Archive for the ‘Security Postings’ Category
Monday, August 16th, 2010
Pen tests may seem like a security test panacea. However, they have been known to go terribly wrong and become vastly expensive. Here’s what you need to know to make sure you get the results you want at the price you expect.
Pen tests come in many flavours and degrees of risk. Some pen tests are active which means a security expert is actively trying to exploit security vulnerabilities that they have identified. Some are passive which means the test is really a vulnerability assessment. In a vulnerability assessment there is no active testing whatsoever.
There are black box and white box pen tests. Black box tests assume zero prior knowledge. The auditor must first do research which may include social engineering in order to create a profile of the target network. It gets better. The black box pen test can be done on a need to know basis with the IT department kept in the dark. The pen test sponsor of the audit, such as the IT Security Governance Committee, may deem it necessary to exclude members of the IT department from being informed about the test.
White box pen tests are philosophically the exact opposite of black box pen tests. White box pen tests are based upon testing specific security elements within an enterprise network and all the work is carefully choreographed in concert with the client’s IT operations group prior to commencement of the test. In my opinion this is a much better approach for the following reasons:
- The test will focus exactly on the technology that is of business concern to the enterprise.
- Reduced risk of unintended damage and downtime caused during an active pen test.
- Adequate backups can be done prior to the pen test.
If you decide on any sort of pen testing my advice is to discuss the test methodology with respect to several standards and recommended methodologies. Here are but a few to consider:
What are you trying to identify?
If your goal is to identify security and compliance vulnerabilities then I would suggest you strongly consider the white box pen test or vulnerability assessment. There is a far better return on investment, in my opinion, in paying an auditor to find the vulnerabilities, allowing you the time to fix them, and then retesting, rather than paying someone to attempt to breach a vulnerability.
The reason for this is quite simple. The time a pen test team will spend attempting to breach a vulnerability is usually in direct proportion to the amount of money the client is willing to pay for the test. So test time is limited. Not so for a potential hacker. So money is better spent eliminating a vulnerability rather than testing it.
It is also critical to identify exactly what elements of an infrastructure are worth examining for vulnerabilities:
- Elements facing outward toward the Internet or inward facing towards “insiders”.
- Applications – web based or otherwise.
- Server operating systems and configurations.
- Network security hardware and software.
- Network telecommunications technology.
- Network security architecture.
- Intrusion detection and IT operations response to potential threats.
- Portable device security / authentication / identity management.
Careful consideration of your business goals should point you in the right direction when choosing your pen test options.
Have a secure week.
Regards,
Ron Lepofsky CISSP, B.A. SC. (Mech Eng)
ERE Information Security and Privacy Auditors
Tags: Information Security, IT Security, Pen Test
Friday, June 25th, 2010
Digital certificates were originally designed to help authenticate, provide non repudiation, and to sometimes ensure integrity and confidentiality for written communication. They, of course, became the rage for securing Internet based transactions.
Today some people take for granted that digital certificates are intrinsic to any web-based transaction and that the transactions are, therefore, safe. But are the transactions safe? By the way I stand corrected – I just did a quick poll of 10 people who regularly do e-transactions on the Internet and one of the ten even knew of the existence of digital certificates.
Here is what digital certificates are and how they work. Digital certificates are electronic documents, much like an electronic version of a passport. In fact they contain very similar boiler plate information about both the owner and the issuer of the certificate. The issuer is hopefully a certificate authority, analogous to an issuing Country of a passport, which is widely recognized and in whom everybody else has complete confidence.
The digital certificate also contains a secret known, again hopefully, only to the certificate owner and to the issuer. The secret is called a private password. The certificate authority also publishes a public key or password for every certificate holder. Both the public and private keys used only together can unlock the secrets otherwise encrypted by one of the keys.
