Universidad San Juan De La Cruz ( San Jose International Division)
Analysis of framework for allocating responsibilities for various security measures
within outsourcing principles in Security Management Systems
Thesis submitted in partial fulfilment of the requirements for the degree of Doctor of
Philosophy in Information Technology Management with an emphasis of Security Management
Systems
April 1th 2013
By
Rohit Kumar Nanduri
I hereby declare that I am the author of this dissertation.
security management system
Page 1 of 58
I hereby authorize Universidad San Juan De La Cruz to allow the usage of this dissertation only
for scholarly research. I further Universidad San Juan De La Cruz to use my dissertation only
within the university for research purposes only and not for other Institutions.
Rohit Kumar Nanduri
Security Management Systems
security management system
Page 2 of 58
Abstract
This paper presents a generalized framework for allocating responsibilities for various security
functions within a framework is based on the outsourcing principles contained within ISO
17799:2000 and divides work along the lines of a risk management structure proposed in
ISO13335-3:1998.
The paper also illustrates how the risk management framework proposed conforms to the
requirements of ISO 17799:2000. The conclusions are that business control over risk
management decisions cannot be outsourced. Whilst Information Security can be maintained in
an outsourced environment, this requires a clear delineation of responsibilities between the
business and the outsourcer.
Countermeasures should be focused not only on security measures, but also being balanced
towards needs of business in day to day operations.
security countermeasures have broad goal of adjusting the behaviour of potential threat actors
that they do not pose threat to the organisation. Implementation objectives and strategies include:
•
Control access to the target, denying access to possible threat actors
•
Where possible, deter threat actors from acting
•
Detect any threat action
•
Access what has been detected
•
Respond to any active threat action Minimize any impediment to normal business
operations
security management system
Page 3 of 58
security management system
Page 4 of 58
Acknowledgment
•
I would like to mention my grandfather Desiraju Lakshman Rao who is deeply revered by
me even no and has instilled education in myself and guided never to give up what you
set out to aspire to become in education and professional environment in oneself.
•
almighty himself to finish my dissertation and commence new start in life, which
endeavours me to seek more knowledge, versatility and hunger for quest in knowledge
based in Information Technology. Moreover depth of my thesis has given broad based
understanding subject involved.
Rohit Kumar Nanduri
security management system
Page 5 of 58
security management system
Page 6 of 58
1.
Chapter 1: Introduction Problem Statement
In the current IT environment it is becoming increasingly rare to find an
organization that fully owns and operates all parts of its IT operations. From
network to applications to business processes, it seems that all parts of the
business have become a candidate for outsourcing in one form or another.
However, despite the increasing reliance on external providers to supply critical
parts of the IT organization, Information Security has been one area that has been
slow to react to the increased complexity that outsourcing places on the
organization’s Information Security Management Systems. Indeed, it is only
recently that information security has become recognized as a candidate for
outsourcing itself.
This paper presents framework is presented that outlines an appropriate division
of roles and responsibilities for managing an organization’s information security
risks within an outsourced environment.
2.
Security Principles
1.
Outsourcing of critical IT infrastructure has been identified as being of particular
concern to regulatory authorities 1 due to the amount of sensitive information that
0F
is being placed in the hands of entities external to that of the organization
nominally entrusted with its care. This has been recognized within section 4.3 of
the Code of Practice for Information Management 2.
1F
(http://www.privacy.gov.au/publications/IS14_01.pdf (Accessed on 3/10/2011.
(Article published in March 2002)
1
2
APRA Insight (http://www.privacy.gov.au/publications/IS14_01.pdf)
ISO 17799
security management system
Page 7 of 58
This standard defines a set of principles that should be present within outsourcing
contracts. A contract with an outsourcer should contain reference to:
1.
How any legal requirements are to be addressed, for instance specific data
requirements for maintaining the confidentiality and integrity of any personal
details 3;
2F
2.
The arrangements that are in place to ensure that all parties are aware of their
security responsibilities, this must include provisions for any sub-contractors that
may be employed by the outsourcer;
3.
How the confidentiality, integrity and availability of organizational assets are
going to be maintained;
4.
Those physical and logical controls which are used to ensure that access to
organizational business information is restricted appropriately 4;
3F
5.
How service is to be maintained in the event of a disaster;
6.
The physical security measures put in place to protect the organization’s assets;
and
7.
The right of audit.
Whilst these principles provide a good foundation for ensuring that Information Security
is being addressed in an outsourcing contract, this does not provide sufficient detail to
ensure that Information Security is being managed appropriately. The remainder of this
1.Privacy Obligations for Government Contracts (Accessed on 3/10/2011)
((http://www.privacy.gov.au/publications/IS14_01.pdf)
2.Information security Management systems (ISMS), BSI Standard 100-1, version 1.5 May 2008
(http://www.bsi.bund.de/. Accessed on 5/10/2012)
security management system
Page 8 of 58
paper sets out a generalized model for an Information Security Management System
(ISMS) for use when parts of the IT infrastructure have been outsourced.
1.3 Target group
The thesis is directly aimed at IT operations and information Security as well as IT
security Officers, experts, consultants and interested personnel who form the basis of
enacting Information security within mainstream organisations that are medium sized,
and works towards ensuring ongoing development across all developmental sectors in the
information super highway.
1.4 Application
Using ISO standards describes information security or (ISMS) is formulated to gather
areas of development towards defining key objectives in coordinating essential
management techniques which heeds importance in growth where security is concerned
in sufficing current objectives given at hand. (http://www.bsi.bund.de/) Accessed on
5/10/2011
“Security management system and information security seeks and look towards specific
administrational level of an institution should use to comprehensibly manage the tasks
and activities aimed at achieving information security within all sectors of work.
(http://www.bsi.bund.de/) Accessed on 5/10/2012.
Information security is used in conjunction in defining key attributes in contextual
practises which aims to substantiate towards how security should me managed and in
coordination of specific concentration which is security management systems.
security management system
Page 9 of 58
The BSI standard provides specific key criteria when selecting standards. They are as
follows
 What are the success factors with information security management?
