governance and policy

42
Governance 1 Governance and Policy Tim Shimeall March 2006

Upload: marvel

Post on 19-Feb-2016

45 views

Category:

Documents


0 download

DESCRIPTION

Governance and Policy. Tim Shimeall March 2006. Addressing Security as Governance. Set of beliefs, capabilities, actions: Security enacted at enterprise level Security treated as business requirement Security considered during normal planning cycles - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: Governance and Policy

Governance 1

Governance and Policy

Tim ShimeallMarch 2006

Page 2: Governance and Policy

Governance 2

Addressing Security as Governance

•Set of beliefs, capabilities, actions:– Security enacted at enterprise level– Security treated as business requirement– Security considered during normal planning cycles– All business unit leaders understand how security serves as

business enabler– Security integrated into enterprise functions and processes– All personnel accessing enterprise network understand their

responsibilities•Which are most important depends on culture and business context

Page 3: Governance and Policy

Governance 3

Governance

•Setting clear expectations of conduct•Influencing to achieve expectations•Decision making

– Assigned decision rights– Accountability– Intended to produce behavior/actions

•Ensuring organization does right things and does things right

Page 4: Governance and Policy

Governance 4

Security as Institutional Priority•Information security is a human enterprise

– “lack of security awareness by users” cited as top obstacle

– overriding impact of human complexities, inconsistencies, and peculiarities

•People can become the most effective layer in an organization's defense-in-depth strategy

– with proper training, education, motivation •The first step is making sure they operate in a security conscious culture.•Ernst & Young. "Global Information Security Survey 2004."•http://www.ey.com/global/download.nsf/UK/Survey_-_Global_Information_Security_04/$file/EY_GISS_%202004_EYG.pdf

Page 5: Governance and Policy

Governance 5

Response Time

Hours

Weeks or months

Days

Minutes

Seconds

Human response: difficult/impossibleAutomated response: possible

Human response: impossibleAutomated response: Will need new paradigmsProactive blocking: possible

Con

tagi

on T

imef

ram

e

File Viruses

Macro Viruses

e-mail Worms

Blended Threats

“Warhol” Threats

“Flash” Threats

Human response: possible

Page 6: Governance and Policy

Governance 6

What Is At Risk?

–Trust –Reputation; image –Stakeholder value –Community confidence–Regulatory compliance; fines, jail time–Customer retention, growth –Customer and partner identity, privacy –Ability to offer, fulfill transactions–Staff, client morale

Page 7: Governance and Policy

Governance 7

Responsibility to Protect Digital Assets

•In excess of 80 percent of an organization’s intellectual property is in digital form •Duty of Care: Governance of Digital Security

–Govern institutional operations & conduct–Protect critical assets and processes–Protect reputation–Ensure compliance requirements are met

•[Jody Westby, PricewaterhouseCoopers, Congressional Testimony; case law]

Page 8: Governance and Policy

Governance 8

Barriers to Tackling Security• Abstract, concerned with hypothetical events• A holistic, enterprise-wide problem; not just

technical• No widely accepted measures/indicators• Disaster-preventing rather than payoff-

producing (like insurance)• Installing security safeguards can

have negative aspects

Page 9: Governance and Policy

Governance 9

Information Survivability (1)

•Focuses on sustaining the mission in the face of an ongoing attack; requires an enterprise-wide perspective•Depends on the ability of networks and systems to provide continuity of essential services, albeit degraded, in the presence of attacks, failures, or accidents•Requires that only the critical assets need the highest level of protection

Page 10: Governance and Policy

Governance 10

Information Survivability (2)

•Complements current risk management approaches that are part of an organization’s business practices•Includes (but is broader than) traditional information security•Business Judgment Rule: That which a reasonably prudent director of a similar institution would have used

Page 11: Governance and Policy

Governance 11

Shift the Security Perspective

•Institutional •Institutional•Investment•Integrated•Institution•Process•Institutional continuity/resilience

•Scope: Technical•Ownership:IT•Funding: Expense•Focus: Intermittent•Driver: External•Application: Platform/practice•Goal: IT security

ToFrom

Page 12: Governance and Policy

Governance 12

Technical problem to Institutional problem

•IT owns problem and strategy, performs primary activities

•Secure infrastructure = secure organization

•Organization owns problem and strategy

•Secure assets and processes = secure organization

to

Page 13: Governance and Policy

Governance 13

Technical ownership to Institutional ownership

•IT is driver, owner, benefactor

•CSO is a technical advisor

•Organization is driver, owner, benefactor

•CSO is trusted advisor to business

to

Page 14: Governance and Policy

Governance 14

Expense to investment

•Security activities viewed as sunk costs, expenses

•Naturally avoided by management

•Security as amortizable investment in business

•Security as “goodwill” on balance sheet raising organizational value

to

Page 15: Governance and Policy

Governance 15

IA Regulations and Standards

•National legislation (privacy, etc.)•Insurance industry requirements•Customer demand•E-torts and e-pacts

