SlideShare a Scribd company logo

Information Risk Security model and metrics

Vladimir Jirasek, profile picture
Vladimir Jirasek

This document presents a security governance, risk, and compliance (GRC) model for information risk security management. The model describes three main components: security drivers like laws and regulations, business objectives, and security threats. It then outlines the security management framework, including policies, standards, processes, and metrics. Finally, it discusses the relevant stakeholders in information security. The goal of the model and this document is to help security professionals ensure the future of their jobs by aligning information security practices with business needs.

Technology
1 of 10
Downloaded 72 times
1
2
3
4
5
6
7
8
9
10
INFORMATION  RISK  SECURITY  MANAGEMENT:     A  Model  and  Metrics     By  Vladimir  Jirasek, Information  Risk  Management  Evangelist     Contents                   Page       Section  1:  Introduction               2   1.1  The  Security  Governance,  Risk  and  Compliance  (GRC)  model     2   1.1.2 Security  Drivers             2   (i) Laws  and  regulations           2   (ii) Business  objectives           2   (iii) Security  threats             3   1.1.3 Security  Management             3   (i) Policy  framework             3   a. Policies               3   b. Standards             3   c. Artefacts             3   (ii) Processes  framework           3   (iii) Security  metrics  framework         3   1.1.4 Stakeholders               4     Section  2:  Security  Drivers               4   2.1  Business  objectives               4   2.2  Legal  and  regulatory  requirements           4   2.3  Security  threats                 4     Section  3:  Security  Management             5   3.1  The  Policy  framework               5   3.1.1  Information  security  policy             5   3.1.2  Data  classification  policy             5   (i)  Public  data               5   (ii)  Company-­‐wide  data           6   (iii)  Restricted  access  data           6   3.1.3  Employee  acceptable  policy           6   3.1.4  Information  technology  security  policy         6   3.2.  Security  standards               7   3.2.1  International  standards  for  security  policy  and  controls     7   3.2.2  Information  technology  standards           7   3.3  Security  architecture  repository             8   3.4  Process  frameworks  and  metrics             8   3.4.1  Security  processes               8   3.4.2  Security  metrics                 8   (i)  Value  at  Risk             9   Conclusion                   10     About  the  Author                 10      
Section  1:  Introduction   Information  risk  security  management  is  an  area  that  is  constantly  moving  to  respond  to  new  threats,   standards   and   technologies.   Security   is   now   a   part   of   information   risk   management,   which   in   turn   has  a  place  in  the  overall  business  risk  management  strategy.     This   document   explains   a   security   model   that   supports   business   needs,   and   explores   how   security   professionals  could  change  their  mindsets  to  help  ensure  future  job  security.     1.1  The  Security  Governance,  Risk  and  Compliance  (GRC)  model     Figure  1  below  describes  a  security  model  that  introduces  the  topic  of  security  to  business  managers   and  CIOs.     Figure  1:  Security  GRC  model Feedback:  update  business  requirements SECURITY  MANAGEMENT DRIVERS STAKEHOLDERS Correction  of  security  processes CEO  &  Board International   Policy  framework Process framework Metrics  framework Governance security   standards Information   Information   Information   Line   Security   Security   Security   management policies processes metrics   Laws  &   objectives regulations Information   Product   Drivers Security   Rules Measure Inform management Technology standards Security   People Define metrics  portal Program   Information   management Compliance security   requirements architecture Risk  &   DEFINE  security   EXECUTE  security   MEASURE  security   compliance Business   controls controls controls  maturity objectives Auditors Security   Security   threats intelligence Security   External professionals security metrics The   model   describes   three   main   areas:   (1)   Security   drivers;   (2)   Security   management;   (3)   and   Stakeholders.     1.1.5 Security  Drivers     The  three  major  drivers  for  security  are:     (i)     Laws   and   regulations:   A   company   must   comply   with   these   or   face   legal   action   or   a   fine.   For   example,   the   Data   Protection   Act   and   the   Company   Act  are   examples   of   the   legal   drivers;   PCI   DSS  is  an  example  of  a  regulation  driver.       (ii) Business   objectives:  Companies  typically   want   to   generate   profit   and   define  a  set  of  business   objectives.   Security   supports   these   business   objectives   by   protecting   systems   and   information   used   in   the   business   processes.   Think   of   protecting   Microsoft   Windows   source   code:   if   the   source   code   was   not   protected   anyone   could   compile   their   own   operating   system   without   paying   Microsoft   any   license   fee.   Hence,   Microsoft’s   business   objective   to   ‘Sell   software’   is   supported   by   the   security   objective   ‘Protect   source   code’.   Similarly,   Amazon’s   business  
objective   is   to   sell   products   in   their   online   shop;   their   business   objective   is   to   have   an   online   shop   up   24/7;   the   security   objective   is   to   keep   systems   free   of   malware   that   could   disrupt   or   slow  down  IT  systems.     (iii) Security   threats:   Security   threats   work   against   laws   and   regulations   and   business   objectives.   However,   they   also   drive   information   security,   and   companies   need   to   respond   to   threats   in   order  to  satisfy  first  two  drivers.     1.1.6 Security  Management   Within   this   area   there   are   three   frameworks   that   enable   a   company   to   achieve   the   objectives   defined  in  the  ‘drivers’  section:       (i) Policy  framework   This   is   a   set   of   policies,   standards   and   guidelines   that   describe   how   a   company   addresses   information   security   drivers,   and  define   the   security   controls   available   for   a   company   to   implement.   There  are  also  international  standards  that  can  be  source  of  information  and  control  for  the  Policy   framework.     a.   Policies   –   also   known   as   Security   Control   Objectives,   these   typically   use   words   such   as   ‘should’   and   ‘must’.   The   key   objective   of   the   security   policy   document   is   alignment   with   the   business   objectives  and  drivers.       b.   Standards   –   detailed   Security   controls   that   should   be   implemented   to   support   individual   policy   statements;  one  policy  statement  can  be  supported  by  multiple  security  controls.  These  should  be   linked  to  a  policy,  otherwise  the  security  professional  will  be  unable  to  justify  why  a  password  needs   to   be   12   characters   and   change   every   45   days,   for   instance.   The   controls   should   be   selected   from   an   internationally  accepted  catalogue  of  controls  (see  section  below  on  ‘International  Standards’).       c.   Artefacts  –  Architecture  standardisation  is  the  key  to  the  success  of  any  company,  and  the  same   applies  to  security.  If  a  solution  to  implement  a  security  control  is  found  in  the  ‘Standard’,  it  should   be   put   it   into   a   ‘Security   Architecture   Repository’.   That   way,   others   can   benefit   and,   more   importantly,  consistent  security  is  achieved.  Many  security  professionals  do  not  document  artefacts   into  a  shared  library,  which  can  often  result  in  problems  when  they  leave  the  company.       (ii) Processes  framework   This   section   in   Security   Management   implements   what   is   stated   in   the   Policy   framework.   Any   security   control   in   a   policy   or   standard   is   a   process,   no   exceptions.   Each   process   is   supported   by   people   and   most   are   supported   by   technology.   However,   there   needs   to   be   a   link   between   any   technology  the  company  has,  its  process,   and  the  corresponding  control  in  the  Policy  framework  up   to   the   business   objective.   This   enables   traceability   of   the   security   investment   and   allows   security   professionals  to  justify  security  budgets.       (iii) Security  metrics  framework   This  is  a  developing  area  of  information  security  management.  The  common  adage  –  ‘what  cannot   be  measured,  cannot  be  managed’  –  can  be  applied  equally  well  to  security.  Security  professionals   should   be   able   to   measure   the   status   of   security   controls,   the   compliance   with   their   own   policies,   and  the  effectiveness  of  security  processes.  The  key  metric  is  to  take  a  security  policy  statement  and   measure   each   team   against   it;   this   will   provide   a   balanced   scorecard   for   security.   The   metrics   framework  provides  feedback  to  the  Process  framework,  to  assist  with  security  processes  design.     1.1.7 Stakeholders   Stakeholders  are  the  recipients  of  the  security  metrics  framework  results.  The  stakeholders  need  to   know  that  what  has  been  promised  is  being  delivered.  More  importantly,  the  security  professionals   need  to  show  the  value  of  security  to  the  business.  This  is  an  area  where  security  professionals  need   to   enhance   their   skills;   they   need   to   talk   to   stakeholders,   uncover   their   concerns,   and   show   them  