 How can the IT security process be managed and monitored by the management
responsible for this?
 How are security objectives and an appropriate IT security strategy Developed?
 How are IT security measures selected and an IT security policy drawn up?
 How can an achieved level of security be maintained and improved?
(http://www.bsi.bund.de/ Information Security Management Systems (ISMS),BSI
Standard 100-1, Version 1.5 May 2008,( Accessed on 5/10/2012)
Cohort of consensus is defining the process towards standards which hold key
importance towards strategies on security management systems be it the following
 Governmental
 Private Sector
 Not for Profit organisations
 Charitable trust organisations
 SME’S
 B2B sectors
“Standard security measures for practical implementation of the appropriate
Level of IT security are recommended in the Corporate Level within German
Mainstream organisations” (http://www.bsi.bund.de/ Information Security
security management system
Page 10 of 58
Management Systems (ISMS),BSI Standard 100-1, Version 1.5 May 2008,(
Accessed on 5/10/2012)
3.
Risk Management/ Risk Analysis
When the decision is made to outsource some or all of an organization’s IT functions, it is
important to ensure that an appropriate risk management strategy is in place to ensure that
Information Security is maintained. One of the greatest challenges is how to combine the
risk and security management strategies of two separate organizations to ensure that the
confidentiality, integrity and availability of the organizations business assets are
maintained.
security management system
Page 11 of 58
Figure1: Balance Delivery with Liability
(http://www.ittoday.info/Articles/CIO-Risk/CIO-Risk.htm.)
( Accessed on 5/10/2011)
Risk Analysis
Forms basis towards getting hold towards key criteria and to validate success rate into
stages of planning stages, which eventually will lead towards migitating well balanced
coordinated strategies which forms basis of cost base analysis in projects directed in
security management systems in risk management and quantitative in impact of project
security management system
Page 12 of 58
analysis. Risk analysis is forecasted to analysis phase in SDLC in current lifecycle
stages.
Figure 1. Systems development lifecycle (SDLC) chart
(http://www.infosectoday.com/Articles/Intro_Risk_Analysis.htm. (Accessed on 5/10/2012)
Analysis towards risk is foremost of the epicentre of forecasting areas of allocating
necessary resources, requiring manpower through use of demand and supply of economic
cost benefit analysis in getting mere recognition status in project funding in starting stages.
security management system
Page 13 of 58
Figure1. Risk Analysis Table
(http://www.infosectoday.com/Articles/Intro_Risk_Analysis.htm) Accessed on 5/10/2012
Organisations which define scope of project must refer to organisation stakeholder
criteria measures to get an understanding to keeping informed to stakeholders and
stakeholder management who decide entity of financial resources and availability of
resources needed to procure day to day operational measures to staff necessary
requirements to
“ Software Development groups typically concentrate primarily on delivering
functionality and meeting schedules because they perceive that management priorities
place these goals far ahead of application security and regulatory compliance.”
(http://web.securityinnovation.com/whitepaper-library) Accessed on 5/10/2012
Development leads to giving good model delivery in management which emphasize
nature getting things across in towards compliance regulations.
“ Counteract this tendency, software development groups need guidance from
management on topics such as:
security management system
Page 14 of 58
•
The importance management places on data security and compliance relative to
other priorities.
•
The direct impact software applications have on data security risks
•
The applicability and relative importance of many governmental agencies like
federal, state and international regulations and industry standards.
•
The business implications of not meeting compliance mandates
•
The potential impact on business of different types of data breaches and attacks
on business systems.
((http://web.securityinnovation.com/whitepaper-library) Accessed on 5/10/2012
Security by all means is forefront to creating strategies and implementing virtual teams
and also group teams in coordination movement in putting delivery models in place
which in turn resorts to 24/7 constant monitoring, if and when attacks of security mgmt.
systems encounter problems.
Corporate organisations resort to cohorts of teams
The seven principles outlined in provide general guidance as to the types of issues that
should be present in outsourcing contracts however, the principles themselves do not
provide any clues as to how this should be accomplished.
• The model presented in section
security management system
Page 15 of 58
Figure 1. Different modeling techniques to address each threat risk and risk type
are combined to augment the more conventional application testing approach.
guidance as to how the various components of information security management can be
divided between the business and its outsource provider(s). In section 3.2 it is shown
how this model addresses the ISO 17799 outsourcing principles.
1. Responsibilities
One of the principals in The Standard i states “arrangements will be in place to
16F
ensure that all parties involved in the outsourcing, including subcontractors, are
aware of their security responsibilities”. The Guidelines for the Management of
IT Security (GMITS) part 3 ii defines a structure for managing risk within an
17F
security management system
Page 16 of 58
organization. This model can be adapted to an outsourcing situation. This
breakdown is shown in Figure 1 - Division of Responsibilities.
The diagram is adapted from GMITS Part 2 5 with shading added by the author to
4F
indicate division of responsibility as appropriate to ensure that risk management
responsibilities are appropriately allocated between the outsourcer and the
business.
1. Strategy
It is important that Business retain control and responsibility for IT Security
Objectives and Strategy. The IT Security Objectives define level of risk that is
acceptable to the Business and the Strategy defines how the business will remain
within these risk parameters.
security management system
Page 17 of 58
http://www.infosectoday.com/Articles/Security_Metrics_Overview.htm
(Accessed on 3/10/2012)
Retaining control over this function ensures that the outsourcer has a defined goal
to work towards will in turn will assist in the success of the overall outsourcing
venture 6.
5F
2. Risk Management
An important component in the management of risks to business assets is
the selection of an appropriate strategy for analyzing risk. Selection of an
inappropriate Risk Analysis Strategy can lead to a superficial analysis of the
issues or result in overly long and costly risk assessments.
security management system
Page 18 of 58
Figure 1.2 Development of ISO 27001 and ISO 27002 standards
http://www.infosectoday.com/Articles/27001.htm (Accessed on 3/10/2012)
Table 1.1 ISO 27000 Family
ISO/IEC Standard Description
Space
(Pending) Vocabulary and definitions.
