Governance and Policy
Tim Shimeall, March 2006
Posted on 21-Dec-2015

Transcript
Addressing Security as Governance
•Set of beliefs, capabilities, actions:
– Security enacted at enterprise level
– Security treated as business requirement
– Security considered during normal planning cycles
– All business unit leaders understand how security serves as business enabler
– Security integrated into enterprise functions and processes
– All personnel accessing enterprise network understand their responsibilities
•Which are most important depends on culture and business context
Governance
•Setting clear expectations of conduct
•Influencing to achieve expectations
•Decision making
– Assigned decision rights
– Accountability
– Intended to produce behavior/actions
•Ensuring organization does right things and does things right
Security as Institutional Priority
•Information security is a human enterprise
– “lack of security awareness by users” cited as top obstacle
– overriding impact of human complexities, inconsistencies, and peculiarities
•People can become the most effective layer in an organization's defense-in-depth strategy
– with proper training, education, motivation
•The first step is making sure they operate in a security conscious culture.
•Ernst & Young. "Global Information Security Survey 2004." http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf
Response Time
[Figure: contagion timeframe versus response time. Vertical axis, response time: seconds, minutes, hours, days, weeks or months. Threat classes, from slowest-spreading to fastest: file viruses, macro viruses, e-mail worms, blended threats, “Warhol” threats, “Flash” threats. Annotations: for the slower-spreading threats, human response is possible; as contagion time shrinks to hours and minutes, human response becomes difficult or impossible while automated response is possible; for the fastest (seconds), human response is impossible, automated response will need new paradigms, and proactive blocking is possible.]
What Is At Risk?
–Trust
–Reputation; image
–Stakeholder value
–Community confidence
–Regulatory compliance; fines, jail time
–Customer retention, growth
–Customer and partner identity, privacy
–Ability to offer, fulfill transactions
–Staff, client morale
Responsibility to Protect Digital Assets
•In excess of 80 percent of an organization’s intellectual property is in digital form
•Duty of Care: Governance of Digital Security
–Govern institutional operations & conduct
–Protect critical assets and processes
–Protect reputation
–Ensure compliance requirements are met
•[Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]
Barriers to Tackling Security
• Abstract, concerned with hypothetical events
• A holistic, enterprise-wide problem; not just technical
• No widely accepted measures/indicators
• Disaster-preventing rather than payoff-producing (like insurance)
• Installing security safeguards can have negative aspects
Information Survivability (1)
•Focuses on sustaining the mission in the face of an ongoing attack; requires an enterprise-wide perspective
•Depends on the ability of networks and systems to provide continuity of essential services, albeit degraded, in the presence of attacks, failures, or accidents
•Requires that only the critical assets receive the highest level of protection
Information Survivability (2)
•Complements current risk management approaches that are part of an organization’s business practices
•Includes (but is broader than) traditional information security
•Business Judgment Rule: That which a reasonably prudent director of a similar institution would have used
Shift the Security Perspective (from, to)
•Scope: from Technical to Institutional
•Ownership: from IT to Institutional
•Funding: from Expense to Investment
•Focus: from Intermittent to Integrated
•Driver: from External to Institution
•Application: from Platform/practice to Process
•Goal: from IT security to Institutional continuity/resilience
Technical problem to Institutional problem
From:
•IT owns problem and strategy, performs primary activities
•Secure infrastructure = secure organization
To:
•Organization owns problem and strategy
•Secure assets and processes = secure organization
Technical ownership to Institutional ownership
From:
•IT is driver, owner, benefactor
•CSO is a technical advisor
To:
•Organization is driver, owner, benefactor
•CSO is trusted advisor to business
Expense to investment
From:
•Security activities viewed as sunk costs, expenses
•Naturally avoided by management
To:
•Security as amortizable investment in business
•Security as “goodwill” on balance sheet raising organizational value
IA Regulations and Standards
•National legislation (privacy, etc.)
•Insurance industry requirements
•Customer demand
•E-torts and e-pacts
Legal Perspective
•Analyze applicable state laws and municipal ordinances
•Assess IS vulnerabilities and risks
•Review and update IS policies & procedures
•Review policies & procedures for sensitive information
•Scrutinize relationships with third-party vendors
•Review insurance policies
•Develop a rapid response plan & incident response team
•Work with associations & coalitions to develop standards
•“IT Security for Higher Education: A Legal Perspective.” Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf
Practice-driven to process-oriented
From:
•Willingness to accept and implement “best practices”
•Practices as process
•Possibly out of context with organizational drivers
To:
•Security is proactive and managed
•Driven by risk management
Shifting the security approach
From: Ad-hoc and tactical (irregular, reactive, immeasurable, absolute)
To: Managed and strategic (systematic, adaptive, measured, adequate)
How Are You Managing Information Risks?
•Policies, governance
•Critical information assets
•Who to involve
•Management controls
•Sustain survivability
Security to Resiliency
From:
•Managing to threat and vulnerability
•No articulation of desired state
•Possible security technology overkill
To:
•Managing to impact and consequence
•Adequate security defined as desired state
•Security in sufficient balance to cost, risk
A Resilient Institution Is Able To. . .
• withstand systemic discontinuities and adapt to new risk environments
• be sensing, agile, networked, prepared
• dynamically reinvent institutional models and strategies as circumstances change
• have the capacity to change before the case for change becomes desperately obvious
Security Strategy Questions
• What needs to be protected? Why does it need to be protected? What happens if it is not protected?
• What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?
• How do we effectively manage the residual risk?
Defining Adequate Security
•The condition where the protection strategies for an organization's critical assets and processes are commensurate with the organization's risk appetite and risk tolerances
•Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management Integrated Framework, September, 2004.
Determining Adequate Security Depends On . . .
• Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime
• Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure
• Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.
Adequate Security and Operational Risk
•“Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner.”
•“With the advent of regulatory agencies assessing an organization’s aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts.”
Evolving the Security Approach
[Figure: stages in order of increasing process maturation]
•Incident Response
•Vulnerability Management
•Security Risk Management
•Institutional Security Management
High Performing Organizations - 1
•Apply resources (time, effort, dollars, capital) to accomplish stated objectives, with little to no wasted effort
•Regularly implement repeatable, predictable, secure, measurable, and measured operational processes
•Independently evolved a system of process improvement as a natural consequence of their business demands
High Performing Organizations - 2
•Use defined, verifiable controls to improve efficiency and effectiveness
–Preventive, detective and corrective controls in place
–Easier to audit
•Detect production variances early
–Lowest cost and least impact to fix problems
–Fix problems in a planned manner
•Devote increasingly more time and resources to strategic issues and new opportunities, having mastered tactical concerns
High Performing Organizations - 3
•Demonstrated ability to get IT operations and security organizations working together to create:
– Higher service levels (availability, high MTBF, low MTTR, low MTTD)
– High percentage of planned (vs unplanned) work
– Early integration of security requirements into the service delivery life cycle
– The ability to quickly return to a known, reliable, trusted operational state
– Unusually efficient cost structures (server-to-sysadmin ratios of 100:1 or greater)
– Timely identification and resolution of security incidents
Areas of Pain for High Performing Organizations
• Patch management
• Proliferation of “scorecards”
• Managing outsourced IT services
Areas of Pain – Patch Volume
–Low performing: Adhoc, chaotic, urgent, disruptive; increase in unplanned work
–High performing: Planned, predictable, just another change -> higher change success rate
Areas of Pain – Proliferation of Scorecards
–Low Performing: Look to external sources, authorities; adopt scorecard du jour
–High Performing: Have defined their own performance characteristics; can demonstrate traceability to other instruments
Areas of Pain – Outsourced IT Services
Low Performing:
Transfer risk; out of sight; then unable to control
High Performing:
Manage like any other business unit or project; understand unique challenges; develop more bullet proof service level agreement
Common Root Causes
•Absence of explicit articulation of current state and desired state
– Thus current state (and companion pain) is tolerable; doesn’t hurt enough yet; don’t know that there is an alternative
•Culturally embedded belief that control is not possible
– Abdication of responsibility – “throw up my hands”
•Rewards/reinforcement for personal heroics vs. repeatable, predictable discipline
•Continued argument that IT ops and security are different (than other business investments or projects)
•Desire for a technical solution; easier to justify and implement than people and process improvements
IT Change Management
• Process for efficient and timely handling of all IT changes
• Enterprise capabilities critical to achieving effective change management:
− Risk Management
− Project Management
− Process Management
− IT Operations
− Security Operations
− Audit
• IIA Global Technology Audit Guide series: Change and Patch Management: Critical for Organizational Success
Progression of Capability
[Figure: effectiveness increases through four stages, from Reactive to Using the Honor System to Closed-Loop Change Management to Continuously Improving. In the first two stages, changes control the organization; in the last two, the organization controls the changes. Based on the IT Process Institute’s “Visible Ops” Framework.]

Reactive
• Over 50% of time spent on unplanned work
• Chaotic environment; lots of fire fighting
• MTTR very long; poor service levels
• Can only scale by throwing people at the problem

Using Honor System
• 35-50% of time spent on unplanned work
• Some technology deployed
• Right vision but no accountability
• Server-to-admin ratio too low
• IT costs too high
• Process subverted by talking to the “right” people

Closed-Loop Process
• 15-35% of time spent on unplanned work
• Some ticketing / workflow system in place
• Changes documented and approved
• Change success rate high
• Service levels good
• Server-to-admin ratio good, but not best-of-breed
• IT costs improving but still too high
• Security incidents down

Continuously Improving
• <5% of time spent on unplanned work
• Change success rate very high
• Service levels world class
• IT operating costs under control
• Can scale IT capacity rapidly with marginal increases in IT costs
• Change review and learning processes in place
• Able to increase capacity in a cost-effective way
Measurement
•Performance measurement of an enterprise's security state is conducted with the same rigor as other enterprise functions and business units.
•Corporate Information Security Working Group: Report of the Best Practices and Metrics Team, December, 2004
– Thirty Information Security Program Elements with companion metrics
• Governance (7 elements; 12 metrics)
• Management (10 elements; 42 metrics)
• Technical (13 elements; 45 metrics)
Example Measures - Governance
•Oversee Risk Management and Compliance Programs Pertaining to Information Security
– Percentage of key information assets for which a comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds
– Percentage of key external requirements for which the organization has been deemed by objective audit or other means to be in compliance
Example Measures - Management
•Establish Information Security Management Policies and Controls and Monitor Compliance
– Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls
•Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation
– Percentage of critical information assets for which some form of risk assessment has been performed and documented as required by policy
Example Measures - Technical
•Software Change Management, including Patching
– Percentage of systems with the latest approved patches installed
– Percentage of software changes that were reviewed for security impacts in advance of installation
•Incident and Vulnerability Detection and Response
– Percentage of operational time that critical services were unavailable (as seen by users and customers) due to security incidents
– Percentage of security incidents that exploited existing vulnerabilities with known solutions, patches, or workarounds
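As an added example (not part of the original slides, and not the Working Group's own tooling), the following Python computes the four technical measures above from a constructed asset inventory, change log and incident list. Every system name, patch ID, change ID, vulnerability label and timestamp is hypothetical. It also carries two caveats a practitioner hits when these numbers are produced for real: "latest approved patches" is measured against the change-control baseline rather than against everything a vendor has shipped (extra, unapproved patches are reported separately, not counted as compliance), and concurrent incidents on the same critical service are merged so the downtime percentage is not double-counted.

```python
from datetime import datetime, timedelta

# ---- Constructed sample data (hypothetical names and IDs, not from the slides) ----

# Patch IDs that change control has approved for deployment: the "approved" baseline.
# This is deliberately not "every patch the vendor has released".
APPROVED_PATCHES = {"PATCH-1001", "PATCH-1002", "PATCH-1003"}

SYSTEMS = {
    "web-01": {"PATCH-1001", "PATCH-1002", "PATCH-1003"},
    "web-02": {"PATCH-1001", "PATCH-1002"},                              # missing PATCH-1003
    "db-01":  {"PATCH-1001", "PATCH-1002", "PATCH-1003", "PATCH-1004"},  # extra unapproved patch
    "dev-01": {"PATCH-1004"},
}

CHANGES = [
    {"id": "CHG-1", "security_reviewed": True},
    {"id": "CHG-2", "security_reviewed": False},
    {"id": "CHG-3", "security_reviewed": True},
    {"id": "CHG-4", "security_reviewed": True},
]

# Whether a fix (patch, workaround) was known for the vulnerability before the incident.
KNOWN_FIX_AVAILABLE = {"VULN-A": True, "VULN-B": False, "VULN-C": True}

T0 = datetime(2006, 3, 1)
INCIDENTS = [
    {"id": "INC-1", "service": "web", "security": True, "vuln": "VULN-A",
     "start": T0 + timedelta(hours=10), "end": T0 + timedelta(hours=11)},
    {"id": "INC-2", "service": "web", "security": True, "vuln": "VULN-B",
     "start": T0 + timedelta(hours=10, minutes=30), "end": T0 + timedelta(hours=12)},
    {"id": "INC-3", "service": "wiki", "security": True, "vuln": "VULN-C",
     "start": T0 + timedelta(hours=1), "end": T0 + timedelta(hours=5)},
    {"id": "INC-4", "service": "db", "security": False, "vuln": None,      # hardware outage
     "start": T0 + timedelta(hours=20), "end": T0 + timedelta(hours=23)},
]
CRITICAL_SERVICES = {"web", "db"}


def pct(numerator, denominator):
    """Percentage, reporting 0.0 for an empty population instead of dividing by zero."""
    return 0.0 if denominator == 0 else 100.0 * numerator / denominator


def pct_systems_patched(systems, approved):
    """Metric: % of systems with the latest *approved* patches installed.
    A system is compliant when every approved patch is present; patches outside
    the baseline do not count toward compliance and are returned separately."""
    compliant = [name for name, patches in systems.items() if approved <= patches]
    unapproved = {name: sorted(patches - approved)
                  for name, patches in systems.items() if patches - approved}
    return pct(len(compliant), len(systems)), unapproved


def pct_changes_reviewed(changes):
    """Metric: % of software changes reviewed for security impact before installation."""
    return pct(sum(1 for c in changes if c["security_reviewed"]), len(changes))


def _merge(intervals):
    """Merge overlapping (start, end) windows so concurrent incidents are counted once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def pct_critical_downtime(incidents, critical, period_start, period_end):
    """Metric: % of operational time critical services were unavailable due to
    security incidents. Windows are clipped to the reporting period and merged."""
    windows = [(max(i["start"], period_start), min(i["end"], period_end))
               for i in incidents
               if i["security"] and i["service"] in critical
               and i["end"] > period_start and i["start"] < period_end]
    down = sum((end - start for start, end in _merge(windows)), timedelta())
    return pct(down.total_seconds(), (period_end - period_start).total_seconds())


def pct_incidents_with_known_fix(incidents, fixes):
    """Metric: % of security incidents that exploited a vulnerability with a
    known solution, patch, or workaround (non-security incidents are excluded)."""
    security_incidents = [i for i in incidents if i["security"]]
    known = [i for i in security_incidents if fixes.get(i["vuln"], False)]
    return pct(len(known), len(security_incidents))


def report():
    """All four technical measures for the constructed one-day reporting period."""
    patched, unapproved = pct_systems_patched(SYSTEMS, APPROVED_PATCHES)
    return {
        "systems_patched_pct": patched,
        "unapproved_patches": unapproved,
        "changes_reviewed_pct": pct_changes_reviewed(CHANGES),
        "critical_downtime_pct": pct_critical_downtime(
            INCIDENTS, CRITICAL_SERVICES, T0, T0 + timedelta(days=1)),
        "incidents_known_fix_pct": pct_incidents_with_known_fix(INCIDENTS, KNOWN_FIX_AVAILABLE),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name}: {value}")
```

On the constructed data, half the systems meet the approved baseline (db-01 counts as compliant despite its extra patch, which is flagged rather than credited), three of four changes were reviewed, the two overlapping web incidents merge into a single two-hour window out of a 24-hour day, and two of the three security incidents exploited a vulnerability that already had a known fix, which is the number a governance committee should find uncomfortable.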
What Does Effective Security Look Like at the Enterprise Level?
• No longer solely under IT’s control
• Achievable, measurable objectives are defined and included in strategic and operational plans
• Functions across the organization view security as part of their job (e.g., Audit) and are so measured
• Adequate and sustained funding is a given
• Senior executives visibly sponsor and measure this work against defined performance parameters
• Considered a requirement of being in business