that   they   are   being   addressed.   This   should   be   followed   by   a   report   that   relates   to   their   specific  area   and  concerns;  they  need  to  see  that  security  personnel  are  on  their  side!     Section  2:  Security  Drivers     2.1  Business  objectives     Security   professionals   exist   to   support   the   business.   Companies   are   driven   by   their   vision   and   mission  statements,  translated   into  business  strategies  that  describe  how  to  achieve  that  vision.  The   business  objectives  define  how  the  organisation  wants  to  achieve  its  targets.  If  a  business  objective   is  to  ‘Supply  customers  with  the  goods’,  the  security  objectives  should  be  to  protect  the  process  of   supplying  the  customer.  This  clear  link  between  business  and  security  objectives  can  sometimes  be   missing.       2.2  Legal  and  regulatory  requirements     Businesses  need  to  comply  with  legal,  regulatory   and  contractual  requirements  (listed  in  order  of   impact).  Legal  requirements  are  typically  related   A  practical  example     to   the   way   the   company   is   governed,   how   it   A  telecommunication  company  sells  mobile  phones   prepares   its   accounts   and   how   it   protects   the   and  call  plans  to  its  customers.  One  of  its  objectives  is   personal  data.  In  the  UK,  the  Company  Act  2006,   to  ‘Deliver  outstanding  customer  service,  measured  by   ‘part   15   Accounts   and   reports’,   states   clearly   the   customer  satisfaction’.  This  objective  is  supported  by  a   requirements   relating   to   how   accounts   are   business  process  ‘Customer  service’,  whereby  customer   created   and   reported.   It   also   includes   penalties   service  representatives  in  shops,  call  centres  and  online   talk  to  customers  to  solve  their  problems  and  answer   for  untrue  and  misleading  accounts.  In  the  USA,   questions.     the   Sox   legislation   was   created   after   major     financial  scandals.  The  Data  Protection  Directive,   Customer  satisfaction  is  dependent  on  a)  speed  to   Principle   7,   states   that   access   to   data   must   be   initial  contact,  and  b)  completeness  of  response.  The   limited  to  the  authorised  persons.  And  although   information  security  risks  identified  are:  1)  information   the   Data   Protection   Directive   does   not   state   systems  unavailable  or  slow  so  the  initial  response   time  is  affected;  2)  information  in  the  knowledge  base   which  security  controls  should  be  implemented,   system  is  inaccurate;  and  3)  the  customer  data  in  the   the   guidance   states   that   there   are   CRM  system  becomes  compromised,  resulting  in  a  fine   internationally   accepted   standards   relating   to   and  bad  PR.   building   information   security   systems   in   a     company.   From  this  quick  risk  analysis,  it  is  easy  to  understand     where  the  information  security  policy  needs  to  focus  and   what  the  security  objectives  should  be. As   a   result   of   this   legislation,   any   information   security   system   implementation   must   protect   data  and  information  systems  so  that  they  are:   a)  accurate  (in  security  terminology  the  word  ‘Integrity’  is  used)   b)  available,  and   c)  access  to  the  content  is  assured  (‘Confidentiality’  in  security  terminology).     2.3  Security  threats     Security   threats   affect   the   level   of   protection   (i.e.   control)   that   is   needed.   Threats   come   from   attackers   who   want   to   either   acquire   information   or   limit   business   opportunities   by   affecting   business   processes.   Microsoft   has   created  a   very  good  methodology  (STRIDE)  for  assessing  threats   and  designing  security  controls  to  prevent  threats  from  harming  business  processes.  The  role  of  the   security  model  is  to  capture  security  threats  and  design  security  objectives  and  controls  to  protect   the   business.   Security   intelligence   is   the   capability   to   analyse   security   threats   and   advise   what   controls  should  be  included  in  the  policy  framework.  
Section  3:  Security  Management     3.1  The  Policy  framework     This   is   the   first   element   of   the   ‘Security   Management’   part   of   the   model.   The   Security   Policy   is   usually   not   a   single   document,   and   rightly   so.   The   documents   in   the   Security   Policy   library   have   different  audiences  and  levels  of  detail;  see  Figure  2  below.   Figure  2:  Information  Security  Policy  framework CISO Business  and   Information  security  policy security   objectives Data  classification   Employee  acceptable   policy use  policy CIO Information  technology  security  policy Security   objectives IT  Security IT  security   standards [reuse   Architecture internationally   accepted  controls] Controls   Technology and   Security   Technical  teams processes architecture repository Processes Security  guidelines     3.1.1  Information  security  policy   The  primary  objective  of  the  Information  security  policy  is  to  state  business  objectives  and  high  level   security  objectives.  The  document  also  sets  accountabilities  for  ensuring  the  security  objectives  are   met.   The   document   should   be   owned   by   CISO   or   CSO   but   approved   by   the   Board;   as   the   Board   is   responsible  for  approval  of  business  strategy  and  objectives,  the  protection  of  these  are  obviously  in   the  Board’s  interest.     3.1.2  Data  classification  policy   The  top  level  policy  should  also  make  provision  for  a  data  classification  scheme,  which  can  then  be   detailed  in  the  Data  classification  policy.  Data  classes  depend  on  the  nature  of  the  business  but  at   the  minimum  should  include:     (i)  Public  data  that  are  in  the  public  domain.  It  is  a  mistake  to  assume  that  public  data  do  not  need   any  protection.  For  example,  take  a  company  homepage;  typically  this  is  information  that  a  company   wants  to  share  with  the  world,  i.e.  it  is  ‘Public’.  But  what  happens  if  the  information  on  the  website   changes  without  authorisation?  Examples  can  range  from  defacing  of  the  website,  to  unintentional   mistakes  by  employees,  mixing  the  product  description,  changes  in  prices  of  the  products  etc.  The   public   information   usually   needs   to   be   ‘accurate’   and   ‘available’,   but   obviously   there   is   no   requirement  to  keep  the  information  ‘confidential’.       (ii)   Company-­‐wide   data:  this  type  of  information  can  be  shared  between  employees  and  people  who   have  signed  an  NDA.  This  is  by  far  the  largest  category  of  information  in  most  organisations.  It  is  also  
referred   to   as   ‘semi-­‐public’,   and   the   bigger   the   organisation   the   greater   the   probability   of   leakage   from  employees  or  partners.       (iii)  Restricted  access  data:  some  information  will  be  accessible  on  a  need-­‐to-­‐know  basis,  depending   on   the   type   of   business.   Business   plans,   strategy,   research   data,   and   new   product   details   are   just   some  examples  of  the  information  that  should  be  well  protected.       3.1.3  Employee  acceptable  policy   This  policy  document  should  spell  out  the  most  important  policies  for  employees.  Good  security  and   HR   professionals   do   not   expect   users   to   remember   all   policy   documents.   The   objective   of   this   document  is  to  show  employees  what  is  critical  and  where  to  find  more  information.       3.1.4  Information  technology  security  policy   Most  companies  rely  on  information  technology  to  run  the  business  processes.  The  role  of  CIOs  has   become  to  support  business,  understand  where  the  company  wants  to  expand,  and  suggest  how  to   become   more   agile   and   cost   effective.   IT   can   be   a   saviour   or   a   nightmare,   depending   on   the   abilities   of  the  CIO.  The  security  policy  for  the  CIO  team  needs  to  translate  business  objectives  into  security   objectives  and  controls,  as  shown  in  Figure  3  below.     Figure  3:  Relationship  between  business  objectives  and  security  processes Provides  response   to  ‘Do  we  have  all  business  risks  covered?’ International  standards Control  C1 Control  C2 Security   Security objective   SO1 Control  C3 process  P1 Business   Control  C4 objective   BO1 Security   objective   SO2 Control  C5 Security   Business  process  B3 Business  process  B1 Business  process  B2 Business   process  P2 Control  C6 objective   BO2 Security   objective   SO3 Control  C7 Business   Security   Control  C8 objective   BO3 objective   SO4 Security   Control  C9 process  P3 Control  C10 Security   Security   objective   SO5 Control  C11 process  P4 Provides  response   to  ‘Why  are  we  doing  this?’       The   figure   shows   how   business   objectives   on   the   left   influence   security   objectives.   Each   security   objective   then   has   several   security   controls   (C1   to   C11)   and   these   are   implemented   by   security   processes.   Lastly,   the   business   processes   are   protected   by   the   security   processes.   Such   a   model   answers  two  critical  questions:     a)  Do  we  have  all  business  risks  covered?     b)  Why  are  we  spending  money  on  the  security  controls?      
Examples  of  security  objectives  are:   § Establish  security  governance   § Provide  security  training   § Manage  access  to  information   § Keep  systems  resistant  to  malware   § Establish  secure  systems/applications  processes   § Monitor  systems  for  security  events   § Manage  security  incidents   § Monitor  security  compliance     Each  security  objective  then  contains  a  number  of  security  controls.  These  are  typically  included  in   more  detailed  documents,  such  as  IT  Security  standards  and  security  artefacts.     Examples  of  security  controls  are:     § Create  the  training  material;  monitor  attendance  of  security  trainings           § Review  feedback  from  security  trainings   § Manage   accounts   in   the   IT   systems   –   create   accounts   for   new   users,   modify   when   role   changes  and  delete/disable  when  account  is  not  longer  needed   § Install   anti-­‐malware   software;   establish   and   implement   secure   configuration   for   each   operating   system   in   use;   update   configurations   on   systems   as   per   changing   threat   landscape;  patch  systems  with  vendor  patches  within  X  days     Each  control  needs  to  be  linked  to  one  or  more  security  objectives.  A  number  of  security  controls  is   part  of  a  security  process,  and  each  process  must  have  its  owner  and  must  be  measured.       Finally,   each   security   process   contributes   to   the   security   of   a   number   of   business   processes.   For   example,  the  security  process  ‘Security  configuration  &  patch  management’  ensures  that  IT  systems   used  in  the  business  process  ‘Take  order  from  customers’  runs  smoothly  and  as  expected.     3.2.  Security  standards     3.2.1  International  standards  for  security  policy  and  controls   Figure   3   shows   business   objectives,   which   will   be   specific   to   each   company.   However,   security   objectives,   whilst   supporting   the   Business   objectives,   should   be   selected   from   a   catalogue   of   internationally   recognised   ones,   and   international   standards   can   play   an   important   role.   It   is   important   to   understand   which   objectives,   controls   and   processes   to   take   ‘as   is’   and   where   a   customisation  is  needed.  Moreover,  there  might  be  business  objectives  and  business  processes  that   need   controls   that   are   not   included   in   the   international   standards.   Standardisation   is   needed   but   should  not  be  applied  blindly.  Standards  such  as  ISO27001  &  27005,  COBIT  4,  ISF  Standard  of  Good   Practice  (both  2007  and  2011  editions)  are  generally  extremely  useful.     3.2.2  Information  technology  standards   This   document,   or   set   of   documents,   contains   a   list   of   security   controls   related   to   the   technology   used  in  a  company.  As  mentioned  above,  these  controls  are  of  sufficient  detail  to  describe  what  is   required.   Further   implementation   information   is   usually   included   in   ‘Guidelines’   or   ‘Security   Artefacts’.       The  level  of  detail  included  in  technology  standards  will  range  from  high  level,  such  as  ‘Implement   account   creation   process   to   create   account   within   two   days   of   request’,   to   more   detailed,   such   as   ‘Use  Windows  2008  R2  server  with  configuration  W2k_DMZ  for  servers  located  in  the  DMZ’.        
