Practice List For Information Security Management
Practice 1: Recognize Information Resources as Essential Organizational Assets That Must Be Protected
"Information technology is an integral and critical ingredient for the successful functioning of major U.S. companies." -- Deloitte & Touche LLP Survey of American Business Leaders, November 1996
The organizations we studied recognized that information and information systems were critical assets essential to supporting their operations that must be protected. As a result, they viewed information protection as an integral part of their business operations and of their strategic planning.
Senior Executive Support Is Crucial
In particular, senior executive recognition of information security risks and interest in taking steps to understand and manage these risks were the most important factors in prompting development of more formal information security programs. Such high-level interest helped ensure that information security was taken seriously at lower organizational levels and that security specialists had the resources needed to implement an effective program.
This contrasts with the view expressed to us by numerous federal managers and security experts that many top federal officials have not recognized the indispensable nature of electronic data and automated systems to their program operations. As a result, security-related activities intended to protect these resources do not receive the resources and attention that they merit.
In some cases, senior management's interest had been generated by an incident that starkly illustrated the organization's information security vulnerabilities, even though no damage may have actually occurred. In other cases, incidents at other organizations had served as a "wake-up call." Two organizations noted that significant interest on the part of the board of directors was an important factor in their organizations' attention to information security. However, security managers at many of the organizations told us that their chief executive officers or other very senior executives had an ongoing interest in information technology and security, which translated into an organizationwide emphasis on these areas.
Although the emphasis on security generally emanated from top officials, security specialists at lower levels nurtured this emphasis by keeping them abreast of emerging security issues, educating managers at all levels, and by emphasizing the related business risks to their own organizations.
Security Seen As An Enabler
In addition, most of the organizations were aggressively exploring ways to improve operational efficiency and service to customers through new or expanded applications of information technology, which usually prompted new security considerations. Officials at one organization viewed their ability to exploit information technology as giving them a significant competitive advantage. In this regard, several organizations told us that security was increasingly being viewed as an enabler--a necessary step in mitigating the risks associated with new applications involving Internet use and broadened access to the organization's computerized data. As a result, security was seen as an important component in improving business operations by creating opportunities to use information technology in ways that would not otherwise be feasible.
Practice 2: Develop Practical Risk Assessment Procedures That Link Security to Business Needs
The organizations we studied had tried or were exploring various risk assessment methodologies, ranging from very informal discussions of risk to fairly complex methods involving the use of specialized software tools. However, the organizations that were the most satisfied with their risk assessment procedures were those that had defined a relatively simple process that could be adapted to various organizational units and involved a mix of individuals with knowledge of business operations and technical aspects of the organization's systems and security controls.
The manufacturing company had developed an automated checklist that asked business managers and relevant staff in individual units a series of questions that prompted them to consider the impact of security controls, or a lack thereof, on their unit's operations. The results of the analysis were reported in a letter to senior management that stated the business unit's compliance with the security policy, planned actions to become compliant, or willingness to accept the risk. The results were also reported to the internal auditors, who used them as a basis for reviewing the business unit's success in implementing the controls that the unit's managers had determined were needed. Through the reporting procedure, the business managers took responsibility for either tolerating or mitigating security risks associated with their operations.
Such procedures provided a relatively quick and consistent means of exploring risk with business managers, selecting cost-effective controls, and documenting conclusions and business managers' acceptance of final determinations regarding what controls were needed and what risks could be tolerated. With similar objectives in mind, the utility company had developed a streamlined risk assessment process that brought together business managers and technical experts to discuss risk factors and mitigating controls. (This process is described in detail as a case example on page 27.)
Other organizations had developed less formal and comprehensive techniques for ensuring that risks were considered prior to changes in operations.
- The retailer had established standard procedures for requesting and granting new network connections. Under these procedures, documentation about the business need for the proposed connection and the risks associated with it had to be submitted in writing prior to consideration by the central security group. Then, a meeting between the technical group, which implemented new connections, the requester, and the central security group was held to further explore the issue. The documentation and meeting helped ensure that the requester's business needs were clearly understood and that the best solution was adopted without compromising the network's security.