27001
Information Security Management System requirements (specification)
27002
Code of practice for information security; management
27003
(Pending) Implementation guidance
27004
(Pending) Metric and measurement
27005
(Pending) Risk management
(http://www.infosectoday.com/Articles/27001.htm ( Accessed on 3/10/2012)
security management system
Page 19 of 58
Table 1.2 ISO 27002 Security Control Structure
Control
Definition of security control with statement regarding necessary qualities
to fulfill the control requirement
Implementation
Includes information for implementing the control and guidance to fulfill
guidance
the requirements of the control
Other information
In some controls there is a clause "Other Information," where there are
references to information related to the specific control
(http://www.infosectoday.com/Articles/27001.htm( Accessed on 3/10/2012)
(http://www.infosectoday.com/Articles/27001.htm accessed on 3/10/2011)
security management system
Page 20 of 58
GMITS defines a number of risk analysis strategies that business can use to
analyze risk 7. Of these, the most suitable approach for an outsourcing situation is
6F
the combined approach. This approach uses a High-Level assessment to
determine whether a more Detailed Assessment is necessary or whether the risk
can be analyzed using the existing baseline.
The High-Level Risk Assessment should be performed by the business. The
determination of what level of business risk is involved in a particular operation
or
Figure1. Different modeling techniques to address each threat risk are
combined to augment the more conventional application penetration testing
approach.
(Accessed on 11/10/2012)
http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.htm
security management system
Page 21 of 58
Figure1. Different modeling techniques to address each threat risk are
combined to augment the more conventional application penetration testing
approach.
(Accessed on 11/10/2012)
http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.htm
security management system
Page 22 of 58
(http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.ht)
m
concept is best left to the business where the impact of any miscalculation of risk
will be felt. If a Detailed Risk Assessment is required, this should also be the
responsibility of
the business.Should the high level assessment determine that the level of risk is
not too significant, the baseline approach is used. Responsibility for a baseline
risk assessment is shared between the outsourcer and the business. The
outsourcer effectively controls the IT baseline and the business must sign off and
be responsible for the level of risk associated with the baseline.
security management system
Page 23 of 58
The selection of appropriate safeguards is also a shared responsibility. Safeguards
to manage risks will most likely be a mixture of operational and technical
controls 8. Whilst technical controls (for example firewalls and other pieces of
7F
security technology), operational controls (such as security policies) will usually
remain the responsibility of the business.
Acceptance of risk and the development of any system specific policies should
remain with the business. It is a general principle that whilst the assets
themselves and even the business process surrounding the asset can be
outsourced, the risk associated with the asset is retained with the business.
The outsourcer should then produce a System Security Plan that details how the
requirements of the System Security Policy are going to be met. Whilst the
production of the actual plan itself will be the responsibility of the outsourcer, this
item nonetheless remains a shared responsibility, as the business should approve
the content of the System Security Plan as part of the general risk management
process.
3. Maintenance
Maintaining IT systems is a matter of balancing many competing priorities such
as balancing service levels and controlling cost, the maintenance of IT Security
components is no different. Maintenance of IT systems is almost always a shared
responsibility. The outsourcer is makes recommendations to the business as to
any changes required to maintain and improve service levels and the business
evaluates and approves these proposals.
8
Standards Australia, HB 231 Section 4.5.3.1
security management system
Page 24 of 58
The business is responsible for ensuring that the direction established by the IT
Security Strategy and the countermeasures identified during risk management are
maintained. For this reason, it is important that the business retain responsibility
for Security Compliance Checking. This provides the business with a level of
comfort that information security measures are being appropriately maintained.
The responsibility for monitoring should rest with the outsourcer. Monitoring is
the means by which the effectiveness of any security controls or processes can be
managed. In an outsourced environment, the outsourcer is operating the IT assets
and should be providing the business with constant feedback of the performance
of all components under their control.
Change management is a shared responsibility. Business should have a role in
approving changes to IT systems in response to recommendations made by the
outsourcer.
The responsibility for Incident Management is also shared. Typically it will be
the outsourcer in their role of custodian of the IT system(s) that is the first stage of
any incident response process as often security incidents may manifest themselves
as outages or unexplained behavior in IT systems 9.
8F
Once an incident has been identified as having occurred, the business would
normally become involved to determine the appropriate steps to resolve the
incident. The interactions involved in appropriate incident management are quite
complex and beyond the scope of this paper however, in general the business
makes the policy and risk management decisions with the outsourcer providing
advice and performing any technical changes.
9
Carnegie Mellon University (Accessed on 11/10/2012)
security management system
Page 25 of 58
2. Correlation to ISO 17799
1. Legal Requirements
As the organization retains control of IT Security Strategy and overall policy, it is
the responsibility of the organization to ensure that the policies are in compliance
with any applicable legal and legislative requirements. Organizational ownership
of compliance checking provides assurance that any obligations of corporate
policies and procedures are being carried out by the outsourcer.
2. Awareness of Security Responsibilities
Whilst this document does present a framework around which outsourcing
services can be agreed, the actual division of work will be defined in the contract
between the business and its outsourcer. By working within the framework
suggested, both parties will be broadly aware of the distinct Information Security
areas that need to be addressed. This will ensure that all parties (not just the
outsourcer) are fully aware of their security responsibilities.
http://www.ittoday.info/Articles/ISO_27001_Certification.htm
security management system
Page 26 of 58
3. Maintenance of Confidentiality, Integrity and Availability
The maintenance of confidentiality, integrity and availability of organizational
assets is perhaps one of the most significant challenges during an outsourcing
engagement. Outsourcing requires that control of sensitive and business critical
information is turned over to a third party who does not necessarily have the same
vested interest in ensuring that the data is adequately protected.
The framework suggested ensures that whilst the actual maintenance of security
equipment resides with the outsourcer, the business retains control over policy
decisions regarding those assets. This division of labor means that it is the
business who has
ultimate control over decisions regarding the confidentiality, integrity and
availability of
their assets.
