Management Update: Information Security Risk Best Practices

Transcription

1 IGG R. Witty Article 2 July 2003 Management Update: Information Security Risk Best Practices The growing focus on managing information security risk is challenging most enterprises to determine who should manage it, what should be managed, where it should reside within the enterprise, and how much should be spent on securing enterprise assets. Gartner presents information security risk best practices. The growing focus on managing information security risk is challenging most enterprises to figure out who should manage it, what should be managed, where it should reside within the enterprise, and how much should be spent on securing enterprise assets. Gartner presents information security risk best practices. Information Security Risk Management Cornerstones Enterprises must determine how their security controls and architecture align with relevant regulations, business risk and security requirements from partners or customers. However, most regulations do not offer detailed guidance on what security controls are necessary, but they do require best practices and also require partners or providers to have appropriate security practices. Clauses are typically too vague to be adequate. Key Issue: What are the best practices of a successful information security program? To be effective, five cornerstones are needed for any information security risk management program: The information security organization The IT asset risk inventory Information security policies, including those based on a common policy structure such as ISO The information security architecture A business continuity program Note: ISO is a comprehensive set of guidelines offering a code of practice for security management. The objectives of ISO are to provide a basis for organizational security Gartner Entire contents 2003 Gartner, Inc. All rights reserved. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

2 standards and to enable the establishment of mutual trust among networked sites. Many information security service providers offer services associated with ISO As many of five cornerstone components as possible should be implemented to make the most effective use of limited funding in the information security and business continuity area. Information Security Certifications Certifications for information security professionals can be divided into three categories (see Figure 1): Figure 1 Information Security Certifications Vendor-Independent CESG CLAS (U.K.) CompTIA Security+ ISC2 CISSP, SSCP ISACA CISA, CISM SANS GIAC Security University TruSecure TICSA Vendor-Specific Checkpoint Novell Cisco Systems RSA Security IBM Tivoli Symantec Why It s Worth It: CISSP Compensation Benefit No.1inROI 7.9-to-1 8.6% salary increase $83,000 average salary Source: Gartner and Certification Magazine (December 2002) Related Knowledge Assoc. of Certified Fraud Examiners ASIS International High Tech Crime Network CESG CISA CISM CISSP CLAS CompTIA GIAC ICSA ISACA ISC2 ROI SANS SSCP TICSA Communications-Electronics Security Group Certified Information Systems Auditor Certified Information Systems Manager Certified Information System Security Professional CESG Listed Adviser Scheme Computing Technology Industry Association Global Information Assurance Certification International Computer Security Association Information Systems Audit and Control Association International Information Systems Security Certifications Consortium return on investment SysAdmin, Audit, Networking, Security Systems Security Certified Practitioner TruSecure ICSA Certified Security Associate Vendor-independent: Certifications provided by industry associations (except for TruSecure, which is a private concern), the certification is recognized as an industrywide level of achievement Vendor-specific: The certification is specific to the vendor s product(s) and demonstrates a level of mastery for implementation purposes Related knowledge: The certification is for a body of knowledge that is related to information security such as fraud, computer crime and physical security The two most frequent certifications in the industry are CISSP from ISC2, and GIAC from The SANS Institute. Note: CISSP is Certified Information Systems Security Professional; ISC2 is the International Information Systems Security Certifications Consortium; GIAC is Global Information Assurance Certification; SANS is SysAdmin, Audit, Networking, Security. CISSP certification is geared to the person who manages the information security function, or who consults in the market. CISSP is the leading certification in the industry.

3 GIAC certification is geared to the information security specialist who needs a technical level of expertise for analysis, implementation and operational purposes. The Information Systems Audit and Control Association has recently started its Certified Information Security Manager (CISM) certification. The grandfather clause means that many CISSPs will also be CISMs. Gartner conducted a survey of information security professionals that compared CISSP and CISM. Respondents were asked questions such as: Do you have your CISSP? When did you pass the CISSP exam? What percentage of your IT security staff has CISSP certification? Is a CISSP a requirement for employment? Do you have another information security certification? Following are some of the more significant survey results: 50 percent of respondents have the CISSP 0 percent of respondent organizations require CISSP 25 percent of respondent organizations provide extra compensation for CISSP 100 percent of CISSPs maintain their certification 90 percent of respondents would consider another certification Creating an Effective Security Awareness Program Imperative: A set of information security policies is the key cornerstone of an effective IT risk management program. The information security policies are the basis for all other components of this program, and without them, the enterprise risks its financial viability. An effective set of information security policies is the basis of risk assessments each enterprise should conduct. Policies must be communicated to all users of enterprise IT assets so that they understand their responsibility to protect the enterprise against information security breaches that is, they are as accountable for enterprise protection as the chief information security officer. Users must be trained in the following areas (see Figure 2): Figure 2 Security Awareness Program: Teach Your Employees Well