For example, if Bob wants to send a confidential email to Sally, then Bob would encrypt the email with Bob’s private key and then again with Sally’s public key. Sally would decrypt Bob’s email with Bob’s public key and with her secret private key. Bob’s public key will only decrypt emails from Bob, and Sally’s private key will only decrypt emails encrypted with her public key. So confidentiality and fairly strong authentication of sender is provided.
Another example. If Bob wanted to send an open email to many people, but needed everybody to be sure that Bob was the sender, Bob would encrypt with his private key and anybody receiving the email would decrypt and read it with Bob’s public key. Bob must have been the sender, so authentication of sender is provided to some degree.
Online vendors use digital certificates in combination with the SSL protocol for their encryption algorithm, in order to protect the validity, integrity, and confidentiality of each transaction. Any visitor to a validly secured online e-transaction site should be able to view the associated digital certificate including details of the hashing algorithm used to protect their transaction. In this case, the validation only goes in one direction; only the transaction site is identifying itself conclusively to any visitor.
Yikes! SSL Meltdowns
We’ve probably all read about a recent SSL certificate validation problem stemming from a hashing algorithm. This is not the first problem with SSL. There was a doozy in 2009. And in 2008. And so on. Each time there is a problem, someone finds a resolution, such as changing a hashing algorithm.
Whether industry uses SSL or TLS there will undoubtedly be developing security vulnerabilities and remediation for them.
The big issue is how to take reasonable precautions to protect oneself from SSL meltdowns. Here is a simple precautionary SSL checklist.
- Do verify the URL you are visiting is what you expected and not a similar URL with slashes and asterisks where they don’t belong.
- If in doubt, phone the vendor or the site.
- Do take the time to verify the digital certificate on a web site.
- If in doubt, research the certificate authority.
- Remember that not all portions of a web site are secured with SSL. Users can stray to an unprotected area of a site.
Have a secure week.
Regards,
Ron Lepofsky CISSP, B.A. SC. (Mech Eng)
ERE Information Security and Privacy Auditors
Tags: Digital Certificates, Information Security, IT Security, SSL, TLS
Wednesday, June 9th, 2010
NERC’s June 2, 2010 report identifies potential paths to destruction of our North American Electrical Grid (www.ere-security.ca and http://www.nerc.com/ ). These paths include co-ordinated cyber / physical / blended attacks, pandemic illness, geomagnetic disturbances and electromagnetic pulses.
In my opinion, while NERC (North American Electric Reliability Corporation, www.nerc.org ) has managed to accurately identify real security risks it has missed the main point.
Yes, our energy grid is woefully in need of upgrading to mitigate the threat of a cascading failure, an example of which many of us experienced in August 2005 ( http://en.wikipedia.org/wiki/Northeast_Blackout_of_2003 ). And yes, the NERC CIP 01 – 09 security standard (http://www.ere-security.ca/NERC_CIP_Compliance_Audit.html and http://www.nerc.com/page.php?cid=2|20 ) for the real time monitoring and management of electrical grids is an important and meaningful tool for making our grid more robust, survivable and secure.
However, the fundamental recommendation of the report calls for better co-ordination between US power-grid providers and the government. To me, government co-ordination is an oxymoron. We can all see how well government co-ordination is working on the Gulf Oil Spill.
To rid the nation from electric grid gremlins, we don’t need cooperation, we need a bigger stick.
I think the path to grid deliverance is for the government to substitute co-ordination with costly penalties for those utilities which fail to comply with the NERC CIP standard.
Expensive penalties might get utility executives to take more seriously their security risks, and maybe start by addressing the “here and now” concerns expressed by their own SCADA IT security staff. We have worked with SCADA IT staff who were already aware of existing security risks, but since an event had not yet caused a costly or embarrassing outage, their executives were loath to invest in mitigating these risks.
So perhaps the time is right to up the ante of the downside potential cost of a security event to include a serious financial penalty. Then executives can re-evaluate their security ROI business cases to include the new downside penalty.
