Example Situation

The Problem Statement

1. A CIO of a fictitious company identifies weak identity management as a significant risk to the privacy and integrity to corporate information as well as to SOX compliance.
2. The problem has recently arisen due to several factors:
* The external corporate auditors introduced new IT audit control points for monitoring unauthorized and attempted unauthorized accesses to critical servers and critical applications.
* Corporate cost cutting has caused a reduction in the staff levels of the security administration group.
* A cost cutting reorganization has dramatically changed employees’ roles and need to access various servers and applications.
* The group of  recently terminated employees which include IT security administrators has  raised the potential threat of malicious activity from x-employees plus a diminished capacity for the corporation to adequately administer access privileges.
3. There are insufficient funds for a comprehensive upgrade to the identity management infrastructure to ensure reasonable compliance for SOX.
4. The problem is further obfuscated as the lack of any major security breach makes it appear to senior executives that there are no security threats.
5. Nonexistent IT Governance means decision making about the new risk will be delayed until the next year’s budget cycle.

IT micro Governance Solution

1. If the corporation does in fact have an IT Governance committee that is amenable to reacting quickly with micro Governance decisions, then the CIO can identify to the Governance committee the business risks relating to weak identity management.
2. The governance committee works with the CIO to estimate the cost to the corporation in the event of a security event at $5,000,000 per incident.
3. They build a business case modeled upon the chance of a security event occurring once per year.
a. The CIO estimates the first year annual cost to technically mitigate the risk at $100,000 and $50,000 annually thereafter.
b. The first year mitigation cost / annual loss expectation is $100,000 / $5,000,000 or 2% and 1% thereafter.
c. The Governance committee decides the return is acceptable.
4. The IT Governance committee formally creates a specific task force and IT micro Governance process to mitigate the identity management risk.
5. They engage a third party advisor to expedite the process, so that an aggressive date of fully tested implementation is 6 months.
6. They appoint virtual team leaders to manage each risk management process. The team leaders are comprised of two members of the IT Governance committee, the CIO, three members of the IT security team, 6 business line managers, a member of HR and a member of the CFO’s team. They also have external security consultants and auditors to assist with testing and evaluating the effectiveness of the new process.
7. The virtual team leaders assign other employees to implement the project and to create an ongoing process to monitor, manage, and report on the proposed identity management process.
8. The team creates a detailed project plan to complete the project.
9. The third party consultants and auditors work with the team right from the beginning to design processes and mechanisms to test and report on the degree of success of the new identity management process.
10. The virtual team and IT Governance committee creates a schedule for reporting / feedback / direction meetings as oversight for the new process, including:
a. Evaluating the degree of success of the initial implementation.
b. A subset of the virtual team continues to monitor and report to the Governance Committee.
c. A third party with expertise in calculating IT security risk is assigned the task of re-evaluating the initial ROI or cost avoidance business model in terms of:
i. Was risk correctly estimated?
ii. Is there an ongoing evaluation of the degree of risk reduction?
iii. Can the new process and its budget be integrated into IT security operations / administration. Can the virtual team be disbanded?

Conclusion:  Keep it simple.

Sources of Information – Governance Authorities
* ISACA (Information Systems Audit and Control Association) www.isaca.org
* ITGI (IT Governance Institute) www.itgi.org
* Gartner Group www.gartner.com
* IBM www-935.ibm.com/services/us/index.wss/offering/its/a1031003
* SANS (SysAdmin, Audit, Network, Security Institute) www.sans.org/reading_room/whitepapers/casestudies/corporate_governance_and_information_security_1382
* The IT Metrics and Productivity Institute  http://www.itmpi.org/default.aspx?pageid=198
* MIT Sloan School of Management  http://web.mit.edu/cisr/working%20papers/cisrwp349.pdf

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditors

www.ere-security.ca

Insufficient IT Governance Impedes the Security Team

In dynamic network environments, security issues can quickly appear where there are insufficient funds planned to mitigate new security risks. An active IT Governance process is invaluable to deal with such issues.

Insufficient IT Governance:
* Slows decision making.
* Inhibits communication of risk and associated potential financial loss between the IT Security. Team and executive management.
* Inhibits attaining unplanned, sufficient IT security funding.
Barriers to implementing IT Governance

Well known barriers to attaining IT governance are:
* The all encompassing scope of any Governance is a daunting challenge to face.
* Expensive.
* Time consuming.
* IT security risk can be very difficult to quantify.
* The executives may find it difficult to request additional funds particularly where the IT security team has done an excellent job and there are no expensive security vulnerabilities.
* A false sense of security makes cost justifying security budgets difficult.
* A Governance committee may get bogged down over confusion arising between identifying the content of compliance frameworks with compliance objectives.
* Turf wars over accepting / relegating ownership of responsibilities for various aspects of IT compliance.
* Maintaining longevity of the IT Governance process.

ITSecurity micro Governance as a Practical Alternative

A simplified alternative to the barriers mentioned above creates a bite-sized micro process which will provide the following value to a corporate entity:
* Minimizes the liability of executives with respect to their fiduciary responsibilities for IT Governance.
* Facilitates communications between the Governance Body and the IT Security Team regarding cost justification of unplanned or insufficient budget.
* Provides a regular opportunity for the Security Team to convey top priorities with requests for expedited executive authorization.
* Provides a regular opportunity for executives to convey business priorities that affect IT related risk directly to those responsible for physically managing those risks.
* Minimizes decision time and frustration levels by identifying bite sized issues.

Steps to Implement IT Micro Governance

1. IT Security should identify the top priority IT security risk(s) that require immediate decisions / funding by the executive team.
2. Estimate the ROI or potential cost avoidance by mitigating the risk(s).
3. Formally create a micro-Governance process to address the risk(s).
4. Engage a third party advisor to expedite the process.
5. Create a virtual (temporary) team to manage each risk management process.
6. Assign other management and employees as appropriate to the virtual team.
7. Identify a timeline to complete the project.
8. Identify a mechanism to test the degree of success of the mitigation.
9. Identify a timeline to report the degree of success back to the IT Governance Committee.
10. Assess whether ROI or cost avoidance goals were sufficiently met. *
11. Mandate longevity for the micro Governance process by directing the virtual team to continue monitoring the process and reporting to the Governance Committee.
12. Integrate the process into the IT security operations / administration processes and disband the virtual team.

* It is difficult to obtain data that captures the prevention of a security threat based on a specific action taken. One empirical yet evidentiary based method is to compare the frequency of similar threats before and after mediation steps are implemented.

To assist with calculating IT security related, risk, ROI / cost avoidance, and residual risk, Governance Committees (and IT security professionals) can contract third party expertise in these matters.

Next week’s blog will be an example situation which illustrates the steps for implementing IT security micro Governance to address a security threat.

Have a secure week.

Regards, Ron Lepofsky, B.A. SC. (Mech Eng), CISSP
ERE Information Security Auditor

www.ere-security.ca