- The financial services corporation had implemented procedures for documenting business managers' decisions to deviate from organizationwide policies and standards. In order to deviate from a "mandatory policy," the business unit prepared a letter explaining the reason for the deviation and acknowledging the related risk. Both the business unit executive and the central security group manager signed the letter to acknowledge their agreement to the necessity of the policy deviation. Deviations from less rigid "standards" were handled similarly, although the letter could be signed by the business unit executive alone and did not require the central security group's approval, though such approval was generally obtained. In all cases, the central security group discussed the information security implications of the deviation with the appropriate executive and signed off only when it was satisfied that the executive fully understood the risk associated with the deviation. However, the ultimate decision on whether a deviation from policies or standards was appropriate was usually left to the business unit.
Organizations Saw Benefits Despite Lack of Precision
"Actual losses are not necessarily good indications of risk."
-- Security manager at a prominent financial institution
Although all of the organizations placed emphasis on understanding risks, none attempted to precisely quantify them, noting that few quantified data are available on the likelihood of an incident occurring or on the amount of damage that is likely to result from a particular type of incident. Such data are not available because many losses are never discovered and others are never reported, even within the organizations where they occurred. In addition, there are limited data on the full costs of damage caused by security weaknesses and on the operational costs of specific control techniques. Further, due to fast-paced changes in technology and factors such as the tools available to would-be intruders, the value of applying data collected in past years to the current environment is questionable. As a result, it is difficult, if not impossible, to precisely compare the cost of controls with the risk of loss in order to determine which controls are the most cost-effective. Ultimately, business managers and security specialists must rely on the best information available and their best judgment in determining what controls are needed.
Despite their inability to precisely compare the costs of controls with reductions in risk, the organizations said that risk assessments still served their primary purpose of ensuring that the risk implications of new and existing applications were explored. In particular, the security managers believed that adequate information was available to identify the most significant risks. For example, in addition to their own organization's experience, they noted that information on threats, specific software vulnerabilities, and potential damage was widely available in technical literature, security bulletins from organizations such as the Carnegie-Mellon Computer Emergency Response Team (CERT), surveys done by professional associations and audit firms, and discussion groups. Although much of this information was anecdotal, the security managers thought that it was sufficient to give them a good understanding of the threats of concern to their organizations and of the potential for damage.
In addition, the lack of quantified results did not diminish the value of risk assessments as a tool for educating business managers. By increasing the understanding of risks, risk assessments (1) improved business managers' ability to make decisions on controls needed, in the absence of quantified risk assessment results, and (2) engendered support for policies and controls adopted, thus helping to ensure that policies and controls would operate as intended.
Practice 3: Hold Program and Business Managers Accountable
"Holding business managers accountable and changing the security staff's role from enforcement to service has been a major paradigm shift for the entire company."
-- Security manager at a major equipment manufacturer
The organizations we studied were unanimous in their conviction that business managers must bear the primary responsibility for determining the level of protection needed for information resources that support business operations. In this regard, most held the view that business managers should be held accountable for managing the information security risks associated with their operations, much as they would for any other type of business risk. However, security specialists played a strong educational and advisory role and had the ability to elevate discussions to higher management levels when they believed that risks were not being adequately addressed.
Business managers, usually referred to as program managers in federal agencies, are generally in the best position to determine which of their information resources are the most sensitive and what the business impact of a loss of integrity, confidentiality, or availability would be. Business or program managers are also in the best position to determine how security controls may impair their operations. For this reason, involving them in selecting controls can help ensure that controls are practical and will be implemented.
Accordingly, security specialists had assumed the role of educators, advisors, and facilitators who helped ensure that business managers were aware of risks and of control techniques that had been or could be implemented to mitigate the risks. For several of the organizations, these roles represented a dramatic reversal from past years, when security personnel were viewed as rigid, sometimes overly protective enforcers who often did not adequately consider the effect of security controls on business operations.
Some of the organizations had instituted mechanisms for documenting and reporting business managers' risk determinations. These generally required some type of sign-off on memoranda that either (1) reported deviations from predetermined control requirements, as was the case at the financial services corporation and the manufacturing company discussed previously, or (2) provided the results of risk assessments, as was the case with the utility company described in the following case example. According to the security managers, such sign-off requirements helped ensure that business managers carefully considered their decisions before finalizing them.
Each risk analysis session takes approximately 4 hours and includes 7 to 15 people, though sessions with as many as 50 and as few as 4 people have occurred. Additional time is usually needed to develop the action plan. The information security group conducts between 8 and 12 sessions a month. According to the utility's central information security group, this process increases security awareness among business managers, develops support for needed controls, and helps integrate information security considerations into the organization's business operations.