3.3  Security  architecture  repository     Consistency   is   key   in   information   security.   TOGAF   9   has   a   good   approach   to   standardisation   and   reusability,   as   does   the   SABSA   security   framework.   Standardisation   and   reusability   ensure   higher   maturity   in   information   security.   For   this   reason,   having   a   library   of   reusable   security   architecture   components  (artefacts)  is  extremely  important.        TOGAF  9  defines  artefact  as:     “A   product   that   describes   architecture   from   a   specific   viewpoint.   Examples   include   a   network   diagram,   a   server   specification,   a   use-­‐case   specification,   a   list   of   architectural   requirements,   and   a   business   interaction   matrix.   Artefacts   are   generally   classified   as   catalogues   (lists   of   things),   matrices   (showing   relationships   between   things),   and   diagrams  (pictures  of  things)  …  ”     In   the   context   of   an   information   security   model,   artefacts   are   re-­‐usable   for   the   creation   of   information  security  architecture,  either  a  technology  (such  as  ‘We  use  Cisco  firewall  and  this  is  how   it   is   configured’)   or   a   process   (such   as   ‘We   have   standardised   our   incident   response   process   and   this   is  how  it  is  done’).       The  technology  section  of  the  repository  should  contain,  for  example:   § Standard  set  of  technologies  used  in  the  company  (related  to  security)     § Configuration   standards   for   the   technologies   above   (e.g.   Windows   7   laptop   local   security   policy  object)   § Hardening  configuration  of  Web  servers,  DB  servers  and  other  servers.     The   process   section   of   the   repository   should   contain   standard   descriptions   for   security   processes,   in   a   detail   needed   to   replicate   the   process   in   another   part   of   the   organisation,   subsidiary   or   when   acquiring   another   company.   From   experience,   the   documenting   of   processes   is   not   a   strong   skill   base  of  many  IT  and  information  security  professionals.       3.4  Process  frameworks  and  metrics       3.4.1  Security  processes   As  stated  earlier  in  this  document,  and  shown  in  Figures  1  and  3,  security  processes  are  an  integral   part   of   the   security   model.   For   example,   ISACA,   the   organisation   behind   COBIT,   ensures   that   the   default   view   in   COBIT   is   based   on   processes,   where   each   process   is   defined   by   the   objective,   stakeholders,  maturity  levels  and  controls.       Another   international   standard,   ISM3   –   now   adopted   by   the   Open   Group   –   also   sees   security   processes  as  key  to  having  mature  security  systems.  Processes  in  general  often  have  a  bad  name  due   to  their  rigidity  and  over-­‐complex  set-­‐ups;  however,  it  is  important  to  understand  that  a  process  can   easily  be  made  complex  –  it  takes  skill  to  create  processes  that  are  lean  and  adaptive.       3.4.2  Security  metrics     Measuring  of  processes  in  any  company  is  one  of  the  key  techniques  to  ensure  that  inefficiencies  are   recognised   and   corrected.   Measurement   is   a   product   of   the   industrial   revolution;   Frederick   Taylor   published   Scientific   Management   in   1911,   a   revered   work   on   the   capacity   of   observation   and   measurement   to   improve   productivity.   By   the   same   token,   security   processes   must   be   observed,   monitored  and  measured  to  improve  them.       Security  and  metrics  is  a  largely  neglected  area  in  information  security.  There  are  some  exceptions,   such  as  COBIT,  which  brings  maturity  levels  for  CIOs  and  CISOs.  Another  promising  candidate  is  the   Common  Assurance  Maturity  Model  (CAMM),  which  brings  information  security  maturity  levels  into   the  supply  chain.    
  Gartner  has  researched  IT  and  security  metrics,  and  the  relationship  between  KPI  and  KRI  (Key  Risk   Indicators).   Furthermore,   what   the   business   leaders   are   interested   in   is:   ‘What   impact   do   security   controls   (or   lack   of)   have   on   the   business   processes   and   the   bottom   line?’   Security   professionals   have,  for  long  time,  used  the  FUD  (fear,  uncertainty  and  doubt)  approach  and  are  now  finding  this   does  not  resound  with  their  audiences.     It   is   also   accepted   that   maturity   of   security   controls   and   processes   inversely   affects   risks   to   the   organisation.  The  problem  many  security  professionals  face  is  in  having  to  justify  additional  costs  to   move  from  maturity  level  2  (repeatable)  to  3  (defined)  and  beyond.         With  this  in  mind,  it  would  be  prudent  for  organisations  to  measure:   § Basic  operational  metrics  to  keep  an  eye  on  processes  (i.e.  do  they  operate  as  expected?)   § Each  security  process  for  its  maturity   § Value  at  risk,  expressed  in  £s;  a  business  process  is  exposed  due  to  low  maturity  of  security   controls  (or  lack  of  them,  as  defined  by  COBIT  level  0)     The  first  two  metrics  are  fairly  straightforward  and  well  defined.  The  last  one  is  somewhat  new  to   information   security,   though   used   in   the   financial   arena   and   general   risk   management1.   For   the   purpose  of  this  paper,  it  is  worth  having  a  look  at  it  in  more  detail.     (i)  Value  at  Risk   The   main   problem   that   Value   at   Risk   is   trying   to   solve   is   how   to   quantify   the   exposure   that   an   organisation  is  subject  to.  Further  research  into  VaR  use  in  information  security  is  needed  to  make   the  concept  practical  and  reusable.       However,  the  input  elements  into  the  calculations  should  be:   § Business   asset   value   –   information   assets   alone   or   the   value   of   a   business   process.   A   company’s   PR   image   is   a   business   asset   and   in   this   case   should   be   assigned   a   value   by   consensus  rather  than  measurement     § Security   process   maturity   –   measure   the   maturity   of   process   (and   included   controls)   that   protect  the  business  asset   § Threat   landscape   –   threats   change   over   time;   for   example,   Sony   changed   the   threat   landscape   greatly   by   prosecuting   George   Hotz   for   breaching   the   PlayStation   T&Cs.   In   combination  with  the  vulnerabilities  in  their  systems,  it  cost  them  dearly.       The  high  level  calculation  of  the  VaR  is:   1.   Measure  the  maturity  of  the  controls.  Assume  that  maturity  level  5  provides  99%  (or  lower)   protection;  lower  maturity  levels  provide  less  protection.   2.   Analyse   the   control   to   find   compensating   controls;   two   low   maturity   controls   may   work   together  to  provide  higher  protection.     3.   Analyse  the  threat  landscape  and  derive  the  likelihood  that  the  threat  agents  will  attempt  to   attack.     4.   Use   the   above   and   the   asset   value   to   come   up   with   a   probability   distribution   of   monetary   exposure     The   pound   value   for   each   asset   can   be   collected   and   summarised   in   order   to   calculate   the   total   exposure  probability  distribution.  This  will  give  CIOs  and  CISOs  a  very  useful  tool  to  demonstrate  the   risks  to  the  executive  management  and  thus  justify  the  spending.       Detailed  calculations  of  Value  at  Risk  for  information  security  have  not  yet  been  developed  and  need   further  research.  Value  at  Risk  could  also  be  used  to  justify  security  investments,  i.e.  the  reduction  in   VaR  should  be  higher  than  the  cost  spent.        
Conclusion     Information  Security  Risk  Management  must  support  the  business  objectives.  Security  professionals   should   have   open   dialogue   with   business   leaders   and   managers,   listen   to   their   concerns,   and   frequently  educate  them  about  risks.     The  security  model  can  help  with  explaining  why  security  is  important,  and  can  support  justifications   for  that  ‘rather  expensive’  piece  of  technology,  depending  on  the  point  of  view,  security  policy  and   business  appetite  for  risk.         1   McNeil,  Alexander;  Frey,  Rüdiger;  Embrechts,  Paul  (2005).  Quantitative  Risk  Management:  Concepts   Techniques  and  Tools.  Princeton  University  Press.  ISBN  978-­‐0691122557.         About  the  author     Vladimir  Jirasek  is  a  passionate  information  risk  professional  with  more  than  16  years  of  IT  industry  practise   and  over  11  years  in  Information  Security  and  IT  Security,  Risk  and  Compliance  disciplines.  He  has  both  led  and   managed  global  teams  in  Security,  Risk  and  Compliance  for  multinational  corporations  such  as  Nokia,  Tesco,   and  DTAG.       In  his  own  time  he  tries  to  give  something  back  to  the  security  community  by  participating  in  a  variety  of  key   industry  initiatives,  such  as  the  Common  Assurance  Maturity  Model  (common-­‐assurance.com),  Cloud  Security   Alliance  (cloud-­‐security.org.uk);  and  the  Open  Group’s  Jericho  forum,  working  together  with  industry  experts.     He  can  be  contacted  at  vladimir@jirasek.eu  or  on  +44  (0)  7538  790302    