By retaining control over the audit function, the business is also able to ensure
that the
outsourcer is maintaining the standard required and specified by the business.
security management system
Page 27 of 58
Figure 1.1 Security
Cornerstones
(http://www.infosectoday.com/Articles/27001.htm)
(Accessed on 11/10/2012) http://www.infosectoday.com/Articles/27001.htm)
Figure 1.3 PDCA Model
(http://www.infosectoday.com/Articles/27001.htm)
(Accessed on 11/10/2012)
Figure 1.3 PDCA Model
(http://www.infosectoday.com/Articles/27001.htm)
4.Physical and Logical Controls over Access
See Diagram Below.
security management system
Page 28 of 58
(http://www.infosectoday.com/images/networkSecurity.jpg) (Accessed on
11/10/2012)
Where physical controls and logical controls are required to ensure that there is no
unauthorized access to company resources, this should be identified as part of the
Risk Management activities associated with the framework.
security management system
Page 29 of 58
The provisions in the framework show how the business and the outsourcer are
jointly responsible for the controls required to manage the business’ risk. Whilst
the responsibility for implementing the control rests with the outsourcer, policy
decisions as to their suitability remain with the business.
4. Service Maintenance during Disaster
The ISO 13335 framework is not particularly specific about the provision of
disaster recovery facilities. However, disaster recovery (DR) and its driver,
Business Continuity Planning 10 (BCP) are accommodated within ISO 17799 11.
9F
10F
Both BCP and DR should be considered during the high-level risk analysis
activity identified within the model and a decision made as to whether the system
falls within the existing baseline (for instance additional on-line services could be
incorporated into the existing DR and BCP baseline) or whether a detailed risk
assessment is required.
The System Security Policy should contain details of the BCP and DR
requirements for the system. This provides the ultimate guide for ensuring that
the requirements have been met. It is important to note that ISO 17799 considers
that BCP and DR are part of the overall information security management system
and thus it is not treated as a separate activity within its own right.
security management system
Page 30 of 58
(Accessed on 11/10/2012)
(http://www.ittoday.info/Articles/Beyond_Disaster_Recovery.htm)
5. Physical Security Measures
Required physical security measures would be identified and agreed during the
Selection of Safeguards activity and then be the responsibility of the outsourcer to
implement.
security management system
Page 31 of 58
(Figure 2. Service Desk Diagram)
(http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm)
(Accessed on 11/10/2012)
6. Right of Audit
Auditing falls broadly into the part of the framework identified as maintenance. It
is vitally important that the business ensure that appropriate auditing rights are
factored into any outsourcing contract. The framework shows that the majority of
maintenance activities are identified as being a shared responsibility however;
security compliance checking is clearly the responsibility of the business.
Whilst the framework identifies the responsibilities, it is noted that this does not
identify the actual rights of audit, however by using the framework this should
provide a useful starting point for discussions of audit content and frequency.
3. Risk Management and Managed Security Service Providers
Managed Security Service Providers (MSSP) are a specific type of outsource
service provider that offers some or all security services to a client. Some of the
services that may be offered by a MSSP are:
●
Firewall management;
●
Intrusion detection;
●
Vulnerability assessment and testing;
●
Antivirus management;
●
Authentication;
●
Security intelligence;
●
Virtual private network; and
security management system
Page 32 of 58
●
12
Public key infrastructure 12.
11F
Kavanagh, 2001
security management system
Page 33 of 58
Figure 1. ITIL Overview
(http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm)
(Accessed on 1/10/2011)
As the majority of these services directly impact information security, the tendency is to
assume that the solution to an organization’s security issues is as simple as choosing an
appropriate MSSP. The thinking is that as information security is complex and non-cost
recoverable, this is a function that should be best left to an outsourcer and not left to
consume valuable internal resources.
In the author’s experience, there is a tendency of businesses to assume that in selecting a
MSSP, the information security issues for the organization have been solved. In fact, this
is usually far from the case. Too often it is forgotten that the MSSP is there essentially to
operate infrastructure 13 and thus is not responsible for the businesses security strategy or
12F
requirement. Indeed, organizational control of security strategy is an essential component
of Security Outsourcing 14.
13F
The framework shown in Figure 1 is equally applicable to outsourcing the information
security function itself. The business must retain control over the decision making process
as to what level of risk is acceptable and then be responsible for ensuring that the
outsourcer is performing the appropriate actions to ensure that the risk is managed in an
appropriate fashion.
4. Evaluating the Outsourcer
Having made the decision to outsource some, or all, of the IT Infrastructure, it is
important to ensure that an evaluation of the outsourcer’s information security
security management system
Page 34 of 58
practice is included as part of the due diligence process (it sounds straightforward
but in the author’s experience this is often overlooked). This applies whether the
target of the outsource is the security function itself or a general part of the IT
infrastructure.
When conducting due diligence on an outsourcer there are a number of key
indicators that should be taken into account. These include:
●
Does the outsourcer have a clear security policy?
●
Is the outsourcer’s management clearly and visibly committed to information
security?
Table 2.3 Measuring IT Performance and Activities
Question
Analysis
1. Do you have any view of how IT
Sixty-two percent state that they have a view on
should be measured and accounted
measurement; however, there is significant variation in
for?
how executives define measurement.
There is significant variation in IT satisfaction. Only
2. Are you satisfied with IT
19% are very satisfied. Thirty-three percent are satisfied,
performance in the firm?
another 33% are less satisfied, and 14% are dissatisfied.
3. How do you budget IT costs? Is it
Fifty-seven percent state that they do not use gross
based on a percentage of gross
revenues in their budgeting methodologies.
revenues?
security management system
Page 35 of 58
4. To what extent do you perceive
Seventy-one percent feel that technology is a significant
technology as a means of increasing
means of increasing both marketing and productivity in
marketing or productivity, or both?
their firms.
5. Are Internet/Web marketing
Only 24% state that Internet/Web marketing efforts
activities part of the IT function?
report directly to the IT organization.
