As a security professional who understands how the business world works, I wrote this article to convey the imperative need for security professionals and senior management to see eye-to-eye. Being motivated by business, senior management focuses on productivity and the bottom line. It is sometimes difficult to calculate a return on investment for security, but the damage caused by the absence of efficient controls is far greater than the cost of implementing them.
Over the past few years, there have been several highly publicized security incidents ranging from fraud to terrorism. These events demonstrated the need for disaster recovery plans and checks and balances within accounting systems. Many threats present themselves internally in the form of disgruntled or dishonest employees or as the result of social engineering. Human error and neglect are also examples of internal threats. New threats emerge daily. For more information, refer to the CSI/FBI Computer Crime and Security Survey.
The U.S. is beginning to mandate information security based on the concepts of due diligence and the prudent man principle. The most recent examples are the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA). Compliance with government regulations represents a threat of a sort. Under SOX, senior management is responsible for the accuracy of financial statements. Criminal penalties include fines of $1-5 million and prison terms of 10-20 years. A popular international standard is the Code of Practice for Information Security Management (ISO 17799).
A variety of control frameworks have been developed to meet financial and IT security concerns. Two of the leading standards are the Internal Control - Integrated Framework - Committee of Sponsoring Organizations of the Treadway Commission (COSO) and Control Objectives for Information and related Technology (CobiT).
IT governance and compliance must be addressed with a formal information security program. Basic elements include security policies, an annual audit and internal controls to mitigate threats and vulnerabilities. Nothing can take the place of an information security audit. It is critical to take a snapshot of each site's security posture and work against the findings.
Senior management should be aware of the state of the information security program. Usually this is facilitated through an annual security audit report and monthly security status reports.
In the absence of current information, it is a good exercise to ask the following questions of information security management:
• Are
employees required to sign off on the general security policy
and specific policies in their functional area as well?
• How
have applicable security standards been met (e.g. SOX, GLBA
and HIPAA)?
• Which
control frameworks are in use (e.g. COSO, CobiT and/or ISO
17799)?
• How
are logical and physical perimeters defined? Please provide
rationale and diagrams.
• Is
security built into custom applications from the design
phase?
• Are
all systems routinely patched and hardened?
• Are
strictly controlled development environments in place (e.g.
development, quality & user acceptance)?
• What
is the maturity level of business continuity and disaster
recovery planning?
• Are
accesses systematically rescinded when an employee leaves
or their role changes?
• In
general, are internal controls layered (i.e. defense-in-depth
measures)?
• How
are the concepts of least privilege and separation of duties
addressed?
• Is
a tactical incident response program in place?
• What
are the details of the security
awareness program?
• How
recently have each of these topics been addressed? Are they
truly maintained?
Establishing
a culture of security is critical. Information security
managers must be well versed in the breadth of the IT career
field and other disciplines as well (e.g. physical security,
accounting and human resources management). In addition,
a security manager must be a passionate advocate and an
effective communicator. Interpersonal skills should include
the ability to communicate in non-technical terms.
Many small organizations lack a dedicated information security professional. This practice should be avoided. As you can see, an effective security program requires constant care and feeding. A dedicated information security professional will reduce the high cost associated with unmanaged risk.
Consider
the impact on an organization if it does not adequately
mitigate risks. In the end, how an organization approaches
security depends on its appetite for risk. A healthy dose
of paranoia is warranted here. After all, the stakes are
extremely high.
Copyright © 2005 CyberGuard Corporation All Rights Reserved.
Reprinted with Permission