More Related Content

PPTX
iCode Security Architecture Framework
Mohamed Ridha CHEBBI, CISSP
 
PPTX
Know more about exin unique information security program
Elke Couto Morgado
 
PPT
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
PDF
Evolution of Security Management
Christophe Briguet
 
PPTX
Security models for security architecture
Vladimir Jirasek
 
PDF
Improving Your Information Security Program
Seccuris Inc.
 
PPT
Introduction to Information System Security
chauhankapil
 
PDF
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
IBMSSA
 
iCode Security Architecture Framework
Mohamed Ridha CHEBBI, CISSP
 
Know more about exin unique information security program
Elke Couto Morgado
 
Information Security Identity and Access Management Administration 07072016
Leon Blum
 
Evolution of Security Management
Christophe Briguet
 
Security models for security architecture
Vladimir Jirasek
 
Improving Your Information Security Program
Seccuris Inc.
 
Introduction to Information System Security
chauhankapil
 
[Chaco] Soluciones de Seguridad – Nicolás Pérez, Giux
IBMSSA
 

What's hot (18)

PDF
2010-02 Building Security Architecture Framework
Raleigh ISSA
 
PDF
Chapter1
tammy1124
 
PPTX
Information Security By Design
Nalneesh Gaur
 
PPTX
Information security management (bel g. ragad)
Rois Solihin
 
PPS
ISO 27001 2013 isms final overview
Naresh Rao
 
PDF
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
 
PPTX
02 sasaran kendali pencapaian tujuan v05
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
PDF
Chapter 10 security standart
newbie2019
 
PPTX
Sådan undgår du misbrug af kundedata og fortrolig information
IBM Danmark
 
PDF
How Does IBM Deliver Cloud Security Paper
IBM
 
PDF
Telebiometric information security and safety management
Phil Griffin
 
PPT
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
PDF
Data Integrity Protection
proitsolutions
 
PDF
ISO 27001
n|u - The Open Security Community
 
PDF
“8th National Biennial Conference on Medical Informatics 2012”
Ashu Ash
 
PPSX
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
PPTX
Mr. ahmed obaid the ceo guide to implement iso 27001
qualitysummit
 
PDF
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
2010-02 Building Security Architecture Framework
Raleigh ISSA
 
Chapter1
tammy1124
 
Information Security By Design
Nalneesh Gaur
 
Information security management (bel g. ragad)
Rois Solihin
 
ISO 27001 2013 isms final overview
Naresh Rao
 
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
 
02 sasaran kendali pencapaian tujuan v05
Sarwono Sutikno, Dr.Eng.,CISA,CISSP,CISM,CSX-F
 
Chapter 10 security standart
newbie2019
 
Sådan undgår du misbrug af kundedata og fortrolig information
IBM Danmark
 
How Does IBM Deliver Cloud Security Paper
IBM
 
Telebiometric information security and safety management
Phil Griffin
 
ISO 27001 - Information Security Management System
Muhammad Faisal Naqvi, CISSP, CISA, AMBCI, ITIL, ISMS LA n Master
 
Data Integrity Protection
proitsolutions
 
ISO 27001
n|u - The Open Security Community
 
“8th National Biennial Conference on Medical Informatics 2012”
Ashu Ash
 
1 Info Sec+Risk Mgmt
Alfred Ouyang
 
Mr. ahmed obaid the ceo guide to implement iso 27001
qualitysummit
 
International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Ad

Similar to Information Risk Security model and metrics (20)

PPTX
Infosec policies to appsec standards ed final
eadams2330
 
PDF
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
PDF
Information Governance
Vicky Makhija
 
PPTX
Chapter 1 Introduction about information assurance.pptx
mc0225225
 
PDF
Fadi Mutlak - Information security governance
nooralmousa
 
PPTX
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
PDF
Making Executives Accountable for IT Security
Seccuris Inc.
 
