Governance and Policy

1
Governance and Policy

• Tim Shimeall
• March 2006

2
Addressing Security as Governance

• Set of beliefs, capabilities, actions
• Security enacted at enterprise level
• Security treated as business requirement
• Security considered during normal planning cycles
• All business unit leaders understand how security
  serves as business enabler
• Security integrated into enterprise functions and
  processes
• All personnel accessing enterprise network
  understand their responsibilities
• Which are most important depends on culture and
  business context

3
Governance

• Setting clear expectations of conduct
• Influencing to achieve expectations
• Decision making
• Assigned decision rights
• Accountability
• Intended to produce behavior/actions
• Ensuring organization does right things and does
  things right

4
Security as Institutional Priority

• Information security is a human enterprise
• lack of security awareness by users cited as
  top obstacle
• overriding impact of human complexities,
  inconsistencies, and peculiarities
• People can become the most effective layer in an
  organization's defense-in-depth strategy
• with proper training, education, motivation
• The first step is making sure they operate in a
  security conscious culture.
• Ernst Young. "Global Information Security
  Survey 2004."
• http//www.ey.com/global/download.nsf/UK/Survey_-_
  Global_Information_Security_04/file/EY_GISS_2020
  04_EYG.pdf

5
Response Time
Human response impossible Automated response
Will need new paradigms Proactive blocking
possible
Human response difficult/impossible Automated
response possible
Human response possible
Contagion Timeframe
6
What Is At Risk?

• Trust
• Reputation image
• Stakeholder value
• Community confidence
• Regulatory compliance fines, jail time
• Customer retention, growth
• Customer and partner identity, privacy
• Ability to offer, fulfill transactions
• Staff, client morale

7
Responsibility to Protect Digital Assets

• In excess of 80 percent of an organizations
  intellectual property is in digital form
• Duty of Care Governance of Digital Security
• Govern institutional operations conduct
• Protect critical assets and processes
• Protect reputation
• Ensure compliance requirements are met
• Jody Westby, PricewaterhouseCoopers,
  Congressional Testimony case law

8
Barriers to Tackling Security

• Abstract, concerned with hypothetical events
• A holistic, enterprise-wide problem not just
  technical
• No widely accepted measures/indicators
• Disaster-preventing rather than payoff-producing
  (like insurance)
• Installing security safeguards can have negative
  aspects

9
Information Survivability (1)

• Focuses on sustaining the mission in the face of
  an ongoing attack requires an enterprise-wide
  perspective
• Depends on the ability of networks and systems to
  provide continuity of essential services, albeit
  degraded, in the presence of attacks, failures,
  or accidents
• Requires that only the critical assets need the
  highest level of protection

10
Information Survivability (2)

• Complements current risk management approaches
  that are part of an organizations business
  practices
• Includes (but is broader than) traditional
  information security
• Business Judgment Rule That which a reasonably
  prudent director of a similar institution would
  have used

11
Shift the Security Perspective
To
From

• Scope Technical
• Ownership IT
• Funding Expense
• Focus Intermittent
• Driver External
• Application Platform/practice
• Goal IT security

• Institutional
• Institutional
• Investment
• Integrated
• Institution
• Process
• Institutional continuity/resilience

12
Technical problem to Institutional problem

• IT owns problem and strategy, performs primary
  activities
• Secure infrastructure secure organization

• Organization owns problem and strategy
• Secure assets and processes secure organization

13
Technical ownership to Institutional ownership

• IT is driver, owner, benefactor
• CSO is a technical advisor

• Organization is driver, owner, benefactor
• CSO is trusted advisor to business

14
Expense to investment

• Security activities viewed as sunk costs,
  expenses
• Naturally avoided by management

• Security as amortizable investment in business
• Security as goodwill on balance sheet raising
  organizational value

15
IA Regulations and Standards

• National legislation (privacy, etc.)
• Insurance industry requirements
• Customer demand
• E-torts and e-pacts

16
Legal Perspective

• Analyze applicable state laws and municipal
  ordinances
• Assess IS vulnerabilities and risks
• Review and update IS policies procedures
• Review policies procedures for sensitive
  information
• Scrutinize relationships with third-party vendors
• Review insurance policies
• Develop a rapid response plan incident response
  team
• Work with associations coalitions to develop
  standards
• IT Security for Higher Education A Legal
  Perspective. Salomon, Kenneth Cassat, Peter
  Thibeau, Briana. Dow, Lohnes Albertson, PLLC.
  EDUCAUSE/Internet2 Computer and Network Security
  Task Force, 2003. http//www.educause.edu/ir/libra
  ry/pdf/csd2746.pdf

