Managing information security risks
The key to managing information security is to understand that it is not an IT issue; it does not come down to having the latest firewall or virus detection software. It is a business issue. It is about formulating and implementing an appropriate security strategy; it is about best practice and it is about taking responsibility at the highest levels for information security.
In 1999, following a number of corporate scandals in the UK, Nigel Turnbull on behalf of the Institute of Chartered Accountants of England and Wales and The London Stock Exchange, issued a report which included a number of guidelines. These have since been adopted as best practice by a number of stock exchanges including Dublin’s. Among other things, they make the chief executive officer of a company responsible for business risk. Furthermore, as part of a company’s annual report, each member of the board is required to sign off on a statement that the board has reviewed and measured the risks in the organisation and taken action.
The first step in ensuring that a company’s IT infrastructure is secure is to formulate a policy. ‘This is almost like a mission statement for IT security,’ says Kieran Kelly, Head of Technology and Security Practice at PricewaterhouseCoopers. ‘Ideally it should be a one-page, hard-hitting policy that outlines the responsibility of the different groups in the organisation, whether it is data owners, managers, users and so on. But it should be simple enough for everyone to understand.’ Kelly also recommends that it should include a statement of responsibility for third parties working with the organisation, along the lines of ‘we will not do business with anyone who does not regard our data security as importantly as ourselves.’
At the same time, the organisation should take a hard look at the data it wants to protect. ‘It should get into things like data classification, threat areas, differing sensitivity of data held and rating possible business impact,’ says Conor Flynn, Technical Director of RITS, a leading data security consultancy. ‘You might have a brochureware site that would have a different threat sensitivity to a credit card payment service,’ he points out.
Although the CEO is ultimately responsible for security under the Turnbull guidelines, day-to-day security matters can be delegated. According to Brian O’Donnell, Manager of the Security Services Group, Deloitte & Touche, creating a security function, as he calls it, is one of the first steps a company should take. ‘The information security function should include a steering committee,’ he says. ‘This should include representatives of the stakeholders. They do not necessarily have to be technically savvy people but they do need to understand, or be made to understand, the importance of business security in a business context.’ The company’s Information Security Manager should sit on this committee, says O’Donnell.
But who should take on the role of Information Security Manager? Almost all of those interviewed for this article agreed that it shouldn’t be the IT manager, nor should he report to the IT manager. ‘The key thing is the reporting structure,’ says Flynn. ‘The worst thing is to have the information security manager reporting to the IT manager. He needs a certain degree of independence. He might report to the chief financial officer or someone like that, it depends on the organisation’s structure, but outside IT if possible.’
‘Ideally the information security function should be outside the control of the IT function because there is a conflict of interest between ownership and control of information security,’ explains Kelly. ‘IT should be answerable to the Information Security manager.’ As to who should have day-to-day responsibility on an operational level, Kelly says that depends on the size of the organisation. ‘Larger organisations have a separate information security manager who may head up a team. For a smaller organisation it might be the head of finance.’
Conall Lavery of Entropy expands on the reasons why the IT and Security functions should be separate. ‘The IT manager has lots of competition for his budget and delivering business application systems is highly visible. In many organisations, that is the basis for the IT manager’s short and medium term reward. Managing risk on the other hand, has no visible return on investment. In practice we are only now starting to see some larger companies move down that route. It is quite remarkable how many companies still have the IT security management function reporting to the IT manager. I do not know if there’s anything illegal about it, but good corporate governance means it has to be done the other way.’
Fish nor fowl?
According to Grellan Larkin of Sysnet, technical know-how is not absolutely necessary. ‘Should the Information Security Manager be a manager or a techie? Ideally, he should be neither fish nor fowl. It is not required that the information security manager be overly technical; it comes down to understanding risk control and management processes. If he is a techie it makes the job easier dealing with other techies, but there is a risk he will not see the big picture.’
But appointing an Information Security Manager is not enough, according to Tony Geraghty, Business Development Manager of Zerflow. ‘That does not fix the problem,’ he says. ‘It just gives a company someone to blame.’
If the Information Security Manager is to do his job effectively, then he must have the whole-hearted support of senior management. ‘The Information Security Manager must have the backing of the entire organisation to implement what people might call obstructive policies,’ says Flynn. ‘If they do not have that backing, they will be isolated and their policies will be shelved instead of implemented. It is important, therefore, that there be senior management buy-in.’
Lavery agrees. ‘Management buy in is absolutely critical,’ he says. ‘If an organisation has an information security officer just because someone said it was a good idea but does not give that person authority or act on their advice, it’s probably nearly better not having one at all.’
Once management backing is secure, it is then essential to get the rest of the organisation behind the information security manager. ‘Once you develop a policy and start to implement it, there is no point in having the security manager in an ivory tower,’ says Flynn. ‘You need staff buy-in and awareness. Staff are the foot soldiers, doing day-to-day things and will see issues as they arise. You need the staff to understand their responsibility and accountability. It makes the security manager’s job much more effective and less confrontational if everyone buys into it and understands why it is in place.’