Practice 4: Manage Risk on a Continuing Basis
"Information security is definitely a journey, not a destination--there are always new challenges to meet."
-- Chief information security officer at a major financial services corporation
The organizations emphasized the importance of continuous attention to security to ensure that controls were appropriate and effective. They stressed that constant vigilance was needed to ensure that controls remained appropriate--addressing current risks and not unnecessarily hindering operations--and that individuals who used and maintained information systems complied with organizational policies.
Such attention is important for all types of internal controls, but it is especially important for security over computerized information, because, as mentioned previously, the factors that affect computer security are constantly changing in today's dynamic environment. Such changing factors include threats, systems technologies and configurations, known vulnerabilities in existing software, the level of reliance on automated systems and electronic data, and the sensitivity of such operations and data.
Existing Federal Guidance Provides a Framework for Implementing Risk Management Practices
OMB's 1996 revision of Circular A-130, Appendix III, recognizes that federal agencies have had difficulty in performing effective risk assessments--expending resources on complex assessments of specific risks with limited tangible benefits in terms of improved security. For this reason, the revised circular eliminates a long-standing federal requirement for formal risk assessments. Instead, it promotes a risk-based approach and suggests that, rather than trying to precisely measure risk, agencies focus on generally assessing and managing risks. This approach is similar to that used by the organizations we studied.
Similarly, the concept of holding program managers accountable underlies the existing federal process for accrediting systems for use. Accreditation is detailed in NIST's Federal Information Processing Standards Publication 102, Guideline for Computer Security Certification and Accreditation, which was published in 1983. According to NIST, accreditation is "the formal authorization by the management official for system operation and an explicit acceptance of risk." OMB's 1996 update to Circular A-130, Appendix III, provides similar guidance, specifying that a management official should authorize in writing the use of each system before beginning or significantly changing use of the system. "By authorizing processing in a system, a manager accepts the risks associated with it."
Getting Started--Assessing Risk and Determining Needs
Senior Program Officials
- Gain an understanding of the criticality and sensitivity of the information and systems that support key agency programs.
- Recognize that information security risks to program operations are potentially significant, and support efforts to further explore and understand these risks as they relate to your agency's operations.
- Review decisions made by subordinate managers regarding the levels of information protection needed, and take responsibility for making final determinations.
- Monitor implementation of the risk assessment process to ensure that it is providing benefits and does not evolve into a "paperwork exercise."
- Define risk assessment processes that involve senior program officials and require them to make final determinations regarding the level of information protection needed.
- Ensure that security specialists and other technical experts are available to educate and advise program officials regarding potential vulnerabilities and related controls.
Senior Security Officers
- Promote and facilitate the risk assessment process by (1) developing practical risk assessment procedures and tools, (2) arranging for risk assessment sessions, (3) ensuring the involvement of key program and technical personnel, and (4) providing mechanisms for documenting final decisions.
- In promoting the adoption of policies and other controls, focus on the specific business reasons for the controls rather than on generic requirements.

"A central focal point is essential to spotting trends, identifying problem areas, and seeing that policies and administrative actions are handled in a consistent manner."
-- Senior information security officer for a major university
"Information security has become too important to handle on an ad hoc basis."
-- Security specialist at a major retailing company
Managing the increased risks associated with a highly interconnected computing environment demands increased central coordination to ensure that weaknesses in one organizational unit's systems do not place the entire organization's information assets at undue risk. Each of the organizations we studied had adopted this view and, within the last few years, primarily since 1993, had established a central security management group or reoriented an existing central security group to facilitate and oversee the organization's information security activities. As such, the central group served as the focal point for coordinating activities associated with the four segments of the risk management cycle.
As discussed in the previous section on risk analysis, the central security groups served primarily as advisers or consultants to the business units, and, thus, they generally did not have the ability to independently dictate information security practices. However, most possessed considerable "clout" across their organizations due largely to the support they received from their organization's senior management. In this regard, their views were sought and respected by the organizations' business managers. The following case example describes how one organization strengthened its central security group and reoriented its focus.