PDF
15466 mba technology_white_paper
wardell henley
 
PDF
15466 mba technology_white_paper
MD ASAD KHAN
 
PDF
CISSP Summary V1.1
christianreina
 
PPT
MIS chap # 9.....
Syed Muhammad Zeejah Hashmi
 
PPT
Information Security Framework
ssuser65fa31
 
PDF
E-Mail Compliance Frameworks in the Real World
Chris Byrne
 
PPTX
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
PPT
Security Maturity Assessment
Claude Baudoin
 
PPTX
Sw keynote
gueste69f645
 
PPT
Cyber crime with privention
Manish Dixit Ceh
 
PDF
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
Sasha Nunke
 
PDF
TRUSTe Online Security Guidelines v2.0
TRUSTe
 
PDF
Infrastructure Services Market 2009
Dr. Jimmy Schwarzkopf
 
Infosec policies to appsec standards ed final
eadams2330
 
TOGAF 9 - Security Architecture Ver1 0
Maganathin Veeraragaloo
 
Information Governance
Vicky Makhija
 
Chapter 1 Introduction about information assurance.pptx
mc0225225
 
Fadi Mutlak - Information security governance
nooralmousa
 
Information Security Management System ISO/IEC 27001:2005
ControlCase
 
Making Executives Accountable for IT Security
Seccuris Inc.
 
15466 mba technology_white_paper
wardell henley
 
15466 mba technology_white_paper
MD ASAD KHAN
 
CISSP Summary V1.1
christianreina
 
MIS chap # 9.....
Syed Muhammad Zeejah Hashmi
 
Information Security Framework
ssuser65fa31
 
E-Mail Compliance Frameworks in the Real World
Chris Byrne
 
Information Security and the SDLC
BDPA Charlotte - Information Technology Thought Leaders
 
Security Maturity Assessment
Claude Baudoin
 
Sw keynote
gueste69f645
 
Cyber crime with privention
Manish Dixit Ceh
 
7 Mistakes of IT Security Compliance - and Steps to Avoid Them
Sasha Nunke
 
TRUSTe Online Security Guidelines v2.0
TRUSTe
 
Infrastructure Services Market 2009
Dr. Jimmy Schwarzkopf
 
Ad

More from Vladimir Jirasek (16)

PDF
Vulnerability management - beyond scanning
Vladimir Jirasek
 
PPTX
Vulnerability Management @ DevSecOps London Gathering
Vladimir Jirasek
 
PPTX
C-Level tools for Cloud security
Vladimir Jirasek
 
PPTX
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 
PPTX
Cloud security and security architecture
Vladimir Jirasek
 
PPTX
2012 10 cloud security architecture
Vladimir Jirasek
 
PPT
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
KEY
Security architecture for LSE 2009
Vladimir Jirasek
 
PPTX
Mobile security summit - 10 mobile risks
Vladimir Jirasek
 
PPTX
Integrating Qualys into the patch and vulnerability management processes
Vladimir Jirasek
 
PPTX
Securing mobile population for White Hats
Vladimir Jirasek
 
PPTX
Meaningfull security metrics
Vladimir Jirasek
 
PPTX
CAMM presentation for Cyber Security Gas and Oil june 2011
Vladimir Jirasek
 
PDF
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
Vladimir Jirasek
 
PPT
Qualys Webex 24 June 2008
Vladimir Jirasek
 
PPTX
Federation For The Cloud Opportunities For A Single Identity
Vladimir Jirasek
 
Vulnerability management - beyond scanning
Vladimir Jirasek
 
Vulnerability Management @ DevSecOps London Gathering
Vladimir Jirasek
 
C-Level tools for Cloud security
Vladimir Jirasek
 
Secure your cloud applications by building solid foundations with enterprise ...
Vladimir Jirasek
 
Cloud security and security architecture
Vladimir Jirasek
 
2012 10 cloud security architecture
Vladimir Jirasek
 
Mobile phone as Trusted identity assistant
Vladimir Jirasek
 
Security architecture for LSE 2009
Vladimir Jirasek
 
Mobile security summit - 10 mobile risks
Vladimir Jirasek
 
Integrating Qualys into the patch and vulnerability management processes
Vladimir Jirasek
 
Securing mobile population for White Hats
Vladimir Jirasek
 
Meaningfull security metrics
Vladimir Jirasek
 
CAMM presentation for Cyber Security Gas and Oil june 2011
Vladimir Jirasek
 
ISE UK&Ireland 2008 Showcase Nominee Presentation Vladimir Jirasek
Vladimir Jirasek
 
Qualys Webex 24 June 2008
Vladimir Jirasek
 
Federation For The Cloud Opportunities For A Single Identity
Vladimir Jirasek
 

Recently uploaded (20)

PPTX
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Advanced IT Governance
University of Hertfordshire
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Modernizing your data center with Dell and AMD
Principled Technologies
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
breach-and-attack-simulation-cybersecurity-india-chennai-defenderrabbit-2025....
defencerabbit Team
 
Cloud computing and distributed systems.
kkkkkhan
 
Advanced IT Governance
University of Hertfordshire
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Modernizing your data center with Dell and AMD
Principled Technologies
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
GamePlan Trading System Review: Professional Trader's Honest Take
SOFTTECHHUB
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 