In our security auditing experience with electrical utilities, we have identified lots of security threats and vulnerabilities which could be compromised into disasters by very low tech and unsophisticated means. Terrorists, solar events, and pandemics are not even remotely required in order to compromise very commonly found weaknesses. Somebody with a six foot ladder and a laptop could potentially do just as much damage.
The solution to this problem is to sufficiently fund the security programs at the electrical utilities so their own security teams can adequately and reasonably implement the NERC standard, with emphasis on sections like Electronic Security Perimeter (CIP 005) and Sabotage Reporting (CIP 001).
While it’s very exciting and stimulating to think how our electrical grid can be brought down by behemoths of nature and by evil people with malicious intent, the reality is our grid is susceptible to the most simple of gremlins.
Maybe it’s time to think again.
Have a secure week.
Ron Lepofsky, CISSP, B.A.SC. (mech eng)
President,
ERE Information Security and Privacy Auditors
Tags: Energy Grid, Information Security, Internet Security, IT Security, NERC, Power Grid, Security Risks
Wednesday, June 2nd, 2010
Here’s a glaring example of how recreational online gaming of any sort can lead to unintentional expense and headache.
On May 27, Angela Moscaritolo at SC Magazine wrote an article about Symantec having discovered a database server hosting the stolen credentials of 44 million accounts belonging to at least 18 gaming websites. You can see the article on the ERE RSS feed or at http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/e.
Online gamers own virtual assets within their games. These assets can be bought and sold for real dollars, up to thousands of dollars. An individual who steals and uses a gamer’s identity will gain access to the gamer’s assets which they can then use, sell and vandalize.
In any instance where a gaming site has access to its members’ credit card and banking information, the potential for identity theft and credit theft is escalated if a gamer’s credentials are already stolen.
Online gamblers face similar risks as online gamers whose credentials are stolen, with the added grief of facing a foreign jurisdiction when attempting to claim for losses against the gaming site. This is because most gaming sites, for reasons of US law, reside outside of the jurisdiction of the USA.
The same problem is faced by members of online transaction sites, where the members’ authentication credentials are stored by the transaction site. If a member’s user name and password are stolen, the member faces exactly the same potential risks as the online gamer, and these risks are exacerbated if the member’s credit information is also electronically stored with the site.
While credit companies are implementing multi-factor authentication in order to mitigate potential fraudulent transactions, electronically stored credit card information is still a potential security and theft vulnerability. In these critical situations, my preference is to err on the side of conservatism; if anyone has access to electronic information, then potentially anybody has electronic access to that same information.
So the question is “What should gamers and transaction site members do to protect their electronic identities?”
The answers are pedantic but effective:
- Regularly change passwords. Chances are that a stolen old password will be used by a thief and, of course, will be useless.
- Use groups of passwords, prioritized by importance, for different uses. The best advice, of course, is to use a different password for every single use, including logon to your home and work computers, online banking, transaction sites, etc. This is not practical for most folks, so a tradeoff is to have a few different passwords but never use the same password for both critical and less critical applications.
- Consider storing (new!) passwords in an encrypted file or an electronic vault. Various programs and utilities are available for assisting with this process. The immediate two benefits are that people do not store their passwords in an unencrypted state and that the stress of remembering all the passwords and their use immediately disappears.
- Store the password for your “password vault” in a secure, non-electronic format or encrypt it with your own personal encryption system. For instance – add a suffix and prefix that are meaningful only to you and which are not composed of any personal information.
- Do not log onto any system over Wi-Fi or cellular network without the logon sequence being encrypted. Otherwise the logon credentials are easy prey for “man in the middle” attacks.
- Do not share passwords with anyone. Ever.
Have a secure week.
