ERE Information Security Auditors

IT Security Micro Governance – A Practical Alternative Part 3

Last week’s blog described the problems caused by insufficient Governance and the root causes of this problem. This week’s blog provides an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Example Situation

The Problem Statement

1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity of corporate information as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of recently terminated employees, which includes IT security administrators, has raised the potential threat of malicious activity from ex-employees, plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obscured because the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.

IT micro Governance Solution

1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectancy is $100,000 / $5,000,000 or 2%, and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, so that a fully tested implementation can be achieved on an aggressive 6 month timeline.
6. They appoint virtual team leaders to manage each risk management process. The team leaders are comprised of two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee create a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration? Can the virtual team be disbanded?
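The business case in step 3 and the re-evaluation in step 10c are a simple annual loss expectancy (ALE) model: expected loss per year equals the cost of one incident times the expected number of incidents per year, and each year's mitigation spend is compared against it. The following is an added example, not code from the original post or from ERE, that carries the blog's own figures ($5,000,000 per incident, one incident per year, $100,000 in year one and $50,000 thereafter) through that model over a multi-year horizon and then recomputes the incident rate from observed history, which is the check the third party in step 10c is asked to perform. The 10% acceptance threshold and the observed-incident figures are assumptions chosen for illustration; the post states only that the committee found the 2% / 1% return acceptable.

```python
from dataclasses import dataclass


@dataclass
class RiskCase:
    """Inputs of the cost-avoidance business case from the post."""
    single_loss_expectancy: float     # cost to the corporation per incident ($)
    annual_rate_of_occurrence: float  # expected incidents per year
    first_year_cost: float            # mitigation cost in year 1 ($)
    ongoing_annual_cost: float        # mitigation cost each later year ($)

    def annual_loss_expectancy(self) -> float:
        # ALE = SLE x ARO; with the post's figures, $5,000,000 x 1 = $5,000,000
        return self.single_loss_expectancy * self.annual_rate_of_occurrence

    def mitigation_cost(self, year: int) -> float:
        return self.first_year_cost if year == 1 else self.ongoing_annual_cost

    def cost_ratio(self, year: int) -> float:
        # mitigation cost / ALE, the figure the committee judged (2% in year 1)
        return self.mitigation_cost(year) / self.annual_loss_expectancy()


def evaluate_case(case: RiskCase, years: int, max_ratio: float = 0.10) -> dict:
    """Run the business case over `years` and report whether every year's
    mitigation cost stays below `max_ratio` of the expected annual loss.
    `max_ratio` is an assumed acceptance threshold, not one stated in the post."""
    ratios = {year: case.cost_ratio(year) for year in range(1, years + 1)}
    total_spend = sum(case.mitigation_cost(year) for year in range(1, years + 1))
    total_expected_loss = case.annual_loss_expectancy() * years
    return {
        "ratios": ratios,
        "total_mitigation_cost": total_spend,
        "total_expected_loss": total_expected_loss,
        "acceptable": all(r <= max_ratio for r in ratios.values()),
    }


def reestimate_aro(case: RiskCase, observed_incidents: int, years_observed: int) -> RiskCase:
    """Step 10c, 'was risk correctly estimated?': replace the original guess for
    incidents per year with the rate actually observed since implementation."""
    observed_aro = observed_incidents / years_observed
    return RiskCase(
        single_loss_expectancy=case.single_loss_expectancy,
        annual_rate_of_occurrence=observed_aro,
        first_year_cost=case.first_year_cost,
        ongoing_annual_cost=case.ongoing_annual_cost,
    )


# The post's example figures.
POST_CASE = RiskCase(
    single_loss_expectancy=5_000_000,
    annual_rate_of_occurrence=1.0,
    first_year_cost=100_000,
    ongoing_annual_cost=50_000,
)

if __name__ == "__main__":
    result = evaluate_case(POST_CASE, years=5)
    for year, ratio in result["ratios"].items():
        print(f"year {year}: mitigation/ALE = {ratio:.1%}")
    print(f"5-year spend ${result['total_mitigation_cost']:,.0f} "
          f"vs expected loss ${result['total_expected_loss']:,.0f}; "
          f"acceptable: {result['acceptable']}")
    # Constructed re-evaluation: assume 1 incident was observed in 4 years.
    revised = reestimate_aro(POST_CASE, observed_incidents=1, years_observed=4)
    print(f"revised ALE ${revised.annual_loss_expectancy():,.0f}, "
          f"ongoing ratio {revised.cost_ratio(2):.1%}")
```

If the observed incident rate comes in well below the original estimate, the ongoing ratio rises (a lower ALE makes the same $50,000 a larger fraction of it), which is exactly the signal the committee needs for the question in 10c.iii of whether the task force can be folded into normal operations.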

Conclusion:  Keep it simple.

Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf

Have a secure week.

Regards, Ron Lepofsky, B.A.Sc. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca
