Insider's Perspective gives guest columnists a chance to write about challenges and solutions in their corner of the information technology industry.
This summer, Congress delayed action on the Cybersecurity Act of 2012, which would have given network infrastructure owners clear, nonprescriptive guidance on minimum security standards. Without this guidance, private network managers are left to create their own security standards to meet the requirements of prospects, business partners, and executives. So how can they execute this without fear of a breakdown?
My most relevant experience came during my tenure as a director of security with a well-known holding company in the Middle East, where there are no information technology laws or regulations, except for some of the private banks.
As a holding company for nine different types of businesses, we were far behind the industry in security-essential international standards, and we had to achieve an adequate level of due diligence by international industry standards. I came up with a framework to accomplish a mature security program without a defined standard. In essence, we had to design, develop, and maintain our own cybersecurity standards to minimize the number of cybersecurity attacks.
The First Steps
The first critical aspect of information security is planning. There are three types of plans: strategic, tactical, and operational, which are all related and each of which makes a different contribution to enhancing an organization's overall security.
Our strategic plans were aligned with the group's strategic business and IT goals. These plans have a longer-term duration (i.e., 3-5 years) to guide a long-term view of the security activities within the group. High-level plans, which create a vision for projects to achieve business objectives, provided guidance to ensure that other decisions fit in with executive management's vision of the group.
Here are some examples of the strategic goals:
* Launch an information security policy and procedure project.
* Understand risk and ways to control it.
* Educate users on their security obligations.
Our tactical plans described extensive initiatives to support and achieve the goals specified in the strategic plan. Tactical plans usually take less time, and in our case they required these types of initiatives:
* Implementing change control for the infrastructure
* Implementing a vulnerability management program
* Developing a disaster recovery plan/business continuity plan
The last step is an operational plan. These specific plans have milestones, dates, and accountabilities while providing the communication and direction to ensure that individual projects are being completed.
For example, we developed an information security policy and procedures that included the following:
* Conducting security risk assessment, both technical and procedural
* Developing security policies
* Developing technical infrastructure to deploy and enforce policies and track compliance
* Training end users on policies and monitoring compliance
To build your own cybersecurity standard, you need to protect all business information assets from intentional and unintentional loss, disclosure, alteration, destruction, and unavailability. After some intensive research, we developed basic components for achieving an efficient information security program.
The most important aspect is to have a channel of communication with the top executives. The person in charge of the security program should understand the organization's business objectives to ensure that the risk assessment methodology is properly executed. That methodology should consider the different threats and vulnerabilities affecting the organization, and at the end, it should communicate all of those risks to top management.
The top management team is interested in maintaining the appropriate balance between acceptable risks and making sure that business operations are meeting the mission of the organization. The team won't be concerned with the technical details of security implementation but will focus on the cost/benefit analysis of the solution and the residual risk that will remain after the controls are implemented. Management will, however, be interested in the ROI of implementing your recommendation.
Always remember to include these key points in discussing a security solution:
* Decide what problems you are going to solve.
* Consider risks to the business operation, costs, and residual risk.
* Calculate project duration with milestones.
This is an ongoing process, and the security officers must be part of the management team and in the organization's planning meetings to be effective, including attending C-level meetings, information technology steering committees, and manager and departmental meetings.
Next, make sure there is a proper budget for information security projects and consider how it will be integrated within other budgets. The security leader should work with the development team leader to ensure that security is part of the software development life cycle. The security operation center, policies and procedures, and incident handling must also be funded.
In discussing the budget with top management, you will find that it's impossible to allocate all the funding for your planned projects. So examine current risks and ensure that activities with the largest cost/benefit ratios are implemented first. A complete risk assessment will help identify critical issues and those that can be planned later.
Projects exceeding 12-18 months are usually considered long-term, strategic in nature, and typically require more funding and resources. Other factors that will impact security budgets include the number of staff, level of security protection the organization needs, tasks to be performed, regulatory requirements needed, staff qualification levels, training required, and degree of metrics-tracking.
One of the key success factors is to understand business objectives, visions, and missions. This will help the security director introduce security problems at the correct times during the project's life cycle and can help the organization carry out its business goals. You will also need to understand the competitive pressures facing your organization; its strengths, weaknesses, threats, and opportunities; and the regulatory environment within which the organization operates.
After these steps have been achieved, you are ready for the practical blueprint of the information security program. Here are the seven main issues to consider:
1. Ensure that policies, procedures, baselines, standards, and guidelines have been developed and that they address the organization's information security needs. Network security is not only the responsibility of the security team but also other business units within the organization (i.e., HR, legal, finance). These business units will implement the policies that were written.
2. Because threats and vulnerabilities change constantly, you need to be up-to-date on different threats and revisit and update policies that address these threats if any changes occur. Security directors must know about emerging technologies to ensure that applicable solutions are in place based upon the organization's definition of risk, culture, and available resources. Keep current by attending security industry association meetings, interacting with vendors, subscribing to industry research groups, and reviewing printed material.
3. Depending on your location and type of business, you may want your own computer incident response team (CIRT), those professionals who have the necessary skills to evaluate an incident, including damage control, and who provide the correct response to repair a system and collect evidence for potential prosecution or sanctions. Security incidents need to be investigated and followed up on promptly since this is a key mechanism in ensuring compliance with security policies.
4. Developing a security compliance program is often necessary to ensure that security policies are being followed. Periodic compliance checks, whether through internal or external inspection, make sure that procedures, checklists, and baselines are documented and that they are followed in practice as well as on paper. Compliance is considered to be a good indicator that the users and technical staff are trained and can apply security policies.
5. One of the most critical assets to the success of any project is managing people. You must direct an information security awareness program to deliver actionable guidance in a meaningful way to the intended audience. This program should deliver general awareness of the security issues and what type of reporting actions are expected when the end user observes security violations. With an awareness program, you will know that the organization will practice the policies you created.
6. The security director will need to establish a partnership with internal and external auditors; they provide an essential role in information security by providing an independent view of the design, effectiveness, and implementation of the security controls in place. From any audit report, you will get findings that require corrective action plans to resolve issues and mitigate whatever risks are found. Some audits are performed at a high level without substantive testing, while others are performed to determine if a control was correctly executed. The objective here is to cooperate with auditors to ensure that the controls are adequate and functional.
7. The final step should be finding a way to measure effectiveness. You should design and collect measurements to provide information on long-term trends and day-to-day workloads caused by security requirements and to demonstrate the effects of noncompliance.
And lastly, when designing and collecting metrics, decide who will collect the data, what statistics will be collected and when, and what thresholds determine variations that are out of bounds and should be acted upon.
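The threshold rule in the last two points can be made concrete. The following is an added example, not part of the original column or of any tooling the author describes: each metric record carries who collects it and when, an absolute floor or ceiling where policy sets one, and a baseline band derived from the metric's own history, so that an out-of-bounds variation is flagged for action rather than discovered in a quarterly review. The metric names, owners, thresholds and sample values are constructed for illustration.

```python
"""Security metric thresholding: flag variations that are out of bounds.

Added example (not from the original column). Metric names, owners,
thresholds and historical values below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple


@dataclass
class MetricSpec:
    name: str
    owner: str                      # who collects the data
    cadence: str                    # when it is collected
    floor: Optional[float] = None   # absolute lower bound set by policy, if any
    ceiling: Optional[float] = None # absolute upper bound set by policy, if any
    sigma: float = 2.0              # std devs from the baseline mean that count as "out of bounds"


# Constructed metric definitions: the last value in each series is the current period.
SPECS = [
    MetricSpec("patch_compliance_pct", "infrastructure team", "weekly", floor=95.0),
    MetricSpec("phishing_reports_per_week", "SOC", "weekly"),
    MetricSpec("policy_exceptions_open", "GRC analyst", "monthly", ceiling=10),
]
SAMPLE_SERIES: Dict[str, List[float]] = {
    "patch_compliance_pct": [96.5, 97.1, 96.8, 97.4, 91.2],   # drops below the policy floor
    "phishing_reports_per_week": [14, 12, 15, 13, 41],        # sudden spike vs. baseline
    "policy_exceptions_open": [3, 4, 3, 5, 4],                # within normal variation
}


def baseline_band(history: List[float], sigma: float) -> Optional[Tuple[float, float]]:
    """Return (low, high) = mean +/- sigma * population std dev of the history.

    With fewer than two historical points there is no baseline, so None is
    returned and only the absolute floor/ceiling checks apply. A constant
    history gives a zero-width band, so any change is reported.
    """
    if len(history) < 2:
        return None
    mu = mean(history)
    sd = pstdev(history)
    return (mu - sigma * sd, mu + sigma * sd)


def evaluate_metric(spec: MetricSpec, values: List[float]) -> dict:
    """Compare the current (last) value against policy bounds and the baseline band."""
    *history, current = values
    reasons = []
    if spec.floor is not None and current < spec.floor:
        reasons.append(f"below policy floor {spec.floor}")
    if spec.ceiling is not None and current > spec.ceiling:
        reasons.append(f"above policy ceiling {spec.ceiling}")
    band = baseline_band(history, spec.sigma)
    if band is not None:
        low, high = band
        if current < low:
            reasons.append(f"below baseline band {low:.2f}..{high:.2f}")
        elif current > high:
            reasons.append(f"above baseline band {low:.2f}..{high:.2f}")
    return {
        "metric": spec.name,
        "owner": spec.owner,
        "cadence": spec.cadence,
        "current": current,
        "action_required": bool(reasons),
        "reasons": reasons,
    }


def evaluate_all(specs: List[MetricSpec], series: Dict[str, List[float]]) -> Dict[str, dict]:
    """Evaluate every defined metric; the result is the action list for the review meeting."""
    return {spec.name: evaluate_metric(spec, series[spec.name]) for spec in specs}


if __name__ == "__main__":
    for result in evaluate_all(SPECS, SAMPLE_SERIES).values():
        flag = "ACT" if result["action_required"] else "ok "
        print(f"{flag} {result['metric']:<28} {result['current']:>6} "
              f"({result['owner']}, {result['cadence']}) {'; '.join(result['reasons'])}")
```

The two checks answer different questions: the policy floor or ceiling is the bound management agreed to, while the baseline band catches a sharp change even where no absolute limit was ever set (a spike in phishing reports, for instance, is worth a look whether it reflects a campaign or a newly effective awareness program). Keeping the owner and cadence in the record answers the "who collects it and when" part of the same point.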
BY GEORGE LEWIS | BEAR DATA SOLUTIONS
George Lewis, the director of security consulting at BEAR Data Solutions, has more than 11 years of consulting experience and has been working in enterprise risk assessment for the past 7 years; he is also a Certified Information System Security Professional (CISSP) and a Certified Information Security Manager (CISM). Send your comments about this article to firstname.lastname@example.org.…