(http://www.ittoday.info/Articles/IT_Dilemma.htm Accessed on 3/10/2011)
Table 1. Perception and Role of IT.
Question
Analysis
Fifty-seven percent responded that their IT organizations
were reactive and did not really have a mission. Twenty-
1. How do you define the role and
eight percent had an IT mission that was market-driven;
the mission of IT in your firm?
i.e., that their IT departments were responsible for actively
participating in marketing and strategic processes.
Twenty-eight percent feel the impact is insignificant, while
2. What impact has the Internet had
24% feel it is critical. The remaining 48% feel that the
on your business strategy?
impact of the Internet is significant to daily transactions.
3. Does the firm have its own
internal software development
Seventy-six percent have an internal development
activity? Do you develop your own organization. Eighty-one percent have internally developed
in-house software or use software
software.
packages?
security management system
Page 36 of 58
4. What is your opinion of
outsourcing? Do you have the need Sixty-two percent have outsourced certain aspects of their
to outsource technology? If so, how technology needs
is this accomplished?
5. Do you use consultants to help
formulate the role of IT? If yes,
Sixty-two percent of the participants use consultants to
what specific roles do they play? If assist them in formulating the role of IT.
not, why?
6. Do you feel that IT will become
Eighty-five percent feel that IT has recently important to
more important to the strategic of
the strategic planning become more planning of the
the business? If yes, why?
business.
Twenty-nine percent feel that IT is still very marginalized.
7. How is the IT department viewed
Another 29% feel it is not very integrated. Thirty-eight
by other departments? Is IT
percent feel IT is sufficiently integrated within the
department liked or is it
organization, but only one chief executive feels that IT is
marginalized?
very integrated with the culture of his firm.
8. Do you feel there is too much
Fifty-three percent feel that there is no hype. However,
"hype" about the importance and
32% feel that there are levels of hype attributed to the role
role of technology?
of technology; 10% feel it is "all hype."
9. Have the role and the uses of
Fourteen percent feel little has changed, whereas 43%
technology in the firm significantly
stated that there were moderate changes. Thirty-eight
changed over the last five years? If
percent state significant change.
so, what are the salient changes?
security management system
Page 37 of 58
(http://www.ittoday.info/Articles/IT_Dilemma.htm)
(Accessed on 11/10/2012)
●
Is there evidence that the supplier has assessed the security risks, understood the
legal risks and is prepared to implement appropriate countermeasures?
●
Does the outsourcer’s operational team have a good, demonstrated knowledge and
understanding of information security issues?
●
Does the outsourcer follow some well-recognized standard for Information
Security Management, such as ISO 17799?
●
Visible information and data security signals such as appropriate physical security
at data centers, security vetting for personnel involved in the management of
business resources, password access to IT systems? 15
14F
Table 2.2 Management and Strategic Issues
Question
Analysis
1. What is the most senior title
Sixty-six percent call the highest position "CIO" (Chief
held by IT? Where does this
Information Officer). Ten percent use "Managing Director,"
person rank on the organization
while 24% use "Director" as the highest title.
hierarchy?
Fifty percent of IT leaders report directly to the chief
2. Does IT management
executive, the other half reports to either the chief financial
ultimately report to you?
officer or the chief operating officer.
security management system
Page 38 of 58
Fifty-seven percent state that they are very active- on a weekly
3. How active are you in working basis. Thirty-eight percent are less active or inconsistently
with IT issues?
involved, usually stepping in when an issue becomes
problematic.
4. Do you discuss IT strategy
Eighty-one percent do not communicate with peers at all. Only
with your peers from other
10% actively engage in peer-to-peer communication about IT
firms?
strategy.
Eighty-six percent confirm that IT issues are regularly
5. Do IT issues get raised at
discussed at board meetings. However, only 57% acknowledge
board, marketing, or strategy
IT discussion during marketing meetings, and only 38%
meetings?
confirm like discussions at strategic sessions.
6. How critical is IT to the day-
Eighty-two percent of the chief executives feel it is very
to-day business?
significant or critical to the business.
(http://www.ittoday.info/Articles/IT_Dilemma.htm) (Accessed on 11/10/2012)
“One of the challenges in establishing the outsourcing arrangement will be
merging the security requirements of the outsourcer with the security
requirements of the business it is outsourcing. Although the outsourcer may have
its own internal security policies these should be examined to ascertain if there are
appropriate provisions for including a client security domain (or indeed multiple
client domains) within their (the outsourcer’s) policy structure. This issue is
illustrated in a diagram developed by the author shown as Figure 2 - Security
Domains Within a Data Center.”
security management system
Page 39 of 58
http://www.infosectoday.com/Articles/Endpoint_Security.htm accessed on
17/10/2012
Figure 2 - Security Domains Within a Data Center
Figure 2 shows how an outsourcer might choose to integrate a client’s security
requirements into their existing data center. Ideally, the outsourcer would have a
complete set of security policies and procedures that detail its own information
security management requirements; this is depicted as the Outsourcer Security
Domain. Everything within the outsourcer’s control should be governed by the
set of security policies and procedures that govern this domain.
Within the outsourcer’s security domain are likely to be a number of client
security domains. This reflects the needs and requirements of specific customers
within the outsourcing environment. Each client will have different requirements
for managing the risk to their business and thus will have slightly different
requirements for the way in which information security countermeasures are to be
applied for their machines. The outsourcer’s security policies should be
developed in such a way as to take this into account.
One of the clear indicators as to how well the outsourcer understands the security
risks and implications will be the conduct of security due diligence on the
business. As previously stated, outsourcing is a partnership 16 and as such it
15F
should be expected that the outsourcer will perform some due diligence activities
to assess the various aspects of the business in order to formulate a suitable
contract.
security management system
Page 40 of 58
As part of the development of the contract, the outsourcer should be taking steps
to understand the security requirements of the business. The information security
requirements of the business will have a significant impact on the way in which
information security is maintained for those assets that are to be outsourced. A
robust, thorough Information Security due diligence process by the outsourcer is a
good indication that there is a good understanding of Information Security issues
and the way in which these issues should be addressed.