Ron Lepofsky, CISSP, B. A. SC. (Mech Engineering)
Tags: Games Online, Gaming Websites, Identity Theft, Internet Security, IT Security
Tuesday, May 4th, 2010
Intriguing, no? The Gordon Washington University School of Medicine has observed that bacteria left on keyboards and computer mice are highly unique to their depositors, and can be collected and identified up to two weeks after they are left on the device. If you would like to see more about this article please visit: www.ere-security.ca , RSS feed, March 29, 2010.
This certainly provides another identification tool with regard to tagging unauthorized access and use of equipment and to tying an individual to an act of accessing electronics.
I’m not sure if it is legal to request a finger swab and if this new type of evidence could even be presented in court, but hey, DNA evidence had to begin its legal career at some point.
It is not that far removed from contact biometrics such as fingerprint readers and palm readers. And these are not far removed from contact with “something you have” such as an identification swipe card. Since we are already on the slippery slope of allowing contact with one’s personal identification device or hand parts, perhaps identification by personal bacteria is not that unreasonable.
Identifying who may have used a mouse or keyboard does not help a forensic investigation relating to remote unauthorized accesses. Users still make the same old mistakes with regard to preservation of forensic evidence when they become suspicious about a potential cyber attack.
Not to demean bacteria in any way, but users should and can implement the following procedures when they would like assistance in verifying that an intrusion has been committed on their system:
- Immediately telephone the IT security department and clearly identify their observations of concern, what they were doing on their workstation at the time, and the exact time / date.
- Do not continue to interact with their workstation and with any other applications / systems with which their workstation is interacting.
- Do not turn off their workstation.
- Do not attempt to run any diagnostics on their workstation.
- Do not send emails from their workstation.
The investigating forensics team should:
- Isolate the workstation and other systems associated with the potential incident.
- Not turn off the power to any of these systems.
- Make an image of the state of each system, make a copy of the disk contents, and especially make a copy of the logs of all relevant systems.
- Then begin their forensic investigation.
Of course many forensic situations could have been mitigated at the preventative stage by computer users / bacteria hosts following simple security best practices. But that is an ongoing conversation.
Have a secure week.
Regards, Ron Lepofsky, CISSP
President,
ERE Information Security and Compliance Auditors
www.ere-security.ca
Tags: DNA, Forensics, Information Security, IT Security, Personal Identification
Wednesday, March 31st, 2010
“High-tech copy machines a gold mine for data thieves” was a story printed on March 18, 2010 in the Toronto Star, which should give pause to every one of us. That is, everybody who uses a smart photocopier or who provides access to one for others.
You may think this is overreaction, but is it?
By smart photocopier, I mean one with a computer inside that provides all the great features. The computer also has a disk, which indiscriminately retains images of sensitive and personal documents like tax returns (social insurance numbers), job applications, and legal documents.
It also unwittingly retains images of critical information like executive summaries about corporate plans, new business strategies, and unpublished quarterly financial reports.
So everybody using a smart photocopier really needs to give some thought as to the consequences of their confidential material falling into the hands of those who would benefit from its unauthorized use for personal gain. How could this happen, you may think? Well, lots of ways.
Someone such as a photocopier service person could simply copy the disk data. Or someone with unauthorized access to the machine at night. If the copier has a data access port, anyone familiar with the data communications capabilities of the data port could walk by with their smart phone and download the data.
Twenty years ago I remember watching a news documentary describing a similar but lower tech use of photocopiers to steal sensitive and critical information. Apparently during the cold war spies would insert a camera into a photocopier destined for the opposition’s embassy. Then the “copier tech” would surreptitiously remove the film from the hidden camera in the photocopier and, of course, replace it with more unused film.
So, without becoming paranoid about photocopiers, how can you get them to do your bidding with confidence that your sensitive and critical information will not fall into the hands of others?
Some simple things you can do are:
1. Always do your own photocopying whenever possible.
2. If you must use a copy service, then keep your eyes on your original documents and all copies of them, just as diligently as you would keep eye contact with your credit /debit card during a purchasing transaction.