Information Risk Security model and metrics

  • 1. INFORMATION  RISK  SECURITY  MANAGEMENT:     A  Model  and  Metrics     By  Vladimir  Jirasek, Information  Risk  Management  Evangelist     Contents                   Page       Section  1:  Introduction               2   1.1  The  Security  Governance,  Risk  and  Compliance  (GRC)  model     2   1.1.2 Security  Drivers             2   (i) Laws  and  regulations           2   (ii) Business  objectives           2   (iii) Security  threats             3   1.1.3 Security  Management             3   (i) Policy  framework             3   a. Policies               3   b. Standards             3   c. Artefacts             3   (ii) Processes  framework           3   (iii) Security  metrics  framework         3   1.1.4 Stakeholders               4     Section  2:  Security  Drivers               4   2.1  Business  objectives               4   2.2  Legal  and  regulatory  requirements           4   2.3  Security  threats                 4     Section  3:  Security  Management             5   3.1  The  Policy  framework               5   3.1.1  Information  security  policy             5   3.1.2  Data  classification  policy             5   (i)  Public  data               5   (ii)  Company-­‐wide  data           6   (iii)  Restricted  access  data           6   3.1.3  Employee  acceptable  policy           6   3.1.4  Information  technology  security  policy         6   3.2.  Security  standards               7   3.2.1  International  standards  for  security  policy  and  controls     7   3.2.2  Information  technology  standards           7   3.3  Security  architecture  repository             8   3.4  Process  frameworks  and  metrics             8   3.4.1  Security  processes               8   3.4.2  Security  metrics                 8   (i)  Value  at  Risk             9   Conclusion                   10     About  the  Author                 10      
  • 2. Section  1:  Introduction   Information  risk  security  management  is  an  area  that  is  constantly  moving  to  respond  to  new  threats,   standards   and   technologies.   Security   is   now   a   part   of   information   risk   management,   which   in   turn   has  a  place  in  the  overall  business  risk  management  strategy.     This   document   explains   a   security   model   that   supports   business   needs,   and   explores   how   security   professionals  could  change  their  mindsets  to  help  ensure  future  job  security.     1.1  The  Security  Governance,  Risk  and  Compliance  (GRC)  model     Figure  1  below  describes  a  security  model  that  introduces  the  topic  of  security  to  business  managers   and  CIOs.     Figure  1:  Security  GRC  model Feedback:  update  business  requirements SECURITY  MANAGEMENT DRIVERS STAKEHOLDERS Correction  of  security  processes CEO  &  Board International   Policy  framework Process framework Metrics  framework Governance security   standards Information   Information   Information   Line   Security   Security   Security   management policies processes metrics   Laws  &   objectives regulations Information   Product   Drivers Security   Rules Measure Inform management Technology standards Security   People Define metrics  portal Program   Information   management Compliance security   requirements architecture Risk  &   DEFINE  security   EXECUTE  security   MEASURE  security   compliance Business   controls controls controls  maturity objectives Auditors Security   Security   threats intelligence Security   External professionals security metrics The   model   describes   three   main   areas:   (1)   Security   drivers;   (2)   Security   management;   (3)   and   Stakeholders.     1.1.5 Security  Drivers     The  three  major  drivers  for  security  are:     (i)     Laws   and   regulations:   A   company   must   comply   with   these   or   face   legal   action   or   a   fine.   For   example,   the   Data   Protection   Act   and   the   Company   Act  are   examples   of   the   legal   drivers;   PCI   DSS  is  an  example  of  a  regulation  driver.       (ii) Business   objectives:  Companies  typically   want   to   generate   profit   and   define  a  set  of  business   objectives.   Security   supports   these   business   objectives   by   protecting   systems   and   information   used   in   the   business   processes.   Think   of   protecting   Microsoft   Windows   source   code:   if   the   source   code   was   not   protected   anyone   could   compile   their   own   operating   system   without   paying   Microsoft   any   license   fee.   Hence,   Microsoft’s   business   objective   to   ‘Sell   software’   is   supported   by   the   security   objective   ‘Protect   source   code’.   Similarly,   Amazon’s   business  
  • 3. objective   is   to   sell   products   in   their   online   shop;   their   business   objective   is   to   have   an   online   shop   up   24/7;   the   security   objective   is   to   keep   systems   free   of   malware   that   could   disrupt   or   slow  down  IT  systems.     (iii) Security   threats:   Security   threats   work   against   laws   and   regulations   and   business   objectives.   However,   they   also   drive   information   security,   and   companies   need   to   respond   to   threats   in   order  to  satisfy  first  two  drivers.     1.1.6 Security  Management   Within   this   area   there   are   three   frameworks   that   enable   a   company   to   achieve   the   objectives   defined  in  the  ‘drivers’  section:       (i) Policy  framework   This   is   a   set   of   policies,   standards   and   guidelines   that   describe   how   a   company   addresses   information   security   drivers,   and  define   the   security   controls   available   for   a   company   to   implement.   There  are  also  international  standards  that  can  be  source  of  information  and  control  for  the  Policy   framework.     a.   Policies   –   also   known   as   Security   Control   Objectives,   these   typically   use   words   such   as   ‘should’   and   ‘must’.   The   key   objective   of   the   security   policy   document   is   alignment   with   the   business   objectives  and  drivers.       b.   Standards   –   detailed   Security   controls   that   should   be   implemented   to   support   individual   policy   statements;  one  policy  statement  can  be  supported  by  multiple  security  controls.  These  should  be   linked  to  a  policy,  otherwise  the  security  professional  will  be  unable  to  justify  why  a  password  needs   to   be   12   characters   and   change   every   45   days,   for   instance.   The   controls   should   be   selected   from   an   internationally  accepted  catalogue  of  controls  (see  section  below  on  ‘International  Standards’).       c.   Artefacts  –  Architecture  standardisation  is  the  key  to  the  success  of  any  company,  and  the  same   applies  to  security.  If  a  solution  to  implement  a  security  control  is  found  in  the  ‘Standard’,  it  should   be   put   it   into   a   ‘Security   Architecture   Repository’.   That   way,   others   can   benefit   and,   more   importantly,  consistent  security  is  achieved.  Many  security  professionals  do  not  document  artefacts   into  a  shared  library,  which  can  often  result  in  problems  when  they  leave  the  company.       (ii) Processes  framework   This   section   in   Security   Management   implements   what   is   stated   in   the   Policy   framework.   Any   security   control   in   a   policy   or   standard   is   a   process,   no   exceptions.   Each   process   is   supported   by   people   and   most   are   supported   by   technology.   However,   there   needs   to   be   a   link   between   any   technology  the  company  has,  its  process,   and  the  corresponding  control  in  the  Policy  framework  up   to   the   business   objective.   This   enables   traceability   of   the   security   investment   and   allows   security   professionals  to  justify  security  budgets.       (iii) Security  metrics  framework   This  is  a  developing  area  of  information  security  management.  The  common  adage  –  ‘what  cannot   be  measured,  cannot  be  managed’  –  can  be  applied  equally  well  to  security.  Security  professionals   should   be   able   to   measure   the   status   of   security   controls,   the   compliance   with   their   own   policies,   and  the  effectiveness  of  security  processes.  The  key  metric  is  to  take  a  security  policy  statement  and   measure   each   team   against   it;   this   will   provide   a   balanced   scorecard   for   security.   The   metrics   framework  provides  feedback  to  the  Process  framework,  to  assist  with  security  processes  design.     1.1.7 Stakeholders   Stakeholders  are  the  recipients  of  the  security  metrics  framework  results.  The  stakeholders  need  to   know  that  what  has  been  promised  is  being  delivered.  More  importantly,  the  security  professionals   need  to  show  the  value  of  security  to  the  business.  This  is  an  area  where  security  professionals  need   to   enhance   their   skills;   they   need   to   talk   to   stakeholders,   uncover   their   concerns,   and   show   them  