17
Practice-driven to process-oriented

• Willingness to accept and implement best
  practices
• Practices as process
• Possibly out of context with organizational
  drivers

• Security is proactive and managed
• Driven by risk management

18
Shifting the security approach
Managed and strategic
Ad-hoc and tactical
to

• systematic
• adaptive
• measured
• adequate

• irregular
• reactive
• immeasurable
• absolute

19
How Are You ManagingInformation Risks?

• Policies, governance
• Critical information assets
• Who to involve
• Management controls
• Sustain survivability

20
Security to Resiliency

• Managing to threat and vulnerability
• No articulation of desired state
• Possible security technology overkill

• Managing to impact and consequence
• Adequate security defined as desired state
• Security in sufficient balance to cost, risk

21
A Resilient Institution Is Able To. . .

• withstand systemic discontinuities and adapt to
  new risk environments
• be sensing, agile, networked, prepared
• dynamically reinvent institutional models and
  strategies as circumstances change
• have the capacity to change before the case for
  change becomes desperately obvious

22
Security Strategy Questions

• What needs to be protected? Why does it need to
  be protected? What happens if it is not
  protected?
• What potential adverse consequences need to be
  prevented? At what cost? How much disruption can
  we stand before we take action?
• How do we effectively manage the residual risk?

23
Defining Adequate Security

• The condition where the protection strategies
• for an organization's critical assets and
  processes
• are commensurate with the organization's risk
  appetite and risk tolerances
• Risk appetite and risk tolerance as defined by
  COSOs Enterprise Risk Management Integrated
  Framework, September, 2004.

24
Determining Adequate Security Depends On . . .

• Organizational factors size, complexity, asset
  criticality, dependence on IT, impact of downtime
• Market factors provider of critical
  infrastructure, openness of network, customer
  privacy, regulatory pressure, public disclosure
• Principle-based decisions Accountability,
  Awareness, Compliance, Effectiveness, Ethics,
  Perspective/Scope, Risk Management, etc.

25
Adequate Security and Operational Risk

• Appropriate security is that which protects the
  organization from undue operational risks in a
  cost-effective manner.
• With the advent of regulatory agencies assessing
  a organizations aggregate operational risk,
  there needs to be a way of looking at the
  organization as a whole rather than its many
  parts.

26
Evolving the Security Approach
Institutional Security Management
Process Maturation
Security Risk Management
Vulnerability Management
Incident Response
27
High Performing Organizations - 1

• Apply resources (time, effort, dollars, capital)
  to accomplish stated objectives, with little to
  no wasted effort
• Regularly implement repeatable, predictable,
  secure, measurable, and measured operational
  processes
• Independently evolved a system of process
  improvement as a natural consequence of their
  business demands

28
High Performing Organizations - 2

• Use defined, verifiable controls to improve
  efficiency and effectiveness
• Preventive, detective and corrective controls in
  place
• Easier to audit
• Detect production variances early
• Lowest cost and least impact to fix problems
• Fix problems in a planned manner
• Devote increasingly more time and resources to
  strategic issues and new opportunities, having
  mastered tactical concerns

29
High Performing Organizations - 3

• Demonstrated ability to get IT operations and
  security organizations working together to
  create
• Higher service levels (availability, high MTBF,
  low MTTR, low MTTD)
• High percentage of planned (vs unplanned) work
• Early integration of security requirements into
  the service delivery life cycle
• The ability to quickly return to a known,
  reliable, trusted operational state
• Unusually efficient cost structures
  (server-to-sysadmin ratios of 1001 or greater)
• Timely identification and resolution of security
  incidents

30
Areas of Pain for High Performing Organizations

• Patch management
• Proliferation of scorecards
• Managing outsourced IT services

31
Areas of Pain Patch Volume

• Low performing Adhoc, chaotic, urgent,
  disruptive increase in unplanned work
• High performing Planned, predictable, just
  another change -gt higher change success rate

32
Areas of Pain Proliferation of Scorecards

• Low Performing Look to external sources,
  authorities adopt scorecard du jour
• High Performing Have defined their own
  performance characteristics can demonstrate
  traceability to other instruments