Go out and implement
Once the security manager has the full backing of the organisation he now has to go out and implement processes and procedures consistent with the organisation’s information security policy. This involves such things as audit meetings, change control processes, being involved in new projects from the outset and having a security input into projects at the beginning of their lifecycle rather than trying to tack security on as an afterthought.
Lavery uses the analogy of quality control pre- and post-Japanese quality revolution. Before the revolution, quality control was something that happened at the end of the production process. If a unit failed the quality control test it was discarded. If too many units failed, then the quality control people went and found out what was wrong. The current model, however, is that quality control is an intrinsic part of the production process and every unit that reaches the end of the line should pass. So it should be with security.
The information security manager should also have a reasonable budget, but how much is enough? The problem is that while it is easy to quantify the return on investment for certain budgets, security does not generate a revenue stream and so it can be difficult to quantify its value.
Tony Geraghty, however, has a sure-fire way of getting the attention of his clients when it comes to looking at budgets. ‘I go to the board of directors and say “If I was to come to you with a competitor’s file, how much would that be worth to you?” The first thing they usually say is “Do you have the file on you?” but my reply to that is “Now what’s your security worth?” In the end they understand.’
Kelvin Garrahan, Information Security Architect with HP Services, does not go that far. ‘It is difficult to come up with a figure,’ he agrees. ‘But the company must remember what it is trying to protect. How do you put a cost on an item like a house? How do you put a cost on a company’s image? If a company’s Website gets hacked, what damage will they do to the corporate infrastructure? In fact they can do very little if the Website is well separated from the core data, but it’s a huge loss of face. How much value do you put on a loss of face? I would usually ask the client what is the worst case scenario. If a hacker brings down a server for a few hours, what is the damage? If they upload pornography onto a Website or network, what is the damage?’
There are other aspects, he says. ‘Under the child pornography laws, the onus is on the company to inform the Garda Siochana if it suspects that an employee is using company hardware to store child pornography. The guards can come in and confiscate any piece of equipment they feel is pertinent and that could be gone for 18 to 24 months. Given the rate of technological development in the industry, you might as well write that piece of hardware off.’
One school of thought says that a company should allocate a fixed percentage of profits or turnover. However, not everyone agrees with this approach.
‘I have seen some analysts’ reports on how much should be spent that recommend between one and four percent of turnover. However, I do not think it’s linked to turnover or profit,’ says Lavery. ‘It’s risk. For an online business like Egg – the Internet bank – it will be a higher proportion of their business. For a company with little on-line business, such as an estate agent, it would be a smaller proportion.’
O’Donnell of Deloitte & Touche has seen similar reports but feels that those figures can be misleading. ‘The measures I have seen are less in terms of turnover and more in terms of IT budget. In financial services the figure is ten percent of the IT budget and in others, three to four percent. But it all depends on how you measure it. For instance, should that figure include software licences for upgrading from, say, Windows 98 to Windows 2000 because Windows 2000 is more secure? In its strictest sense I do not think it should be. But that’s what people run into. Other things like firewalls and routers have a security function, but they have a connectivity function as well. Should they be in the security budget or not? Intrusion detection is a different thing altogether. Its function is purely security while other things have a dual mandate.’
The issue is also blurred by the question of where information security ends and physical security begins. After all, no matter what sort of intrusion detection system, anti virus or firewalls you install, they are rendered useless if someone can walk in off the street and copy your password file on to a floppy disk.
‘A more likely scenario,’ says Lavery, ‘is a contractor having access to the LAN. After all, the whole basis of a LAN is that users are trusted. The problem is even employees can’t be trusted 100 percent and contractors are a different category altogether. We were demonstrating a product to a potential client on his own laptop and while we were there someone established a connection to the customer’s machine and started looking through his files.’
Security has become such an issue that it now has its own qualifications. One of the most widely accepted is the CISSP (Certified Information Systems Security Professional) offered by the International Information Systems Security Certification Consortium or (ISC)2. (www.isc2.org) ‘This was the first certification to be internationally held in high esteem,’ says Larkin. ‘If you have a security guy in house and they have a CISSP, you are sure they know their stuff.’
The CISSP is a very broad qualification and one industry professional – who himself holds the certification – described it as ‘two millimetres thick and 50km wide.’ Holders of the CISSP are expected to be knowledgeable in ten domains: Access Control Systems & Methodology; Applications & Systems Development; Business Continuity Planning; Cryptography; Law, Investigation & Ethics; Operations Security; Physical Security; Security Architecture & Models; Security Management Practices; Telecommunications, Network & Internet Security.
‘One of the key things it teaches you is not to look at security as a technical issue but at the bigger picture,’ says Larkin. ‘And one of the other things it does, particularly for people with a technical background, is that it gives them the tools and skills to present to senior management to impress upon them how serious a threat is and its potential financial impact.’
Exams are held on a regular basis throughout the UK and the first ones in Ireland were held earlier this year.