3. Don’t use smart photocopiers unless you are sure of the security policy by which they are managed.
As the custodian of a smart photocopier, ensure your telecommunications and security people have configured it to:
a. Communicate only as mandated by your corporate security policy.
b. Run an ongoing process that regularly scrubs the stored images (rather than merely “deleting” them).
c. Run an ongoing process to monitor the event logs of the copier and alert on suspicious activity such as unauthorized attempts to connect it to a telecommunications network, unauthorized attempts to communicate with its data port in order to upload data, and unauthorized attempts to open or tamper with the machine.
Prior to sending the copier off premises for service or for disposal, ensure the disk is either removed and destroyed or that data is scrubbed and destroyed completely. Otherwise, you could end up with the same consequences as confidential data on a used and resold computer work station or laptop being retrieved by its new owner.
Of course we all know that there are dumb users even for smart photocopiers. How many times have we all found original documents left by some previous users of the copy machine? So it’s probably a good practice to count your original documents before and after using a photocopier.
Have a secure week.
Ron Lepofsky, B.A.SC. (Mech Eng), CISSP
President
ERE Information Security Auditors
www.ere-security.ca
www.ere-security.com
Tags: Information Security, IT Security, Photocopiers, Smart Photocopier
Tuesday, March 23rd, 2010
Great article this week by Brian Krebs about the risks and liabilities of on-line banking for businesses, on Brian’s blog: http://www.krebsonsecurity.com/2010/03/ebanking-victim-take-a-number/
But no need to just believe Brian; there are lots of news articles every month about security and privacy breaches of information handlers and service providers for banks and credit card companies as well as for actual banks and credit card companies.
My opinion on the subject of IT security and privacy with regard to on-line banking is: Caveat Emptor: Buyer Beware! There are several sources of security threats with corresponding vulnerabilities beyond the control of most consumers of on-line services. So I strongly advise on-line users to compare the potential cost of impact of a security breach against the time savings of on-line banking.
If the potential losses are large, say $25,000 for a small business, compared to 2 hours per week of time saved at $75 / hour which equates to $7,800 annually, then it may be advisable to take another step in evaluating the risks involved.
Let’s say the user is not technically strong with regards to IT security and therefore needs to make some qualitative, anecdotal assumptions about the risk of on-line banking. The user may consider the following risk factors:
- Banks make errors.
- Users make errors in all sorts of ways, such as: not keeping their anti-virus signatures updated; not keeping their security patches and operating system patches / updates completed in a timely manner; visiting web sites that may inject malware into their systems; opening email attachments; opening email from unknown individuals; etc.
- Banks may not fully refund funds caused by a security breach during an online transaction.
- Banks may refund funds but not in a timely fashion.
- Do you want to do battle with a bank?
Based upon these and other risks, a user can decide if their risk is high, medium, or low. They could then go a step further and allocate values of 70% – 100% to high risk; 40% – 69% to medium risk; 0% – 68% for low risk.
As a sanity check, they can estimate the impact of one loss as (% chance of loss) × (possible cost of loss). So for a user who estimates they face a medium risk of 50% and who has in their on-line account a maximum of $50,000 at any time, the cost of a security breach could be 50% × $50,000, or $25,000.
Perhaps compared with $7,800 in annual savings, it may be a good idea to consider other options, such as:
- Doing only online bank enquiries, ensuring there are no change privileges attached to the account.
- Asking to see the bank’s written policy about how they deal with clients who suffer losses due to a security breach.
- Purchase insurance for losses caused by an online banking error or security breach.
- Dramatically improving the security procedures they follow for protecting the computer(s) and the network on which they reside, for doing e-banking.
What do you think?
Regards, Ron Lepofsky, CISSP
www.ere-security.ca
Tags: Banks, E-Banking, Information Security, IT Security, Privacy Breach, Risks
Wednesday, January 6th, 2010
Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Example Situation
The Problem Statement
1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.