  • 4. that   they   are   being   addressed.   This   should   be   followed   by   a   report   that   relates   to   their   specific  area   and  concerns;  they  need  to  see  that  security  personnel  are  on  their  side!     Section  2:  Security  Drivers     2.1  Business  objectives     Security   professionals   exist   to   support   the   business.   Companies   are   driven   by   their   vision   and   mission  statements,  translated   into  business  strategies  that  describe  how  to  achieve  that  vision.  The   business  objectives  define  how  the  organisation  wants  to  achieve  its  targets.  If  a  business  objective   is  to  ‘Supply  customers  with  the  goods’,  the  security  objectives  should  be  to  protect  the  process  of   supplying  the  customer.  This  clear  link  between  business  and  security  objectives  can  sometimes  be   missing.       2.2  Legal  and  regulatory  requirements     Businesses  need  to  comply  with  legal,  regulatory   and  contractual  requirements  (listed  in  order  of   impact).  Legal  requirements  are  typically  related   A  practical  example     to   the   way   the   company   is   governed,   how   it   A  telecommunication  company  sells  mobile  phones   prepares   its   accounts   and   how   it   protects   the   and  call  plans  to  its  customers.  One  of  its  objectives  is   personal  data.  In  the  UK,  the  Company  Act  2006,   to  ‘Deliver  outstanding  customer  service,  measured  by   ‘part   15   Accounts   and   reports’,   states   clearly   the   customer  satisfaction’.  This  objective  is  supported  by  a   requirements   relating   to   how   accounts   are   business  process  ‘Customer  service’,  whereby  customer   created   and   reported.   It   also   includes   penalties   service  representatives  in  shops,  call  centres  and  online   talk  to  customers  to  solve  their  problems  and  answer   for  untrue  and  misleading  accounts.  In  the  USA,   questions.     the   Sox   legislation   was   created   after   major     financial  scandals.  The  Data  Protection  Directive,   Customer  satisfaction  is  dependent  on  a)  speed  to   Principle   7,   states   that   access   to   data   must   be   initial  contact,  and  b)  completeness  of  response.  The   limited  to  the  authorised  persons.  And  although   information  security  risks  identified  are:  1)  information   the   Data   Protection   Directive   does   not   state   systems  unavailable  or  slow  so  the  initial  response   time  is  affected;  2)  information  in  the  knowledge  base   which  security  controls  should  be  implemented,   system  is  inaccurate;  and  3)  the  customer  data  in  the   the   guidance   states   that   there   are   CRM  system  becomes  compromised,  resulting  in  a  fine   internationally   accepted   standards   relating   to   and  bad  PR.   building   information   security   systems   in   a     company.   From  this  quick  risk  analysis,  it  is  easy  to  understand     where  the  information  security  policy  needs  to  focus  and   what  the  security  objectives  should  be. As   a   result   of   this   legislation,   any   information   security   system   implementation   must   protect   data  and  information  systems  so  that  they  are:   a)  accurate  (in  security  terminology  the  word  ‘Integrity’  is  used)   b)  available,  and   c)  access  to  the  content  is  assured  (‘Confidentiality’  in  security  terminology).     2.3  Security  threats     Security   threats   affect   the   level   of   protection   (i.e.   control)   that   is   needed.   Threats   come   from   attackers   who   want   to   either   acquire   information   or   limit   business   opportunities   by   affecting   business   processes.   Microsoft   has   created  a   very  good  methodology  (STRIDE)  for  assessing  threats   and  designing  security  controls  to  prevent  threats  from  harming  business  processes.  The  role  of  the   security  model  is  to  capture  security  threats  and  design  security  objectives  and  controls  to  protect   the   business.   Security   intelligence   is   the   capability   to   analyse   security   threats   and   advise   what   controls  should  be  included  in  the  policy  framework.  
  • 5. Section  3:  Security  Management     3.1  The  Policy  framework     This   is   the   first   element   of   the   ‘Security   Management’   part   of   the   model.   The   Security   Policy   is   usually   not   a   single   document,   and   rightly   so.   The   documents   in   the   Security   Policy   library   have   different  audiences  and  levels  of  detail;  see  Figure  2  below.   Figure  2:  Information  Security  Policy  framework CISO Business  and   Information  security  policy security   objectives Data  classification   Employee  acceptable   policy use  policy CIO Information  technology  security  policy Security   objectives IT  Security IT  security   standards [reuse   Architecture internationally   accepted  controls] Controls   Technology and   Security   Technical  teams processes architecture repository Processes Security  guidelines     3.1.1  Information  security  policy   The  primary  objective  of  the  Information  security  policy  is  to  state  business  objectives  and  high  level   security  objectives.  The  document  also  sets  accountabilities  for  ensuring  the  security  objectives  are   met.   The   document   should   be   owned   by   CISO   or   CSO   but   approved   by   the   Board;   as   the   Board   is   responsible  for  approval  of  business  strategy  and  objectives,  the  protection  of  these  are  obviously  in   the  Board’s  interest.     3.1.2  Data  classification  policy   The  top  level  policy  should  also  make  provision  for  a  data  classification  scheme,  which  can  then  be   detailed  in  the  Data  classification  policy.  Data  classes  depend  on  the  nature  of  the  business  but  at   the  minimum  should  include:     (i)  Public  data  that  are  in  the  public  domain.  It  is  a  mistake  to  assume  that  public  data  do  not  need   any  protection.  For  example,  take  a  company  homepage;  typically  this  is  information  that  a  company   wants  to  share  with  the  world,  i.e.  it  is  ‘Public’.  But  what  happens  if  the  information  on  the  website   changes  without  authorisation?  Examples  can  range  from  defacing  of  the  website,  to  unintentional   mistakes  by  employees,  mixing  the  product  description,  changes  in  prices  of  the  products  etc.  The   public   information   usually   needs   to   be   ‘accurate’   and   ‘available’,   but   obviously   there   is   no   requirement  to  keep  the  information  ‘confidential’.       (ii)   Company-­‐wide   data:  this  type  of  information  can  be  shared  between  employees  and  people  who   have  signed  an  NDA.  This  is  by  far  the  largest  category  of  information  in  most  organisations.  It  is  also  
  • 6. referred   to   as   ‘semi-­‐public’,   and   the   bigger   the   organisation   the   greater   the   probability   of   leakage   from  employees  or  partners.       (iii)  Restricted  access  data:  some  information  will  be  accessible  on  a  need-­‐to-­‐know  basis,  depending   on   the   type   of   business.   Business   plans,   strategy,   research   data,   and   new   product   details   are   just   some  examples  of  the  information  that  should  be  well  protected.       3.1.3  Employee  acceptable  policy   This  policy  document  should  spell  out  the  most  important  policies  for  employees.  Good  security  and   HR   professionals   do   not   expect   users   to   remember   all   policy   documents.   The   objective   of   this   document  is  to  show  employees  what  is  critical  and  where  to  find  more  information.       3.1.4  Information  technology  security  policy   Most  companies  rely  on  information  technology  to  run  the  business  processes.  The  role  of  CIOs  has   become  to  support  business,  understand  where  the  company  wants  to  expand,  and  suggest  how  to   become   more   agile   and   cost   effective.   IT   can   be   a   saviour   or   a   nightmare,   depending   on   the   abilities   of  the  CIO.  The  security  policy  for  the  CIO  team  needs  to  translate  business  objectives  into  security   objectives  and  controls,  as  shown  in  Figure  3  below.     Figure  3:  Relationship  between  business  objectives  and  security  processes Provides  response   to  ‘Do  we  have  all  business  risks  covered?’ International  standards Control  C1 Control  C2 Security   Security objective   SO1 Control  C3 process  P1 Business   Control  C4 objective   BO1 Security   objective   SO2 Control  C5 Security   Business  process  B3 Business  process  B1 Business  process  B2 Business   process  P2 Control  C6 objective   BO2 Security   objective   SO3 Control  C7 Business   Security   Control  C8 objective   BO3 objective   SO4 Security   Control  C9 process  P3 Control  C10 Security   Security   objective   SO5 Control  C11 process  P4 Provides  response   to  ‘Why  are  we  doing  this?’       The   figure   shows   how   business   objectives   on   the   left   influence   security   objectives.   Each   security   objective   then   has   several   security   controls   (C1   to   C11)   and   these   are   implemented   by   security   processes.   Lastly,   the   business   processes   are   protected   by   the   security   processes.   Such   a   model   answers  two  critical  questions:     a)  Do  we  have  all  business  risks  covered?     b)  Why  are  we  spending  money  on  the  security  controls?      
  • 7. Examples  of  security  objectives  are:   § Establish  security  governance   § Provide  security  training   § Manage  access  to  information   § Keep  systems  resistant  to  malware   § Establish  secure  systems/applications  processes   § Monitor  systems  for  security  events   § Manage  security  incidents   § Monitor  security  compliance     Each  security  objective  then  contains  a  number  of  security  controls.  These  are  typically  included  in   more  detailed  documents,  such  as  IT  Security  standards  and  security  artefacts.     Examples  of  security  controls  are:     § Create  the  training  material;  monitor  attendance  of  security  trainings           § Review  feedback  from  security  trainings   § Manage   accounts   in   the   IT   systems   –   create   accounts   for   new   users,   modify   when   role   changes  and  delete/disable  when  account  is  not  longer  needed   § Install   anti-­‐malware   software;   establish   and   implement   secure   configuration   for   each   operating   system   in   use;   update   configurations   on   systems   as   per   changing   threat   landscape;  patch  systems  with  vendor  patches  within  X  days     Each  control  needs  to  be  linked  to  one  or  more  security  objectives.  A  number  of  security  controls  is   part  of  a  security  process,  and  each  process  must  have  its  owner  and  must  be  measured.       Finally,   each   security   process   contributes   to   the   security   of   a   number   of   business   processes.   For   example,  the  security  process  ‘Security  configuration  &  patch  management’  ensures  that  IT  systems   used  in  the  business  process  ‘Take  order  from  customers’  runs  smoothly  and  as  expected.     3.2.  Security  standards     3.2.1  International  standards  for  security  policy  and  controls   Figure   3   shows   business   objectives,   which   will   be   specific   to   each   company.   However,   security   objectives,   whilst   supporting   the   Business   objectives,   should   be   selected   from   a   catalogue   of   internationally   recognised   ones,   and   international   standards   can   play   an   important   role.   It   is   important   to   understand   which   objectives,   controls   and   processes   to   take   ‘as   is’   and   where   a   customisation  is  needed.  Moreover,  there  might  be  business  objectives  and  business  processes  that   need   controls   that   are   not   included   in   the   international   standards.   Standardisation   is   needed   but   should  not  be  applied  blindly.  Standards  such  as  ISO27001  &  27005,  COBIT  4,  ISF  Standard  of  Good   Practice  (both  2007  and  2011  editions)  are  generally  extremely  useful.     3.2.2  Information  technology  standards   This   document,   or   set   of   documents,   contains   a   list   of   security   controls   related   to   the   technology   used  in  a  company.  As  mentioned  above,  these  controls  are  of  sufficient  detail  to  describe  what  is   required.   Further   implementation   information   is   usually   included   in   ‘Guidelines’   or   ‘Security   Artefacts’.       The  level  of  detail  included  in  technology  standards  will  range  from  high  level,  such  as  ‘Implement   account   creation   process   to   create   account   within   two   days   of   request’,   to   more   detailed,   such   as   ‘Use  Windows  2008  R2  server  with  configuration  W2k_DMZ  for  servers  located  in  the  DMZ’.        