Case Example: Transforming an Organization's Central Security Focal Point
In 1995, realizing that security was an essential element of its efforts to innovatively use information technology, a major manufacturer significantly reorganized and strengthened its central information security function. Prior to the reorganization, a central security group of about four individuals concentrated on mainframe security administration and had little interaction with the rest of the company. Since then, the central group has grown to include 12 individuals who manage the security of the company's (1) main network, (2) decentralized computer operations, and (3) Internet use. In addition, the group participates in the company's strategic planning efforts and in the early stages of software development projects to ensure that security implications of these efforts are addressed. In this regard, it serves as a communications conduit between management and the information systems staff who design, build, and implement new applications.
Members of the central group possess a variety of technical skills and have specific information security responsibilities, such as developing policy, maintaining the firewall that protects the organization's network from unauthorized intrusions, or supporting security staff assigned to individual business units. According to the group's manager, because of the shift in the central group's responsibilities, "the members of the group had to change their mind-set from a staff organization to a service organization. They had to be willing to work with business managers to enable rather than to control business operations."
Practice 5: Designate a Central Group to Carry Out Key Activities
Overall, the central security groups served as (1) catalysts for ensuring that information security risks were considered in both planned and ongoing operations, (2) central resources for advice and expertise to units throughout their organizations, and (3) a conduit for keeping top management informed about security-related issues and activities affecting the organization. In addition, these central groups were able to achieve some efficiencies and increase consistency in the implementation of the organization's security program by performing tasks centrally that might otherwise be performed by multiple individual business units.
Specific activities performed by central groups differed somewhat, primarily because they relied to a varying extent on security managers and administrators in subordinate units and on other organizationally separate groups, such as disaster recovery or emergency response teams. Examples of the most common activities carried out by central groups are described below.
- Developing and adjusting organizationwide policies and guidance, thus reducing redundant policy-related activities across the organization's units. For example, the manufacturer's central security group recently revamped the company's entire information security manual and dedicated one staff member to maintaining it.
- Educating employees and other users about current information security risks and helping to ensure consistent understanding and administration of policies through help-line telephone numbers, presentations to business units, and written information communicated electronically or through paper memos.
- Initiating discussions on information security risks with business managers and conducting defined risk assessment procedures.
- Meeting periodically with senior managers to discuss the security implications of new information technology uses being considered.
- Researching potential threats, vulnerabilities, and control techniques and communicating this information to others in the organization. Many of the organizations supplemented knowledge gained from their own experiences by frequently perusing professional publications, alerts, and other information available in print and through the Internet. Several mentioned the importance of networking with outside organizations, such as the International Information Integrity Institute, the European Security Forum, and the Forum of Incident Response and Security Teams, to broaden their knowledge. One senior security officer noted, "Sharing information and solutions is important. Many organizations are becoming more willing to talk with outsiders about security because they realize that, despite differing missions and cultures, they all use similar technology and face many of the same threats."
- Monitoring various aspects of the organization's security-related activities by testing controls, accounting for the number and types of security incidents, and evaluating compliance with policies. The central groups often characterized these evaluative activities as services to the business units.
- Establishing a computer incident response capability, and, in some cases, serving as members of the emergency response team.
- Assessing risks and identifying needed policies and controls for general support systems, such as organizationwide networks or central data processing centers, that supported multiple business units. For example, some central groups controlled all new connections to the organization's main network, ensuring that the connecting network met minimum security requirements. Similarly, one organization's central group was instrumental in acquiring a strong user authentication system to help ensure that network use could be reliably traced to the individual users. Further, most central groups oversaw Internet use.
- Creating standard data classifications and related definitions to facilitate protection of data shared among two or more business units.
- Reviewing and testing the security features in both commercially developed software that was being considered for use and internally developed software prior to its being moved into production. For example, the manufacturing company's central group reviewed all new Internet related applications and had the authority to stop such applications from going into production if minimum security standards were not met. Similarly, the central information protection group at the utility was required to approve all new applications to indicate that risks had been adequately considered.
- Providing self-assessment tools to business units so that they could monitor their own security posture. For example, the financial services corporation provided business units with software tools and checklists so that they would assume responsibility for identifying and correcting weaknesses rather than depending on auditors to identify problems.