4 Corporate Policies Security Issues Employee Role Report/ Respond The Law Personal Safety Pertinence What to Do Would the employee recognize a policy breach? Goal: Methodology: Would they choose to report it? Influence User Behavior New Employee Orientation Information Security Exam Branding/Logo Communications Newsletter, Video Employee Termination Would they know how to report it? Tools: g NetIQ g Easyi g PwC g Blue292 g RedSiren Source: Gartner Corporate policies: They must understand policies to both limit their personal violations and allow them to recognize when others violate policies. Security issues: What is a virus? Employees need training on a variety of security issues, from physical access, to information misuse, to safety. Ongoing training should include new security issues as they arise and signs of an impending incident before it causes damage. Impact on the enterprise or employee: People tend to pay less attention to issues that don t directly affect them. Awareness and proactive actions are likely if employees understand the negative consequences on the enterprise and themselves. How to report and respond: Obviously not everyone must be trained to put out a fire, but they must know how to hit the fire alarm, call 911 and safely evacuate the building. Measuring Information Security Expenditure Effectiveness Strategic Planning Assumption: By 2005, 20 percent of the Global 2000 will have effectiveness assessment systems in place that will monitor the information security health of business transactions in real time (0.7 probability). Many enterprises struggle with how much to spend on controls to mitigate the risk of an information security threat being exploited and how effective those controls are. Many are turning to metrics to help them evaluate the effectiveness of their information security program. Gartner describes a variety of metrics, categorized using the information security total cost of ownership chart of accounts, that enterprises can implement to help them in this effort: What data should be collected in support of each metric? How often is the data collected?

5 How often is the data reported, and how is it reported (for example, beeper notification or report)? To whom is the metric reported? What actions are taken and decisions are made based on the metric? One can turn to numerous places for the raw data, including: System and application logs Help desk software Internal and external audits Internal risk assessments/compliance reviews Security system/management reports Action Item: Establish critical effectiveness metrics for each information security policy. Ensure audit logs are in place for all mission-critical applications and systems. Begin moving toward a centralized reporting facility for such log entries. Information Security Metrics, Scorecards and Dashboards Metrics, scorecards and dashboards are becoming a popular approach for informing all levels of management of the overall status of the information security program. The technical and operational groups as well as the strategic, planning, and management groups should have such dashboards to manage their own view of the information security risk management program (see Figure 3). Figure 3 Information Security Risk Management Program: Use Scorecards and Dashboards Assessment Category Rating Low Medium High Organization R P Roles/Responsibilities PR Awareness Training T R P Security Administration T R P Intrusion Detection T R P Source: Gartner P = People; R = Process; T = Tools Multiple technical dashboards might be used for specific activities. The technical dashboards will feed into a strategic and management dashboard that measures the effectiveness of the information security risk management program and is used for security breach investigation purposes.

6 The use of a traffic light report, which documents the status of each metric, is a good visual tool. The categories to be tracked must be based on the enterprise s information security policies. The rating for each category must assess the business unit s compliance level against people, processes and tools. Metrics, scorecards and dashboards are a multiyear effort. The first year (or first six months) establishes a baseline for each business unit s level of compliance with the information security risk management program. Subsequent releases enable an enterprise to track improvements and setbacks. That enables senior management to focus on risk hot spots. Action Item: Report semiannually to senior management on the information security risk management program. Recommendations Establish a risk management committee with purview over all risk issues in the enterprise. Assign ownership for the information security risk management function. Establish information security policies, architecture and IT asset risk inventory. Ensure information security covers new technology integration. Establish an information classification program to ensure the correct application of mitigating controls. Review the enterprise s use of outside service providers with regard to their compliance level with the enterprise s policies. Establish critical effectiveness metrics for each information security policy. Report semiannually to senior management the state of the information security risk management program. Written by Edward Younker, Research Products Analytical source: Roberta Witty, Gartner Research This article is an excerpt of a chapter from a new Gartner report, Securing the Enterprise: The Latest Strategies and Technologies for Building a Safe Architecture. The report is an offering of the Gartner Executive Report Series, a new business venture of Gartner Press that provides buyers with comprehensive guides to today s hottest IT topics. For information about buying the report or others in the Executive Report Series, go to For related Inside Gartner articles, see: CIO Update: IT Security Management and Gartner s Magic Quadrant, (IGG ) CEO and CIO Update: Establish a Strong Defense in Cyberspace for Information Security, (IGG ) Management Update: What You Should Know About the Antivirus Market, (IGG )

7 CIO Update: Enterprise Security Moves Toward Intrusion Prevention, (IGG ) Management Update: Security Strategies for Enterprises Using Web Services, (IGG )