  • 8. 3.3  Security  architecture  repository     Consistency   is   key   in   information   security.   TOGAF   9   has   a   good   approach   to   standardisation   and   reusability,   as   does   the   SABSA   security   framework.   Standardisation   and   reusability   ensure   higher   maturity   in   information   security.   For   this   reason,   having   a   library   of   reusable   security   architecture   components  (artefacts)  is  extremely  important.        TOGAF  9  defines  artefact  as:     “A   product   that   describes   architecture   from   a   specific   viewpoint.   Examples   include   a   network   diagram,   a   server   specification,   a   use-­‐case   specification,   a   list   of   architectural   requirements,   and   a   business   interaction   matrix.   Artefacts   are   generally   classified   as   catalogues   (lists   of   things),   matrices   (showing   relationships   between   things),   and   diagrams  (pictures  of  things)  …  ”     In   the   context   of   an   information   security   model,   artefacts   are   re-­‐usable   for   the   creation   of   information  security  architecture,  either  a  technology  (such  as  ‘We  use  Cisco  firewall  and  this  is  how   it   is   configured’)   or   a   process   (such   as   ‘We   have   standardised   our   incident   response   process   and   this   is  how  it  is  done’).       The  technology  section  of  the  repository  should  contain,  for  example:   § Standard  set  of  technologies  used  in  the  company  (related  to  security)     § Configuration   standards   for   the   technologies   above   (e.g.   Windows   7   laptop   local   security   policy  object)   § Hardening  configuration  of  Web  servers,  DB  servers  and  other  servers.     The   process   section   of   the   repository   should   contain   standard   descriptions   for   security   processes,   in   a   detail   needed   to   replicate   the   process   in   another   part   of   the   organisation,   subsidiary   or   when   acquiring   another   company.   From   experience,   the   documenting   of   processes   is   not   a   strong   skill   base  of  many  IT  and  information  security  professionals.       3.4  Process  frameworks  and  metrics       3.4.1  Security  processes   As  stated  earlier  in  this  document,  and  shown  in  Figures  1  and  3,  security  processes  are  an  integral   part   of   the   security   model.   For   example,   ISACA,   the   organisation   behind   COBIT,   ensures   that   the   default   view   in   COBIT   is   based   on   processes,   where   each   process   is   defined   by   the   objective,   stakeholders,  maturity  levels  and  controls.       Another   international   standard,   ISM3   –   now   adopted   by   the   Open   Group   –   also   sees   security   processes  as  key  to  having  mature  security  systems.  Processes  in  general  often  have  a  bad  name  due   to  their  rigidity  and  over-­‐complex  set-­‐ups;  however,  it  is  important  to  understand  that  a  process  can   easily  be  made  complex  –  it  takes  skill  to  create  processes  that  are  lean  and  adaptive.       3.4.2  Security  metrics     Measuring  of  processes  in  any  company  is  one  of  the  key  techniques  to  ensure  that  inefficiencies  are   recognised   and   corrected.   Measurement   is   a   product   of   the   industrial   revolution;   Frederick   Taylor   published   Scientific   Management   in   1911,   a   revered   work   on   the   capacity   of   observation   and   measurement   to   improve   productivity.   By   the   same   token,   security   processes   must   be   observed,   monitored  and  measured  to  improve  them.       Security  and  metrics  is  a  largely  neglected  area  in  information  security.  There  are  some  exceptions,   such  as  COBIT,  which  brings  maturity  levels  for  CIOs  and  CISOs.  Another  promising  candidate  is  the   Common  Assurance  Maturity  Model  (CAMM),  which  brings  information  security  maturity  levels  into   the  supply  chain.    
  • 9.   Gartner  has  researched  IT  and  security  metrics,  and  the  relationship  between  KPI  and  KRI  (Key  Risk   Indicators).   Furthermore,   what   the   business   leaders   are   interested   in   is:   ‘What   impact   do   security   controls   (or   lack   of)   have   on   the   business   processes   and   the   bottom   line?’   Security   professionals   have,  for  long  time,  used  the  FUD  (fear,  uncertainty  and  doubt)  approach  and  are  now  finding  this   does  not  resound  with  their  audiences.     It   is   also   accepted   that   maturity   of   security   controls   and   processes   inversely   affects   risks   to   the   organisation.  The  problem  many  security  professionals  face  is  in  having  to  justify  additional  costs  to   move  from  maturity  level  2  (repeatable)  to  3  (defined)  and  beyond.         With  this  in  mind,  it  would  be  prudent  for  organisations  to  measure:   § Basic  operational  metrics  to  keep  an  eye  on  processes  (i.e.  do  they  operate  as  expected?)   § Each  security  process  for  its  maturity   § Value  at  risk,  expressed  in  £s;  a  business  process  is  exposed  due  to  low  maturity  of  security   controls  (or  lack  of  them,  as  defined  by  COBIT  level  0)     The  first  two  metrics  are  fairly  straightforward  and  well  defined.  The  last  one  is  somewhat  new  to   information   security,   though   used   in   the   financial   arena   and   general   risk   management1.   For   the   purpose  of  this  paper,  it  is  worth  having  a  look  at  it  in  more  detail.     (i)  Value  at  Risk   The   main   problem   that   Value   at   Risk   is   trying   to   solve   is   how   to   quantify   the   exposure   that   an   organisation  is  subject  to.  Further  research  into  VaR  use  in  information  security  is  needed  to  make   the  concept  practical  and  reusable.       However,  the  input  elements  into  the  calculations  should  be:   § Business   asset   value   –   information   assets   alone   or   the   value   of   a   business   process.   A   company’s   PR   image   is   a   business   asset   and   in   this   case   should   be   assigned   a   value   by   consensus  rather  than  measurement     § Security   process   maturity   –   measure   the   maturity   of   process   (and   included   controls)   that   protect  the  business  asset   § Threat   landscape   –   threats   change   over   time;   for   example,   Sony   changed   the   threat   landscape   greatly   by   prosecuting   George   Hotz   for   breaching   the   PlayStation   T&Cs.   In   combination  with  the  vulnerabilities  in  their  systems,  it  cost  them  dearly.       The  high  level  calculation  of  the  VaR  is:   1.   Measure  the  maturity  of  the  controls.  Assume  that  maturity  level  5  provides  99%  (or  lower)   protection;  lower  maturity  levels  provide  less  protection.   2.   Analyse   the   control   to   find   compensating   controls;   two   low   maturity   controls   may   work   together  to  provide  higher  protection.     3.   Analyse  the  threat  landscape  and  derive  the  likelihood  that  the  threat  agents  will  attempt  to   attack.     4.   Use   the   above   and   the   asset   value   to   come   up   with   a   probability   distribution   of   monetary   exposure     The   pound   value   for   each   asset   can   be   collected   and   summarised   in   order   to   calculate   the   total   exposure  probability  distribution.  This  will  give  CIOs  and  CISOs  a  very  useful  tool  to  demonstrate  the   risks  to  the  executive  management  and  thus  justify  the  spending.       Detailed  calculations  of  Value  at  Risk  for  information  security  have  not  yet  been  developed  and  need   further  research.  Value  at  Risk  could  also  be  used  to  justify  security  investments,  i.e.  the  reduction  in   VaR  should  be  higher  than  the  cost  spent.        
  • 10. Conclusion     Information  Security  Risk  Management  must  support  the  business  objectives.  Security  professionals   should   have   open   dialogue   with   business   leaders   and   managers,   listen   to   their   concerns,   and   frequently  educate  them  about  risks.     The  security  model  can  help  with  explaining  why  security  is  important,  and  can  support  justifications   for  that  ‘rather  expensive’  piece  of  technology,  depending  on  the  point  of  view,  security  policy  and   business  appetite  for  risk.         1   McNeil,  Alexander;  Frey,  Rüdiger;  Embrechts,  Paul  (2005).  Quantitative  Risk  Management:  Concepts   Techniques  and  Tools.  Princeton  University  Press.  ISBN  978-­‐0691122557.         About  the  author     Vladimir  Jirasek  is  a  passionate  information  risk  professional  with  more  than  16  years  of  IT  industry  practise   and  over  11  years  in  Information  Security  and  IT  Security,  Risk  and  Compliance  disciplines.  He  has  both  led  and   managed  global  teams  in  Security,  Risk  and  Compliance  for  multinational  corporations  such  as  Nokia,  Tesco,   and  DTAG.       In  his  own  time  he  tries  to  give  something  back  to  the  security  community  by  participating  in  a  variety  of  key   industry  initiatives,  such  as  the  Common  Assurance  Maturity  Model  (common-­‐assurance.com),  Cloud  Security   Alliance  (cloud-­‐security.org.uk);  and  the  Open  Group’s  Jericho  forum,  working  together  with  industry  experts.     He  can  be  contacted  at  vladimir@jirasek.eu  or  on  +44  (0)  7538  790302