Felix Mohan, CEO - SecureSynergy
Today, bounded environments ensconced within clearly demarcated perimeters are giving way to a milieu where gateways are obsolete. In this environment, the distinction between insiders and outsiders is blurred, and organisations neither have central administrative control over their information systems nor do they have access to a global view of the events occurring within them. In such an environment, it is almost impossible to thwart cyber attacks. Traditional models of information security fail to deal with the security problems associated with open-ended environments.
Saturday, August 4, 2007
Information Security in Unbounded Environments
Security Models
SecurityScape, www.securesynergy.com
A security model is a mathematical, or logical, expression of a set of security policies. It is a diagrammatic, schematic, or tabular construct of the rules derived from security policies that deals with security levels (of information, of people, and of processes), and the interplay between the various types of security levels. The interplay takes place in accordance with well defined rules, which determine whether information should be allowed to flow, or be restricted, whenever a person or a process tries to access the information.
Defining Information Threats
Felix Mohan, CEO - SecureSynergy
Enterprise Information Infrastructures have become critical 'centres of gravity'. A collapse of the information infrastructure can lead to collapse of the enterprise. This makes them attractive targets for potential adversaries.
Active attacks include attempts to:
Typical countermeasures include:
In close-in attacks an unauthorized individual gains close physical proximity to networks, systems, or facilities for the purpose of modifying, gathering, or denying access to, information. Gaining such proximity is accomplished through surreptitious entry, open access, or both. Close-in attacks include modification of data, information gathering, system tampering, and physical destruction of the local system.
Information Security: A New Approach
SecurityScape, www.securesynergy.com
Information Technology is pervasive: it moves your business and, very often, aspects of your personal life; it facilitates transactions, creates a responsive organisation, enables customer and partner interactions, and creates competitive advantage for the corporation. As fundamental as IT is to business, information security is equally critical to the survivability of businesses in today's digital economy.
Manage your Information Security
Felix Mohan, CEO - SecureSynergy
A comprehensive information security strategy provides the vision to deliver a secure information environment. It enables organisations to integrate information security with business strategy and planning, and defines the framework through which organisational information risks can be securely managed.
Measuring the Effectiveness of Security Using ISO 27001
Siemens Insight Consulting
Whilst the intentions and objectives behind ISO/IEC 27001:2005 (ISO 27001) aren't dramatically different to those in BS 7799-2:2002, one of the changes with the biggest potential impact on organisations is the requirement to measure the effectiveness of selected controls, or groups of controls, within the new standard (for more details see ISO 27001 Clause 4.2.2 d).
This new requirement not only demands that businesses specify how these measurements are to be used to assess 'control' effectiveness (there are now 133 controls in the new standard), but also how to measure the selected controls' effectiveness. In addition, the new standard requires that these measurements are comparable and reproducible, i.e. they can be repeated time and time again and compared on a year-by-year basis to gain a better understanding of trends.
So why do organisations need to measure security effectiveness in the first place? Well, it would be easy to say we're secure, but how can you demonstrate that an organisation's security controls are working effectively, and, equally importantly, how can you demonstrate:
• Ongoing improvement?
• That your organisation has met legal, regulatory, standards and contractual requirements such as Sarbanes-Oxley (SOX), Basel II and the Payment Card Industry Data Security Standard (PCI DSS)?
• That any future expenditure is based on sound and reasoned security solutions (software, hardware, training, etc.) that are appropriate and effective within your organisation?
• That your organisation is compliant with ISO 27001 (and with other management systems such as ISO 9001, the Information Technology Infrastructure Library (ITIL), COSO, CoBIT and ISO 20000)?
• Where implemented controls are not effective in meeting their primary objective, to reduce risk?
• Assurance to auditors, senior management and stakeholders that risk-justified implemented controls are working effectively (i.e. they have invested their money wisely for a good return on investment, ROI)?
You could be forgiven for thinking this should be a reasonably straightforward task. After all, most IT departments throughout the world have been working within some kind of measurement infrastructure (e.g. sometimes measured within contractual Key Performance Indicators (KPIs), Service Level Agreements (SLAs) and Operational Level Agreements (OLAs)) since the mid-1990s and should, by rights, be used to considering how to measure their IT effectiveness (most IT departments I've known usually have very stringent methods for providing value for money). The challenge is that the whole area of what constitutes good and effective security, and how to implement it, is subjective and therefore difficult to quantify, let alone support with statistics. In fact, within most organisations there is often plenty of evidence that good security practices and controls are in place, especially in those organisations that have already implemented management frameworks such as CoBIT, ITIL or COSO.
So what are the benefits of measuring your organisation's security effectiveness?
• Provides tangible evidence of cost reduction, through better risk management and reduction of the impact caused by exploitation of threats
• Provides better cost/benefit analysis and therefore helps support ROI decisions going forward
• Eases the process of monitoring the effectiveness of the ISMS (e.g. it is less labour intensive if tools are used, and it provides a means of self-checking)
• Using proactive tools to measure can prevent problems arising at a later date (e.g. network bottlenecks, disk clutter, development of poor human practices)
• Reduction of incidents and better understanding of root causes
• Motivates staff when senior management set targets
• Tangible evidence to auditors and assurance to senior management that you are in control, i.e. Corporate Information Assurance (Corporate Governance) and a top-down approach to Information Assurance.
Whatever the organisational drivers for measuring the effectiveness of security, it should no longer be just about identifying the controls to be implemented (based on the risk assessment), but also about how each control will be measured against its original objective (to reduce the chances of the risk being exposed). After all, if you can't measure it, how do you know it's working effectively?
Before deciding which controls should be measured for their effectiveness, your organisation should first ensure that the following activities are undertaken:
• Confirm the relevance of selected controls through risk assessment (a mandatory requirement for both ISO 27001 compliance and certification projects)
• Define objectives, ensuring they map back to the business objectives
• Use existing indicators wherever possible, e.g. in ITIL terms, KPIs
• A KPI helps a business define and measure progress towards a particular goal
• KPIs are quantifiable measurements of the improvement in performing an activity that is critical to the success of the business
• Within the Information Security Management System (ISMS) audit framework, identify controls which can be continuously monitored using a chosen technique
• Establish a baseline (e.g. security awareness training delivered to x people in y timeframe) against which all future measurements can be contrasted and compared
• Provide periodic reports to the appropriate management forum / ISMS owners (illustrate with graphs: pictures paint a thousand words)
• Identify review input: agreed recommendations, corrective actions, etc.
• Implement improvements in line with any existing management systems, e.g. ISO 9001, 14000, 27001, 20000, 18000
• Establish / agree a new baseline, review the output, and apply the PDCA approach (i.e. Plan - Do - Check - Act).
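The baseline-and-compare cycle above, worked through for one of the technical controls listed later in the paper (patch management), as an added example that is not from the Siemens paper: the patch records, the quarterly periods, the 14-day target and the metric definition are all constructed assumptions, chosen so that the figure is fixed in its numerator, denominator and window and is therefore comparable and reproducible from one period to the next.

```python
"""Reproducible effectiveness metric for the 'Patch Management' technical control.
Added example, not from the Siemens paper; the records, periods, 14-day target
and metric definition are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

TARGET_DAYS = 14  # assumed target: critical patch applied within 14 days


@dataclass(frozen=True)
class PatchRecord:
    host: str
    released: date           # vendor release date of the critical patch
    applied: Optional[date]  # None means still unpatched at period end
    period: str              # reporting period the record belongs to


def effectiveness(records: List[PatchRecord], period: str) -> float:
    """Percent of critical patches applied within TARGET_DAYS in one period.
    Numerator, denominator and window are fixed, so the same records always
    give the same figure and periods can be compared year on year."""
    in_period = [r for r in records if r.period == period]
    if not in_period:
        raise ValueError(f"no measurements recorded for {period}")
    on_time = sum(1 for r in in_period if r.applied is not None
                  and (r.applied - r.released).days <= TARGET_DAYS)
    return round(100.0 * on_time / len(in_period), 1)


def review(records: List[PatchRecord], baseline: str,
           periods: List[str]) -> Dict[str, Tuple[float, str]]:
    """PDCA 'Check' step: rate each later period against the baseline figure."""
    base = effectiveness(records, baseline)
    result = {}
    for p in periods:
        m = effectiveness(records, p)
        result[p] = (m, "improved" if m > base else
                        "regressed" if m < base else "unchanged")
    return result


# Constructed sample data: one baseline quarter and two later quarters.
SAMPLE = [
    PatchRecord("srv01", date(2007, 1, 1), date(2007, 1, 10), "2007-Q1"),  # 9 days
    PatchRecord("srv02", date(2007, 1, 1), date(2007, 1, 20), "2007-Q1"),  # 19 days
    PatchRecord("srv03", date(2007, 2, 1), None, "2007-Q1"),               # unpatched
    PatchRecord("srv04", date(2007, 2, 1), date(2007, 2, 12), "2007-Q1"),  # 11 days
    PatchRecord("srv01", date(2007, 4, 2), date(2007, 4, 9), "2007-Q2"),   # 7 days
    PatchRecord("srv02", date(2007, 4, 2), date(2007, 4, 16), "2007-Q2"),  # 14 days
    PatchRecord("srv03", date(2007, 5, 1), date(2007, 5, 20), "2007-Q2"),  # 19 days
    PatchRecord("srv04", date(2007, 5, 1), date(2007, 5, 8), "2007-Q2"),   # 7 days
    PatchRecord("srv05", date(2007, 5, 1), date(2007, 5, 15), "2007-Q2"),  # 14 days
    PatchRecord("srv01", date(2007, 7, 2), date(2007, 7, 30), "2007-Q3"),  # 28 days
    PatchRecord("srv02", date(2007, 7, 2), None, "2007-Q3"),               # unpatched
    PatchRecord("srv03", date(2007, 7, 2), date(2007, 7, 10), "2007-Q3"),  # 8 days
    PatchRecord("srv04", date(2007, 8, 1), date(2007, 8, 20), "2007-Q3"),  # 19 days
]

if __name__ == "__main__":
    for p, (m, s) in review(SAMPLE, "2007-Q1", ["2007-Q2", "2007-Q3"]).items():
        print(f"{p}: {m}% on time, {s} against baseline")
```

The third quarter regresses below the baseline, which is exactly the case the paper says should trigger a new baseline and another turn of the PDCA cycle.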
Hopefully, each business may have its own measurements already in place (e.g. SLAs, OLAs, KPIs). The challenge is to set a 'measurement' which is realistic based on a previously known figure, and to ensure the future figure is measurable and reproducible.
Senior management, and possibly auditors, are more likely to want to see the big picture; therefore, consider monitoring the effectiveness of a group of controls, e.g. Section 13 of ISO 27001 (Security Incident Management) plus others. Try to encourage senior managers to buy into realistic 'first-time' goals, such as measuring how well you coped with the latest security incident, in what time frame you held the lessons-learnt meeting, and at what point the improvements to the existing system became operational.
When selecting controls to be measured for their effectiveness, it is worth bearing in mind that you could group them into four categories:
1. Management Controls
Security Policy, IT Policies, Security Procedures, Business Continuity Plans, Security Improvement Plans, Business Objectives, Management Reviews.
2. Business Processes
Risk Assessment & Risk Treatment Management Process, Human Resource Process, SOA Selection Process, Media Handling Process.
3. Operational Controls
Operational Procedures, Change Control, Problem Management, Capacity Management, Release Management, Back-up, Secure Disposal, Equipment Off-Site.
4. Technical Controls
Patch Management, Anti-Virus Controls, IDS, Firewall, Content Filtering.
In a changing environment, new baselines will need to be set each time a major change or incident occurs within the ISMS, so this is just the beginning. Try to establish regular review cycles of your security effectiveness measurements and consider how these might improve, and how your organisation can become more effective in the management of its incidents.
that security and risk management is a black art and that it is un-measurable. In fact, we should start to see tangible benefits from measuring and improving our ISMSs and Security Management solutions globally. For more information, the new ISO 27004 will soon be published, which will help those organisations who are unclear about this; the new standard should help any organisation get a grip on measuring the effectiveness of security.
Author's biography
Steve Wright is the Senior Consultant providing professional advice in relation to Information Security / Technology / Management to meet BS 7799, ISO 27001, ITIL, ISO 20000, PAS 56, PAS 99, PCI DSS and ISO 13335, and works within legal and regulatory frameworks such as Basel II, SOX and Combined Code requirements. In addition, he is accustomed to implementing risk best practices such as Enterprise Risk Management frameworks and conducting risk assessments using tools such as CRAMM.
Steve is currently project managing many implementations of ISO 27001 ISMS systems, both virtually and physically, from initiation through to final delivery, to meet the certification requirements of ISO 27001, ISO 9001 and ISO 20000 in the financial, private and public service sectors, three of which have recently achieved certification to ISO/IEC 27001:2005 in late 2006 alone.
Steve heads up the Security Management service line within Siemens Insight Consulting, managing a team of six highly qualified and experienced consultants.
Insight Consulting is the specialist Security, Compliance, Continuity and Identity Management unit of Siemens Enterprise Communications Limited and offers a complete, end-to-end portfolio encompassing:
• Security
• Compliance
• Continuity
• Identity Management
• Managed Services
• Training
Siemens Insight Consulting subscribes to the CESG Listed Advisor Scheme (CLAS) and CHECK services. We're also certified against ISO 27001 and are a preferred supplier of services to the UK Government and an accredited Catalist supplier.
If you'd like to find out more about how we can help you manage risk in your organisation, visit our web site at www.siemens.co.uk/insight
Siemens Insight Consulting
Tel: +44 (0)1932 241000
Fax: +44 (0)1932 236868
www.siemens.co.uk/insight
Policy Monitor and its relationship with ISO 27001:2005
So how can Policy Monitor help an organisation demonstrate best practice and compliance with ISO 27001:2005?
Back to basics
Information security (InfoSec) covers a far more complex and broad area than just IT. InfoSec interweaves in and out of an entire business function and its supporting processes. It spans and affects every part of the organisation (and its trusted partners) and business. It can change the way an entire department is operated, whilst providing assurance to stakeholders and shareholders that appropriate controls are in place, or being managed. It can also provide the necessary risk management controls mandated under legislation and regulatory requirements.
Whatever your business or contractual requirements to demonstrate and manage InfoSec are, an organisation needs to think about how it can manage and disseminate relevant InfoSec policies (e.g. IT User Acceptance, HR Vetting, Building Access, IT & Network Access, Mobile Devices Usage) to all its employees. This may sound straightforward, but ensuring these policies have the correct version, are assigned to relevant owners for regular updates (following the latest vulnerability alert, a significant change or an updated risk review), and making sure the 'end users' have read and understood them, can be a real headache for any organisation (depending upon its size and geographical layout).
Policy Monitor has been designed and developed with this requirement in mind. In addition, Policy Monitor also fulfils the best practice requirements of ISO 27001.
What is Best Practice - ISO 27001?
ISO 27001:2005 was established by the International Organisation for Standardization (ISO). It is based on, and replaces, the internationally recognised British Standard BS 7799. ISO 27001 has been aligned with other international standards, including the OECD guidelines for implementing information security and the Code of Practice standard, ISO 17799.
ISO 27001 defines the requirements for an Information Security Management System (ISMS). The standard is designed to ensure the selection of adequate and proportionate security controls such as a security policy and its supporting IT policies and procedures. This helps to protect organisations' information assets and provides confidence to interested parties including an organisation's customers and third parties.
The standard adopts a process approach for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an organisation's ISMS. ISO 27001 is by no means an IT-only standard; information is an organisational asset. The standard has no technology requirements, although there are IT-related controls as the majority of information is held on IT systems.
ISO 27001 is the only internationally accepted auditable standard for information security management.
The standard goes further to re-emphasise the importance of having a security policy endorsed by the highest level of authority within an organisation. This way, employees can recognise the importance of security to that organisation and ensure they comply with best practice. ISO 27001 requires that "an information security policy document should be approved by management, and published and communicated to all employees and relevant external parties."
Clause 4.2.2 (e) requires any organisation wishing to be compliant (or certified) with ISO 27001 to implement training and awareness programmes. Clause 5.2.2 requires that the organisation is responsible for ensuring all personnel who are assigned responsibilities defined in the Information Security Management System (ISMS) are aware of their responsibilities and have access to appropriate policies at all times.
In addition to this, ISO 27001 describes the context of risk and how risk, policies and corporate standards can work together (within the framework of an Information Security Management System, ISMS / ISO 27001) through a systematic and layered approach to InfoSec Management.
Control reference Appendix 8.2.2 goes even further. It requires any organisation claiming to be compliant with ISO 27001 to ensure "All employees of the organisation and, where relevant, contractors and third party users shall receive appropriate awareness training and regular updates in organisational policies and procedures, as relevant for their job function." This effectively means that an organisation is responsible not only for ensuring that all its staff and contractors have appropriate access to the security policy, but also for demonstrating that the relevant people have read and understood it.
Well, it all originates from one very simple principle: good and effective policy and content management. Without knowing what and where your policies are, how current they are, how they are accessed and by whom, the organisation increases the risk of employees not adhering to policies within the organisation. Nobody can be expected to adhere to security policy rules, nor be disciplined for breaching them, unless the organisation can categorically prove the end user was aware of the security policy requirements.
This presents most organisations with a similar dilemma: how to ensure the relevant information is disseminated appropriately and that evidence can be provided should the need arise (e.g. civil or criminal prosecution). Policy Monitor has the answer: it uses an Integrated Content Management System to allow author and approver control (a requirement of ISO 27001, see Clauses 4.3.2 & 4.3.3, Control of documents and records, and a requirement of a Quality Management System, ISO 9001), policy version control, and monitoring of employee usage and acceptance.
With the focus being placed on perimeter security, firewalls, intrusion prevention software and ID card access, it becomes easy to forget the simple rule that you are only as good as the people you employ. Making sure they are equipped with the knowledge and tools to ensure the correct policy is applied should be an organisation's first and last line of defence.
So, whatever your drivers are for ensuring security policies are disseminated, adhered to, or communicated effectively, complementary use of Policy Monitor will help your organisation with all kinds of invaluable and available information about security.
I hope this paper will help you when considering Siemens Insight Consulting as your partner in helping you or your organisation become fluent in the world of InfoSec.