Practice 6: Provide the Central Group Ready and Independent Access to Senior Executives
Senior information security managers emphasized the importance of being able to discuss security issues with senior executives. Several noted that, to be effective, these senior executives had to be in a position to act and effect change across organizational divisions. The ability to independently voice security concerns to senior executives was viewed as important because such concerns could often be at odds with business managers' and system developers' desires to implement new computer applications quickly and avoid controls that would impede efficiency, user friendliness, and convenience. This ability to elevate significant security concerns to higher management levels helped ensure that risks were thoroughly understood and that decisions as to whether such risks should be tolerated were carefully considered before final decisions were made.
The organizational positions of the central groups varied. Most were located two levels below the Chief Information Officer (CIO). However, the groups reporting directly to the CIO or to an even more senior official viewed this as an advantage because it provided them greater independence. Several others said that, despite their lower organizational position, they felt free to contact their CIOs and other senior executives when important security issues arose, and they were relatively unrestrained by the need to "go through the chain of command." Some noted that senior managers frequently called them to discuss security issues. For example, at the nonbank financial institution, the senior security manager was organizationally placed two levels below the CIO, but she met independently with the CIO once every quarter. Also, during the first three months of 1997, she had met twice with the organization's chief executive officer, at his request, to discuss the security implications of new applications.
In contrast, several federal information security officials told us that they felt that their organizations were placed too low in the organizational structure to be effective and that they had little or no opportunity to discuss information security issues with their CIOs and other senior agency officials.
Rather than depend on the personal interest of individual senior managers, two of the organizations we studied had established senior-level committees to ensure that information technology issues, including information security, received appropriate attention. For example, the university's central group had created a committee of respected university technical and policy experts to discuss and build consensus about the importance of certain information security issues reported to senior management, thus lending weight and credibility to concerns raised by the central security office.
Practice 7: Designate Dedicated Funding and Staff
Unlike many federal agencies, the central groups we studied had defined budgets, which gave them the ability to plan and set goals for their organization's information security program. At a minimum, these budgets covered central staff salaries and training and security hardware and software. At one organization, business units could supplement the central group's resources in order to increase the central group's participation in high-priority projects. While all of the central groups had staffs ranging from 3 to 17 people permanently assigned to the group, comparing the size of these groups is of limited value because of wide variations in (1) the sizes of the organizations we studied, (2) the inherent riskiness of their operations, and (3) the additional support the groups received from other organizational components and from numerous subordinate security managers and administrators.
In particular, no two groups were alike regarding the extent of support they received from other organizational units. For example, the computer vendor relied on a security manager in each of the organization's four regional business units, while the utility's nine-member central group relied on 48 part-time information security coordinators at various levels within the company. Some central groups relied heavily on technical assistance located in another organizational unit, while others had significant technical expertise among their own staff, and, thus, were much more involved in directly implementing and testing controls.
Despite these differences, two key characteristics were common to each of the organizations: (1) information security responsibilities had been clearly defined for the groups involved and (2) dedicated staff resources had been provided to carry out these responsibilities. The following table summarizes the details on the size and structure of the organizations' information security staffs.
Placement and Staffing of Eight Central Information Security Management Groups

Columns: Organization; Approximate number of system users; Placement of central group; Number of dedicated central staff; Other staff resources relied on (some numbers are approximate). Entries whose organization name and user count do not appear in this text are marked [not given].

Financial services corporation
- Approximate number of system users: 70,000
- Placement of central group: Two levels below CEO
- Dedicated central staff: 17
- Other staff resources relied on: 35 security officers in business units

Electric utility
- Approximate number of system users: 5,000
- Placement of central group: One level below CIO
- Dedicated central staff: 9
- Other staff resources relied on: 48 security coordinators at three levels throughout the organization; virus response team

State university
- Approximate number of system users: 100,000
- Placement of central group: One level below CIO
- Dedicated central staff: 3
- Other staff resources relied on: 170 LAN administrators; incident handling team

[not given]
- Approximate number of system users: [not given]
- Placement of central group: Two levels below CIO
- Dedicated central staff: 12
- Other staff resources relied on: 2,000 distributed security administrators; internal audit staff; technical services group; loss prevention staff

State agency
- Approximate number of system users: 8,000
- Placement of central group: Two levels below CIO
- Dedicated central staff: 8
- Other staff resources relied on: 25 district managers; security administrators in 31 units; individuals with specialized expertise in the information systems group

[not given]
- Approximate number of system users: [not given]
- Placement of central group: Two levels below CIO
- Dedicated central staff: 7
- Other staff resources relied on: Central security administration group

[not given]
- Approximate number of system users: [not given]
- Placement of central group: Three levels below CIO
- Dedicated central staff: 4
- Other staff resources relied on: 27 regional security specialists

Equipment manufacturer
- Approximate number of system users: 35,000
- Placement of central group: Several levels below CIO
- Dedicated central staff: 12
- Other staff resources relied on: 70 site security administrators
Practice 8: Enhance Staff Professionalism and Technical Skills
The organizations had taken steps to ensure that personnel involved in various aspects of their information security programs had the skills and knowledge they needed. In addition, they recognized that staff expertise had to be frequently updated to keep abreast of ongoing changes in threats, vulnerabilities, software, security techniques, and security monitoring tools. Further, most of the organizations were striving to increase the professional stature of their staff in order to gain respect from others in their organizations and attract competent individuals to security-related positions.