12 Dangers of Endpoint Security
12 Dangers of Endpoint Security
1. AntiVirus alone is inadequate: a Symantec survey of U.S.-based small
businesses finds nearly 60 percent of respondents have not implemented endpoint
protection (software that protects end points such as laptops, desktops and servers
against malware). 42 percent do not have an antispam solution, and one-third do
not even have the most basic protection of all -- antivirus protection.
http://www.infosectoday.com/Articles/Endpoint_Security.htm
Accessed on 17/10/2012
2. Lack of IT expertise: the same Symantec survey finds 42 percent of SMBs do
not have a dedicated IT staff--they either have no one managing their computers
or they use staff that has other jobs.
http://www.infosectoday.com/Articles/Endpoint_Security.htm
Accessed on 17/10/2012
security management system
Page 41 of 58
3. Explosion of malware: Symantec in 2008 created more than 1.6 million new malicious code
signatures, a 165 percent increase over 2007.
4. Fame to fortune: the primary motivation of attackers has evolved from
wanting to achieve public notoriety to financial gains, and they are employing
attacks that are more stealthy and insidious.
http://www.infosectoday.com/Articles/Endpoint_Security.htm
Accessed on 17/10/2012
5. Unpatched endpoints: ignoring updates from software companies leaves
businesses much more susceptible to infection and attack.
http://www.infosectoday.com/Articles/Endpoint_Security.htm
Accessed on 17/10/2012
6. Confidential information loss: could be due to well-meaning insiders, malicious insiders or
external attackers. SMBs are less likely to have network server and storage space, so are
therefore more likely to store sensitive information on endpoints that need to be protected.
7. Rogue security software: Also known as Scareware, these attacks pose as
legitimate security software that actually facilitates the installation of the
malicious code they purport to protect against.
http://www.infosectoday.com/Articles/Endpoint_Security.htm accessed on
17/10/2012
8. Drive-by downloads: Malware that resides on web sites and infect systems of
people who visit those sites. SMBs are increasingly adopting Internet and Web-
security management system
Page 42 of 58
based computing models to conduct tasks like web mail, file sharing and social
media communication, and are therefore at high risk of having their endpoints
infected via the web.
http://www.infosectoday.com/Articles/Endpoint_Security.htm accessed on
17/10/2012
9. Netbooks: These inexpensive tools are becoming more popular for business purposes, and
they need to be secured just like traditional desktops and laptops. Relying on limited security
functionality built into operating systems will not provide adequate security.
http://www.infosectoday.com/Articles/Endpoint_Security.htm accessed on
17/10/2012
10. Smartphones: the first attack targeting smartphones and other mobile devices appeared in
2005 as a Multimedia Messaging Service (MMS) worm. As more employees attach their
smartphones to the company network, the risk to confidential information loss also increases.
11. Wireless networks: Businesses must ensure their WiFi networks, and the
endpoints connecting to them, are secure.
http://www.infosectoday.com/Articles/Endpoint_Security.htm accessed on
17/10/2012
12. Cloud computing: Web-hosted services can dramatically increase productivity and reduce
IT costs, but these environments must be secured just like on-site data centers.
http://www.infosectoday.com/Articles/Endpoint_Security.htm
(Accessed on 18/10/2012)
security management system
Page 43 of 58
Diagram of ISMS Concept of applying management system conceptual model to
Information Security
((http://www.infosectoday.com/Articles/ISMS/Information_Security_Managemen
t_Systems.htm (Accessed on 1/10/2011)
Model of Business Enabler part of ISMS Model
security management system
Page 44 of 58
(http://www.infosectoday.com/Articles/ISMS/Information_Security_Management
_Systems.htm) (Accessed on 11/10/2012)
(Who participates in ISMS)
(http://www.infosectoday.com/Articles/ISMS/Information_Security_Management
_Systems.htm) (Accessed on 11/10/2012)
Back It Up
Data drives small business, and the ability to keep it always available is critical for a business’
success. To that end, organizations must regularly back up their data, using a tiered approach that
saves data to disk as well as to tape for short- and long-term purposes. For quick recovery, disk is
often the preferred media. For long-term storage and data archiving, tape is an effective option.
Both methods play a major role in the backup strategies for many organizations.
http://www.ittoday.info/Articles/Expecting_Disaster.htm ( Accessed on 18/10/2012)
“Today’s most advanced backup tools for small businesses provide continuous data protection
for an organization’s most valuable information, whether that data is on a Windows file server, a
desktop or laptop, or a Microsoft Exchange, SQL, SharePoint, or other application server. New
cutting edge tools have revolutionized data protection by eliminating backup windows and
security management system
Page 45 of 58
enabling small businesses to recover data in seconds. For example, while traditional approaches
for backing up Exchange required a full data base backup and “brick level” mailbox backups,
these tools offer a full, incremental, or continuous backup of Exchange and enable restores to a
granular level--including down to an individual email—from a single database backup pass.”
http://www.ittoday.info/Articles/Expecting_Disaster.htm
(Accessed on 18/10/2012)
Recover It Fast
After a disaster, businesses are often left with anxieties and pressures to recover data quickly.
While prevention of data loss is a must, system recovery is equally important. Traditional
recovery methods, however, are cumbersome, with manual system rebuilds from bare metal
taking hours or even days. Small businesses must be able to recover from system loss or disasters
in minutes. What’s more, they need to be able to recover servers, desktops, or laptops to
dissimilar hardware and in remote, unattended locations.
Consequently, many small businesses are also deploying system recovery tools that capture the
operating system, applications, system settings, configurations, and files of a live system in a
recovery point that can be saved to a wide variety of media or storage devices. An administrator
can schedule how often data recovery points are created and can retain specific recovery points
for different time periods in accordance with business needs.
Virtualization can help small businesses better leverage their disaster recovery strategy. With
server virtualization technology, multiple operating systems can be run on a single server, which
security management system
Page 46 of 58
enables organizations to consolidate servers and make better use of existing hardware resources.
