ERE Information Security Auditors
Home | Site Map | Contact Us | Blog
This text is replaced by the Flash movie.
 Executive Strategies for Managing Risk
Audit Tactics for Managing Risk

Archive for December, 2009

IT Security Micro Governance – A Practical Alternative Part 2

Tuesday, December 29th, 2009

Last week’s blog introduced my concept of IT security micro Governance. This weeks installment covers the problems caused by insufficient Governance and the root causes of this problem.

Insufficient IT Governance Impedes the Security Team

In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.

Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security. Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance

Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down over confusion arising between identifying the content of compliance frameworks with compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.

ITSecurity micro Governance as a Practical Alternative

A simplified alternative to the barriers mentioned above creates a bite-sized micro process which will provide the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.

Steps to Implement IT Micro Governance

1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.

* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidentiary based method is to compare the frequency of similar threats before and after mediation steps are implemented.

To assist with calculating IT security related, risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.

Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor

www.ere-security.ca

Tags: , ,
Posted in Information Security, Internet Security, Security Postings | 3 Comments »

IT Security Micro Governance – A Practical Alternative Part 1

Tuesday, December 22nd, 2009

This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance.  Your feed back would be most appreciated.

Executive Summary

IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.

Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats. Threats which can evolve into costly security events.  A distraught client once described how a serious access breach within his organization could have been prevented if the senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls.  The author proposes a modified process to respond to mitigating threats that require funds exceeding the annual IT security budget. I call this micro Governance.

Definitions of IT Governance

IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management.  Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent.  Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management:  IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO.  In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance.  The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour
Significance of IT Security Governance for Compliance
Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.

Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial  -  SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America  -  NERC CIP
* Privacy  – PIPEDA, Red Flag, GLB
* Industry Best Practices -  COBIT, ITIL

Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Tags: , ,
Posted in Information Security, Internet Security, Security Postings | 1 Comment »

Book Report: The Myths of Security

Tuesday, December 15th, 2009

My blog this week is a review of a book I recently read, which purportedly was going to tell the reader “What the computer security industry doesn’t want you to know.”

The Myths of Security
By John Viega,
Published by O’Reilly Media Inc.
Printed June 2009

This self proclaimed expose about secrets closely guarded by the security industry fails to tell the reader much of anything new, except the details of John Vega’s history of working with MacAfee – twice.

The word Myths in the title implies, at least to me, long believed truths about to be proved otherwise.  These revelations never occurred in the 48 chapters, unless you consider repeating common knowledge in the security industry as new revelations.

A central revelation is that AV vendors have a difficult time keeping up with new malware.  There are several chapters dedicated to why AV tools are not effective, why they consume large amounts of computer resources, and the author’s ideas of the AV industry members should collaborate by sharing their knowledge of zero day malware.  He further suggests they create “CIST”, the Consortium for Interoperability with Security Technology.

These ideas of collaboration sound viable from a technical perspective, but hardly realistic in a competitive capitalistic environment that favours the strongest vendors.  However the author’s suggestions are not revelations of secrets.

Viega goes on to compare the workings of AV with firewalls and with IDS.  While these analogies are clever, they are hardly central to the book’s premise of revelation.

I was left scratching my head as the author claims that many AV products have a low degree of usefulness, without providing any statistical, verifiable evidence to prove his point.  Unsubstantiated opinion, and in my opinion, overly negative.

Which brings me to the next point about the author’s many references of praise about MacAfee.  After 20, I lost count of references to MacAfee, liberally spread throughout the book.  This affection and praise for one vendor and twice previous employer certainly challenges the impartiality of the author’s revelations.

It seems the author has liberally substituted hyperbole for fact.  For instance the chapter entitled “Google is Evil” says Google’s Adwords creates a conflict of interest between impartiality and profit.  Hardly a surprise.   The Chapter “VPNs Usually Decrease Security” states the obvious:  a compromised  VPN’d client workstation indeed is a threat to a host network.

Similarly “The security Industry is Broken” chapter really says security vendors of products and services are not 100% perfect.  No further comment is necessary here.

It is not clear to me to whom the book is intended.  It can not be for security practitioners with certifications such as CISSP or CISM.  In an effort to minimize technical terms, Viega uses a wordy description to circumvent the use of “hashing” ( mentioned in a footnote below the text.)

End users who are not technology savvy might find the book verbose.  The few good security recommendations are summarized in a few pages; recommendations which commonly stated in any end-user policy worth reading.

Time reading this book would be better spent elsewhere.
PS  I feel guilty writing such a negative article, especially since it is far easier to criticize than to create.  So please take my comments with a grain of salt.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Tags: , , , ,
Posted in Information Security, Internet Security, Security Postings | No Comments »

Micro IT Governance to Really Achieve Compliance Part 2

Tuesday, December 8th, 2009

Last week I posted a rough draft of part 1 of 2 an article devoted to a concept I am creating called Micro-Governance. Next weeks’ post is part 2 of 2 would greatly appreciate your ideas / feedback / constructive criticism.  Thank you in advance for sharing your ideas with me.

Barriers to implementing IT Governance

  • All encompassing scope
  • Complex PPM Project Portfolio Management
  • Expensive
  • Time consuming
  • Risk is very difficult to quantify
  • False sense of security confuses cost justifying security budgets
  • Turf wars over accepting / relegating ownership of responsibilities
  • Maintaining longevity of the process

Micro – Governance a practical alternative

  • Minimize liability of executives / board
  • Facilitates communications between Governance and the Security Team regarding cost justification of budget
  • Provides a regular opportunity for the Security Team to convey top priorities with requests for executive authorization
  • Minimizes decision time and frustration levels by identifying bite sized issues
  • Quantify the few most threatening risks
  • Create a virtual team with responsibility to mitigate and report
  • Measure the results
  • Authorize / fund the virtual team

Call to Action

  • CEO and CIO discuss a few  top priority IT security risks that require immediate decisions / funding
  • Formally create a micro-Governance process to address each risk.
  • Engage a third party advisor to expedite the process.
  • Create a small virtual team to manage each risk management process.
  • Assign other management and employees as appropriate to the virtual team.
  • Identify a timeline to complete the project.
  • Identify a mechanism to test the degree of success of the mitigation
  • Identify a timeline to report the degree of success back to the IT Governance Committee.

Assess Financial Cost of Risk and Residual Risk

  • document the technical risks
  • Translate them into business risks
  • Utilize a straw poll for executives to estimate the cost of liability should the risks become realities.
  • Utilize a straw poll for technology experts to guestimate the % chance of a onetime occurrence both before and after mitigation steps are applied.
  • Compare the cost of risk vs. residual risk to the cost of mitigation

Create Longevity to the Micro- Governance Process(es)

  • Direct the virtual team(s) to continue monitoring and report according to a defined schedule Committee
  • Otherwise dissolve the virtual team(s)

Sources of Information – Governance Authorities

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP

ERE Information Security Auditors

www.ere-security.ca

Tags: , , ,
Posted in Information Security, Internet Security, Security Postings | No Comments »
Home | Point in Time Audit | Doc Audit/Authorship | 7x24 Monitoring | Knowledge Transfer | ERE Differentiators | About Us | Site map | Contact Us | Blog
Copyrights © 2007-2008. All rights reserved.  Non-security resources 1|2|3|4|5|6|7|8|9

   AddThis Social Bookmark Button