Update Skills and Knowledge of Security Managers and Specialists
The training emphasis for staff in the central security management groups, many of whom came to their groups with significant technical expertise, was on keeping staff skills and knowledge current. This was accomplished primarily through attendance at technical conferences and specialized courses on topics such as the security features of new software, as well as networking with other security professionals and reviewing the latest technical literature and bulletins. To maximize the value of expenditures on external training and events, one central group required staff members who attended these events to brief others in the central group on what they had learned.
In an effort to significantly upgrade the expertise of information security officers in its various business units, the central group at the financial services corporation had recently arranged for an outside firm to provide 5 weeks of training for these individuals. The training, which is planned to take place in 1-week increments throughout the year, is expected to entail a broad range of security-related topics, including general information security, encryption, access control, and how to build a better working relationship with the corporation's technical information systems group.
Citing an emerging trend, the senior information security managers had also started to create information security career paths and stress professional certification for security specialists. In particular, many organizations were encouraging their staff to become Certified Information Systems Security Professionals (CISSP). One security manager noted that security specialists also needed excellent communication skills if they were to effectively fulfill their roles as consultants and facilitators for business managers who were less technically expert regarding computers and telecommunications.
Educate System Administrators
Increasing the expertise of system administrators presented different challenges. System administrators are important because they generally perform day-to-day security functions, such as creating new system user accounts, issuing new passwords, and implementing new software. These tasks must be completed properly and promptly or controls, such as passwords and related access restrictions, will not provide the level of protection intended. In addition, system administrators are the first line of defense against security intrusions and are generally in the best position to notice unusual activity that may indicate an intrusion or other security incident. However, at the organizations we studied, as at federal agencies, security is often a collateral duty, rather than a full-time job, and the individuals assigned frequently have limited technical expertise. As a result, the effectiveness of individual system administrators in maintaining security controls and spotting incidents is likely to vary.
To enhance the technical skills of their security administrators and help ensure that all of them had the minimal skills needed, most of the groups had established special training sessions for them. For example,
-the manufacturer required new security administrators to spend 2 to 5 days in training with the central security group, depending on their technical skills, before they were granted authority to perform specific functions on the network, such as controlling the users' access rights;
-the central security group at the university held annual technical conferences for the university's systems administrators and engaged professional training organizations to offer on-campus training at very reduced rates; and
-the state agency held a biannual conference for systems administrators that included sessions related to their information security responsibilities.
Attract and Keep Individuals with Technical Skills
Most of the groups cited maintaining or increasing the technical expertise among their security staff as a major challenge, largely due to the high demand for information technology experts in the job market. In response, several said they offered higher salaries and special benefits to attract and keep expert staff. For example, the financial services corporation provided competitive pay based on surveys of industry pay levels, attempted to maintain a challenging work environment, and provided flexible work schedules and telecommuting opportunities that allowed most of the staff to work at home 1 day a week. In addition, provisions were made for staff to do the type of work they preferred, such as software testing versus giving presentations.
Organizations relied on both internally and externally developed and presented training courses, sometimes engaging contractors or others to assist. For example, the state-level information security office that oversaw the state agency worked with an information security professional organization to provide a relatively low-cost statewide training conference. The state organization provided meeting rooms and administrative support, while the professional organization used its professional contacts to obtain knowledgeable speakers.