"QUIS CUSTODIET IPSOS CUSTODES?"
"WHO WILL WATCH THE WATCHERS?"
--Juvenal, Roman poet and satirist
Browse any major newspaper, industry journal or security blog today, and it is evident that the number of significant data breaches--from credit card information to health records--is rapidly increasing. Organizations must improve their information assurance capabilities, but the gap between recognizing the problem and developing a solution to address it can be daunting.
Many organizations respond by throwing more technology and personnel at the problem. While this can help, the true answer lies in ensuring that the three core IT teams responsible for information assurance--network operations, security and risk operations and audit/compliance--have the necessary independence to identify, evaluate and implement the right solutions to reduce risk to the organization.
In the most traditional model of information assurance, which is implemented in many organizations today, network and security operations are tethered together. Similarly, audit (which frequently includes compliance management) is often placed within the IT governance model and nominally treated as an independent entity, despite still being under the same reporting umbrella as the organization it is supposed to audit. Unfortunately, in today's IT environment, an estimated 70% of all security breaches resulting in over $100K in losses come from inside the organization. These challenges prevent each IT team from performing its job independently, effectively and efficiently.
Independence: The Business Case
As Juvenal's famous quote indicates, the concern over too much concentrated control (in his case, by the Roman government) left the distinct impression on the populace that they needed assurances to keep those with power in check. In today's world of technology, the problem remains essentially the same: who will watch over IT teams to ensure that they make the right decisions? The answer, too, is similar: they must watch themselves.
In technology, as in politics, the concept of separation of duty is used to enforce independence across different groups that support the same business goal while providing a valuable system of checks and balances to ensure that each group operates with some degree of peer oversight. In the case of IT, the network, security and audit teams are most effective when controls are established to ensure that each group functions independently, yet still works collaboratively to support the business.
The idea of keeping IT network, security and audit groups independent from each other is not a new concept; in the past decade, a range of federal regulations, best practices and IT security management frameworks (including Sarbanes-Oxley, NIST 800-53, ISO 17799/27002 and COBIT, among others) have been established that either explicitly state or imply the need to keep certain technology-related groups separate to reduce the likelihood of conflicts of interest, inappropriate collusion and even fraud.
Often, this separation is automated at a granular level within IT systems. Role-based access controls, for example, are commonly used to distinguish which persons have access to different parts of critical systems, such as enterprise resource planning or customer relationship management. Operationally, however, separation of duty also makes sense within IT governance, as a means of ensuring real independence among the groups responsible for information assurance--for example, separating development and production environments for software developers and database administrators.
In the realm of information assurance, a similar compartmentalization of roles leads to more independent and effective technology governance. The benefits of this independence are significant: each group has the authority to review and comment on the efforts of the other two, ensuring that planning efforts are reviewed with a critical eye. …