This is particularly beneficial for organizations such as small businesses that typically lack a
spare system to which to restore data.
As today’s data-driven global marketplace evolves, information volumes will continue to
increase. At the same time, natural disasters, power outages, application failures, system crashes,
and other potentially damaging events will likely remain a challenge for businesses of all sizes.
Human error will never be eliminated. And downtime will likely become less rather than more
acceptable.
Disaster recovery planning, in turn, will become a greater priority for small businesses as well as
large enterprises. By leveraging next-generation data and system protection tools and service
offerings, small businesses can prepare for disasters, allowing them to minimize downtime, and
ensure efficient and rapid recovery.
http://www.ittoday.info/Articles/Expecting_Disaster.htm
(Accessed on 18/10/2012)
Top 5 Tips for Developing a Disaster Recovery Strategy
1. Document!
Every element of your DR process is important. Make sure everything is documented and ensure
it includes the locations of system and other critical disks and data. Key staff members—within
IT and other areas of the organization—should be familiar with these documented storage
locations.
security management system
Page 47 of 58
http://www.ittoday.info/Articles/Expecting_Disaster.htm
Accessed on 18/10/2012
2. Automate Processes
Establish an automated system to notify critical staff of a disaster by text, phone or email. Train
your staff on the system to perform basic DR/back-up tasks unsupervised. Symantec
recommends enterprises have a complete disk-based data protection solution across all
environments, offices and hardware.
http://www.ittoday.info/Articles/Expecting_Disaster.htm
Accessed on 18/10/2012
3. Back It Up
Backing up critical data seems like a no brainer. But if you neglect to do so, no matter how good
your DR plan is it will be of no use. Don’t just back it up—test it!
http://www.ittoday.info/Articles/Expecting_Disaster.htm (Accessed on 18/10/2012)
4. Protect from the Inside
Internal theft is on the rise and usually undetected. Be sure to protect your company from
random theft, vandalism and employee malice. Be aware of the data location, where it is sorted
and where it is going. Place controls to automatically safeguard the data, according to corporate
policy, like implementing a corporate policy that all traveling laptops are backed up.
http://www.ittoday.info/Articles/Expecting_Disaster.htm
(Accessed on 18/10/2012)
security management system
Page 48 of 58
5. Practice Makes Perfect--almost
Practice your DR plan on a quarterly basis, better yet, more frequently. This will strengthen your
organization’s skills, help you figure out more efficient logistics, work out kinks in your system
and give you the confidence that your plan will work in testing
http://www.ittoday.info/Articles/Expecting_Disaster.htm
(Accessed on 18/10/2012)
Ten Tips for Disaster Recovery Planning
1. Devise a disaster recovery plan: IT disaster recovery planning can be a daunting
undertaking, with many scenarios to analyze and options to pursue. It is important
to start with the basics and add to the plan over time. To begin, define what is
important to keep the business running - i.e., email and application access,
database back-up, computer equipment - and the "recovery time objective" or how
quickly the company needs to be up and running post-disaster. Other key plan
components to consider are determining who within the organization declares the
disaster, how employees are informed that a disaster has occurred, and the method
of communication with customers to reassure them that the company can still
service their needs.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
2. Monitor implementation: Once a disaster recovery plan has been established, it
is critical to monitor the plan to ensure its components are implemented
effectively. A disaster recovery plan should be viewed as a living, breathing
security management system
Page 49 of 58
document that can and should be updated frequently, as needed. Additionally,
proactive ongoing monitoring and remediation of processes, such as back-up data
storage and data replication, results in fewer IT issues and less downtime should a
crisis occur.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
3. Test disaster recovery plan: A 2007 eWeek survey of more than 500 senior IT
professionals revealed that a whopping 89% of companies test their disaster
recovery/failover systems only once per year or not at all, leaving their enterprises
vulnerable to massive technology and business failures in the event of a disaster.
An under-tested plan can often be more of a hindrance than having no plan at all.
The ability of the disaster recovery plan to be effective in emergency situations
can only be assessed if rigorous testing is carried out one or more times per year
in realistic conditions by simulating circumstances that would be applicable in an
actual emergency. The testing phase of the plan must contain important
verification activities to enable the plan to stand up to most disruptive events.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
4. Perform off-site data back-up and storage: Any catastrophe that threatens to
shutter a business is likely to make access to on-site data back-up impossible. The
primary concerns for data back-up are security during and accessibility following
a crisis. There is no benefit to creating a back-up file of valuable data if this
information is not transferred via a secure method and stored in an offsite data
storage center with foolproof protection. As part of establishing a back-up data
security management system
Page 50 of 58
solution, every company needs to determine its "recovery point objective" (RPO)
- the time between the last available back-up and when a disruption could
potentially occur. The RPO is based on tolerance for loss of data or reentering of
data. Every company should back-up its data at least once daily, typically
overnight, but should strongly consider more frequent back-up or "continuous
data protection" if warranted.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
5. Perform data restoration tests: Using tape back-up for data storage has been
integral to IT operations for many years, however this form of back-up has not
been the most reliable. Today, disk to disk systems are gaining popularity. With
either type of system, the back-up software and the hardware on which it resides
needs to be checked daily to verify that back-up is completed successfully and
that there are no pending problems with the hardware. With tape back-up,
companies need to store the tapes in an off-site location that is secure and
accessible, while disk systems need to have an off-site replication if the back-up is
not run off-site initially. Moreover, companies need to perform monthly test
restoration to validate that a restoration can be accomplished during a disaster.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
6. Invest in theft recovery and data delete solutions for laptops: IDC reports that
more than 70% of the total workforce in the U.S. will be considered mobile
workers by 2009. Accordingly, laptops are increasingly replacing the traditional
desktop PCs. Unlike desktops, however, laptops are more easily misplaced or
security management system
Page 51 of 58
stolen, thus requiring organizations to secure data deletion and theft recovery
options for their users' laptops. Theft recovery solutions can locate, recover and
return lost or stolen computers, while data delete options can enable companies to
delete data remotely from lost or stolen computers thereby preventing the release
of sensitive information.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
7. Install regular virus pattern updates: IT infrastructure is one of those realities
of business life that most companies take for granted. Companies often do not
focus on email security until an incipient virus, spyware or malware wreaks havoc
on employees' desktops. Organizations need to protect its data and systems by
installing regular virus pattern updates as part of disaster recovery planning,
which may even help prevent a crisis from happening.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
8. Consider hiring a managed services provider: For small- to medium-sized
businesses, it is often cost prohibitive to implement a sound disaster recovery
plan. Frequently these organizations lack the technical professionals to
accomplish this. Managed services providers (MSPs) have emerged in recent
years to perform this role. MSPs have the technical personnel to design,
implement and manage complex disaster recovery projects. Additionally, MSPs
have the server, storage and network infrastructure in place to manage a true
disaster recovery plan. To keep costs manageable and make disaster recovery
services, such as data storage and redundant servers, available to small- to
security management system
Page 52 of 58
medium-sized businesses, MSPs build shared, multi-tenant IT infrastructures that
host multiple companies on the same hardware and network equipment which
helps keep costs affordable and advantageous for its customers.
