of information resources.

Figure 10.7 Information Security Life Cycle—Manage

A key aspect of managing the security environment is creating and promoting that environment. Your program will be most successful only when it is most visible. Organizational decision makers must be keenly aware of the value of the information security program and its place in the overall corporate risk management program.

The first step in developing an effective information security program is to adapt an old Zen philosophy to your program. Understand that security is not a destination, but a journey. Applying and managing security controls is an ongoing process that reflects the values of the organization.

If you believe information security is a critical aspect of your information systems and electronic commerce initiatives, you will find yourself and your colleagues actively promoting the confidentiality, integrity, and availability attributes of vital corporate data and technology systems both in operational use and in development.

Security is not simply something you implement and forget; it is a way of doing business. The journey mindset forces you to evaluate the value your organization places in its information and data. It also forces decision makers to consider the privacy and protection of the sensitive information of your company, your customers, and your collaborators.

Security programs are being recognized for their importance. Many large financial institutions and a rapidly growing number of other businesses have appointed a senior executive or corporate officer to specifically oversee the protection of all corporate information. They have realized that an effective information security program needs to be developed, implemented, and managed if they want to retain their competitive advantages in an information-centric marketplace. Either you or someone you appoint must be the focal point for the entire information security program. The program will be their responsibility, and it should form the basis for all or part of the annual performance evaluation. When the issue of information security is raised at a company meeting, everyone should be able to identify the key individual.

The management of information security is not simply an enforcement job. Far too many information security personnel perceive their job as that of an overzealous security guard or night watchman. They feel compelled to demand compliance from employees, look to either capture or chase away intruders, and aggressively enforce rules and regulations. The management of information security is something quite different.

Information security management is the art and science of assessing and implementing safeguards for the appropriate protection of information resources. To perform this difficult function, the information security manager and practitioners have to take on a consultative role that helps people throughout the organization meet their personal responsibilities for ensuring the confidentiality, integrity, and availability of the information that is the lifeblood of business and government.