Page 16: Governance and Policy

Governance 16

Legal Perspective•Analyze applicable state laws and municipal ordinances•Assess IS vulnerabilities and risks•Review and update IS policies & procedures•Review policies & procedures for sensitive information•Scrutinize relationships with third-party vendors•Review insurance policies•Develop a rapid response plan & incident response team•Work with associations & coalitions to develop standards•“IT Security for Higher Education: A Legal Perspective.” Salomon, Kenneth; Cassat, Peter; Thibeau, Briana. Dow, Lohnes & Albertson, PLLC. EDUCAUSE/Internet2 Computer and Network Security Task Force, 2003. http://www.educause.edu/ir/library/pdf/csd2746.pdf

Page 17: Governance and Policy

Governance 17

Practice-driven to process-oriented

•Willingness to accept and implement “best practices”

•Practices as process

•Possibly out of context with organizational drivers

•Security is proactive and managed

•Driven by risk management

to

Page 18: Governance and Policy

Governance 18

Shifting the security approach

irregularreactiveimmeasurab

leabsolute

Ad-hoc and tactical

systematic

adaptivemeasure

dadequate

Managed and strategic

to

Page 19: Governance and Policy

Governance 19

How Are You ManagingInformation Risks?

•Policies, governance•Critical information assets•Who to involve•Management controls•Sustain survivability

Page 20: Governance and Policy

Governance 20

Security to Resiliency

•Managing to threat and vulnerability

•No articulation of desired state

•Possible security technology overkill

•Managing to impact and consequence

•Adequate security defined as desired state

•Security in sufficient balance to cost, risk

to

Page 21: Governance and Policy

Governance 21

A Resilient Institution Is Able To. . . • withstand systemic discontinuities and

adapt to new risk environments • be sensing, agile, networked, prepared • dynamically reinvent institutional models

and strategies as circumstances change • have the capacity to change before the

case for change becomes desperately obvious

Page 22: Governance and Policy

Governance 22

Security Strategy Questions• What needs to be protected? Why

does it need to be protected? What happens if it is not protected?

• What potential adverse consequences need to be prevented? At what cost? How much disruption can we stand before we take action?

• How do we effectively manage the residual risk?

Page 23: Governance and Policy

Governance 23

Defining Adequate Security•The condition where the protection strategies •for an organization's critical assets and processes •are commensurate with the organization's risk appetite and risk tolerances•Risk appetite and risk tolerance as defined by COSO’s Enterprise Risk Management Integrated Framework, September, 2004.

Page 24: Governance and Policy

Governance 24

Determining Adequate Security Depends On . . .

• Organizational factors: size, complexity, asset criticality, dependence on IT, impact of downtime

• Market factors: provider of critical infrastructure, openness of network, customer privacy, regulatory pressure, public disclosure

• Principle-based decisions: Accountability, Awareness, Compliance, Effectiveness, Ethics, Perspective/Scope, Risk Management, etc.

Page 25: Governance and Policy

Governance 25

Adequate Security and Operational Risk

•“Appropriate security is that which protects the organization from undue operational risks in a cost-effective manner.” •“With the advent of regulatory agencies assessing a organization’s aggregate operational risk, there needs to be a way of looking at the organization as a whole rather than its many parts.”

Page 26: Governance and Policy

Governance 26

Evolving the Security Approach

Incident Response

Process Maturation

Vulnerability Management

Security Risk Management

Institutional Security Management

Page 27: Governance and Policy

Governance 27

High Performing Organizations - 1

•Apply resources (time, effort, dollars, capital) to accomplish stated objectives, with little to no wasted effort •Regularly implement repeatable, predictable, secure, measurable, and measured operational processes•Independently evolved a system of process improvement as a natural consequence of their business demands

Page 28: Governance and Policy

Governance 28

High Performing Organizations - 2

•Use defined, verifiable controls to improve efficiency and effectiveness –Preventive, detective and corrective controls in place–Easier to audit

•Detect production variances early–Lowest cost and least impact to fix problems–Fix problems in a planned manner

•Devote increasingly more time and resources to strategic issues and new opportunities, having mastered tactical concerns

Page 29: Governance and Policy

Governance 29

High Performing Organizations - 3

•Demonstrated ability to get IT operations and security organizations working together to create:– Higher service levels (availability, high MTBF, low MTTR, low

MTTD)– High percentage of planned (vs unplanned) work– Early integration of security requirements into the service delivery

life cycle– The ability to quickly return to a known, reliable, trusted

operational state – Unusually efficient cost structures (server-to-sysadmin ratios of

100:1 or greater)– Timely identification and resolution of security incidents

Page 30: Governance and Policy

Governance 30

Areas of Pain for High Performing Organizations

• Patch management• Proliferation of “scorecards”

• Managing outsourced IT services

Page 31: Governance and Policy

Governance 31

Areas of Pain – Patch Volume

–Low performing: Adhoc, chaotic, urgent, disruptive; increase in unplanned work

–High performing: Planned, predictable, just another change -> higher change success rate

