Implementing Information Security: Risks vs. Cost
Gideon T. Rasmussen - CISSP, CISM, CFSO, SCSA

As a security professional who understands how the business world works, I wrote this article to convey the imperative need for security professionals and senior management to see eye-to-eye. Being motivated by business, senior management focuses on productivity and the bottom line. It is sometimes difficult to calculate a return on investment for security, but the damage caused by the absence of efficient controls is far greater than the cost of implementing them.

Over the past few years, there have been several highly publicized security incidents ranging from fraud to terrorism. These events demonstrated the need for disaster recovery plans and checks and balances within accounting systems. Many threats present themselves internally in the form of disgruntled or dishonest employees or as the result of social engineering. Human error and neglect are also examples of internal threats. New threats emerge daily. For more information, refer to the CSI/FBI Computer Crime and Security Survey.

The U.S. is beginning to mandate information security based on the concepts of due diligence and the prudent man principle. The most recent examples are the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with government regulations represents a threat of a sort. Under SOX, senior management is responsible for the accuracy of financial statements. Criminal penalties include fines of $1-5 million and prison terms of 10-20 years. A popular international standard is the Code of Practice for Information Security Management (ISO 17799).

A variety of control frameworks have been developed to meet financial and IT security concerns. Two of the leading standards are the Internal Control - Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and related Technology (CobiT).

IT governance and compliance must be addressed with a formal information security program. Basic elements include security policies, an annual audit and internal controls to mitigate threats and vulnerabilities. Nothing can take the place of an information security audit. It is critical to take a snapshot of each site's security posture and work against the findings.

Senior management should be aware of the state of the information security program. Usually this is facilitated through an annual security audit report and monthly security status reports.

In the absence of current information, it is a good exercise to ask the following questions of information security management:

Are employees required to sign off on the general security policy and specific policies in their functional area as well?
How have applicable security standards been met (e.g. SOX, GLBA and HIPAA)?
Which control frameworks are in use (e.g. COSO, CobiT and/or ISO 17799)?
How are logical and physical perimeters defined? Please provide rationale and diagrams.
Is security built into custom applications from the design phase?
Are all systems routinely patched and hardened?
Are strictly controlled development environments in place (e.g. development, quality & user acceptance)?
What is the maturity level of business continuity and disaster recovery planning?
Are accesses systematically rescinded when an employee leaves or their role changes?
In general, are internal controls layered (i.e. defense-in-depth measures)?
How are the concepts of least privilege and separation of duties addressed?
Is a tactical incident response program in place?
What are the details of the security awareness program?
How recently have each of these topics been addressed? Are they truly maintained?

Establishing a culture of security is critical. Information security managers must be well versed in the breadth of the IT career field and other disciplines as well (e.g. physical security, accounting and human resources management). In addition, a security manager must be a passionate advocate and an effective communicator. Interpersonal skills should include the ability to communicate in non-technical terms.

Many small organizations lack a dedicated information security professional. Operating without one should be avoided. As you can see, an effective security program requires constant care and feeding. A dedicated information security professional will reduce the high cost associated with unmanaged risk.

Consider the impact on an organization if it does not adequately mitigate risks. In the end, how an organization approaches security depends on its appetite for risk. A healthy dose of paranoia is warranted here. After all, the stakes are extremely high.

Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission