Educause Security Discussion mailing list archives

Implementing Information Security: Risks vs. Cost


From: "Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA" <lists () INFOSTRUCT NET>
Date: Thu, 29 Jul 2004 18:28:46 -0400

http://www.cyberguard.com/news_room/news_newsletter_040628security.cfm

Implementing Information Security: Risks vs. Cost
Gideon T. Rasmussen - CISSP, CISM, CFSO, SCSA

As a security professional who understands how the business world works,
I wrote this article to convey the imperative need for security
professionals and senior management to see eye-to-eye. Being motivated
by business, senior management focuses on productivity and the bottom
line. It is sometimes difficult to calculate a return on investment for
security, but the damage caused by the absence of efficient controls is
far greater than the cost of implementing them.

Over the past few years, there have been several highly publicized
security incidents ranging from fraud to terrorism. These events
demonstrated the need for disaster recovery plans and checks and
balances within accounting systems. Many threats present themselves
internally in the form of disgruntled or dishonest employees or as the
result of social engineering. Human error and neglect are also examples
of internal threats. New threats emerge daily. For more information,
refer to the CSI/FBI Computer Crime and Security Survey
(http://www.gocsi.com/forms/fbi/pdf.jhtml).

The U.S. is beginning to mandate information security based on the
concepts of due diligence and the prudent man principle. The most recent
examples are the Sarbanes-Oxley Act (SOX), the Gramm-Leach-Bliley Act
(GLBA) and the Health Insurance Portability and Accountability Act
(HIPAA). Compliance with government regulations represents a threat of a
sort. Under SOX, senior management is responsible for the accuracy of
financial statements. Criminal penalties include fines of $1-5 million
and prison terms of 10-20 years. A popular international standard is the
Code of Practice for Information Security Management (ISO 17799).

A variety of control frameworks have been developed to meet financial
and IT security concerns. Two of the leading standards are the Internal
Control – Integrated Framework from the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) and Control Objectives
for Information and related Technology (CobiT).

IT governance and compliance must be addressed with a formal information
security program. Basic elements include security policies, an annual
audit and internal controls to mitigate threats and vulnerabilities.
Nothing can take the place of an information security audit
(http://www.sans.org/score/ISO_17799checklist.php). It is critical to
take a snapshot of each site’s security posture and work against the
findings.

Senior management should be aware of the state of the information
security program. Usually this is facilitated through an annual security
audit report and monthly security status reports.

In the absence of current information, it is a good exercise to ask the
following questions of information security management:

* Are employees required to sign off on the general security policy as
well as on the specific policies of their functional area?

* How have applicable security standards been met (e.g. SOX, GLBA and
HIPAA)?

* Which control frameworks are in use (e.g. COSO, CobiT and/or ISO 17799)?

* How are logical and physical perimeters defined? Please provide
rationale and diagrams.

* Is security built into custom applications from the design phase?

* Are all systems routinely patched and hardened?

* Are strictly controlled development environments in place (e.g.
development, quality & user acceptance)?

* What is the maturity level of business continuity and disaster
recovery planning?

* Are accesses systematically rescinded when an employee leaves or their
role changes?

* In general, are internal controls layered (i.e. defense-in-depth
measures)?

* How are the concepts of least privilege and separation of duties
addressed?

* Is a tactical incident response program in place?

* What are the details of the security awareness program
(http://www.cyberguard.com/news_room/news_newsletter_030926threatwithin.cfm)?

* How recently have each of these topics been addressed? Are they truly
maintained?

Establishing a culture of security is critical. Information security
managers must be well versed in the breadth of the IT career field and
other disciplines as well (e.g. physical security, accounting and human
resources management). In addition, a security manager must be a
passionate advocate and an effective communicator. Interpersonal skills
should include the ability to communicate in non-technical terms.

Many small organizations lack a dedicated information security
professional. This practice should be avoided. As you can see, an
effective security program requires constant care and feeding. A
dedicated information security professional will reduce the high cost
associated with unmanaged risk.

Consider the impact on an organization if it does not adequately
mitigate risks. In the end, how an organization approaches security
depends on its appetite for risk. A healthy dose of paranoia is
warranted here. After all, the stakes are extremely high.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.