Page 32: Governance and Policy

Governance 32

Areas of Pain – Proliferation of Scorecards

–Low Performing: Look to external sources, authorities; adopt scorecard du jour

–High Performing: Have defined their own performance characteristics; can demonstrate traceability to other instruments

Page 33: Governance and Policy

Governance 33

Areas of Pain – Outsourced IT Services

Low Performing:Transfer risk; out of sight; then unable to control

High Performing: Manage like any other business unit or project; understand unique challenges; develop more bullet proof service level agreement

Page 34: Governance and Policy

Governance 34

Common Root Causes•Absence of explicit articulation of current state and desired state

– Thus current state (and companion pain) is tolerable; doesn’t hurt enough yet; don’t know that there is an alternative

•Culturally embedded belief that control is not possible– Abdication of responsibility – “throw up my hands”

•Rewards/reinforcement for personal heroics vs. repeatable, predictable discipline•Continued argument that IT ops and security are different (than other business investments or projects)•Desire for a technical solution; easier to justify and implement than people and process improvements

Page 35: Governance and Policy

Governance 35

IT Change Management• Process for efficient and timely handling of all IT

changes• Enterprise capabilities critical to achieving effective

change management:− Risk Management− Project Management− Process Management− IT Operations− Security Operations− Audit

• IIA Global Technology Audit Guide series: Change and Patch Management: Critical for Organizational Success

Page 36: Governance and Policy

Governance 36

Continuously Improving

• <5% of time spent on unplanned work

• Change success rate very high

• Service levels world class

• IT operating costs under control

• Can scale IT capacity rapidly with marginal increases in IT costs

• Change review and learning processes in place

• Able to increase capacity in a cost-effective way

Closed-Loop Process

• 15-35% of time spent on unplanned work

• Some ticketing / workflow system in place

• Changes documented and approved

• Change success rate high

• Service levels good• Server-to-admin

ratio good, but not best-of-breed

• IT costs improving but still too high

• Security incidents down

Using Honor System

• 35-50% of time spent on unplanned work

• Some technology deployed

• Right vision but no accountability

• Server-to-admin ratio too low

• IT costs too high• Process subverted

by talking to the “right” people

Reactive

• Over 50% of time spent on unplanned work

• Chaotic environment; lots of fire fighting

• MTTR very long; poor service levels

• Can only scale by throwing people at the problem

Progression of Capability

Reactive Using The Honor System Closed-Loop Change Mgt

Effec

tiven

ess

ContinuouslyImproving

Based on the IT Process Institute’s “Visible Ops” Framework

Changes control the organization:

Organization controls the changes:

Page 37: Governance and Policy

Governance 37

Measurement•Performance measurement of an enterprise's security state is conducted with the same rigor as other enterprise functions and business units. •Corporate Information Security Working Group: Report of the Best Practices and Metrics Team, December, 2004

– Thirty Information Security Program Elements with companion metrics• Governance (7 elements; 12 metrics)• Management (10 elements; 42 metrics)• Technical (13 elements; 45 metrics)

Page 38: Governance and Policy

Governance 38

Example Measures - Governance•Oversee Risk Management and Compliance

Programs Pertaining to Information Security– Percentage of key information assets for which a

comprehensive strategy has been implemented to mitigate information security risks as necessary and to maintain these risks within acceptable thresholds

– Percentage of key external requirements for which the organization has been deemed by objective audit or other means to be in compliance

Page 39: Governance and Policy

Governance 39

Example Measures - Management

•Establish Information Security Management Policies and Controls and Monitor Compliance

– Percentage of staff assigned responsibilities for information security policies and controls who have acknowledged accountability for their responsibilities in connection with those policies and controls

•Assess Information Risks, Establish Risk Thresholds and Actively Manage Risk Mitigation

– Percentage of critical information assets for which some form of risk assessment has been performed and documented as required by policy

Page 40: Governance and Policy

Governance 40

Example Measures - Technical

•Software Change Management, including Patching– Percentage of systems with the latest approved patches

installed– Percentage of software changes that were reviewed for security

impacts in advance of installation

•Incident and Vulnerability Detection and Response– Percentage of operational time that critical services were

unavailable (as seen by users and customers) due to security incidents

– Percentage of security incidents that exploited existing vulnerabilities with known solutions, patches, or workarounds

Page 41: Governance and Policy

Governance 41

What Does Effective Security Look Like at the Enterprise Level?

• No longer solely under IT’s control

• Achievable, measurable objectives are defined and included in strategic and operational plans

• Functions across the organization view security as part of their job (e.g., Audit) and are so measured

• Adequate and sustained funding is a given

• Senior executives visibly sponsor and measure this work against defined performance parameters

• Considered a requirement of being in business

Page 42: Governance and Policy

Governance 42

Governance and the Case Study

• What regulations must the convention follow?– Industry– Financial processing– SOX– Venue

• What best practices should the convention follow?