IT micro Governance Solution
1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectation is $100,000 / $5,000,000 or 2% and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, so that an aggressive date of fully tested implementation is 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders are comprised of two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee creates a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration? Can the virtual team be disbanded?
Conclusion: Keep it simple.
Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance
Tuesday, December 29th, 2009
Last week’s blog introduced my concept of IT security micro Governance. This week’s installment covers the problems caused by insufficient Governance and the root causes of this problem.
Insufficient IT Governance Impedes the Security Team
In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.
Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance
Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down over confusion arising between identifying the content of compliance frameworks with compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.
IT Security micro Governance as a Practical Alternative
A simplified alternative to the barriers mentioned above creates a bite-sized micro process which will provide the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.
Steps to Implement IT Micro Governance
1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.
* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidence-based method is to compare the frequency of similar threats before and after mitigation steps are implemented.
To assist with calculating IT security related risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.
Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor
www.ere-security.ca
Tags: Information Security, IT Security, Micro Governance. Posted in Information Security, Internet Security, Security Postings.
Tuesday, December 22nd, 2009
This week’s blog is the first of a three part series about my idea for an expedited method of implementing IT security Governance. Your feedback would be most appreciated.
Executive Summary
IT Governance is difficult for most organizations to initiate and maintain as it is an ongoing process, particularly for medium and small institutions. There are many subject experts, vendors, and consultants that cater to implementation, but the inherent difficulties and complexities make the implementation of it an elusive goal for many.
Since Governance is, by definition, strategic and focused over long timeframes, it is not designed to deal with unexpected and potentially costly IT security threats, threats which can evolve into costly security events. A distraught client once described how a serious access breach within his organization could have been prevented if senior management had evaluated and acted upon his impromptu but appropriate recommendations to harden access controls. I propose a modified process to respond to mitigating threats that require funds exceeding the annual IT security budget. I call this micro Governance.
Definitions of IT Governance
IT Governance is a subset discipline of Corporate Governance focused on information technology (IT) systems and their performance and risk management. Various bodies of authority on the subject publish similar definitions of IT Governance, each with its own emphasis of intent. Four prominent authorities define IT governance on their web sites as follows:
1. ISACA: …provide the leadership, organizational structures and processes that ensure that the enterprise’s IT sustains and extends the enterprise’s strategies and objectives.
2. ITGI:… an effective IT governance framework that addresses strategic alignment, performance measurement, risk management, value delivery and resource management.
3. Forrester: … The act of establishing IT decision structures, processes, and communication mechanisms in support of the business objectives and tracking progress against fulfilling business obligations efficiently and consistently.
4. MIT Sloan School of Management: IT governance is the process by which firms align actions with their performance goals and assign accountability for those actions and their outcomes.
The three predominant frameworks for implementing IT Governance are provided by ISACA, ITIL and ISO. In a more granular view, the ISO 38500:2008 guiding principles are organized into three prime sections, specifically Scope, Framework and Guidance. The framework comprises definitions, principles and a model. It sets out six principles for good corporate governance of IT:
* Responsibility
* Strategy
* Acquisition
* Performance
* Conformance
* Human behaviour
Significance of IT Security Governance for Compliance
Compliance violations may attract all manner of liability directly affecting a governance committee, such as fines and confinement for SOX, revocation of interconnection agreements with electrical utilities for NERC CIP, and violation notices from third party auditors for COBIT.
Examples of well known regulatory frameworks and compliance standards are as follows:
* Financial - SOX, Bill 109, Basel II, PCI, SAS 70
* Electrical Infrastructure for North America - NERC CIP
* Privacy – PIPEDA, Red Flag, GLB
* Industry Best Practices - COBIT, ITIL
Next week’s blog will cover the problems caused by insufficient Governance and the root causes of this problem.
Have a secure week.
Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors
www.ere-security.ca
Tags: Information Security, IT Governance, IT Security. Posted in Information Security, Internet Security, Security Postings.