33
Areas of Pain Outsourced IT Services
Low Performing Transfer risk out of sight then
unable to control
High Performing Manage like any other business
unit or project understand unique challenges
develop more bullet proof service level agreement
34
Common Root Causes

• Absence of explicit articulation of current state
  and desired state
• Thus current state (and companion pain) is
  tolerable doesnt hurt enough yet dont know
  that there is an alternative
• Culturally embedded belief that control is not
  possible
• Abdication of responsibility throw up my
  hands
• Rewards/reinforcement for personal heroics vs.
  repeatable, predictable discipline
• Continued argument that IT ops and security are
  different (than other business investments or
  projects)
• Desire for a technical solution easier to
  justify and implement than people and process
  improvements

35
IT Change Management

• Process for efficient and timely handling of all
  IT changes
• Enterprise capabilities critical to achieving
  effective change management
• Risk Management
• Project Management
• Process Management
• IT Operations
• Security Operations
• Audit
• IIA Global Technology Audit Guide series Change
  and Patch Management Critical for Organizational
  Success

36
Progression of Capability
Organization controls the changes

• Continuously Improving
• lt5 of time spent on unplanned work
• Change success rate very high
• Service levels world class
• IT operating costs under control
• Can scale IT capacity rapidly with marginal
  increases in IT costs
• Change review and learning processes in place
• Able to increase capacity in a cost-effective way

Changes control the organization

• Closed-Loop Process
• 15-35 of time spent on unplanned work
• Some ticketing / workflow system in place
• Changes documented and approved
• Change success rate high
• Service levels good
• Server-to-admin ratio good, but not best-of-breed
• IT costs improving but still too high
• Security incidents down

• Using Honor System
• 35-50 of time spent on unplanned work
• Some technology deployed
• Right vision but no accountability
• Server-to-admin ratio too low
• IT costs too high
• Process subverted by talking to the right people

• Reactive
• Over 50 of time spent on unplanned work
• Chaotic environment lots of fire fighting
• MTTR very long poor service levels
• Can only scale by throwing people at the problem

Effectiveness
Reactive
Using The Honor System
Closed-Loop Change Mgt
ContinuouslyImproving
Based on the IT Process Institutes Visible Ops
Framework
37
Measurement

• Performance measurement of an enterprise's
  security state is conducted with the same rigor
  as other enterprise functions and business units.
  
• Corporate Information Security Working Group
  Report of the Best Practices and Metrics Team,
  December, 2004
• Thirty Information Security Program Elements with
  companion metrics
• Governance (7 elements 12 metrics)
• Management (10 elements 42 metrics)
• Technical (13 elements 45 metrics)

38
Example Measures - Governance

• Oversee Risk Management and Compliance Programs
  Pertaining to Information Security
• Percentage of key information assets for which a
  comprehensive strategy has been implemented to
  mitigate information security risks as necessary
  and to maintain these risks within acceptable
  thresholds
• Percentage of key external requirements for which
  the organization has been deemed by objective
  audit or other means to be in compliance

39
Example Measures - Management

• Establish Information Security Management
  Policies and Controls and Monitor Compliance
• Percentage of staff assigned responsibilities for
  information security policies and controls who
  have acknowledged accountability for their
  responsibilities in connection with those
  policies and controls
• Assess Information Risks, Establish Risk
  Thresholds and Actively Manage Risk Mitigation
• Percentage of critical information assets for
  which some form of risk assessment has been
  performed and documented as required by policy

40
Example Measures - Technical

• Software Change Management, including Patching
• Percentage of systems with the latest approved
  patches installed
• Percentage of software changes that were reviewed
  for security impacts in advance of installation
• Incident and Vulnerability Detection and Response
• Percentage of operational time that critical
  services were unavailable (as seen by users and
  customers) due to security incidents
• Percentage of security incidents that exploited
  existing vulnerabilities with known solutions,
  patches, or workarounds

41
What Does Effective Security Look Like at the
Enterprise Level?

• No longer solely under ITs control
• Achievable, measurable objectives are defined and
  included in strategic and operational plans
• Functions across the organization view security
  as part of their job (e.g., Audit) and are so
  measured
• Adequate and sustained funding is a given
• Senior executives visibly sponsor and measure
  this work against defined performance parameters
• Considered a requirement of being in business

42
Governance and the Case Study

• What regulations must the convention follow?
• Industry
• Financial processing
• SOX
• Venue
• What best practices should the convention follow?