http://www.infosectoday.com/Articles/DRPlanning.htm Accessed on 18/10/2012
security management system
Page 53 of 58
Figure 6. Security Diagram Image
(http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm)
security management system
Page 54 of 58
4.
Conclusions
Significant cost reductions to businesses through economies of scale offered by
the outsourcer and can provide ready access to knowledge of current industry best
practice. However, the decision of of the IT infrastructure also brings with it the
added difficulties of adequately managing business risk and ensuring that control
over that risk is appropriately allocated.
There are a number of ISO Technical Reports, International Standards and private
publications that have been collated which provide information on Risk
Management although few of these explicitly recognize the reality that
outsourcing is increasingly becoming the norm rather than the exception and that
our information management systems have to recognize this reality. This is not to
say that the information within the current body of knowledge is irrelevant though
as the standard approaches to risk management can be easily adapted to suit an
outsourced environment.
ISO 17799 provides some high level principals for consideration in outsourcing
contracts that, when applied to risk management, provide a good basis for
ensuring that information security is maintained even in a complex outsourced
environment. Central to this is ensuring that all parties are completely aware of
who is responsible for what sections of the information management puzzle. By
defining and allocating responsibilities for the various components of risk
management puzzle in such a way as to ensure that the business retains control
over the information security and risk management strategy (including monitoring
compliance), the security of the business can be maintained.
security management system
Page 55 of 58
References
1.
Australian Prudential Regulatory Authority, “Prudential Issues in Electronic
Commerce.” APRA Insight. 1st Quarter 2001. URL:
http://www.apra.gov.au/Insight/loader.cfm?url=/commonspot/security/getfile.cfm
&PageID=2017 (March 2002);
2.
International Organization for Standardization, “Code of Practice for Information
Security Management.” ISO/IEC 17799:2000. (2000);
3.
Office of the Federal Privacy Commissioner (Australia). “Privacy Obligations for
Government Contracts.” Information Sheet 14-2001. December 2001. URL:
http://www.privacy.gov.au/publications/IS14_01.pdf (March 2002);
4.
International Organization for Standardization, “Techniques for the Management
of IT Security.” ISO 13335-3:1998, Guidelines for the Management of IT
Security Part 3 (1998);
5.
Goolsby, Kathleen. “The Snowball Effect: Characteristics of Outstanding
Outsourcing Relationships.” Outsourcing Center White Paper. February 2002.
URL: http://www.outsourcingrequests.com/common/sponsors/4664/The_Snowball_Effect_Characteristics_of_
Outstanding_Outsourcing_Relationships.pdf (March 2002)*
6.
International Organization for Standardization, “Managing and Planning IT
Security.” ISO 13335-2:1997, Guidelines for the Management of IT Security Part
2 (1997);
7.
Standards Australia. “Information Security Risk Management Guidelines.” HB
231:2000 (2000);
security management system
Page 56 of 58
8.
Carnegie Mellon University. “Monitor and inspect Systems for unexpected
behavior.” May 2001. URL: http://www.cert.org/securityimprovement/practices/p095.html (March 2002);
9.
Noakes-Fry, Kirsten and Diamond, Trude. “Business Continuity and Disaster
Recovery Planning and Management: Perspective.” Gartner Research Technology
Overview. October 2001. URL:
http://www.availability.com/resource/pdfs/DPRO-100862.pdf (March 2002);
10. Kavanagh, Kelly. “Managed Security Services”. Gartner Research Technology.
August 2001. URL:
http://www4.gartner.com/DisplayDocument?id=339855&acsFlg=accessBought
(March 2002);
11. Berkman, Eric. “MSPs Say They’ll Do It All For You.” IT Outsourcing - CIO
Magazine. November 2001. URL: http://www.cio.com/archive/110101/msp.html
(March 2002);
12. Pankowska, Malgorzata. “Outsourcing Impact on Security Issues.” University of
Poland. URL: http://figaro.ae.katowice.pl/~pank/secout2.htm (March 2002);
13. Peterson, Brad L. “Information Security in Outsourcing Contracts.” Outsourcing
Journal. March 2002. URL: http://www.outsourcing14.journal.com/issues/mar2002/legal.html (March 2002).
15.(http://www.ittoday.info/Articles/Software_Security_Total_Risk_Management.ht)m
(Accessed on 16/10/2012) with journals cited with date referenced.
16. (http://www.ittoday.info/Articles/IT_Dilemma.htm (Accessed on 16/10/2012)
17. http://www.ittoday.info/Articles/Expecting_Disaster.htm
(Accessed on 16/10/2012)
security management system
Page 57 of 58
18. (http://www.infosectoday.com/Articles/ITIL_and_Security_Management.htm)
(Accessed on 17/10/2012)
19. http://www.infosectoday.com/Articles/DRPlanning.htm
(Accessed on 17/10/2012)
i
ii
ISO 17799 section 4.3
ISO 13335-3
security management system
Page 58 of 58